From 935d9d1012d39a42d9d17f3ed3f5230b1b11b6d7 Mon Sep 17 00:00:00 2001 From: Ashvin S Date: Fri, 5 Apr 2024 12:28:32 +0530 Subject: [PATCH] INFRA-809 | Ashvin | Move jsonnet to kutegen (#864) * INFRA-809 | Ashvin | Replace jsonnet with kutegen * INFRA-809 | Ashvin | Install kutegen on build and test * INFRA-809 | Ashvin | Fix 'static' modifier out of order with the JLS suggestions in KutegenClient.java * INFRA-809 | Ashvin | Remove all templates files * INFRA-809 | Ashvin | Add kutegen submodule * INFRA-809 | Ashvin | Use go run kutegen instead of build This will save dev an extra step of building kutegen each time they make a change in the templates files and thus save time and effort. go.work file lets us run go build and run in the parent directory. * INFRA-809 | Ashvin | Remove redundant dirs from Dockerfile * INFRA-809 | Ashvin | Remove go build in maven file. This was causing various dependency issue in the build process. I will add a Makefile if there is a need in the future for now. For now all local development will be done using go run command so this will not be necessary. * INFRA-809 | Ashvin | Update kutegen version * INFRA-809 | Ashvin | Revert YAML support from kutegen * INFRA-809 | Ashvin | Rebase the commit to kutegen * INFRA-809 | Ashvin | Fix test Using changes in the kutegen * INFRA-809 | Ashvin | Remove the templates dir * INFRA-809 | Ashvin | Clean generated dirs with mvn clean --- .gitignore | 1 + .gitmodules | 3 + Dockerfile | 15 +- README.md | 1 + go.work | 3 + go.work.sum | 19 + gocd-templates/main.jsonnet | 5 - gocd-templates/material.jsonnet | 156 -- gocd-templates/pipeline_helper.jsonnet | 70 - gocd-templates/pipelines.jsonnet | 92 - .../sample-manifest/pipeline_manifest.json | 66 - gocd-templates/stages.jsonnet | 243 --- kutegen | 1 + pom.xml | 19 + .../service/gocd/PipelineManifestService.java | 15 +- .../kubernetes/KubernetesManifestService.java | 29 +- .../navi/infra/portal/util/JsonnetUtil.java | 19 - .../infra/portal/util/JsonnetUtilImpl.java | 68 - .../util/KubernetesManifestGenerator.java | 8 + .../navi/infra/portal/util/KutegenClient.java | 52 + .../v2/ingress/IngressGroupApplierImpl.java | 29 +- .../KubernetesManifestServiceTest.java | 10 +- .../gocd/PipelineManifestServiceTest.java | 6 + .../ingress/IngressGroupApplierImplTest.java | 8 +- .../kube_objects/kube_object_alb.json | 2 +- .../kube_object_alb_redirect.json | 2 +- .../kube_objects/kube_object_efs_pvc.json | 2 +- .../kube_objects/kube_object_fsx.json | 2 +- .../kube_objects/kube_object_prod_tsc.json | 2 +- .../kube_object_prod_with_maxsurge.json | 2 +- templates/README.md | 14 - templates/chaos_engine.jsonnet | 94 -- templates/chaos_experiment.jsonnet | 87 - templates/chaos_main.jsonnet | 118 -- templates/chaos_util.jsonnet | 6 - templates/chart.jsonnet | 29 - templates/cluster_values.jsonnet | 1487 ----------------- templates/common.jsonnet | 67 - templates/common_api_gateway.jsonnet | 213 --- templates/configmap.jsonnet | 20 - templates/cron_hpa_autoscaler.jsonnet | 34 - templates/default_alerts.jsonnet | 407 ----- templates/deployment.jsonnet | 29 - templates/deployment_manifest.jsonnet | 209 --- templates/deployment_util.jsonnet | 108 -- templates/dynamic_configuration.jsonnet | 22 - templates/efs_persistent_volume_claim.jsonnet | 34 - templates/elastic_search.jsonnet | 90 - .../elasticsearch_alerts_default.jsonnet | 186 --- templates/elasticsearch_secrets.jsonnet | 18 - .../elasticsearch_servicemonitor.jsonnet | 75 - templates/elasticsearch_sm_secrets.jsonnet | 18 - templates/elasticsearch_snapshots.jsonnet | 122 -- templates/flink_default_alerts.jsonnet | 238 --- templates/flink_deployment.jsonnet | 172 -- templates/flink_role_binding.jsonnet | 27 - templates/flink_service_account.jsonnet | 27 - templates/flink_session_job.jsonnet | 24 - templates/health_check_values.jsonnet | 65 - templates/hpa.jsonnet | 70 - templates/ingress.jsonnet | 189 --- templates/kibana.jsonnet | 60 - templates/kibana_ingress_endpoint.jsonnet | 83 - templates/load_balancer_util.jsonnet | 142 -- templates/main.jsonnet | 97 -- templates/manifest_util.jsonnet | 17 - templates/namespace_values.jsonnet | 19 - templates/pdb.jsonnet | 20 - templates/perf_utility.jsonnet | 289 ---- templates/pod_template.jsonnet | 363 ---- templates/port_map.jsonnet | 50 - templates/rollout.jsonnet | 31 - templates/rollout_analysis_template.jsonnet | 33 - templates/sandbox/access_role.jsonnet | 80 - templates/sandbox/access_role_binding.jsonnet | 26 - templates/sandbox/aws_iam_role.jsonnet | 36 - templates/sandbox/main.jsonnet | 53 - templates/sandbox/namespace.jsonnet | 17 - templates/sandbox/role_binding.jsonnet | 25 - templates/secret.jsonnet | 18 - templates/security_group.jsonnet | 32 - templates/service.jsonnet | 119 -- templates/service_monitor.jsonnet | 37 - templates/shared_ingress_config/main.jsonnet | 5 - .../shared_ingress.libsonnet | 75 - ...in:dev-internal:custom-group-name:dev.json | 34 - .../tests/jsonnetfile.json | 15 - .../tests/jsonnetfile.lock.json | 16 - .../tests/shared_ingress.jsonnet | 49 - templates/sidecar.jsonnet | 87 - templates/util.jsonnet | 96 -- templates/vars.jsonnet | 44 - templates/vpa.jsonnet | 60 - 93 files changed, 168 insertions(+), 7209 deletions(-) create mode 100644 .gitmodules create mode 100644 go.work create mode 100644 go.work.sum delete mode 100644 gocd-templates/main.jsonnet delete mode 100644 gocd-templates/material.jsonnet delete mode 100644 gocd-templates/pipeline_helper.jsonnet delete mode 100644 gocd-templates/pipelines.jsonnet delete mode 100644 gocd-templates/sample-manifest/pipeline_manifest.json delete mode 100644 gocd-templates/stages.jsonnet create mode 160000 kutegen delete mode 100644 src/main/java/com/navi/infra/portal/util/JsonnetUtil.java delete mode 100644 src/main/java/com/navi/infra/portal/util/JsonnetUtilImpl.java create mode 100644 src/main/java/com/navi/infra/portal/util/KubernetesManifestGenerator.java create mode 100644 src/main/java/com/navi/infra/portal/util/KutegenClient.java delete mode 100644 templates/README.md delete mode 100644 templates/chaos_engine.jsonnet delete mode 100644 templates/chaos_experiment.jsonnet delete mode 100644 templates/chaos_main.jsonnet delete mode 100644 templates/chaos_util.jsonnet delete mode 100644 templates/chart.jsonnet delete mode 100644 templates/cluster_values.jsonnet delete mode 100644 templates/common.jsonnet delete mode 100644 templates/common_api_gateway.jsonnet delete mode 100644 templates/configmap.jsonnet delete mode 100644 templates/cron_hpa_autoscaler.jsonnet delete mode 100644 templates/default_alerts.jsonnet delete mode 100644 templates/deployment.jsonnet delete mode 100644 templates/deployment_manifest.jsonnet delete mode 100644 templates/deployment_util.jsonnet delete mode 100644 templates/dynamic_configuration.jsonnet delete mode 100644 templates/efs_persistent_volume_claim.jsonnet delete mode 100644 templates/elastic_search.jsonnet delete mode 100644 templates/elasticsearch_alerts_default.jsonnet delete mode 100644 templates/elasticsearch_secrets.jsonnet delete mode 100644 templates/elasticsearch_servicemonitor.jsonnet delete mode 100644 templates/elasticsearch_sm_secrets.jsonnet delete mode 100644 templates/elasticsearch_snapshots.jsonnet delete mode 100644 templates/flink_default_alerts.jsonnet delete mode 100644 templates/flink_deployment.jsonnet delete mode 100644 templates/flink_role_binding.jsonnet delete mode 100644 templates/flink_service_account.jsonnet delete mode 100644 templates/flink_session_job.jsonnet delete mode 100644 templates/health_check_values.jsonnet delete mode 100644 templates/hpa.jsonnet delete mode 100644 templates/ingress.jsonnet delete mode 100644 templates/kibana.jsonnet delete mode 100644 templates/kibana_ingress_endpoint.jsonnet delete mode 100644 templates/load_balancer_util.jsonnet delete mode 100644 templates/main.jsonnet delete mode 100644 templates/manifest_util.jsonnet delete mode 100644 templates/namespace_values.jsonnet delete mode 100644 templates/pdb.jsonnet delete mode 100644 templates/perf_utility.jsonnet delete mode 100644 templates/pod_template.jsonnet delete mode 100644 templates/port_map.jsonnet delete mode 100644 templates/rollout.jsonnet delete mode 100644 templates/rollout_analysis_template.jsonnet delete mode 100644 templates/sandbox/access_role.jsonnet delete mode 100644 templates/sandbox/access_role_binding.jsonnet delete mode 100644 templates/sandbox/aws_iam_role.jsonnet delete mode 100644 templates/sandbox/main.jsonnet delete mode 100644 templates/sandbox/namespace.jsonnet delete mode 100644 templates/sandbox/role_binding.jsonnet delete mode 100644 templates/secret.jsonnet delete mode 100644 templates/security_group.jsonnet delete mode 100644 templates/service.jsonnet delete mode 100644 templates/service_monitor.jsonnet delete mode 100644 templates/shared_ingress_config/main.jsonnet delete mode 100644 templates/shared_ingress_config/shared_ingress.libsonnet delete mode 100644 templates/shared_ingress_config/tests/expected/ingress/nonprod.np.navi-tech.in:dev-internal:custom-group-name:dev.json delete mode 100644 templates/shared_ingress_config/tests/jsonnetfile.json delete mode 100644 templates/shared_ingress_config/tests/jsonnetfile.lock.json delete mode 100644 templates/shared_ingress_config/tests/shared_ingress.jsonnet delete mode 100644 templates/sidecar.jsonnet delete mode 100644 templates/util.jsonnet delete mode 100644 templates/vars.jsonnet delete mode 100644 templates/vpa.jsonnet diff --git a/.gitignore b/.gitignore index 400c3cbb..2c58a867 100644 --- a/.gitignore +++ b/.gitignore @@ -50,3 +50,4 @@ pipelines pipeline_manifests user-mapping.yaml **/vendor/ +bin/ diff --git a/.gitmodules b/.gitmodules new file mode 100644 index 00000000..51c3de6f --- /dev/null +++ b/.gitmodules @@ -0,0 +1,3 @@ +[submodule "kutegen"] + path = kutegen + url = ../kutegen diff --git a/Dockerfile b/Dockerfile index 85152941..1602be51 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,13 +1,18 @@ ARG BUILDER_CACHE_TARGET=193044292705.dkr.ecr.ap-south-1.amazonaws.com/common/spring-boot-maven:1.0 + +FROM 193044292705.dkr.ecr.ap-south-1.amazonaws.com/common/golang:1.21.1 as golang_builder +WORKDIR /app +COPY ./kutegen/go.mod ./kutegen/go.sum ./ +RUN go mod download +COPY ./kutegen ./ +RUN go build -o kutegen cmd/main.go + FROM ${BUILDER_CACHE_TARGET} as builder ARG ARTIFACT_VERSION=0.0.1-SNAPSHOT RUN rm -rf /build && mkdir -p /build WORKDIR /build COPY src /build/src COPY pom.xml /build -COPY templates /build/src/templates -COPY gocd-templates /build/src/gocd-templates -COPY scripts /build/src/scripts COPY entrypoint.sh /build/entrypoint.sh RUN wget -O elastic-apm.jar https://repo1.maven.org/maven2/co/elastic/apm/elastic-apm-agent/1.42.0/elastic-apm-agent-1.42.0.jar RUN mvn -Dhttps.protocols=TLSv1.2 -B dependency:resolve dependency:resolve-plugins @@ -20,10 +25,8 @@ WORKDIR /usr/local/ COPY --from=builder /build/elastic-apm.jar /usr/local/elastic-apm.jar COPY --from=builder /build/src/main/resources/elasticapm.properties /usr/local/elasticapm.properties COPY --from=builder /build/target/deployment-portal-backend-${ARTIFACT_VERSION}.jar /usr/local/deployment-portal-backend.jar -COPY --from=builder /build/src/templates /usr/local/templates -COPY --from=builder /build/src/gocd-templates /usr/local/gocd-templates -COPY --from=builder /build/src/scripts /usr/local/scripts COPY --from=builder /build/entrypoint.sh /usr/local/entrypoint.sh +COPY --from=golang_builder /app/kutegen /usr/local/bin/kutegen RUN apt-get update && \ apt-get install telnet curl dnsutils kafkacat -y && \ adduser --system --uid 4000 --disabled-password non-root-user && \ diff --git a/README.md b/README.md index b0cefc3f..135eee5f 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,5 @@ # Deployment Portal Backend +- Run `git submodule update --init --recursive` to pull the kutegen submodule. - Use `export ENVIRONMENT=test` to avoid applying changes to the cluster. - Docker Setup - To run the application just do `docker-compose up` diff --git a/go.work b/go.work new file mode 100644 index 00000000..40b57856 --- /dev/null +++ b/go.work @@ -0,0 +1,3 @@ +go 1.21.0 + +use ./kutegen diff --git a/go.work.sum b/go.work.sum new file mode 100644 index 00000000..6c2412aa --- /dev/null +++ b/go.work.sum @@ -0,0 +1,19 @@ +github.com/BurntSushi/toml v1.3.2 h1:o7IhLm0Msx3BaB+n3Ag7L8EVlByGnpq14C4YWiu/gL8= +github.com/BurntSushi/toml v1.3.2/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ= +github.com/coreos/go-systemd/v22 v22.5.0 h1:RrqgGjYQKalulkV8NGVIfkXQf6YYmOyiJKk8iXXhfZs= +github.com/fatih/color v1.12.0 h1:mRhaKNwANqRgUBGKmnI5ZxEk7QXmjQeCcuYFMX2bfcc= +github.com/fatih/color v1.12.0/go.mod h1:ELkj/draVOlAH/xkhN6mQ50Qd0MPOk5AAr3maGEBuJM= +github.com/godbus/dbus/v5 v5.0.4 h1:9349emZab16e7zQvpmsbtjc18ykshndd8y2PG3sgJbA= +github.com/kr/pty v1.1.1 h1:VkoXIwSboBpnk99O/KFauAEILuNHv5DVFKZMBN/gUgw= +github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= +github.com/rs/xid v1.5.0 h1:mKX4bl4iPYJtEIxp6CYiUuLQ/8DYMoz0PUdtGgMFRVc= +github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY= +github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA= +golang.org/x/mod v0.8.0 h1:LUYupSeNrTNCGzR/hVBk2NHZO4hXcVaW1k4Qx7rjPx8= +golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= +golang.org/x/term v0.18.0 h1:FcHjZXDMxI8mM3nwhX9HlKop4C0YQvCVCdwYl2wOtE8= +golang.org/x/term v0.18.0/go.mod h1:ILwASektA3OnRv7amZ1xhE/KTR+u50pbXfZ03+6Nx58= +golang.org/x/tools v0.6.0 h1:BOw41kyTf3PuCW1pVQf8+Cyg8pMlkYB1oo9iJ6D/lKM= +golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU= +gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= +sigs.k8s.io/yaml v1.1.0/go.mod h1:UJmg0vDUVViEyp3mgSv9WPwZCDxu4rQW1olrI1uml+o= diff --git a/gocd-templates/main.jsonnet b/gocd-templates/main.jsonnet deleted file mode 100644 index f68ad27a..00000000 --- a/gocd-templates/main.jsonnet +++ /dev/null @@ -1,5 +0,0 @@ -local pipelines = import 'pipelines.jsonnet'; - -{ - 'pipelines.json': pipelines, -} diff --git a/gocd-templates/material.jsonnet b/gocd-templates/material.jsonnet deleted file mode 100644 index 8b04f5fc..00000000 --- a/gocd-templates/material.jsonnet +++ /dev/null @@ -1,156 +0,0 @@ -local pipeline_helper = import 'pipeline_helper.jsonnet'; -local pipeline_manifest = import 'pipeline_manifest.json'; -local pipelines = pipeline_manifest.pipelines; -local name = pipeline_manifest.name; -local infraVertical = pipeline_manifest.infraVertical; - -local githubOrgMap = { - lending:: { - default:: 'git@github.com:navi-medici/', - prod:: self.default, - qa:: self.default, - dev:: self.default, - uat:: self.default, - perf:: self.default, - test:: self.default, - build:: self.default, - 'data-platform-prod':: 'git@github.com:navi-data/', - 'data-platform-nonprod':: 'git@github.com:navi-data/', - }, - insurance:: { - default:: 'git@github.com:navi-gi/', - prod:: self.default, - qa:: self.default, - dev:: self.default, - uat:: self.default, - perf:: self.default, - test:: self.default, - build:: self.default, - }, - infra:: { - default: 'git@github.com:navi-infra/', - prod:: self.default, - qa:: self.default, - dev:: self.default, - uat:: self.default, - perf:: self.default, - test:: self.default, - build:: self.default, - }, - amc:: { - default: 'git@github.com:navi-amc/', - prod:: self.default, - qa:: self.default, - dev:: self.default, - uat:: self.default, - perf:: self.default, - test:: self.default, - build:: self.default, - }, - sa:: { - default: 'git@github.com:navi-sa/', - prod:: self.default, - qa:: self.default, - dev:: self.default, - uat:: self.default, - perf:: self.default, - test:: self.default, - build:: self.default, - }, - colending:: { - default: 'git@github.com:navi-co-lending/', - prod:: self.default, - qa:: self.default, - dev:: self.default, - uat:: self.default, - perf:: self.default, - test:: self.default, - build:: self.default, - }, - 'navi-pay':: { - default: 'git@github.com:navi-pay/', - prod:: self.default, - qa:: self.default, - dev:: self.default, - uat:: self.default, - perf:: self.default, - test:: self.default, - build:: self.default, - }, - 'navi-saas':: { - default: 'git@github.com:navi-saas/', - prod:: self.default, - qa:: self.default, - dev:: self.default, - uat:: self.default, - perf:: self.default, - test:: self.default, - build:: self.default, - }, - 'navi-ppl':: { - default: 'git@github.com:navi-ppl/', - prod:: self.default, - qa:: self.default, - dev:: self.default, - uat:: self.default, - perf:: self.default, - test:: self.default, - build:: self.default, - }, -}; - -{ - getMaterial(name, env):: { - test:: { - plugin_configuration: { - id: 'github.pr', - version: '1.4.0-RC2', - }, - options: { - url: githubOrgMap[infraVertical][env] + name + '.git', - branch: 'master', - }, - destination: 'test', - }, - build:: { - git: { - git: githubOrgMap[infraVertical][env] + name + '.git', - shallow_clone: true, - branch: 'master', - }, - }, - 'rds-deploy':: { - mygit: { - git: githubOrgMap[infraVertical][env] + name + '.git', - shallow_clone: true, - branch: 'master', - }, - }, - 's3-deploy':: self['rds-deploy'], - 'iam-deploy':: self['rds-deploy'], - 'redis-deploy':: self['rds-deploy'], - 'docdb-deploy':: self['rds-deploy'], - 'migrate-deploy':: { - git: { - git: githubOrgMap[infraVertical][env] + name + '.git', - shallow_clone: true, - branch: 'master', - }, - }, - }, - getUpstreamMaterial(name, pipeline):: - (if pipeline.type == 'migrate-deploy' then { - code: { - pipeline: pipeline_helper.getUpstreamPipelineName(pipeline), - stage: pipeline_helper.getUpstreamPipelineStage(pipeline), - }, - } else {}), - material(name, pipeline):: $.getMaterial(name, pipeline.env)[pipeline.type] + $.getUpstreamMaterial(name, pipeline), - pipelineName(name, pipeline):: $.getPipelineName(name, pipeline.type, pipeline.env), - getPipelineName(name, type, env):: - if type == 'test' || type == 'build' then - (name + '-' + type) - else if type == 'rds-deploy' || type == 's3-deploy' || type == 'redis-deploy' || type == 'docdb-deploy' || type == 'iam-deploy' then - (name + '-' + env + '-all-resource-deploy') - else (name + '-' + env + '-' + type), -} diff --git a/gocd-templates/pipeline_helper.jsonnet b/gocd-templates/pipeline_helper.jsonnet deleted file mode 100644 index b40e0ca0..00000000 --- a/gocd-templates/pipeline_helper.jsonnet +++ /dev/null @@ -1,70 +0,0 @@ -local pipeline_manifest = import 'pipeline_manifest.json'; -local pipelines = pipeline_manifest.pipelines; -local name = pipeline_manifest.name; -local buildPipelineName = name + '-build'; -local devPipelineName = name + '-dev-migrate-deploy'; -local qaPipelineName = name + '-qa-migrate-deploy'; -local uatPipelineName = name + '-uat-migrate-deploy'; -local prodPipelineName = name + '-prod-migrate-deploy'; -local pipelineMap = { - [pipeline.env]: true - for pipeline in pipelines -}; -local approvalTypeMap(stages) = { -[stage.type]: stage.approvalType -for stage in stages -}; -local hasDevPipeline = std.objectHas(pipelineMap, 'dev'); -local hasQaPipeline = std.objectHas(pipelineMap, 'qa'); -local hasUatPipeline = std.objectHas(pipelineMap, 'uat'); -local hasProdPipeline = std.objectHas(pipelineMap, 'prod'); - -{ - getUpstreamPipelineName(pipeline):: ( - if pipeline.env == 'dev' then buildPipelineName - else if pipeline.env == 'qa' then ( - if hasDevPipeline then devPipelineName - else buildPipelineName - ) - else if pipeline.env == 'uat' then ( - if hasQaPipeline then qaPipelineName - else if hasDevPipeline then devPipelineName - else buildPipelineName - ) - else if pipeline.env == 'prod' then ( - if hasUatPipeline then uatPipelineName - else if hasQaPipeline then qaPipelineName - else if hasDevPipeline then devPipelineName - else buildPipelineName - ) - ), - getUpstreamPipelineStage(pipeline):: ( - if pipeline.env == 'dev' then 'build' - else if pipeline.env == 'qa' then (if hasDevPipeline then 'deploy' else 'build') - else if pipeline.env == 'uat' then (if (hasQaPipeline || hasDevPipeline) then 'deploy' else 'build') - else if pipeline.env == 'prod' then (if (hasQaPipeline || hasDevPipeline || hasUatPipeline) then 'deploy' else 'build') - ), - getUpstreamPipelineJob(pipeline):: $.getUpstreamPipelineStage(pipeline), - stageMap(pipeline):: { - [stage.type]: true - for stage in pipeline.stages - }, - artifactPipeline(pipeline):: - if pipeline.env == 'dev' then buildPipelineName - else if pipeline.env == 'qa' then ( - if hasDevPipeline then (buildPipelineName + '/' + devPipelineName) - else buildPipelineName - ) - else if pipeline.env == 'uat' then ( - buildPipelineName + - (if hasDevPipeline then ('/' + devPipelineName) else '') + - (if hasQaPipeline then ('/' + qaPipelineName) else '') - ) - else if pipeline.env == 'prod' then ( - buildPipelineName + - (if hasDevPipeline then ('/' + devPipelineName) else '') + - (if hasQaPipeline then ('/' + qaPipelineName) else '') + - (if hasUatPipeline then ('/' + uatPipelineName) else '') - ), - getApprovalType(allStages,stageType):: approvalTypeMap(allStages)[stageType] -} diff --git a/gocd-templates/pipelines.jsonnet b/gocd-templates/pipelines.jsonnet deleted file mode 100644 index 832b0a4a..00000000 --- a/gocd-templates/pipelines.jsonnet +++ /dev/null @@ -1,92 +0,0 @@ -local pipeline_manifest = import 'pipeline_manifest.json'; -local pipelines = pipeline_manifest.pipelines; -local name = pipeline_manifest.name; -local util = import 'material.jsonnet'; -local stage_util = import 'stages.jsonnet'; -local infraVertical = pipeline_manifest.infraVertical; - -local groupMap = { - lending: { - test: 'Medici-test', - build: 'Medici', - dev: 'Medici-deploy-dev', - qa: 'Medici-deploy-qa', - uat: 'Medici-deploy-uat', - prod: 'Medici-deploy-prod', - cmd: 'Infrastructure', - 'data-platform-prod': 'Data', - 'data-platform-nonprod': 'Data', - }, - insurance:: { - test:: 'GI-test', - build: 'GI', - dev: 'GI-deploy-dev', - qa: 'GI-deploy-qa', - uat: 'GI-deploy-uat', - prod: 'GI-deploy-prod', - }, - amc:: { - test:: 'amc-test', - build: 'amc', - dev: 'amc-deploy-dev', - qa: 'amc-deploy-qa', - prod: 'amc-deploy-prod', - }, - sa:: { - test:: 'SA-test', - build: 'SA', - dev: 'SA-deploy-dev', - qa: 'SA-deploy-qa', - uat: 'SA-deploy-uat', - prod: 'SA-deploy-prod', - }, - infra:: {}, - colending::{ - test:: 'Co-Lending-test', - build: 'Co-Lending', - dev: 'Co-Lending-deploy-dev', - qa: 'Co-Lending-deploy-qa', - prod: 'Co-Lending-deploy-prod', - }, - 'navi-pay'::{ - test:: 'Navi-Pay-deploy-dev', - build: 'Navi-Pay', - dev: 'Navi-Pay-deploy-dev', - qa: 'Navi-Pay-deploy-qa', - uat: 'Navi-Pay-deploy-uat', - prod: 'Navi-Pay-deploy-prod', - }, - 'navi-saas'::{ - test:: 'Navi-Saas-deploy-dev', - build: 'Navi-Saas', - dev: 'Navi-Saas-deploy-dev', - qa: 'Navi-Saas-deploy-qa', - prod: 'Navi-Saas-deploy-prod', - }, - 'navi-ppl'::{ - test:: 'Navi-PPL-deploy-dev', - build: 'Navi-PPL', - dev: 'Navi-PPL-deploy-dev', - qa: 'Navi-PPL-deploy-qa', - prod: 'Navi-PPL-deploy-prod', - }, -}; - - -{ - format_version: 3, - pipelines: { - [util.pipelineName(name, pipeline)]: { - group: groupMap[infraVertical][pipeline.env], - materials: (if pipeline.type == 'test' then { - [util.pipelineName(name, pipeline)]: util.material(name, pipeline), - } else util.material(name, pipeline)), - environment_variables: { - ENVIRONMENT: pipeline.env, - APP_NAME: name, - }, - stages: stage_util.getStages(pipeline), - }, - for pipeline in pipelines - }, -} diff --git a/gocd-templates/sample-manifest/pipeline_manifest.json b/gocd-templates/sample-manifest/pipeline_manifest.json deleted file mode 100644 index 325d21c5..00000000 --- a/gocd-templates/sample-manifest/pipeline_manifest.json +++ /dev/null @@ -1,66 +0,0 @@ -{ - "name": "spring-boot-demo", - "pipelines": [ - { - "type": "test", - "env": "test", - "stages": [ - { - "type": "test" - } - ] - }, - { - "type": "build", - "env": "build", - "stages": [ - { - "type": "build" - } - ] - }, - { - "type": "migrate-deploy", - "env": "dev", - "stages": [ - { - "type": "migrate", - "approvalType":"auto" - }, - { - "type": "deploy", - "approvalType":"auto" - } - ] - }, - { - "type": "migrate-deploy", - "env": "qa", - "stages": [ - { - "type": "migrate", - "approvalType":"auto" - }, - { - "type": "deploy", - "approvalType":"auto" - } - ] - }, - { - "type": "migrate-deploy", - "env": "prod", - "stages": [ - { - "type": "migrate", - "approvalType":"manual" - }, - { - "type": "deploy", - "approvalType":"manual" - } - ] - } - ], - "infraVertical": "medici" -} \ No newline at end of file diff --git a/gocd-templates/stages.jsonnet b/gocd-templates/stages.jsonnet deleted file mode 100644 index 960231cd..00000000 --- a/gocd-templates/stages.jsonnet +++ /dev/null @@ -1,243 +0,0 @@ -local materialUtil = import 'material.jsonnet'; -local helpers = import 'pipeline_helper.jsonnet'; -local pipeline_manifest = import 'pipeline_manifest.json'; -local name = pipeline_manifest.name; -local pipelines = pipeline_manifest.pipelines; - -local elastic_profile_map = { - build: { - build: 'prod-default', - }, - test: { - test: 'prod-default', - }, - dev: { - migrate: 'prod-default', - deploy: 'nonprod-infra', - }, - qa: { - migrate: 'prod-default', - deploy: 'nonprod-infra', - }, - uat: { - migrate: 'prod-default', - deploy: 'nonprod-infra', - }, - prod: { - migrate: 'prod-default', - deploy: 'prod-infra', - }, -}; - -local infra_provisioner_arg = { - 'rds-deploy': 'database', - 's3-deploy': 's3-buckets', - 'iam-deploy': 'iam-roles', - 'redis-deploy': 'redis', - 'docdb-deploy': 'docdb', -}; - -{ - test(pipeline):: [ - { - test:{ - fetch_materials: true, - approval: { - type: 'success', - allow_only_on_success: false, - }, - jobs: { - test: { - timeout: 0, - elastic_profile_id: elastic_profile_map[pipeline.env].test, - tasks: [ - { - exec: { - command: 'bash', - arguments: [ - '-c', - 'git submodule update --remote --init', - ], - working_directory: 'test', - run_if: 'passed', - }, - }, - { - exec: { - arguments: [ - '-c', - 'eval $(aws ecr get-login --no-include-email --region ap-south-1 --registry-id 193044292705) && docker-compose up --abort-on-container-exit', - ], - command: 'bash', - run_if: 'passed', - working_directory: 'test', - }, - }, - ], - }, - }, - } - }, - ], - build(pipeline):: [ - { - build: { - fetch_materials: true, - jobs: { - build: { - timeout: 0, - elastic_profile_id: elastic_profile_map[pipeline.env].build, - tasks: [ - { - exec: { - arguments: [ - '-c', - 'docker-build' + ' ' + pipeline_manifest.name, - ], - command: 'bash', - run_if: 'passed', - }, - }, - ], - artifacts: [ - { - build: { - source: 'image_version', - destination: '', - }, - }, - ], - }, - }, - }, - }, - ], - migrate(pipeline):: [ - { - migration: { - fetch_materials: true, - approval: { - type: helpers.getApprovalType(pipeline.stages,'migrate'), - allow_only_on_success: false, - }, - jobs: { - migration: { - elastic_profile_id: elastic_profile_map[pipeline.env].migrate, - tasks: [ - { - fetch: { - is_file: true, - source: 'image_version', - destination: 'deployment', - pipeline: helpers.artifactPipeline(pipeline), - stage: 'build', - job: 'build', - run_if: 'passed', - }, - }, - { - script: ' cd deployment \n . fetch_config_portal \n eval $(aws ecr get-login --no-include-email --region ap-south-1 --registry-id 193044292705)\n docker run -w /usr/local \\ \n -e DATASOURCE_URL=${DATASOURCE_URL} -e DATASOURCE_USERNAME=${DATASOURCE_USERNAME} \\ \n -e DATASOURCE_PASSWORD=${DATASOURCE_PASSWORD} `cat image_version` java -jar database.jar', - }, - ], - }, - }, - }, - }, - ], - deploy(pipeline):: [ - { - deploy: { - fetch_materials: true, - approval: { - type: helpers.getApprovalType(pipeline.stages,'deploy'), - allow_only_on_success: false, - }, - jobs: { - deploy: { - timeout: 0, - elastic_profile_id: elastic_profile_map[pipeline.env].deploy, - tasks: [ - { - fetch: { - is_file: true, - source: 'image_version', - destination: 'deployment', - pipeline: helpers.artifactPipeline(pipeline), - stage: 'build', - job: 'build', - run_if: 'passed', - }, - }, - { - exec: { - arguments: [ - '-c', - 'portal_deploy ${ENVIRONMENT} `cat image_version`', - ], - command: 'bash', - run_if: 'passed', - working_directory: 'deployment', - }, - }, - ], - }, - }, - }, - }, - ], - deployAwsResourcesWithPlan(pipeline, type):: [ - { - plan: { - approval: { - type: "manual", - allow_only_on_success: false - }, - environment_variables: { - "ADDITIONAL_OPTIONS": "--plan" - }, - jobs: { - "deploy": { - elastic_profile_id: 'prod-infra', - tasks: [ - { - script: '. fetch_manifest\n infra-provisioner-v2 -m $MANIFEST ${ADDITIONAL_OPTIONS} all\n' - } - ] - } - } - } - }, - { - deploy: { - approval: { - type: "manual", - allow_only_on_success: false - }, - environment_variables: { - "ADDITIONAL_OPTIONS": "" - }, - jobs: { - "deploy": { - elastic_profile_id: 'prod-infra', - tasks: [ - { - script: ". fetch_manifest\n infra-provisioner-v2 -m $MANIFEST ${ADDITIONAL_OPTIONS} all\n" - } - ] - } - } - } - }, - ], - getStages(pipeline):: - if pipeline.type == 'test' then $.test(pipeline) - else if pipeline.type == 'build' then $.build(pipeline) - else if pipeline.type == 'migrate-deploy' then ( - (if std.objectHas(helpers.stageMap(pipeline), 'migrate') then $.migrate(pipeline) else []) + - (if std.objectHas(helpers.stageMap(pipeline), 'deploy') then $.deploy(pipeline) else []) - ) else if pipeline.type == 'rds-deploy' || - pipeline.type == 's3-deploy' || - pipeline.type == 'redis-deploy' || - pipeline.type == 'docdb-deploy' || - pipeline.type == 'iam-deploy' then $.deployAwsResourcesWithPlan(pipeline, infra_provisioner_arg[pipeline.type]) -} diff --git a/kutegen b/kutegen new file mode 160000 index 00000000..b23e2ded --- /dev/null +++ b/kutegen @@ -0,0 +1 @@ +Subproject commit b23e2dedf69914135c95dd8bab5537518aa3aba8 diff --git a/pom.xml b/pom.xml index d75b99ab..23f0140d 100644 --- a/pom.xml +++ b/pom.xml @@ -325,6 +325,25 @@ + + maven-clean-plugin + + + + ${project.basedir}/kubernetes_manifests + + + ${project.basedir}/manifests + + + ${project.basedir}/pipeline_manifests + + + ${project.basedir}/pipelines + + + + diff --git a/src/main/java/com/navi/infra/portal/service/gocd/PipelineManifestService.java b/src/main/java/com/navi/infra/portal/service/gocd/PipelineManifestService.java index 159e3bde..ab8034e8 100644 --- a/src/main/java/com/navi/infra/portal/service/gocd/PipelineManifestService.java +++ b/src/main/java/com/navi/infra/portal/service/gocd/PipelineManifestService.java @@ -3,7 +3,7 @@ package com.navi.infra.portal.service.gocd; import com.fasterxml.jackson.databind.ObjectMapper; import com.navi.infra.portal.domain.gocd.PipelineManifest; import com.navi.infra.portal.repository.PipelineManifestRepository; -import com.navi.infra.portal.util.JsonnetUtil; +import com.navi.infra.portal.util.KubernetesManifestGenerator; import java.io.ByteArrayOutputStream; import java.io.File; import java.io.FileReader; @@ -30,8 +30,6 @@ import org.springframework.web.server.ResponseStatusException; public class PipelineManifestService { private final String PIPELINE_MANIFEST_PATH = "pipeline_manifests"; - private final String PIPELINE_TEMPLATES_FOLDER = "gocd-templates"; - private final String mainJsonnet = "main.jsonnet"; private final String PIPELINE_YAML_PATH = "pipelines"; private final String PIPELINE_MANIFEST_FILE_NAME = "pipeline_manifest.json"; private final String PIPELINE_YAML_FILE_NAME = "pipelines.json"; @@ -40,7 +38,7 @@ public class PipelineManifestService { private final PipelineManifestRepository pipelineManifestRepository; - private final JsonnetUtil jsonnetUtil; + private final KubernetesManifestGenerator kubernetesManifestGenerator; public List pipelineManifestList() { return pipelineManifestRepository @@ -88,9 +86,12 @@ public class PipelineManifestService { ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream(); PrintStream printStream = new PrintStream(byteArrayOutputStream, false, StandardCharsets.UTF_8); - var exitCode = jsonnetUtil.generateKManifests(getPipelinesManifestPath(pipelineManifest), - getPipelinesPath(pipelineManifest), printStream, new String[]{}, mainJsonnet, - PIPELINE_TEMPLATES_FOLDER); + var exitCode = kubernetesManifestGenerator.generate( + printStream, new String[]{"gocd-pipeline", + "-f", getPipelinesManifestPath(pipelineManifest) + PIPELINE_MANIFEST_FILE_NAME, + "-o", getPipelinesPath(pipelineManifest) + } + ); if (exitCode != 0) { throw new RuntimeException(String.format("Could not generate manifests %s", diff --git a/src/main/java/com/navi/infra/portal/service/kubernetes/KubernetesManifestService.java b/src/main/java/com/navi/infra/portal/service/kubernetes/KubernetesManifestService.java index 41e55c73..d7ed6fcf 100644 --- a/src/main/java/com/navi/infra/portal/service/kubernetes/KubernetesManifestService.java +++ b/src/main/java/com/navi/infra/portal/service/kubernetes/KubernetesManifestService.java @@ -31,7 +31,7 @@ import com.navi.infra.portal.domain.manifest.StatusMarker; import com.navi.infra.portal.dto.manifest.SecurityGroup; import com.navi.infra.portal.exceptions.KubernetesManifestException; import com.navi.infra.portal.service.manifest.DeploymentService; -import com.navi.infra.portal.util.JsonnetUtil; +import com.navi.infra.portal.util.KubernetesManifestGenerator; import com.navi.infra.portal.util.MapDiffUtil; import com.navi.infra.portal.util.kubernetes.KubernetesManifestUtils; import io.kubernetes.client.openapi.ApiException; @@ -71,8 +71,6 @@ import org.springframework.stereotype.Service; @Slf4j public class KubernetesManifestService { - private static final String JSONNET_TEMPLATES_FOLDER = "templates"; - private static final String GENERATED_KUBERNETES_MANIFEST_FOLDER = "kubernetes_manifests"; private static final String MANIFEST_INPUT_FILE_PATH = "manifests"; @@ -93,7 +91,7 @@ public class KubernetesManifestService { private final String environment; - private final JsonnetUtil jsonnetUtil; + private final KubernetesManifestGenerator kubernetesManifestGenerator; private final KubeClient kubeClient; private final long securityGroupIdFetchRetryFixedBackoff; @@ -104,7 +102,7 @@ public class KubernetesManifestService { ObjectMapper objectMapper, Executor executor, @Value("${ENVIRONMENT:test}") String environment, - JsonnetUtil jsonnetUtil, + KubernetesManifestGenerator kubernetesManifestGenerator, KubeClient kubeClient, @Value("${kubernetes.security-group.id.fetch.fixed-backoff.interval}") long securityGroupIdFetchRetryFixedBackoff, @Value("${kubernetes.security-group.id.fetch.fixed-backoff.max-attempts}") int securityGroupIdFetchRetryMaxAttempts @@ -113,7 +111,7 @@ public class KubernetesManifestService { this.objectMapper = objectMapper; this.executor = executor; this.environment = environment; - this.jsonnetUtil = jsonnetUtil; + this.kubernetesManifestGenerator = kubernetesManifestGenerator; this.kubeClient = kubeClient; this.securityGroupIdFetchRetryFixedBackoff = securityGroupIdFetchRetryFixedBackoff; this.securityGroupIdFetchRetryMaxAttempts = securityGroupIdFetchRetryMaxAttempts; @@ -132,7 +130,7 @@ public class KubernetesManifestService { public void generateManifestsAndApply(Manifest manifest) { if (manifest.getDeployment() != null) { - final String kManifestPath = generateManifests(manifest, null); + final String kManifestPath = generateManifests(manifest, "null"); log.info("Generated kubernetes manifests at {}", kManifestPath); if (environment.equals("test")) { log.info( @@ -340,8 +338,10 @@ public class KubernetesManifestService { PrintStream printStream = new PrintStream(byteArrayOutputStream, false, StandardCharsets.UTF_8); String writePath = getKubernetesManifestPath(manifest); - int exitCode = generateKManifests(getManifestPath(manifest), writePath, printStream, - new String[]{"--ext-str", "IMAGE=" + image }, mainJsonnet); + int exitCode = generateKManifests(printStream, + new String[]{"generate", "--image", image, + "--file", getManifestPath(manifest) + MANIFEST_INPUT_FILE_NAME, + "--output", writePath}); if (exitCode > 0) { throw new KubernetesManifestException( format("Not able to generate kubernetes manifests: %s", @@ -501,15 +501,8 @@ public class KubernetesManifestService { return jsonObject; } - private int generateKManifests( - String readPath, - String writePath, - PrintStream ps, - String[] jsonnetAdditionalOptions, - String mainJsonnet - ) { - return jsonnetUtil.generateKManifests(readPath, writePath, ps, jsonnetAdditionalOptions, - mainJsonnet, JSONNET_TEMPLATES_FOLDER); + private int generateKManifests(PrintStream ps, String[] jsonnetAdditionalOptions) { + return kubernetesManifestGenerator.generate(ps, jsonnetAdditionalOptions); } /** diff --git a/src/main/java/com/navi/infra/portal/util/JsonnetUtil.java b/src/main/java/com/navi/infra/portal/util/JsonnetUtil.java deleted file mode 100644 index ebc808b3..00000000 --- a/src/main/java/com/navi/infra/portal/util/JsonnetUtil.java +++ /dev/null @@ -1,19 +0,0 @@ -package com.navi.infra.portal.util; - -import java.io.PrintStream; - -public interface JsonnetUtil { - - int generateKManifests( - String readPath, String writePath, PrintStream ps, - String[] jsonnetAdditionalOptions, String mainJsonnet, String jsonnetTemplatesFolder - ); - - int run( - String writePath, - PrintStream ps, - String[] jsonnetAdditionalOptions, - String mainJsonnet, - String jsonnetTemplatesFolder - ); -} diff --git a/src/main/java/com/navi/infra/portal/util/JsonnetUtilImpl.java b/src/main/java/com/navi/infra/portal/util/JsonnetUtilImpl.java deleted file mode 100644 index 89010fea..00000000 --- a/src/main/java/com/navi/infra/portal/util/JsonnetUtilImpl.java +++ /dev/null @@ -1,68 +0,0 @@ -package com.navi.infra.portal.util; - -import static java.lang.System.arraycopy; -import static scala.None$.empty; - -import java.io.PrintStream; -import org.springframework.stereotype.Component; -import os.package$; -import sjsonnet.DefaultParseCache; -import sjsonnet.SjsonnetMain; - -@Component -public class JsonnetUtilImpl implements JsonnetUtil { - - @Override - public int generateKManifests( - String readPath, String writePath, PrintStream ps, - String[] jsonnetAdditionalOptions, String mainJsonnet, String jsonnetTemplatesFolder - ) { - - String[] jsonnetOptions = new String[]{jsonnetTemplatesFolder + "/" + mainJsonnet, "-J", - readPath, "-c", "-m", writePath}; - - return run(jsonnetOptions, jsonnetAdditionalOptions, ps); - } - - @Override - public int run( - String writePath, - PrintStream ps, - String[] jsonnetAdditionalOptions, - String mainJsonnet, - String jsonnetTemplatesFolder - ) { - String[] jsonnetOptions = new String[]{jsonnetTemplatesFolder + "/" + mainJsonnet, - "-c", "-m", writePath}; - - return run(jsonnetOptions, jsonnetAdditionalOptions, ps); - } - - private static int run( - String[] options, - String[] additionalOptions, - PrintStream ps - ) { - PrintStream stdErr = System.err; - System.setErr(ps); - - try { - var jsonnetCommand = new String[additionalOptions.length + options.length]; - arraycopy(options, 0, jsonnetCommand, 0, options.length); - arraycopy(additionalOptions, 0, jsonnetCommand, options.length, - additionalOptions.length); - - return SjsonnetMain.main0(jsonnetCommand, - new DefaultParseCache(), - System.in, - System.out, - System.err, - package$.MODULE$.pwd(), - empty(), - empty() - ); - } finally { - System.setErr(stdErr); - } - } -} diff --git a/src/main/java/com/navi/infra/portal/util/KubernetesManifestGenerator.java b/src/main/java/com/navi/infra/portal/util/KubernetesManifestGenerator.java new file mode 100644 index 00000000..2492fb87 --- /dev/null +++ b/src/main/java/com/navi/infra/portal/util/KubernetesManifestGenerator.java @@ -0,0 +1,8 @@ +package com.navi.infra.portal.util; + +import java.io.PrintStream; + +public interface KubernetesManifestGenerator { + + int generate(PrintStream ps, String[] args); +} diff --git a/src/main/java/com/navi/infra/portal/util/KutegenClient.java b/src/main/java/com/navi/infra/portal/util/KutegenClient.java new file mode 100644 index 00000000..9bd73d9e --- /dev/null +++ b/src/main/java/com/navi/infra/portal/util/KutegenClient.java @@ -0,0 +1,52 @@ +package com.navi.infra.portal.util; + +import static java.lang.System.arraycopy; + +import java.io.PrintStream; +import java.util.Arrays; +import lombok.extern.slf4j.Slf4j; +import org.springframework.beans.factory.annotation.Value; +import org.springframework.stereotype.Component; + +@Component +@Slf4j +public class KutegenClient implements KubernetesManifestGenerator { + + private final String[] kutegenPath; + + public KutegenClient(@Value("${ENVIRONMENT:test}") String environment) { + if (environment.equals("test")) { + kutegenPath = new String[]{"go", "run", "kutegen/cmd/main.go"}; + } else { + kutegenPath = new String[]{"bin/kutegen"}; + } + } + + @Override + public int generate(PrintStream ps, String[] args) { + final var exitCode = run(args, ps); + log.info("Kutegen exit code: {}", exitCode); + return exitCode; + } + + private int run(String[] args, PrintStream errorStream) { + final var stdErr = System.err; + System.setErr(errorStream); + + try { + final var command = new String[kutegenPath.length + args.length]; + + arraycopy(kutegenPath, 0, command, 0, kutegenPath.length); + arraycopy(args, 0, command, kutegenPath.length, args.length); + + log.info("Running kutegen with options: {}", Arrays.toString(command)); + final var processBuilder = new ProcessBuilder(command); + final var process = processBuilder.inheritIO().start(); + return process.waitFor(); + } catch (Exception e) { + throw new RuntimeException("Error running kutegen", e); + } finally { + System.setErr(stdErr); + } + } +} diff --git a/src/main/java/com/navi/infra/portal/v2/ingress/IngressGroupApplierImpl.java b/src/main/java/com/navi/infra/portal/v2/ingress/IngressGroupApplierImpl.java index 88f92a04..c018b054 100644 --- a/src/main/java/com/navi/infra/portal/v2/ingress/IngressGroupApplierImpl.java +++ b/src/main/java/com/navi/infra/portal/v2/ingress/IngressGroupApplierImpl.java @@ -9,7 +9,7 @@ import static java.util.Objects.requireNonNull; import com.fasterxml.jackson.core.type.TypeReference; import com.fasterxml.jackson.databind.ObjectMapper; import com.navi.infra.portal.exceptions.KubernetesManifestException; -import com.navi.infra.portal.util.JsonnetUtil; +import com.navi.infra.portal.util.KubernetesManifestGenerator; import com.navi.infra.portal.util.kubernetes.KubernetesManifestUtils; import java.io.ByteArrayOutputStream; import java.io.File; @@ -33,7 +33,7 @@ public class IngressGroupApplierImpl implements IngressGroupApplier { private final String kubernetesManifestsPath; - private final JsonnetUtil jsonnetUtil; + private final KubernetesManifestGenerator kubernetesManifestGenerator; private final KubernetesManifestUtils kubernetesManifestUtils; private final ObjectMapper jsonMapper; @@ -41,13 +41,13 @@ public class IngressGroupApplierImpl implements IngressGroupApplier { public IngressGroupApplierImpl( @Value("templates/shared_ingress_config") String jsonnetTemplatesFolder, @Value("kubernetes_manifests") String kubernetesManifestsPath, - JsonnetUtil jsonnetUtil, + KubernetesManifestGenerator kubernetesManifestGenerator, KubernetesManifestUtils kubernetesManifestUtils, @Qualifier("jsonMapper") ObjectMapper jsonMapper ) { this.jsonnetTemplatesFolder = jsonnetTemplatesFolder; this.kubernetesManifestsPath = kubernetesManifestsPath; - this.jsonnetUtil = jsonnetUtil; + this.kubernetesManifestGenerator = kubernetesManifestGenerator; this.kubernetesManifestUtils = kubernetesManifestUtils; this.jsonMapper = jsonMapper; } @@ -72,23 +72,18 @@ public class IngressGroupApplierImpl implements IngressGroupApplier { } private String createK8sManifest(IngressGroupCreateRequest request, String writePath) { - final var jsonnetAdditionalOptions = new String[]{ - "--tla-str", "cluster=" + request.getCluster(), - "--tla-str", "namespace=" + request.getNamespace(), - "--tla-str", "group_name=" + request.getName(), - "--tla-str", "environment=" + request.getEnvironment(), - "--tla-str", "product=" + request.getProduct() + final var args = new String[]{"shared-alb-config", + "--output", writePath, + "--cluster", request.getCluster(), + "--namespace", request.getNamespace(), + "--group_name", request.getName(), + "--environment", request.getEnvironment(), + "--product", request.getProduct() }; var byteArrayOutputStream = new ByteArrayOutputStream(); var ps = new PrintStream(byteArrayOutputStream, false, UTF_8); - var exitCode = jsonnetUtil.run( - writePath, - ps, - jsonnetAdditionalOptions, - "main.jsonnet", - jsonnetTemplatesFolder - ); + var exitCode = kubernetesManifestGenerator.generate(ps, args); if (exitCode > 0) { throw new KubernetesManifestException( diff --git a/src/test/java/com/navi/infra/portal/service/KubernetesManifestServiceTest.java b/src/test/java/com/navi/infra/portal/service/KubernetesManifestServiceTest.java index ad77f435..d2faf96e 100644 --- a/src/test/java/com/navi/infra/portal/service/KubernetesManifestServiceTest.java +++ b/src/test/java/com/navi/infra/portal/service/KubernetesManifestServiceTest.java @@ -21,8 +21,8 @@ import com.navi.infra.portal.provider.Common; import com.navi.infra.portal.service.kubernetes.BashExecute; import com.navi.infra.portal.service.kubernetes.KubernetesManifestService; import com.navi.infra.portal.service.manifest.DeploymentService; -import com.navi.infra.portal.util.JsonnetUtil; -import com.navi.infra.portal.util.JsonnetUtilImpl; +import com.navi.infra.portal.util.KubernetesManifestGenerator; +import com.navi.infra.portal.util.KutegenClient; import com.navi.infra.portal.util.MapDiffUtil; import io.kubernetes.client.openapi.ApiException; import java.io.IOException; @@ -55,7 +55,7 @@ public class KubernetesManifestServiceTest { private final BashExecute bashExecute; - private final JsonnetUtil jsonnetUtil; + private final KubernetesManifestGenerator kubernetesManifestGenerator; private final KubeClient kubeClient; @@ -67,10 +67,10 @@ public class KubernetesManifestServiceTest { deploymentService = Mockito.mock(DeploymentService.class); bashExecute = Mockito.mock(BashExecute.class); kubeClient = Mockito.mock(KubeClient.class); - jsonnetUtil = new JsonnetUtilImpl(); + kubernetesManifestGenerator = new KutegenClient("test"); kubernetesManifestService = new KubernetesManifestService(deploymentService, objectMapper, - bashExecute, "dev", jsonnetUtil, kubeClient, 2000L, + bashExecute, "dev", kubernetesManifestGenerator, kubeClient, 2000L, 5); } diff --git a/src/test/java/com/navi/infra/portal/service/gocd/PipelineManifestServiceTest.java b/src/test/java/com/navi/infra/portal/service/gocd/PipelineManifestServiceTest.java index 65d998c9..e46f2774 100644 --- a/src/test/java/com/navi/infra/portal/service/gocd/PipelineManifestServiceTest.java +++ b/src/test/java/com/navi/infra/portal/service/gocd/PipelineManifestServiceTest.java @@ -4,6 +4,7 @@ import com.navi.infra.portal.domain.gocd.PipelineManifest; import com.navi.infra.portal.provider.ExternalIntegrationProvider; import java.io.IOException; import org.apache.commons.io.FileUtils; +import org.junit.jupiter.api.BeforeAll; import org.junit.jupiter.api.Test; import org.junit.jupiter.api.extension.ExtendWith; import org.mockito.junit.jupiter.MockitoExtension; @@ -19,6 +20,11 @@ public class PipelineManifestServiceTest extends ExternalIntegrationProvider { @Autowired private PipelineManifestService pipelineManifestService; + @BeforeAll + static void setUp() { + System.setProperty("ENVIRONMENT", "test"); + } + private void assertJsonEqual(String inputFile, String expectedFile) throws IOException { String pipelineManifestJson = FileUtils .readFileToString(ResourceUtils.getFile(inputFile), "UTF-8"); diff --git a/src/test/java/com/navi/infra/portal/v2/ingress/IngressGroupApplierImplTest.java b/src/test/java/com/navi/infra/portal/v2/ingress/IngressGroupApplierImplTest.java index a2eddd6e..6fb84be5 100644 --- a/src/test/java/com/navi/infra/portal/v2/ingress/IngressGroupApplierImplTest.java +++ b/src/test/java/com/navi/infra/portal/v2/ingress/IngressGroupApplierImplTest.java @@ -7,7 +7,7 @@ import static org.mockito.Mockito.when; import com.fasterxml.jackson.databind.ObjectMapper; import com.navi.infra.portal.exceptions.KubernetesManifestException; import com.navi.infra.portal.service.kubernetes.BashExecute; -import com.navi.infra.portal.util.JsonnetUtil; +import com.navi.infra.portal.util.KubernetesManifestGenerator; import com.navi.infra.portal.util.kubernetes.KubernetesManifestUtils; import org.junit.jupiter.api.BeforeEach; import org.junit.jupiter.api.DisplayName; @@ -20,7 +20,7 @@ import org.mockito.junit.jupiter.MockitoExtension; class IngressGroupApplierImplTest { @Mock - private JsonnetUtil jsonnetUtil; + private KubernetesManifestGenerator kubernetesManifestGenerator; private IngressGroupApplier ingressGroupApplier; @@ -28,7 +28,7 @@ class IngressGroupApplierImplTest { @BeforeEach void setup() { - ingressGroupApplier = new IngressGroupApplierImpl("", "", jsonnetUtil, + ingressGroupApplier = new IngressGroupApplierImpl("", "", kubernetesManifestGenerator, new KubernetesManifestUtils( new BashExecute(), "test"), jsonMapper); } @@ -39,7 +39,7 @@ class IngressGroupApplierImplTest { var createRequest = new IngressGroupCreateRequest("name", "namespace", "cluster", "environment", "product"); - when(jsonnetUtil.run(any(), any(), any(), any(), any())).thenReturn(1); + when(kubernetesManifestGenerator.generate(any(), any())).thenReturn(1); assertThrows(KubernetesManifestException.class, () -> ingressGroupApplier.createAndApply(createRequest)); diff --git a/src/test/resources/fixtures/kube_objects/kube_object_alb.json b/src/test/resources/fixtures/kube_objects/kube_object_alb.json index b6b6b502..2cd0f35c 100644 --- a/src/test/resources/fixtures/kube_objects/kube_object_alb.json +++ b/src/test/resources/fixtures/kube_objects/kube_object_alb.json @@ -258,7 +258,7 @@ }, { "name": "secretMd5", - "value": "ca5855f61008767291e629652da57dc6" + "value": "d74618e323ae5b8a83fa496eb16ef003" } ], "ports": [ diff --git a/src/test/resources/fixtures/kube_objects/kube_object_alb_redirect.json b/src/test/resources/fixtures/kube_objects/kube_object_alb_redirect.json index 4d4736b9..fbabe090 100644 --- a/src/test/resources/fixtures/kube_objects/kube_object_alb_redirect.json +++ b/src/test/resources/fixtures/kube_objects/kube_object_alb_redirect.json @@ -242,7 +242,7 @@ }, { "name": "secretMd5", - "value": "ca5855f61008767291e629652da57dc6" + "value": "d74618e323ae5b8a83fa496eb16ef003" } ], "ports": [ diff --git a/src/test/resources/fixtures/kube_objects/kube_object_efs_pvc.json b/src/test/resources/fixtures/kube_objects/kube_object_efs_pvc.json index cde24723..cdd6b1fb 100644 --- a/src/test/resources/fixtures/kube_objects/kube_object_efs_pvc.json +++ b/src/test/resources/fixtures/kube_objects/kube_object_efs_pvc.json @@ -225,7 +225,7 @@ }, { "name": "secretMd5", - "value": "ca5855f61008767291e629652da57dc6" + "value": "d74618e323ae5b8a83fa496eb16ef003" } ], "image": "IMAGE", diff --git a/src/test/resources/fixtures/kube_objects/kube_object_fsx.json b/src/test/resources/fixtures/kube_objects/kube_object_fsx.json index e429bc32..2c690432 100644 --- a/src/test/resources/fixtures/kube_objects/kube_object_fsx.json +++ b/src/test/resources/fixtures/kube_objects/kube_object_fsx.json @@ -225,7 +225,7 @@ }, { "name": "secretMd5", - "value": "ca5855f61008767291e629652da57dc6" + "value": "d74618e323ae5b8a83fa496eb16ef003" } ], "image": "IMAGE", diff --git a/src/test/resources/fixtures/kube_objects/kube_object_prod_tsc.json b/src/test/resources/fixtures/kube_objects/kube_object_prod_tsc.json index 6a9935b8..de774c99 100644 --- a/src/test/resources/fixtures/kube_objects/kube_object_prod_tsc.json +++ b/src/test/resources/fixtures/kube_objects/kube_object_prod_tsc.json @@ -242,7 +242,7 @@ }, { "name": "secretMd5", - "value": "129cd9ea6fd37de0e07a8ff94467306f" + "value": "8a40bdadb732b9107fbf1eba768a302a" } ], "ports": [ diff --git a/src/test/resources/fixtures/kube_objects/kube_object_prod_with_maxsurge.json b/src/test/resources/fixtures/kube_objects/kube_object_prod_with_maxsurge.json index 24259656..82e1055f 100644 --- a/src/test/resources/fixtures/kube_objects/kube_object_prod_with_maxsurge.json +++ b/src/test/resources/fixtures/kube_objects/kube_object_prod_with_maxsurge.json @@ -242,7 +242,7 @@ }, { "name": "secretMd5", - "value": "129cd9ea6fd37de0e07a8ff94467306f" + "value": "8a40bdadb732b9107fbf1eba768a302a" } ], "ports": [ diff --git a/templates/README.md b/templates/README.md deleted file mode 100644 index 72a54060..00000000 --- a/templates/README.md +++ /dev/null @@ -1,14 +0,0 @@ -## Steps to test JSONNET changes - -1. Create a temporary directory in templates directory: - - ```mkdir /templates/temp``` - -2. Change directory to the same - - ```cd /templates/temp``` - -3. Run the following command to create json for testing purposes: - ```jsonnet main.jsonnet -J /manifests// --ext-str IMAGE='image' -m temp``` - -4. Inspect the jsonnets in temp folder. \ No newline at end of file diff --git a/templates/chaos_engine.jsonnet b/templates/chaos_engine.jsonnet deleted file mode 100644 index 3243431b..00000000 --- a/templates/chaos_engine.jsonnet +++ /dev/null @@ -1,94 +0,0 @@ -local chart = import 'chart.jsonnet'; -local common = import 'common.jsonnet'; -local deployment_manifest = import 'deployment_manifest.jsonnet'; -local deployment = deployment_manifest.deployment; -local chaos_util = import 'chaos_util.jsonnet'; - - -local env = function(experiment) { - latencyInjection: [ - { - name: 'NETWORK_LATENCY', - value: experiment.details.latency, - }, - ], - packetLoss: [ - { - name: 'NETWORK_PACKET_LOSS_PERCENTAGE', - value: experiment.details.packetLoss, - }, - ], -}[experiment.type]; - - -std.map(function(experiment) { - apiVersion: 'litmuschaos.io/v1alpha1', - kind: 'ChaosEngine', - metadata: { - name: '%s-chaos' % deployment.name, - namespace: deployment.namespace, - labels: { - resource_id: '%s-chaos' % deployment.name, - }, - }, - spec: { - jobCleanUpPolicy: 'delete', - annotationCheck: 'true', - engineState: 'active', - auxiliaryAppInfo: '', - monitoring: false, - appinfo: { - appns: deployment.namespace, - applabel: 'release=%s' % deployment.name, - appkind: 'deployment', - }, - chaosServiceAccount: '%s-sa' % chaos_util.experimentName(experiment), - components: { - runner: { - runnerannotation: { - 'sidecar.istio.io/inject': 'false', - }, - }, - }, - experiments: [{ - name: chaos_util.experimentName(experiment), - spec: { - components: { - experimentannotation: { - 'sidecar.istio.io/inject': 'false', - }, - env: [ - { - name: 'CHAOS_NAMESPACE', - value: deployment.namespace, - }, - { - name: 'APP_NAMESPACE', - value: deployment.namespace, - }, - { - name: 'NETWORK_INTERFACE', - value: 'eth0', - }, - { - name: 'TARGET_CONTAINER', - value: chart.full_service_name(deployment.name), - }, - { - name: 'TOTAL_CHAOS_DURATION', - value: experiment.duration, - }, - { - name: 'PODS_AFFECTED_PERC', - value: '100', - }, - { - name: 'TARGET_HOSTS', - value: std.join(',', experiment.details.targetHosts), - }, - ] + env(experiment), - }, - }, - }], - }, -}, deployment.faults) diff --git a/templates/chaos_experiment.jsonnet b/templates/chaos_experiment.jsonnet deleted file mode 100644 index 8de4fcf8..00000000 --- a/templates/chaos_experiment.jsonnet +++ /dev/null @@ -1,87 +0,0 @@ -local chart = import 'chart.jsonnet'; -local common = import 'common.jsonnet'; -local deployment_manifest = import 'deployment_manifest.jsonnet'; -local deployment = deployment_manifest.deployment; -local chaos_util = import 'chaos_util.jsonnet'; - -local descriptionMessage = function(experiment) { - latencyInjection: 'Injects network latency on pods belonging to an app deployment\n', - packetLoss: 'Injects network packet loss on pods belonging to an app deployment\n', -}[experiment.type]; - -local args = function(experiment) { - latencyInjection: './experiments/pod-network-latency', - packetLoss: './experiments/pod-network-loss', -}[experiment.type]; - -std.map( - function(experiment) - { - apiVersion: 'litmuschaos.io/v1alpha1', - description: { - message: descriptionMessage(experiment), - }, - kind: 'ChaosExperiment', - metadata: { - name: chaos_util.experimentName(experiment), - }, - spec: { - definition: { - scope: 'Namespaced', - permissions: [ - { - apiGroups: [ - '', - 'batch', - 'litmuschaos.io', - ], - resources: [ - 'jobs', - 'pods', - 'pods/log', - 'events', - 'chaosengines', - 'chaosexperiments', - 'chaosresults', - ], - verbs: [ - 'create', - 'list', - 'get', - 'patch', - 'update', - 'delete', - ], - }, - ], - image: '193044292705.dkr.ecr.ap-south-1.amazonaws.com/litmus-go:1.8.1', - imagePullPolicy: 'Always', - args: [ - '-c', - args(experiment), - ], - command: [ - '/bin/bash', - ], - env: [ - { - name: 'NETWORK_INTERFACE', - value: 'eth0', - }, - { - name: 'LIB_IMAGE', - value: '193044292705.dkr.ecr.ap-south-1.amazonaws.com/litmus-go:1.8.1', - }, - { - name: 'TC_IMAGE', - value: 'gaiadocker/iproute2', - }, - ], - labels: { - name: chaos_util.experimentName(experiment), - }, - }, - }, - }, - deployment.faults -) diff --git a/templates/chaos_main.jsonnet b/templates/chaos_main.jsonnet deleted file mode 100644 index 77234cf5..00000000 --- a/templates/chaos_main.jsonnet +++ /dev/null @@ -1,118 +0,0 @@ -local chaos_engines = import 'chaos_engine.jsonnet'; -local chaos_experiments = import 'chaos_experiment.jsonnet'; -local deployment_manifest = import 'deployment_manifest.jsonnet'; -local deployment = deployment_manifest.deployment; -local chaos_util = import 'chaos_util.jsonnet'; - -local chaos_sa = function(experiment) { - apiVersion: 'v1', - kind: 'ServiceAccount', - metadata: { - labels: { - name: '%s-sa' % chaos_util.experimentName(experiment), - }, - name: '%s-sa' % chaos_util.experimentName(experiment), - namespace: deployment.namespace, - }, -}; - -local chaos_role = function(experiment) { - apiVersion: 'rbac.authorization.k8s.io/v1', - kind: 'Role', - metadata: { - labels: { - name: '%s-sa' % chaos_util.experimentName(experiment), - }, - name: '%s-sa' % chaos_util.experimentName(experiment), - namespace: deployment.namespace, - }, - rules: [ - { - apiGroups: [ - '', - 'litmuschaos.io', - 'batch', - ], - resources: [ - 'pods', - 'jobs', - 'pods/log', - 'events', - 'chaosengines', - 'chaosexperiments', - 'chaosresults', - ], - verbs: [ - 'create', - 'list', - 'get', - 'patch', - 'update', - 'delete', - ], - }, - ], -}; - -local chaos_rolebinding = function(experiment) { - apiVersion: 'rbac.authorization.k8s.io/v1', - kind: 'RoleBinding', - metadata: { - labels: { - name: '%s-sa' % chaos_util.experimentName(experiment), - }, - name: '%s-sa' % chaos_util.experimentName(experiment), - namespace: deployment.namespace, - }, - roleRef: { - apiGroup: 'rbac.authorization.k8s.io', - kind: 'Role', - name: '%s-sa' % chaos_util.experimentName(experiment), - }, - subjects: [ - { - kind: 'ServiceAccount', - name: '%s-sa' % chaos_util.experimentName(experiment), - }, - ], -}; - -local chaos_privileged_rolebinding = function(experiment) { - apiVersion: 'rbac.authorization.k8s.io/v1', - kind: 'RoleBinding', - metadata: { - name: 'psp:privileged:%s-sa' % chaos_util.experimentName(experiment), - namespace: deployment.namespace, - }, - roleRef: { - apiGroup: 'rbac.authorization.k8s.io', - kind: 'ClusterRole', - name: 'psp:privileged', - }, - subjects: [ - { - kind: 'ServiceAccount', - name: '%s-sa' % chaos_util.experimentName(experiment), - }, - ], -}; - -local getFiles = function(s, fn) { - [s % index]: fn(deployment.faults[index]) - for index in std.range(0, std.length(chaos_experiments) - 1) -}; - - -if 'faults' in deployment && std.length(deployment.faults) > 0 then - (if chaos_experiments != null then { - ['1_%s_chaos_experiment.json' % index]: chaos_experiments[index] - for index in std.range(0, std.length(chaos_experiments) - 1) - } else {}) + - getFiles('2_%s_chaos_sa.json', chaos_sa) + - getFiles('3_%s_chaos_role.json', chaos_role) + - getFiles('4_%s_chaos_rolebinding.json', chaos_rolebinding) + - getFiles('5_%s_chaos_privileged_rolebinding.json', chaos_privileged_rolebinding) + - (if chaos_engines != null then { - ['6_%s_chaos_engine.json' % index]: chaos_engines[index] - for index in std.range(0, std.length(chaos_engines) - 1) - } else {}) diff --git a/templates/chaos_util.jsonnet b/templates/chaos_util.jsonnet deleted file mode 100644 index 9e3b49dd..00000000 --- a/templates/chaos_util.jsonnet +++ /dev/null @@ -1,6 +0,0 @@ -{ - experimentName:: function(experiment) { - latencyInjection: 'pod-network-latency', - packetLoss: 'pod-network-loss', - }[experiment.type], -} diff --git a/templates/chart.jsonnet b/templates/chart.jsonnet deleted file mode 100644 index 4b4d9999..00000000 --- a/templates/chart.jsonnet +++ /dev/null @@ -1,29 +0,0 @@ -{ - //Private values - values:: { - apiVersion: 'v1', - name: 'navi-service', - description: 'Deploy navi services to kubernetes', - version: '0.0.1', - appVersion: '0.1', - home: 'https://github.cmd.navi-tech.in/navi-infra', - maintainers: [ - { - name: 'Infra', - email: 'infra-team@navi.com', - }, - ], - }, - - //Public functions - service_name: self.values.name, - - full_service_name(deployment_name): ( - assert std.length(deployment_name) <= 63 : 'Service name must be less than 63 characters. name: %s' % deployment_name; - local name = '%s-%s' % [deployment_name, self.service_name]; - assert std.length(name) <= 253 : 'Full Service name must be less than 253 characters. name: %s' % name; - name - ), - - service_chart: '%s-%s' % [self.values.name, self.values.version], -} diff --git a/templates/cluster_values.jsonnet b/templates/cluster_values.jsonnet deleted file mode 100644 index 05f2b073..00000000 --- a/templates/cluster_values.jsonnet +++ /dev/null @@ -1,1487 +0,0 @@ -{ - baseCluster+:: { - loadBalancer+:: { - sourceRanges:: ['1.1.1.1/32'], - annotations+:: { - webAcl:: 'dummy-webacl', - deletionProtection:: false, - accessLog:: true, - subnets+:: {}, - }, - }, - commonApiGateway+:: { - externalAuth:: { - config:: { - url:: 'dummyUrl', - }, - }, - }, - sidecarEnabled:: true, - zalandoEnabled:: true, - isEfsSupported: false, - isFsxSupported: false, - isVpaDeployed:: true, - isSwApmEnabled:: false - }, - - // Perf Endpoints - perfDomainEndpoint:: { - lending: '.np.navi-tech.in', - insurance: '.np.navi-gi.in', - sa: '.np.navi-sa.in', - amc: '.np.navi-amc.in', - }, - - //Non Prod cluster - 'nonprod.np.navi-tech.in':: { - default:: $.baseCluster { - additionalTags+:: { - product:: 'lending', - }, - flinkBucket: 'navi-flink-nonprod', - isEfsSupported: true, - isFsxSupported: true, - awsAccountId: 571315076762, - loadBalancer+:: { - annotations+:: { - webAcl:: 'arn:aws:wafv2:ap-south-1:571315076762:regional/webacl/AclNonProd/9ad3e612-4125-42ec-ab83-9e83ce95ac22', - securityGroups+:: { - //This security group allows packets from everywhere - internetFacing:: 'sg-01bbd376d7004403e', - - //This security group allows packets from office Ips(VPN, LAN etc) - officeIp:: 'sg-01a64c085bfdb2cbb', - - //This security group allows inter k8 cluster communication - internal:: 'sg-0bc07e856d000a5f4', - - //This security group allows HTTP traffic from everywhere - http:: 'sg-022aa76e816973224', - - // Cloudflare ips - cdn:: 'sg-04abaea56b3db4697', - }, - sslCert:: { - 'np.navi-tech.in':: 'arn:aws:acm:ap-south-1:571315076762:certificate/a19c398a-639b-45ca-b885-4cf6002a16dc', - 'np.navi-ext.com':: 'arn:aws:acm:ap-south-1:571315076762:certificate/d9f5aac3-daee-401a-9035-b3f89a348d21', - 'navibank.ph':: 'arn:aws:acm:ap-south-1:571315076762:certificate/a19c398a-639b-45ca-b885-4cf6002a16dc', - 'navi.com':: 'arn:aws:acm:ap-south-1:571315076762:certificate/a19c398a-639b-45ca-b885-4cf6002a16dc', - }, - subnets:: { - internal:: 'internal-lb-ap-south-1a.nonprod.np.navi-tech.in,internal-lb-ap-south-1b.nonprod.np.navi-tech.in', - }, - accessLogBucket:: 'navi-nonprod-lb-access-logs', - accessLog: true, - }, - }, - }, - qa:: self.default { - loadBalancer+:: { - annotations+:: { - alb:: 'qa-services-alb', - }, - }, - }, - dev:: self.default { - loadBalancer+:: { - annotations+:: { - alb:: 'dev-services-alb', - }, - }, - }, - automation:: self.default { - loadBalancer+:: { - annotations+:: { - alb:: 'automation-services-alb', - }, - fixedHostNames+:: { - 'mobile-application': 'automation-api.navi.com', - }, - }, - }, - 'qa-internal':: self.default { - loadBalancer+:: { - annotations+:: { - alb:: 'qa-internal-services-alb', - }, - }, - }, - perf:: self.default { - loadBalancer+:: { - annotations+:: { - alb:: 'perf-services-alb', - }, - }, - }, - 'dev-internal':: self.default { - loadBalancer+:: { - annotations+:: { - alb:: 'dev-internal-services-alb', - }, - }, - }, - 'dev-critical':: self.default { - loadBalancer+:: { - annotations+:: { - alb:: 'dev-critical-services-alb', - }, - }, - }, - 'qa-critical':: self.default { - loadBalancer+:: { - annotations+:: { - alb:: 'qa-critical-services-alb', - }, - }, - }, - 'dev-3p':: self.default { - loadBalancer+:: { - annotations+:: { - alb:: 'dev-3p-services-alb', - }, - fixedHostNames+:: { - 'mobile-application': 'dev-api.navi.com', - }, - }, - }, - 'qa-3p':: self.default { - loadBalancer+:: { - annotations+:: { - alb:: 'qa-3p-services-alb', - }, - fixedHostNames+:: { - 'mobile-application': 'qa-api.navi.com', - }, - }, - }, - }, - - //CMD cluster - 'prod.cmd.navi-tech.in':: { - default:: $.baseCluster { - additionalTags+:: { - product:: 'shared', - }, - isVpaDeployed:: false, - awsAccountId: 193044292705, - loadBalancer+:: { - annotations+:: { - securityGroups+:: { - - //This security group allows inter k8 cluster communication - internal:: 'sg-05a07c526f95eeb77', - - //This security group allows packets from office Ips(VPN, LAN etc) - officeIp:: 'sg-07e815976f838974d', - - // Cloudflare IPs - cdn:: 'sg-030f711a697aefbcd', - - //This security group allows HTTP traffic from everywhere - http:: 'sg-0c46b6742d741ef56', - }, - sslCert:: { - 'cmd.navi-tech.in':: 'arn:aws:acm:ap-south-1:193044292705:certificate/f5746e77-f3e0-467b-b09e-3f6f2bd33d5d', - }, - accessLog:: true, - accessLogBucket:: 'navi-cmd-lb-access-logs', - }, - }, - sidecarEnabled:: false, - }, - }, - - //GI nonprod cluster - 'aps1.np.navi-gi.in':: { - default:: $.baseCluster { - additionalTags+:: { - product:: 'gi', - }, - commonApiGateway+:: { - externalAuth:: { - config:: { - url:: 'https://test-ops-auth-service.np.navi-gi.in/auth', - }, - }, - }, - flinkBucket: 'navi-flink-gi-nonprod', - awsAccountId: 883430762451, - loadBalancer+:: { - annotations+:: { - webAcl:: 'arn:aws:wafv2:ap-south-1:883430762451:regional/webacl/AclNonProdGi/63c08952-a0ca-4f20-b237-ebebc3e6b45e', - securityGroups+:: { - - //This security group allows inter k8 cluster communication - internal:: 'sg-095f4e72442a3b1cb', - - //This security group allows packets from office Ips(VPN, LAN etc) - officeIp:: 'sg-092a892e2ed92f934', - - //This security group allows packets from everywhere - internetFacing:: 'sg-00f702563af978c17', - - natIp:: 'sg-0bbe47680861cb3af', - - //This security group allows HTTP traffic from everywhere - http:: 'sg-05ed65ea26e845f6b', - - // CF ips - cdn:: 'sg-0101e7a8058f3ff90', - }, - sslCert:: { - 'np.navi-gi.in':: 'arn:aws:acm:ap-south-1:883430762451:certificate/fc0dbd8e-7754-48ac-b5f1-dc5614f918f1', - 'navi.com':: 'arn:aws:acm:ap-south-1:883430762451:certificate/cbd7d693-ef24-44c7-a26c-44cbe198cc89', - }, - accessLog:: true, - accessLogBucket:: 'aps1.np.navi-gi.in-alb-access-logs', - subnets:: { - internal: 'internal-lb-ap-south-1a.aps1.np.navi-gi.in,internal-lb-ap-south-1b.aps1.np.navi-gi.in', - }, - }, - }, - }, - qa:: self.default { - loadBalancer+:: { - annotations+:: { - alb:: 'qa-services-alb', - }, - }, - }, - dev:: self.default { - loadBalancer+:: { - annotations+:: { - alb:: 'dev-services-alb', - }, - }, - }, - 'qa-internal':: self.default { - loadBalancer+:: { - annotations+:: { - alb:: 'qa-internal-services-alb', - }, - }, - }, - perf:: self.default { - loadBalancer+:: { - annotations+:: { - alb:: 'perf-services-alb', - }, - }, - }, - 'dev-internal':: self.default { - loadBalancer+:: { - annotations+:: { - alb:: 'dev-internal-services-alb', - }, - }, - }, - 'dev-critical':: self.default { - loadBalancer+:: { - annotations+:: { - alb:: 'dev-critical-services-alb', - }, - }, - }, - 'qa-critical':: self.default { - loadBalancer+:: { - annotations+:: { - alb:: 'qa-critical-services-alb', - }, - }, - }, - 'dev-3p':: self.default { - loadBalancer+:: { - annotations+:: { - alb:: 'dev-3p-services-alb', - }, - }, - }, - 'qa-3p':: self.default { - loadBalancer+:: { - annotations+:: { - alb:: 'qa-3p-services-alb', - }, - }, - }, - }, - - 'aps1.np.navi-amc.in':: { - default:: $.baseCluster { - additionalTags+:: { - product:: 'amc', - }, - loadBalancer+:: { - annotations+:: { - webAcl:: 'arn:aws:wafv2:ap-south-1:667580634104:regional/webacl/AclNonProdAmc/354559db-49fc-465c-9b30-fd84d4583c40', - securityGroups+:: { - - //This security group allows inter k8 cluster communication(nodes security group) - internal:: 'sg-02acb03253f80d846', - - //This security group allows packets from office Ips(VPN, LAN etc) - officeIp:: 'sg-0655b24320f15a3c7', - - //This security group allows packets from everywhere - internetFacing:: 'sg-0064b8d763e4ee8a6', - - natIp:: 'sg-03986fe435275bce3', - - //This security group allows HTTP traffic from everywhere - http:: 'sg-09c7dc317585f77fe', - }, - sslCert:: { - 'np.navi-amc.in':: 'arn:aws:acm:ap-south-1:667580634104:certificate/d6b73d36-d83b-4a75-aec3-bb05b8c995a4', - 'navi.com':: 'arn:aws:acm:ap-south-1:667580634104:certificate/d6b73d36-d83b-4a75-aec3-bb05b8c995a4', - }, - accessLog:: true, - accessLogBucket:: 'aps1.np.navi-amc.in-alb-access-logs', - subnets:: { - internal: 'ap-south-1a.aps1.np.navi-amc.in,ap-south-1b.aps1.np.navi-amc.in,ap-south-1c.aps1.np.navi-amc.in', - }, - }, - }, - }, - qa:: self.default { - loadBalancer+:: { - annotations+:: { - alb:: 'qa-services-alb', - }, - }, - }, - dev:: self.default { - loadBalancer+:: { - annotations+:: { - alb:: 'dev-services-alb', - }, - }, - }, - 'qa-internal':: self.default { - loadBalancer+:: { - annotations+:: { - alb:: 'qa-internal-services-alb', - }, - }, - }, - perf:: self.default { - loadBalancer+:: { - annotations+:: { - alb:: 'perf-services-alb', - }, - }, - }, - 'dev-internal':: self.default { - loadBalancer+:: { - annotations+:: { - alb:: 'dev-internal-services-alb', - }, - }, - }, - 'dev-critical':: self.default { - loadBalancer+:: { - annotations+:: { - alb:: 'dev-critical-services-alb', - }, - }, - }, - 'qa-critical':: self.default { - loadBalancer+:: { - annotations+:: { - alb:: 'qa-critical-services-alb', - }, - }, - }, - 'dev-3p':: self.default { - loadBalancer+:: { - annotations+:: { - alb:: 'dev-3p-services-alb', - }, - }, - }, - 'qa-3p':: self.default { - loadBalancer+:: { - annotations+:: { - alb:: 'qa-3p-services-alb', - }, - }, - }, - }, - - 'aps1.np.navi-sa.in':: { - default:: $.baseCluster { - additionalTags+:: { - product:: 'sa', - }, - flinkBucket: 'navi-flink-sa-nonprod', - awsAccountId: 197185947855, - loadBalancer+:: { - annotations+:: { - webAcl:: 'arn:aws:wafv2:ap-south-1:197185947855:regional/webacl/AclNonProdSa/bbb07e35-7353-41d2-8603-fcbac4adf181', - securityGroups+:: { - - //This security group allows inter k8 cluster communication(nodes security group) - internal:: 'sg-0800f97f9c4cf731b', - - //This security group allows packets from office Ips(VPN, LAN etc) - officeIp:: 'sg-0c954334a33a84784', - - //This security group allows packets from everywhere - internetFacing:: 'sg-00abfe4eb79cb607b', - - natIp:: 'sg-01d5ec5d474097cae', - - //This security group allows HTTP traffic from everywhere - http:: 'sg-079bf73b2288f63ae', - - // Cloudflare ips - cdn:: 'sg-023c2b1a40cdae68d', - }, - sslCert:: { - 'np.navi-sa.in':: 'arn:aws:acm:ap-south-1:197185947855:certificate/a8025483-daf3-49f9-8528-4ffa4683ce88', - 'navi.com':: 'arn:aws:acm:ap-south-1:197185947855:certificate/a8025483-daf3-49f9-8528-4ffa4683ce88', - 'loangy.com':: 'arn:aws:acm:ap-south-1:197185947855:certificate/202f2edf-51ff-4b8d-97af-84750f8d15cf', - 'nuford.com':: 'arn:aws:acm:ap-south-1:197185947855:certificate/68208769-4040-4b29-842f-a1034c5f338a', - }, - accessLogBucket:: 'aps1.np.navi-sa.in-alb-access-logs', - accessLog:: true, - subnets:: { - internal: 'ap-south-1a.aps1.np.navi-sa.in,ap-south-1b.aps1.np.navi-sa.in,ap-south-1c.aps1.np.navi-sa.in', - }, - }, - }, - isSwApmEnabled:: false, - }, - qa:: self.default { - loadBalancer+:: { - annotations+:: { - alb:: 'qa-services-alb', - }, - }, - }, - 'navi-ops-tech-qa':: self.default { - loadBalancer+:: { - annotations+:: { - alb:: 'qa-services-alb', - }, - }, - }, - 'navi-ops-tech-dev':: self.default { - loadBalancer+:: { - annotations+:: { - alb:: 'dev-services-alb', - }, - }, - }, - dev:: self.default { - loadBalancer+:: { - annotations+:: { - alb:: 'dev-services-alb', - }, - }, - }, - 'qa-internal':: self.default { - loadBalancer+:: { - annotations+:: { - alb:: 'qa-internal-services-alb', - }, - }, - }, - perf:: self.default { - loadBalancer+:: { - annotations+:: { - alb:: 'perf-services-alb', - }, - }, - }, - 'dev-internal':: self.default { - loadBalancer+:: { - annotations+:: { - alb:: 'dev-internal-services-alb', - }, - }, - }, - 'dev-critical':: self.default { - loadBalancer+:: { - annotations+:: { - alb:: 'dev-critical-services-alb', - }, - }, - }, - 'qa-critical':: self.default { - loadBalancer+:: { - annotations+:: { - alb:: 'qa-critical-services-alb', - }, - }, - }, - 'dev-3p':: self.default { - loadBalancer+:: { - annotations+:: { - alb:: 'dev-3p-services-alb', - }, - }, - }, - 'qa-3p':: self.default { - loadBalancer+:: { - annotations+:: { - alb:: 'qa-3p-services-alb', - }, - }, - }, - }, - - // sa-prod - 'aps1.prod.navi-sa.in':: { - default:: $.baseCluster { - additionalTags+:: { - product:: 'sa', - }, - flinkBucket: 'navi-flink-sa-prod', - awsAccountId: 120419666648, - isVpaDeployed:: true, - loadBalancer+: { - annotations+:: { - webAcl:: 'arn:aws:wafv2:ap-south-1:120419666648:regional/webacl/AclMASProdSa/3cd8ff0b-716b-4342-aa69-9592bc98055d', - securityGroups+:: { - //This security group allows packets from everywhere - internetFacing:: 'sg-0eefc892db09982c2', - - //This security group allows packets from office Ips(VPN, LAN etc) - officeIp:: 'sg-0fe034c75aa465ef3', - - //This security group allows inter k8 cluster communication - internal:: 'sg-011f3fb53e6506486', - - //This security group allows communication from nat gateways of prod cluster - natIp:: 'sg-03b3400e9107cf8bc', - - //This security group allows HTTP traffic from everywhere - http:: 'sg-0853dd98badfed3bd', - - // Cloudflare ips - cdn:: 'sg-01ee5bcb8640e2a1a', - }, - sslCert:: { - 'prod.navi-sa.in':: 'arn:aws:acm:ap-south-1:120419666648:certificate/196a820c-feec-4005-a7fd-a51ed72d4329', - 'navi.com':: 'arn:aws:acm:ap-south-1:120419666648:certificate/196a820c-feec-4005-a7fd-a51ed72d4329', - 'navi.net':: 'arn:aws:acm:ap-south-1:120419666648:certificate/fdfab80c-fc67-4005-938c-05b1188508ee', - 'loangy.com':: 'arn:aws:acm:ap-south-1:120419666648:certificate/a9494b99-c325-4058-bd51-807a3c8227a9', - 'nuford.com':: 'arn:aws:acm:ap-south-1:120419666648:certificate/d96e7a0d-8a14-46a0-92da-95a13faedf3f', - 'navifinserv.com':: 'arn:aws:acm:ap-south-1:120419666648:certificate/15f090d7-608c-4938-911c-6244a9922eb6', - }, - subnets:: { - internal: 'ap-south-1a.aps1.prod.navi-sa.in,ap-south-1b.aps1.prod.navi-sa.in,ap-south-1c.aps1.prod.navi-sa.in', - }, - accessLogBucket:: 'aps1.prod.navi-sa.in-alb-access-logs', - accessLog:: true, - deletionProtection:: false, - }, - }, - }, - 'prod-3p':: self.default { - loadBalancer+:: { - fixedHostNames+:: { - 'mobile-application': 'sa-api.navi.com', - }, - }, - }, - }, - - //PROD cluster - 'aps1.prod.navi-tech.in':: { - default:: $.baseCluster { - additionalTags+:: { - product:: 'lending', - }, - flinkBucket: 'navi-flink-prod', - isEfsSupported: true, - isFsxSupported: true, - awsAccountId: 492941056607, - isVpaDeployed:: true, - loadBalancer+: { - annotations+:: { - webAcl:: 'arn:aws:wafv2:ap-south-1:492941056607:regional/webacl/AclProd/fa85bcff-3c71-434c-be4f-dc4e0456c47d', - securityGroups+:: { - //This security group allows packets from everywhere - internetFacing:: 'sg-0a4e70d66a8a8bc34', - - //This security group allows packets from office Ips(VPN, LAN etc) - officeIp:: 'sg-0df3121be8adc2fbc', - - //This security group allows inter k8 cluster communication - internal:: 'sg-064d258429b99b518', - - //This security group allows communication from nat gateways of prod cluster - natIp:: 'sg-0c7fb31b9b27e5e6f', - - //This security group allows HTTP traffic from everywhere - http:: 'sg-032733713f4787bdc', - - cdn:: 'sg-09317e0e354c7f81f', - }, - sslCert:: { - 'prod.navi-tech.in':: 'arn:aws:acm:ap-south-1:492941056607:certificate/07a548dc-249d-4475-8783-58e3060b0c3f', - 'prod.navi-ext.com':: 'arn:aws:acm:ap-south-1:492941056607:certificate/0a3af671-4e93-415a-a05d-7f4d7dead5dc', - 'navi-ext.com':: 'arn:aws:acm:ap-south-1:492941056607:certificate/0a3af671-4e93-415a-a05d-7f4d7dead5dc', - 'navi.com':: 'arn:aws:acm:ap-south-1:492941056607:certificate/50681498-31f5-4117-8b42-8d0662ab5e93', - 'go-nlc.com':: 'arn:aws:acm:ap-south-1:492941056607:certificate/0ae1b16f-855c-48ca-bcf8-8692a7893d95', - 'navi.net':: 'arn:aws:acm:ap-south-1:492941056607:certificate/194e6d16-a263-4f08-bc2a-414e05bf5cd3', - 'naviinsurance.com':: 'arn:aws:acm:ap-south-1:492941056607:certificate/6e9dfccd-9794-483f-a884-789abf81747d', - }, - subnets:: { - internal: 'internal-lb-ap-south-1a.aps1.prod.navi-tech.in,internal-lb-ap-south-1b.aps1.prod.navi-tech.in,internal-lb-ap-south-1c.aps1.prod.navi-tech.in', - }, - accessLogBucket:: 'navi-prod-lb-access-logs', - accessLog:: true, - deletionProtection:: false, - }, - }, - }, - 'prod-3p':: self.default { - loadBalancer+:: { - fixedHostNames+:: { - 'mobile-application': 'api.navi.com', - }, - }, - }, - }, - - // GI cluster - - //PROD cluster - 'aps1.prod.navi-gi.in':: { - default:: $.baseCluster { - additionalTags+:: { - product:: 'gi', - }, - flinkBucket: 'navi-flink-gi-prod', - awsAccountId: 590617173486, - loadBalancer+: { - annotations+:: { - webAcl:: 'arn:aws:wafv2:ap-south-1:590617173486:regional/webacl/AclMASProdGi/284f5c83-ae37-4197-b885-37773aded948', - securityGroups+:: { - //This security group allows packets from everywhere - internetFacing:: 'sg-0b1ccba594a9d1119', - - //This security group allows packets from office Ips(VPN, LAN etc) - officeIp:: 'sg-09598b733e28af8f1', - - //This security group allows inter k8 cluster communication - internal:: 'sg-0c3570037bbe9e753', - - //This security group allows communication from nat gateways of prod cluster - natIp:: 'sg-0c13df2b692dadfbc', - - //This security group allows HTTP traffic from everywhere - http:: 'sg-0c325908ef9db57da', - - // Cloudflare ips - cdn:: 'sg-0ecd8f0de802b40c2', - }, - sslCert:: { - 'prod.navi-gi.in':: 'arn:aws:acm:ap-south-1:590617173486:certificate/2ceb99d1-c50d-47d3-8e37-6743726fe48d', - 'prod.navi-gi-ext.com':: 'arn:aws:acm:ap-south-1:590617173486:certificate/2ceb99d1-c50d-47d3-8e37-6743726fe48d', - 'naviinsurance.com':: 'arn:aws:acm:ap-south-1:590617173486:certificate/b60efe78-e8da-43c0-ac7a-cb61adaffd43', - 'navi-gi.in':: 'arn:aws:acm:ap-south-1:590617173486:certificate/b60efe78-e8da-43c0-ac7a-cb61adaffd43', - 'navi.com':: 'arn:aws:acm:ap-south-1:590617173486:certificate/2ceb99d1-c50d-47d3-8e37-6743726fe48d', - 'argohealthsure.com':: 'arn:aws:acm:ap-south-1:590617173486:certificate/481cebc0-897f-48d2-88a7-9a1eccbfe793', - 'navi.net':: 'arn:aws:acm:ap-south-1:590617173486:certificate/904c0763-75ec-4c6c-8ac7-2094d72e778c', - - }, - subnets:: { - internal: 'ap-south-1a.aps1.prod.navi-gi.in,ap-south-1b.aps1.prod.navi-gi.in,ap-south-1c.aps1.prod.navi-gi.in', - }, - accessLogBucket:: 'navi-prod-gi-lb-access-logs', - accessLog:: true, - deletionProtection:: false, - }, - }, - }, - 'prod-3p':: self.default { - loadBalancer+:: { - fixedHostNames+:: { - 'mobile-application': 'gi-api.navi.com', - }, - }, - }, - }, - - 'aps1.prod.navi-amc.in':: { - default:: $.baseCluster { - additionalTags+:: { - product:: 'amc', - }, - zalandoEnabled:: false, - flinkBucket: 'navi-flink-navi-amc-prod', - awsAccountId: 121661608696, - isVpaDeployed:: true, - loadBalancer+: { - annotations+:: { - webAcl:: 'WAF ACL is not required for this cluster. Use API Gateway or Cloudflare instead.', - securityGroups+:: { - //This security group allows packets from everywhere - internetFacing:: 'sg-084e3d4a23b307840', - - //This security group allows packets from office Ips(VPN, LAN etc) - officeIp:: 'sg-0ba9c0e4dbb8c1e09', - - //This security group allows inter k8 cluster communication - internal:: 'sg-064a66df84f58df82', - - //This security group allows communication from nat gateways of prod cluster - natIp:: 'sg-045b3038d61746065', - - //This security group allows HTTP traffic from everywhere - http:: 'sg-0a0499ba0ce2a488f', - }, - sslCert:: { - 'prod.navi-amc.in':: 'arn:aws:acm:ap-south-1:121661608696:certificate/20378b6a-0391-43f0-bd59-6ac83ebf7d60', - }, - subnets:: { - internal: 'ap-south-1a.aps1.prod.navi-amc.in,ap-south-1b.aps1.prod.navi-amc.in,ap-south-1c.aps1.prod.navi-amc.in', - }, - accessLogBucket:: 'navi-prod-amc-lb-access-logs', - accessLog:: true, - }, - }, - }, - }, - - //colending PROD cluster - 'aps1.prod.navi-colending.in':: { - default:: $.baseCluster { - additionalTags+:: { - product:: 'colending', - }, - zalandoEnabled:: false, - loadBalancer+: { - annotations+:: { - webAcl:: 'arn:aws:wafv2:ap-south-1:903695743721:regional/webacl/AclMASProdColending/3c155013-3bd1-4198-b7fc-8d345acb2324', - securityGroups+:: { - //This security group allows packets from everywhere - internetFacing:: 'sg-030b62263df624188', - - //This security group allows packets from office Ips(VPN, LAN etc) - officeIp:: 'sg-03b488d79b9bf1d40', - - //This security group allows inter k8 cluster communication - internal:: 'sg-0e58f969aa60be012', - - //This security group allows communication from nat gateways of prod cluster - natIp:: 'sg-00020a1085c55a380', - - //This security group allows HTTP traffic from everywhere - http:: 'sg-05a801a9dcdcaeff2', - }, - sslCert:: { - 'prod.navi-colending.in':: 'arn:aws:acm:ap-south-1:903695743721:certificate/821aa0ec-ecfa-4432-af60-718fe249aede', - 'go-nlc.com':: 'arn:aws:acm:ap-south-1:903695743721:certificate/2c8774fd-de94-47c9-96f5-377fcdd48c1c', - }, - subnets:: { - internal: 'prod-colending-private-subnet01-ap-south-1a,prod-colending-private-subnet01-ap-south-1b,prod-colending-private-subnet01-ap-south-1c', - }, - accessLogBucket:: 'aps1-prod-colending-alb-access-logs', - accessLog:: true, - deletionProtection:: false, - }, - }, - }, - 'prod-3p':: self.default { - loadBalancer+:: { - fixedHostNames+:: { - 'mobile-application': 'colending-api.navi.com', - }, - }, - }, - }, - //colending nonprod cluster - 'aps1.np.navi-colending.in':: { - default:: $.baseCluster { - additionalTags+:: { - product:: 'colending', - }, - zalandoEnabled:: false, - loadBalancer+: { - annotations+:: { - webAcl:: 'arn:aws:wafv2:ap-south-1:942894539187:regional/webacl/AclNonProdColending/fb72041b-1136-4d51-a3af-2f3510c71763', - securityGroups+:: { - //This security group allows packets from everywhere - internetFacing:: 'sg-0001aca7a784a21aa', - - //This security group allows packets from office Ips(VPN, LAN etc) - officeIp:: 'sg-0367bbf59da32f056', - - //This security group allows inter k8 cluster communication - internal:: 'sg-01e48bdc4d14b4b71', - - //This security group allows communication from nat gateways of nonprod cluster - natIp:: 'sg-00e7c7c3ae689c0bb', - - //This security group allows HTTP traffic from everywhere - http:: 'sg-07a6684a8c4caf18e', - }, - sslCert:: { - 'np.navi-colending.in':: 'arn:aws:acm:ap-south-1:942894539187:certificate/c0588d27-8375-4795-89a4-b417f9b92ee4', - }, - subnets:: { - internal: 'nonprod-colending-private-subnet01-ap-south-1a,nonprod-colending-private-subnet01-ap-south-1b,nonprod-colending-private-subnet01-ap-south-1c', - }, - accessLogBucket:: 'aps1-np-colending-alb-access-logs', - accessLog:: true, - deletionProtection:: false, - }, - }, - }, - qa:: self.default { - loadBalancer+:: { - annotations+:: { - alb:: 'qa-services-alb', - }, - }, - }, - dev:: self.default { - loadBalancer+:: { - annotations+:: { - alb:: 'dev-services-alb', - }, - }, - }, - 'qa-internal':: self.default { - loadBalancer+:: { - annotations+:: { - alb:: 'qa-internal-services-alb', - }, - }, - }, - perf:: self.default { - loadBalancer+:: { - annotations+:: { - alb:: 'perf-services-alb', - }, - }, - }, - 'dev-internal':: self.default { - loadBalancer+:: { - annotations+:: { - alb:: 'dev-internal-services-alb', - }, - }, - }, - 'dev-critical':: self.default { - loadBalancer+:: { - annotations+:: { - alb:: 'dev-critical-services-alb', - }, - }, - }, - 'qa-critical':: self.default { - loadBalancer+:: { - annotations+:: { - alb:: 'qa-critical-services-alb', - }, - }, - }, - 'dev-3p':: self.default { - loadBalancer+:: { - annotations+:: { - alb:: 'dev-3p-services-alb', - }, - }, - }, - 'qa-3p':: self.default { - loadBalancer+:: { - annotations+:: { - alb:: 'qa-3p-services-alb', - }, - }, - }, - }, - - //navi-pay nonprod cluster - 'aps1.np.navi-pay.in':: { - default:: $.baseCluster { - additionalTags+:: { - product:: 'navi-pay', - }, - flinkBucket: 'navi-flink-navi-pay-nonprod', - awsAccountId: 840875920349, - zalandoEnabled:: false, - commonApiGateway+:: { - externalAuth:: { - config:: { - url:: 'https://dev-navipay-external-client.np.navi-pay.in/external-client-service/auth', - }, - }, - }, - loadBalancer+: { - annotations+:: { - webAcl:: 'arn:aws:wafv2:ap-south-1:840875920349:regional/webacl/AclNonProdNaviPay/4066d790-24db-420b-8bef-18fab8aab41e', - securityGroups+:: { - //This security group allows packets from everywhere - internetFacing:: 'sg-0fa070f1f06716bff', - - //This security group allows packets from office Ips(VPN, LAN etc) - officeIp:: 'sg-0e3a4d99b08f1af52', - - //This security group allows inter k8 cluster communication - internal:: 'sg-08780f13445d3455d', - - //This security group allows communication from nat gateways of nonprod cluster - natIp:: 'sg-0eb39100171bbde83', - - //This security group allows HTTP traffic from everywhere - http:: 'sg-08721320e6adbdf1b', - - // Cloudflare ips - cdn:: 'sg-04aa6cd49eed4a11d', - }, - sslCert:: { - 'np.navi-pay.in':: 'arn:aws:acm:ap-south-1:840875920349:certificate/9a655746-7db5-4c67-8941-22f0ff80026e', - }, - subnets:: { - internal: 'nonprod-navi-pay-private-subnet01-ap-south-1a,nonprod-navi-pay-private-subnet01-ap-south-1b,nonprod-navi-pay-private-subnet01-ap-south-1c', - }, - accessLogBucket:: 'aps1-np-navi-pay-alb-access-logs', - accessLog:: true, - deletionProtection:: false, - }, - }, - }, - qa:: self.default { - loadBalancer+:: { - annotations+:: { - alb:: 'qa-services-alb', - }, - }, - }, - dev:: self.default { - loadBalancer+:: { - annotations+:: { - alb:: 'dev-services-alb', - }, - }, - }, - 'qa-internal':: self.default { - loadBalancer+:: { - annotations+:: { - alb:: 'qa-internal-services-alb', - }, - }, - }, - perf:: self.default { - loadBalancer+:: { - annotations+:: { - alb:: 'perf-services-alb', - }, - }, - }, - 'dev-internal':: self.default { - loadBalancer+:: { - annotations+:: { - alb:: 'dev-internal-services-alb', - }, - }, - }, - 'dev-critical':: self.default { - loadBalancer+:: { - annotations+:: { - alb:: 'dev-critical-services-alb', - }, - }, - }, - 'qa-critical':: self.default { - loadBalancer+:: { - annotations+:: { - alb:: 'qa-critical-services-alb', - }, - }, - }, - 'dev-3p':: self.default { - loadBalancer+:: { - annotations+:: { - alb:: 'dev-3p-services-alb', - }, - }, - }, - 'qa-3p':: self.default { - loadBalancer+:: { - annotations+:: { - alb:: 'qa-3p-services-alb', - }, - }, - }, - }, - - //navi-saas nonprod cluster - 'aps1.np.navi-saas.in':: { - default:: $.baseCluster { - additionalTags+:: { - product:: 'saas', - }, - zalandoEnabled:: false, - loadBalancer+: { - annotations+:: { - webAcl:: 'arn:aws:wafv2:ap-south-1:334573405453:regional/webacl/AclNonProdNaviSaas/8f6e2e84-9c90-4956-825c-4cff20a38e18', - securityGroups+:: { - //This security group allows packets from everywhere - internetFacing:: 'sg-0478f9870d4a9c560', - - //This security group allows packets from office Ips(VPN, LAN etc) - officeIp:: 'sg-02af9692b15baa4f3', - - //This security group allows inter k8 cluster communication - internal:: 'sg-0c9b05d1d251ad6a4', - - //This security group allows communication from nat gateways of nonprod cluster - natIp:: 'sg-0ba2f4125960ee4c9', - - //This security group allows HTTP traffic from everywhere - http:: 'sg-00f43883eaa7a2ebb', - - // Cloudflare ips - cdn:: 'sg-0d8654c7f61d13b36', - }, - sslCert:: { - 'np.navi-saas.in':: 'arn:aws:acm:ap-south-1:334573405453:certificate/7dc303c8-2fd6-40c9-89fd-d85676e00f74', - }, - subnets:: { - internal: 'nonprod-navi-saas-private-subnet01-ap-south-1a,nonprod-navi-saas-private-subnet01-ap-south-1b,nonprod-navi-saas-private-subnet01-ap-south-1c', - }, - accessLogBucket:: 'aps1-np-navi-saas-alb-access-logs', - accessLog:: true, - deletionProtection:: false, - }, - }, - }, - qa:: self.default { - loadBalancer+:: { - annotations+:: { - alb:: 'qa-services-alb', - }, - }, - }, - dev:: self.default { - loadBalancer+:: { - annotations+:: { - alb:: 'dev-services-alb', - }, - }, - }, - 'qa-internal':: self.default { - loadBalancer+:: { - annotations+:: { - alb:: 'qa-internal-services-alb', - }, - }, - }, - perf:: self.default { - loadBalancer+:: { - annotations+:: { - alb:: 'perf-services-alb', - }, - }, - }, - 'dev-internal':: self.default { - loadBalancer+:: { - annotations+:: { - alb:: 'dev-internal-services-alb', - }, - }, - }, - 'dev-critical':: self.default { - loadBalancer+:: { - annotations+:: { - alb:: 'dev-critical-services-alb', - }, - }, - }, - 'qa-critical':: self.default { - loadBalancer+:: { - annotations+:: { - alb:: 'qa-critical-services-alb', - }, - }, - }, - 'dev-3p':: self.default { - loadBalancer+:: { - annotations+:: { - alb:: 'dev-3p-services-alb', - }, - }, - }, - 'qa-3p':: self.default { - loadBalancer+:: { - annotations+:: { - alb:: 'qa-3p-services-alb', - }, - }, - }, - }, - - //Spike cluster - 'spike.np.navi-tech.in':: { - default:: $.baseCluster { - additionalTags+:: { - product:: 'shared', - }, - loadBalancer+:: { - annotations+:: { - webAcl:: 'arn:aws:wafv2:ap-south-1:571315076762:regional/webacl/AclNonProd/9ad3e612-4125-42ec-ab83-9e83ce95ac22', - securityGroups+:: { - //This security group allows packets from everywhere - internetFacing:: 'sg-0ebec8d9727618fd6', - - //This security group allows packets from office Ips(VPN, LAN etc) - officeIp:: 'sg-0fd848902c4616550', - - //This security group allows inter k8 cluster communication - internal:: 'sg-009129cbe138c921a', - - // sg for http - http:: 'sg-06cc4240b0ffd8cc4', - - // sg for CF ips - cdn:: 'sg-0b7563d6b962d6676', - }, - sslCert:: { - 'spike.navi-tech.in':: 'arn:aws:acm:ap-south-1:571315076762:certificate/4cbea2e2-2a83-4733-a822-29f44a6a16c4', - 'spike.navi-ext.com':: 'arn:aws:acm:ap-south-1:571315076762:certificate/ccf17c74-a5eb-4470-9963-cff3c3296c97', - }, - accessLogBucket:: 'navi-nonprod-lb-access-logs', - deletionProtection:: false, - }, - }, - }, - }, - - //Data platform cluster - 'aps1.dp.navi-tech.in':: { - default:: $.baseCluster { - sidecarEnabled:: false, - additionalTags+:: { - product:: 'DataPlatform', - }, - flinkBucket: 'navi-flink-dp-prod', - awsAccountId: 594542361424, - isVpaDeployed:: false, - loadBalancer+:: { - annotations+:: { - webAcl:: 'WAF ACL is not required for this cluster. Use API Gateway or Cloudflare instead.', - securityGroups+:: { - - //This security group allows inter k8 cluster communication(nodes security group) - internal:: 'sg-07a65dbfbd6c42341', - - //This security group allows packets from office Ips(VPN, LAN etc) - officeIp:: 'sg-04b7d5863a360176c', - - //This security group allows packets from everywhere - internetFacing:: 'sg-0473a1399a9671143', - - natIp:: 'sg-0099e44dd1758ab89', - - //This security group allows HTTP traffic from everywhere - http:: 'sg-03eaac3bc24db6738', - - // Cloudflare SG - cdn:: 'sg-0a3d26e45c4d32787', - }, - sslCert:: { - 'dp.navi-tech.in':: 'arn:aws:acm:ap-south-1:594542361424:certificate/3646fee2-c07a-4e43-9683-14edb14cf694', - 'prod.navi-tech.in':: 'arn:aws:acm:ap-south-1:492941056607:certificate/07a548dc-249d-4475-8783-58e3060b0c3f', - }, - accessLog:: true, - accessLogBucket:: 'aps1-dp-navi-tech-alb-access-logs', - subnets:: { - internal: 'data-platform-eks-private-ap-south-1a,data-platform-eks-private-ap-south-1b,data-platform-eks-private-ap-south-1c', - }, - }, - }, - }, - }, - //Data platform cluster - 'aps1.np.dp.navi-tech.in':: { - default:: $.baseCluster { - sidecarEnabled:: false, - additionalTags+:: { - product:: 'DataPlatform', - }, - flinkBucket: 'navi-flink-dp-nonprod', - awsAccountId: 644366753862, - isVpaDeployed:: false, - loadBalancer+:: { - annotations+:: { - webAcl:: 'WAF ACL is not required for this cluster. Use API Gateway or Cloudflare instead.', - securityGroups+:: { - - //This security group allows inter k8 cluster communication(nodes security group) - internal:: 'sg-0694dbac4b980a99c', - - //This security group allows packets from office Ips(VPN, LAN etc) - officeIp:: 'sg-05577e828628ad6fa', - - //This security group allows packets from everywhere - internetFacing:: 'sg-0bc67bbc16eeaa7fc', - - natIp:: 'sg-0b1c4e57f642bf766', - - //This security group allows HTTP traffic from everywhere - http:: 'sg-00667a4f566c8ffc8', - - // Cloudflare SG - cdn:: 'sg-015f6617b95d8448f', - }, - sslCert:: { - 'np.dp.navi-tech.in':: 'arn:aws:acm:ap-south-1:644366753862:certificate/1033dabd-c5c8-4e45-aad1-380d53c1d232', - }, - accessLog:: true, - accessLogBucket:: 'aps1-np-dp-navi-tech-alb-access-logs', - subnets:: { - internal: 'data-platform-nonprod-private-subnet01-ap-south-1a,data-platform-nonprod-private-subnet01-ap-south-1b', - }, - }, - }, - }, - }, - - //Navi-pay prod cluster - 'aps1.prod.navi-pay.in':: { - default:: $.baseCluster { - additionalTags+:: { - product:: 'navi-pay', - }, - zalandoEnabled:: false, - flinkBucket: 'navi-flink-prod', - awsAccountId: 928489389470, - isVpaDeployed:: true, - loadBalancer+:: { - annotations+:: { - webAcl:: 'WAF ACL is not required for this cluster. Use API Gateway or Cloudflare instead.', - securityGroups+:: { - - //This security group allows inter k8 cluster communication(nodes security group) - internal:: 'sg-038b43e1ec70f8e8f', - - //This security group allows packets from office Ips(VPN, LAN etc) - officeIp:: 'sg-008cea2813bc422d0', - - //This security group allows packets from everywhere - internetFacing:: 'sg-06e5131b85ed91eb6', - - natIp:: 'sg-06476c7a084fc7994', - - //This security group allows HTTP traffic from everywhere - http:: 'sg-0c4b2773323da9c66', - - // Cloudflare SG - cdn:: 'sg-0971dd662e54a5722', - }, - sslCert:: { - 'prod.navi-pay.in':: 'arn:aws:acm:ap-south-1:928489389470:certificate/4c2826e3-5f7d-4dd6-a279-3584ee15d8fb', - }, - accessLog:: true, - accessLogBucket:: 'aps1-prod-navi-pay-alb-access-logs', - subnets:: { - internal: 'prod-navi-pay-private-subnet01-ap-south-1a,prod-navi-pay-private-subnet01-ap-south-1b,prod-navi-pay-private-subnet01-ap-south-1c', - }, - }, - }, - }, - }, - - 'aps1.prod.ml.navi-tech.in':: { - default:: $.baseCluster { - additionalTags+:: { - product:: 'blizzard', - }, - flinkBucket: 'navi-flink-ml-prod', - heapDumpBucket: 'java-heap-dumps-ml-prod', - isEfsSupported: true, - isFsxSupported: true, - awsAccountId: 492941056607, - isVpaDeployed:: false, - loadBalancer+:: { - annotations+:: { - webAcl:: 'WAF ACL is not required for this cluster. Use API Gateway or Cloudflare instead.', - securityGroups+:: { - //This security group allows inter k8 cluster communication(nodes security group) - internal:: 'sg-05d9d3e66d55ed677', - - //This security group allows packets from office Ips(VPN, LAN etc) - officeIp:: 'sg-0139d7eb8709a9fdc', - - //This security group allows packets from everywhere - internetFacing:: 'sg-0e0cca12102820a81', - - natIp:: 'sg-0efb731547402e4b2', - - //This security group allows HTTP traffic from everywhere - http:: 'sg-0762245d9e914ceec', - - // Cloudflare SG - cdn:: 'sg-0d429839605004d55', - }, - sslCert:: { - 'prod.ml.navi-tech.in':: 'arn:aws:acm:ap-south-1:492941056607:certificate/6bca6bec-e70b-4557-9f06-c7c4ac731ea1', - 'prod.navi-tech.in':: 'arn:aws:acm:ap-south-1:492941056607:certificate/07a548dc-249d-4475-8783-58e3060b0c3f', - }, - accessLog:: true, - accessLogBucket:: 'aps1-prod-mlops-alb-access-logs', - subnets:: { - internal: 'prod-mlops-private-subnet01-ap-south-1a,prod-mlops-private-subnet01-ap-south-1b,prod-mlops-private-subnet01-ap-south-1c', - }, - }, - }, - zalandoEnabled:: false, - }, - }, - 'aps1.np.navi-ppl.in'::{ - default:: $.baseCluster { - additionalTags+:: { - product:: 'navi-ppl', - }, - flinkBucket: 'navi-flink-navi-ppl-nonprod', - awsAccountId: 471112764652, - zalandoEnabled:: false, - isVpaDeployed:: true, - loadBalancer+:: { - annotations+:: { - webAcl:: 'WAF ACL is not required for this cluster. Use API Gateway or Cloudflare instead.', - securityGroups+:: { - //This security group allows inter k8 cluster communication(nodes security group) - internal:: 'sg-0051cb11fff4c5fb2', - - //This security group allows packets from office Ips(VPN, LAN etc) - officeIp:: 'sg-0be3e60ef8a431589', - - //This security group allows packets from everywhere - internetFacing:: 'sg-0a92ec85b904a120c', - - //This security group allows communication from nat gateways of nonprod cluster - natIp:: 'sg-0ad9b23a6bce01619', - - //This security group allows HTTP traffic from everywhere - http:: 'sg-0be7aeae9826fdd35', - - // Cloudflare SG - cdn:: 'sg-0d45e72ff61d8dd53', - }, - sslCert:: { - 'np.navi-ppl.in':: 'arn:aws:acm:ap-south-1:471112764652:certificate/fd0e85af-3e19-4086-944a-3e12f3b91b31', - }, - accessLog:: true, - accessLogBucket:: 'aps1-np-navi-ppl-alb-access-logs', - subnets:: { - internal: 'nonprod-navi-ppl-private-subnet01-ap-south-1a,nonprod-navi-ppl-private-subnet01-ap-south-1b,nonprod-navi-ppl-private-subnet01-ap-south-1c', - }, - deletionProtection:: false, - }, - }, - }, - qa:: self.default { - loadBalancer+:: { - annotations+:: { - alb:: 'qa-services-alb', - }, - }, - }, - dev:: self.default { - loadBalancer+:: { - annotations+:: { - alb:: 'dev-services-alb', - }, - }, - }, - 'qa-internal':: self.default { - loadBalancer+:: { - annotations+:: { - alb:: 'qa-internal-services-alb', - }, - }, - }, - perf:: self.default { - loadBalancer+:: { - annotations+:: { - alb:: 'perf-services-alb', - }, - }, - }, - 'dev-internal':: self.default { - loadBalancer+:: { - annotations+:: { - alb:: 'dev-internal-services-alb', - }, - }, - }, - 'dev-critical':: self.default { - loadBalancer+:: { - annotations+:: { - alb:: 'dev-critical-services-alb', - }, - }, - }, - 'qa-critical':: self.default { - loadBalancer+:: { - annotations+:: { - alb:: 'qa-critical-services-alb', - }, - }, - }, - 'dev-3p':: self.default { - loadBalancer+:: { - annotations+:: { - alb:: 'dev-3p-services-alb', - }, - }, - }, - 'qa-3p':: self.default { - loadBalancer+:: { - annotations+:: { - alb:: 'qa-3p-services-alb', - }, - }, - }, - }, - 'aps1.prod.navi-ppl.in':: { - default:: $.baseCluster { - additionalTags+:: { - product:: 'navi-ppl', - }, - zalandoEnabled:: false, - flinkBucket: 'navi-flink-navi-ppl-prod', - awsAccountId: 471112770174, - isVpaDeployed:: true, - loadBalancer+:: { - annotations+:: { - webAcl:: 'WAF ACL is not required for this cluster. Use API Gateway or Cloudflare instead.', - securityGroups+:: { - - //This security group allows inter k8 cluster communication(nodes security group) - internal:: 'sg-0f938fdee0487d9cb', - - //This security group allows packets from office Ips(VPN, LAN etc) - officeIp:: 'sg-0b20b1e4d6bdaacd8', - - //This security group allows packets from everywhere - internetFacing:: 'sg-0d203187e4a7fde6f', - - natIp:: 'sg-0d6989b921d40fb98', - - //This security group allows HTTP traffic from everywhere - http:: 'sg-0e2b16c7bc3151f47', - - // Cloudflare SG - cdn:: 'sg-0dbefd59452817bc6', - }, - sslCert:: { - 'prod.navi-ppl.in':: 'arn:aws:acm:ap-south-1:471112770174:certificate/a9bacc24-150d-4725-a888-cdf340b15e60', - }, - accessLog:: true, - accessLogBucket:: 'aps1-prod-navi-ppl-alb-access-logs', - subnets:: { - internal: 'prod-navi-ppl-private-subnet01-ap-south-1a,prod-navi-ppl-private-subnet01-ap-south-1b,prod-navi-ppl-private-subnet01-ap-south-1c', - }, - }, - }, - }, - } -} diff --git a/templates/common.jsonnet b/templates/common.jsonnet deleted file mode 100644 index f895274a..00000000 --- a/templates/common.jsonnet +++ /dev/null @@ -1,67 +0,0 @@ -local chart = import 'chart.jsonnet'; -local deployment_manifest = import 'deployment_manifest.jsonnet'; -local load_balancer_util = import 'load_balancer_util.jsonnet'; -local namespace_values = import 'namespace_values.jsonnet'; -local util = import 'util.jsonnet'; -local metadata = deployment_manifest.metadata; - -local remove_slash = function(key, value) - util.replace_character_in_string(metadata[key], '/', '_'); - -local metadata_without_slash = std.mapWithKey(remove_slash, metadata); - -local metadata_labels = { [field]: metadata_without_slash[field] for field in std.objectFields(metadata_without_slash) if field != 'product' }; -{ - labels:: - (if 'labels' in deployment_manifest then deployment_manifest.labels else {}) + - (metadata_labels) + - { - app: chart.service_name, - chart: chart.service_chart, - heritage: 'NaviDeploymentManifest', - release: deployment_manifest.name, - Team: deployment_manifest.team.name, - Environment: deployment_manifest.environment, - Name: deployment_manifest.name, - Product: if 'product' in metadata then metadata.product else namespace_values.additionalTags.product, - Owner: if deployment_manifest.infraVertical == 'lending' then 'medici' else if deployment_manifest.infraVertical == 'insurance' then 'gi' else deployment_manifest.infraVertical, - }, - - matchLabels:: - { - app: chart.service_name, - release: deployment_manifest.name, - }, - - awsTags:: { - app: deployment_manifest.name, - Environment: $.labels.Environment, - Team: $.labels.Team, - Name: $.labels.Name, - Owner: $.labels.Owner, - Product: $.labels.Product, - Namespace: deployment_manifest.deployment.namespace, - Ingress: load_balancer_util.alb_ingress_name(chart.full_service_name($.labels.Name)), - }, - - perfMockServerLabels:: $.labels { - release: deployment_manifest.deployment.name + '-mock-server', - Name: deployment_manifest.deployment.name + '-mock-server', - }, - - perfPostgresServerLabels:: $.labels { - release: deployment_manifest.deployment.name + '-postgres-server', - Name: deployment_manifest.deployment.name + '-postgres-server', - }, - - janitor_annotation:: { - 'janitor/ttl': deployment_manifest.metadata.ttl, - }, - - annotations_map:: { - perf: $.janitor_annotation, - sandbox: $.janitor_annotation, - }, - - annotations:: if deployment_manifest.environment in $.annotations_map then $.annotations_map[deployment_manifest.environment] else {}, -} diff --git a/templates/common_api_gateway.jsonnet b/templates/common_api_gateway.jsonnet deleted file mode 100644 index b668003c..00000000 --- a/templates/common_api_gateway.jsonnet +++ /dev/null @@ -1,213 +0,0 @@ -//Imports -local chart = import 'chart.jsonnet'; -local cluster_values = import 'cluster_values.jsonnet'; -local common = import 'common.jsonnet'; -local deployment_manifest = import 'deployment_manifest.jsonnet'; -local load_balancer_util = import 'load_balancer_util.jsonnet'; -local namespace_values = import 'namespace_values.jsonnet'; -local port_map = import 'port_map.jsonnet'; -local util = import 'util.jsonnet'; -local deployment = deployment_manifest.deployment; - -local create_gateway_ingress(environment, servicePrefix, typeIdentifier, gateway, attributeIndex, serviceName) = { - local resourceName = '%s-%s-%s-%s' % [environment, servicePrefix, typeIdentifier, gateway.gatewayAttributes[attributeIndex].pathName], - local commonResourceName = '%s-%s-%s' % [environment, servicePrefix, gateway.gatewayAttributes[attributeIndex].pathName], - - local rateLimitIdentifier = '%s-%s-%s' % [environment, servicePrefix, typeIdentifier], - local pathName = if 'pathName' in gateway.gatewayAttributes[attributeIndex] then gateway.gatewayAttributes[attributeIndex].pathName, - - local urlRewritePlugin = if (std.objectHas(gateway.gatewayAttributes[attributeIndex], 'sourceGatewayPath')) - && (gateway.gatewayAttributes[attributeIndex].sourceGatewayPath != gateway.gatewayAttributes[attributeIndex].targetGatewayPath) - then commonResourceName + '-url-rewrite', - local externalAuthPlugin = if (std.objectHas(gateway.gatewayAttributes[attributeIndex], 'externalAuth') && typeIdentifier == 'external') - then (if gateway.gatewayAttributes[attributeIndex].externalAuth then resourceName + '-external-auth'), - local ipRestrictedPlugin = if (std.objectHas(gateway.gatewayAttributes[attributeIndex], 'whitelistedGatewayIps') && typeIdentifier == 'external') - then resourceName + '-ip-restriction', - local rateLimitRules = if 'rateLimitRules' in gateway.gatewayAttributes[attributeIndex] - then gateway.gatewayAttributes[attributeIndex].rateLimitRules else [], - local rateLimitPlugin = std.map(function(rule) - '%s-%s-%s-%s-%s' % [environment, servicePrefix, pathName, rule.name, 'rl'], - rateLimitRules), - - local kongPluginsList = [ - urlRewritePlugin, - ipRestrictedPlugin, - externalAuthPlugin, - (if typeIdentifier == 'external' then std.join(',', rateLimitPlugin)), - ], - local filteresKongPluginsList = std.filter(function(plugin) plugin != null && std.length(plugin) > 0, kongPluginsList), - - - apiVersion: 'networking.k8s.io/v1', - kind: 'Ingress', - metadata: { - name: resourceName, - labels: common.labels { - Name: resourceName, - 'gateway-resource-identifier': commonResourceName, - }, - annotations: common.annotations { - [if filteresKongPluginsList != null && std.length(filteresKongPluginsList) > 0 then 'konghq.com/plugins']: std.join(',', filteresKongPluginsList), - 'external-dns.alpha.kubernetes.io/exclude': 'true', - }, - namespace: deployment_manifest.deployment.namespace, - }, - spec: { - ingressClassName: 'kong-' + typeIdentifier, - rules: [ - { - host: if (typeIdentifier == 'external') then gateway.commonApiGatewayUrl else gateway.internalCommonApiGatewayUrl, - http: { - paths: [ - { - path: gateway.gatewayAttributes[attributeIndex].sourceGatewayPath, - pathType: 'ImplementationSpecific', - backend: { - service: { - name: serviceName, - port: { - number: port_map.getPort('serviceport'), - }, - }, - }, - }, - ], - }, - }, - ], - }, -}; - -// This will be a common resource across internal & external gateways -local create_gateway_url_plugin(environment, servicePrefix, gateway, attributeIndex, serviceName) = { - local resourceName = '%s-%s-%s' % [environment, servicePrefix, gateway.gatewayAttributes[attributeIndex].pathName], - apiVersion: 'configuration.konghq.com/v1', - kind: 'KongPlugin', - metadata: { - name: resourceName + '-url-rewrite', - labels: common.labels { - Name: resourceName + '-url-rewrite', - 'gateway-resource-identifier': resourceName, - }, - namespace: deployment_manifest.deployment.namespace, - }, - config: { - replace: { - uri: gateway.gatewayAttributes[attributeIndex].targetGatewayPath, - }, - }, - plugin: 'request-transformer', -}; - -local create_external_auth_plugin(environment, servicePrefix, typeIdentifier, gateway, attributeIndex, serviceName) = { - local resourceName = '%s-%s-%s-%s' % [environment, servicePrefix, typeIdentifier, gateway.gatewayAttributes[attributeIndex].pathName], - local commonResourceName = '%s-%s-%s' % [environment, servicePrefix, gateway.gatewayAttributes[attributeIndex].pathName], - local currentCluster = deployment_manifest.cluster, - local currentNamespace = deployment_manifest.deployment.namespace, - local configValues = cluster_values[deployment_manifest.cluster], - local configUrl = if currentNamespace in configValues - then configValues[currentNamespace].commonApiGateway.externalAuth.config.url - else configValues.default.commonApiGateway.externalAuth.config.url, - - apiVersion: 'configuration.konghq.com/v1', - kind: 'KongPlugin', - metadata: { - name: resourceName + '-external-auth', - labels: common.labels { - Name: resourceName + '-external-auth', - 'gateway-resource-identifier': resourceName, - }, - namespace: currentNamespace, - }, - config: { - url: configUrl, - }, - plugin: 'external-auth', -}; - -// This will only be required for External Gateway -local create_gateway_ip_plugin(environment, servicePrefix, typeIdentifier, gateway, attributeIndex, serviceName) = { - local resourceName = '%s-%s-%s-%s' % [environment, servicePrefix, typeIdentifier, gateway.gatewayAttributes[attributeIndex].pathName], - local commonResourceName = '%s-%s-%s' % [environment, servicePrefix, gateway.gatewayAttributes[attributeIndex].pathName], - apiVersion: 'configuration.konghq.com/v1', - kind: 'KongPlugin', - metadata: { - name: resourceName + '-ip-restriction', - labels: common.labels { - Name: resourceName + '-ip-restriction', - 'gateway-resource-identifier': commonResourceName, - }, - namespace: deployment_manifest.deployment.namespace, - }, - config: { - allow: std.split(std.strReplace(gateway.gatewayAttributes[attributeIndex].whitelistedGatewayIps, ' ', ''), ','), - }, - plugin: 'ip-restriction', -}; - -// This is only for external api gateways currently. -local create_kong_rate_limiter(environment, servicePrefix, typeIdentifier, gateway, attributeIndex, serviceName) = { - local resourceName = '%s-%s-%s' % [environment, servicePrefix, gateway.gatewayAttributes[attributeIndex].pathName], - local commonResourceName = '%s-%s-%s' % [environment, servicePrefix, gateway.gatewayAttributes[attributeIndex].pathName], - local forTheGateway = gateway.gatewayAttributes[attributeIndex].sourceGatewayPath, - local rateLimitRules = if 'rateLimitRules' in gateway.gatewayAttributes[attributeIndex] - then gateway.gatewayAttributes[attributeIndex].rateLimitRules else [], - - kongrules: [{ - apiVersion: 'configuration.konghq.com/v1', - kind: 'KongPlugin', - plugin: 'rate-limiting', - metadata: { - name: resourceName + '-%s' % rule.name + '-rl', // shortening due 63 character limits - labels: common.labels { - 'gateway-resource-identifier': resourceName, - }, - }, - config: { - minute: rule.limit, - limit_by: '%s' % rule.options, - [if rule.options == 'path' then 'path' else null]: '%s' % forTheGateway, - [if rule.options == 'header' then 'header_name' else null]: '%s' % rule.header, - }, - } for rule in rateLimitRules], -}; - -local gateways = deployment.commonApiGateways; -local gatewaysLen = std.length(deployment.commonApiGateways); - -std.map( - function(apiGatewayIndex) { - local gateway = gateways[apiGatewayIndex], - local serviceName = chart.full_service_name(deployment.name), - local servicePrefix = deployment.name, - local environment = deployment_manifest.environment, - local gatewayAttributeLen = std.length(gateway.gatewayAttributes), - local kongRateLimits = [ - create_kong_rate_limiter(environment, servicePrefix, 'external', gateway, attributeIndex, serviceName) - for attributeIndex in std.range(0, gatewayAttributeLen - 1) - if (std.objectHas(gateway.gatewayAttributes[attributeIndex], 'rateLimitRules')) - ], - - apiVersion: 'v1', - kind: 'List', - items: [create_gateway_ingress(environment, servicePrefix, 'external', gateway, attributeIndex, serviceName) for attributeIndex in std.range(0, gatewayAttributeLen - 1)] + - [create_gateway_ingress(environment, servicePrefix, 'internal', gateway, attributeIndex, serviceName) for attributeIndex in std.range(0, gatewayAttributeLen - 1)] + - [ - create_gateway_url_plugin(environment, servicePrefix, gateway, attributeIndex, serviceName) - for attributeIndex in std.range(0, gatewayAttributeLen - 1) - if (gateway.gatewayAttributes[attributeIndex].sourceGatewayPath != gateway.gatewayAttributes[attributeIndex].targetGatewayPath) - ] + - [ - create_gateway_ip_plugin(environment, servicePrefix, 'external', gateway, attributeIndex, serviceName) - for attributeIndex in std.range(0, gatewayAttributeLen - 1) - if (std.objectHas(gateway.gatewayAttributes[attributeIndex], 'whitelistedGatewayIps')) - ] + - [ - create_external_auth_plugin(environment, servicePrefix, 'external', gateway, attributeIndex, serviceName) - for attributeIndex in std.range(0, gatewayAttributeLen - 1) - if (gateway.gatewayAttributes[attributeIndex].externalAuth) - ] + - if (std.length(kongRateLimits) > 0) then kongRateLimits[0].kongrules else [], - }, - std.range(0, gatewaysLen - 1) -) diff --git a/templates/configmap.jsonnet b/templates/configmap.jsonnet deleted file mode 100644 index 096a7a54..00000000 --- a/templates/configmap.jsonnet +++ /dev/null @@ -1,20 +0,0 @@ -local chart = import 'chart.jsonnet'; -local deployment_manifest = import 'deployment_manifest.jsonnet'; -local util = import 'util.jsonnet'; -local deployment = deployment_manifest.deployment; -local common = import 'common.jsonnet'; - -if 'environmentFile' in deployment then - local environmentFile = deployment.environmentFile; - { - apiVersion: 'v1', - data: { - [util.file_name(environmentFile.path)]: environmentFile.data, - }, - kind: 'ConfigMap', - metadata: { - name: chart.full_service_name(deployment_manifest.deployment.name) + '-cm', - namespace: deployment_manifest.deployment.namespace, - annotations: common.annotations, - }, - } diff --git a/templates/cron_hpa_autoscaler.jsonnet b/templates/cron_hpa_autoscaler.jsonnet deleted file mode 100644 index c73595f3..00000000 --- a/templates/cron_hpa_autoscaler.jsonnet +++ /dev/null @@ -1,34 +0,0 @@ -local chart = import 'chart.jsonnet'; -local common = import 'common.jsonnet'; -local deployment_manifest = import 'deployment_manifest.jsonnet'; -local util = import 'util.jsonnet'; -local vars = import 'vars.jsonnet'; - -local deployment = deployment_manifest.deployment; -local hpa = deployment_manifest.deployment.hpa; - -local isEnabled = hpa.type == vars.deployment.hpa.type.cron; -local basename = chart.full_service_name(deployment.name); - -local name = if isEnabled then - basename + '-cron-hpa-autoscaler' -else - basename + '-cron-hpa-autoscaler-disabled'; - - -if std.length(hpa.cronJobs) != 0 then { - - apiVersion: 'autoscaling.alibabacloud.com/v1beta1', - kind: 'CronHorizontalPodAutoscaler', - metadata: { - name: name, - labels: common.labels { 'controller-tools.k8s.io': '1.0' }, - namespace: deployment_manifest.deployment.namespace, - annotations: common.annotations, - }, - spec: { - scaleTargetRef: util.hpa_scale_target_ref(deployment.name, deployment.controller, !isEnabled), - deploymentName: chart.full_service_name(deployment_manifest.deployment.name), - jobs: [job + (if job.name == 'ScaleDown' then { targetSize: hpa.minReplicas } else { targetSize: hpa.maxReplicas }) for job in hpa.cronJobs], - }, -} diff --git a/templates/default_alerts.jsonnet b/templates/default_alerts.jsonnet deleted file mode 100644 index 8378deb4..00000000 --- a/templates/default_alerts.jsonnet +++ /dev/null @@ -1,407 +0,0 @@ -local chart = import 'chart.jsonnet'; -local common = import 'common.jsonnet'; -local deployment_manifest = import 'deployment_manifest.jsonnet'; -local namespace_values = import 'namespace_values.jsonnet'; -local app_name = chart.full_service_name(deployment_manifest.deployment.name); -local namespace = deployment_manifest.deployment.namespace; -local load_balancer_util = import 'load_balancer_util.jsonnet'; -local alerts = deployment_manifest.deployment.alerts; -local manifest_util = import 'manifest_util.jsonnet'; -local deployment = deployment_manifest.deployment; -local vars = import 'vars.jsonnet'; -local util = import 'util.jsonnet'; - -local isVpaEnabled = deployment_manifest.deployment.isVpaEnabled; -local environment = deployment_manifest.environment; - -local commonAlertFields = { - appName: common.awsTags.Name, - fullName: chart.full_service_name(deployment.name), - namespace: namespace, - environment: environment, -}; - -local loadBalancerAlertFields = commonAlertFields { - albIngressName: load_balancer_util.alb_ingress_name(app_name), -}; - -local databaseAlertFields = commonAlertFields { - dbInstance: deployment_manifest.extraResources.database.instanceName, -}; - -local baseLabels = function(alert) { - labels: { - severity: alert.severity, - alertTeam: deployment_manifest.team.name, - appName: app_name, - [if manifest_util.is_custom_slack_channel_enabled(alert) then 'slackChannel']: alert.slackChannel, - }, -}; - -local baseAnnotations = function(alert) { - annotations: { - runbook: 'https://navihq.atlassian.net/wiki/spaces/IN/pages/509936863/Runbook', - }, -}; - -local mapAlerts(alertGroup, alerts) = std.filterMap( - function(alert) alert.type in alertGroup, - function(alert) baseAnnotations(alert) + alertGroup[alert.type](alert) + baseLabels(alert), - alerts -); - -local targetGroupAlerts = { - http4xx: function(alert) { - alert: 'HighHTTP4xx', - annotations+: { - description: '%(namespace)s/%(appName)s has more than %(threshold)s%% http 4xx errors in last %(duration)s' % (loadBalancerAlertFields { threshold: alert.threshold, duration: alert.duration }), - summary: 'Service is facing lot of http 4xx errors', - }, - expr: '((aws_alb_tg_httpcode_target_4_xx_count_sum{tag_Name=~"%(fullName)s",tag_Namespace="%(namespace)s"}/aws_alb_tg_request_count_sum{tag_Name=~"%(fullName)s",tag_Namespace="%(namespace)s"})*100) > %(threshold)s' % (loadBalancerAlertFields { threshold: alert.threshold }), - 'for': alert.duration, - }, - http5xx: function(alert) { - alert: 'HighHTTP5xx', - annotations+: { - description: '%(namespace)s/%(appName)s has more than %(threshold)s%% http 5xx errors in last %(duration)s' % (loadBalancerAlertFields { threshold: alert.threshold, duration: alert.duration }), - summary: 'Service is facing lot of http 5xx errors', - }, - expr: '((aws_alb_tg_httpcode_target_5_xx_count_sum{tag_Name=~"%(fullName)s",tag_Namespace="%(namespace)s"}/aws_alb_tg_request_count_sum{tag_Name=~"%(fullName)s",tag_Namespace="%(namespace)s"})*100) > %(threshold)s' % (loadBalancerAlertFields { threshold: alert.threshold }), - 'for': alert.duration, - }, - latency: function(alert) { - alert: 'HighHTTPLatency', - annotations+: { - description: '%(namespace)s/%(appName)s has latency higher than %(threshold)sms in last %(duration)s' % (loadBalancerAlertFields { threshold: alert.threshold, duration: alert.duration }), - summary: 'Service is having high latency', - }, - expr: '(aws_alb_tg_target_response_time_average{tag_Name=~"%(fullName)s",tag_Namespace="%(namespace)s"}) > %(threshold)s' % (loadBalancerAlertFields { threshold: alert.threshold }), - 'for': alert.duration, - }, -}; - -/* -- TargetGroup will take default Name tag based on service name pass in ingress. -*/ - -local albAlerts = { - elb4xx: function(alert) { - alert: 'HighELB4xx', - annotations+: { - description: '%(namespace)s/%(appName)s has more than %(threshold)s%% elb 4xx errors in last %(duration)s' % (loadBalancerAlertFields { threshold: alert.threshold, duration: alert.duration }), - summary: 'Service is facing lot of elb 4xx errors', - }, - expr: '((sum by (tag_Ingress) (aws_alb_httpcode_elb_4_xx_count_sum{tag_Ingress="%(albIngressName)s"})/(sum by (tag_Ingress) (aws_alb_tg_request_count_sum{tag_Ingress="%(albIngressName)s"})))*100) > %(threshold)s' % (loadBalancerAlertFields { threshold: alert.threshold }), - 'for': alert.duration, - }, - elb5xx: function(alert) { - alert: 'HighELB5xx', - annotations+: { - description: '%(namespace)s/%(appName)s has more than %(threshold)s%% elb 5xx errors in last %(duration)s' % (loadBalancerAlertFields { threshold: alert.threshold, duration: alert.duration }), - summary: 'Service is facing lot of elb 5xx errors', - }, - expr: '((sum by (tag_Ingress) (aws_alb_httpcode_elb_5_xx_count_sum{tag_Ingress="%(albIngressName)s"})/(sum by (tag_Ingress) (aws_alb_tg_request_count_sum{tag_Ingress="%(albIngressName)s"})))*100) > %(threshold)s' % (loadBalancerAlertFields { threshold: alert.threshold }), - 'for': alert.duration, - }, -}; - - -// Database alert -local databaseAlerts = { - highActiveConnection: function(alert) { - alert: 'HighActiveConnection', - annotations+: { - description: 'rds {{ $labels.server }} have high number of active connection {{ $value }}', - summary: 'High Active Connections', - }, - expr: '(sum(pg_stat_database_active_connection{server=~"%(dbInstance)s\\\\..*"}) by(server) / on (server) pg_params_max_connections) * 100 > %(threshold)s' % (databaseAlertFields { threshold: alert.threshold }), - 'for': alert.duration, - }, - provisionedCPUNotEnough: function(alert) { - alert: 'ProvisionedCPUNotEnough', - annotations+: { - description: 'rds {{ $labels.server }} have dip in cpu credit balance {{ $value }}', - summary: 'Fall in CPU credit balance', - }, - expr: 'delta(aws_rds_cpucredit_balance_minimum{dimension_DBInstanceIdentifier=~"%(dbInstance)s\\\\..*"}[10m]) < %(threshold)s' % (databaseAlertFields { threshold: alert.threshold }), - 'for': alert.duration, - }, - provisionedDiskNotEnough: function(alert) { - alert: 'DBProvisionedDiskNotEnough', - annotations+: { - description: 'rds {{ $labels.server }} have dip in burst balance {{ $value }}', - summary: 'Fall in EBS burst balance', - }, - expr: 'delta(aws_rds_burst_balance_minimum{dimension_DBInstanceIdentifier=~"%(dbInstance)s\\\\..*"}[10m]) < %(threshold)s' % (databaseAlertFields { threshold: alert.threshold }), - 'for': alert.duration, - }, - connectionAcquireTimeIsHigh: function(alert) { - alert: 'DBConnectionAcquireTimeIsHigh', - annotations+: { - description: 'Namespace: %(appName)s, AppName: %(namespace)s; Acquiring a DB connection for pod {{ $labels.pod }} took more than %(threshold)ss' % (databaseAlertFields { threshold: alert.threshold }), - summary: 'Container is taking too long to connect to database', - }, - expr: 'hikaricp_connections_acquire_seconds_max{pod=~"%(appName)s-.*",namespace="%(namespace)s"} > %(threshold)s AND on(pod,namespace) ((time() - kube_pod_created) >600)' % (databaseAlertFields { threshold: alert.threshold }), - 'for': alert.duration, - }, - maxConnectionPoolReached: function(alert) { - alert: 'MaxDBConnectionPoolReached', - annotations+: { - description: 'Namespace: %(namespace)s, AppName: %(appName)s; All connection in connection pool for pod {{ $labels.pod }} are used since %(duration)s' % (databaseAlertFields { duration: alert.duration }), - summary: 'All connections in hikari connection pool are used', - }, - expr: 'hikaricp_connections_active{pod=~"%(appName)s-.*",namespace="%(namespace)s"} / hikaricp_connections_max{pod=~"%(appName)s-.*",namespace="%(namespace)s"} == %(threshold)s' % (databaseAlertFields { threshold: alert.threshold }), - 'for': alert.duration, - }, - rdsCPUUnderUtilised: function(alert) { - alert: 'RdsCPUUnderUtilised', - annotations+: { - description: 'Namespace: %(namespace)s , AppName: %(appName)s; RDS utilised is below benchmark for last one week, consider downscaling. threshold: %(threshold)s percent' % (databaseAlertFields { threshold: alert.threshold }), - summary: 'RDS utilised is below benchmark for last one week', - }, - expr: '(weekly_rds_cpu_usage_average:dimension_DBInstanceIdentifier:labels{dimension_DBInstanceIdentifier=~"%(dbInstance)s.*"} < bool %(threshold)s ) >0' % (databaseAlertFields { threshold: alert.threshold }), - 'for': alert.duration, - }, -}; - -local underUtilisedResourcesAlerts = { - k8sCpuUnderUtilised: function(alert) { - alert: 'K8sCpuUnderUtilised', - annotations+: { - description: 'Namespace: %(namespace)s , AppName: %(appName)s; K8s utilised is below benchmark for last one week, consider downscaling. threshold: %(threshold)s percent ' % (databaseAlertFields { threshold: alert.threshold }), - summary: 'K8S utilised is below benchmark for last one week', - }, - expr: 'max_over_time(container_cpu_usage_percentage:1h:container:namespace{namespace="%(namespace)s", container =~"%(appName)s.*"}[1w]) < %(threshold)s ' % (databaseAlertFields { threshold: alert.threshold }), - 'for': alert.duration, - }, - k8sMemoryUnderUtilised: function(alert) { - alert: 'K8sMemoryUnderUtilised', - annotations+: { - description: 'Namespace: %(namespace)s , AppName: %(appName)s; K8s utilised is below benchmark for last one week, consider downscaling. threshold: %(threshold)s percent' % (databaseAlertFields { threshold: alert.threshold }), - summary: 'K8S utilised is below benchmark for last one week', - }, - expr: '(container_memory_usage_percentage:1w:container:namespace{namespace="%(namespace)s", container =~"%(appName)s.*"} ) < %(threshold)s ' % (databaseAlertFields { threshold: alert.threshold }), - 'for': alert.duration, - }, - -}; - - -local kafkaAlerts = { - consumerGroupLag: function(alert) { - alert: 'HighConsumerGroupLag', - annotations+: { - description: '%(group)s has more than %(threshold)s lag in last %(duration)s' % ({ group: alert.group, threshold: alert.threshold, duration: alert.duration }), - summary: 'High consumergroup lag', - }, - expr: 'sum(kafka_consumergroup_lag{topic=~"%(topic)s",consumergroup=~"%(group)s"}) > %(threshold)s' % ({ group: alert.group, threshold: alert.threshold, topic: alert.topic }), - 'for': alert.duration, - }, - kafkaMessageRate: function(alert) { - alert: 'kafkaMessageRate', - annotations+: { - description: '%(topic)s has more than %(threshold)s message in last %(duration)s' % ({ topic: alert.topic, threshold: alert.threshold, duration: alert.duration }), - summary: 'High Message Rate', - }, - expr: 'sum(increase(kafka_topic_partition_current_offset{topic=~"%(topic)s"}[10m])) > %(threshold)s' % ({ threshold: alert.threshold, topic: alert.topic }), - 'for': alert.duration, - }, -}; - -//Custom Alerts -local customAlerts = { - custom: function(alert) { - alert: alert.name, - annotations+: { - description: 'Namespace:%s; App:%s; ' % [namespace, app_name] + alert.description, - summary: alert.summary, - }, - [if alert.duration != null then 'for']: alert.duration, - expr: alert.expression, - }, -}; - -//Custom RecordingRules -local recordingRulesForm = { - prometheusRecordingRule: function(alert) { - name: '%s' % [alert.name], - interval: '%s' % [alert.duration], - rules: [ - { - record: '%s' % [alert.record], - expr: '%s' % [alert.expression], - }, - ], - }, -}; - -local kongAlerts = { - kong4xx: function(alert) { - alert: 'Kong4xx', - annotations+: { - description: '{{ $labels.exported_service }} URI path has more than %(threshold)s%% http 4xx errors per minute for last %(duration)s' % (loadBalancerAlertFields { threshold: alert.threshold, duration: alert.duration }), - summary: 'One of the URI path in Kong API gateway is facing lot of http 4xx errors', - }, - expr: '((sum by (exported_service) (increase(kong_http_requests_total{exported_service=~".*%(appName)s.*", code=~"4.*"}[1m])) / sum by (exported_service) (increase(kong_http_requests_total{exported_service=~".*%(appName)s.*"}[1m]))) * 100) > %(threshold)s' % (loadBalancerAlertFields { threshold: alert.threshold }), - 'for': alert.duration, - }, - kong5xx: function(alert) { - alert: 'Kong5xx', - annotations+: { - description: '{{ $labels.exported_service }} URI path has more than %(threshold)s%% http 5xx errors per minute for last %(duration)s' % (loadBalancerAlertFields { threshold: alert.threshold, duration: alert.duration }), - summary: 'One of the URI path in Kong API gateway is facing lot of http 5xx errors', - }, - expr: '((sum by (exported_service) (increase(kong_http_requests_total{exported_service=~".*%(appName)s.*", code=~"5.*"}[1m])) / sum by (exported_service) (increase(kong_http_requests_total{exported_service=~".*%(appName)s.*"}[1m]))) * 100) > %(threshold)s' % (loadBalancerAlertFields { threshold: alert.threshold }), - 'for': alert.duration, - }, - kongLatency: function(alert) { - alert: 'KongLatency', - annotations+: { - description: '{{ $labels.exported_service }} URI path has a 5 minute average latency higher than %(threshold)sms for last %(duration)s' % (loadBalancerAlertFields { threshold: alert.threshold, duration: alert.duration }), - summary: 'One of the URI path in Kong API gateway has 5 minute average high latency', - }, - expr: '(sum by (exported_service) (rate(kong_kong_latency_ms_sum{exported_service=~".*%(appName)s.*"}[5m]) / rate(kong_kong_latency_ms_count{exported_service=~".*%(appName)s.*"}[5m]))) > %(threshold)s' % (loadBalancerAlertFields { threshold: alert.threshold }), - 'for': alert.duration, - }, -}; - -local podAlerts = { - HighPodRestarts: function(alert) { - alert: 'HighPodRestarts', - annotations: { - description: 'Namespace: %s, AppName: %s; Pod restarted multiple times' % [namespace, app_name], - summary: 'High Pod Restarts', - runbook: 'https://navihq.atlassian.net/wiki/spaces/IN/pages/279937094/Act+On+Pod+Alert', - }, - expr: 'sum(increase(kube_pod_container_status_restarts_total{namespace="%s", pod=~"%s.*"}[%s])) > %s' % [namespace, app_name, alert.duration, alert.threshold], - }, - HighPodFailures: function(alert) { - alert: 'HighPodFailures', - annotations: { - description: 'Namespace: %s, AppName: %s; Pods were last terminated due to reason {{ $labels.reason }}' % [namespace, app_name], - summary: 'High Pod Failures', - runbook: 'https://navihq.atlassian.net/wiki/spaces/IN/pages/279937094/Act+On+Pod+Alert', - }, - expr: 'sum(increase(kube_pod_container_status_last_terminated_reason{namespace="%s", container=~"%s.*",reason !~ "Completed|Evicted|OOMKilled"}[%s])) by (reason,pod) > %s' % [namespace, app_name, alert.duration, alert.threshold], - }, - FrequentPodOOMKilled: function(alert) { - alert: 'FrequentPodOOMKilled', - annotations: { - description: 'Namespace: %s, AppName: %s; Pod: {{ $labels.pod }} is restarting multiple times because of OOMKilled' % [namespace, app_name], - summary: 'High Pod Failures', - runbook: 'https://navihq.atlassian.net/wiki/spaces/IN/pages/279937094/Act+On+Pod+Alert', - }, - expr: 'increase(kube_pod_container_status_restarts_total{namespace="%s", container="%s"}[%s]) >= %s AND ignoring(reason) kube_pod_container_status_last_terminated_reason{namespace="%s", container="%s", reason="OOMKilled"} > 0' % [namespace, app_name, alert.duration, alert.threshold, namespace, app_name], - }, - PodOOMKilled: function(alert) { - alert: 'PodOOMKilled', - annotations: { - description: 'Namespace: %s, AppName: %s; Pod: {{ $labels.pod }} killed because of OOMKilled' % [namespace, app_name], - summary: 'Pod OOMKilled', - runbook: 'https://navihq.atlassian.net/wiki/spaces/IN/pages/279937094/Act+On+Pod+Alert', - }, - expr: 'kube_pod_container_status_restarts_total{namespace="%s", container="%s"} - kube_pod_container_status_restarts_total{namespace="%s", container="%s"} offset %s >= %s AND ignoring(reason) kube_pod_container_status_last_terminated_reason{namespace="%s", container="%s", reason="OOMKilled"} > 0' % [namespace, app_name, namespace, app_name, alert.duration, alert.threshold, namespace, app_name], - }, - KubeContainerWaiting: function(alert) { - alert: 'KubeContainerWaiting', - annotations: { - description: 'Namespace: %s, AppName: %s; container in waiting state for one hour' % [namespace, app_name], - summary: 'container is waiting for too long', - runbook: 'https://navihq.atlassian.net/wiki/spaces/IN/pages/279937094/Act+On+Pod+Alert', - }, - expr: 'sum by (namespace, pod, container) (kube_pod_container_status_waiting_reason{container="%s", namespace="%s"}) > %s' % [app_name, namespace, alert.threshold], - 'for': alert.duration, - }, -}; - - -local mapRecordingRule(alertGroup, alerts) = std.filterMap( - function(alert) alert.type in alertGroup, - function(alert) alertGroup[alert.type](alert), - alerts -); - -local vpaAlerts(appName, namespace, teamName) = - (if isVpaEnabled then [ - { - alert: 'VPAUncappedTargetGreaterThanCappedTarget', - annotations: { - description: 'Uncapped target is more than bounds Namespace:%s; App:%s; ' % [namespace, app_name], - summary: 'Uncapped target is more than bounds, this means your service is requires lot more resources than what node may have', - }, - labels: { - severity: 'warning', - alertTeam: teamName, - appName: app_name, - }, - 'for': '1m', - expr: 'kube_verticalpodautoscaler_status_recommendation_containerrecommendations_uncappedtarget{container="%s"} / kube_verticalpodautoscaler_status_recommendation_containerrecommendations_target{container="%s"} > 1' % [appName, appName], - }, - ] else []); - -if !util.is_sandbox(environment) then { - apiVersion: 'monitoring.coreos.com/v1', - kind: 'PrometheusRule', - metadata: { - labels: common.labels { - prometheus: 'kube-prometheus', - role: 'alert-rules', - }, - name: app_name, - namespace: namespace, - annotations: common.annotations, - }, - spec: { - groups: [ - { - name: '%s-basic' % [app_name], - rules: (mapAlerts(podAlerts, alerts.pod)) - + (if manifest_util.is_database_present(deployment_manifest) then [ - { - alert: 'CriticalFreeDiskSpace', - annotations: { - description: 'rds {{ $labels.identifier }} have disk space less than {{ $value }}% and disk space autoscaling have reached the allowed limit.', - summary: 'Critical free disk space', - runbook: 'https://navihq.atlassian.net/wiki/spaces/IN/pages/269844543/Act+on+DB+alert#CriticalFreeDiskSpace', - }, - expr: '(aws_rds_free_storage_space_average{dimension_DBInstanceIdentifier=~"%(dbInstance)s"}/(1024*1024*1024)/ on () rds_config_AllocatedStorage{identifier=~"%(dbInstance)s"})*100 < 10 And on() (rds_config_AllocatedStorage{identifier=~"%(dbInstance)s"} / rds_config_MaxAllocatedStorage{identifier=~"%(dbInstance)s"}) > 0.9 ' % (databaseAlertFields), - 'for': '5m', - labels: { - severity: 'critical', - alertTeam: deployment_manifest.team.name, - appName: app_name, - }, - }, - ] else []) + (if (deployment.controller == vars.defaultController) then [ - { - alert: 'ReplicaUnavailableAlert', - annotations: { - description: 'Namespace: %s, AppName: %s; Not enough instances available since past 15m' % [namespace, app_name], - summary: 'Low desired replica count', - runbook: 'https://navihq.atlassian.net/wiki/spaces/IN/pages/279937094/Act+On+Pod+Alert', - }, - expr: '(kube_deployment_status_replicas_available{deployment="%s", namespace="%s"}) - ignoring(poddisruptionbudget, deployment) (kube_poddisruptionbudget_status_desired_healthy{poddisruptionbudget="%s-pdb",namespace="%s"}) < 0' % [app_name, namespace, app_name, namespace], - 'for': if deployment_manifest.team.name == 'DataScience' then '30m' else '15m', - labels: { - severity: 'critical', - alertTeam: deployment_manifest.team.name, - appName: app_name, - }, - }, - ] else []) - + (if load_balancer_util.is_using_tg(deployment_manifest.deployment.loadBalancers) then - mapAlerts(targetGroupAlerts, alerts.loadBalancer) else []) - + (if load_balancer_util.is_using_lb(deployment_manifest.deployment.loadBalancers, 'alb') then - mapAlerts(albAlerts, alerts.loadBalancer) else []) - + (if load_balancer_util.is_using_lb(deployment_manifest.deployment.loadBalancers, 'commonApiGateway') then - mapAlerts(kongAlerts, alerts.kong) else []) - + (if manifest_util.is_database_present(deployment_manifest) then - mapAlerts(databaseAlerts, alerts.database) else []) - + mapAlerts(kafkaAlerts, alerts.kafka) - + mapAlerts(customAlerts, alerts.custom) - + mapAlerts(underUtilisedResourcesAlerts, alerts.underUtilisedResources) - + vpaAlerts(app_name, namespace, deployment_manifest.team.name), - }, - ] + mapRecordingRule(recordingRulesForm, alerts.prometheusRecordingRule), - }, -} diff --git a/templates/deployment.jsonnet b/templates/deployment.jsonnet deleted file mode 100644 index 0584984d..00000000 --- a/templates/deployment.jsonnet +++ /dev/null @@ -1,29 +0,0 @@ -local chart = import 'chart.jsonnet'; -local common = import 'common.jsonnet'; -local deployment_manifest = import 'deployment_manifest.jsonnet'; -local deployment_util = import 'deployment_util.jsonnet'; -local pod_template = import 'pod_template.jsonnet'; -local vars = import 'vars.jsonnet'; -local deployment = deployment_manifest.deployment; - - -if (deployment.controller == vars.defaultController) then { - apiVersion: 'apps/v1', - kind: 'Deployment', - metadata: { - name: chart.full_service_name(deployment.name), - labels: common.labels { - linkConfig: std.toString(deployment_manifest.deployment.isLinkConfig), - }, - annotations: common.annotations, - namespace: deployment_manifest.deployment.namespace, - }, - spec: { - progressDeadlineSeconds: deployment.progressDeadlineSeconds, - selector: { - matchLabels: common.matchLabels, - }, - strategy: deployment_util.strategy.rollingUpdate(), - template: pod_template, - }, -} diff --git a/templates/deployment_manifest.jsonnet b/templates/deployment_manifest.jsonnet deleted file mode 100644 index 5295dbba..00000000 --- a/templates/deployment_manifest.jsonnet +++ /dev/null @@ -1,209 +0,0 @@ -local deployment_manifest_json = import 'deployment_manifest.json'; -local health_check_values = import 'health_check_values.jsonnet'; -local manifest_util = import 'manifest_util.jsonnet'; -local port_map = import 'port_map.jsonnet'; -local probe_values = import 'probe_values.jsonnet'; -local default_service_port = [{ name: 'serviceport', port: 8080, enableGrpc: false }]; -local namespace_values = import 'namespace_values.jsonnet'; -local vars = import 'vars.jsonnet'; -local chart = import 'chart.jsonnet'; -local common = import 'common.jsonnet'; - -local alertTypes(alerts) = std.map(function(alert) alert.type, alerts); -local containsAlertType(alerts, type) = if (std.find(type, alertTypes(alerts)) != []) then true else false; -local mergePodAlerts(defaultAlerts, manifestAlerts) = manifestAlerts + std.filter(function(alert) !containsAlertType(manifestAlerts, alert.type), defaultAlerts); -local deployment = deployment_manifest_json.deployment; -local defaultStartupProbe = health_check_values.getDefaultStartupProbe; -local defaultLivenessCheck = health_check_values.getDefaultLivenessCheck; -local defaultReadinessCheck = health_check_values.getDefaultReadinessCheck; -local esImageMapping = { - '7.17.0': vars.esImage_7_17_0, - '8.12.2': vars.esImage_8_12_2, -}; -local kibanaImageMapping = { - '7.17.0': vars.kibanaImage_7_17_0, - '8.12.2': vars.kibanaImage_8_12_2, - }; -local lbFunction = function(lbObject) { - type: if 'type' in lbObject then lbObject.type else error 'Missing loadbalancer type', - endpoint: if 'endpoint' in lbObject then lbObject.endpoint else null, - name: if 'name' in lbObject then lbObject.name else null, - groupName: if 'groupName' in lbObject then lbObject.groupName else null, - stickiness: if 'stickiness' in lbObject then lbObject.stickiness else false, - 'tls-1-1': if 'tls-1-1' in lbObject then lbObject['tls-1-1'] else false, - enableGrpc: if 'enableGrpc' in lbObject then lbObject.enableGrpc else false, - stickinessCookieDuration: if 'stickinessCookieDuration' in lbObject then lbObject.stickinessCookieDuration else 86400, - idleTimeout: if 'idleTimeout' in lbObject then lbObject.idleTimeout else 60, - slowStartDuration: if 'slowStartDuration' in lbObject then lbObject.slowStartDuration else 0, - accessPolicies: if 'accessPolicies' in lbObject then lbObject.accessPolicies else [], - extraSecurityGroups: if 'extraSecurityGroups' in lbObject then lbObject.extraSecurityGroups else [], - accessLog: if 'accessLog' in lbObject then lbObject.accessLog else namespace_values.loadBalancer.annotations.accessLog, - webAcl: if 'webAcl' in lbObject then lbObject.webAcl else namespace_values.loadBalancer.annotations.webAcl, - groupOrder: if 'groupOrder' in lbObject then lbObject.groupOrder else '100', - additionalEndpoints: if 'additionalEndpoints' in lbObject then lbObject.additionalEndpoints else [], - redirects: if 'redirects' in lbObject then lbObject.redirects else [], - exposeToLoadBalancer: false, -}; - -// A mixin that carefully overrides values. It should resemble deployment_manifest.json -local manifest_defaults = { - environment: if 'environment' in super then super.environment else null, - securityGroup: if 'securityGroup' in super then super.securityGroup else null, - metadata: if 'metadata' in super then super.metadata else {}, - sandboxParams: if 'sandboxParams' in super then super.sandboxParams else null, - [if 'flink' in deployment_manifest_json then 'flink' else null]+: { - loadBalancers: std.map(lbFunction, - if ('loadBalancers' in deployment_manifest_json.flink && deployment_manifest_json.flink.loadBalancers != []) then deployment_manifest_json.flink.loadBalancers else [{ type: 'none' }]), - }, - deployment+: { - //TODO: Just support $.name instead of $.deployment.name once all apps have migrated - name: if 'name' in super then super.name else $.name, - image: if 'image' in super then deployment.image else null, - imagePullPolicy: if 'imagePullPolicy' in super then deployment.imagePullPolicy else 'IfNotPresent', - maxSurge: if 'maxSurge' in super then deployment.maxSurge else null, - controller: if 'controller' in super then deployment.controller else vars.defaultController, - strategy: if 'strategy' in super then deployment.strategy else null, - strategyConfig: if 'strategyConfig' in super then deployment.strategyConfig else {}, - exposedPorts: if 'exposedPorts' in super then (if port_map.hasPort(super.exposedPorts, 'serviceport') then super.exposedPorts else super.exposedPorts + default_service_port) else default_service_port, - healthChecks+: { - startupProbeEnabled: if 'startupProbeEnabled' in super then deployment.healthChecks.startupProbeEnabled else false, - startupProbe+: { - type: $.deployment.healthChecks.livenessCheck.type, - port: $.deployment.healthChecks.livenessCheck.port, - path: $.deployment.healthChecks.livenessCheck.path, - successThreshold: defaultStartupProbe.successThreshold, - initialDelaySeconds: defaultStartupProbe.initialDelaySeconds, - periodSeconds: defaultStartupProbe.periodSeconds, - failureThreshold: defaultStartupProbe.failureThreshold, - httpHeaders+: $.deployment.healthChecks.livenessCheck.httpHeaders, - }, - livenessCheck+: { - type: if 'type' in super then super.type else defaultLivenessCheck.type, - port: if 'port' in super then super.port else defaultLivenessCheck.port, - path: if 'path' in super then super.path else defaultLivenessCheck.path, - successThreshold: if 'successThreshold' in super then super.successThreshold else defaultLivenessCheck.successThreshold, - initialDelaySeconds: if $.deployment.healthChecks.startupProbeEnabled then 0 else (if 'initialDelaySeconds' in super then super.initialDelaySeconds else defaultLivenessCheck.initialDelaySeconds), - periodSeconds: if 'periodSeconds' in super then super.periodSeconds else defaultLivenessCheck.periodSeconds, - failureThreshold: if 'failureThreshold' in super then super.failureThreshold else defaultLivenessCheck.failureThreshold, - httpHeaders+: if 'httpHeaders' in super then super.httpHeaders else defaultLivenessCheck.httpHeaders, - }, - readinessCheck+: { - type: if 'type' in super then super.type else defaultReadinessCheck.type, - port: if 'port' in super then super.port else defaultReadinessCheck.port, - path: if 'path' in super then super.path else defaultReadinessCheck.path, - successThreshold: if 'successThreshold' in super then super.successThreshold else defaultReadinessCheck.successThreshold, - initialDelaySeconds: if $.deployment.healthChecks.startupProbeEnabled then 0 else (if 'initialDelaySeconds' in super then super.initialDelaySeconds else defaultReadinessCheck.initialDelaySeconds), - periodSeconds: if 'periodSeconds' in super then super.periodSeconds else defaultReadinessCheck.periodSeconds, - failureThreshold: if 'failureThreshold' in super then super.failureThreshold else defaultReadinessCheck.failureThreshold, - httpHeaders+: if 'httpHeaders' in super then super.httpHeaders else defaultReadinessCheck.httpHeaders, - }, - }, - progressDeadlineSeconds: if 'timeout' in super then super.timeout else (if $.environment != vars.environments.prod then 720 else 540), - terminationGracePeriodSeconds: if 'terminationGracePeriodSeconds' in super then super.terminationGracePeriodSeconds else (if $.environment != vars.environments.prod then 60 else 90), - instance+: { - count: if 'count' in super then super.count else 2, - cpu: if 'cpu' in super then super.cpu else '0.25', - memory: if 'memory' in super then super.memory else '300Mi', - [if $.deployment.isVpaEnabled then 'minCPU']: if 'minCPU' in super then super.minCPU else 0.5, - [if $.deployment.isVpaEnabled then 'minMemory']: if 'minMemory' in super then super.minMemory else '512Mi', - gpu: if 'gpu' in super then super.gpu else 0, - gpuNodeSelector: if 'gpuNodeSelector' in super then super.gpuNodeSelector else { 'nvidia.com/gpu': 'true' }, - gpuTolerations: if 'gpuTolerations' in super then super.gpuTolerations else [{ effect: 'NoSchedule', key: 'nvidia.com/gpu', operator: 'Exists' }], - }, - environmentVariables+: [], - mountSecrets+: [], - namespace: if 'namespace' in super then super.namespace else 'default', - loadBalancers: std.map(lbFunction, - if ( 'loadBalancers' in super && super.loadBalancers != []) then super.loadBalancers else [{ type: 'none' }]), - commonApiGateways: std.map(function(apiGateways) { - commonApiGatewayUrl: if 'commonApiGatewayUrl' in apiGateways then apiGateways.commonApiGatewayUrl else null, - internalCommonApiGatewayUrl: if 'internalCommonApiGatewayUrl' in apiGateways then apiGateways.internalCommonApiGatewayUrl else null, - gatewayAttributes: if 'gatewayAttributes' in apiGateways then apiGateways.gatewayAttributes else [], - }, if ( 'commonApiGateways' in super && super.commonApiGateways != []) then super.commonApiGateways else [{ type: 'none' }]), - serviceMonitor+: { - enabled: if 'enabled' in super then super.enabled else false, - port: if 'port' in super then super.port else 'serviceport', - path: if 'path' in super then super.path else '/actuator/prometheus', - namespace: if 'namespace' in super then super.namespace else 'monitoring', - interval: if 'interval' in super then super.interval else '30s', - metricRelabelings: if 'metricRelabelings' in super then super.metricRelabelings else [], - scrapeTimeout: if 'scrapeTimeout' in super then super.scrapeTimeout else '10s', - }, - elasticSearch+: { - local defaultLabelPrefix = deployment.elasticSearch.instance.instanceName, - local elasticsearchVersion = if 'esVersion' in deployment.elasticSearch.instance then deployment.elasticSearch.instance.esVersion else '7.17.0', - enabled: if 'enabled' in super then super.enabled else false, - esLabels: if 'esLabels' in super then super.esLabels else { app: chart.service_name, chart: chart.service_chart, heritage: 'NaviDeploymentManifest', release: defaultLabelPrefix + '-elasticsearch', Team: deployment_manifest_json.team.name, Environment: deployment_manifest_json.environment, Name: defaultLabelPrefix + '-elasticsearch', Product: namespace_values.additionalTags.product, Owner: if deployment_manifest_json.infraVertical == 'lending' then 'medici' else if deployment_manifest_json.infraVertical == 'insurance' then 'gi' else deployment_manifest_json.infraVertical }, - instanceName: if 'instanceName' in super then super.instanceName else 'default-elasticsearch', - cpu: if 'cpu' in super then super.cpu else '1', - memory: if 'memory' in super then super.memory else '1Gi', - diskSpace: if 'diskSpace' in super then super.diskSpace else '30Gi', - esVersion: elasticsearchVersion, - esImage: esImageMapping[elasticsearchVersion], - esCount: if 'esCount' in super then super.esCount else 3, - esNodeSelector: if 'esNodeSelector' in super then super.esNodeSelector else { 'kops.k8s.io/instancegroup': 'datastore-nodes-1' }, - esTolerations: if 'esTolerations' in super then super.esTolerations else [{ effect: 'NoSchedule', key: 'node', operator: 'Equal', value: 'datastore' }], - kibana: if 'kibana' in super then super.kibana else null, - kibanaLabels: if 'kibanaLabels' in super then super.kibanaLabels else { app: chart.service_name, chart: chart.service_chart, heritage: 'NaviDeploymentManifest', release: defaultLabelPrefix + '-kibana', Team: deployment_manifest_json.team.name, Environment: deployment_manifest_json.environment, Name: defaultLabelPrefix + '-kibana', Product: namespace_values.additionalTags.product, Owner: if deployment_manifest_json.infraVertical == 'lending' then 'medici' else if deployment_manifest_json.infraVertical == 'insurance' then 'gi' else deployment_manifest_json.infraVertical }, - kibanaVersion: elasticsearchVersion, - kibanaImage: kibanaImageMapping[elasticsearchVersion], - }, - perfUtility+: { - mockServerEnabled: if 'mockServer' in super then super.mockServer else false, - mockServerImage: if 'mockServerImage' in super then super.mockServerImage else '193044292705.dkr.ecr.ap-south-1.amazonaws.com/common/perf-mock-server:latest', - postgresServerEnabled: if 'postgresServer' in super then super.postgresServer else false, - postgresServerImage: '193044292705.dkr.ecr.ap-south-1.amazonaws.com/common/postgres:13', - }, - hpa+: { - type: if 'type' in super then super.type else vars.deployment.hpa.type.metrics, - maxReplicas: if 'maxReplicas' in super then super.maxReplicas else $.deployment.instance.count, - minReplicas: if 'minReplicas' in super then super.minReplicas else $.deployment.instance.count, - metrics: if 'metrics' in super then super.metrics else [], - custom_metrics: if 'custom_metrics' in super then super.custom_metrics else [], - cronJobs: if 'cronJobs' in super then super.cronJobs else [], - }, - isVpaEnabled: if 'isVpaEnabled' in super then super.isVpaEnabled else false, - isLinkConfig: if 'linkConfig' in super && super.linkConfig != null then super.linkConfig else false, - vpa+: { - maxAllowed: { - cpu: if 'cpu' in super then super.cpu else vars.vpa.maxAllowedCPU, - memory: if 'memory' in super then super.memory else vars.vpa.maxAllowedMemory, - }, - }, - allowEgress: if 'allowEgress' in super then super.allowEgress else [], - alerts+: { - pod: mergePodAlerts(vars.deployment.alerts.pod, if 'pod' in super then super.pod else []), - loadBalancer+: [], - database+: [], - kafka+: [], - custom+: [], - kong+: [], - prometheusRecordingRule+: [], - underUtilisedResources+: [], - }, - disableIstio: if 'disableIstio' in super then super.disableIstio else false, - }, - team+: { - name: if 'name' in super then super.name else 'Infra', - }, - [if 'flink' in deployment_manifest_json then null else 'labels']+: { - 'micrometer-prometheus': if 'micrometer-prometheus' in super then super['micrometer-prometheus'] - else if ($.deployment.serviceMonitor.enabled == false && port_map.hasPort($.deployment.exposedPorts, 'metrics')) then 'enabled' else 'disabled', - }, - isSwApmEnabled: if 'isSwApmEnabled' in super then super.isSwApmEnabled else namespace_values.isSwApmEnabled, - extraResources: if 'extraResources' in super then super.extraResources else null, -}; - -local deployment_manifest = deployment_manifest_json + manifest_defaults; - -//For Validation -local rateLimitRulesLength(commonApiGateways) = [ - if 'rateLimitRules' in attribute then std.length(attribute.rateLimitRules) else 0 - for gateway in commonApiGateways - for attribute in gateway.gatewayAttributes -]; -local commonApiGateways = if 'flink' in deployment_manifest then [] else deployment_manifest.deployment.commonApiGateways; -assert std.length([value for value in rateLimitRulesLength(commonApiGateways) if value > 1]) == 0 : 'Apigateway has more than one rateLimiting rule configured in at least one of the gateway attributes'; -assert std.isString(deployment_manifest.cluster) : 'ValidationError: cluster must be a non empty string'; - -deployment_manifest diff --git a/templates/deployment_util.jsonnet b/templates/deployment_util.jsonnet deleted file mode 100644 index d582deb6..00000000 --- a/templates/deployment_util.jsonnet +++ /dev/null @@ -1,108 +0,0 @@ -local deployment_manifest = import 'deployment_manifest.jsonnet'; -local deployment = deployment_manifest.deployment; -local vars = import 'vars.jsonnet'; -local rolloutController = vars.rolloutController; -local deploymentController = deployment.controller; -local ingress = deployment_manifest.deployment.loadBalancers[0]; -local load_balancer_util = import 'load_balancer_util.jsonnet'; -local chart = import 'chart.jsonnet'; -local port_map = import 'port_map.jsonnet'; -local namespace_values = import 'namespace_values.jsonnet'; -local empty(parent, field) = if (field in parent && parent[field] != {} && parent[field] != [] && parent[field] != '') then false else true; - -{ - stepsValueMap(step):: { - manualPromotion: { pause: {} }, - setWeight: { setWeight: step.value }, - pause: { pause: { duration: step.value } }, - }[step.name], - - getSteps(steps):: [ - $.stepsValueMap(step) - for step in steps - ], - - stickinessConfig(stickinessDuration):: { - enabled: true, - durationSeconds: stickinessDuration, - }, - - getMaxSurge(deployment):: - if deployment.maxSurge == null || deployment.maxSurge == '' then - if deployment.hpa.minReplicas <= 5 then '51%' else '20%' - else - deployment.maxSurge + '%', - - strategy:: { - rollingUpdate():: - if (deploymentController == rolloutController) then { - canary: { - maxSurge: $.getMaxSurge(deployment), - maxUnavailable: 0, - }, - } else { - assert deployment.strategy != 'canary' : '%s controller does not support canary' % deploymentController, - type: 'RollingUpdate', - rollingUpdate: { - maxSurge: $.getMaxSurge(deployment), - maxUnavailable: 0, - }, - } - , - - canary(config={}):: { - assert deploymentController == rolloutController : '%s controller is not supported for canary' % deployment.controller, - assert std.find(ingress.type, ['alb', 'sharedAlbAcrossNamespace']) != [] : '%s is not supported for canary' % ingress.type, - local ingressFullName = load_balancer_util.ingress_name(chart.full_service_name(deployment.name), ingress), - local fullName = chart.full_service_name(deployment.name), - local analysisConfig = if !empty(config, 'analysis') then config.analysis else {}, - canary: { - maxSurge: '51%', - maxUnavailable: 0, - [if analysisConfig != {} then 'analysis']: { - templates: [{ - templateName: chart.full_service_name(deployment.name), - }], - [if !empty(analysisConfig, 'templates') && deployment.analysisTemplate != null then 'templates']: analysisConfig.templates, - [if !empty(analysisConfig, 'args') then 'args']: analysisConfig.args, - [if !empty(analysisConfig, 'startingStep') then 'startingStep']: analysisConfig.startingStep, - }, - steps: if empty(config, 'steps') then vars.defaultCanarySteps else $.getSteps(config.steps), - stableService: '%s-stable' % fullName, - canaryService: '%s-canary' % fullName, - trafficRouting: { - alb: { - ingress: ingressFullName, - rootService: fullName, - servicePort: port_map.getPort('serviceport'), - [if 'stickinessDuration' in config && config.stickinessDuration > 0 then 'stickinessConfig']: $.stickinessConfig(config.stickinessDuration), - }, - }, - }, - }, - rollingUpdateWithCanaryMixIn(config={}):: { - assert deploymentController == rolloutController : '%s controller is not supported for canary' % deployment.controller, - assert std.find(ingress.type, ['alb', 'sharedAlbAcrossNamespace']) != [] : '%s is not supported for canary' % ingress.type, - local ingressFullName = load_balancer_util.ingress_name(chart.full_service_name(deployment.name), ingress), - local fullName = chart.full_service_name(deployment.name), - canary: { - maxSurge: '51%', - maxUnavailable: 0, - stableService: '%s-stable' % fullName, - canaryService: '%s-canary' % fullName, - trafficRouting: { - alb: { - ingress: ingressFullName, - rootService: fullName, - servicePort: port_map.getPort('serviceport'), - [if 'stickinessDuration' in config && config.stickinessDuration > 0 then 'stickinessConfig']: $.stickinessConfig(config.stickinessDuration), - }, - }, - [if config.currentStrategy == 'canary' then 'steps']: [{ pause: {} }], - }, - }, - }, - - isEfsNeeded(deployment):: namespace_values.isEfsSupported && 'efs' in deployment, - isFsxNeeded(deployment):: namespace_values.isFsxSupported && 'fsx' in deployment, -} diff --git a/templates/dynamic_configuration.jsonnet b/templates/dynamic_configuration.jsonnet deleted file mode 100644 index 35a995f7..00000000 --- a/templates/dynamic_configuration.jsonnet +++ /dev/null @@ -1,22 +0,0 @@ -local chart = import 'chart.jsonnet'; -local common = import 'common.jsonnet'; -local deployment_manifest = import 'deployment_manifest.jsonnet'; -local manifest_util = import 'manifest_util.jsonnet'; -local dynamicConfiguration = if manifest_util.is_dynamic_config_present(deployment_manifest) then deployment_manifest.dynamicConfiguration else {}; - -if manifest_util.is_dynamic_config_present(deployment_manifest) then { - apiVersion: 'v1', - kind: 'Secret', - metadata: { - name: chart.full_service_name(deployment_manifest.deployment.name) + '-dynamic-secret', - namespace: deployment_manifest.deployment.namespace, - labels: common.labels, - annotations: common.annotations, - }, - stringData: - { - [config.fileName]: config.data - for config in dynamicConfiguration - }, - type: 'Opaque', -} diff --git a/templates/efs_persistent_volume_claim.jsonnet b/templates/efs_persistent_volume_claim.jsonnet deleted file mode 100644 index 94137d23..00000000 --- a/templates/efs_persistent_volume_claim.jsonnet +++ /dev/null @@ -1,34 +0,0 @@ -local chart = import 'chart.jsonnet'; -local common = import 'common.jsonnet'; -local deployment_manifest = import 'deployment_manifest.jsonnet'; -local deployment_util = import 'deployment_util.jsonnet'; -local deployment = deployment_manifest.deployment; -local namespace_values = import 'namespace_values.jsonnet'; - -if (deployment_util.isEfsNeeded(deployment)) then - local efs_list = deployment.efs; - if (std.length(efs_list) != 0) then - { - apiVersion: 'v1', - kind: 'List', - items: std.map(function(efs) { - apiVersion: 'v1', - kind: 'PersistentVolumeClaim', - metadata: { - name: chart.full_service_name(deployment.name) + '-' + efs.name, - labels: common.labels, - annotations: common.annotations, - namespace: deployment.namespace, - }, - spec: { - accessModes: ['ReadWriteMany'], - storageClassName: efs.name, - resources: { - requests: { - storage: '1Mi', - }, - }, - }, - }, efs_list), - } - else null diff --git a/templates/elastic_search.jsonnet b/templates/elastic_search.jsonnet deleted file mode 100644 index 13081fb3..00000000 --- a/templates/elastic_search.jsonnet +++ /dev/null @@ -1,90 +0,0 @@ -local chart = import 'chart.jsonnet'; -local common = import 'common.jsonnet'; -local deployment_manifest = import 'deployment_manifest.jsonnet'; -local deployment = deployment_manifest.deployment; -local PVCAnnotations = '{ "Team": "%s", "Environment": "%s", "Product": "%s" }' % [deployment_manifest.team.name, deployment_manifest.environment, deployment_manifest.metadata.product]; -if deployment_manifest.deployment.elasticSearch.enabled == true then { - apiVersion: 'elasticsearch.k8s.elastic.co/v1', - kind: 'Elasticsearch', - metadata: { - name: deployment.elasticSearch.instance.instanceName + '-elasticsearch', - namespace: deployment_manifest.environment + '-datastores', - labels: deployment.elasticSearch.esLabels, - annotations: common.annotations, - }, - spec: { - version: deployment.elasticSearch.esVersion, - image: deployment.elasticSearch.esImage, - secureSettings: [ - { - secretName: 'aws-credentials-es-backup', - }, - ], - http: { - tls: { - selfSignedCertificate: { - disabled: true, - }, - }, - }, - nodeSets: [ - { - name: 'node', - config: { - 'node.roles': [ - 'master', - 'data', - 'ingest', - ], - 'node.store.allow_mmap': false, - }, - podTemplate: { - metadata: { - labels: deployment.elasticSearch.esLabels, - }, - spec: { - nodeSelector: deployment.elasticSearch.esNodeSelector, - tolerations: deployment.elasticSearch.esTolerations, - containers: [ - { - name: 'elasticsearch', - resources: { - requests: { - memory: deployment.elasticSearch.instance.memory, - cpu: deployment.elasticSearch.instance.cpu, - }, - limits: { - memory: deployment.elasticSearch.instance.memory, - cpu: deployment.elasticSearch.instance.cpu, - }, - }, - }, - ], - }, - }, - count: deployment.elasticSearch.esCount, - volumeClaimTemplates: [ - { - metadata: { - name: 'elasticsearch-data', - annotations: { - 'k8s-pvc-tagger/tags': PVCAnnotations - } - }, - spec: { - accessModes: [ - 'ReadWriteOnce', - ], - resources: { - requests: { - storage: deployment.elasticSearch.instance.diskSpace, - }, - }, - storageClassName: 'gp3-retain-policy', - }, - }, - ], - }, - ], - }, -} diff --git a/templates/elasticsearch_alerts_default.jsonnet b/templates/elasticsearch_alerts_default.jsonnet deleted file mode 100644 index 687dffa2..00000000 --- a/templates/elasticsearch_alerts_default.jsonnet +++ /dev/null @@ -1,186 +0,0 @@ -local chart = import 'chart.jsonnet'; -local common = import 'common.jsonnet'; -local deployment_manifest = import 'deployment_manifest.jsonnet'; -local namespace_values = import 'namespace_values.jsonnet'; -local app_name = chart.full_service_name(deployment_manifest.deployment.name); -local namespace = deployment_manifest.deployment.namespace; -local deployment = deployment_manifest.deployment; - -local clusterName = deployment.elasticSearch.instance.instanceName + '-elasticsearch'; - -if deployment_manifest.deployment.elasticSearch.enabled == true then { - apiVersion: 'monitoring.coreos.com/v1', - kind: 'PrometheusRule', - metadata: { - labels: deployment.elasticSearch.esLabels { - prometheus: 'kube-prometheus', - role: 'alert-rules', - }, - annotations: common.annotations, - name: clusterName + '-alerts', - namespace: deployment_manifest.environment + '-datastores', - }, - spec: { - groups: [ - { - name: clusterName + '-alerts', - rules: [ - { - alert: 'ElasticsearchHeapUsageTooHigh', - expr: '(es_jvm_mem_heap_used_bytes{job=~".*http",es_cluster="%(clustername)s"} / es_jvm_mem_heap_max_bytes{job=~".*http",es_cluster="%(clustername)s"}) * 100 > 90' % ({ clustername: clusterName }), - 'for': '20m', - labels: { - severity: 'critical', - alertTeam: deployment_manifest.team.name, - appName: clusterName, - }, - annotations: { - summary: 'Elasticsearch Heap Usage Too High (node `{{ $labels.node }}`)', - description: 'The heap usage is over 90% for 5m VALUE = `{{ $value }}`\n NAME: `{{ $labels.node }}`', - }, - }, - { - alert: 'ElasticsearchHeapUsageWarning', - expr: '(es_jvm_mem_heap_used_bytes{job=~".*http",es_cluster="%(clustername)s"} / es_jvm_mem_heap_max_bytes{job=~".*http",es_cluster="%(clustername)s"}) * 100 > 80' % ({ clustername: clusterName }), - 'for': '15m', - labels: { - severity: 'warning', - alertTeam: deployment_manifest.team.name, - appName: clusterName, - }, - annotations: { - summary: 'Elasticsearch Heap Usage warning (node `{{ $labels.node }}`)', - description: 'The heap usage is over 80% for 15m\n VALUE = `{{ $value }}`\n NAME: `{{ $labels.node }}`', - }, - }, - { - alert: 'ElasticsearchAvgDiskOutOfSpace_Warning', - expr: '(es_fs_total_free_bytes{job=~".*http",es_cluster="%(clustername)s"}/es_fs_total_total_bytes{job=~".*http",es_cluster="%(clustername)s"}) * 100 < 15' % ({ clustername: clusterName }), - 'for': '20m', - labels: { - severity: 'warning', - alertTeam: deployment_manifest.team.name, - appName: clusterName, - }, - annotations: { - summary: 'Elasticsearch average disk out of space (node - `{{ $labels.node }}`). No new shards will be allocated at this node', - description: 'The disk usage is over 85%\n VALUE = `{{ $value }}`', - }, - }, - { - alert: 'ElasticsearchDiskOutOfSpace', - expr: '(es_fs_total_free_bytes{job=~".*http",es_cluster="%(clustername)s"}/es_fs_total_total_bytes{job=~".*http",es_cluster="%(clustername)s"}) * 100 < 10' % ({ clustername: clusterName }), - 'for': '10m', - labels: { - severity: 'critical', - alertTeam: deployment_manifest.team.name, - appName: clusterName, - }, - annotations: { - summary: 'Elasticsearch disk out of space (node `{{ $labels.node }}`). No new shards will be allocated at this node', - description: 'The disk usage is over 90%\n VALUE = `{{ $value }}`\n NAME: `{{ $labels.node }}`', - }, - }, - { - alert: 'ElasticsearchClusterRed', - expr: 'max(es_cluster_status{job=~".*http",es_cluster="%(clustername)s"}) by (es_cluster) == 2' % ({ clustername: clusterName }), - 'for': '5m', - labels: { - severity: 'critical', - alertTeam: deployment_manifest.team.name, - appName: clusterName, - }, - annotations: { - summary: 'Elasticsearch Cluster Red (cluster - `{{ $labels.es_cluster }}`)', - description: 'Elastic Cluster Red', - }, - }, - { - alert: 'ElasticsearchClusterYellow', - expr: 'max(es_cluster_status{job=~".*http",es_cluster="%(clustername)s"}) by (es_cluster) == 1' % ({ clustername: clusterName }), - 'for': '15m', - labels: { - severity: 'warning', - alertTeam: deployment_manifest.team.name, - appName: clusterName, - }, - annotations: { - summary: 'Elasticsearch Cluster Yellow (cluster - `{{ $labels.es_cluster }}`)', - description: 'Elastic Cluster Yellow for 15 minutes', - }, - }, - { - alert: 'ElasticsearchClusterIndexReplicaUnavailable', - expr: 'min(es_index_replicas_number{job=~".*http",es_cluster="%(clustername)s",index!~"^[.].*"}) by (es_cluster,index) < 1' % ({ clustername: clusterName }), - 'for': '15m', - labels: { - severity: 'warning', - alertTeam: deployment_manifest.team.name, - appName: clusterName, - }, - annotations: { - summary: 'Elasticsearch Cluster Index Replica less than 1 (cluster - `{{ $labels.es_cluster }}`)', - description: 'Elastic Cluster Index Replica less than 1 for 15 minutes\n VALUE = `{{ $value }}`', - }, - }, - { - alert: 'ElasticsearchInitializingShards', - expr: 'max(es_cluster_shards_number{type="initializing",job=~".*http",es_cluster="%(clustername)s"}) by (es_cluster) > 0' % ({ clustername: clusterName }), - 'for': '10m', - labels: { - severity: 'warning', - alertTeam: deployment_manifest.team.name, - appName: clusterName, - }, - annotations: { - summary: 'Elasticsearch initializing shards (cluster `{{ $labels.es_cluster }}`)', - description: 'Number of initializing shards for 10 min\n VALUE = `{{ $value }}`', - }, - }, - { - alert: 'ElasticsearchUnassignedShards', - expr: 'max(es_cluster_shards_number{type="unassigned",job=~".*http",es_cluster="%(clustername)s"}) by (es_cluster) > 0' % ({ clustername: clusterName }), - 'for': '30m', - labels: { - severity: 'critical', - alertTeam: deployment_manifest.team.name, - appName: clusterName, - }, - annotations: { - summary: 'Elasticsearch unassigned shards (cluster `{{ $labels.es_cluster }}`)', - description: 'Number of unassigned shards for 30 min\n VALUE = `{{ $value }}`', - }, - }, - { - alert: 'ElasticsearchUnassignedShards', - expr: 'max(es_cluster_shards_number{type="unassigned",job=~".*http",es_cluster="%(clustername)s"}) by (es_cluster) > 0' % ({ clustername: clusterName }), - 'for': '15m', - labels: { - severity: 'warning', - alertTeam: deployment_manifest.team.name, - appName: clusterName, - }, - annotations: { - summary: 'Elasticsearch unassigned shards (cluster `{{ $labels.es_cluster }}`)', - description: 'Number of unassigned shards for 15 min\n VALUE = `{{ $value }}`', - }, - }, - { - alert: 'ElasticsearchPendingTasks', - expr: 'max(es_cluster_pending_tasks_number{job=~".*http",es_cluster="%(clustername)s"}) by (es_cluster) > 0' % ({ clustername: clusterName }), - 'for': '15m', - labels: { - severity: 'warning', - alertTeam: deployment_manifest.team.name, - appName: clusterName, - }, - annotations: { - summary: 'Elasticsearch pending tasks (cluster `{{ $labels.es_cluster }}`)', - description: 'Number of pending tasks for 15 min. Cluster works slowly.\n VALUE = `{{ $value }}`', - }, - }, - ], - }, - ], - }, -} diff --git a/templates/elasticsearch_secrets.jsonnet b/templates/elasticsearch_secrets.jsonnet deleted file mode 100644 index 17e1b275..00000000 --- a/templates/elasticsearch_secrets.jsonnet +++ /dev/null @@ -1,18 +0,0 @@ -local chart = import 'chart.jsonnet'; -local common = import 'common.jsonnet'; -local deployment_manifest = import 'deployment_manifest.jsonnet'; -local deployment = deployment_manifest.deployment; - -if deployment_manifest.deployment.elasticSearch.enabled == true then { - apiVersion: 'v1', - kind: 'Secret', - metadata: { - name: deployment.elasticSearch.instance.instanceName + '-elasticsearch' + '-es-elastic-user', - namespace: deployment_manifest.environment + '-datastores', - labels: deployment.elasticSearch.esLabels, - annotations: common.annotations, - }, - - data: { [e.name]: std.base64(e.value) for e in deployment_manifest.environmentVariables if std.toString(e.name) == 'elastic' }, - type: 'Opaque', -} diff --git a/templates/elasticsearch_servicemonitor.jsonnet b/templates/elasticsearch_servicemonitor.jsonnet deleted file mode 100644 index 646af3e9..00000000 --- a/templates/elasticsearch_servicemonitor.jsonnet +++ /dev/null @@ -1,75 +0,0 @@ -local chart = import 'chart.jsonnet'; -local common = import 'common.jsonnet'; -local deployment_manifest = import 'deployment_manifest.jsonnet'; -local deployment = deployment_manifest.deployment; - -if deployment_manifest.deployment.elasticSearch.enabled == true then { - apiVersion: 'monitoring.coreos.com/v1', - kind: 'ServiceMonitor', - metadata: { - labels: deployment.elasticSearch.esLabels, - name: deployment.elasticSearch.instance.instanceName + '-elasticsearch-monitor', - namespace: deployment_manifest.environment + '-datastores', - annotations: common.annotations, - }, - spec: { - endpoints: [ - { - metricRelabelings: [ - { - action: 'drop', - regex: 'es_index_segments_memory_bytes', - sourceLabels: ['__name__'], - }, - { - action: 'drop', - regex: '.*es-node', - sourceLabels: ['job'], - }, - { - action: 'drop', - regex: 'es_cluster.*;.*es-node-[1-9]+', - sourceLabels: ['__name__', 'pod'], - }, - { - sourceLabels: ['cluster'], - targetLabel: 'es_cluster', - replacement: '$1' - }, - { - action: 'labeldrop', - regex: '^cluster$', - } - ], - interval: '30s', - path: '/_prometheus/metrics', - port: 'http', - scheme: 'http', - tlsConfig: { - insecureSkipVerify: true, - }, - basicAuth: { - password: { - name: deployment.elasticSearch.instance.instanceName + '-elasticsearch' + '-sm-secret', - key: 'password', - }, - username: { - name: deployment.elasticSearch.instance.instanceName + '-elasticsearch' + '-sm-secret', - key: 'username', - }, - }, - }, - ], - namespaceSelector: { - matchNames: [ - deployment_manifest.environment + '-datastores', - ], - }, - selector: { - matchLabels: { - 'common.k8s.elastic.co/type': 'elasticsearch', - 'elasticsearch.k8s.elastic.co/cluster-name': deployment.elasticSearch.instance.instanceName + '-elasticsearch', - }, - }, - }, -} diff --git a/templates/elasticsearch_sm_secrets.jsonnet b/templates/elasticsearch_sm_secrets.jsonnet deleted file mode 100644 index 2295b1b1..00000000 --- a/templates/elasticsearch_sm_secrets.jsonnet +++ /dev/null @@ -1,18 +0,0 @@ -local chart = import 'chart.jsonnet'; -local common = import 'common.jsonnet'; -local deployment_manifest = import 'deployment_manifest.jsonnet'; -local deployment = deployment_manifest.deployment; - -if deployment_manifest.deployment.elasticSearch.enabled == true then { - apiVersion: 'v1', - kind: 'Secret', - metadata: { - name: deployment.elasticSearch.instance.instanceName + '-elasticsearch' + '-sm-secret', - namespace: deployment_manifest.environment + '-datastores', - labels: deployment.elasticSearch.esLabels, - annotations: common.annotations, - }, - - data: { ['username']: std.base64(e.name) for e in deployment_manifest.environmentVariables if std.toString(e.name) == 'elastic' } + { ['password']: std.base64(e.value) for e in deployment_manifest.environmentVariables if std.toString(e.name) == 'elastic' }, - type: 'Opaque', -} diff --git a/templates/elasticsearch_snapshots.jsonnet b/templates/elasticsearch_snapshots.jsonnet deleted file mode 100644 index 2962a335..00000000 --- a/templates/elasticsearch_snapshots.jsonnet +++ /dev/null @@ -1,122 +0,0 @@ -local chart = import 'chart.jsonnet'; -local common = import 'common.jsonnet'; -local deployment_manifest = import 'deployment_manifest.jsonnet'; -local deployment = deployment_manifest.deployment; - -if deployment_manifest.deployment.elasticSearch.enabled == true then { - apiVersion: 'batch/v1', - kind: 'Job', - metadata: { - name: deployment.elasticSearch.instance.instanceName + '-elasticsearch' + '-init-snapshots', - namespace: deployment_manifest.environment + '-datastores', - labels: deployment.elasticSearch.esLabels, - annotations: common.annotations, - }, - spec: { - template: { - spec: { - initContainers: [ - { - name: 'elasticsearch-s3-repository', - image: '193044292705.dkr.ecr.ap-south-1.amazonaws.com/common/centos:7-custom', - imagePullPolicy: 'IfNotPresent', - volumeMounts: [ - { - name: 'es-basic-auth', - mountPath: '/mnt/elastic/es-basic-auth', - }, - ], - env: [ - { - name: 'ES_HOST', - value: deployment.elasticSearch.instance.instanceName + '-elasticsearch-es-http.' + deployment_manifest.environment + '-datastores.' + 'svc.cluster.local', - }, - { - name: 'ES_PORT', - value: '9200', - }, - { - name: 'ES_REPOSITORY', - value: 'snapshots', - }, - { - name: 'S3_REGION', - value: 'ap-south-1', - }, - { - name: 'S3_BUCKET', - valueFrom: { - secretKeyRef: { - name: 's3-bucket-es-backup', - key: 'bucket', - }, - }, - }, - { - name: 'S3_BASE_PATH', - value: deployment.elasticSearch.instance.instanceName, - }, - { - name: 'S3_COMPRESS', - value: 'true', - }, - { - name: 'S3_STORAGE_CLASS', - value: 'standard', - }, - ], - command: [ - '/bin/sh', - '-c', - ], - args: [ - "dockerize -wait tcp://${ES_HOST}:${ES_PORT} -timeout 600s && curl -s -i -k -u \"elastic:$(\"'\",\n \"repository\": \"'\"${ES_REPOSITORY}\"'\",\n \"config\": {\n \"indices\": \"'\"*\"'\",\n \"include_global_state\": \"'\"true\"'\"\n },\n \"retention\": {\n \"expire_after\": \"7d\",\n \"min_count\": 7,\n \"max_count\": 14\n }\n}'\n", - ], - }, - ], - restartPolicy: 'Never', - volumes: [ - { - name: 'es-basic-auth', - secret: { - secretName: deployment.elasticSearch.instance.instanceName + '-elasticsearch' + '-es-elastic-user', - }, - }, - ], - }, - }, - }, -} diff --git a/templates/flink_default_alerts.jsonnet b/templates/flink_default_alerts.jsonnet deleted file mode 100644 index 7b510440..00000000 --- a/templates/flink_default_alerts.jsonnet +++ /dev/null @@ -1,238 +0,0 @@ -local chart = import 'chart.jsonnet'; -local common = import 'common.jsonnet'; -local deployment_manifest = import 'deployment_manifest.jsonnet'; -local namespace_values = import 'namespace_values.jsonnet'; -local app_name = chart.full_service_name(deployment_manifest.name); -local namespace = deployment_manifest.flink.namespace; -local load_balancer_util = import 'load_balancer_util.jsonnet'; -local manifest_util = import 'manifest_util.jsonnet'; -local flink = deployment_manifest.flink; -local vars = import 'vars.jsonnet'; -local util = import 'util.jsonnet'; - -local environment = deployment_manifest.environment; -local commonAlertFields = { - appName: common.awsTags.Name, - fullName: chart.full_service_name(deployment_manifest.name), - namespace: namespace, - environment: environment, -}; -local baseLabels = function(alert) { - labels: { - severity: alert.severity, - alertTeam: deployment_manifest.team.name, - appName: app_name, - [if manifest_util.is_custom_slack_channel_enabled(alert) then 'slackChannel']: alert.slackChannel, - }, -}; -local baseAnnotations = function(alert) { - annotations: { - runbook: 'https://navihq.atlassian.net/wiki/spaces/IN/pages/509936863/Runbook', - }, -}; -local mapAlerts(alertGroup, alerts) = std.filterMap( - function(alert) alert.type in alertGroup, - function(alert) baseAnnotations(alert) + alertGroup[alert.type](alert) + baseLabels(alert), - alerts -); - -local alerts = { - "pod": [ - { - "type": "HighPodRestarts", - "duration": "30m", - "severity": "critical", - "threshold": 3 - }, - { - "type": "HighPodFailures", - "duration": "3h", - "severity": "warning", - "threshold": 2 - }, - { - "type": "FrequentPodOOMKilled", - "duration": "10m", - "severity": "critical", - "threshold": 2 - }, - { - "type": "PodOOMKilled", - "duration": "5m", - "severity": "warning", - "threshold": 1 - }, - { - "type": "KubeContainerWaiting", - "duration": "1h", - "severity": "critical", - "threshold": 0 - } - ], - "flink": [ - { - "type": "JobManagerJvmMemoryUsageHigh", - "duration": "10m", - "severity": "critical", - "threshold": 85 - }, - { - "type": "JobManagerCpuLoadHigh", - "duration": "10m", - "severity": "critical", - "threshold": 75 - }, - { - "type": "TaskManagerJvmCpuLoadHigh", - "duration": "10m", - "severity": "critical", - "threshold": 75 - }, - { - "type": "TaskManagerJvmMemoryUsageHigh", - "duration": "10m", - "severity": "critical", - "threshold": 85 - }, - { - "type": "JobManagerFailedCheckpointIncreased", - "duration": "5m", - "severity": "critical", - "threshold": 0 - }, - { - "type": "FlinkTaskFailed", - "duration": "5m", - "severity": "critical", - "threshold": 0 - } - ], - "custom": [] -}; - -local podAlerts = { - HighPodRestarts: function(alert) ({ - alert: 'HighPodRestarts', - annotations: { - description: 'Namespace: %s, AppName: %s; Pod restarted multiple times' % [namespace, app_name], - summary: 'High Pod Restarts', - runbook: 'https://navihq.atlassian.net/wiki/spaces/IN/pages/279937094/Act+On+Pod+Alert', - }, - expr: 'sum(increase(kube_pod_container_status_restarts_total{namespace="%s", pod=~"%s.*"}[%s])) > %s' % [namespace, app_name, alert.duration, alert.threshold], - }), - HighPodFailures: function(alert) ({ - alert: 'HighPodFailures', - annotations: { - description: 'Namespace: %s, AppName: %s; Pods were last terminated due to reason {{ $labels.reason }}' % [namespace, app_name], - summary: 'High Pod Failures', - runbook: 'https://navihq.atlassian.net/wiki/spaces/IN/pages/279937094/Act+On+Pod+Alert', - }, - expr: 'sum(increase(kube_pod_container_status_last_terminated_reason{namespace="%s", container=~"%s.*",reason !~ "Completed|Evicted|OOMKilled"}[%s])) by (reason,pod) > %s' % [namespace, app_name, alert.duration, alert.threshold], - }), - FrequentPodOOMKilled: function(alert) ({ - alert: 'FrequentPodOOMKilled', - annotations: { - description: 'Namespace: %s, AppName: %s; Pod: {{ $labels.pod }} is restarting multiple times because of OOMKilled' % [namespace, app_name], - summary: 'High Pod Failures', - runbook: 'https://navihq.atlassian.net/wiki/spaces/IN/pages/279937094/Act+On+Pod+Alert', - }, - expr: 'increase(kube_pod_container_status_restarts_total{namespace="%s", container="%s"}[%s]) >= %s AND ignoring(reason) kube_pod_container_status_last_terminated_reason{namespace="%s", container="%s", reason="OOMKilled"} > 0' % [namespace, app_name, alert.duration, alert.threshold, namespace, app_name], - }), - PodOOMKilled: function(alert) ({ - alert: 'PodOOMKilled', - annotations: { - description: 'Namespace: %s, AppName: %s; Pod: {{ $labels.pod }} killed because of OOMKilled' % [namespace, app_name], - summary: 'Pod OOMKilled', - runbook: 'https://navihq.atlassian.net/wiki/spaces/IN/pages/279937094/Act+On+Pod+Alert', - }, - expr: 'kube_pod_container_status_restarts_total{namespace="%s", container="%s"} - kube_pod_container_status_restarts_total{namespace="%s", container="%s"} offset %s >= %s AND ignoring(reason) kube_pod_container_status_last_terminated_reason{namespace="%s", container="%s", reason="OOMKilled"} > 0' % [namespace, app_name, namespace, app_name, alert.duration, alert.threshold, namespace, app_name], - }), - KubeContainerWaiting: function(alert) ({ - alert: 'KubeContainerWaiting', - annotations: { - description: 'Namespace: %s, AppName: %s; container in waiting state for one hour' % [namespace, app_name], - summary: 'container is waiting for too long', - runbook: 'https://navihq.atlassian.net/wiki/spaces/IN/pages/279937094/Act+On+Pod+Alert', - }, - expr: 'sum by (namespace, pod, container) (kube_pod_container_status_waiting_reason{container="%s", namespace="%s"}) > %s' % [app_name, namespace, alert.threshold], - 'for': alert.duration, - }), -}; - -local flinkAlerts = { - JobManagerJvmMemoryUsageHigh: function(alert) ({ - alert: 'JobManagerJvmMemoryUsageHigh', - annotations: { - description: 'Namespace: %s, AppName: %s; JVM Memory usage more than 80 percent for flink job {{ $labels.job }} since last %s ' % [namespace, app_name, alert.duration], - summary: 'Job Manager JVM Memory Usage High', - }, - expr: '( flink_jobmanager_Status_JVM_Memory_Heap_Used / flink_jobmanager_Status_JVM_Memory_Heap_Max ) * 100 > %s ' % [alert.threshold], - 'for': alert.duration, - }), - JobManagerCpuLoadHigh: function(alert) ({ - alert: 'JobManagerCpuLoadHigh', - annotations: { - description: 'Namespace: %s, AppName: %s; JVM CPU Load more than %s for flink job {{ $labels.job }} since last %s.' % [namespace, app_name,alert.threshold, alert.duration], - summary: 'Job Manager CPU Load High', - }, - expr: 'flink_jobmanager_Status_JVM_CPU_Load > %s' % alert.threshold, - 'for': alert.duration, - }), - TaskManagerJvmCpuLoadHigh: function(alert) ({ - alert: 'TaskManagerJvmCpuLoadHigh', - annotations: { - description: 'Namespace: %s, AppName: %s; JVM CPU Load more than %s for flink taskmanager {{ $labels.tm_id }} for job {{ $labels.job }} since last %s.' % [namespace, app_name, alert.threshold, alert.duration], - summary: 'Task Manager JVM CPU Load High', - }, - expr: 'flink_taskmanager_Status_JVM_CPU_Load > %s' % alert.threshold, - 'for': alert.duration, - }), - TaskManagerJvmMemoryUsageHigh: function(alert) ({ - alert: 'TaskManagerJvmMemoryUsageHigh', - annotations: { - description: 'Namespace: %s, AppName: %s; JVM Memory usage more than 80 percent for TaskManager {{ $labels.tm_id }} for job {{ $labels.job }} since last %s.' % [namespace, app_name, alert.duration], - summary: 'Task Manager JVM Memory Usage High', - }, - expr: '(flink_taskmanager_Status_JVM_Memory_Heap_Used / flink_taskmanager_Status_JVM_Memory_Heap_Max) * 100 > %s' % alert.threshold, - 'for': alert.duration, - }), - JobManagerFailedCheckpointIncreased: function(alert) ({ - alert: 'JobManagerFailedCheckpointIncreased', - annotations: { - description: 'Namespace: %s, AppName: %s; Number of failed checkpoints increased in last %s for job {{ $labels.job }}' % [namespace, app_name, alert.duration], - summary: 'Job Manager Failed Checkpoint Increased', - }, - expr: 'increase(flink_jobmanager_job_numberOfFailedCheckpoints[%s]) > 0' % alert.duration, - }), - FlinkTaskFailed: function(alert) ({ - alert: 'FlinkTaskFailed', - annotations: { - description: 'Namespace: %s, AppName: %s; The Flink job {{ $labels.job }} has tasks that failed.' % [namespace, app_name], - summary: 'Flink Task Failed', - }, - expr: 'rate(flink_taskmanager_job_task_failed{job="{{ $labels.job }}"}[%s]) > 0' % alert.duration, - 'for': alert.duration, - }), -}; - -{ - apiVersion: 'monitoring.coreos.com/v1', - kind: 'PrometheusRule', - metadata: { - labels: common.labels { - prometheus: 'kube-prometheus', - role: 'alert-rules', - }, - name: app_name, - namespace: namespace, - annotations: common.annotations, - }, - spec: { - groups: [ - { - name: '%s-basic' % [app_name], - rules: (mapAlerts(podAlerts, alerts.pod) + mapAlerts(flinkAlerts, alerts.flink)), - }, - ], - }, -} diff --git a/templates/flink_deployment.jsonnet b/templates/flink_deployment.jsonnet deleted file mode 100644 index 0f6906f0..00000000 --- a/templates/flink_deployment.jsonnet +++ /dev/null @@ -1,172 +0,0 @@ -local chart = import 'chart.jsonnet'; -local common = import 'common.jsonnet'; -local deployment_manifest = import 'deployment_manifest.jsonnet'; -local flink = deployment_manifest.flink; -local namespace_values = import 'namespace_values.jsonnet'; -local flinkBucket = namespace_values.flinkBucket; -local flinkBucketBaseDir = 's3://' + flinkBucket + '/jobs/' + deployment_manifest.environment + '/' + deployment_manifest.name; -local util = import 'util.jsonnet'; -local needsAWSAccess = if util.is_field_present(deployment_manifest.extraResources, 'aws_access') - && util.is_field_present(deployment_manifest.extraResources.aws_access, 'policies') - && std.length(deployment_manifest.extraResources.aws_access.policies) > 0 then true else false; - -local roleName = chart.full_service_name(deployment_manifest.name) + '-' + deployment_manifest.environment; - -local awsAccess = { - volumeName:: 'aws-iam-credentials', - volumeMountPath:: '/meta/aws-iam', - - volume: if (needsAWSAccess && namespace_values.zalandoEnabled) then [ - { name: $.volumeName, secret: { secretName: roleName, defaultMode: 420 } }, - ] else [], - mount: if (needsAWSAccess && namespace_values.zalandoEnabled) then [ - { name: $.volumeName, mountPath: $.volumeMountPath }, - ] else [], - env: if (needsAWSAccess && namespace_values.zalandoEnabled) then [ - { name: 'AWS_DEFAULT_REGION', value: 'ap-south-1' }, - { name: 'AWS_SHARED_CREDENTIALS_FILE', value: $.volumeMountPath + '/credentials.process' }, - { name: 'AWS_CREDENTIAL_PROFILES_FILE', value: $.volumeMountPath + '/credentials' }, - ] else [], -}; - -local rocksDbSupport = { - name:: 'rocksdb-storage', - storageClassName:: 'gp2', - mountPath:: '/opt/flink/rocksdb', - accessModes:: ['ReadWriteOnce'], - - volume: { - name: $.name, - ephemeral: { - volumeClaimTemplate: { - metadata: { - labels: common.labels, - }, - spec: { - accessModes: $.accessModes, - storageClassName: $.storageClassName, - resources: { - requests: { - storage: flink.flinkDeployment.taskManager.volumeSize, - }, - }, - }, - }, - }, - }, - mount: { - name: $.name, - mountPath: $.mountPath, - }, -}; - -{ - mainContainerName:: 'flink-main-container', - image:: '193044292705.dkr.ecr.ap-south-1.amazonaws.com/common/flink:1.17.2-s3-hadoop', - flinkVersion:: 'v1_17', - defaultStateBackendType:: 'filesystem', - isRocksDbSupportEnabled:: ('volumeSize' in flink.flinkDeployment.taskManager), - isCustomTaskManagerPodTemplateRequired:: ($.isRocksDbSupportEnabled), - stateBackendType:: ( - if $.isRocksDbSupportEnabled then - 'rocksdb' - else - $.defaultStateBackendType - ), - - apiVersion: 'flink.apache.org/v1beta1', - kind: 'FlinkDeployment', - metadata: { - name: deployment_manifest.name, - namespace: flink.namespace, - }, - spec: { - image: $.image, - imagePullPolicy: 'IfNotPresent', - flinkVersion: $.flinkVersion, - restartNonce: flink.flinkDeployment.restartNonce, - flinkConfiguration: { - 'taskmanager.numberOfTaskSlots': std.toString(flink.flinkDeployment.flinkConfiguration.taskManagerSlots), - 'high-availability': 'KUBERNETES', - 'high-availability.storageDir': flinkBucketBaseDir + '/recovery', - 'state.backend.type': $.stateBackendType, - [if $.isRocksDbSupportEnabled then 'state.backend.rocksdb.localdir']: rocksDbSupport.mountPath, - 'state.checkpoints.dir': flinkBucketBaseDir + '/checkpoints', - 'state.savepoints.dir': flinkBucketBaseDir + '/savepoints', - 'kubernetes.operator.periodic.savepoint.interval': flink.flinkDeployment.flinkConfiguration.savepointFrequency, - 'kubernetes.operator.savepoint.history.max.count': '24', - 'kubernetes.operator.pod-template.merge-arrays-by-name': 'true', - 'restart-strategy': 'exponentialdelay', - 'execution.checkpointing.interval': '30s', - 'restart-strategy.exponential-delay.initial-backoff': '10s', - 'restart-strategy.exponential-delay.max-backoff': '2min', - 'restart-strategy.exponential-delay.backoff-multiplier': '2.0', - 'restart-strategy.exponential-delay.reset-backoff-threshold': '10min', - 'restart-strategy.exponential-delay.jitter-factor': '0.1', - 'metrics.reporter.promgateway.jobName': deployment_manifest.name, - 'metrics.reporter.promgateway.groupingKey': 'tag_team=' + deployment_manifest.team.name, - }, - serviceAccount: roleName, - podTemplate: { - apiVersion: 'v1', - kind: 'Pod', - metadata: { - name: deployment_manifest.name, - labels: common.labels, - }, - spec: { - containers: [ - { - name: $.mainContainerName, - env: [ - { - name: e.name, - valueFrom: { - secretKeyRef: { - name: chart.full_service_name(deployment_manifest.name) + '-secret', - key: e.name, - }, - }, - } - for e in deployment_manifest.environmentVariables - ] + - // Adding md5 to make sure deployment is retrigerred if just values are changed - ([{ name: 'secretMd5', value: std.md5(std.toString(deployment_manifest.environmentVariables)) }]) + - awsAccess.env, - volumeMounts: awsAccess.mount, - }, - ], - volumes: awsAccess.volume, - serviceAccountName: roleName, - }, - }, - jobManager: { - replicas: flink.flinkDeployment.jobManager.replicas, - resource: { - memory: flink.flinkDeployment.jobManager.resources.memory, - cpu: flink.flinkDeployment.jobManager.resources.cpu, - }, - }, - taskManager: { - [if $.isCustomTaskManagerPodTemplateRequired then 'podTemplate']: { - spec: { - securityContext: { - fsGroup: 9999, - }, - containers: [ - { - name: $.mainContainerName, - volumeMounts: [rocksDbSupport.mount], - }, - ], - volumes: [rocksDbSupport.volume], - }, - }, - replicas: flink.flinkDeployment.taskManager.replicas, - resource: { - memory: flink.flinkDeployment.taskManager.resources.memory, - cpu: flink.flinkDeployment.taskManager.resources.cpu, - }, - }, - }, -} diff --git a/templates/flink_role_binding.jsonnet b/templates/flink_role_binding.jsonnet deleted file mode 100644 index 7685f52b..00000000 --- a/templates/flink_role_binding.jsonnet +++ /dev/null @@ -1,27 +0,0 @@ -local chart = import 'chart.jsonnet'; -local common = import 'common.jsonnet'; -local deployment_manifest = import 'deployment_manifest.jsonnet'; -local namespace = deployment_manifest.flink.namespace; - -local serviceAccountName = chart.full_service_name(deployment_manifest.name) + '-' + deployment_manifest.environment; -{ - apiVersion: 'rbac.authorization.k8s.io/v1', - kind: 'RoleBinding', - metadata: { - name: 'flink' + '-' + serviceAccountName, - namespace: namespace, - labels: common.labels, - }, - roleRef: { - apiGroup: 'rbac.authorization.k8s.io', - kind: 'Role', - name: 'flink', - }, - subjects: [ - { - kind: 'ServiceAccount', - name: serviceAccountName, - namespace: namespace, - }, - ], -} diff --git a/templates/flink_service_account.jsonnet b/templates/flink_service_account.jsonnet deleted file mode 100644 index 5225463f..00000000 --- a/templates/flink_service_account.jsonnet +++ /dev/null @@ -1,27 +0,0 @@ -local chart = import 'chart.jsonnet'; -local common = import 'common.jsonnet'; -local deployment_manifest = import 'deployment_manifest.jsonnet'; -local namespace = deployment_manifest.flink.namespace; -local namespace_values = import 'namespace_values.jsonnet'; -local util = import 'util.jsonnet'; -local needsAWSAccess = if util.is_field_present(deployment_manifest.extraResources, 'aws_access') - && util.is_field_present(deployment_manifest.extraResources.aws_access, 'policies') - && std.length(deployment_manifest.extraResources.aws_access.policies) > 0 then true else false; - -local roleName = chart.full_service_name(deployment_manifest.name) + '-' + deployment_manifest.environment; - - -{ - apiVersion: 'v1', - kind: 'ServiceAccount', - metadata: ({ - name: roleName, - namespace: namespace, - labels: common.labels, - [if !namespace_values.zalandoEnabled then 'annotations' else null]: { - 'eks.amazonaws.com/role-arn': 'arn:aws:iam::' + namespace_values.awsAccountId + ':role/' + roleName, - 'eks.amazonaws.com/sts-regional-endpoints': 'true', - 'eks.amazonaws.com/token-expiration': '10800', - }, - }), -} diff --git a/templates/flink_session_job.jsonnet b/templates/flink_session_job.jsonnet deleted file mode 100644 index c99993f9..00000000 --- a/templates/flink_session_job.jsonnet +++ /dev/null @@ -1,24 +0,0 @@ -local chart = import 'chart.jsonnet'; -local common = import 'common.jsonnet'; -local deployment_manifest = import 'deployment_manifest.jsonnet'; -local flink = deployment_manifest.flink; -local namespace_values = import 'namespace_values.jsonnet'; -{ - apiVersion: 'flink.apache.org/v1beta1', - kind: 'FlinkSessionJob', - metadata: { - name: deployment_manifest.name, - namespace: flink.namespace, - }, - spec: { - deploymentName: deployment_manifest.name, - job: { - jarURI: std.extVar('IMAGE'), - parallelism: flink.flinkJob.parallelism, - allowNonRestoredState: true, - upgradeMode: 'savepoint', - [if 'entryClass' in flink.flinkJob then 'entryClass' else null]: flink.flinkJob.entryClass, - args: [flink.flinkJob.jobArguments], - }, - }, -} diff --git a/templates/health_check_values.jsonnet b/templates/health_check_values.jsonnet deleted file mode 100644 index f0b7da71..00000000 --- a/templates/health_check_values.jsonnet +++ /dev/null @@ -1,65 +0,0 @@ -local deployment_manifest = import 'deployment_manifest.jsonnet'; -local port_map = import 'port_map.jsonnet'; -local exposedPorts = deployment_manifest.deployment.exposedPorts; - - -local isMicrometerPrometheusEnabled = deployment_manifest.labels['micrometer-prometheus'] == 'enabled'; -local error_message = 'Metrics port not specified with micrometer-prometheus enabled'; - -local defaultReadinessCheck = { - type: 'tcp', - port: 'serviceport', - path: '/actuator/health', - successThreshold: 1, - initialDelaySeconds: 60, - periodSeconds: 30, - failureThreshold: 5, - httpHeaders: [], -}; - -local defaultLivenessCheck = { - type: 'tcp', - port: 'serviceport', - path: '/actuator/health', - successThreshold: 1, - initialDelaySeconds: 60, - periodSeconds: 30, - failureThreshold: 5, - httpHeaders: [], -} + if isMicrometerPrometheusEnabled then { port: 'metrics', type: 'http' } else {}; - -local defaultStartupProbe = { - successThreshold: 1, - initialDelaySeconds: 0, - periodSeconds: 10, - failureThreshold: 30, - httpHeaders: [], -}; - -{ - generator(healthCheck): { - http:: { - httpGet: { - port: port_map.getPort(healthCheck.port), - path: healthCheck.path, - httpHeaders: healthCheck.httpHeaders, - }, - successThreshold: healthCheck.successThreshold, - initialDelaySeconds: healthCheck.initialDelaySeconds, - periodSeconds: healthCheck.periodSeconds, - failureThreshold: healthCheck.failureThreshold, - }, - tcp:: { - tcpSocket: { - port: port_map.getPort(healthCheck.port), - }, - successThreshold: healthCheck.successThreshold, - initialDelaySeconds: healthCheck.initialDelaySeconds, - periodSeconds: healthCheck.periodSeconds, - failureThreshold: healthCheck.failureThreshold, - }, - }, - getDefaultReadinessCheck:: defaultReadinessCheck, - getDefaultStartupProbe:: defaultStartupProbe, - getDefaultLivenessCheck:: if (isMicrometerPrometheusEnabled && !port_map.hasPort(exposedPorts, 'metrics')) then error error_message else defaultLivenessCheck, -} diff --git a/templates/hpa.jsonnet b/templates/hpa.jsonnet deleted file mode 100644 index 945db992..00000000 --- a/templates/hpa.jsonnet +++ /dev/null @@ -1,70 +0,0 @@ -local chart = import 'chart.jsonnet'; -local common = import 'common.jsonnet'; -local deployment_manifest = import 'deployment_manifest.jsonnet'; -local deployment = deployment_manifest.deployment; -local hpa = deployment.hpa; -local vars = import 'vars.jsonnet'; -local util = import 'util.jsonnet'; - -local hpa_custom_metrics = [ - item { name: super.name + '_' + deployment.name + '_' + deployment_manifest.environment } - for item in hpa.custom_metrics -]; - -local basename = chart.full_service_name(deployment.name); -local isHpaEnabled = hpa.type == vars.deployment.hpa.type.metrics; -local name = if isHpaEnabled then - basename -else - basename + '-disabled'; - -{ - apiVersion: 'autoscaling/v2beta2', - kind: 'HorizontalPodAutoscaler', - metadata: { - name: name, - labels: common.labels, - namespace: deployment_manifest.deployment.namespace, - annotations: common.annotations + { - [std.format('metric-config.external.prometheus-query.prometheus/%s', metric.name)]: metric.query - for metric in hpa_custom_metrics - }, - }, - spec: { - maxReplicas: hpa.maxReplicas, - minReplicas: if hpa.minReplicas == 0 then 1 else hpa.minReplicas, - metrics: [ - { - resource: { - name: metric.name, - target: { - averageUtilization: metric.threshold, - type: 'Utilization', - }, - }, - type: 'Resource', - } - for metric in hpa.metrics - ] + [ - { - external: { - metric: { - name: 'prometheus-query', - selector: { - matchLabels: { - 'query-name': metric.name, - }, - }, - }, - target: { - type: 'Value', - value: metric.threshold, - }, - }, - type: 'External', - } - for metric in hpa_custom_metrics - ], - scaleTargetRef: util.hpa_scale_target_ref(deployment.name, deployment.controller, !isHpaEnabled), - }, -} diff --git a/templates/ingress.jsonnet b/templates/ingress.jsonnet deleted file mode 100644 index ef700e6c..00000000 --- a/templates/ingress.jsonnet +++ /dev/null @@ -1,189 +0,0 @@ -//Imports -local chart = import 'chart.jsonnet'; -local common = import 'common.jsonnet'; -local deployment_manifest = import 'deployment_manifest.jsonnet'; -local load_balancer_util = import 'load_balancer_util.jsonnet'; -local namespace_values = import 'namespace_values.jsonnet'; -local port_map = import 'port_map.jsonnet'; -local util = import 'util.jsonnet'; -local flink = deployment_manifest.flink; -local sandbox = import './sandbox/main.jsonnet'; -local isSandbox = util.is_sandbox(deployment_manifest.environment); -local vars = import 'vars.jsonnet'; -local isflinkJob = std.objectHas(deployment_manifest, 'flink'); -local loadBalancers = if isflinkJob then deployment_manifest.flink.loadBalancers else deployment_manifest.deployment.loadBalancers; -local namespace = if isflinkJob then deployment_manifest.flink.namespace else deployment_manifest.deployment.namespace; -local exposedPorts = deployment_manifest.deployment.exposedPorts; - -local albScheme = { - internetFacing: 'internet-facing', - internal: 'internal', - cdn: 'internet-facing', - internetFacingRestricted: 'internet-facing', -}; - -local albTags = common.awsTags + if isSandbox then { - Environment: deployment_manifest.sandboxParams.source.environment, - Namespace: deployment_manifest.sandboxParams.source.namespace, -} else {}; - -local nginxClass(environment, serviceName) = '%s-%s-nginx' % [environment, serviceName]; - -local ingress_annotations(lbObject, clusterAnnotationValues, exposePortToLb=false, enableGrpc=false) = { - local subnetScheme = load_balancer_util.subnet_scheme(lbObject.accessPolicies), - local groupName = load_balancer_util.group_name(lbObject), - local ingressName = load_balancer_util.ingress_name(chart.full_service_name(deployment_manifest.name), lbObject), - - local sslCerts = clusterAnnotationValues.sslCert, - local certificateArns = std.join(',', std.set( - [sslCerts[util.get_certs(std.objectFieldsAll(sslCerts), lbObject.endpoint)]] + - [sslCerts[util.get_certs(std.objectFieldsAll(sslCerts), host.hostname)] for host in lbObject.redirects] + - [sslCerts[util.get_certs(std.objectFieldsAll(sslCerts), host)] for host in lbObject.additionalEndpoints] - )), - local redirect_annotations(destinationHost) = { ['alb.ingress.kubernetes.io/actions.redirect-%s' % i]: '{"Type": "redirect", "RedirectConfig": { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301", "Host": "%(destinationHost)s","Path": "%(destinationPath)s"}}' % (lbObject.redirects[i] { destinationHost: destinationHost }) for i in std.range(0, std.length(lbObject.redirects) - 1) }, - - nginxLb: namespace_values.loadBalancer.annotations { - 'kubernetes.io/ingress.class': nginxClass(deployment_manifest.environment, deployment_manifest.name), - 'nginx.ingress.kubernetes.io/rewrite-target': '/', - }, - sharedAlbAcrossNamespace: common.annotations + namespace_values.loadBalancer.annotations { - local sortedPolicies = std.sort(lbObject.accessPolicies), - local sgs = [if accessPolicy in clusterAnnotationValues.securityGroups then clusterAnnotationValues.securityGroups[accessPolicy] for accessPolicy in sortedPolicies], - 'kubernetes.io/ingress.class': 'alb', - 'alb.ingress.kubernetes.io/target-type': 'ip', - 'alb.ingress.kubernetes.io/listen-ports': load_balancer_util.listener_ports(lbObject), - 'alb.ingress.kubernetes.io/certificate-arn': certificateArns, - 'alb.ingress.kubernetes.io/actions.ssl-redirect': '{"Type": "redirect", "RedirectConfig": { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}', - } - + ( - if load_balancer_util.target_group_attribute_list(lbObject) != null then { - 'alb.ingress.kubernetes.io/target-group-attributes': load_balancer_util.target_group_attribute_list(lbObject), - } else {} - ) - + (if subnetScheme == 'internetFacing' then { - 'alb.ingress.kubernetes.io/ip-address-type': 'dualstack', // exclusive - } else {}) - + (if groupName == null then {} else { - 'alb.ingress.kubernetes.io/group.name': '%s' % groupName, - 'alb.ingress.kubernetes.io/group.order': lbObject.groupOrder, - }) - + redirect_annotations(lbObject.endpoint), - alb: common.annotations + namespace_values.loadBalancer.annotations { - 'kubernetes.io/ingress.class': 'alb', - 'alb.ingress.kubernetes.io/target-type': 'ip', - [if enableGrpc then 'alb.ingress.kubernetes.io/backend-protocol-version']: 'GRPC', - [if !lbObject['tls-1-1'] then 'alb.ingress.kubernetes.io/ssl-policy']: 'ELBSecurityPolicy-TLS-1-2-2017-01', - 'alb.ingress.kubernetes.io/listen-ports': load_balancer_util.listener_ports(lbObject, exposePortToLb), - 'alb.ingress.kubernetes.io/certificate-arn': certificateArns, - 'alb.ingress.kubernetes.io/scheme': albScheme[subnetScheme], - 'alb.ingress.kubernetes.io/security-groups': (load_balancer_util.security_group_list(lbObject.accessPolicies, clusterAnnotationValues.securityGroups, lbObject.extraSecurityGroups)) - + (if (subnetScheme == 'internetFacing' || subnetScheme == 'internetFacingRestricted') then (',' + clusterAnnotationValues.securityGroups.http) else ''), - 'alb.ingress.kubernetes.io/load-balancer-attributes': load_balancer_util.load_balancer_attribute_list(lbObject, namespace_values.loadBalancer.annotations, deployment_manifest.name), - 'alb.ingress.kubernetes.io/tags': 'Environment=%(Environment)s,Owner=%(Owner)s,Name=%(Name)s,Team=%(Team)s,Namespace=%(Namespace)s,Ingress=%(ingressName)s,Product=%(Product)s' % (albTags { ingressName: ingressName }), - [if !exposePortToLb then 'alb.ingress.kubernetes.io/actions.ssl-redirect']: '{"Type": "redirect", "RedirectConfig": { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}', - } + redirect_annotations(lbObject.endpoint) - + ( - if load_balancer_util.target_group_attribute_list(lbObject) != null then { - 'alb.ingress.kubernetes.io/target-group-attributes': load_balancer_util.target_group_attribute_list(lbObject), - } else {} - ) - + (if subnetScheme in (clusterAnnotationValues.subnets) then { - 'alb.ingress.kubernetes.io/subnets': clusterAnnotationValues.subnets[subnetScheme], - } else {}) - + (if subnetScheme == 'internetFacing' then { - 'alb.ingress.kubernetes.io/ip-address-type': 'dualstack', - [if lbObject.webAcl != 'false' then 'alb.ingress.kubernetes.io/wafv2-acl-arn']: lbObject.webAcl, - } else {}) - + (if subnetScheme == 'internetFacingRestricted' then { - 'alb.ingress.kubernetes.io/ip-address-type': 'dualstack', - } else {}) - + (if subnetScheme == 'cdn' then { - 'alb.ingress.kubernetes.io/ip-address-type': 'dualstack', - 'external-dns.alpha.kubernetes.io/exclude': 'true', - } else {}) - + (if deployment_manifest.environment != vars.environments.prod then { - 'alb.ingress.kubernetes.io/group.name': std.join('-', [ingressName, namespace]), - 'alb.ingress.kubernetes.io/group.order': lbObject.groupOrder, - } else {}) - + (if lbObject.groupName != '' then { - 'alb.ingress.kubernetes.io/group.name': std.join('-', [ingressName, namespace]), - } else {}), -}[lbObject.type]; - - -//Filter alb & sharedAlbAcrossNamespace type of loadbalancer configurations -local filteredLbs = std.filter(function(lbObject) std.find(lbObject.type, ['alb', 'sharedAlbAcrossNamespace', 'nginxLb']) != [], loadBalancers); - -local ports = [ - { port: port_map.getPort('serviceport'), exposeToLoadBalancer: false, portFieldKey: 'number', enableGrpc: port_map.isGrpcEnabled('serviceport') }, - { port: port_map.getPort('secondary-service-port'), exposeToLoadBalancer: true, portFieldKey: 'number', enableGrpc: port_map.isGrpcEnabled('secondary-service-port') }, - { port: port_map.getPort(chart.full_service_name(deployment_manifest.name) + '-rest'), exposeToLoadBalancer: false, portFieldKey: 'name' }, -]; -local loadbalancerWithAllPorts = [ - lb + port - for lb in filteredLbs - for port in ports - if port.port != null -]; - -// this is to ensure only in case of new load balancers,( which will not have groupName as empty string ), exposed ingress is created -local isOldALB(lbObject) = lbObject.groupName == ''; - -local filteredLoadBalancerWithAllPorts = [ - lbObject - for lbObject in loadbalancerWithAllPorts - if !isOldALB(lbObject) || (isOldALB(lbObject) && !lbObject.exposeToLoadBalancer) -]; - -std.map( - //Generate ingress objects based on above filtered configurations - function(lbIndex) { - config:: { - lbObject: filteredLoadBalancerWithAllPorts[lbIndex], - subnetScheme: load_balancer_util.subnet_scheme($.config.lbObject.accessPolicies), - serviceName: if isflinkJob then (deployment_manifest.name + '-rest') else chart.full_service_name(deployment_manifest.name), - servicePort: $.config.lbObject.port, - exposePortToLoadBalancer: $.config.lbObject.exposeToLoadBalancer, - enableGrpc: $.config.lbObject.enableGrpc, - portFieldKey: $.config.lbObject.portFieldKey, - name: load_balancer_util.ingress_name(chart.full_service_name(deployment_manifest.name), $.config.lbObject, $.config.exposePortToLoadBalancer), - }, - assert std.length($.config.name) <= 253 : 'Ingress name must be less than 253 characters. name: %s' % $.config.name, - apiVersion: 'networking.k8s.io/v1', - kind: 'Ingress', - metadata: { - name: $.config.name, - labels: common.labels, - annotations: ingress_annotations($.config.lbObject, namespace_values.loadBalancer.annotations, $.config.exposePortToLoadBalancer, $.config.enableGrpc) + if isSandbox then sandbox.sandbox($.config).albIngress.annotations else {}, - namespace: namespace, - }, - spec: { - rules: [ - { - host: if $.config.lbObject.endpoint != null && $.config.lbObject.endpoint != '' then $.config.lbObject.endpoint else namespace_values.loadBalancer.fixedHostNames[deployment_manifest.name], - http: { - paths: (if $.config.exposePortToLoadBalancer then [] else load_balancer_util.http_redirect_config) - + load_balancer_util.weighted_path_config($.config.serviceName) - + (if isSandbox then sandbox.sandbox($.config).albIngress.host.paths else - (load_balancer_util.path_config($.config.serviceName, $.config.servicePort, $.config.portFieldKey))), - }, - }, - ] + [ - { - host: endpoint, - http: { - paths: if $.config.subnetScheme == 'internetFacing' || - $.config.subnetScheme == 'internetFacingRestricted' then - load_balancer_util.http_redirect_config - else - load_balancer_util.create_sandbox_or_standard_paths($.config, isSandbox, sandbox), - }, - } - for endpoint in $.config.lbObject.additionalEndpoints - ] + [load_balancer_util.redirect_config($.config.lbObject.redirects[i], 'redirect-%s' % i) for i in std.range(0, std.length($.config.lbObject.redirects) - 1)], - - }, - }, - - std.range(0, std.length(filteredLoadBalancerWithAllPorts) - 1) -) diff --git a/templates/kibana.jsonnet b/templates/kibana.jsonnet deleted file mode 100644 index 6fb3c7e6..00000000 --- a/templates/kibana.jsonnet +++ /dev/null @@ -1,60 +0,0 @@ -local chart = import 'chart.jsonnet'; -local common = import 'common.jsonnet'; -local deployment_manifest = import 'deployment_manifest.jsonnet'; -local deployment = deployment_manifest.deployment; - -if deployment_manifest.deployment.elasticSearch.kibana != null then { - apiVersion: 'kibana.k8s.elastic.co/v1', - kind: 'Kibana', - metadata: { - name: deployment.elasticSearch.instance.instanceName + '-kibana', - namespace: deployment_manifest.environment + '-datastores', - labels: deployment.elasticSearch.kibanaLabels, - annotations: common.annotations, - }, - spec: { - version: deployment.elasticSearch.kibanaVersion, - image: deployment.elasticSearch.kibanaImage, - config: { - 'xpack.monitoring.enabled': true, - 'xpack.monitoring.ui.enabled': true, - 'xpack.monitoring.kibana.collection.enabled': true, - 'server.publicBaseUrl': 'https://' + deployment.elasticSearch.kibana, - }, - http: { - tls: { - selfSignedCertificate: { - disabled: true, - }, - }, - }, - count: 2, - elasticsearchRef: { - name: deployment.elasticSearch.instance.instanceName + '-elasticsearch', - }, - podTemplate: { - metadata: { - labels: deployment.elasticSearch.kibanaLabels, - }, - spec: { - nodeSelector: deployment.elasticSearch.esNodeSelector, - tolerations: deployment.elasticSearch.esTolerations, - containers: [ - { - name: 'kibana', - resources: { - requests: { - memory: '1Gi', - cpu: 0.5, - }, - limits: { - memory: '4Gi', - cpu: 2, - }, - }, - }, - ], - }, - }, - }, -} diff --git a/templates/kibana_ingress_endpoint.jsonnet b/templates/kibana_ingress_endpoint.jsonnet deleted file mode 100644 index e0416cf4..00000000 --- a/templates/kibana_ingress_endpoint.jsonnet +++ /dev/null @@ -1,83 +0,0 @@ -local chart = import 'chart.jsonnet'; -local common = import 'common.jsonnet'; -local deployment_manifest = import 'deployment_manifest.jsonnet'; -local deployment = deployment_manifest.deployment; -local namespace_values = import 'namespace_values.jsonnet'; -local load_balancer_util = import 'load_balancer_util.jsonnet'; -local util = import 'util.jsonnet'; - -local albTags = common.awsTags; -local ingressName = deployment.elasticSearch.instance.instanceName + '-kibana'; -local groupName = '%s-datastores-services-alb' % deployment_manifest.environment; -local annotations = namespace_values.loadBalancer.annotations; -local securityGroups = std.join(',', [ - annotations.securityGroups.internal, - annotations.securityGroups.officeIp, -]); -local lbObject = { - idleTimeout: 60, - accessPolicies: ['internal'], - accessLog: true, -}; -local subnetScheme = load_balancer_util.subnet_scheme(lbObject.accessPolicies); - -if deployment_manifest.deployment.elasticSearch.kibana != null then { - apiVersion: 'networking.k8s.io/v1', - kind: 'Ingress', - metadata: { - name: deployment.elasticSearch.instance.instanceName + '-kibana', - namespace: deployment_manifest.environment + '-datastores', - annotations: common.annotations { - 'kubernetes.io/ingress.class': 'alb', - 'alb.ingress.kubernetes.io/target-type': 'ip', - 'alb.ingress.kubernetes.io/ssl-policy': 'ELBSecurityPolicy-TLS-1-2-2017-01', - 'alb.ingress.kubernetes.io/listen-ports': load_balancer_util.listener_ports(lbObject), - 'alb.ingress.kubernetes.io/certificate-arn': annotations.sslCert[util.get_certs(std.objectFieldsAll(annotations.sslCert), deployment_manifest.deployment.elasticSearch.kibana)], - 'alb.ingress.kubernetes.io/scheme': 'internal', - 'alb.ingress.kubernetes.io/security-groups': securityGroups, - 'alb.ingress.kubernetes.io/load-balancer-attributes': load_balancer_util.load_balancer_attribute_list(lbObject, namespace_values.loadBalancer.annotations, groupName), - 'alb.ingress.kubernetes.io/tags': 'Name=shared-alb-%(name)s,Ingress=shared-alb-%(name)s,Owner=shared,Team=Shared,Product=%(Product)s,Environment=%(Environment)s' % (albTags { name: groupName }), - 'alb.ingress.kubernetes.io/actions.ssl-redirect': '{"Type": "redirect", "RedirectConfig": { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}', - 'alb.ingress.kubernetes.io/group.name': '%s' % groupName, - } - + ( - if load_balancer_util.subnet_scheme(lbObject.accessPolicies) in (annotations.subnets) then { - 'alb.ingress.kubernetes.io/subnets': annotations.subnets[subnetScheme], - } else {} - ), - }, - spec: { - rules: [ - { - host: deployment_manifest.deployment.elasticSearch.kibana, - http: { - paths: [ - { - backend: { - service: { - name: 'ssl-redirect', - port: { - name: 'use-annotation', - }, - }, - }, - pathType: 'ImplementationSpecific', - path: '/*', - }, - { - pathType: 'ImplementationSpecific', - backend: { - service: { - name: deployment.elasticSearch.instance.instanceName + '-kibana' + '-kb-http', - port: { - number: 5601, - }, - }, - }, - }, - ], - }, - }, - ], - }, -} diff --git a/templates/load_balancer_util.jsonnet b/templates/load_balancer_util.jsonnet deleted file mode 100644 index e226e5c6..00000000 --- a/templates/load_balancer_util.jsonnet +++ /dev/null @@ -1,142 +0,0 @@ -local deployment_manifest = import 'deployment_manifest.jsonnet'; -local util = import 'util.jsonnet'; -local vars = import 'vars.jsonnet'; -local isSandbox = util.is_sandbox(deployment_manifest.environment); - -local alias(type) = if type == 'sharedalbacrossnamespace' then 'sharedalb' else type; - -{ - // Creates a comma separated list of security groups - security_group_list(accessPolicies, securityGroups, extraSecurityGroups):: - local accessPolicySecurityGroups = [if accessPolicy in securityGroups then securityGroups[accessPolicy] for accessPolicy in accessPolicies]; - local extraSGs = if std.objectHas(deployment_manifest.deployment, 'securityGroup') then std - .flattenArrays([if std.objectHas(sg, 'ids') then sg.ids for sg in deployment_manifest - .deployment.securityGroup]) else []; - std.join(',', accessPolicySecurityGroups + extraSGs), - - // Determines kind of subnet(internal or internetFacing or cdn) to use based on access policy. - subnet_scheme(accessPolicies):: - local scheme = std.setInter(std.set(accessPolicies), ['internal', 'internetFacing', 'internetFacingRestricted', 'cdn']); - assert std.length(scheme) == 1 : 'ValidationError: accessPolicies can only contain one out of internal, internetFacing, interetFacingRestricted & cdn'; - { internal: 'internal', internetFacing: 'internetFacing', internetFacingRestricted: 'internetFacingRestricted', cdn: 'cdn' }[scheme[0]], - - // Returns true if application is using aws application load balancer - is_using_lb(lbObjects, lbName):: - std.length(std.filter(function(lbObject) lbObject.type == lbName, lbObjects)) > 0, - - // Returns group name for sharedAlbAcrossNamespace if any - group_name(lbObject):: - if lbObject.groupName != null && lbObject.groupName != '' then - lbObject.groupName - else null, - - // Returns true if application is using aws target groups - is_using_tg(lbObjects):: - std.length(std.filter(function(lbObject) std.find(lbObject.type, ['alb', 'sharedAlbAcrossNamespace']) != [], lbObjects)) > 0, - - ingress_name(full_service_name, lbObject, expose=false):: - local name = if lbObject.name != null && lbObject.name != '' then - full_service_name + '-' + alias(std.asciiLower(lbObject.type)) + '-' + std.asciiLower(lbObject.name) - else - full_service_name + '-' + alias(std.asciiLower(lbObject.type)); - local finalName = if expose then name + '-exposed' else name; - finalName, - - alb_ingress_name(full_service_name):: - self.ingress_name(full_service_name, { type: 'alb', name: null }), - - load_balancer_attribute_list(lbObject, namespace_annotations, s3_key_prefix):: - local idleTimeout = 'idle_timeout.timeout_seconds=%s' % lbObject.idleTimeout; - local baseAttributes = if namespace_annotations.deletionProtection then idleTimeout + ',deletion_protection.enabled=true' else idleTimeout; - local accessLogAttributes = 'access_logs.s3.enabled=true,access_logs.s3.bucket=%s,access_logs.s3.prefix=%s' % [namespace_annotations.accessLogBucket, s3_key_prefix]; - std.join(',', [ - baseAttributes, - if lbObject.accessLog then accessLogAttributes, - ],), - - target_group_attribute_list(lbObject):: - local slowStartDurationAttribute = 'slow_start.duration_seconds=%s' % lbObject.slowStartDuration; - local sticknessAttribute = 'stickiness.enabled=true,stickiness.lb_cookie.duration_seconds=%s' % lbObject.stickinessCookieDuration; - local tg_annotation = [ - if lbObject.slowStartDuration > 0 then slowStartDurationAttribute, - if lbObject.stickiness then sticknessAttribute, - ]; - std.join(',', std.prune(tg_annotation)), - - //Determines listener-ports to be added to the load-balaner - listener_ports(lbObject, exposeToLoadBalancer=false):: - local subnetScheme = $.subnet_scheme(lbObject.accessPolicies); - if exposeToLoadBalancer then - if lbObject.type == 'alb' then '[{"HTTPS": %s}]' % lbObject.port - else error 'ValidationError: secondary port can only be used with alb. Please change the loadbalancer type' - else - '[{ "HTTPS": 443 },{"HTTP": 80}]', - - //Returns path to be added to alb to enable HTTP to HTTPS redirection - http_redirect_config:: [{ - path: '/*', - pathType: 'ImplementationSpecific', - backend: { - service: { - name: 'ssl-redirect', - port: { - name: 'use-annotation', - }, - }, - }, - }], - - redirect_config(host, actionNaem):: { - host: host.hostname, - http: { - paths: [{ - path: host.path, - pathType: 'ImplementationSpecific', - backend: { - service: { - name: actionNaem, - port: { - name: 'use-annotation', - }, - }, - }, - }], - }, - }, - - weighted_path_config(serviceName):: if 'flink' in deployment_manifest then [] - else (if (deployment_manifest.deployment.controller == vars.rolloutController && deployment_manifest.deployment.strategy != vars.defaultDeploymentStrategy && !isSandbox) then [{ - path: '/*', - pathType: 'ImplementationSpecific', - backend: { - service: { - name: serviceName, - port: { - name: 'use-annotation', - }, - }, - }, - }] else []), - - path_config(serviceName, servicePort, portFieldKey='number'):: - [ - { - pathType: 'ImplementationSpecific', - backend: { - service: { - name: serviceName, - port: { - [portFieldKey]: servicePort, - }, - }, - }, - }, - ], - - create_sandbox_or_standard_paths(config, isSandboxEnabled=false, sandbox={}):: ( - if isSandboxEnabled then - sandbox.sandbox(config).albIngress.host.paths - else - $.path_config(config.serviceName, config.servicePort) - ), -} diff --git a/templates/main.jsonnet b/templates/main.jsonnet deleted file mode 100644 index d13b745e..00000000 --- a/templates/main.jsonnet +++ /dev/null @@ -1,97 +0,0 @@ -local common_api_gateways = import 'common_api_gateway.jsonnet'; -local configmap = import 'configmap.jsonnet'; -local cron_hpa_autoscaler = import 'cron_hpa_autoscaler.jsonnet'; -local default_alerts = import 'default_alerts.jsonnet'; -local deployment = import 'deployment.jsonnet'; -local deployment_manifest = import 'deployment_manifest.jsonnet'; -local rollout = import 'rollout.jsonnet'; -local hpa = import 'hpa.jsonnet'; -local ingresses = import 'ingress.jsonnet'; -local kibana = import 'kibana.jsonnet'; -local kibana_ingress_endpoint = import 'kibana_ingress_endpoint.jsonnet'; -local pdb = import 'pdb.jsonnet'; -local perf_utility = import 'perf_utility.jsonnet'; -local rollout_analysis_template = import 'rollout_analysis_template.jsonnet'; -local sandbox = import 'sandbox/main.jsonnet'; -local secret = import 'secret.jsonnet'; -local security_group = import 'security_group.jsonnet'; -local service = import 'service.jsonnet'; -local service_monitor = import 'service_monitor.jsonnet'; -local sidecar = import 'sidecar.jsonnet'; -local cron_hpa_autoscaler = import 'cron_hpa_autoscaler.jsonnet'; -local elastic_search_secrets = import 'elasticsearch_secrets.jsonnet'; -local elastic_search = import 'elastic_search.jsonnet'; -local kibana = import 'kibana.jsonnet'; -local kibana_ingress_endpoint = import 'kibana_ingress_endpoint.jsonnet'; -local elasticsearch_sm_secrets = import 'elasticsearch_sm_secrets.jsonnet'; -local elasticsearch_servicemonitor = import 'elasticsearch_servicemonitor.jsonnet'; -local elasticsearch_alerts_default = import 'elasticsearch_alerts_default.jsonnet'; -local elasticsearch_snapshots = import 'elasticsearch_snapshots.jsonnet'; -local dynamic_configuration = import 'dynamic_configuration.jsonnet'; -local perf_utility = import 'perf_utility.jsonnet'; -local vpa = import 'vpa.jsonnet'; -local efs_pvc = import 'efs_persistent_volume_claim.jsonnet'; -local common_api_gateways = import 'common_api_gateway.jsonnet'; -local sandbox = import 'sandbox/main.jsonnet'; -local util = import 'util.jsonnet'; -local isSandbox = util.is_sandbox(deployment_manifest.environment); -local flink_deployment = import 'flink_deployment.jsonnet'; -local flink_session_job = import 'flink_session_job.jsonnet'; -local flink_service_account = import 'flink_service_account.jsonnet'; -local flink_role_binding = import 'flink_role_binding.jsonnet'; -local flink_default_alerts = import 'flink_default_alerts.jsonnet'; -local isflinkJob = std.objectHas(deployment_manifest, 'flink'); - -if isflinkJob then - ({ - '0_secret.json': secret, - '0_0_flink_deployment.json': flink_deployment, - '0_1_flink_session_job.json': flink_session_job, - '0_2_flink_service_account.json': flink_service_account, - '0_3_flink_role_binding.json': flink_role_binding, - '0_4_flink_default_alerts.json': flink_default_alerts, - } + { ['5_%s_ingress.json' % index]: ingresses[index] for index in std.range(0, std.length(ingresses) - 1) }) -else ({ - '0_secret.json': secret, - '1_configmap.json': configmap, - '2_sidecar.json': sidecar, - '3_service.json': service, - '4_deployment.json': deployment, - '4_rollout.json': rollout, - '4_0_rollout_analysis_template.json': rollout_analysis_template, - '6_pdb.json': pdb, - '7_service_monitor.json': service_monitor, - '8_default_alerts.json': default_alerts, - '9_hpa.json': hpa, - '11_cron_hpa_autoscaler.json': cron_hpa_autoscaler, - '12_elastic_search_secrets.json': elastic_search_secrets, - '13_elastic_search.json': elastic_search, - '14_kibana.json': kibana, - '15_kibana_ingress_endpoint.json': kibana_ingress_endpoint, - '16_elasticsearch_sm_secrets.json': elasticsearch_sm_secrets, - '17_elasticsearch_servicemonitor.json': elasticsearch_servicemonitor, - '18_elasticsearch_alerts_default.json': elasticsearch_alerts_default, - '19_elasticsearch_snapshots.json': elasticsearch_snapshots, - '20_dynamic_configuration.json': dynamic_configuration, - '21_perf_utility.json': perf_utility, - '22_vpa.json': vpa, - '23_efs_pvc.json': efs_pvc, - }) - + - (if isSandbox then { - '0_0_namespace.json': sandbox.sandbox().namespace, - '0_1_iam_role.json': sandbox.sandbox().iamRole, - '30_role_binding.json': sandbox.sandbox().roleBinding, - '31_access_role_binding.json': sandbox.sandbox().accessRoleBinding, - '32_access_role.json': sandbox.sandbox().accessRole, - } else {}) - + - (if ingresses != null then - { ['5_%s_ingress.json' % index]: ingresses[index] for index in std.range(0, std.length(ingresses) - 1) } - + - if security_group != null then - { ['10_%s_security_group.json' % index]: security_group[index] for index in std.range(0, std.length - (security_group) - 1) } else {}) - + - (if common_api_gateways != null then - { ['23_%s_common_api_gateways.json' % index]: common_api_gateways[0].items[index] for index in std.range(0, std.length(common_api_gateways[0].items) - 1) }) diff --git a/templates/manifest_util.jsonnet b/templates/manifest_util.jsonnet deleted file mode 100644 index d1b886dd..00000000 --- a/templates/manifest_util.jsonnet +++ /dev/null @@ -1,17 +0,0 @@ -{ - is_alert_defined(deployment, alertName):: - if ('alerts' in deployment && alertName in deployment.alerts) then true else false, - - is_database_present(deploymentManifest):: - if ('extraResources' in deploymentManifest && deploymentManifest.extraResources != null) then - if ('database' in deploymentManifest.extraResources) then - local database = deploymentManifest.extraResources.database; - 'instanceName' in database && database.instanceName != '' - else false - else false, - is_dynamic_config_present(deploymentManifest):: - if ('dynamicConfiguration' in deploymentManifest && deploymentManifest.dynamicConfiguration != null && deploymentManifest.dynamicConfiguration != []) then true else false, - - is_custom_slack_channel_enabled(alert):: - if ('slackChannel' in alert && alert.slackChannel != null && alert.slackChannel != '') then true else false, -} diff --git a/templates/namespace_values.jsonnet b/templates/namespace_values.jsonnet deleted file mode 100644 index dca39ab1..00000000 --- a/templates/namespace_values.jsonnet +++ /dev/null @@ -1,19 +0,0 @@ -local cluster_values = import 'cluster_values.jsonnet'; -local deployment_manifest = import 'deployment_manifest.jsonnet'; - -assert deployment_manifest.cluster in cluster_values : - 'ValidationError: Unrecognized cluster - %s' % deployment_manifest.cluster; - -local cluster_config = cluster_values[deployment_manifest.cluster]; -local manifest_namespace = if 'flink' in deployment_manifest then deployment_manifest.flink.namespace else deployment_manifest.deployment.namespace; - - -// Use default namespace values for a cluster if specific namespace values not present -local namespace_values = - if manifest_namespace in cluster_config - then - cluster_config[manifest_namespace] - else - cluster_config.default; - -namespace_values diff --git a/templates/pdb.jsonnet b/templates/pdb.jsonnet deleted file mode 100644 index efb1d588..00000000 --- a/templates/pdb.jsonnet +++ /dev/null @@ -1,20 +0,0 @@ -local chart = import 'chart.jsonnet'; -local common = import 'common.jsonnet'; -local deployment_manifest = import 'deployment_manifest.jsonnet'; - -if deployment_manifest.deployment.instance.count > 1 then { - apiVersion: 'policy/v1beta1', - kind: 'PodDisruptionBudget', - metadata: { - name: chart.full_service_name(deployment_manifest.deployment.name) + '-pdb', - labels: common.labels, - namespace: deployment_manifest.deployment.namespace, - annotations: common.annotations, - }, - spec: { - maxUnavailable: '15%', - selector: { - matchLabels: common.matchLabels, - }, - }, -} diff --git a/templates/perf_utility.jsonnet b/templates/perf_utility.jsonnet deleted file mode 100644 index e17421cf..00000000 --- a/templates/perf_utility.jsonnet +++ /dev/null @@ -1,289 +0,0 @@ -local chart = import 'chart.jsonnet'; -local cluster_values = import 'cluster_values.jsonnet'; -local common = import 'common.jsonnet'; -local deployment_manifest = import 'deployment_manifest.jsonnet'; -local deployment = deployment_manifest.deployment; -local namespace_values = import 'namespace_values.jsonnet'; -local util = import 'util.jsonnet'; -local load_balancer_util = import 'load_balancer_util.jsonnet'; - -local albTags = common.awsTags; -local ingressName = deployment.name + '-mock-server'; -local postgresServiceName = deployment.name + '-postgres-server'; -local mockEndpointName = deployment.name + '-perf-mock'; -local postgresEndpointName = deployment.name + '-perf-postgres'; -local domainEndpoint = cluster_values.perfDomainEndpoint[deployment_manifest.infraVertical]; -local lbObject = { - idleTimeout: 60, - accessPolicies: ['internal'], - accessLog: true, -}; -local subnetScheme = load_balancer_util.subnet_scheme(lbObject.accessPolicies); -local annotations = namespace_values.loadBalancer.annotations; -local groupName = 'perf-internal'; -local securityGroups = std.join(',', [ - annotations.securityGroups.internal, - annotations.securityGroups.officeIp, -]); - -if deployment_manifest.environment == 'perf' && (deployment_manifest.deployment.perfUtility.mockServerEnabled || deployment_manifest.deployment.perfUtility.postgresServerEnabled) == true then { - apiVersion: 'v1', - kind: 'List', - items: - (if deployment_manifest.deployment.perfUtility.mockServerEnabled then [ - { - apiVersion: 'apps/v1', - kind: 'Deployment', - metadata: { - name: deployment.name + '-mock-server', - labels: common.perfMockServerLabels, - namespace: deployment_manifest.deployment.namespace, - annotations: common.annotations, - }, - spec: { - progressDeadlineSeconds: 1500, - selector: { - matchLabels: { - app: chart.service_name, - release: deployment.name + '-mock-server', - }, - }, - template: { - metadata: { - labels: common.perfMockServerLabels, - }, - spec: { - containers: [{ - name: 'mock-server', - image: deployment_manifest.deployment.perfUtility.mockServerImage, - imagePullPolicy: 'IfNotPresent', - resources: { - requests: { - memory: '2Gi', - cpu: '1', - }, - limits: { - memory: '2Gi', - cpu: '1', - }, - }, - }], - }, - }, - }, - }, - { - apiVersion: 'v1', - kind: 'Service', - metadata: { - name: deployment.name + '-mock-server', - labels: common.perfMockServerLabels, - namespace: deployment_manifest.deployment.namespace, - }, - spec: { - selector: { - app: chart.service_name, - release: deployment.name + '-mock-server', - }, - type: 'ClusterIP', - ports: [ - { - name: 'service-port', - port: 1080, - protocol: 'TCP', - targetPort: 1080, - }, - ], - }, - }, - { - apiVersion: 'networking.k8s.io/v1', - kind: 'Ingress', - metadata: { - name: deployment.name + '-mock-server', - annotations: { - 'kubernetes.io/ingress.class': 'alb', - 'alb.ingress.kubernetes.io/target-type': 'ip', - 'alb.ingress.kubernetes.io/ssl-policy': 'ELBSecurityPolicy-TLS-1-2-2017-01', - 'alb.ingress.kubernetes.io/listen-ports': load_balancer_util.listener_ports(lbObject), - 'alb.ingress.kubernetes.io/certificate-arn': annotations.sslCert[util.get_certs(std.objectFieldsAll(annotations.sslCert), mockEndpointName + domainEndpoint)], - 'alb.ingress.kubernetes.io/scheme': 'internal', - 'alb.ingress.kubernetes.io/security-groups': securityGroups, - 'alb.ingress.kubernetes.io/load-balancer-attributes': load_balancer_util.load_balancer_attribute_list(lbObject, namespace_values.loadBalancer.annotations, groupName), - 'alb.ingress.kubernetes.io/tags': 'Name=shared-alb-%(name)s,Ingress=shared-alb-%(name)s,Owner=shared,Team=Shared,Product=%(Product)s,Environment=%(Environment)s' % (albTags { name: groupName }), - 'alb.ingress.kubernetes.io/actions.ssl-redirect': '{"Type": "redirect", "RedirectConfig": { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}', - 'alb.ingress.kubernetes.io/group.name': '%s' % groupName, - } - + ( - if load_balancer_util.subnet_scheme(lbObject.accessPolicies) in (annotations.subnets) then { - 'alb.ingress.kubernetes.io/subnets': annotations.subnets[subnetScheme], - } else {} - ), - namespace: deployment_manifest.deployment.namespace, - }, - spec: { - rules: [ - { - host: mockEndpointName + domainEndpoint, - http: { - paths: [ - { - pathType: 'ImplementationSpecific', - backend: { - service: { - name: 'ssl-redirect', - port: { - name: 'use-annotation', - }, - }, - }, - path: '/*', - }, - { - pathType: 'ImplementationSpecific', - backend: { - service: { - name: deployment.name + '-mock-server', - port: { - number: 1080, - }, - }, - }, - }, - ], - }, - }, - ], - }, - }, - ] else []) + - (if deployment_manifest.deployment.perfUtility.postgresServerEnabled then [ - { - apiVersion: 'v1', - kind: 'Secret', - metadata: { - name: deployment.name + '-postgres-secret', - labels: common.perfPostgresServerLabels, - namespace: deployment_manifest.deployment.namespace, - }, - type: 'Opaque', - data: { password: 'cG9zdGdyZXNwZXJmcGFzc3dvcmQK' }, - }, - { - apiVersion: 'v1', - kind: 'PersistentVolumeClaim', - metadata: { - name: deployment.name + '-postgres-storage', - labels: common.perfPostgresServerLabels, - namespace: deployment_manifest.deployment.namespace, - }, - spec: { - accessModes: ['ReadWriteOnce'], - resources: { - requests: { - storage: deployment_manifest.deployment.perfUtility.postgresDbConfig.storage, - }, - }, - storageClassName: 'gp2', - }, - }, - { - apiVersion: 'apps/v1', - kind: 'Deployment', - metadata: { - name: deployment.name + '-postgres-server', - labels: common.perfPostgresServerLabels, - namespace: deployment_manifest.deployment.namespace, - }, - spec: { - progressDeadlineSeconds: 1500, - selector: { - matchLabels: { - app: chart.service_name, - release: deployment.name + '-postgres-server', - }, - }, - template: { - metadata: { - labels: common.perfPostgresServerLabels, - }, - spec: { - containers: [{ - name: 'postgres', - image: deployment_manifest.deployment.perfUtility.postgresServerImage, - imagePullPolicy: 'IfNotPresent', - env: [ - { - name: 'POSTGRES_PASSWORD', - valueFrom: { - secretKeyRef: { - name: deployment.name + '-postgres-secret', - key: 'password', - }, - }, - }, - { - name: 'PGDATA', - value: '/var/lib/postgresql/data/pgdata', - }, - ], - resources: { - requests: { - memory: deployment_manifest.deployment.perfUtility.postgresDbConfig.memory, - cpu: deployment_manifest.deployment.perfUtility.postgresDbConfig.cpu, - }, - limits: { - memory: deployment_manifest.deployment.perfUtility.postgresDbConfig.memory, - cpu: deployment_manifest.deployment.perfUtility.postgresDbConfig.cpu, - }, - }, - volumeMounts: [ - { - name: deployment.name + '-postgres-storage', - mountPath: '/var/lib/postgresql/data', - }, - ], - }], - volumes: [ - { - name: deployment.name + '-postgres-storage', - persistentVolumeClaim: { - claimName: deployment.name + '-postgres-storage', - }, - }, - ], - }, - }, - }, - }, - { - apiVersion: 'v1', - kind: 'Service', - metadata: { - name: deployment.name + '-postgres-server', - labels: common.perfPostgresServerLabels, - annotations: { - 'external-dns.alpha.kubernetes.io/hostname': postgresEndpointName + domainEndpoint, - 'service.beta.kubernetes.io/aws-load-balancer-internal': '0.0.0.0/0', - 'service.beta.kubernetes.io/aws-load-balancer-additional-resource-tags': 'Environment=%(Environment)s,Owner=%(Owner)s,Name=%(Name)s,Team=%(Team)s,Product=%(Product)s' % (albTags { ingressName: postgresServiceName }), - }, - namespace: deployment_manifest.deployment.namespace, - }, - spec: { - selector: { - app: chart.service_name, - release: deployment.name + '-postgres-server', - }, - type: 'LoadBalancer', - ports: [ - { - name: 'service-port', - port: 5432, - protocol: 'TCP', - targetPort: 5432, - }, - ], - }, - }, - ] else []), -} diff --git a/templates/pod_template.jsonnet b/templates/pod_template.jsonnet deleted file mode 100644 index 5b4da4bb..00000000 --- a/templates/pod_template.jsonnet +++ /dev/null @@ -1,363 +0,0 @@ -local chart = import 'chart.jsonnet'; -local common = import 'common.jsonnet'; -local deployment_manifest = import 'deployment_manifest.jsonnet'; -local deployment_util = import 'deployment_util.jsonnet'; -local health_check_values = import 'health_check_values.jsonnet'; -local port_map = import 'port_map.jsonnet'; -local util = import 'util.jsonnet'; -local vars = import 'vars.jsonnet'; -local environments = vars.environments; -local deployment = deployment_manifest.deployment; -local environment = deployment_manifest.environment; -local readinessCheck = deployment.healthChecks.readinessCheck; -local livenessCheck = deployment.healthChecks.livenessCheck; -local startupProbe = deployment.healthChecks.startupProbe; -local exposedPorts = deployment_manifest.deployment.exposedPorts; -local manifest_util = import 'manifest_util.jsonnet'; -local namespace_values = import 'namespace_values.jsonnet'; -local vars = import 'vars.jsonnet'; -local image = util.get_image(deployment.image, environment); -assert image != 'null' : '[IMAGE or deployment.image] cannot be null'; - -local isSandbox = util.is_sandbox(environment); -local sandbox = import 'sandbox/main.jsonnet'; -local sandboxConfig = sandbox.sandbox(); - -// Conditions to check if heap-dump sidecar has to be enabled or not -local isEfsNeeded = deployment_util.isEfsNeeded(deployment); -local isFsxNeeded = deployment_util.isFsxNeeded(deployment); -local mandatoryHeapDumpString = '-XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/dumps'; -local errorLogFileString = '-XX:ErrorFile=/dumps/hs_err_pid%p.log'; -local envKeys = [e.name for e in deployment_manifest.environmentVariables]; -local jvmOptionsExists = std.length(std.find('JVM_OPTS', envKeys)); -local isSwApmEnabled = deployment_manifest.isSwApmEnabled; -local jvmParameter = [e for e in deployment_manifest.environmentVariables if std.toString(e.name) == 'JVM_OPTS'][0]; -local heapDumpEnabled = if !isSandbox && (jvmOptionsExists > 0 && (std.length(std.findSubstr(mandatoryHeapDumpString, std.toString(jvmParameter.value))) > 0 - || std.length(std.findSubstr(errorLogFileString, std.toString(jvmParameter.value))) > 0)) then true else false; - -//# Sandbox - -// GPU -local isGPUEnabled = if deployment.instance.gpu == 0 then false else true; - -// Required to form S3 bucket name for heap-dumps -local bucketEnvironment = if deployment_manifest.environment == environments.prod then environments.prod else 'nonprod'; -local bucketName = 'java-heap-dumps-' + deployment_manifest.infraVertical + '-' + bucketEnvironment; -local hasEnvironmentFile = if 'environmentFile' in deployment then true else false; - -local needsAWSAccess = if util.is_field_present(deployment_manifest.extraResources, 'aws_access') - && util.is_field_present(deployment_manifest.extraResources.aws_access, 'policies') - && std.length(deployment_manifest.extraResources.aws_access.policies) > 0 then true else false; - -local roleName = (if ('roleName' in deployment_manifest.extraResources.aws_access && deployment_manifest.extraResources.aws_access.roleName != '') then deployment_manifest.extraResources.aws_access.roleName else chart.full_service_name(deployment.name)) + '-' + deployment_manifest.environment; - -local istioInboundPortsAnnotation = if deployment.disableIstio then - { 'sidecar.istio.io/inject': 'false' } -else - { - 'traffic.sidecar.istio.io/excludeInboundPorts': std.join(',', std.map(function(exposedPort) std.toString(exposedPort.port), exposedPorts)), - 'traffic.sidecar.istio.io/includeInboundPorts': '*', - }; - -local injectSwAgent(isSwApmEnabled) = ( - if isSwApmEnabled then [ - { - name: 'agent-container', - image: '193044292705.dkr.ecr.ap-south-1.amazonaws.com/common/skywalking-java-agent:8.7.0-alpine', - volumeMounts: [ - { - name: 'skywalking-agent', - mountPath: '/agent', - }, - ], - command: [ - '/bin/sh', - ], - args: [ - '-c', - 'cp -R /skywalking/agent /agent/ && cp /skywalking/agent/optional-plugins/apm-kotlin-coroutine-plugin-8.7.0.jar /agent/agent/plugins', - ], - securityContext: { - runAsUser: 4000, - }, - }, - ] - else null -); - -local topologicalSpreadConstraints = [ - { - maxSkew: 1, - topologyKey: 'topology.kubernetes.io/zone', - whenUnsatisfiable: 'DoNotSchedule', - labelSelector: { - matchLabels: common.matchLabels, - }, - }, -]; - -{ - metadata: { - labels: common.labels, - annotations: common.annotations + istioInboundPortsAnnotation, - }, - spec: { - [if isSandbox then 'securityContext']: sandboxConfig.securityContext, - initContainers: injectSwAgent(isSwApmEnabled), - [if deployment_manifest.environment == environments.prod then 'topologySpreadConstraints' else null]: topologicalSpreadConstraints, - [if isGPUEnabled then 'nodeSelector']: deployment.instance.gpuNodeSelector, - [if isGPUEnabled then 'tolerations']: deployment.instance.gpuTolerations, - containers: - (if heapDumpEnabled then [{ - name: 'push-heap-dump', - image: '193044292705.dkr.ecr.ap-south-1.amazonaws.com/common/java-heap-dump-manager:v7d6dad2b5a2431412b8183c9707f93b5dcb05287', - resources: { - limits: { - memory: '128Mi', - cpu: '100m', - }, - requests: { - memory: '128Mi', - cpu: '100m', - }, - }, - env: [ - { - name: 'AWS_DEFAULT_REGION', - value: 'ap-south-1', - }, - { - name: 'AWS_SHARED_CREDENTIALS_FILE', - value: '/meta/aws-iam/credentials.process', - }, - { - name: 'AWS_CREDENTIAL_PROFILES_FILE', - value: '/meta/aws-iam/credentials', - }, - { - name: 'SERVICE_NAME', - value: chart.full_service_name(deployment.name), - }, - { - name: 'S3_BUCKET', - value: if 'heapDumpBucket' in namespace_values then namespace_values.heapDumpBucket else bucketName, - }, - { - name: 'ENVIRONMENT', - value: deployment_manifest.environment, - }, - ], - volumeMounts: [ - { - name: 'aws-iam-credentials-heap-dump', - mountPath: '/meta/aws-iam', - readOnly: true, - }, - { - name: 'heap-dumps', - mountPath: '/dumps', - }, - ], - }] else []) + - [ - { - env: [ - { - name: e.name, - valueFrom: { - secretKeyRef: { - name: chart.full_service_name(deployment.name) + '-secret', - key: e.name, - }, - }, - } - for e in deployment_manifest.environmentVariables - ] + (if needsAWSAccess && namespace_values.zalandoEnabled then [ - { - name: 'AWS_SHARED_CREDENTIALS_FILE', - value: '/meta/aws-iam/credentials.process', - }, - { - name: 'AWS_CREDENTIAL_PROFILES_FILE', - value: '/meta/aws-iam/credentials', - }, - ] else []) - // Adding md5 to make sure deployment is retrigerred if just values are changed - + [{ name: 'secretMd5', value: std.md5(std.toString(deployment_manifest.environmentVariables)) }] - + (if 'environmentFile' in deployment then - [{ name: 'environmentFileMd5', value: std.md5(std.toString(deployment.environmentFile)) }] - else []) - + ( - if isSwApmEnabled then - [ - { - name: 'JAVA_TOOL_OPTIONS', - value: '-javaagent:/skywalking/agent/skywalking-agent.jar', - }, - { - name: 'SW_AGENT_COLLECTOR_BACKEND_SERVICES', - value: vars.swBackend + ':' + vars.swPort, - }, - { - name: 'SW_AGENT_NAMESPACE', - value: deployment_manifest.deployment.namespace, - }, - { - name: 'SW_AGENT_NAME', - value: deployment.name, - }, - { - name: 'SW_LOGGING_OUTPUT', - value: 'CONSOLE', - }, - { - name: 'ELASTIC_APM_ENABLED', - value: 'false', - }, - { - name: 'ELASTIC_APM_ACTIVE', - value: 'false', - }, - ] else [] - ), - image: image, //Directly passed to jssonnet via --ext-str command - imagePullPolicy: deployment.imagePullPolicy, - lifecycle: { - preStop: { - exec: { - command: ['sleep', if deployment_manifest.environment == 'prod' then std.toString - (0.8 * $.spec.terminationGracePeriodSeconds) else std.toString(0.5 * $.spec.terminationGracePeriodSeconds)], - }, - }, - }, - resources: { - limits: { - memory: if deployment.isVpaEnabled then deployment.instance.minMemory else deployment.instance.memory, - cpu: ( - if deployment.isVpaEnabled then - (if environment == environments.prod then deployment.instance.minCPU * 1.75 else deployment.instance.minCPU * 1.5) - else deployment.instance.cpu - ), - } + (if isGPUEnabled then { 'nvidia.com/gpu': deployment.instance.gpu } else {}), - requests: { - memory: if deployment.isVpaEnabled then deployment.instance.minMemory else deployment.instance.memory, - cpu: if deployment.isVpaEnabled then deployment.instance.minCPU else deployment.instance.cpu, - } + (if isGPUEnabled then { 'nvidia.com/gpu': deployment.instance.gpu } else {}), - }, - name: chart.full_service_name(deployment.name), - ports: port_map.getContainerPorts, - volumeMounts: - (if (isFsxNeeded) then - std.map(function(fsx) { - name: fsx.name, - mountPath: fsx.mountPath, - }, deployment.fsx) - else []) + - (if (isEfsNeeded) then - std.map(function(efs) { - name: efs.name, - mountPath: efs.mountPath, - }, deployment.efs) - else []) + - (if needsAWSAccess && namespace_values.zalandoEnabled then - [{ - name: 'aws-iam-credentials', - mountPath: '/meta/aws-iam', - readOnly: true, - }] else []) + - (if hasEnvironmentFile then - [{ - mountPath: util.parent_dir(deployment.environmentFile.path), - name: 'environment-file-volume', - }] else []) + - (if manifest_util.is_dynamic_config_present(deployment_manifest) then - [{ - mountPath: '/var/navi-app/dynamic_configuration', - name: 'dynamic-config-volume', - }] else []) + - (if heapDumpEnabled then - [{ - mountPath: '/dumps', - name: 'heap-dumps', - }] else []) + - (if isSwApmEnabled then - [{ - name: 'skywalking-agent', - mountPath: '/skywalking', - }] else []) + - [{ - mountPath: secret.path, - name: secret.name, - } for secret in deployment.mountSecrets], - [if util.is_readiness_probe_enabled(deployment.image, environment) then 'readinessProbe']: health_check_values.generator(readinessCheck)[readinessCheck.type], - [if util.is_liveness_probe_enabled(deployment.image, environment) then 'livenessProbe']: health_check_values.generator(livenessCheck)[livenessCheck.type], - [if util.is_startup_probe_enabled(deployment.healthChecks.startupProbeEnabled, deployment.image, environment) then 'startupProbe']: health_check_values.generator(startupProbe)[startupProbe.type], - }, - ], - terminationGracePeriodSeconds: deployment.terminationGracePeriodSeconds, - dnsConfig: { - options: [ - { - name: 'ndots', - value: '2', - }, - ], - }, - volumes: - (if (isFsxNeeded) then - std.map(function(fsx) { - name: fsx.name, - persistentVolumeClaim: { - claimName: fsx.name, - }, - }, deployment.fsx) - else []) + - (if (isEfsNeeded) then - std.map(function(efs) { - name: efs.name, - persistentVolumeClaim: { - claimName: chart.full_service_name(deployment.name) + '-' + efs.name, - }, - }, deployment.efs) - else []) + - (if hasEnvironmentFile then - [{ - configMap: { - name: chart.full_service_name(deployment.name) + '-cm', - }, - name: 'environment-file-volume', - }] else []) + - (if manifest_util.is_dynamic_config_present(deployment_manifest) then - [{ - name: 'dynamic-config-volume', - secret: { - secretName: chart.full_service_name(deployment_manifest.deployment.name) + '-dynamic-secret', - }, - }] else []) + - (if needsAWSAccess && namespace_values.zalandoEnabled then - [{ - name: 'aws-iam-credentials', - secret: { - secretName: roleName, - }, - }] else []) + - (if heapDumpEnabled then - [{ - name: 'heap-dumps', - emptyDir: {}, - }] else []) + - (if heapDumpEnabled then - [{ - name: 'aws-iam-credentials-heap-dump', - secret: { - secretName: 'java-heap-dump-bucket-role', - }, - }] else []) + - (if isSwApmEnabled then - [{ - name: 'skywalking-agent', - emptyDir: {}, - }] else []) + - [{ name: secret.name, secret: { secretName: secret.name } } for secret in deployment.mountSecrets], - } + (if (needsAWSAccess && !namespace_values.zalandoEnabled) then { serviceAccountName: roleName } else {}), -} diff --git a/templates/port_map.jsonnet b/templates/port_map.jsonnet deleted file mode 100644 index a502209e..00000000 --- a/templates/port_map.jsonnet +++ /dev/null @@ -1,50 +0,0 @@ -local chart = import 'chart.jsonnet'; -local deployment_manifest = import 'deployment_manifest.jsonnet'; -local exposedPorts = if std.objectHas(deployment_manifest, 'flink') then - [{ name: chart.full_service_name(deployment_manifest.name) + '-rest', port: 'rest' }] -else - deployment_manifest.deployment.exposedPorts; - -{ - hasPort(ports, portName):: if portName in self.parsePorts(ports) then true else false, - parsePorts(ports):: { - [port.name]: port.port - for port in ports - }, - getServicePorts:: [ - { - name: port.name, - port: port.port, - protocol: 'TCP', - targetPort: port.port, - } - for port in exposedPorts - ], - getPortsforClusterIPService:: [ - { - name: port.name, - port: port.port, - protocol: 'TCP', - nodePort: null, - targetPort: port.port, - } - for port in exposedPorts - ], - getContainerPorts:: [ - { - containerPort: port.port, - protocol: 'TCP', - } - for port in exposedPorts - ], - getPort(portName):: if portName in self.parsePorts(exposedPorts) then self.parsePorts(exposedPorts)[portName] else null, - isGrpcEnabled(name):: ( - local result = std.filter(function(obj) obj.name == name, exposedPorts); - if std.length(result) == 0 then - false - else if 'enableGrpc' in result[0] then - result[0].enableGrpc - else - false - ), -} diff --git a/templates/rollout.jsonnet b/templates/rollout.jsonnet deleted file mode 100644 index 47ff281f..00000000 --- a/templates/rollout.jsonnet +++ /dev/null @@ -1,31 +0,0 @@ -local chart = import 'chart.jsonnet'; -local common = import 'common.jsonnet'; -local deployment_manifest = import 'deployment_manifest.jsonnet'; -local deployment_util = import 'deployment_util.jsonnet'; -local pod_template = import 'pod_template.jsonnet'; -local deployment = deployment_manifest.deployment; -local vars = import 'vars.jsonnet'; -local strategyConfig = deployment.strategy.config; - -if (deployment.controller == vars.rolloutController) then { - apiVersion: 'argoproj.io/v1alpha1', - kind: 'Rollout', - metadata: { - name: chart.full_service_name(deployment.name), - labels: common.labels { - linkConfig: std.toString(deployment_manifest.deployment.isLinkConfig), - }, - namespace: deployment_manifest.deployment.namespace, - annotations: common.annotations, - }, - spec: { - progressDeadlineSeconds: deployment.progressDeadlineSeconds, - selector: { - matchLabels: common.matchLabels, - }, - template: pod_template, - strategy: if deployment.strategy == 'canary' then deployment_util.strategy.canary(if 'canaryConfig' in deployment.strategyConfig then deployment.strategyConfig.canaryConfig else {}) - else if deployment.strategy == 'rollingUpdateWithCanaryMixIn' then deployment_util.strategy.rollingUpdateWithCanaryMixIn(deployment.strategyConfig.rollingUpdateWithCanaryMixInConfig) - else deployment_util.strategy.rollingUpdate(), - }, -} diff --git a/templates/rollout_analysis_template.jsonnet b/templates/rollout_analysis_template.jsonnet deleted file mode 100644 index 8519c12c..00000000 --- a/templates/rollout_analysis_template.jsonnet +++ /dev/null @@ -1,33 +0,0 @@ -local chart = import 'chart.jsonnet'; -local common = import 'common.jsonnet'; -local deployment_manifest = import 'deployment_manifest.jsonnet'; -local deployment = deployment_manifest.deployment; -local vars = import 'vars.jsonnet'; -local templateEnabled = if 'analysisTemplate' in deployment.strategyConfig then true else false; - -if (deployment.controller == vars.rolloutController && templateEnabled) then { - apiVersion: 'argoproj.io/v1alpha1', - kind: 'AnalysisTemplate', - metadata: { - name: chart.full_service_name(deployment.name), - labels: common.labels, - namespace: deployment_manifest.deployment.namespace, - annotations: common.annotations, - }, - spec: { - metrics: [ - { - name: 'degrade-rollout', - interval: deployment.strategyConfig.analysisTemplate.interval, - successCondition: 'result' + deployment.strategyConfig.analysisTemplate.operator + deployment.strategyConfig.analysisTemplate.threshold, - failureLimit: deployment.strategyConfig.analysisTemplate.failureLimit, - provider: { - prometheus: { - address: 'http://prometheus-kube-prometheus.monitoring.svc.cluster.local:9090', - query: deployment.strategyConfig.analysisTemplate.query, - }, - }, - }, - ], - }, -} diff --git a/templates/sandbox/access_role.jsonnet b/templates/sandbox/access_role.jsonnet deleted file mode 100644 index ad929e2f..00000000 --- a/templates/sandbox/access_role.jsonnet +++ /dev/null @@ -1,80 +0,0 @@ -local common = import '../common.jsonnet'; -local deployment_manifest = import '../deployment_manifest.jsonnet'; -local namespace = deployment_manifest.deployment.namespace; - -{ - apiVersion: 'rbac.authorization.k8s.io/v1', - kind: 'Role', - metadata: { - name: namespace + '-full-access', - namespace: namespace, - labels: common.labels - }, - rules: [ - { - apiGroups: [""], - resources: [ - "configmaps", - "endpoints", - "persistentvolumeclaims", - "pods", - "replicationcontrollers", - "replicationcontrollers/scale", - "serviceaccounts", - "services", - "events", - "limitranges", - "pods/log", - "pods/status", - "replicationcontrollers/status", - "resourcequotas", - "resourcequotas/status", - ], - verbs: ["get", "list", "watch"], - }, - { - apiGroups: ["apps"], - resources: [ - "controllerrevisions", - "daemonsets", - "deployments", - "deployments/scale", - "replicasets", - "replicasets/scale", - "statefulsets", - "statefulsets/scale", - ], - verbs: ["get", "list", "watch"], - }, - { - apiGroups: ["autoscaling"], - resources: ["horizontalpodautoscalers"], - verbs: ["get", "list", "watch"], - }, - { - apiGroups: ["batch"], - resources: ["cronjobs", "jobs"], - verbs: ["get", "list", "watch"], - }, - { - apiGroups: ["policy"], - resources: ["poddisruptionbudgets"], - verbs: ["get", "list", "watch"], - }, - { - apiGroups: ["networking.k8s.io"], - resources: ["ingresses", "networkpolicies"], - verbs: ["get", "list", "watch"], - }, - { - apiGroups: [""], - resources: ["configmaps", "pods/portforward", "pods/exec"], - verbs: ["get", "update", "create"], - }, - { - apiGroups: ["apps"], - resources: ["deployments"], - verbs: ["create", "update", "patch", "delete"], - }, - ], -} \ No newline at end of file diff --git a/templates/sandbox/access_role_binding.jsonnet b/templates/sandbox/access_role_binding.jsonnet deleted file mode 100644 index 0a9e7887..00000000 --- a/templates/sandbox/access_role_binding.jsonnet +++ /dev/null @@ -1,26 +0,0 @@ -local common = import '../common.jsonnet'; -local deployment_manifest = import '../deployment_manifest.jsonnet'; -local sandboxParams = deployment_manifest.sandboxParams; -local namespace = deployment_manifest.deployment.namespace; - -{ - apiVersion: 'rbac.authorization.k8s.io/v1', - kind: 'RoleBinding', - metadata: { - name: namespace + "-full-access", - namespace: namespace, - labels: common.labels - }, - roleRef: { - apiGroup: 'rbac.authorization.k8s.io', - kind: 'Role', - name: namespace + '-full-access', - }, - subjects: [ - { - apiGroup: "rbac.authorization.k8s.io", - kind: "User", - name: "remote-"+sandboxParams.email+"-teleport.cmd.navi-tech.in" - } - ] -} \ No newline at end of file diff --git a/templates/sandbox/aws_iam_role.jsonnet b/templates/sandbox/aws_iam_role.jsonnet deleted file mode 100644 index e8ed2973..00000000 --- a/templates/sandbox/aws_iam_role.jsonnet +++ /dev/null @@ -1,36 +0,0 @@ -local chart = import '../chart.jsonnet'; -local common = import '../common.jsonnet'; -local deployment_manifest = import '../deployment_manifest.jsonnet'; -local deployment = deployment_manifest.deployment; -local sourceEnvironment = deployment_manifest.sandboxParams.source.environment; -local environment = deployment_manifest.environment; -local full_name = chart.full_service_name(deployment.name); -local namespace_values = import '../namespace_values.jsonnet'; - -if (deployment_manifest.extraResources != null - && 'aws_access' in deployment_manifest.extraResources) then - if (namespace_values.zalandoEnabled) then { - apiVersion: 'zalando.org/v1', - kind: 'AWSIAMRole', - metadata: { - name: '%s-%s' % [full_name, environment], - namespace: deployment_manifest.deployment.namespace, - annotations: common.annotations, - }, - spec: { - roleReference: '%s-%s' % [full_name, sourceEnvironment], - }, - } else { - apiVersion: 'v1', - kind: 'ServiceAccount', - metadata: { - annotations: { - 'eks.amazonaws.com/role-arn': 'arn:aws:iam::%s:role/%s-%s' % [namespace_values.awsAccountId, full_name, sourceEnvironment], - 'eks.amazonaws.com/sts-regional-endpoints': 'true', - 'eks.amazonaws.com/token-expiration': '10800', - }, - name: '%s-%s' % [full_name, environment], - namespace: deployment_manifest.deployment.namespace, - }, - } -else null diff --git a/templates/sandbox/main.jsonnet b/templates/sandbox/main.jsonnet deleted file mode 100644 index a52f1b1d..00000000 --- a/templates/sandbox/main.jsonnet +++ /dev/null @@ -1,53 +0,0 @@ -local namespace = import "namespace.jsonnet"; -local roleBinding = import "role_binding.jsonnet"; -local accessRole = import "access_role.jsonnet"; -local accessRoleBinding = import "access_role_binding.jsonnet"; -local deployment_manifest = import '../deployment_manifest.jsonnet'; -local namespace = import 'namespace.jsonnet'; -local sandboxParams = deployment_manifest.sandboxParams; -local roleBinding = import 'role_binding.jsonnet'; -local groupOrder = '20'; -local awsIamRole = import 'aws_iam_role.jsonnet'; -{ - sandbox: function(config={}) { - local _config = { - routingKey: if sandboxParams != null then sandboxParams.routingKey, - serviceName: null, - servicePort: null, - } + config, - namespace: namespace, - roleBinding: roleBinding, - securityContext: { - runAsUser: 0, - }, - albIngress: { - annotations: { - assert _config.serviceName != null : 'serviceName is required', - assert _config.servicePort != null : 'servicePort is required', - assert _config.routingKey != null : 'routingKey is required', - 'alb.ingress.kubernetes.io/actions.sandbox': '{"Type":"forward","ForwardConfig":{"TargetGroups":[{"ServiceName":"%s","ServicePort":"%s","Weight":100}]}}' % [_config.serviceName, _config.servicePort], - 'alb.ingress.kubernetes.io/conditions.sandbox': '[{"field":"http-header","httpHeaderConfig":{"httpHeaderName": "routing_key", "values":["%s"]}}]' % _config.routingKey, - 'alb.ingress.kubernetes.io/group.order': groupOrder, - }, - host: { - paths: [ - { - pathType: 'ImplementationSpecific', - backend: { - service: { - name: 'sandbox', - port: { - name: 'use-annotation', - }, - }, - }, - }, - ], - }, - }, - rolebinding: roleBinding, - accessRoleBinding: accessRoleBinding, - accessRole: accessRole, - iamRole: awsIamRole - }, -} \ No newline at end of file diff --git a/templates/sandbox/namespace.jsonnet b/templates/sandbox/namespace.jsonnet deleted file mode 100644 index bbcbb52f..00000000 --- a/templates/sandbox/namespace.jsonnet +++ /dev/null @@ -1,17 +0,0 @@ -local common = import '../common.jsonnet'; -local deployment_manifest = import '../deployment_manifest.jsonnet'; -local namespace = deployment_manifest.deployment.namespace; - -local metadata = { - labels: { - privilege: 'true', - prometheus: 'kube-prometheus', - }, - name: namespace, -}; - -{ - apiVersion: 'v1', - kind: 'Namespace', - metadata: metadata, -} diff --git a/templates/sandbox/role_binding.jsonnet b/templates/sandbox/role_binding.jsonnet deleted file mode 100644 index 76232fa6..00000000 --- a/templates/sandbox/role_binding.jsonnet +++ /dev/null @@ -1,25 +0,0 @@ -local common = import '../common.jsonnet'; -local deployment_manifest = import '../deployment_manifest.jsonnet'; -local namespace = deployment_manifest.deployment.namespace; - -{ - apiVersion: 'rbac.authorization.k8s.io/v1', - kind: 'RoleBinding', - metadata: { - name: 'psp:privileged:' + namespace, - labels: common.labels, - namespace: namespace, - }, - roleRef: { - apiGroup: 'rbac.authorization.k8s.io', - kind: 'ClusterRole', - name: 'psp:privileged', - }, - subjects: [ - { - apiGroup: 'rbac.authorization.k8s.io', - kind: 'Group', - name: 'system:serviceaccounts:' + namespace, - }, - ], -} diff --git a/templates/secret.jsonnet b/templates/secret.jsonnet deleted file mode 100644 index d400d9b2..00000000 --- a/templates/secret.jsonnet +++ /dev/null @@ -1,18 +0,0 @@ -local chart = import 'chart.jsonnet'; -local common = import 'common.jsonnet'; -local deployment_manifest = import 'deployment_manifest.jsonnet'; -local namespace = if 'flink' in deployment_manifest then deployment_manifest.flink.namespace else deployment_manifest.deployment.namespace; - -{ - apiVersion: 'v1', - kind: 'Secret', - metadata: { - name: chart.full_service_name(deployment_manifest.name) + '-secret', - labels: common.labels, - namespace: namespace, - annotations: common.annotations, - }, - - data: { [e.name]: std.base64(e.value) for e in deployment_manifest.environmentVariables }, - type: 'Opaque', -} diff --git a/templates/security_group.jsonnet b/templates/security_group.jsonnet deleted file mode 100644 index 337c0023..00000000 --- a/templates/security_group.jsonnet +++ /dev/null @@ -1,32 +0,0 @@ -local chart = import 'chart.jsonnet'; -local common = import 'common.jsonnet'; -local deployment_manifest = import 'deployment_manifest.jsonnet'; -local deployment = deployment_manifest.deployment; -if 'securityGroup' in deployment then - local security_group = deployment.securityGroup; - [{ - apiVersion: 'aws.navi.com/v1', - kind: 'SecurityGroup', - metadata: { - name: '%s-%s' % [chart.full_service_name(deployment_manifest.deployment.name), sg.name], - labels: common.labels, - namespace: deployment_manifest.deployment.namespace, - annotations: common.annotations, - }, - spec: { - rules: [ - { - local ipv4_cidrs = [cidr for cidr in rule.ingressCidr if std.findSubstr(':',cidr) == []], - local ipv6_cidrs = [cidr for cidr in rule.ingressCidr if std.findSubstr(':',cidr) != []], - [if 'fromPort' in rule then 'fromPort']: rule.fromPort, - [if 'toPort' in rule then 'toPort']: rule.toPort, - [if 'protocol' in rule then 'protocol']: rule.protocol, - [if 'description' in rule then 'description']: rule.description, - [if 'ingressCidr' in rule then 'ingressCidr']: ipv4_cidrs, - [if 'ingressCidr' in rule then 'ipv6ingressCidr']: ipv6_cidrs, - } - for rule in sg.rules - ], - [if 'vpcId' in sg then 'vpcId']: sg.vpcId, - }, - } for sg in security_group] diff --git a/templates/service.jsonnet b/templates/service.jsonnet deleted file mode 100644 index 79af347d..00000000 --- a/templates/service.jsonnet +++ /dev/null @@ -1,119 +0,0 @@ -local chart = import 'chart.jsonnet'; -local common = import 'common.jsonnet'; -local deployment_manifest = import 'deployment_manifest.jsonnet'; -local health_check_values = import 'health_check_values.jsonnet'; -local load_balancer_util = import 'load_balancer_util.jsonnet'; -local namespace_values = import 'namespace_values.jsonnet'; -local port_map = import 'port_map.jsonnet'; -local util = import 'util.jsonnet'; -local vars = import 'vars.jsonnet'; -local deployment = deployment_manifest.deployment; -local livenessCheck = deployment.healthChecks.livenessCheck; - -local elbScheme = { - internetFacing: 'false', - internal: 'true', -}; - -local name = chart.full_service_name(deployment.name); -local services = [name] + if (deployment.controller == vars.rolloutController) then ['%s-canary' % name, '%s-stable' % name] else []; - -local albTags = common.awsTags; - -local load_balancer_spec = { - alb: { - type: 'ClusterIP', - ports: port_map.getServicePorts, - }, - //If shared Alb is used all accessPolicies are ignored for now - sharedAlbAcrossNamespace: self.alb, - nodePort: self.alb, - commonApiGateway: self.alb, - - elb: { - type: 'LoadBalancer', - loadBalancerSourceRanges: namespace_values.loadBalancer.sourceRanges, - ports: [{ - port: 443, - targetPort: port_map.getPort('serviceport'), - protocol: 'TCP', - name: 'https', - }] + port_map.getServicePorts, - }, - - // If elb or alb is being created, a clusterIP is created by default - kubeLb: { - type: 'ClusterIP', - ports: port_map.getServicePorts, - }, - - nginxLb: self.kubeLb, - - // Creates a kubernetes headless service - none: { - type: 'ClusterIP', - ports: port_map.getServicePorts, - }, -}; - -local lb_annotations_mixin(albTags) = - local elbObjects = std.filter(function(lbObject) lbObject.type == 'elb', deployment.loadBalancers); - - // Only first elb loadbalancer configuration is considered - local elb_annotations_mixin = - if elbObjects != [] then - { - 'service.beta.kubernetes.io/aws-load-balancer-ssl-ports': 'https', - 'service.beta.kubernetes.io/aws-load-balancer-backend-protocol': 'http', - 'service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout': '3600', - 'service.beta.kubernetes.io/aws-load-balancer-extra-security-groups': - load_balancer_util.security_group_list(elbObjects[0].accessPolicies, super.securityGroups, elbObjects[0].extraSecurityGroups), - 'service.beta.kubernetes.io/aws-load-balancer-ssl-cert': super.sslCert[util.get_certs(std - .objectFieldsAll(super.sslCert), elbObjects[0].endpoint)], - 'service.beta.kubernetes.io/aws-load-balancer-internal': elbScheme[load_balancer_util.subnet_scheme(elbObjects[0].accessPolicies)], - 'external-dns.alpha.kubernetes.io/hostname': elbObjects[0].endpoint, - 'external-dns.alpha.kubernetes.io/ttl': '60', - } - else {}; - - local albObjects = std.filter(function(lbObject) std.prune([std.find(loadBalancers.type, ['alb', 'sharedAlbAcrossNamespace']) for loadBalancers in deployment.loadBalancers]) != [], deployment.loadBalancers); - - // Only first alb/sharedAlbAcrossNamespace loadbalancer configuration is considered - local alb_annotations_mixin = - if albObjects != [] then - { - 'alb.ingress.kubernetes.io/healthcheck-path': livenessCheck.path, - 'alb.ingress.kubernetes.io/healthcheck-port': std.toString(port_map.getPort(livenessCheck.port)), - 'alb.ingress.kubernetes.io/tags': 'Environment=%(Environment)s,Owner=%(Owner)s,Name=%(Name)s,Team=%(Team)s,Namespace=%(Namespace)s' % (albTags), - } - else {}; - - elb_annotations_mixin + alb_annotations_mixin; - - -//Kubernetes Service Object - -local create_service(name) = { - local tags = albTags { Name: name }, - apiVersion: 'v1', - kind: 'Service', - metadata: { - labels: common.labels, - name: name, - annotations: common.annotations + namespace_values.loadBalancer.annotations + lb_annotations_mixin(tags), - namespace: deployment_manifest.deployment.namespace, - }, - - spec: { - selector: { - app: chart.service_name, - release: deployment.name, - }, - } + load_balancer_spec[deployment.loadBalancers[0].type], -}; -// this if condition is only added so older test get passed. we need to update older tests fixture and than remove this -if (std.length(services) == 1) then create_service(name) else { - apiVersion: 'v1', - kind: 'List', - items: [create_service(service) for service in services], -} diff --git a/templates/service_monitor.jsonnet b/templates/service_monitor.jsonnet deleted file mode 100644 index 95462ea1..00000000 --- a/templates/service_monitor.jsonnet +++ /dev/null @@ -1,37 +0,0 @@ -local chart = import 'chart.jsonnet'; -local common = import 'common.jsonnet'; -local deployment_manifest = import 'deployment_manifest.jsonnet'; - -if deployment_manifest.deployment.serviceMonitor.enabled == true then { - apiVersion: 'monitoring.coreos.com/v1', - kind: 'ServiceMonitor', - metadata: { - labels: common.labels, - name: chart.full_service_name(deployment_manifest.deployment.name) + '-monitor', - namespace: deployment_manifest.deployment.namespace, - annotations: common.annotations, - }, - spec: - { - endpoints: [ - { - honorLabels: false, - interval: deployment_manifest.deployment.serviceMonitor.interval, - path: deployment_manifest.deployment.serviceMonitor.path, - port: deployment_manifest.deployment.serviceMonitor.port, - metricRelabelings: deployment_manifest.deployment.serviceMonitor.metricRelabelings, - scrapeTimeout: deployment_manifest.deployment.serviceMonitor.scrapeTimeout, - }, - ], - namespaceSelector: { - matchNames: [ - deployment_manifest.deployment.namespace, - ], - }, - //adding hard limit on scrape sample per target - sampleLimit: 20000, - selector: { - matchLabels: common.matchLabels, - }, - }, -} diff --git a/templates/shared_ingress_config/main.jsonnet b/templates/shared_ingress_config/main.jsonnet deleted file mode 100644 index 51da141f..00000000 --- a/templates/shared_ingress_config/main.jsonnet +++ /dev/null @@ -1,5 +0,0 @@ -local shared_ingress = import 'shared_ingress.libsonnet'; - -function(cluster, namespace, group_name, environment, product="shared") { - '10_ingress.json': shared_ingress.create(cluster, namespace, group_name, environment, product) -} diff --git a/templates/shared_ingress_config/shared_ingress.libsonnet b/templates/shared_ingress_config/shared_ingress.libsonnet deleted file mode 100644 index db88eb0e..00000000 --- a/templates/shared_ingress_config/shared_ingress.libsonnet +++ /dev/null @@ -1,75 +0,0 @@ -local cluster_values = import '../cluster_values.jsonnet'; - -local defaults = { - idle_timeout_seconds: 60, - access_logs_enable: true, - ssl_policy: 'ELBSecurityPolicy-TLS-1-2-2017-01', - team_name: 'Shared', - labels: { - product: 'shared', - owner: 'shared', - heritage: 'NaviDeploymentManifest', - }, -}; - -{ - namespace_values(cluster, namespace):: - local cluster_value = cluster_values[cluster]; - if namespace in cluster_value - then cluster_value[namespace] - else cluster_value.default, - - annotations(cluster, namespace, group_name, environment, product):: - local namespace_values = $.namespace_values(cluster, namespace); - local cluster_annotations = namespace_values.loadBalancer.annotations; - local security_groups = cluster_annotations.securityGroups; - local ingress_sg = std.join(',', [security_groups.officeIp, security_groups.internal]); - local loadbalancer_attributes = std.join(',', [ - 'idle_timeout.timeout_seconds=%s' % defaults.idle_timeout_seconds, - 'access_logs.s3.enabled=%s' % defaults.access_logs_enable, - 'access_logs.s3.bucket=%s' % cluster_annotations.accessLogBucket, - 'access_logs.s3.prefix=%s' % group_name, - ]); - - { - 'alb.ingress.kubernetes.io/ssl-policy': defaults.ssl_policy, - 'alb.ingress.kubernetes.io/scheme': 'internal', - 'alb.ingress.kubernetes.io/security-groups': ingress_sg, - 'alb.ingress.kubernetes.io/load-balancer-attributes': loadbalancer_attributes, - [if cluster != 'spike.np.navi-tech.in' then 'alb.ingress.kubernetes.io/subnets']: cluster_annotations.subnets.internal, - 'alb.ingress.kubernetes.io/group.name': group_name, - 'alb.ingress.kubernetes.io/tags': 'Name=shared-alb-%(name)s,Ingress=shared-alb-%(name)s,Owner=shared,Team=Shared,Product=%(product)s,Environment=%(environment)s' % { name: group_name, product: product, environment: environment }, - 'kubernetes.io/ingress.class': 'alb', - }, - - labels(name, environment, product):: - { - app: name, - chart: name, - heritage: defaults.labels.heritage, - release: name, - Team: defaults.team_name, - Environment: environment, - Name: name, - Product: product, - Owner: defaults.labels.owner, - }, - - name(group_name):: '%s-shared-alb-config' % [group_name], - - create(cluster, namespace, group_name, environment, product=defaults.labels.product):: - local name = $.name(group_name); - { - apiVersion: 'networking.k8s.io/v1', - kind: 'Ingress', - metadata: { - name: name, - labels: $.labels(name, environment, product), - namespace: namespace, - annotations: $.annotations(cluster, namespace, group_name, environment, product), - }, - spec: { - rules: [{}], - }, - }, -} diff --git a/templates/shared_ingress_config/tests/expected/ingress/nonprod.np.navi-tech.in:dev-internal:custom-group-name:dev.json b/templates/shared_ingress_config/tests/expected/ingress/nonprod.np.navi-tech.in:dev-internal:custom-group-name:dev.json deleted file mode 100644 index 435667f4..00000000 --- a/templates/shared_ingress_config/tests/expected/ingress/nonprod.np.navi-tech.in:dev-internal:custom-group-name:dev.json +++ /dev/null @@ -1,34 +0,0 @@ -{ - "apiVersion": "networking.k8s.io/v1", - "kind": "Ingress", - "metadata": { - "annotations": { - "alb.ingress.kubernetes.io/group.name": "custom-group-name", - "alb.ingress.kubernetes.io/load-balancer-attributes": "idle_timeout.timeout_seconds=60,access_logs.s3.enabled=true,access_logs.s3.bucket=navi-nonprod-lb-access-logs,access_logs.s3.prefix=custom-group-name", - "alb.ingress.kubernetes.io/scheme": "internal", - "alb.ingress.kubernetes.io/security-groups": "sg-01a64c085bfdb2cbb,sg-0bc07e856d000a5f4", - "alb.ingress.kubernetes.io/ssl-policy": "ELBSecurityPolicy-TLS-1-2-2017-01", - "alb.ingress.kubernetes.io/subnets": "internal-lb-ap-south-1a.nonprod.np.navi-tech.in,internal-lb-ap-south-1b.nonprod.np.navi-tech.in", - "alb.ingress.kubernetes.io/tags": "Name=shared-alb-custom-group-name,Ingress=shared-alb-custom-group-name,Owner=shared,Team=Shared,Product=shared,Environment=dev", - "kubernetes.io/ingress.class": "alb" - }, - "labels": { - "Environment": "dev", - "Name": "custom-group-name-shared-alb-config", - "Owner": "shared", - "Product": "shared", - "Team": "Shared", - "app": "custom-group-name-shared-alb-config", - "chart": "custom-group-name-shared-alb-config", - "heritage": "NaviDeploymentManifest", - "release": "custom-group-name-shared-alb-config" - }, - "name": "custom-group-name-shared-alb-config", - "namespace": "dev-internal" - }, - "spec": { - "rules": [ - {} - ] - } -} diff --git a/templates/shared_ingress_config/tests/jsonnetfile.json b/templates/shared_ingress_config/tests/jsonnetfile.json deleted file mode 100644 index 65c2176d..00000000 --- a/templates/shared_ingress_config/tests/jsonnetfile.json +++ /dev/null @@ -1,15 +0,0 @@ -{ - "version": 1, - "dependencies": [ - { - "source": { - "git": { - "remote": "https://github.com/yugui/jsonnetunit.git", - "subdir": "jsonnetunit" - } - }, - "version": "master" - } - ], - "legacyImports": true -} diff --git a/templates/shared_ingress_config/tests/jsonnetfile.lock.json b/templates/shared_ingress_config/tests/jsonnetfile.lock.json deleted file mode 100644 index b2f6ed72..00000000 --- a/templates/shared_ingress_config/tests/jsonnetfile.lock.json +++ /dev/null @@ -1,16 +0,0 @@ -{ - "version": 1, - "dependencies": [ - { - "source": { - "git": { - "remote": "https://github.com/yugui/jsonnetunit.git", - "subdir": "jsonnetunit" - } - }, - "version": "6927c58cae7624a00f368b977ccc477d4f74071f", - "sum": "9FFqqln65hooRF0l6rjICDtnTxUlmDj34+sKMh4sjPI=" - } - ], - "legacyImports": false -} diff --git a/templates/shared_ingress_config/tests/shared_ingress.jsonnet b/templates/shared_ingress_config/tests/shared_ingress.jsonnet deleted file mode 100644 index 232f43af..00000000 --- a/templates/shared_ingress_config/tests/shared_ingress.jsonnet +++ /dev/null @@ -1,49 +0,0 @@ -local shared_ingress = import '../shared_ingress.libsonnet'; -local test = import './vendor/jsonnetunit/test.libsonnet'; - -test.suite({ - testName: { - actual: shared_ingress.name('group-name'), - expect: 'group-name-shared-alb-config', - }, - testAnnotations: { - actual: shared_ingress.annotations('nonprod.np.navi-tech.in', 'dev', 'group_name', 'dev', product='shared'), - expect: { - 'alb.ingress.kubernetes.io/group.name': 'group_name', - 'alb.ingress.kubernetes.io/load-balancer-attributes': 'idle_timeout.timeout_seconds=60,access_logs.s3.enabled=true,access_logs.s3.bucket=navi-nonprod-lb-access-logs,access_logs.s3.prefix=group_name', - 'alb.ingress.kubernetes.io/scheme': 'internal', - 'alb.ingress.kubernetes.io/security-groups': 'sg-01a64c085bfdb2cbb,sg-0bc07e856d000a5f4', - 'alb.ingress.kubernetes.io/ssl-policy': 'ELBSecurityPolicy-TLS-1-2-2017-01', - 'alb.ingress.kubernetes.io/subnets': 'internal-lb-ap-south-1a.nonprod.np.navi-tech.in,internal-lb-ap-south-1b.nonprod.np.navi-tech.in', - 'alb.ingress.kubernetes.io/tags': 'Name=shared-alb-group_name,Ingress=shared-alb-group_name,Owner=shared,Team=Shared,Product=shared,Environment=dev', - 'kubernetes.io/ingress.class': 'alb', - }, - }, - testLabels: { - local name = 'group-name-shared-alb-config', - local env = 'dev', - local product = 'shared', - - actual: shared_ingress.labels(name, env, product), - expect: { - app: name, - chart: name, - heritage: 'NaviDeploymentManifest', - release: name, - Team: 'Shared', - Environment: env, - Name: name, - Product: 'shared', - Owner: 'shared', - }, - }, - testIngress: { - local cluster = 'nonprod.np.navi-tech.in', - local namespace = 'dev-internal', - local environment = 'dev', - local group_name = 'custom-group-name', - - actual: shared_ingress.create(cluster, namespace, group_name, environment), - expect: import './expected/ingress/nonprod.np.navi-tech.in:dev-internal:custom-group-name:dev.json', - }, -}) diff --git a/templates/sidecar.jsonnet b/templates/sidecar.jsonnet deleted file mode 100644 index 00e9484c..00000000 --- a/templates/sidecar.jsonnet +++ /dev/null @@ -1,87 +0,0 @@ -local deployment_manifest = import 'deployment_manifest.jsonnet'; -local deployment = deployment_manifest.deployment; -local namespace_values = import 'namespace_values.jsonnet'; -local vars = import 'vars.jsonnet'; -local util = import 'util.jsonnet'; -local cluster = deployment_manifest.cluster; -local namespace = deployment.namespace; - -local outboundTrafficPolicy = { - "nonprod.np.navi-tech.in": { - "dev": { mode: 'ALLOW_ANY' }, - "qa": { mode: 'ALLOW_ANY' }, - }, -}; - -local getOutboundTrafficPolicy(cluster, namespace) = ( - local envConf = util.get(outboundTrafficPolicy, cluster, {}); - local policy = util.get(envConf, namespace, {}); - policy -); - -// Istio sidecar need not be deployed for Infra team or applications in command cluster -if (deployment_manifest.team.name != 'Infra' && namespace_values.sidecarEnabled -&& !deployment.disableIstio) then { - local chart = import 'chart.jsonnet', - local common = import 'common.jsonnet', - local util = import 'util.jsonnet', - - local default_egress_list = [ - 'istio-system/*', - '*/' + vars.swBackend, - ], - - - // Applies namespace prefix as required by sidecar configuration - // FROM [ "dev-payment.np.navi-tech.in", - // "dev-camunda.np.navi-tech.in", - // "192.168.1.1", - // - // TO [ "*/dev-payment.np.navi-tech.in", - // "*/dev-camunda.np.navi-tech.in", - // "192.168.1.1" ] - local sidecar_egress_list(egressEndpoints) = - std.map(function(egressEndpoint) if util.is_ipv4_address(egressEndpoint) then egressEndpoint else '*/' + egressEndpoint, egressEndpoints), - - // Converts a array of endpoint urls to flat array of hostnames - // FROM [ "https://dev-payment.np.navi-tech.in", - // "https://dev-camunda.np.navi-tech.in", - // "192.168.1.1", - // "kafka-0.np.navi-tech.in:19092,kafka-1.np.navi-tech.in:19092,kafka-2.np.navi-tech.in:19092" ] - // - // TO [ "dev-payment.np.navi-tech.in", - // "dev-camunda.np.navi-tech.in", - // "192.168.1.1", - // "kafka-0.np.navi-tech.in", - // "kafka-1.np.navi-tech.in", - // "kafka-2.np.navi-tech.in" ] - local host_list(egressEndpoints) = - std.flattenArrays([ - if std.findSubstr(',', egressEndpoint) != [] then std.map(util.host_name, std.split(egressEndpoint, ',')) - else [util.host_name(egressEndpoint)] - for egressEndpoint in egressEndpoints - ]), - - apiVersion: 'networking.istio.io/v1alpha3', - kind: 'Sidecar', - metadata: { - name: chart.full_service_name(deployment.name) + '-sidecar', - labels: common.labels, - namespace: deployment.namespace, - annotations: common.annotations, - }, - spec: { - workloadSelector: { - labels: { - app: chart.service_name, - release: deployment.name, - }, - }, - outboundTrafficPolicy: getOutboundTrafficPolicy(cluster, namespace), - egress: [ - { - hosts: sidecar_egress_list(host_list(deployment.allowEgress)) + default_egress_list, - }, - ], - }, -} diff --git a/templates/util.jsonnet b/templates/util.jsonnet deleted file mode 100644 index de9ce6de..00000000 --- a/templates/util.jsonnet +++ /dev/null @@ -1,96 +0,0 @@ -local chart = import 'chart.jsonnet'; -local vars = import 'vars.jsonnet'; - -{ - parent_dir(filePath):: - std.splitLimit(filePath, '/', 1)[0], - - file_name(filePath):: - local words = std.split(filePath, '/'); - words[std.length(words) - 1], - - // Returns the root domain for given domain - // dev-camunda.np.navi-tech.in => navi-tech.in - // dev-camunda.np.navi-ext.com => navi-ext.com - root_domain(domain):: - local words = std.split(domain, '.'); - words[std.length(words) - 2] + '.' + words[std.length(words) - 1], - - get_certs(ssls, domain):: - local qualified_certificates = std.prune([if std.findSubstr(ssl, domain) != [] then ssl for ssl in std.sort(ssls)]); - if std.length(qualified_certificates) == 0 then error 'No cert found for domain: %s' % domain - else qualified_certificates[std.length(qualified_certificates) - 1], - - // Returns hostname for given full endpoint urls like following - // https://dev-camunda.np.navi-tech.in => dev-camuna.np.navi-tech.in - // https://dev-camunda.np.navi-tech.in/camunda => dev-camuna.np.navi-tech.in - // dev-camunda.np.navi-tech.in:3131 => dev-camuna.np.navi-tech.in - // 192.168.1.1 => 192.168.1.1 - host_name(endpoint):: - if std.findSubstr('://', endpoint) != [] then local hostNameStart = std.findSubstr('://', endpoint); self.host_name(std.substr(endpoint, hostNameStart[0] + 3, 9999)) - else if std.findSubstr(':', endpoint) != [] then self.host_name(std.split(endpoint, ':')[0]) - else if std.findSubstr('/', endpoint) != [] then self.host_name(std.split(endpoint, '/')[0]) - else endpoint, - - is_ipv4_address(endpoint):: - local ipChars = std.split(endpoint, '.'); - std.length(ipChars) == 4 && std.length(std.filter(function(ipChar) std.length(ipChar) >= 1 && std.length(ipChar) <= 3, ipChars)) == 4, - - is_field_present(object, field):: - if object == null then false - else std.objectHas(object, field), - - memory_in_mb(memory):: - local unitMap = { - Mi: 1, - Gi: 1024, - }; - local length = std.length(memory); - local value = std.parseInt(std.substr(memory, 0, length - 2)); - local unit = std.substr(memory, length - 2, 2); - value * unitMap[unit], - - cpu_in_milli_core(cpu):: - local cpuStr = cpu + ''; - if std.substr(cpuStr, std.length(cpuStr) - 1, 1) == 'm' then cpu else '%dm' % (cpu * 1000), - - replace_character_in_string(str, a, b):: ( - assert std.length(a) == 1; - std.join(b, std.split(str, a)) - ), - - is_sandbox(env):: if env == 'sandbox' then true else false, - - is_local_sandbox(image, env):: std.extVar('IMAGE') == 'null' && $.is_sandbox(env) && (image == null || image == 'null'), - - get_image(image, env):: - if std.extVar('IMAGE') == 'null' then - if $.is_local_sandbox(image, env) then - vars.sandboxImage - else - image - else - std.extVar('IMAGE'), - - is_readiness_probe_enabled(image, environment):: !$.is_local_sandbox(image, environment), - - is_liveness_probe_enabled(image, environment):: !$.is_local_sandbox(image, environment), - - is_startup_probe_enabled(is_enabled, image, environment):: is_enabled && !$.is_local_sandbox(image, environment), - - hpa_scale_target_ref(name, controller, isDisabled):: if isDisabled then { - apiVersion: 'apps/v1', - kind: 'Deployment', - name: 'disabled', - } else if (controller == vars.rolloutController) then { - apiVersion: 'argoproj.io/v1alpha1', - kind: 'Rollout', - name: chart.full_service_name(name), - } else { - apiVersion: 'apps/v1', - kind: 'Deployment', - name: chart.full_service_name(name), - }, - - get( object, key, defaultValue ):: if std.objectHas(object, key) then object[key] else defaultValue, -} diff --git a/templates/vars.jsonnet b/templates/vars.jsonnet deleted file mode 100644 index cf0ef47f..00000000 --- a/templates/vars.jsonnet +++ /dev/null @@ -1,44 +0,0 @@ -{ - esImage_7_17_0:: '193044292705.dkr.ecr.ap-south-1.amazonaws.com/common/elastic-search:7.17.0-withplugins', - esImage_8_12_2:: '193044292705.dkr.ecr.ap-south-1.amazonaws.com/common/elastic-search:8.12.2-withplugins', - kibanaImage_7_17_0:: '193044292705.dkr.ecr.ap-south-1.amazonaws.com/common/kibana:7.17.0', - kibanaImage_8_12_2:: '193044292705.dkr.ecr.ap-south-1.amazonaws.com/common/kibana:8.12.2', - sandboxImage:: '193044292705.dkr.ecr.ap-south-1.amazonaws.com/common/busybox:navicli', - swBackend:: 'skywalking-skywalking-helm-oap.skywalking.svc.cluster.local', - swPort:: '11800', - rolloutController:: 'argo', - defaultController:: 'default', - defaultDeploymentStrategy:: 'rollingUpdate', - defaultCanarySteps: [ - { setWeight: 20 }, - { pause: {} }, - ], - environments: { - prod: 'prod', - dev: 'dev', - qa: 'qa', - perf: 'perf', - cmd: 'cmd', - }, - vpa:: { - maxAllowedCPU: '7200m', - maxAllowedMemory: '16Gi', - }, - deployment:: { - hpa:: { - type:: { - metrics:: 'metrics', - cron:: 'cron', - }, - }, - alerts:: { - pod:: [ - { type: 'HighPodRestarts', threshold: 3, duration: '30m', severity: 'critical' }, - { type: 'HighPodFailures', threshold: 2, duration: '3h', severity: 'warning' }, - { type: 'FrequentPodOOMKilled', threshold: 2, duration: '10m', severity: 'critical' }, - { type: 'PodOOMKilled', threshold: 1, duration: '5m', severity: 'warning' }, - { type: 'KubeContainerWaiting', threshold: 0, duration: '1h', severity: 'critical' }, - ], - }, - }, -} diff --git a/templates/vpa.jsonnet b/templates/vpa.jsonnet deleted file mode 100644 index 5630ec61..00000000 --- a/templates/vpa.jsonnet +++ /dev/null @@ -1,60 +0,0 @@ -local chart = import 'chart.jsonnet'; -local common = import 'common.jsonnet'; -local deployment_manifest = import 'deployment_manifest.jsonnet'; -local vars = import 'vars.jsonnet'; -local deployment = deployment_manifest.deployment; -local vpaEnabled = deployment.isVpaEnabled; -local namespace_values = import 'namespace_values.jsonnet'; -local util = import 'util.jsonnet'; - -local name = chart.full_service_name(deployment.name); -local vpaAllowed = namespace_values.isVpaDeployed; - -local minAllowed = { - cpu: util.cpu_in_milli_core(deployment.instance.minCPU), - memory: deployment.instance.minMemory, -}; - -local maxAllowed = { - cpu: util.cpu_in_milli_core(deployment.vpa.maxAllowed.cpu), - memory: deployment.vpa.maxAllowed.memory, -}; - -if vpaAllowed then { - apiVersion: 'autoscaling.k8s.io/v1', - kind: 'VerticalPodAutoscaler', - metadata: { - name: name, - labels: common.labels, - namespace: deployment_manifest.deployment.namespace, - annotations: common.annotations, - }, - spec: { - targetRef: if (deployment.controller == vars.rolloutController) then { - apiVersion: 'argoproj.io/v1alpha1', - kind: 'Rollout', - name: name, - } else { - apiVersion: 'apps/v1', - kind: 'Deployment', - name: name, - }, - [if !vpaEnabled then 'updatePolicy']: { - updateMode: 'Off', - }, - [if vpaEnabled then 'resourcePolicy']: { - containerPolicies: [ - { - containerName: name, - minAllowed: minAllowed, - maxAllowed: maxAllowed, - controlledResources: ['cpu', 'memory'], - }, - { - containerName: '*', - mode: 'Off', - }, - ], - }, - }, -}