Merge branch 'master' into feature/refaktorere-dokumenter-fra-bestill…

…ing-og-maler

.github/workflows/app.altinn3-tilgang-service-prod.yml

@@ -0,0 +1,24 @@
+name: altinn3-tilgang-service-prod
+
+on:
+  push:
+    paths:
+      - "plugins/**"
+      - "libs/reactive-core/**"
+      - "libs/reactive-security/**"
+      - "apps/altinn3-tilgang-service/**"
+      - ".github/workflows/app.altinn3-tilgang-service.yml"
+
+jobs:
+  workflow:
+    uses: ./.github/workflows/common.workflow.backend.yml
+    with:
+      working-directory: "apps/altinn3-tilgang-service"
+      deploy-tag: "#deploy-altinn3-tilgang-service-prod"
+      nais-manifest: "config.prod.yml"
+      cluster: "prod-gcp"
+    permissions:
+      contents: read
+      id-token: write
+    secrets: inherit
+

.github/workflows/app.organisasjon-tilgang-service.yml → .github/workflows/app.altinn3-tilgang-service.yml

@@ -1,21 +1,23 @@
-name: organisasjon-tilgang-service
+name: altinn3-tilgang-service
 
 on:
   push:
     paths:
       - "plugins/**"
       - "libs/reactive-core/**"
       - "libs/reactive-security/**"
-      - "apps/organisasjon-tilgang-service/**"
-      - ".github/workflows/app.organisasjon-tilgang-service.yml"
+      - "apps/altinn3-tilgang-service/**"
+      - ".github/workflows/app.altinn3-tilgang-service.yml"
 
 jobs:
   workflow:
     uses: ./.github/workflows/common.workflow.backend.yml
     with:
-      working-directory: "apps/organisasjon-tilgang-service"
-      deploy-tag: "#deploy-organisasjon-tilgang-service"
+      working-directory: "apps/altinn3-tilgang-service"
+      deploy-tag: "#deploy-altinn3-tilgang-service"
+      nais-manifest: "config.dev.yml"
     permissions:
       contents: read
       id-token: write
     secrets: inherit
+

.github/workflows/integration-tests.yml

@@ -3,7 +3,6 @@ on:
   push:
     paths:
       - 'apps/bruker-service/**'
-      - 'apps/person-organisasjon-tilgang-service/**'
   workflow_dispatch:
 
 jobs:
@@ -14,11 +13,4 @@ jobs:
       working-directory: 'apps/bruker-service/'
       healthcheck: 'http://localhost:8002/internal/isAlive'
     secrets:
-      NAV_TOKEN: ${{ secrets.NAV_TOKEN }}
-  person-organisasjon-tilgang-service:
-    if: github.event.pull_request.draft == false
-    uses: ./.github/workflows/common.integration-test.yml
-    with:
-      working-directory: 'apps/person-organisasjon-tilgang-service/'
-      healthcheck: 'http://localhost:8001/internal/isAlive'
-    secrets: inherit
+      NAV_TOKEN: ${{ secrets.NAV_TOKEN }}

.github/workflows/proxy.altinn3-tilgang-proxy.yml

@@ -0,0 +1,23 @@
+name: altinn3-tilgang-proxy
+
+on:
+  push:
+    paths:
+      - "plugins/**"
+      - "libs/reactive-core/**"
+      - "libs/reactive-proxy/**"
+      - "libs/security-core/**"
+      - "libs/servlet-insecure-security/**"
+      - "proxies/altinn3-tilgang-proxy/**"
+      - ".github/workflows/proxy.altinn3-tilgang-proxy.yml"
+
+jobs:
+  workflow:
+    uses: ./.github/workflows/common.workflow.backend.yml
+    with:
+      working-directory: "proxies/altinn3-tilgang-proxy"
+      deploy-tag: "#deploy-proxy-altinn3-tilgang"
+    permissions:
+      contents: read
+      id-token: write
+    secrets: inherit

apps/adresse-service/src/main/resources/application-local.yml

@@ -0,0 +1,7 @@
+AZURE_APP_CLIENT_ID: ${sm://azure-app-client-id}
+AZURE_APP_CLIENT_SECRET: ${sm://azure-app-client-secret}
+TOKEN_X_CLIENT_ID: dev-gcp:dolly:testnav-adresse-service
+
+spring:
+  config:
+    import: "sm://"

apps/adresse-service/src/main/resources/application.yaml → apps/adresse-service/src/main/resources/application.yml

@@ -34,12 +34,13 @@ management:
     enabled-by-default: true
     web:
       base-path: /internal
-      exposure.include: prometheus,heapdump,health
+      exposure:
+        include: prometheus,health
       path-mapping:
         prometheus: metrics
   endpoint:
-    prometheus.enabled: true
-    heapdump.enabled: true
+    prometheus:
+      enabled: true
   prometheus:
     metrics:
       export:

apps/altinn3-tilgang-service/99-dolly-convert-to-pk8.sh

@@ -0,0 +1,6 @@
+#!/usr/bin/env sh
+
+#
+# Converts NAIS provided key.pem to PKCS#8 PEM format, which can be used by R2dbc.
+#
+openssl pkey -in /var/run/secrets/nais.io/sqlcertificate/key.pem -out /tmp/pk8.pem

apps/organisasjon-tilgang-service/Dockerfile → apps/altinn3-tilgang-service/Dockerfile

@@ -1,8 +1,9 @@
 FROM ghcr.io/navikt/baseimages/temurin:21
 LABEL maintainer="Team Dolly"
 
-ADD build/libs/app.jar /app/app.jar
-
 ENV JAVA_OPTS="--add-opens java.base/java.lang=ALL-UNNAMED"
 
+COPY 99-dolly-convert-to-pk8.sh /init-scripts/
+COPY /build/libs/app.jar /app/
+
 EXPOSE 8080

apps/altinn3-tilgang-service/README.md

@@ -0,0 +1,13 @@
+## altinn3-tilgang-service
+
+Service som godkjenner tilganger for en spesifisert organisasjoner mot Dolly ved bruk av bankid.
+
+## Swagger
+
+Swagger finnes under [/swagger-ui.html](https://testnav-altinn3-tilgang-service.intern.dev.nav.no/swagger-ui.html)
+-endepunktet til applikasjonen.
+
+## Lokal kjøring
+* [Generelt.](../../docs/local_general.md)
+* [Secret Manager.](../../docs/local_secretmanager.md)
+* [Database i GCP.](../../docs/gcp_db.md)

apps/organisasjon-tilgang-service/build.gradle → apps/altinn3-tilgang-service/build.gradle

@@ -4,29 +4,32 @@ plugins {
 
 sonarqube {
     properties {
-        property "sonar.projectKey", "testnav-organisasjon-tilgang-service"
-        property "sonar.projectName", "testnav-organisasjon-tilgang-service"
+        property "sonar.projectKey", "testnav-altinn3-tilgang-service"
+        property "sonar.projectName", "testnav-altinn3-tilgang-service"
     }
 }
 
 dependencies {
+    implementation "no.nav.testnav.libs:data-transfer-objects"
     implementation "no.nav.testnav.libs:reactive-core"
     implementation "no.nav.testnav.libs:reactive-security"
 
+    implementation "org.springframework.boot:spring-boot-starter-data-r2dbc"
     implementation "org.springframework.boot:spring-boot-starter-oauth2-resource-server"
+    implementation "org.springframework.boot:spring-boot-starter-security"
 
-    implementation "org.springframework.boot:spring-boot-starter-data-r2dbc"
-    runtimeOnly "org.postgresql:postgresql"
-    implementation "io.r2dbc:r2dbc-h2"
-    implementation "org.postgresql:r2dbc-postgresql"
     implementation "org.flywaydb:flyway-core"
     implementation "org.flywaydb:flyway-database-postgresql"
 
+    runtimeOnly "org.postgresql:postgresql"
+    runtimeOnly "org.postgresql:r2dbc-postgresql"
+
     implementation "ma.glasnost.orika:orika-core:$versions.orika"
 
     implementation "org.springdoc:springdoc-openapi-starter-webflux-ui:$versions.springdoc"
     implementation "io.swagger.core.v3:swagger-annotations-jakarta:$versions.swagger"
 
-    testImplementation "org.springframework.cloud:spring-cloud-contract-wiremock"
+    implementation "io.r2dbc:r2dbc-h2"
+    testRuntimeOnly "com.h2database:h2"
 }
 

apps/organisasjon-tilgang-service/config.yml → apps/altinn3-tilgang-service/config.dev.yml

@@ -1,7 +1,7 @@
 apiVersion: "nais.io/v1alpha1"
 kind: "Application"
 metadata:
-  name: testnav-organisasjon-tilgang-service
+  name: testnav-altinn3-tilgang-service
   namespace: dolly
   labels:
     team: dolly
@@ -10,27 +10,33 @@ spec:
     enabled: true
   image: "{{image}}"
   port: 8080
-  webproxy: true
   azure:
     application:
       enabled: true
       tenant: nav.no
       claims:
         groups:
           - id: 9c7efec1-1599-4216-a67e-6fd53a6a951c
+  maskinporten:
+    enabled: true
+    scopes:
+      consumes:
+        - name: altinn:resourceregistry/accesslist.read
+        - name: altinn:resourceregistry/accesslist.write
+        - name: altinn:accessmanagement/authorizedparties.resourceowner
   accessPolicy:
     inbound:
       rules:
-        - application: dolly-frontend
         - application: dolly-frontend-dev
         - application: dolly-frontend-dev-unstable
-        - application: dolly-idporten
         - application: team-dolly-lokal-app
         - application: testnav-oversikt-frontend
+        - application: testnav-bruker-service-dev
+        - application: testnorge-profil-api-dev
     outbound:
       external:
-        - host: altinn.no
-        - host: maskinporten.no
+        - host: platform.tt02.altinn.no
+        - host: data.brreg.no
   liveness:
     path: /internal/isAlive
     initialDelay: 10
@@ -51,10 +57,6 @@ spec:
   prometheus:
     enabled: true
     path: /internal/metrics
-  envFrom:
-    - secret: altinn-prod
-    - secret: google-sql-testnav-organisasjon-tilgang-service
-    - secret: maskinporten-dolly-prod
   replicas:
     min: 1
     max: 1
@@ -64,16 +66,16 @@ spec:
       memory: 1024Mi
     limits:
       memory: 2048Mi
-  ingresses:
-    - "https://testnav-organisasjon-tilgang-service.intern.dev.nav.no"
   env:
     - name: SPRING_PROFILES_ACTIVE
-      value: prod
+      value: dev
+  ingresses:
+    - "https://testnav-altinn3-tilgang-service.intern.dev.nav.no"
   gcp:
     sqlInstances:
-      - type: POSTGRES_15
+      - type: POSTGRES_16
         tier: db-custom-1-3840
-        name: testnav-organisasjon-tilganger
+        name: testnav-altinn3-tilgang
         databases:
-          - name: testnav-organisasjon-tilganger
+          - name: testnav-altinn3-tilgang
         autoBackupHour: 2