Working version except RabbitMQ with Istio

README.md

@@ -0,0 +1 @@
+![Figure 2.1.1 Azure cloud infrastructure deployed automatically via Terraform](https://github.com/user-attachments/assets/1c17cd6d-572b-4426-9d60-d5d1800c0c2d)

infrastructure/dev/docker-compose.yaml

@@ -1,34 +1,9 @@
 services:
 
-  # API GATEWAY
-
-  kong-cp:
-    image: '${GW_IMAGE:-kong/kong-gateway:3.11.0.2}'
-    restart: on-failure
-    environment:
-      KONG_DATABASE: off
-      KONG_DECLARATIVE_CONFIG: /kong/declarative/kong.yaml
-      KONG_ADMIN_LISTEN: 0.0.0.0:8001, 0.0.0.0:8444 ssl
-      KONG_ADMIN_GUI_LISTEN: 0.0.0.0:8002, 0.0.0.0:8445 ssl
-      KONG_ADMIN_GUI_URL: http://${GW_HOST:-localhost}:8002
-      KONG_PASSWORD: handyshake
-    ports:
-      - "8000:8000"  # Proxy HTTP
-      - "8443:8443"  # Proxy HTTPS
-      - "8001:8001"  # Admin API HTTP
-      - "8444:8444"  # Admin API HTTPS
-      - "8002:8002"  # Kong Manager HTTP
-      - "8445:8445"  # Kong Manager HTTPS
-    networks:
-      - backend-network
-    volumes:
-      - ./kong/kong.yaml:/kong/declarative/kong.yaml
-    command: kong start
-
   # MICROSERVICES
 
   storage-service:
-    image: storage-service:dev
+    image: acrdevopsprojectprod.azurecr.io/storage-service:v1.0
     build:
       context: ../../storage-service
       dockerfile: Dockerfile
@@ -38,6 +13,8 @@ services:
       RABBITMQ_HOST: rabbitmq
       BUCKET_ENDPOINT: http://minio:9000
       AWS_BUCKET_NAME : devops
+    ports:
+      - "8080:8080"
     networks:
       - backend-network
       - db-network
@@ -51,15 +28,17 @@ services:
       start_interval: 5s
 
   user-service:
-    image: user-service:dev
+    image: acrdevopsprojectprod.azurecr.io/user-service:v1.0
     build:
       context: ../../user-service
       dockerfile: Dockerfile
     restart: on-failure
     environment:
       SERVER_PORT: 8080
       RABBITMQ_HOST: rabbitmq
-      POSTGRESQL_URL: jdbc:postgresql://postgresql/devops
+      POSTGRESQL_URI: jdbc:postgresql://postgresql/devops
+    ports:
+      - "8081:8080"
     networks:
       - backend-network
       - db-network
@@ -151,7 +130,7 @@ services:
       PGADMIN_DEFAULT_EMAIL: kacper@kacper.pl
       PGADMIN_DEFAULT_PASSWORD: kacper
     ports:
-      - "8080:80"
+      - "8880:80"
     networks:
       - db-network
     volumes:
@@ -161,7 +140,7 @@ services:
     image: mongo-express:latest
     restart: on-failure
     ports:
-      - "8081:8081"
+      - "8881:8081"
     environment:
       ME_CONFIG_MONGODB_ADMINUSERNAME: kacper
       ME_CONFIG_MONGODB_ADMINPASSWORD: kacper

infrastructure/prod/kubernetes/argocd-app-of-apps/config-rabbitmq.yaml

@@ -25,6 +25,5 @@ spec:
         app.kubernetes.io/component: rabbitmq-operator
         app.kubernetes.io/name: rabbitmq-system
         app.kubernetes.io/part-of: rabbitmq
-        istio-injection: enabled  # To inject sidecar proxy automatically we need set this label
     syncOptions:
       - CreateNamespace=true

infrastructure/prod/kubernetes/argocd-app-of-apps/helm-istio-base.yaml

@@ -10,7 +10,7 @@ spec:
   source:
     chart: base
     repoURL: https://istio-release.storage.googleapis.com/charts
-    targetRevision: 1.28.1
+    targetRevision: 1.28.2
     helm:
       releaseName: istio-base
       parameters:

infrastructure/prod/kubernetes/argocd-app-of-apps/helm-istio-d.yaml

@@ -10,7 +10,7 @@ spec:
   source:
     chart: istiod
     repoURL: https://istio-release.storage.googleapis.com/charts
-    targetRevision: 1.28.1
+    targetRevision: 1.28.2
     helm:
       releaseName: istiod
   destination:

infrastructure/prod/kubernetes/argocd-app-of-apps/helm-istio-egress-controller.yaml

@@ -12,7 +12,7 @@ spec:
   source:
     chart: gateway
     repoURL: https://istio-release.storage.googleapis.com/charts
-    targetRevision: 1.28.1
+    targetRevision: 1.28.2
     helm:
       releaseName: istio-egressgateway
       values: |

infrastructure/prod/kubernetes/argocd-app-of-apps/helm-istio-ingress-controller.yaml

@@ -12,7 +12,7 @@ spec:
   source:
     chart: gateway
     repoURL: https://istio-release.storage.googleapis.com/charts
-    targetRevision: 1.28.1
+    targetRevision: 1.28.2
     helm:
       releaseName: istio-ingressgateway
       values: |

infrastructure/prod/kubernetes/external-secrets-manifests/key-vault-external-secrets.yaml

@@ -11,7 +11,7 @@ spec:
   refreshInterval: 0h5m0s
   target:
     name: cloudflare-api-token-secret
-    creationPolicy: Owner   # Creates Kubernetes secret if ExternalSecret created
+    creationPolicy: Owner # Creates Kubernetes secret if ExternalSecret created
   data:
     - secretKey: api-token
       remoteRef:
@@ -53,19 +53,78 @@ spec:
     template:
       type: kubernetes.io/dockerconfigjson
       data:
-        .dockerconfigjson: |
+        .dockerconfigjson: | # Token username is the same as ACR name
           {
             "auths": {
-              "acrdevopsprojectprod.azurecr.io": {
+              "{{ .acrName }}.azurecr.io": {
                 "username": "{{ .token }}",
                 "password": "{{ .password }}"
               }
             }
           }
   data:
+    - secretKey: acrName
+      remoteRef:
+        key: secret/acr-name
     - secretKey: token
       remoteRef:
         key: secret/aks-acr-token
     - secretKey: password
       remoteRef:
-        key: secret/aks-acr-password
+        key: secret/aks-acr-password
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: postgresql-credentials
+  namespace: prod
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: azure-cluster-secret-store
+  refreshPolicy: Periodic
+  refreshInterval: 0h5m0s
+  target:
+    name: postgresql-credentials
+    creationPolicy: Owner
+    template: # Here we are using templating engine to create secret ready to be used in Spring application
+      engineVersion: v2
+      data: # Complete URI for JDBC with TLS required
+        uri: "jdbc:postgresql://{{ .uri }}/devops?&sslmode=require"
+        username: "{{ .username }}"
+        password: "{{ .password }}"
+  data:
+    - secretKey: uri
+      remoteRef:
+        key: secret/postgresql-uri
+    - secretKey: username
+      remoteRef:
+        key: secret/postgresql-username
+    - secretKey: password
+      remoteRef:
+        key: secret/postgresql-password
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: cloudflare-r2-credentials
+  namespace: prod
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: azure-cluster-secret-store
+  refreshPolicy: Periodic
+  refreshInterval: 0h5m0s
+  target:
+    name: cloudflare-r2-credentials
+    creationPolicy: Owner
+  data:
+    - secretKey: apiUri
+      remoteRef:
+        key: secret/cloudflare-r2-api-uri
+    - secretKey: accessKeyId
+      remoteRef:
+        key: secret/cloudflare-r2-account-id
+    - secretKey: secretAccessKey
+      remoteRef:
+        key: secret/cloudflare-api-token

infrastructure/prod/kubernetes/istio-manifests/mtls-lockdown-peer-authentication.yaml

@@ -5,4 +5,4 @@ metadata:
   namespace: istio-system
 spec:
   mtls:
-    mode: PERMISSIVE  # Lock down workloads in all namespaces to prioritise accept mTLS traffic
+    mode: STRICT  # Lock down workloads in all namespaces to prioritise accept mTLS traffic

infrastructure/prod/kubernetes/istio-manifests/rabbitmq-virtual-service.yaml

@@ -28,9 +28,16 @@ spec:
     - devops-project-cluster.rabbitmq-system.svc.cluster.local
   tcp:
     - match:
-        - port: 5672
+        - port: 5672  # TCP AMQP
       route:
         - destination:
             host: devops-project-cluster.rabbitmq-system.svc.cluster.local
             port:
-              number: 5672
+              number: 5672
+    - match:
+        - port: 15692  # TCP Prometheus port
+      route:
+        - destination:
+            host: devops-project-cluster.rabbitmq-system.svc.cluster.local
+            port:
+              number: 15692

infrastructure/prod/kubernetes/istio-manifests/storage-service-virtual-service.yaml

@@ -15,13 +15,19 @@ spec:
       route:
         - destination:
             host: storage-service.prod.svc.cluster.local
+            port:
+              number: 8080
             subset: v1
           weight: 100   # We declare that all traffic is routed to v1.0 version
         - destination:
             host: storage-service.prod.svc.cluster.local
+            port:
+              number: 8080
             subset: v2
           weight: 0
         - destination:
             host: storage-service.prod.svc.cluster.local
+            port:
+              number: 8080
             subset: v3
           weight: 0

infrastructure/prod/kubernetes/istio-manifests/user-service-virtual-service.yaml

@@ -15,13 +15,19 @@ spec:
       route:
         - destination:
             host: user-service.prod.svc.cluster.local
+            port:
+              number: 8080
             subset: v1
           weight: 100   # We declare that all traffic is routed to v1.0 version
         - destination:
             host: user-service.prod.svc.cluster.local
+            port:
+              number: 8080
             subset: v2
           weight: 0
         - destination:
             host: user-service.prod.svc.cluster.local
+            port:
+              number: 8080
             subset: v3
           weight: 0

infrastructure/prod/kubernetes/rabbitmq-manifests/rabbitmq-cluster-config.yaml

@@ -3,14 +3,15 @@ kind: RabbitmqCluster
 metadata:
   name: devops-project-cluster
   namespace: rabbitmq-system
-  labels:
-    istio-injection: enabled  # To inject sidecar proxy automatically we need to set this label
 spec:
   replicas: 1
   override:
     statefulSet:
       spec:
         template:
+          metadata:
+            labels: # To inject sidecar proxy automatically we need to set this label (Pod level) That way we prevent injecting to deployments where there is no need
+              sidecar.istio.io/inject: "true" # Same problem as with ArgoCD but I found solution :)
           spec:
             containers:
               - name: rabbitmq

infrastructure/prod/kubernetes/storage-service-manifests/storage-service-deployment-v1.0.yaml

@@ -18,12 +18,30 @@ spec:
         app: storage-service
         version: v1.0
     spec:
-      imagePullSecrets: # Setting credentials to Azure Container Registry, synchronized with Key Vault
-        - name: azurecr-credentials
       containers:
         - name: storage-service
-          image: storage-service:dev
+          image: acrdevopsprojectprod.azurecr.io/storage-service:v1.0
           imagePullPolicy: IfNotPresent
+          env:
+            - name: SERVER_PORT
+              value: "8080"
+            - name: RABBITMQ_HOST
+              value: rabbitmq.rabbitmq-system.svc.cluster.local
+            - name: BUCKET_ENDPOINT
+              valueFrom:
+                secretKeyRef:
+                  name: cloudflare-r2-credentials
+                  key: apiUri
+            - name: BUCKET_ACCESS_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: cloudflare-r2-credentials
+                  key:  accessKeyId
+            - name: BUCKET_SECRET_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: cloudflare-r2-credentials
+                  key: secretAccessKey
           ports:
             - containerPort: 8080
               protocol: TCP
@@ -45,5 +63,7 @@ spec:
               port: 8080
             initialDelaySeconds: 15
             periodSeconds: 10
-      serviceAccountName: storage-service
-      restartPolicy: Always
+      imagePullSecrets: # Setting credentials to Azure Container Registry, synchronized with Key Vault
+        - name: azurecr-credentials
+      restartPolicy: Always
+      serviceAccountName: storage-service