feat: ORV2-2223 New Policy Microservice - part 1 (#1471)

Co-authored-by: John Fletcher <[email protected]>

.github/CODEOWNERS

@@ -13,6 +13,9 @@
 # Dops:
 /dops/**  @gchauhan-aot @praju-aot
 
+# Policy:
+/policy/**  @gchauhan-aot @praju-aot
+
 # Database:
 /database/** @gchauhan-aot @john-fletcher-aot @praju-aot
 

.github/workflows/analysis.yml

@@ -79,12 +79,16 @@ jobs:
           - 5432:5432
     strategy:
       matrix:
-        dir: [vehicles, dops, frontend, scheduler]
+        dir: [vehicles, dops, frontend, scheduler, policy]
         include:
           - dir: dops
             sonar_projectKey: onroutebc_dops
             token: SONAR_TOKEN_DOPS
             triggers: ('dops')
+          - dir: policy
+            sonar_projectKey: onroutebc_policy
+            token: SONAR_TOKEN_POLICY
+            triggers: ('policy')            
           - dir: vehicles
             sonar_projectKey: onroutebc_vehicles
             token: SONAR_TOKEN_VEHICLES

.github/workflows/merge.yml

@@ -59,7 +59,7 @@ jobs:
       packages: write
     strategy:
       matrix:
-        package: [dops, vehicles, frontend, scheduler]
+        package: [dops, vehicles, frontend, scheduler, policy]
     timeout-minutes: 2
     steps:
       - uses: shrink/actions-docker-registry-tag@v4
@@ -94,7 +94,7 @@ jobs:
       packages: write
     strategy:
       matrix:
-        package: [dops, vehicles, frontend, scheduler]
+        package: [dops, vehicles, frontend, scheduler, policy]
     timeout-minutes: 2
     steps:
       - uses: shrink/actions-docker-registry-tag@v4

.github/workflows/pr-close.yml

@@ -18,4 +18,4 @@ jobs:
       oc_token: ${{ secrets.OC_TOKEN }}
     with:
       cleanup: helm
-      packages: dops frontend scheduler vehicles
+      packages: dops frontend scheduler vehicles policy

.github/workflows/pr-open.yml

@@ -33,6 +33,7 @@ jobs:
             - [Frontend](https://${{ env.PREFIX }}-frontend.${{ env.DOMAIN }})
             - [Vehicles](https://${{ env.PREFIX }}-vehicles.${{ env.DOMAIN }}/api)
             - [Dops](https://${{ env.PREFIX }}-dops.${{ env.DOMAIN }}/api)
+            - [Policy](https://${{ env.PREFIX }}-policy.${{ env.DOMAIN }}/api)
             - [Scheduler](https://${{ env.PREFIX }}-scheduler.${{ env.DOMAIN }}/api)
 
             Please create PRs in draft mode.  Mark as ready to enable:
@@ -61,7 +62,7 @@ jobs:
       packages: write
     strategy:
       matrix:
-        package: [dops, vehicles, frontend, scheduler]
+        package: [dops, vehicles, frontend, scheduler, policy]
     timeout-minutes: 10
     steps:
       - uses: bcgov-nr/[email protected]
@@ -94,4 +95,5 @@ jobs:
         --set-json dops.containers[0].resources='{"limits": {"cpu": "1000m", "memory": "2000Mi"}, "requests": {"cpu": "25m", "memory": "50Mi"}}' \
         --set-json frontend.containers[0].resources='{"limits": {"cpu": "75m", "memory": "150Mi"}, "requests": {"cpu": "25m", "memory": "50Mi"}}' \
         --set-json scheduler.containers[0].resources='{"limits": {"cpu": "75m", "memory": "150Mi"}, "requests": {"cpu": "25m", "memory": "50Mi"}}' \
+        --set-json policy.containers[0].resources='{"limits": {"cpu": "75m", "memory": "150Mi"}, "requests": {"cpu": "25m", "memory": "50Mi"}}' \
         --set-json vehicles.containers[0].resources='{"limits": {"cpu": "300m", "memory": "500Mi"}, "requests": {"cpu": "200m", "memory": "400Mi"}}' \

.github/workflows/scheduled.yml

@@ -17,7 +17,7 @@ jobs:
       PREFIX: ${{ github.event.repository.name }}-test
     strategy:
       matrix:
-        name: [dops, frontend, vehicles]
+        name: [dops, frontend, vehicles, policy, scheduler]
     steps:
       - name: ZAP Scan
         uses: zaproxy/[email protected]

charts/onroutebc/Chart.yaml

@@ -18,6 +18,10 @@ dependencies: # A list of the chart requirements (optional)
     repository: "https://bcgov.github.io/helm-service"
     alias: dops
     version: 0.3.0
+  - name: component
+    repository: "https://bcgov.github.io/helm-service"
+    alias: policy
+    version: 0.3.0    
   - name: component
     repository: "https://bcgov.github.io/helm-service"
     alias: scheduler

charts/onroutebc/values.yaml

@@ -32,12 +32,14 @@ frontend:
     enabled: true
     data:
       ACCESS_API_URL: "https://{{.Release.Name}}-vehicles.apps.silver.devops.gov.bc.ca"
+      POLICY_URL: "https://{{.Release.Name}}-policy.apps.silver.devops.gov.bc.ca"
       DEPLOY_ENVIRONMENT: "{{.Values.global.vault.zone}}"
       FRONTEND_PR_NUM: "{{.Values.global.pr_num}}"
       config.js.template: |-
         const envConfig = (() => { return {
             "VITE_DEPLOY_ENVIRONMENT":"$DEPLOY_ENVIRONMENT",
             "VITE_API_VEHICLE_URL":"$ACCESS_API_URL",
+            "VITE_POLICY_URL":"$POLICY_URL",
             "VITE_KEYCLOAK_ISSUER_URL":"$KEYCLOAK_ISSUER_URL",
             "VITE_KEYCLOAK_AUDIENCE":"$KEYCLOAK_AUDIENCE",
             "VITE_SITEMINDER_LOG_OFF_URL":"$SITEMINDER_LOG_OFF_URL",
@@ -58,6 +60,8 @@ frontend:
         fromLocalConfigmap: 
           - name: ACCESS_API_URL
             key: ACCESS_API_URL
+          - name: POLICY_URL
+            key: POLICY_URL            
           - name: DEPLOY_ENVIRONMENT
             key: DEPLOY_ENVIRONMENT
           - name: FRONTEND_PR_NUM
@@ -167,6 +171,7 @@ vehicles:
     enabled: true
     data:
       DOPS_URL: "https://{{.Release.Name}}-dops.apps.silver.devops.gov.bc.ca"
+      POLICY_URL: "https://{{.Release.Name}}-policy.apps.silver.devops.gov.bc.ca"
       FRONTEND_URL: "https://{{.Release.Name}}-frontend.apps.silver.devops.gov.bc.ca"      
       ACCESS_API_URL: "https://{{.Release.Name}}-vehicles.apps.silver.devops.gov.bc.ca"
       PAYBC_REDIRECT: "https://{{.Release.Name}}-frontend.apps.silver.devops.gov.bc.ca/payment"
@@ -184,6 +189,8 @@ vehicles:
         fromLocalConfigmap: 
           - name: DOPS_URL 
             key: DOPS_URL
+          - name: POLICY_URL 
+            key: POLICY_URL            
           - name: FRONTEND_URL
             key: FRONTEND_URL
           - name: ACCESS_API_URL
@@ -535,3 +542,126 @@ scheduler:
       - "scheduler-{{tpl $.Values.vault.zone $}}"
       - "s3-{{tpl $.Values.vault.zone $}}"
     zone: "{{.Values.global.vault.zone}}"
+
+policy:
+  enabled: true
+  deployment: # can be either a statefulSet or a deployment not both
+    enabled: true
+  statefulSet: # can be either a statefulSet or a deployment not both
+    enabled: false
+  secret:
+    enabled: false
+  configmap:
+    enabled: false
+  containers:
+    - name: policy
+      command:
+        - "sh"
+        - "-c"
+        - "source /vault/secrets/keycloak-{{.Values.global.vault.zone}} && source /vault/secrets/mssql-{{.Values.global.vault.zone}} && source /vault/secrets/policy-{{.Values.global.vault.zone}} && npm run start:prod"
+      registry: '{{ .Values.global.registry }}'
+      repository: '{{ .Values.global.repository }}' # example, it includes registry and repository
+      image: policy
+      tag: "{{tpl .Values.global.tag .}}"
+      env:        
+        fromValues:
+          - name: POLICY_PR_NUM
+            value: '{{.Values.global.pr_num}}'
+      ports:
+        - name: policy-api
+          containerPort: 5002
+          protocol: TCP
+      readinessProbe:
+        httpGet:
+          path: /
+          port: 5002
+          scheme: HTTP
+        initialDelaySeconds: 60
+        periodSeconds: 15
+        timeoutSeconds: 5
+      livenessProbe:
+        successThreshold: 1
+        failureThreshold: 3
+        httpGet:
+          path: /
+          port: 5002
+          scheme: HTTP
+        initialDelaySeconds: 60
+        periodSeconds: 30
+        timeoutSeconds: 5
+      resources: # this is optional
+        limits:
+          cpu: 75m
+          memory: 150Mi
+        requests:
+          cpu: 25m
+          memory: 50Mi
+  autoscaling:
+    #-- enable or disable autoscaling.
+    enabled: true
+    #-- the minimum number of replicas.
+    minReplicas: 2
+    #-- the maximum number of replicas.
+    maxReplicas: 3
+    #-- the target cpu utilization percentage, is from request cpu and NOT LIMIT CPU.
+    targetCPUUtilizationPercentage: 80
+    #-- the behavior for the autoscaling. it is optional and is an object.
+    behavior:
+      scaleDown:
+        stabilizationWindowSeconds: 300
+        policies:
+          - type: Percent
+            value: 10
+            periodSeconds: 60
+          - type: Pods
+            value: 2
+            periodSeconds: 60
+        selectPolicy: Min
+      scaleUp:
+        stabilizationWindowSeconds: 0
+        policies:
+          - type: Percent
+            value: 100
+            periodSeconds: 30
+          - type: Pods
+            value: 2
+            periodSeconds: 30
+        selectPolicy: Max
+  ingress:
+    className: openshift-default
+    annotations:
+      route.openshift.io/termination: "edge"
+    enabled: true
+    hosts: 
+      - host: "{{.Release.Name}}-policy.apps.silver.devops.gov.bc.ca"
+        paths:
+          - path: /
+            pathType: ImplementationSpecific
+    tls:
+      - {}
+  service:
+    enabled: true
+    type: ClusterIP
+    ports:
+      - name: 5002-tcp
+        protocol: TCP
+        port: 80
+        targetPort: 5002
+  serviceAccount:
+    name: "{{ .Values.global.license }}-vault"
+  vault:
+    enabled: true
+    resources: # this is optional
+      limits:
+        cpu: 100m
+        memory: 200Mi
+      requests:
+        cpu: 75m
+        memory: 100Mi
+    role: "{{.Values.global.vault.role}}"
+    license: "{{.Values.global.license}}"
+    secretPaths:
+      - "keycloak-{{tpl $.Values.vault.zone $}}"
+      - "mssql-{{tpl $.Values.vault.zone $}}"      
+      - "policy-{{tpl $.Values.vault.zone $}}"
+    zone: "{{.Values.global.vault.zone}}"

docker-compose.yml

@@ -82,18 +82,21 @@ services:
       CFS_CREDIT_ACCOUNT_CLIENT_ID: ${CFS_CREDIT_ACCOUNT_CLIENT_ID}
       CFS_CREDIT_ACCOUNT_CLIENT_SECRET: ${CFS_CREDIT_ACCOUNT_CLIENT_SECRET}
     healthcheck:
-      test: ["CMD", "curl", "-f", "http://localhost:5000/"]
+      test: "curl --silent --fail http://localhost:5000/ > /dev/null || exit 1"
       interval: 1m30s
       timeout: 10s
       retries: 3
       start_period: 40s
     depends_on:
       sql-server-db:
         condition: service_healthy
+      policy-api:
+        condition: service_healthy
     hostname: vehicles-api
     links:
       - sql-server-db
       - dops-api
+      - policy-api
     ports:
       - "5000:5000"
 
@@ -139,7 +142,7 @@ services:
       ORBC_SERVICE_ACCOUNT_CLIENT_SECRET: ${ORBC_SERVICE_ACCOUNT_CLIENT_SECRET}
       ORBC_SERVICE_ACCOUNT_AUDIENCE: ${ORBC_SERVICE_ACCOUNT_AUDIENCE}
     healthcheck:
-      test: ["CMD", "curl", "-f", "http://localhost:5001/"]
+      test: "curl --silent --fail http://localhost:5001/ > /dev/null || exit 1"
       interval: 1m30s
       timeout: 10s
       retries: 3
@@ -153,6 +156,43 @@ services:
     ports:
       - "5001:5001"
 
+  policy-api:
+    container_name: policy-api
+    build:
+      context: ./policy/
+      dockerfile: Dockerfile
+    environment:
+      NODE_ENV: development
+      POLICY_API_LOG_LEVEL: ${POLICY_API_LOG_LEVEL}
+      POLICY_API_TYPEORM_LOG_LEVEL: ${POLICY_API_TYPEORM_LOG_LEVEL}
+      POLICY_API_MAX_QUERY_EXECUTION_TIME_MS: ${POLICY_API_MAX_QUERY_EXECUTION_TIME_MS}
+      DB_TYPE: ${DB_TYPE}
+      MSSQL_HOST: sql-server-db
+      MSSQL_PORT: ${MSSQL_PORT}
+      MSSQL_DB: ${MSSQL_DB}
+      MSSQL_SA_USER: ${MSSQL_SA_USER}
+      MSSQL_SA_PASSWORD: ${MSSQL_SA_PASSWORD}
+      MSSQL_ENCRYPT: ${MSSQL_ENCRYPT}
+      KEYCLOAK_ISSUER_URL: ${KEYCLOAK_ISSUER_URL}
+      KEYCLOAK_AUDIENCE: ${KEYCLOAK_AUDIENCE}
+      KEYCLOAK_IGNORE_EXP: ${KEYCLOAK_IGNORE_EXP}      
+      ORBC_SERVICE_ACCOUNT_CLIENT_ID: ${ORBC_SERVICE_ACCOUNT_CLIENT_ID}
+      ORBC_SERVICE_ACCOUNT_AUDIENCE: ${ORBC_SERVICE_ACCOUNT_AUDIENCE}      
+    healthcheck:
+      test: "curl --silent --fail http://localhost:5002/ > /dev/null || exit 1"
+      interval: 1m30s
+      timeout: 10s
+      retries: 3
+      start_period: 40s
+    depends_on:
+      sql-server-db:
+        condition: service_healthy
+    hostname: policy-api
+    links:
+      - sql-server-db      
+    ports:
+      - "5002:5002"
+
   frontend:
     container_name: frontend
     build:
@@ -165,7 +205,7 @@ services:
         VITE_KEYCLOAK_AUDIENCE: ${VITE_KEYCLOAK_AUDIENCE}
         VITE_SITEMINDER_LOG_OFF_URL: ${VITE_SITEMINDER_LOG_OFF_URL}
     healthcheck:
-      test: ["CMD", "curl", "-f", "http://localhost:3000"]
+      test: "curl --silent --fail http://localhost:3000/ > /dev/null || exit 1"
       interval: 1m30s
       timeout: 10s
       retries: 3
@@ -174,6 +214,7 @@ services:
     links:
       - vehicles-api
       - dops-api
+      - policy-api
     ports:
       - "3000:3000"
     volumes:
@@ -225,7 +266,7 @@ services:
       DOC_GEN_LIMIT: ${DOC_GEN_LIMIT}
       PERMIT_SCHEDULE_POLLING_INTERVAL: ${PERMIT_SCHEDULE_POLLING_INTERVAL}
     healthcheck:
-      test: ["CMD", "curl", "-f", "http://localhost:5050/"]
+      test: "curl --silent --fail http://localhost:5050/ > /dev/null || exit 1"
       interval: 1m30s
       timeout: 10s
       retries: 3

dops/Dockerfile

@@ -80,7 +80,8 @@ RUN apk add --no-cache \
       freetype \
       harfbuzz \
       ca-certificates \
-      ttf-freefont 
+      ttf-freefont \
+      curl
 
 ENV PUPPETEER_EXECUTABLE_PATH=/usr/bin/chromium-browser
 
@@ -101,4 +102,4 @@ EXPOSE 5001
 CMD ["npm", "run", "start:prod"]
 
 # Health check
-HEALTHCHECK --interval=30s --timeout=3s CMD curl -f http://localhost/:5001
+HEALTHCHECK --interval=30s --timeout=3s CMD curl -f http://localhost:5001/

frontend/Dockerfile

@@ -46,5 +46,7 @@ COPY nginx.conf /etc/nginx/nginx.conf
 COPY static_home_page /usr/share/nginx/html
 CMD ["nginx", "-g", "daemon off;"]
 
+RUN apk add --no-cache curl
+
 # Health check
-HEALTHCHECK --interval=30s --timeout=3s CMD curl -f http://localhost/:3000
+HEALTHCHECK --interval=30s --timeout=3s CMD curl -f http://localhost:3000/

policy-engine/.prettierrc.json

@@ -0,0 +1,5 @@
+{
+  "singleQuote": true,
+  "trailingComma": "all",
+  "endOfLine":"auto"
+}