Merge pull request #11 from EarSEO/feat/springHelmEnv/#10

[#10] 스프링 헬름 패키지 환경변수 활용 변경

Author: jaewonLeeKOR

helm/spring/Chart.yaml

@@ -2,5 +2,5 @@ apiVersion: v2
 name: spring
 description: A Helm chart for EarSEO Spring
 type: application
-version: 0.1.0
+version: 0.1.2
 appVersion: "1.16.0"

helm/spring/templates/configmap.yaml

@@ -5,6 +5,5 @@ metadata:
   labels:
     app: {{ .Values.name }}
 data:
-  application-config.yaml: |
-{{ .Values.config | nindent 4 }}
+{{- toYaml .Values.env | nindent 2 }}
 ---

helm/spring/templates/deployment.yaml

@@ -33,14 +33,29 @@ spec:
           env:
             - name: SPRING_PROFILES_ACTIVE
               value: {{ .Values.profile }}
+            - name: NODE_IP
+              valueFrom:
+                fieldRef:
+                  fieldPath: status.hostIP
+            {{- if .Values.kafkaUser.enabled }}
+            - name: SPRING_KAFKA_PROPERTIES_SASL_JAAS_CONFIG
+              valueFrom:
+                secretKeyRef:
+                  {{- if .Values.kafkaUser.secretName }}
+                  name: {{ .Values.kafkaUser.secretName }}
+                  {{- else }}
+                  name: {{ .Values.name }}-kafka-user
+                  {{- end }}
+                  key: sasl.jaas.config
+            {{- end }}
+          envFrom:
+            - configMapRef:
+                name: {{ .Values.name }}-config
           ports:
             - containerPort: 8080
               protocol: TCP
               name: http
           volumeMounts:
-            - mountPath: /etc/config
-              name: configmap
-              readOnly: true
             - mountPath: /etc/secret
               name: secret
               readOnly: true
@@ -61,12 +76,6 @@ spec:
             timeoutSeconds: 3
             failureThreshold: 3
       volumes:
-        - name: configmap
-          configMap:
-            name: {{ .Values.name }}-config
-            items:
-              - key: application-config.yaml
-                path: application-config.yaml
         - name: secret
           secret:
             secretName: {{ .Values.name }}-secret

helm/spring/templates/service.yaml

@@ -8,6 +8,9 @@ spec:
   type: {{ .Values.service.type }}
   ports:
     - port: {{ .Values.service.port }}
+      {{- if .Values.service.nodePort }}
+      nodePort: {{ .Values.service.nodePort }}
+      {{- end }}
       targetPort: 8080
       protocol: TCP
       name: http

helm/spring/values.yaml

@@ -27,6 +27,7 @@ resources:
 service:
   type: ClusterIP
   port: 8080
+#  nodePort: 8080
 
 # Autoscaling
 autoscaling:
@@ -53,10 +54,15 @@ monitor:
   service:
     interval: 10s
 
-# Configmap
-config: |
-  server:
-    port: 8080
+# Configmap (환경변수)
+env:
+  EXAMPLE_ENV: empty_value
 
+# Secret (yaml 마운트)
 secret: |
   secret: i-am-secret
+
+# KafkaUser
+kafkaUser:
+  enabled: false
+  secretName: "" # 필요시 오버라이드

k8s-manifests/middleware/kafka/resources/kafka-topic.yaml

@@ -0,0 +1,53 @@
+# Kafka Topic 생성
+apiVersion: kafka.strimzi.io/v1beta2
+kind: KafkaTopic
+metadata:
+  name: member-level
+  namespace: kafka
+  annotations:
+    argocd.argoproj.io/sync-wave: "2"
+  labels:
+    strimzi.io/cluster: kafka-earseo-cluster
+spec:
+  # 파티션 설정
+  partitions: 1
+  # 레플리카 설정 (1 master, 2 slave)
+  replicas: 3
+  config:
+    # 메시지 보관 기간 (1 day)
+    retention.ms: 86400000
+    # 세그먼트 파일 크기 100MB
+    segment.bytes: 104857600
+    # 2개 이상의 레플리카에 저장되어야 저장 성공
+    min.insync.replicas: 2
+    # Zstandard 압축
+    compression.type: zstd
+    # 오래된 메시지 삭제 정책
+    cleanup.policy: delete
+---
+apiVersion: kafka.strimzi.io/v1beta2
+kind: KafkaTopic
+metadata:
+  name: story-test
+  namespace: kafka
+  annotations:
+    argocd.argoproj.io/sync-wave: "2"
+  labels:
+    strimzi.io/cluster: kafka-earseo-cluster
+spec:
+  # 파티션 설정
+  partitions: 1
+  # 레플리카 설정 (1 master, 2 slave)
+  replicas: 3
+  config:
+    # 메시지 보관 기간 (1 day)
+    retention.ms: 86400000
+    # 세그먼트 파일 크기 100MB
+    segment.bytes: 104857600
+    # 2개 이상의 레플리카에 저장되어야 저장 성공
+    min.insync.replicas: 2
+    # Zstandard 압축
+    compression.type: zstd
+    # 오래된 메시지 삭제 정책
+    cleanup.policy: delete
+---

k8s-manifests/middleware/kafka/resources/kafka-user-secret-syncer.yaml

@@ -0,0 +1,82 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: kafka-user-secret-syncer
+  namespace: backend
+  annotations:
+    argocd.argoproj.io/sync-wave: "-1"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: kafka-user-secret-syncer-role
+  annotations:
+    argocd.argoproj.io/sync-wave: "-1"
+rules:
+  - verbs:
+      - get
+      - list
+      - create
+      - update
+      - patch
+    apiGroups: [""]
+    resources: ["secrets"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: kafka-user-secret-syncer-backend
+  annotations:
+    argocd.argoproj.io/sync-wave: "-1"
+subjects:
+  - kind: ServiceAccount
+    name: kafka-user-secret-syncer
+    namespace: backend
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: kafka-user-secret-syncer-role
+---
+# Kafka User Secret backend 네임스페이스로 이동
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: sync-kafka-user-secret
+  namespace: backend
+  annotations:
+    argocd.argoproj.io/hook: PostSync
+    argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
+spec:
+  schedule: "*/10 * * * *"
+  concurrencyPolicy: Forbid
+  jobTemplate:
+    spec:
+      backoffLimit: 10
+      template:
+        spec:
+          serviceAccountName: kafka-user-secret-syncer
+          restartPolicy: OnFailure
+          containers:
+            - name: cluster-init
+              image: bitnami/kubectl:latest
+              command:
+                - /bin/sh
+                - -c
+                - |
+                  set -e
+                  
+                  # KafkaUser 등록으로 같이 생성된 KafkaUser Secret 
+                  SECRETS=(
+                    "backend-core-kafka-user:kafka:backend"
+                    "backend-story-kafka-user:kafka:backend"
+                  )
+                  
+                  for secret_info in "${SECRETS[@]}"; do
+                    IFS=':' read -r secret_name src_ns dst_ns <<< "$secret_info"
+                  
+                    echo "Syncing $secret_name from $src_ns to $dst_ns..."
+                  
+                    kubectl get secret "$secret_name" -n "$src_ns" -o json \
+                      | jq 'del(.metadata.namespace, .metadata.resourceVersion, .metadata.uid, .metadata.creationTimestamp, .metadata.selfLink, .metadata.ownerReferences)' \
+                      | kubectl apply -n "$dst_ns" -f -
+                  done

k8s-manifests/middleware/kafka/resources/kafka-user.yaml

@@ -0,0 +1,88 @@
+# Kafka User 생성 (SASL_PLAINTEXT 인증)
+# KafkaUser의 이름은 ${서비스 레포지토리명}-kafka-user 패턴이어야함
+apiVersion: kafka.strimzi.io/v1beta2
+kind: KafkaUser
+metadata:
+  name: backend-core-kafka-user
+  namespace: kafka
+  annotations:
+    argocd.argoproj.io/sync-wave: "2"
+  labels:
+    strimzi.io/cluster: kafka-earseo-cluster
+spec:
+  authentication:
+    type: scram-sha-512
+  authorization:
+    type: simple
+    acls:
+      # core 토픽 읽기 권한
+      - resource:
+          type: topic
+          name: "core-"
+          patternType: prefix
+        operations:
+          - Read
+          - Write
+          - Describe
+          - DescribeConfigs
+      # sight 토픽 쓰기권한
+      - resource:
+          type: topic
+          name: "sight-"
+          patternType: prefix
+        operations:
+          - Write
+          - Describe
+          - DescribeConfigs
+      # backend-core 컨슈머 그룹 읽기권한
+      - resource:
+          type: group
+          name: "backend-core-consumer-group"
+          patternType: literal
+        operations:
+          - Read
+          - Describe
+---
+apiVersion: kafka.strimzi.io/v1beta2
+kind: KafkaUser
+metadata:
+  name: backend-story-kafka-user
+  namespace: kafka
+  annotations:
+    argocd.argoproj.io/sync-wave: "2"
+  labels:
+    strimzi.io/cluster: kafka-earseo-cluster
+spec:
+  authentication:
+    type: scram-sha-512
+  authorization:
+    type: simple
+    acls:
+      # story 토픽 읽기 권한
+      - resource:
+          type: topic
+          name: "story-"
+          patternType: prefix
+        operations:
+          - Read
+          - Write
+          - Describe
+          - DescribeConfigs
+      # member 토픽 쓰기권한
+      - resource:
+          type: topic
+          name: "member-"
+          patternType: prefix
+        operations:
+          - Write
+          - Describe
+          - DescribeConfigs
+      # backend-story 컨슈머 그룹 읽기권한
+      - resource:
+          type: group
+          name: "backend-story-consumer-group"
+          patternType: literal
+        operations:
+          - Read
+          - Describe
+---

k8s-manifests/middleware/postgres/postgres-manifests.yaml

@@ -41,7 +41,7 @@ data:
 apiVersion: v1
 kind: Service
 metadata:
-  name: postgres
+  name: postgres-svc
   namespace: postgres
   annotations:
     argocd.argoproj.io/sync-wave: "0"
@@ -64,7 +64,7 @@ metadata:
   annotations:
     argocd.argoproj.io/sync-wave: "1"
 spec:
-  serviceName: postgres
+  serviceName: postgres-svc
   replicas: 1
   selector:
     matchLabels:

k8s-manifests/monitoring/otel-collector.yaml

@@ -3,7 +3,8 @@ mode: daemonset
 image:
   repository: otel/opentelemetry-collector-contrib
   tag: 0.134.1
-
+hostNetwork: true
+dnsPolicy: ClusterFirstWithHostNet
 clusterRole:
   create: true
   rules:
@@ -46,10 +47,16 @@ config:
     jaeger: null
     prometheus: null
     zipkin: null
+    otlp:
+      protocols:
+        grpc:
+          endpoint: 0.0.0.0:4317
+        http:
+          endpoint: 0.0.0.0:4318
   processors: # {}
-    batch: {}
-#      send_batch_size: 100
-#      timeout: 50ms
+    batch:
+      send_batch_size: 1024
+      timeout: 5s
 #      send_batch_max_size: 500
 
   exporters: