Merge from Main

.github/workflows/cd.yaml

@@ -4,6 +4,7 @@ on:
   push:
     branches:
       - main
+  workflow_dispatch:
 
 jobs:
   build:
@@ -13,6 +14,9 @@ jobs:
     - name: Checkout repository
       uses: actions/checkout@v3
 
+    - name: Setup env
+      run: echo "VERSION=$(echo ${GITHUB_SHA} | cut -c1-7)" >> $GITHUB_ENV
+
     - name: Set up Docker Buildx
       uses: docker/setup-buildx-action@v2
 
@@ -30,6 +34,61 @@ jobs:
       with:
         context: .
         push: true
-        tags: ${{ secrets.DOCKER_USERNAME }}/fast-food:latest
-
-  # TODO: deploy to k8s
+        tags: ${{ secrets.DOCKER_USERNAME }}/fast-food:${{ env.VERSION }}
+
+  k8s-deploy:
+    needs: build
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v3
+
+    - name: Configure AWS credentials
+      uses: aws-actions/configure-aws-credentials@v1
+      with:
+        aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+        aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+        aws-region: ${{ secrets.AWS_REGION }}
+
+    - name: Install kubectl
+      run: |
+        curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
+        chmod +x kubectl
+        sudo mv kubectl /usr/local/bin/kubectl
+    
+    - name: Verify kubectl version
+      run: kubectl version --client
+
+    - name: Setup kubectl
+      run: aws eks --region ${{ secrets.AWS_REGION }} update-kubeconfig --name ${{ secrets.K8S_CLUSTER_NAME }}
+
+    - name: Setup env
+      run: echo "VERSION=$(echo ${GITHUB_SHA} | cut -c1-7)" >> $GITHUB_ENV
+
+    - name: Create dir for parsed k8s templates
+      run: |
+        mkdir -p ./k8s-deploy
+
+    - name: Prepare k8s resource templates
+      env:
+        DB_HOSTNAME: ${{ secrets.DB_HOSTNAME }}
+        DB_DATABASE: ${{ secrets.DB_DATABASE }}
+        DB_USERNAME: ${{ secrets.DB_USERNAME }}
+        DB_PASSWORD: ${{ secrets.DB_PASSWORD }}
+        MERCADOPAGO_PUBLIC_KEY: ${{ secrets.MERCADOPAGO_PUBLIC_KEY }}
+        MERCADOPAGO_PRIVATE_ACCESS_TOKEN: ${{ secrets.MERCADOPAGO_PRIVATE_ACCESS_TOKEN }}
+        MERCADOPAGO_APP_USER_ID: ${{ secrets.MERCADOPAGO_APP_USER_ID }}
+        MERCADOPAGO_POINT_OF_SALE_ID: ${{ secrets.MERCADOPAGO_POINT_OF_SALE_ID }}
+        MERCADOPAGO_NOTIFICATIONS_URL: ${{ secrets.MERCADOPAGO_NOTIFICATIONS_URL }}
+        VERSION: ${{ env.VERSION }}
+        ENVIRONMENT: prod
+      run: |
+        for file in ./k8s/*.yaml; do
+          envsubst < "$file" > "./k8s-deploy/$(basename "$file")"
+        done
+
+    - name: Deploy to k8s cluster
+      run: |
+        kubectl apply -f ./k8s-deploy/
+

build.gradle

@@ -57,6 +57,7 @@ dependencies {
     implementation 'org.springframework.boot:spring-boot-starter-data-jpa'
     implementation 'org.springframework.boot:spring-boot-starter-validation'
     implementation 'org.springframework.boot:spring-boot-starter-web'
+    implementation 'io.jsonwebtoken:jjwt:0.9.1'
     implementation 'org.springdoc:springdoc-openapi-starter-webmvc-ui:2.5.0'
     implementation 'org.apache.httpcomponents:httpclient:4.5'
     compileOnly 'org.projectlombok:lombok'

k8s/api-deployment.yaml → k8s/api-deployment.template.yaml

@@ -5,7 +5,6 @@ metadata:
   labels:
     app: api-deployment
 spec:
-  replicas: 1
   selector:
     matchLabels:
       app: api-deployment
@@ -18,10 +17,24 @@ spec:
         - name: app
           env:
             - name: DB_URL
-              value: "jdbc:postgresql://postgres-svc:5432/fastfood"
+              value: "jdbc:postgresql://$DB_HOSTNAME:5432/$DB_DATABASE"
+            - name: DB_USERNAME
+              value: "$DB_USERNAME"
+            - name: DB_PASSWORD
+              value: "$DB_PASSWORD"
+            - name: MERCADOPAGO_PUBLIC_KEY
+              value: "$MERCADOPAGO_PUBLIC_KEY"
+            - name: MERCADOPAGO_PRIVATE_ACCESS_TOKEN
+              value: "$MERCADOPAGO_PRIVATE_ACCESS_TOKEN"
+            - name: MERCADOPAGO_APP_USER_ID
+              value: "$MERCADOPAGO_APP_USER_ID"
+            - name: MERCADOPAGO_POINT_OF_SALE_ID
+              value: "$MERCADOPAGO_POINT_OF_SALE_ID"
+            - name: MERCADOPAGO_NOTIFICATIONS_URL
+              value: "$MERCADOPAGO_NOTIFICATIONS_URL"
             - name: SPRING_PROFILES_ACTIVE
-              value: "dev"
-          image: fiap7soat30/fast-food:latest
+              value: "$ENVIRONMENT"
+          image: fiap7soat30/fast-food:$VERSION
           imagePullPolicy: Always
           ports:
           - containerPort: 8080

k8s/api-hpa.yaml

@@ -7,8 +7,8 @@ spec:
     apiVersion: apps/v1
     kind: Deployment
     name: api-deployment
-  minReplicas: 3
-  maxReplicas: 10
+  minReplicas: 2
+  maxReplicas: 4
   metrics:
   - type: Resource
     resource:

k8s/api-svc.yaml

@@ -2,12 +2,13 @@ apiVersion: v1
 kind: Service
 metadata:
   name: api-svc
+  annotations:
+    service.beta.kubernetes.io/aws-load-balancer-internal: "true"
 spec:
   selector:
     app: api-deployment
   ports:
     - protocol: TCP
       port: 80
       targetPort: 8080
-      nodePort: 30007
-  type: NodePort
+  type: LoadBalancer

scripts/deploy-k8s.sh

@@ -1,15 +1,3 @@
-# metric server
-kubectl apply -f ./k8s/metrics.yaml
-
-# database
-kubectl create configmap cm-init --from-file=init.sql
-kubectl apply -f ./k8s/configmap.yaml
-kubectl apply -f ./k8s/postgres-pv.yaml
-kubectl apply -f ./k8s/postgres-pvc.yaml
-kubectl apply -f ./k8s/postgres-svc.yaml
-kubectl apply -f ./k8s/postgres-deployment.yaml
-
-# application
 kubectl apply -f ./k8s/api-svc.yaml
 kubectl apply -f ./k8s/api-hpa.yaml
 kubectl apply -f ./k8s/api-deployment.yaml

src/main/java/br/com/fiap/grupo30/fastfood/FastfoodApplication.java

@@ -1,9 +1,20 @@
 package br.com.fiap.grupo30.fastfood;
 
+import io.swagger.v3.oas.annotations.OpenAPIDefinition;
+import io.swagger.v3.oas.annotations.info.Info;
+import io.swagger.v3.oas.annotations.servers.Server;
 import org.springframework.boot.SpringApplication;
 import org.springframework.boot.autoconfigure.SpringBootApplication;
 
 @SpringBootApplication
+@OpenAPIDefinition(
+        info = @Info(title = "My API", version = "v1"),
+        servers = {
+            @Server(url = "http://localhost:8080", description = "Local Development"),
+            @Server(
+                    url = "https://29glms05ff.execute-api.us-east-1.amazonaws.com",
+                    description = "Production Server")
+        })
 public class FastfoodApplication {
 
     public static void main(String[] args) {

src/main/java/br/com/fiap/grupo30/fastfood/infrastructure/auth/AdminAuthorizationAspect.java

@@ -0,0 +1,64 @@
+package br.com.fiap.grupo30.fastfood.infrastructure.auth;
+
+import com.fasterxml.jackson.databind.JsonNode;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+import java.util.Base64;
+import java.util.List;
+import org.aspectj.lang.annotation.Aspect;
+import org.aspectj.lang.annotation.Before;
+import org.springframework.stereotype.Component;
+import org.springframework.web.context.request.RequestContextHolder;
+import org.springframework.web.context.request.ServletRequestAttributes;
+
+@Aspect
+@Component
+public class AdminAuthorizationAspect {
+
+    private final ObjectMapper objectMapper = new ObjectMapper();
+    private static String ADMIN_ROLE = "admin-group";
+    private static String BEARER_TYPE = "Bearer";
+    private static Integer JWT_PARTS = 3;
+
+    @Before("@annotation(AdminRequired)")
+    public void checkAdminRole() throws Exception {
+        ServletRequestAttributes attrs =
+                (ServletRequestAttributes) RequestContextHolder.getRequestAttributes();
+        HttpServletRequest request = attrs.getRequest();
+        HttpServletResponse response = attrs.getResponse();
+
+        String authorizationHeader = request.getHeader("Authorization");
+
+        if (authorizationHeader == null || !authorizationHeader.startsWith(BEARER_TYPE)) {
+            response.sendError(
+                    HttpServletResponse.SC_UNAUTHORIZED, "Missing or invalid Authorization header");
+            return;
+        }
+
+        String jwtToken = authorizationHeader.substring(7);
+
+        String[] tokenParts = jwtToken.split("\\.");
+
+        if (tokenParts.length != JWT_PARTS) {
+            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Invalid JWT token structure");
+            return;
+        }
+
+        String payload = new String(Base64.getDecoder().decode(tokenParts[1]));
+        JsonNode jsonNode = objectMapper.readTree(payload);
+
+        JsonNode groupsNode = jsonNode.get("cognito:groups");
+        if (groupsNode != null && groupsNode.isArray()) {
+            List<String> groups = objectMapper.convertValue(groupsNode, List.class);
+            if (!groups.contains(ADMIN_ROLE)) {
+                response.sendError(
+                        HttpServletResponse.SC_UNAUTHORIZED, "User does not have admin role");
+                return;
+            }
+        } else {
+            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "No cognito:groups found");
+            return;
+        }
+    }
+}

src/main/java/br/com/fiap/grupo30/fastfood/infrastructure/auth/AdminRequired.java

@@ -0,0 +1,10 @@
+package br.com.fiap.grupo30.fastfood.infrastructure.auth;
+
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
+
+@Target(ElementType.METHOD)
+@Retention(RetentionPolicy.RUNTIME)
+public @interface AdminRequired {}