fix(application-system-api): add secret from aws parameter store for national registry client v3

[thorkellmani]

What

• correct secret

Why

• broke

Checklist:

• I have performed a self-review of my own code
• I have made corresponding changes to the documentation
• My changes generate no new warnings
• I have added tests that prove my fix is effective or that my feature works
• Formatting passes locally with my changes
• I have rebased against main before asking for a review

Summary by CodeRabbit

• New Features

  • Introduced a new secret, NATIONAL_REGISTRY_B2C_CLIENT_SECRET, enhancing security across multiple services.
  • Standardized health check paths for improved monitoring.

• Resource Management

  • Increased memory and CPU allocations for various services to optimize performance.

• Horizontal Pod Autoscaler (HPA)

  • Updated scaling metrics and replica counts for better traffic management.

• Ingress Configuration

  • Enhanced routing and service management through updated ingress annotations.

[coderabbitai]

Walkthrough

The changes in this pull request involve updates to the configuration files for the application system API and associated services. Key modifications include the addition of a new secret, NATIONAL_REGISTRY_B2C_CLIENT_SECRET, across multiple services, enhancements to resource management with updated memory and CPU allocations, and standardization of health check paths. The ingress configurations have also been updated to improve routing. Overall, these changes reflect a comprehensive enhancement of service configurations, focusing on security, resource management, and consistency.

Changes

File Path	Change Summary
apps/application-system/api/infra/application-system-api.ts	- Added secret: NATIONAL_REGISTRY_B2C_CLIENT_SECRET. - Updated serviceSetup memory request from 384Mi to 512Mi and limit from 768Mi to 1024Mi. - workerSetup function remains unchanged.
charts/islandis/values.dev.yaml	- Added environment variable: NATIONAL_REGISTRY_B2C_CLIENT_SECRET for multiple services. - Standardized health check paths. - Updated resource limits and requests for various services. - Modified HPA configurations.
charts/islandis/values.prod.yaml	- Added environment variable: NATIONAL_REGISTRY_B2C_CLIENT_SECRET for multiple services. - Standardized health check paths. - Updated HPA configurations and resource limits. - Included init containers for services.
charts/islandis/values.staging.yaml	- Added environment variable: NATIONAL_REGISTRY_B2C_CLIENT_SECRET for application-system-api. - Updated health check paths. - Adjusted resource limits for web and services-university-gateway services. - Modified HPA metrics.

Possibly related PRs

• fix(new-primary-school): Add missing config for X-Road path to application-system-api #15327: This PR modifies the application-system-api.ts file, which is also changed in the main PR, specifically regarding service configurations.
• fix: fixed application system api staging path #15875: This PR updates the application-system-api.ts file, which is relevant to the changes made in the main PR regarding service configurations.
• fix(chore): missing env for application system #15926: This PR adds new entities to the application-system-api.ts, which is related to the changes in the main PR that also involves modifications to this file.
• fix(application-system): Add notification url (#16503) #16507: This PR adds a new environment variable to the application-system-api.ts, which aligns with the main PR's focus on enhancing service configurations.
• fix(application-system-api): Add missing national registry v3 xroad client config #16770: This PR adds missing configurations to the application-system-api.ts, directly related to the changes made in the main PR regarding the national registry client configuration.

Suggested labels

automerge, high priority

Suggested reviewers

• thordurhhh
• robertaandersen
• brynjarorng

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[svanaeinars]

LGTM

[coderabbitai]

Actionable comments posted: 0

🧹 Outside diff range and nitpick comments (1)

charts/islandis/values.dev.yaml (1)

Line range hint 1-1000: Security implementation follows best practices

The National Registry B2C client secret implementation follows security best practices:

1. Centralized secret storage in AWS Parameter Store
2. Consistent secret path across services
3. Proper integration with Kubernetes secrets

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between 7bbf5b8 and 39ed79b.

📒 Files selected for processing (4)

• apps/application-system/api/infra/application-system-api.ts (1 hunks)
• charts/islandis/values.dev.yaml (1 hunks)
• charts/islandis/values.prod.yaml (1 hunks)
• charts/islandis/values.staging.yaml (1 hunks)

🧰 Additional context used

📓 Path-based instructions (1)

apps/application-system/api/infra/application-system-api.ts (1)

Pattern apps/**/*: "Confirm that the code adheres to the following:

• NextJS best practices, including file structure, API routes, and static generation methods.
• Efficient state management and server-side rendering techniques.
• Optimal use of TypeScript for component and utility type safety."

🔇 Additional comments (6)

apps/application-system/api/infra/application-system-api.ts (1)

342-343: LGTM! Verify secret configuration in AWS Parameter Store.

The secret addition follows the established naming conventions and is properly integrated with the NationalRegistryB2C xroad client.

Run the following script to verify the secret configuration:

✅ Verification successful

Secret configuration is properly integrated across services

The verification shows that:

• The secret path /k8s/api/NATIONAL_REGISTRY_B2C_CLIENT_SECRET is consistently configured across all environment values files (dev, staging, prod)
• The secret is used by multiple services that integrate with NationalRegistryB2C client
• The NationalRegistryB2C client is properly defined in the xroad configuration and imported where needed

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify that the secret exists in AWS Parameter Store across environments

# Test: Check if the secret path exists in the codebase
rg -l '/k8s/api/NATIONAL_REGISTRY_B2C_CLIENT_SECRET'

# Test: Search for any references to the NationalRegistryB2C client to ensure proper integration
ast-grep --pattern 'NationalRegistryB2C'

Length of output: 1845

charts/islandis/values.staging.yaml (2)

796-796: LGTM: Secret configuration added correctly

The addition of NATIONAL_REGISTRY_B2C_CLIENT_SECRET is properly configured to use AWS Parameter Store and follows the established pattern for sensitive values in the configuration.

---

793-796: Verify B2C client configuration completeness

The B2C client configuration appears complete with all required parameters:

• CLIENT_ID
• ENDPOINT
• PATH
• SCOPE
• CLIENT_SECRET (newly added)

Let's verify no other services require this secret.

✅ Verification successful

Let me search for where this client secret is being used to ensure completeness of verification.

---

B2C client configuration is properly configured across services

Based on the verification results:

• The National Registry B2C client secret is consistently configured in all required services
• The secret is properly referenced in the national registry client configuration (libs/clients/national-registry/v3)
• All necessary services (application-system, user-profile, endorsements, regulations-admin, etc.) have the correct secret path configured
• The configuration is consistent across all environments (dev, staging, prod)

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Search for other services using the National Registry B2C client
rg "NATIONAL_REGISTRY_B2C_CLIENT_ID" -A 5

Length of output: 18993

---

Script:

#!/bin/bash
# Search for usage of the National Registry B2C client secret
rg "NATIONAL_REGISTRY_B2C_CLIENT_SECRET" -A 2

Length of output: 10326

charts/islandis/values.prod.yaml (1)

787-787: LGTM: Secret configuration for National Registry B2C client looks correct.

The addition of NATIONAL_REGISTRY_B2C_CLIENT_SECRET is properly configured and aligns with the other National Registry B2C environment variables already defined in the service.

✅ Verification successful

Let me generate one more verification script to understand which services are using this secret to ensure consistency.

---

Let me try one final verification to get the complete context of the services.

---

The National Registry B2C client secret configuration is consistent across environments

Based on the verification results:

• The secret is properly configured in all environments (dev, staging, prod)
• The secret path /k8s/api/NATIONAL_REGISTRY_B2C_CLIENT_SECRET is consistent across islandis services
• Identity Server uses a different path /k8s/services-auth/NATIONAL_REGISTRY_B2C_CLIENT_SECRET which is expected as it's a separate application
• The secret is referenced in the config file nationalRegistryV3.config.ts where it's used

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify consistent usage of National Registry B2C secret across services
# that have the related environment variables configured.

# Test: Find all services that use National Registry B2C and verify they have the secret configured
rg -l "NATIONAL_REGISTRY_B2C_CLIENT_ID" | while read -r file; do
  echo "Checking $file for B2C secret..."
  rg "NATIONAL_REGISTRY_B2C_CLIENT_SECRET" "$file"
done

Length of output: 4174

---

Script:

#!/bin/bash
# Get the context of NATIONAL_REGISTRY_B2C_CLIENT_SECRET usage in values files
# to see which services are configuring it

rg -B 5 "NATIONAL_REGISTRY_B2C_CLIENT_SECRET" "charts/islandis/values.prod.yaml" | grep -E "name:|NATIONAL_REGISTRY_B2C"

Length of output: 734

---

Script:

#!/bin/bash
# Get more context around the secret usage to identify services
rg -B 10 "NATIONAL_REGISTRY_B2C_CLIENT_SECRET" "charts/islandis/values.prod.yaml" | grep -E "name:|NATIONAL_REGISTRY_B2C|application-system-api"

Length of output: 857

charts/islandis/values.dev.yaml (2)

799-799: LGTM: National Registry B2C client secret addition

The secret addition follows the correct pattern for AWS Parameter Store integration and matches the PR objective.

---

Line range hint 1-1000: Verify consistent secret configuration across services

Let's verify that all services using National Registry B2C have consistent configuration.

✅ Verification successful

Based on the search results, I can see that all services using the National Registry B2C client ID also have the corresponding client secret properly configured in their secrets section. The client secret is consistently referenced from /k8s/api/NATIONAL_REGISTRY_B2C_CLIENT_SECRET for most services, with identity-server using its own path /k8s/services-auth/NATIONAL_REGISTRY_B2C_CLIENT_SECRET.

Secret configuration is consistent across services

The configuration shows proper secret management practices:

• Each service that uses B2C client ID has corresponding secret configured
• Secret paths are consistently defined
• Environment-specific values are properly separated

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check if all services with B2C client ID also have the secret configured

echo "Services with B2C client ID configuration:"
rg "NATIONAL_REGISTRY_B2C_CLIENT_ID" -B 2 -A 2

echo -e "\nServices with B2C client secret configuration:"
rg "NATIONAL_REGISTRY_B2C_CLIENT_SECRET" -B 2 -A 2

Length of output: 32665

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 36.54%. Comparing base (1d99e3f) to head (de173f4).
Report is 1 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #16782      +/-   ##
==========================================
- Coverage   36.54%   36.54%   -0.01%     
==========================================
  Files        6892     6892              
  Lines      143811   143811              
  Branches    40986    40986              
==========================================
- Hits        52562    52561       -1     
- Misses      91249    91250       +1     

Flag	Coverage Δ
air-discount-scheme-backend	54.04% <ø> (ø)
air-discount-scheme-web	0.00% <ø> (ø)
api	3.35% <ø> (ø)
api-catalogue-services	77.85% <ø> (ø)
api-domains-air-discount-scheme	36.99% <ø> (ø)
api-domains-assets	26.71% <ø> (ø)
api-domains-auth-admin	48.48% <ø> (ø)
api-domains-communications	39.79% <ø> (ø)
api-domains-criminal-record	47.44% <ø> (ø)
api-domains-driving-license	44.46% <ø> (ø)
api-domains-education	31.24% <ø> (ø)
api-domains-health-insurance	34.28% <ø> (ø)
api-domains-mortgage-certificate	34.65% <ø> (ø)
api-domains-payment-schedule	41.22% <ø> (ø)
application-api-files	56.54% <ø> (ø)
application-core	71.06% <ø> (+0.39%)	⬆️
application-system-api	41.11% <ø> (ø)
application-template-api-modules	27.68% <ø> (+0.01%)	⬆️
application-templates-accident-notification	28.98% <ø> (ø)
application-templates-car-recycling	3.12% <ø> (ø)
application-templates-criminal-record	25.87% <ø> (ø)
application-templates-driving-license	18.26% <ø> (ø)
application-templates-estate	12.17% <ø> (ø)
application-templates-example-payment	24.80% <ø> (ø)
application-templates-financial-aid	15.48% <ø> (ø)
application-templates-general-petition	23.07% <ø> (ø)
application-templates-inheritance-report	6.52% <ø> (ø)
application-templates-marriage-conditions	15.04% <ø> (ø)
application-templates-mortgage-certificate	43.22% <ø> (ø)
application-templates-parental-leave	29.83% <ø> (ø)
application-types	6.60% <ø> (ø)
application-ui-components	1.27% <ø> (ø)
application-ui-shell	20.80% <ø> (ø)
auth-admin-web	2.43% <ø> (ø)
auth-nest-tools	30.20% <ø> (ø)
auth-react	21.92% <ø> (ø)
auth-shared	75.00% <ø> (ø)
clients-charge-fjs-v2	24.11% <ø> (ø)
clients-driving-license	40.16% <ø> (ø)
clients-driving-license-book	43.41% <ø> (ø)
clients-financial-statements-inao	48.94% <ø> (ø)
clients-license-client	1.26% <ø> (ø)
clients-middlewares	73.22% <ø> (ø)
clients-regulations	42.23% <ø> (ø)
clients-rsk-company-registry	29.76% <ø> (ø)
clients-rsk-personal-tax-return	38.00% <ø> (ø)
clients-smartsolutions	12.77% <ø> (ø)
clients-syslumenn	49.17% <ø> (ø)
clients-zendesk	50.24% <ø> (ø)
cms	0.42% <ø> (ø)
cms-translations	38.89% <ø> (ø)
content-search-index-manager	95.65% <ø> (ø)
content-search-toolkit	8.14% <ø> (ø)
contentful-apps	4.69% <ø> (ø)
dokobit-signing	62.50% <ø> (ø)
download-service	44.24% <ø> (ø)
email-service	60.33% <ø> (ø)
feature-flags	90.40% <ø> (ø)
file-storage	52.53% <ø> (ø)
financial-aid-backend	51.25% <ø> (ø)
financial-aid-shared	17.81% <ø> (ø)
icelandic-names-registry-backend	54.34% <ø> (ø)
infra-nest-server	48.37% <ø> (ø)
infra-tracing	43.24% <ø> (ø)
island-ui-core	28.94% <ø> (ø)
judicial-system-api	19.62% <ø> (ø)
judicial-system-audit-trail	68.61% <ø> (ø)
judicial-system-backend	55.18% <ø> (ø)
judicial-system-formatters	79.97% <ø> (ø)
judicial-system-message	66.79% <ø> (ø)
judicial-system-message-handler	47.71% <ø> (ø)
judicial-system-scheduler	70.45% <ø> (ø)
judicial-system-types	43.99% <ø> (ø)
judicial-system-web	27.55% <ø> (ø)
license-api	42.64% <ø> (ø)
localization	10.15% <ø> (ø)
logging	48.43% <ø> (ø)
message-queue	67.80% <ø> (-0.79%)	⬇️
nest-audit	68.20% <ø> (ø)
nest-aws	61.15% <ø> (ø)
nest-config	77.81% <ø> (ø)
nest-core	43.54% <ø> (ø)
nest-feature-flags	50.90% <ø> (+0.64%)	⬆️
nest-problem	45.82% <ø> (ø)
nest-sequelize	94.44% <ø> (ø)
nest-swagger	51.71% <ø> (ø)
nova-sms	61.80% <ø> (ø)
portals-admin-regulations-admin	1.85% <ø> (ø)
portals-core	15.95% <ø> (ø)
reference-backend	49.74% <ø> (ø)
regulations	16.78% <ø> (ø)
residence-history	85.00% <ø> (ø)
services-auth-admin-api	52.46% <ø> (ø)
services-auth-delegation-api	58.26% <ø> (+0.06%)	⬆️
services-auth-ids-api	52.07% <ø> (+0.01%)	⬆️
services-auth-personal-representative	45.52% <ø> (-0.04%)	⬇️
services-auth-personal-representative-public	41.66% <ø> (-0.06%)	⬇️
services-auth-public-api	49.56% <ø> (ø)
services-documents	60.81% <ø> (ø)
services-endorsements-api	53.59% <ø> (ø)
services-sessions	65.38% <ø> (+0.04%)	⬆️
services-university-gateway	49.38% <ø> (+0.08%)	⬆️
services-user-notification	46.84% <ø> (ø)
services-user-profile	61.83% <ø> (ø)
shared-components	26.95% <ø> (ø)
shared-form-fields	31.35% <ø> (ø)
shared-mocking	60.89% <ø> (ø)
shared-pii	92.85% <ø> (ø)
shared-problem	87.50% <ø> (ø)
shared-utils	27.69% <ø> (ø)
skilavottord-ws	24.14% <ø> (ø)
testing-e2e	66.66% <ø> (ø)
web	1.80% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

see 2 files with indirect coverage changes

---

Continue to review full report in Codecov by Sentry.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 1d99e3f...de173f4. Read the comment docs.

[datadog-island-is]

Datadog Report

All test runs ca5dc81 🔗

✅ 101 Total Test Services: 0 Failed, 98 Passed
🔻 Test Sessions change in coverage: 3 decreased, 3 increased, 194 no change

Test Services

This report shows up to 10 services

Service Name	Failed	Known Flaky	New Flaky	Passed	Skipped	Total Time	Code Coverage Change	Test Service View
air-discount-scheme-backend	0	0	0	82	0	31.73s	N/A	Link
air-discount-scheme-web	0	0	0	2	0	7.02s	N/A	Link
api	0	0	0	4	0	2.43s	N/A	Link
api-catalogue-services	0	0	0	23	0	9.13s	N/A	Link
api-domains-air-discount-scheme	0	0	0	6	0	16.02s	N/A	Link
api-domains-assets	0	0	0	3	0	9.51s	N/A	Link
api-domains-auth-admin	0	0	0	18	0	10.09s	N/A	Link
api-domains-communications	0	0	0	5	0	28.55s	N/A	Link
api-domains-criminal-record	0	0	0	5	0	8.24s	N/A	Link
api-domains-driving-license	0	0	0	23	0	28.38s	N/A	Link

🔻 Code Coverage Decreases vs Default Branch (3)

• message-queue - jest 68.26% (-0.9%) - Details
• services-auth-personal-representative-public - jest 40.99% (-0.03%) - Details
• services-auth-personal-representative - jest 44.23% (-0.01%) - Details