diff --git a/Makefile b/Makefile
index 903a8dff4..5e1bf623a 100644
--- a/Makefile
+++ b/Makefile
@@ -361,3 +361,37 @@ tilt-up: ## start tilt - k8s local development
 release: ## helper for release and deployment
 python scripts/release.py
 .PHONY: release
+
+install-secret: ## install the kubernetes secrets from Vaultwarden
+ if kubectl -n desk get secrets bitwarden-cli-desk; then \
+ echo "Secret already present"; \
+ else \
+ echo "Please provide the following information:"; \
+ read -p "Enter your vaultwarden email login: " LOGIN; \
+ read -p "Enter your vaultwarden password: " PASSWORD; \
+ read -p "Enter your vaultwarden server url: " URL; \
+ echo "\nCreate vaultwarden secret"; \
+ echo "apiVersion: v1" > /tmp/secret.yaml; \
+ echo "kind: Secret" >> /tmp/secret.yaml; \
+ echo "metadata:" >> /tmp/secret.yaml; \
+ echo " name: bitwarden-cli-desk" >> /tmp/secret.yaml; \
+ echo " namespace: desk" >> /tmp/secret.yaml; \
+ echo "type: Opaque" >> /tmp/secret.yaml; \
+ echo "stringData:" >> /tmp/secret.yaml; \
+ echo " BW_HOST: $$URL" >> /tmp/secret.yaml; \
+ echo " BW_PASSWORD: $$PASSWORD" >> /tmp/secret.yaml; \
+ echo " BW_USERNAME: $$LOGIN" >> /tmp/secret.yaml; \
+ kubectl -n desk apply -f /tmp/secret.yaml;\
+ rm -f /tmp/secret.yaml; \
+ fi; \
+ if kubectl get ns external-secrets; then \
+ echo "External secret already deployed"; \
+ else \
+ helm repo add external-secrets https://charts.external-secrets.io; \
+ helm upgrade --install external-secrets \
+ external-secrets/external-secrets \
+ -n external-secrets \
+ --create-namespace \
+ --set installCRDs=true; \
+ fi
+.PHONY: build-k8s-cluster
diff --git a/bin/Tiltfile b/bin/Tiltfile
index 0f62e3cf6..abef0b992 100644
--- a/bin/Tiltfile
+++ b/bin/Tiltfile
@@ -29,7 +29,7 @@ docker_build(
 ]
 )
 
-k8s_yaml(local('cd ../src/helm && helmfile -n desk -e dev template .'))
+k8s_yaml(local('cd ../src/helm && helmfile -n desk -e ${DEV_ENV:-dev} template .'))
 
 migration = '''
 set -eu
diff --git a/bin/start-kind.sh b/bin/start-kind.sh index 9ff239cc6..dcf50feec 100755 --- a/bin/start-kind.sh +++ b/bin/start-kind.sh @@ -1,102 +1,3 @@ -#!/bin/sh -set -o errexit +#!/usr/bin/env bash -CURRENT_DIR=$(pwd) - -# 0. Create ca -echo "0. Create ca" -mkcert -install -cd /tmp -mkcert "127.0.0.1.nip.io" "*.127.0.0.1.nip.io" -cd $CURRENT_DIR - -# 1. Create registry container unless it already exists -echo "1. Create registry container unless it already exists" -reg_name='kind-registry' -reg_port='5001' -if [ "$(docker inspect -f '{{.State.Running}}' "${reg_name}" 2>/dev/null || true)" != 'true' ]; then - docker run \ - -d --restart=always -p "127.0.0.1:${reg_port}:5000" --network bridge --name "${reg_name}" \ - registry:2 -fi - -# 2. Create kind cluster with containerd registry config dir enabled -echo "2. Create kind cluster with containerd registry config dir enabled" -# TODO: kind will eventually enable this by default and this patch will -# be unnecessary. -# -# See: -# https://github.com/kubernetes-sigs/kind/issues/2875 -# https://github.com/containerd/containerd/blob/main/docs/cri/config.md#registry-configuration -# See: https://github.com/containerd/containerd/blob/main/docs/hosts.md -cat <$PRE_COMMIT_FILE -#!/bin/bash +#!/usr/bin/env bash # directories containing potential secrets DIRS="." diff --git a/src/helm/desk/README.md b/src/helm/desk/README.md index 2ece71eff..9e4b6f3ac 100644 --- a/src/helm/desk/README.md +++ b/src/helm/desk/README.md 
@@ -35,49 +35,52 @@ ### backend -| Name | Description | Value | -| ----------------------------------------------------- | ---------------------------------------------------------------------------------- | ----------------------------------------------- | -| `backend.command` | Override the backend container command | `[]` | -| `backend.args` | Override the backend container args | `[]` | -| `backend.replicas` | Amount of backend replicas | `3` | -| `backend.shareProcessNamespace` | Enable share process namespace between containers | `false` | -| `backend.sidecars` | Add sidecars containers to backend deployment | `[]` | -| `backend.securityContext` | Configure backend Pod security context | `nil` | -| `backend.envVars` | Configure backend container environment variables | `undefined` | -| `backend.envVars.BY_VALUE` | Example environment variable by setting value directly | | -| `backend.envVars.FROM_CONFIGMAP.configMapKeyRef.name` | Name of a ConfigMap when configuring env vars from a ConfigMap | | -| `backend.envVars.FROM_CONFIGMAP.configMapKeyRef.key` | Key within a ConfigMap when configuring env vars from a ConfigMap | | -| `backend.envVars.FROM_SECRET.secretKeyRef.name` | Name of a Secret when configuring env vars from a Secret | | -| `backend.envVars.FROM_SECRET.secretKeyRef.key` | Key within a Secret when configuring env vars from a Secret | | -| `backend.podAnnotations` | Annotations to add to the backend Pod | `{}` | -| `backend.service.type` | backend Service type | `ClusterIP` | -| `backend.service.port` | backend Service listening port | `80` | -| `backend.service.targetPort` | backend container listening port | `8000` | -| `backend.service.annotations` | Annotations to add to the backend Service | `{}` | -| `backend.migrate.command` | backend migrate command | `["python","manage.py","migrate","--no-input"]` | -| `backend.migrate.restartPolicy` | backend migrate job restart policy | `Never` | -| `backend.probes.liveness.path` | Configure path for 
backend HTTP liveness probe | `/__heartbeat__` | -| `backend.probes.liveness.targetPort` | Configure port for backend HTTP liveness probe | `undefined` | -| `backend.probes.liveness.initialDelaySeconds` | Configure initial delay for backend liveness probe | `10` | -| `backend.probes.liveness.initialDelaySeconds` | Configure timeout for backend liveness probe | `10` | -| `backend.probes.startup.path` | Configure path for backend HTTP startup probe | `undefined` | -| `backend.probes.startup.targetPort` | Configure port for backend HTTP startup probe | `undefined` | -| `backend.probes.startup.initialDelaySeconds` | Configure initial delay for backend startup probe | `undefined` | -| `backend.probes.startup.initialDelaySeconds` | Configure timeout for backend startup probe | `undefined` | -| `backend.probes.readiness.path` | Configure path for backend HTTP readiness probe | `/__lbheartbeat__` | -| `backend.probes.readiness.targetPort` | Configure port for backend HTTP readiness probe | `undefined` | -| `backend.probes.readiness.initialDelaySeconds` | Configure initial delay for backend readiness probe | `10` | -| `backend.probes.readiness.initialDelaySeconds` | Configure timeout for backend readiness probe | `10` | -| `backend.resources` | Resource requirements for the backend container | `{}` | -| `backend.nodeSelector` | Node selector for the backend Pod | `{}` | -| `backend.tolerations` | Tolerations for the backend Pod | `[]` | -| `backend.affinity` | Affinity for the backend Pod | `{}` | -| `backend.persistence` | Additional volumes to create and mount on the backend. Used for debugging purposes | `{}` | -| `backend.persistence.volume-name.size` | Size of the additional volume | | -| `backend.persistence.volume-name.type` | Type of the additional volume, persistentVolumeClaim or emptyDir | | -| `backend.persistence.volume-name.mountPath` | Path where the volume should be mounted to | | -| `backend.extraVolumeMounts` | Additional volumes to mount on the backend. 
| `[]` | -| `backend.extraVolumes` | Additional volumes to mount on the backend. | `[]` | +| Name | Description | Value | +| ----------------------------------------------------- | ---------------------------------------------------------------------------------- | -------------------------------------------------------------------------------- | +| `backend.dpAnnotations` | Annotations to add to the backend Deployment | `{}` | +| `backend.command` | Override the backend container command | `[]` | +| `backend.args` | Override the backend container args | `[]` | +| `backend.replicas` | Amount of backend replicas | `3` | +| `backend.shareProcessNamespace` | Enable share process namespace between containers | `false` | +| `backend.sidecars` | Add sidecars containers to backend deployment | `[]` | +| `backend.migrateJobAnnotations` | Annotations for the migrate job | `{}` | +| `backend.securityContext` | Configure backend Pod security context | `nil` | +| `backend.envVars` | Configure backend container environment variables | `undefined` | +| `backend.envVars.BY_VALUE` | Example environment variable by setting value directly | | +| `backend.envVars.FROM_CONFIGMAP.configMapKeyRef.name` | Name of a ConfigMap when configuring env vars from a ConfigMap | | +| `backend.envVars.FROM_CONFIGMAP.configMapKeyRef.key` | Key within a ConfigMap when configuring env vars from a ConfigMap | | +| `backend.envVars.FROM_SECRET.secretKeyRef.name` | Name of a Secret when configuring env vars from a Secret | | +| `backend.envVars.FROM_SECRET.secretKeyRef.key` | Key within a Secret when configuring env vars from a Secret | | +| `backend.podAnnotations` | Annotations to add to the backend Pod | `{}` | +| `backend.service.type` | backend Service type | `ClusterIP` | +| `backend.service.port` | backend Service listening port | `80` | +| `backend.service.targetPort` | backend container listening port | `8000` | +| `backend.service.annotations` | Annotations to add to the backend Service | `{}` 
| +| `backend.migrate.command` | backend migrate command | `["python","manage.py","migrate","--no-input"]` | +| `backend.migrate.restartPolicy` | backend migrate job restart policy | `Never` | +| `backend.probes.liveness.path` | Configure path for backend HTTP liveness probe | `/__heartbeat__` | +| `backend.probes.liveness.targetPort` | Configure port for backend HTTP liveness probe | `undefined` | +| `backend.probes.liveness.initialDelaySeconds` | Configure initial delay for backend liveness probe | `10` | +| `backend.probes.liveness.initialDelaySeconds` | Configure timeout for backend liveness probe | `10` | +| `backend.probes.startup.path` | Configure path for backend HTTP startup probe | `undefined` | +| `backend.probes.startup.targetPort` | Configure port for backend HTTP startup probe | `undefined` | +| `backend.probes.startup.initialDelaySeconds` | Configure initial delay for backend startup probe | `undefined` | +| `backend.probes.startup.initialDelaySeconds` | Configure timeout for backend startup probe | `undefined` | +| `backend.probes.readiness.path` | Configure path for backend HTTP readiness probe | `/__lbheartbeat__` | +| `backend.probes.readiness.targetPort` | Configure port for backend HTTP readiness probe | `undefined` | +| `backend.probes.readiness.initialDelaySeconds` | Configure initial delay for backend readiness probe | `10` | +| `backend.probes.readiness.initialDelaySeconds` | Configure timeout for backend readiness probe | `10` | +| `backend.resources` | Resource requirements for the backend container | `{}` | +| `backend.nodeSelector` | Node selector for the backend Pod | `{}` | +| `backend.tolerations` | Tolerations for the backend Pod | `[]` | +| `backend.affinity` | Affinity for the backend Pod | `{}` | +| `backend.persistence` | Additional volumes to create and mount on the backend. 
Used for debugging purposes | `{}` | +| `backend.persistence.volume-name.size` | Size of the additional volume | | +| `backend.persistence.volume-name.type` | Type of the additional volume, persistentVolumeClaim or emptyDir | | +| `backend.persistence.volume-name.mountPath` | Path where the volume should be mounted to | | +| `backend.extraVolumeMounts` | Additional volumes to mount on the backend. | `[]` | +| `backend.extraVolumes` | Additional volumes to mount on the backend. | `[]` | +| `backend.createsuperuser.command` | The command to create the django super user | `python manage.py createsuperuser --username admin@example.com --password admin` | ### frontend @@ -86,6 +89,7 @@ | `frontend.image.repository` | Repository to use to pull desk's frontend container image | `lasuite/people-frontend` | | `frontend.image.tag` | desk's frontend container tag | `latest` | | `frontend.image.pullPolicy` | frontend container image pull policy | `IfNotPresent` | +| `frontend.dpAnnotations` | Annotations to add to the frontend Deployment | `{}` | | `frontend.command` | Override the frontend container command | `[]` | | `frontend.args` | Override the frontend container args | `[]` | | `frontend.replicas` | Amount of frontend replicas | `3` | diff --git a/src/helm/desk/generate-readme.sh b/src/helm/desk/generate-readme.sh index edbd28063..cc689ba9d 100755 --- a/src/helm/desk/generate-readme.sh +++ b/src/helm/desk/generate-readme.sh 
@@ -1,10 +1,10 @@ -#!/bin/bash +#!/usr/bin/env bash docker image ls | grep readme-generator-for-helm if [ "$?" -ne "0" ]; then - git clone https://github.com/bitnami/readme-generator-for-helm.git /tmp/readme-generator-for-helm - cd /tmp/readme-generator-for-helm - docker build -t readme-generator-for-helm:latest . - cd $(dirname -- "${BASH_SOURCE[0]}") + git clone https://github.com/bitnami/readme-generator-for-helm.git /tmp/readme-generator-for-helm + cd /tmp/readme-generator-for-helm + docker build -t readme-generator-for-helm:latest . + cd $(dirname -- "${BASH_SOURCE[0]}") fi -docker run --rm -it -v ./values.yaml:/app/values.yaml -v ./README.md:/app/README.md readme-generator-for-helm:latest readme-generator -v values.yaml -r README.md +docker run --rm -it -v .:/source -w /source readme-generator-for-helm:latest readme-generator -v values.yaml -r README.md diff --git a/src/helm/desk/templates/backend_deployment.yaml b/src/helm/desk/templates/backend_deployment.yaml index ddc88f2b0..9fdbabe49 100644 --- a/src/helm/desk/templates/backend_deployment.yaml +++ b/src/helm/desk/templates/backend_deployment.yaml @@ -5,6 +5,10 @@ apiVersion: apps/v1 kind: Deployment metadata: name: {{ $fullName }} + annotations: + {{- with .Values.backend.dpAnnotations }} + {{- toYaml . | nindent 4 }} + {{- end }} namespace: {{ .Release.Namespace | quote }} labels: {{- include "desk.common.labels" (list . $component) | nindent 4 }} diff --git a/src/helm/desk/templates/frontend_deployment.yaml b/src/helm/desk/templates/frontend_deployment.yaml index 9bea804b7..0ba61f6b8 100644 --- a/src/helm/desk/templates/frontend_deployment.yaml +++ b/src/helm/desk/templates/frontend_deployment.yaml @@ -5,6 +5,10 @@ apiVersion: apps/v1 kind: Deployment metadata: name: {{ $fullName }} + annotations: + {{- with .Values.frontend.dpAnnotations }} + {{- toYaml . | nindent 4 }} + {{- end }} namespace: {{ .Release.Namespace | quote }} labels: {{- include "desk.common.labels" (list . $component) | nindent 4 }} 
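Review bot: `git clone https://github.com/bitnami/readme-generator-for-helm.git /tmp/readme-generator-for-helm` fetches whatever sits on the upstream default branch at run time, builds it into a local image, and the new `docker run` line then mounts the whole chart directory writable into that image (`-v .:/source -w /source`), so a changed or compromised upstream revision gets write access to the chart sources; pin the clone to a tag or commit, e.g. `git clone --depth 1 --branch <pinned-tag> https://github.com/bitnami/readme-generator-for-helm.git /tmp/readme-generator-for-helm`, and consider `:ro` on everything except README.md. The unquoted `cd $(dirname -- "${BASH_SOURCE[0]}")` breaks on paths containing spaces; `cd "$(dirname -- "${BASH_SOURCE[0]}")"`. Since the script has no `set -e`, a failed clone (for instance a leftover `/tmp/readme-generator-for-helm` from an earlier run) silently falls through to building whatever is already in that directory.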
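Review bot: `annotations:` is emitted unconditionally while only its contents sit inside `{{- with .Values.backend.dpAnnotations }}`, so with the chart default `dpAnnotations: {}` every rendered Deployment carries an empty `annotations:` key (a YAML null); the API server accepts it, but it can show up as a perpetual diff in tooling that compares rendered manifests. Move the key inside the conditional: `{{- with .Values.backend.dpAnnotations }}` / `annotations:` / `{{- toYaml . | nindent 4 }}`, then `{{- end }}`. The frontend_deployment.yaml hunk in the same commit has the identical shape and needs the same change.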
diff --git a/src/helm/desk/templates/secrets.yaml b/src/helm/desk/templates/secrets.yaml deleted file mode 100644 index 1c9f9c6f3..000000000 --- a/src/helm/desk/templates/secrets.yaml +++ /dev/null @@ -1,30 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: backend - namespace: {{ .Release.Namespace | quote }} - annotations: - "helm.sh/hook": pre-install,pre-upgrade - "helm.sh/hook-weight": "-5" - "helm.sh/hook-delete-policy": before-hook-creation -stringData: - DJANGO_SUPERUSER_EMAIL: {{ .Values.djangoSuperUserEmail }} - DJANGO_SUPERUSER_PASSWORD: {{ .Values.djangoSuperUserPass }} - DJANGO_SECRET_KEY: {{ .Values.djangoSecretKey }} - OIDC_RP_CLIENT_ID: {{ .Values.oidc.clientId }} - OIDC_RP_CLIENT_SECRET: {{ .Values.oidc.clientSecret }} -{{- if .Values.resourceServer }} - OIDC_RS_CLIENT_ID: {{ .Values.resourceServer.clientId }} - OIDC_RS_CLIENT_SECRET: {{ .Values.resourceServer.clientSecret }} - OIDC_RS_PRIVATE_KEY_STR: | -{{ .Values.resourceServer.privateKey | indent 4 }} -{{- end }} -{{- if .Values.mail_provisioning_api_credentials }} - MAIL_PROVISIONING_API_CREDENTIALS: {{ .Values.mail_provisioning_api_credentials }} -{{- end }} -{{- if .Values.djangoEmailHostUser }} - DJANGO_EMAIL_HOST_USER: {{ .Values.djangoEmailHostUser }} -{{- end }} -{{- if .Values.djangoEmailHostPassword }} - DJANGO_EMAIL_HOST_PASSWORD: {{ .Values.djangoEmailHostPassword }} -{{- end }} diff --git a/src/helm/desk/values.yaml b/src/helm/desk/values.yaml index ab76642d7..8def21810 100644 --- a/src/helm/desk/values.yaml +++ b/src/helm/desk/values.yaml @@ -72,6 +72,8 @@ ingressAdmin: ## @section backend backend: + ## @param backend.dpAnnotations Annotations to add to the backend Deployment + dpAnnotations: {} ## @param backend.command Override the backend container command command: [] 
@@ -117,8 +119,8 @@ backend: targetPort: 8000 annotations: {} - ## @param backend.migrate.command backend migrate command - ## @param backend.migrate.restartPolicy backend migrate job restart policy + ## @param backend.migrate.command backend migrate command + ## @param backend.migrate.restartPolicy backend migrate job restart policy migrate: command: - "python" @@ -171,9 +173,11 @@ backend: ## @param backend.extraVolumes Additional volumes to mount on the backend. extraVolumes: [] + ## @param backend.createsuperuser.command The command to create the django super user + createsuperuser: + command: python manage.py createsuperuser --username admin@example.com --password admin ## @section frontend - frontend: ## @param frontend.image.repository Repository to use to pull desk's frontend container image ## @param frontend.image.tag desk's frontend container tag @@ -183,6 +187,9 @@ frontend: pullPolicy: IfNotPresent tag: "latest" + ## @param frontend.dpAnnotations Annotations to add to the frontend Deployment + dpAnnotations: {} + ## @param frontend.command Override the frontend container command command: [] diff --git a/src/helm/env.d/dev-keycloak/values.desk.yaml.gotmpl b/src/helm/env.d/dev-keycloak/values.desk.yaml.gotmpl new file mode 100644 index 000000000..9da723d62 --- /dev/null +++ b/src/helm/env.d/dev-keycloak/values.desk.yaml.gotmpl 
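Review bot: The new chart default `createsuperuser.command: python manage.py createsuperuser --username admin@example.com --password admin` ships a working superuser credential in values.yaml, so any release that does not override it gets an admin account with the password `admin`; chart defaults should never carry a usable credential. Default instead to reading both values from the environment as the env files in this commit do, `command: ["/bin/sh", "-c", "python manage.py createsuperuser --username $DJANGO_SUPERUSER_EMAIL --password $DJANGO_SUPERUSER_PASSWORD"]`, and add a `## @param` note that both variables must be supplied. The default is also a plain string while every env file in this diff passes a list; whether the job template accepts both forms is not visible here.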
@@ -0,0 +1,104 @@ +image: + repository: localhost:5001/people-backend + pullPolicy: Always + tag: "latest" + +backend: + replicas: 1 + envVars: + DJANGO_CSRF_TRUSTED_ORIGINS: https://desk.127.0.0.1.nip.io,http://desk.127.0.0.1.nip.io + DJANGO_CONFIGURATION: Local + DJANGO_ALLOWED_HOSTS: "*" + DJANGO_SECRET_KEY: kkdsjfhkjhsfdkjhsd76kjhkjh + DJANGO_SETTINGS_MODULE: people.settings + DJANGO_SUPERUSER_PASSWORD: admin + DJANGO_SUPERUSER_EMAIL: admin@example.com + DJANGO_EMAIL_HOST_PASSWORD: changeme + DJANGO_EMAIL_HOST: "mailcatcher" + DJANGO_EMAIL_PORT: 1025 + DJANGO_EMAIL_USE_SSL: False + OIDC_RS_CLIENT_ID: changeme + OIDC_RS_CLIENT_SECRET: changeme + OIDC_RS_PRIVATE_KEY_STR: "lkj" + OIDC_OP_JWKS_ENDPOINT: https://keycloak.127.0.0.1.nip.io/realms/people/protocol/openid-connect/certs + OIDC_OP_AUTHORIZATION_ENDPOINT: https://keycloak.127.0.0.1.nip.io/realms/people/protocol/openid-connect/auth + OIDC_OP_TOKEN_ENDPOINT: https://keycloak.127.0.0.1.nip.io/realms/people/protocol/openid-connect/token + OIDC_OP_USER_ENDPOINT: https://keycloak.127.0.0.1.nip.io/realms/people/protocol/openid-connect/userinfo + OIDC_OP_LOGOUT_ENDPOINT: https://keycloak.127.0.0.1.nip.io/realms/people/protocol/openid-connect/logout + OIDC_ORGANIZATION_REGISTRATION_ID_FIELD: "siret" + OIDC_RP_CLIENT_ID: people + OIDC_RP_CLIENT_SECRET: ThisIsAnExampleKeyForDevPurposeOnly + OIDC_RP_SIGN_ALGO: RS256 + OIDC_RP_SCOPES: "openid email siret" + OIDC_REDIRECT_ALLOWED_HOSTS: https://desk.127.0.0.1.nip.io + OIDC_AUTH_REQUEST_EXTRA_PARAMS: "{'acr_values': 'eidas1'}" + ORGANIZATION_PLUGINS: "plugins.organizations.NameFromSiretOrganizationPlugin" + ORGANIZATION_REGISTRATION_ID_VALIDATORS: '[{"NAME": "django.core.validators.RegexValidator", "OPTIONS": {"regex": "^[0-9]{14}$"}}]' + LOGIN_REDIRECT_URL: https://desk.127.0.0.1.nip.io + LOGIN_REDIRECT_URL_FAILURE: https://desk.127.0.0.1.nip.io + LOGOUT_REDIRECT_URL: https://desk.127.0.0.1.nip.io + DB_HOST: postgres-postgresql + DB_NAME: people + DB_USER: dinum + 
DB_PASSWORD: pass + DB_PORT: 5432 + POSTGRES_DB: people + POSTGRES_USER: dinum + POSTGRES_PASSWORD: pass + REDIS_URL: redis://default:pass@redis-master:6379/1 + WEBMAIL_URL: "https://onestendev.yapasdewebmail.fr" + MAIL_PROVISIONING_API_URL: "http://dimail:8000" + MAIL_PROVISIONING_API_CREDENTIALS: changeme + SENTRY_DSN: "https://b72746c73d669421e7a8ccd3fab0fad2@sentry.incubateur.net/171" + command: + - "gunicorn" + - "-c" + - "/usr/local/etc/gunicorn/people.py" + - "people.wsgi:application" + - "--reload" + + createsuperuser: + command: + - "/bin/sh" + - "-c" + - python manage.py createsuperuser --username ${DJANGO_SUPERUSER_EMAIL} --password ${DJANGO_SUPERUSER_PASSWORD} || echo ok + restartPolicy: Never + + # Extra volume mounts to manage our local custom CA and avoid to set ssl_verify: false + extraVolumeMounts: + - name: certs + mountPath: /usr/local/lib/python3.12/site-packages/certifi/cacert.pem + subPath: cacert.pem + + # Exra volumes to manage our local custom CA and avoid to set ssl_verify: false + extraVolumes: + - name: certs + configMap: + name: certifi + items: + - key: cacert.pem + path: cacert.pem + +frontend: + envVars: + PORT: 8080 + NEXT_PUBLIC_API_ORIGIN: https://desk.127.0.0.1.nip.io + + replicas: 1 + command: + - yarn + - dev + + image: + repository: localhost:5001/people-frontend + pullPolicy: Always + tag: "latest" + +ingress: + enabled: true + host: desk.127.0.0.1.nip.io + +ingressAdmin: + enabled: true + host: desk.127.0.0.1.nip.io + diff --git a/src/helm/env.d/dev/secrets.enc.yaml b/src/helm/env.d/dev/secrets.enc.yaml deleted file mode 100644 index a65d395e4..000000000 --- a/src/helm/env.d/dev/secrets.enc.yaml +++ /dev/null 
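Review bot: `SENTRY_DSN` in this new local-development environment is the same DSN the deleted preprod and production values carried, so events from every developer's Keycloak sandbox would be reported into the shared Sentry project next to production traffic; set `SENTRY_DSN: ""` here or point it at a dedicated dev project. The rest of the file hard-codes throwaway credentials (`DJANGO_SECRET_KEY`, `DB_PASSWORD: pass`, `OIDC_RP_CLIENT_SECRET`, the non-key placeholder `OIDC_RS_PRIVATE_KEY_STR: "lkj"`) together with `DJANGO_ALLOWED_HOSTS: "*"`, which is defensible only for a 127.0.0.1.nip.io cluster; a header comment such as `# Local Keycloak dev environment only: every secret below is a placeholder and must not be copied to a shared environment` would make that contract explicit. The `|| echo ok` on the createsuperuser command also turns any failure of that Job (unreachable database, broken settings) into a success, not just the user-already-exists case.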
@@ -1,80 +0,0 @@ -djangoSecretKey: ENC[AES256_GCM,data:MeAsS1OoGaC1yKvK4jlsvtM/tnXdy3AiZItRafBIvHJzz2D1fQ2Ol85cX6cJ1H7XGRs=,iv:cV/H03WnCYiPgjvuQTUXuhsPd/mHforbI818lkv4Tcw=,tag:ofJ9+AA+aMxuAt03n2j6sQ==,type:str] -djangoSuperUserPass: ENC[AES256_GCM,data:CrUCj+w=,iv:VvCIQYDvhbIeWI2lJt6kw4hBxzERY4H9OOV6CkCxXg4=,tag:e6LLH8bBenG7ZlWutkiECQ==,type:str] -mail_provisioning_api_credentials: ENC[AES256_GCM,data:2iDJSkOV/muVZQ5ZrWyBB+uslzEj/4Yv,iv:awJgZ4wUl1xM19yTFooa1e/U91awm8xraZWEYI5ZIh4=,tag:/n64HEwNVO5f1XuoYBTI6g==,type:str] -oidc: - clientId: ENC[AES256_GCM,data:C7WWJAC02IZ47FVtHUoFMX/t9u9Ar1wU0xN54IR+TcVmNLR6,iv:GCu4unvxtV2sxxR+Jo9c39Zyo21utQPM4/iyk0OIFOE=,tag:qU5Vcfq9LRxffRJW/h1taA==,type:str] - clientSecret: ENC[AES256_GCM,data:0FttMuHtz3zciIoGZl+2ele2SR2IGSW12RXZuYMZtHZBT71jgN4v9cR9zKPvpbudqGvoF86doPfHWZvBCcx6zA==,iv:HyfUnSsWWTVEK4Pf7kgK0MtlZvQiy6cKODjCw0WDG4w=,tag:0NbQK6+SWB82ul89kmzRHA==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age15fyxdwmg5mvldtqqus87xspuws2u0cpvwheehrtvkexj4tnsqqysw6re2x - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBObklxN2hPUEd2bkZQSE1j - MWE0a1dJcVloOTcyOHNmcC84dytaZ0NXNVJFCkl2eGFLUTh3LzFIRzNRNUhMT2Ir - aWpxK2cvcVZXbUVTbFFUSFZnaGtuekEKLS0tIFJ2NnJMejZuYWFTbkFYNGYrSS9X - aUxCb21NTlpYQWdraTA0djBsRkVCbGcK8l3yr3Wsit1bjWrHahdY4bPdVjz76WHC - ESSR0ekaHw+7jXe8yhfalLrFTyN9aa5/wJOy51oNIh6i9J9qiGpt5A== - -----END AGE ENCRYPTED FILE----- - - recipient: age16hnlml8yv4ynwy0seer57g8qww075crd0g7nsundz3pj4wk7m3vqftszg7 - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyRldFY3lFUkJ6UmhVUkJ5 - ZmlQczJ2MklFSy9BVVV3K0UwWVpIOW5FYkc0CnI4WHNhTk1qa1BmOU16L0k2YzV5 - Z25tT244NnlibVdMcWRWNlFleG1FYlUKLS0tIGpMcktpQjcva29TWVJkWGRNL0Vi - RTZ2V2luMTdaUGU3a04xSU1aSFJ4WWsKqTKbwlTGmTc99D4Ud/ohQNWamGX9QR06 - jLLK2ySKP2EbBZxLe+3MZlufPPiESY8246pfdaymrdWZ1PS00TOdhA== - -----END AGE ENCRYPTED FILE----- - - recipient: 
age1plkp8td6zzfcavjusmsfrlk54t9vn8jjxm8zaz7cmnr7kzl2nfnsd54hwg - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaMTVWNHlXc0k2UUM4b3Q2 - VTNQSmYySXc3Y0tWUHU2czhVWWt4bldabFdrClg2TWRvbHZkYVpiMnF2U2tPYXJy - ZXNwQzBVcnBXMkxEMmNXeWFXWGNVb2sKLS0tIGduOWpSTkxCKzNXY2xtQS9rWGp2 - WTEyeDlRYlVtQTJ3N3RPMVpla0U3MTgK87FDs8GwhUGwgV5aLTWYAaVi+4QkWCmv - BG/RfGeYAm87FGGg/UUEPUCZgLnYPZwz/SzKfAZQlRP5s3POFRGpEg== - -----END AGE ENCRYPTED FILE----- - - recipient: age12g6f5fse25tgrwweleh4jls3qs52hey2edh759smulwmk5lnzadslu2cp3 - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmZHZCVlIwM2cyeVMzWUpR - ZlFPSmthdGF2MVNwOFpjSWJmV1ptV3BZVHo0Ckh3ckc1K013YkdxUzNsMEUwa0pw - SFdGR3lmTlpJRzRFVTRqRmc4SFlMMW8KLS0tIGxnSWhmWlpPelhlZTkwOXBrMDRT - U1JPK3Z6NzBxNFNWenEyYVJZRzF2T1kKyFhaWvQ2/ZttyBDshz6fmhd3cgL31rhO - 0EtPVQO5p7kDDyG2/TyrfR32C5/5+YNqS+Cggk31jon7blNvV3asVA== - -----END AGE ENCRYPTED FILE----- - - recipient: age1hnhuzj96ktkhpyygvmz0x9h8mfvssz7ss6emmukags644mdhf4msajk93r - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQUzVTRCtOWlBMOGwwMTNp - ZndVZVZ4bXlPUHJCeFVhRVVpKzlmWnNZS0N3CjdWOGRNQmZkM2tib29NK0NXT3pH - alNnVDhiUWlTUXJkc0ZRb3MyLzhjY3cKLS0tIENzRDllUVV0dkdyeVNoclUwc21Z - amd2TEttd25PN2NNY0RFclZISFBaUVkKGUYbTjt/cw7KzHeSNt9Kem+Xhy7zcxC+ - JPEliPnJiMuzoZNIoKq0Ta1aWaC9leN5k5JAbFOpqQTkcY+38V3Fpw== - -----END AGE ENCRYPTED FILE----- - - recipient: age1tl80n23wq6zxegupwn70ew0yp225ua5v4dk800x7g2w6pvlxz46qk592pa - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuWlkvaWNjdnFFTG44UkN6 - Q3RaeUk3T3N1RFlISm1HQzkwa3MzdmtQSGdJCmdwM241WmhpS2ZKWVFNSmE5MTRQ - c3FGeWFhZFpobjQ1SEV4OWR0ZDNLMWsKLS0tIGpqaU5jZ1NhakErd2JsZG53RDNv - SXdwdThDSnRrRktSMW9xckpsNDNKV1kKI+iCo2o87qVA9E2dtnmIu251Xg0KbgVF - /J/M1HQVnIEHxhQYSjXat0ZAZDs5B1YnZ+nUG3iJ8q1hOKp2O9xtIw== - -----END AGE ENCRYPTED FILE----- - - recipient: 
age1rjchule5sncn8r8gfph07muee6vzx4wqfrtldt5jjzke4vlfxy2qqplfvc - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoYUhBcjdGQTBTUWJ3cGgy - NXJHYnM5dXZHTzNzL1NWSitEYit3NWNhN2hjClErOGNFLzZ6VHVnaFRyZk05dFB4 - M29ybkduSE44Uk9BcGN0aVQ0TUxxUVkKLS0tIGtsUGhMdXdIQlZNKzJNRzNnWUhF - M2hQY3kraFNqbjU3SkIzcWdZeDZIWFkK7Z39fJzr7a7/Lk62hU9GUjQPeA6C4Jp7 - 3Nj8sGpGKbt83u2tNYTHtpNa2a6MFqKfccxRKxwYUf9DfPRhH5p9nQ== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-10-23T09:37:33Z" - mac: ENC[AES256_GCM,data:L6tN1Lx4FtDUty2OKHIS9KiaayX9mTwiXzBsrPP8rEM3Gs/Z/v4XMfiIylBs6m1XUwrOy7kFNUGfnu1d72nB4ukWZBHTmcE9wZ3U1AaEnjjMPdIlUtyaNxmAbw5/QprZcempMLd5750QjEUHqDTzmF2+yI+Jt0mRMQEAFYY/5b4=,iv:vyRwRl1minGkv3XJMORWaf5NwJXWGa8us/x/DAyRDrQ=,tag:zgKEgD7IH/b1x7LRzq2NXg==,type:str] - pgp: [] - unencrypted_suffix: _unencrypted - version: 3.9.0 diff --git a/src/helm/env.d/dev/values.desk.yaml.gotmpl b/src/helm/env.d/dev/values.desk.yaml.gotmpl index eaac1d125..c14fdbd9b 100644 --- a/src/helm/env.d/dev/values.desk.yaml.gotmpl +++ b/src/helm/env.d/dev/values.desk.yaml.gotmpl @@ -1,3 +1,19 @@ +secrets: + - name: oidcLogin + itemId: 753d95be-f0d0-44ff-b8b9-bdd905f2ae1d + field: username + podVariable: OIDC_RP_CLIENT_ID + clusterSecretStore: bitwarden-login-desk + - name: oidcPass + itemId: 753d95be-f0d0-44ff-b8b9-bdd905f2ae1d + field: password + podVariable: OIDC_RP_CLIENT_SECRET + clusterSecretStore: bitwarden-login-desk + - name: mail_provisioning_api_credentials + itemId: 2fcb5d3c-d037-4ec5-967d-3d15b261e2ab + field: password + podVariable: MAIL_PROVISIONING_API_CREDENTIALS + clusterSecretStore: bitwarden-login-desk image: repository: localhost:5001/people-backend pullPolicy: Always 
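Review bot: The new `secrets:` entries all reference `clusterSecretStore: bitwarden-login-desk`, but nothing in this diff creates that ClusterSecretStore or the ExternalSecret objects that would consume this list; the Makefile's `install-secret` target only creates the `bitwarden-cli-desk` Secret in the `desk` namespace and installs the external-secrets operator. If the store and the consuming template live elsewhere, a comment naming them would save the next reader a search, e.g. `# Consumed by the ExternalSecret template; bitwarden-login-desk is the ClusterSecretStore backed by the bitwarden-cli-desk Secret`. The `itemId` values are Vaultwarden item identifiers rather than secrets, so committing them is fine, but they tie this environment to one specific vault instance.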
@@ -9,15 +25,10 @@ backend: DJANGO_CSRF_TRUSTED_ORIGINS: https://desk.127.0.0.1.nip.io,http://desk.127.0.0.1.nip.io DJANGO_CONFIGURATION: Local DJANGO_ALLOWED_HOSTS: "*" - DJANGO_SECRET_KEY: - secretKeyRef: - name: backend - key: DJANGO_SECRET_KEY + DJANGO_SECRET_KEY: changeme DJANGO_SETTINGS_MODULE: people.settings - DJANGO_SUPERUSER_PASSWORD: - secretKeyRef: - name: backend - key: DJANGO_SUPERUSER_PASSWORD + DJANGO_SUPERUSER_EMAIL: admin@example.com + DJANGO_SUPERUSER_PASSWORD: admin DJANGO_EMAIL_HOST: "mailcatcher" DJANGO_EMAIL_PORT: 1025 DJANGO_EMAIL_USE_SSL: False @@ -71,7 +82,7 @@ backend: command: - "/bin/sh" - "-c" - - python manage.py createsuperuser --username admin@example.com --password admin + - python manage.py createsuperuser --username ${DJANGO_SUPERUSER_EMAIL} --password ${DJANGO_SUPERUSER_PASSWORD} || echo ok restartPolicy: Never frontend: diff --git a/src/helm/env.d/preprod/secrets.enc.yaml b/src/helm/env.d/preprod/secrets.enc.yaml deleted file mode 120000 index 7aac53461..000000000 --- a/src/helm/env.d/preprod/secrets.enc.yaml +++ /dev/null @@ -1 +0,0 @@ -../../../../secrets/numerique-gouv/people/env/preprod/secrets.enc.yaml \ No newline at end of file diff --git a/src/helm/env.d/preprod/values.desk.yaml.gotmpl b/src/helm/env.d/preprod/values.desk.yaml.gotmpl deleted file mode 100644 index fb71d0bfa..000000000 --- a/src/helm/env.d/preprod/values.desk.yaml.gotmpl +++ /dev/null 
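Review bot: `DJANGO_SECRET_KEY: changeme` and `DJANGO_SUPERUSER_PASSWORD: admin` replace what was previously a `secretKeyRef` into the `backend` Secret, so the dev environment now runs with a static, committed Django signing key; since the same commit introduces a Bitwarden-backed `secrets:` list for the OIDC and mail credentials, the secret key and superuser password could be sourced through it the same way instead of being hard-coded. This is a 127.0.0.1.nip.io environment, so the exposure is local, but `changeme` tends to survive copy-paste into other env files. The `|| echo ok` appended to the createsuperuser command makes the Job report success on every failure of `manage.py createsuperuser`, not only when the user already exists; at minimum a comment such as `# "|| echo ok": keep the Job green on re-runs when the superuser already exists (also hides real failures)` should record that trade-off.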
@@ -1,139 +0,0 @@ -image: - repository: lasuite/people-backend - pullPolicy: Always - tag: "v1.9.1" - -backend: - migrateJobAnnotations: - argocd.argoproj.io/hook: PreSync - argocd.argoproj.io/hook-delete-policy: HookSucceeded - envVars: - DJANGO_CSRF_TRUSTED_ORIGINS: https://desk-preprod.beta.numerique.gouv.fr - DJANGO_CONFIGURATION: PreProduction - DJANGO_ALLOWED_HOSTS: "*" - DJANGO_SECRET_KEY: - secretKeyRef: - name: backend - key: DJANGO_SECRET_KEY - DJANGO_SETTINGS_MODULE: people.settings - DJANGO_SUPERUSER_EMAIL: - secretKeyRef: - name: backend - key: DJANGO_SUPERUSER_EMAIL - DJANGO_SUPERUSER_PASSWORD: - secretKeyRef: - name: backend - key: DJANGO_SUPERUSER_PASSWORD - DJANGO_EMAIL_HOST: "smtp.tem.scw.cloud" - DJANGO_EMAIL_PORT: 587 - DJANGO_EMAIL_USE_TLS: True - DJANGO_EMAIL_FROM: "noreply@regie.beta.numerique.gouv.fr" - DJANGO_EMAIL_HOST_USER: - secretKeyRef: - name: backend - key: DJANGO_EMAIL_HOST_USER - DJANGO_EMAIL_HOST_PASSWORD: - secretKeyRef: - name: backend - key: DJANGO_EMAIL_HOST_PASSWORD - DJANGO_SILENCED_SYSTEM_CHECKS: security.W008,security.W004 - OIDC_OP_JWKS_ENDPOINT: https://fca.integ01.dev-agentconnect.fr/api/v2/jwks - OIDC_OP_AUTHORIZATION_ENDPOINT: https://fca.integ01.dev-agentconnect.fr/api/v2/authorize - OIDC_OP_TOKEN_ENDPOINT: https://fca.integ01.dev-agentconnect.fr/api/v2/token - OIDC_OP_USER_ENDPOINT: https://fca.integ01.dev-agentconnect.fr/api/v2/userinfo - OIDC_OP_LOGOUT_ENDPOINT: https://fca.integ01.dev-agentconnect.fr/api/v2/session/end - OIDC_ORGANIZATION_REGISTRATION_ID_FIELD: "siret" - OIDC_RP_CLIENT_ID: - secretKeyRef: - name: backend - key: OIDC_RP_CLIENT_ID - OIDC_RP_CLIENT_SECRET: - secretKeyRef: - name: backend - key: OIDC_RP_CLIENT_SECRET - OIDC_RP_SIGN_ALGO: RS256 - OIDC_RP_SCOPES: "openid email siret" - OIDC_REDIRECT_ALLOWED_HOSTS: https://desk-preprod.beta.numerique.gouv.fr - OIDC_AUTH_REQUEST_EXTRA_PARAMS: "{'acr_values': 'eidas1'}" - ORGANIZATION_PLUGINS: "plugins.organizations.NameFromSiretOrganizationPlugin" - 
ORGANIZATION_REGISTRATION_ID_VALIDATORS: '[{"NAME": "django.core.validators.RegexValidator", "OPTIONS": {"regex": "^[0-9]{14}$"}}]' - LOGIN_REDIRECT_URL: https://desk-preprod.beta.numerique.gouv.fr - LOGIN_REDIRECT_URL_FAILURE: https://desk-preprod.beta.numerique.gouv.fr - LOGOUT_REDIRECT_URL: https://desk-preprod.beta.numerique.gouv.fr - DB_HOST: - secretKeyRef: - name: postgresql.postgres.libre.sh - key: host - DB_NAME: - secretKeyRef: - name: postgresql.postgres.libre.sh - key: database - DB_USER: - secretKeyRef: - name: postgresql.postgres.libre.sh - key: username - DB_PASSWORD: - secretKeyRef: - name: postgresql.postgres.libre.sh - key: password - DB_PORT: - secretKeyRef: - name: postgresql.postgres.libre.sh - key: port - POSTGRES_USER: - secretKeyRef: - name: postgresql.postgres.libre.sh - key: username - POSTGRES_DB: - secretKeyRef: - name: postgresql.postgres.libre.sh - key: database - POSTGRES_PASSWORD: - secretKeyRef: - name: postgresql.postgres.libre.sh - key: password - REDIS_URL: - secretKeyRef: - name: redis.redis.libre.sh - key: url - WEBMAIL_URL: "https://webmail.test.ox.numerique.gouv.fr" - MAIL_PROVISIONING_API_URL: "https://api.ovhdev.dimail1.numerique.gouv.fr" - MAIL_PROVISIONING_API_CREDENTIALS: - secretKeyRef: - name: backend - key: MAIL_PROVISIONING_API_CREDENTIALS - FEATURE_TEAMS_DISPLAY: False - FEATURE_CONTACTS_DISPLAY: False - FEATURE_CONTACTS_CREATE: False - FEATURE_TEAMS_CREATE: False - FEATURE_MAILBOXES_CREATE: False - SENTRY_DSN: "https://b72746c73d669421e7a8ccd3fab0fad2@sentry.incubateur.net/171" - - createsuperuser: - command: - - "/bin/sh" - - "-c" - - python manage.py createsuperuser --username $DJANGO_SUPERUSER_EMAIL --password $DJANGO_SUPERUSER_PASSWORD - restartPolicy: Never - -frontend: - image: - repository: lasuite/people-frontend - pullPolicy: Always - tag: "v1.9.1" - -ingress: - enabled: true - host: desk-preprod.beta.numerique.gouv.fr - className: nginx - annotations: - cert-manager.io/cluster-issuer: letsencrypt-prod - 
-ingressAdmin: - enabled: true - host: desk-preprod.beta.numerique.gouv.fr - className: nginx - annotations: - cert-manager.io/cluster-issuer: letsencrypt-prod - nginx.ingress.kubernetes.io/auth-signin: https://oauth2-proxy-preprod.beta.numerique.gouv.fr/oauth2/start - nginx.ingress.kubernetes.io/auth-url: https://oauth2-proxy-preprod.beta.numerique.gouv.fr/oauth2/auth diff --git a/src/helm/env.d/production/secrets.enc.yaml b/src/helm/env.d/production/secrets.enc.yaml deleted file mode 120000 index 9118865fb..000000000 --- a/src/helm/env.d/production/secrets.enc.yaml +++ /dev/null @@ -1 +0,0 @@ -../../../../secrets/numerique-gouv/people/env/production/secrets.enc.yaml \ No newline at end of file diff --git a/src/helm/env.d/production/values.desk.yaml.gotmpl b/src/helm/env.d/production/values.desk.yaml.gotmpl deleted file mode 100644 index 54bd8c8a1..000000000 --- a/src/helm/env.d/production/values.desk.yaml.gotmpl +++ /dev/null 
@@ -1,141 +0,0 @@ -image: - repository: lasuite/people-backend - pullPolicy: Always - tag: "v1.9.1" - -backend: - migrateJobAnnotations: - argocd.argoproj.io/hook: PostSync - argocd.argoproj.io/hook-delete-policy: HookSucceeded - envVars: - DJANGO_ADMIN_HEADER_BACKGROUND: "#dc3545" - DJANGO_ADMIN_HEADER_COLOR: "#ffffff" - DJANGO_CSRF_TRUSTED_ORIGINS: https://regie.numerique.gouv.fr - DJANGO_CONFIGURATION: Production - DJANGO_ALLOWED_HOSTS: "*" - DJANGO_SECRET_KEY: - secretKeyRef: - name: backend - key: DJANGO_SECRET_KEY - DJANGO_SETTINGS_MODULE: people.settings - DJANGO_SUPERUSER_EMAIL: - secretKeyRef: - name: backend - key: DJANGO_SUPERUSER_EMAIL - DJANGO_SUPERUSER_PASSWORD: - secretKeyRef: - name: backend - key: DJANGO_SUPERUSER_PASSWORD - DJANGO_EMAIL_HOST: "smtp.tem.scw.cloud" - DJANGO_EMAIL_PORT: 587 - DJANGO_EMAIL_USE_TLS: True - DJANGO_EMAIL_FROM: "noreply@regie.beta.numerique.gouv.fr" - DJANGO_EMAIL_HOST_USER: - secretKeyRef: - name: backend - key: DJANGO_EMAIL_HOST_USER - DJANGO_EMAIL_HOST_PASSWORD: - secretKeyRef: - name: backend - key: DJANGO_EMAIL_HOST_PASSWORD - DJANGO_SILENCED_SYSTEM_CHECKS: security.W008,security.W004 - OIDC_OP_JWKS_ENDPOINT: https://auth.agentconnect.gouv.fr/api/v2/jwks - OIDC_OP_AUTHORIZATION_ENDPOINT: https://auth.agentconnect.gouv.fr/api/v2/authorize - OIDC_OP_TOKEN_ENDPOINT: https://auth.agentconnect.gouv.fr/api/v2/token - OIDC_OP_USER_ENDPOINT: https://auth.agentconnect.gouv.fr/api/v2/userinfo - OIDC_OP_LOGOUT_ENDPOINT: https://auth.agentconnect.gouv.fr/api/v2/session/end - ORGANIZATION_PLUGINS: "plugins.organizations.NameFromSiretOrganizationPlugin" - OIDC_ORGANIZATION_REGISTRATION_ID_FIELD: "siret" - OIDC_RP_CLIENT_ID: - secretKeyRef: - name: backend - key: OIDC_RP_CLIENT_ID - OIDC_RP_CLIENT_SECRET: - secretKeyRef: - name: backend - key: OIDC_RP_CLIENT_SECRET - OIDC_RP_SIGN_ALGO: RS256 - OIDC_RP_SCOPES: "openid email siret" - OIDC_REDIRECT_ALLOWED_HOSTS: https://regie.numerique.gouv.fr - OIDC_AUTH_REQUEST_EXTRA_PARAMS: 
"{'acr_values': 'eidas1'}" - ORGANIZATION_REGISTRATION_ID_VALIDATORS: '[{"NAME": "django.core.validators.RegexValidator", "OPTIONS": {"regex": "^[0-9]{14}$"}}]' - LOGIN_REDIRECT_URL: https://regie.numerique.gouv.fr - LOGIN_REDIRECT_URL_FAILURE: https://regie.numerique.gouv.fr - LOGOUT_REDIRECT_URL: https://regie.numerique.gouv.fr - DB_HOST: - secretKeyRef: - name: postgresql.postgres.libre.sh - key: host - DB_NAME: - secretKeyRef: - name: postgresql.postgres.libre.sh - key: database - DB_USER: - secretKeyRef: - name: postgresql.postgres.libre.sh - key: username - DB_PASSWORD: - secretKeyRef: - name: postgresql.postgres.libre.sh - key: password - DB_PORT: - secretKeyRef: - name: postgresql.postgres.libre.sh - key: port - POSTGRES_USER: - secretKeyRef: - name: postgresql.postgres.libre.sh - key: username - POSTGRES_DB: - secretKeyRef: - name: postgresql.postgres.libre.sh - key: database - POSTGRES_PASSWORD: - secretKeyRef: - name: postgresql.postgres.libre.sh - key: password - REDIS_URL: - secretKeyRef: - name: redis.redis.libre.sh - key: url - WEBMAIL_URL: "https://webmail.numerique.gouv.fr" - MAIL_PROVISIONING_API_URL: "https://api.ovhprod.dimail1.numerique.gouv.fr" - MAIL_PROVISIONING_API_CREDENTIALS: - secretKeyRef: - name: backend - key: MAIL_PROVISIONING_API_CREDENTIALS - FEATURE_TEAMS_DISPLAY: False - FEATURE_CONTACTS_DISPLAY: False - FEATURE_CONTACTS_CREATE: False - FEATURE_TEAMS_CREATE: False - FEATURE_MAILBOXES_CREATE: False - SENTRY_DSN: "https://b72746c73d669421e7a8ccd3fab0fad2@sentry.incubateur.net/171" - - createsuperuser: - command: - - "/bin/sh" - - "-c" - - python manage.py createsuperuser --username $DJANGO_SUPERUSER_EMAIL --password $DJANGO_SUPERUSER_PASSWORD - restartPolicy: Never - -frontend: - image: - repository: lasuite/people-frontend - pullPolicy: Always - tag: "v1.9.1" - -ingress: - enabled: true - host: regie.numerique.gouv.fr - className: nginx - annotations: - cert-manager.io/cluster-issuer: letsencrypt - -ingressAdmin: - enabled: true - 
host: regie.numerique.gouv.fr
- className: nginx
- annotations:
- cert-manager.io/cluster-issuer: letsencrypt
- nginx.ingress.kubernetes.io/auth-signin: https://oauth2-proxy.beta.numerique.gouv.fr/oauth2/start
- nginx.ingress.kubernetes.io/auth-url: https://oauth2-proxy.beta.numerique.gouv.fr/oauth2/auth
diff --git a/src/helm/env.d/staging/secrets.enc.yaml b/src/helm/env.d/staging/secrets.enc.yaml
deleted file mode 120000
index f1fdbedd8..000000000
--- a/src/helm/env.d/staging/secrets.enc.yaml
+++ /dev/null
@@ -1 +0,0 @@
-../../../../secrets/numerique-gouv/people/env/staging/secrets.enc.yaml
\ No newline at end of file
diff --git a/src/helm/env.d/staging/values.desk.yaml.gotmpl b/src/helm/env.d/staging/values.desk.yaml.gotmpl
deleted file mode 100644
index 1b5d52baf..000000000
--- a/src/helm/env.d/staging/values.desk.yaml.gotmpl
+++ /dev/null
@@ -1,150 +0,0 @@ -image: - repository: lasuite/people-backend - pullPolicy: Always - tag: "main" - -backend: - migrateJobAnnotations: - argocd.argoproj.io/hook: PreSync - argocd.argoproj.io/hook-delete-policy: HookSucceeded - envVars: - DJANGO_ADMIN_HEADER_BACKGROUND: "#0f5132" - DJANGO_ADMIN_HEADER_COLOR: "#ffffff" - DJANGO_CSRF_TRUSTED_ORIGINS: http://desk-staging.beta.numerique.gouv.fr,https://desk-staging.beta.numerique.gouv.fr - DJANGO_CONFIGURATION: Staging - DJANGO_ALLOWED_HOSTS: "*" - DJANGO_SECRET_KEY: - secretKeyRef: - name: backend - key: DJANGO_SECRET_KEY - DJANGO_SETTINGS_MODULE: people.settings - DJANGO_SUPERUSER_EMAIL: - secretKeyRef: - name: backend - key: DJANGO_SUPERUSER_EMAIL - DJANGO_SUPERUSER_PASSWORD: - secretKeyRef: - name: backend - key: DJANGO_SUPERUSER_PASSWORD - DJANGO_EMAIL_HOST: "smtp.tem.scw.cloud" - DJANGO_EMAIL_PORT: 587 - DJANGO_EMAIL_USE_TLS: True - DJANGO_EMAIL_FROM: "noreply@regie.beta.numerique.gouv.fr" - DJANGO_EMAIL_HOST_USER: - secretKeyRef: - name: backend - key: DJANGO_EMAIL_HOST_USER - DJANGO_EMAIL_HOST_PASSWORD: - secretKeyRef: - name: backend - key: DJANGO_EMAIL_HOST_PASSWORD - DJANGO_SILENCED_SYSTEM_CHECKS: security.W008,security.W004 - OIDC_OP_JWKS_ENDPOINT: https://fca.integ01.dev-agentconnect.fr/api/v2/jwks - OIDC_OP_AUTHORIZATION_ENDPOINT: https://fca.integ01.dev-agentconnect.fr/api/v2/authorize - OIDC_OP_TOKEN_ENDPOINT: https://fca.integ01.dev-agentconnect.fr/api/v2/token - OIDC_OP_USER_ENDPOINT: https://fca.integ01.dev-agentconnect.fr/api/v2/userinfo - OIDC_OP_LOGOUT_ENDPOINT: https://fca.integ01.dev-agentconnect.fr/api/v2/session/end - OIDC_OP_INTROSPECTION_ENDPOINT: https://fca.integ01.dev-agentconnect.fr/api/v2/checktoken - OIDC_OP_URL: https://fca.integ01.dev-agentconnect.fr/api/v2 - OIDC_ORGANIZATION_REGISTRATION_ID_FIELD: "siret" - OIDC_RP_CLIENT_ID: - secretKeyRef: - name: backend - key: OIDC_RP_CLIENT_ID - OIDC_RP_CLIENT_SECRET: - secretKeyRef: - name: backend - key: OIDC_RP_CLIENT_SECRET - 
OIDC_RS_CLIENT_ID: - secretKeyRef: - name: backend - key: OIDC_RS_CLIENT_ID - OIDC_RS_CLIENT_SECRET: - secretKeyRef: - name: backend - key: OIDC_RS_CLIENT_SECRET - OIDC_RS_PRIVATE_KEY_STR: - secretKeyRef: - name: backend - key: OIDC_RS_PRIVATE_KEY_STR - OIDC_RP_SIGN_ALGO: RS256 - OIDC_RP_SCOPES: "openid email siret" - OIDC_REDIRECT_ALLOWED_HOSTS: https://desk-staging.beta.numerique.gouv.fr - OIDC_AUTH_REQUEST_EXTRA_PARAMS: "{'acr_values': 'eidas1'}" - ORGANIZATION_PLUGINS: "plugins.organizations.NameFromSiretOrganizationPlugin" - ORGANIZATION_REGISTRATION_ID_VALIDATORS: '[{"NAME": "django.core.validators.RegexValidator", "OPTIONS": {"regex": "^[0-9]{14}$"}}]' - LOGIN_REDIRECT_URL: https://desk-staging.beta.numerique.gouv.fr - LOGIN_REDIRECT_URL_FAILURE: https://desk-staging.beta.numerique.gouv.fr - LOGOUT_REDIRECT_URL: https://desk-staging.beta.numerique.gouv.fr - DB_HOST: - secretKeyRef: - name: postgresql.postgres.libre.sh - key: host - DB_NAME: - secretKeyRef: - name: postgresql.postgres.libre.sh - key: database - DB_USER: - secretKeyRef: - name: postgresql.postgres.libre.sh - key: username - DB_PASSWORD: - secretKeyRef: - name: postgresql.postgres.libre.sh - key: password - DB_PORT: - secretKeyRef: - name: postgresql.postgres.libre.sh - key: port - POSTGRES_USER: - secretKeyRef: - name: postgresql.postgres.libre.sh - key: username - POSTGRES_DB: - secretKeyRef: - name: postgresql.postgres.libre.sh - key: database - POSTGRES_PASSWORD: - secretKeyRef: - name: postgresql.postgres.libre.sh - key: password - REDIS_URL: - secretKeyRef: - name: redis.redis.libre.sh - key: url - WEBMAIL_URL: "https://webmail.test.ox.numerique.gouv.fr" - MAIL_PROVISIONING_API_URL: "https://api.ovhdev.dimail1.numerique.gouv.fr" - MAIL_PROVISIONING_API_CREDENTIALS: - secretKeyRef: - name: backend - key: MAIL_PROVISIONING_API_CREDENTIALS - SENTRY_DSN: "https://b72746c73d669421e7a8ccd3fab0fad2@sentry.incubateur.net/171" - - createsuperuser: - command: - - "/bin/sh" - - "-c" - - python 
manage.py createsuperuser --username $DJANGO_SUPERUSER_EMAIL --password $DJANGO_SUPERUSER_PASSWORD
- restartPolicy: Never
-
-frontend:
- image:
- repository: lasuite/people-frontend
- pullPolicy: Always
- tag: "main"
-
-ingress:
- enabled: true
- host: desk-staging.beta.numerique.gouv.fr
- className: nginx
- annotations:
- cert-manager.io/cluster-issuer: letsencrypt-prod
-
-ingressAdmin:
- enabled: true
- host: desk-staging.beta.numerique.gouv.fr
- className: nginx
- annotations:
- cert-manager.io/cluster-issuer: letsencrypt-prod
- nginx.ingress.kubernetes.io/auth-signin: https://oauth2-proxy-preprod.beta.numerique.gouv.fr/oauth2/start
- nginx.ingress.kubernetes.io/auth-url: https://oauth2-proxy-preprod.beta.numerique.gouv.fr/oauth2/auth
diff --git a/src/helm/extra/Chart.yaml b/src/helm/extra/Chart.yaml
index f489dbf1a..94fed4146 100644
--- a/src/helm/extra/Chart.yaml
+++ b/src/helm/extra/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v2
 name: extra
-description: A Helm chart to add some manifests to desk
+description: A Helm chart to add some manifests to meet
 type: application
 version: 0.1.0
diff --git a/src/helm/extra/templates/clustersecretstore.yaml b/src/helm/extra/templates/clustersecretstore.yaml
new file mode 100644
index 000000000..db3fc543c
--- /dev/null
+++ b/src/helm/extra/templates/clustersecretstore.yaml
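Review bot: The new description names `meet`, but this is the `extra` chart of the desk deployment (the helmfile in this same diff installs it next to `./desk`), so the line reads as a copy-paste from another project. Keep the product name accurate, e.g. `description: A Helm chart to add some manifests to desk`, or better say what the chart now ships: `description: External-secrets stores and the Vaultwarden CLI bridge for desk`.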
@@ -0,0 +1,34 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ClusterSecretStore
+metadata:
+ name: bitwarden-login-{{ $.Release.Namespace }}
+ namespace: external-secrets
+spec:
+ provider:
+ webhook:
+ url: "http://bitwarden-cli-{{ $.Release.Namespace }}.{{ $.Release.Namespace }}.svc.cluster.local:8087/object/item/{{`{{ .remoteRef.key }}`}}"
+ headers:
+ Content-Type: application/json
+ result:
+ jsonPath: "$.data.login.{{`{{ .remoteRef.property }}`}}"
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ClusterSecretStore
+metadata:
+ name: bitwarden-fields-{{ $.Release.Namespace }}
+spec:
+ provider:
+ webhook:
+ url: "http://bitwarden-cli-{{ $.Release.Namespace }}.{{ $.Release.Namespace }}.svc.cluster.local:8087/object/item/{{`{{ .remoteRef.key }}`}}"
+ result:
+ jsonPath: "$.data.fields[?@.name==\"{{`{{ .remoteRef.property }}`}}\"].value"
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ClusterSecretStore
+metadata:
+ name: bitwarden-attachments-{{ $.Release.Namespace }}
+spec:
+ provider:
+ webhook:
+ url: "http://bitwarden-cli-{{ $.Release.Namespace }}.{{ $.Release.Namespace }}.svc.cluster.local:8087/object/attachment/{{`{{ .remoteRef.property }}`}}?itemid={{`{{ .remoteRef.key }}`}}"
+ result: {}
diff --git a/src/helm/extra/templates/external_secret.yaml b/src/helm/extra/templates/external_secret.yaml
new file mode 100644
index 000000000..cdf7ee273
--- /dev/null
+++ b/src/helm/extra/templates/external_secret.yaml
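Review bot: The first ClusterSecretStore sets `namespace: external-secrets` in its metadata while the other two do not; ClusterSecretStore is cluster-scoped, so the field is at best ignored and should be dropped for consistency. More importantly, all three stores call the bitwarden-cli Service over plain HTTP with no credentials (the first adds only a `Content-Type` header) and none restricts which namespaces may reference it, so an ExternalSecret in any namespace can read any item of the logged-in vault through them. Add `conditions: [{ namespaces: [{{ $.Release.Namespace | quote }}] }]` under `spec` of each store, and pair it with a NetworkPolicy on the bitwarden-cli pod that admits ingress on 8087 only from the external-secrets controller.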
@@ -0,0 +1,28 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: backend
+ namespace: {{ .Release.Namespace | quote }}
+spec:
+ refreshInterval: "1m"
+ target:
+ name: backend
+ deletionPolicy: Delete
+ template:
+ type: Opaque
+ data:
+{{- range .Values.secrets }}
+ {{ .podVariable }}: |-
+ {{`{{`}} {{ print "." .name }} {{`}}`}}
+{{- end }}
+ data:
+{{- range .Values.secrets }}
+ - secretKey: {{ .name }}
+ sourceRef:
+ storeRef:
+ name: {{ .clusterSecretStore }}
+ kind: ClusterSecretStore
+ remoteRef:
+ key: {{ .itemId }}
+ property: {{ .field }}
+{{- end }}
diff --git a/src/helm/extra/templates/external_secret_deployment.yaml b/src/helm/extra/templates/external_secret_deployment.yaml
new file mode 100644
index 000000000..bd5dc23aa
--- /dev/null
+++ b/src/helm/extra/templates/external_secret_deployment.yaml
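Review bot: Every value taken from `.Values.secrets` is rendered unquoted (`{{ .podVariable }}`, `{{ .name }}`, `{{ .itemId }}`, `{{ .field }}`), so an all-digit item id or a field literally named `true`/`yes` is emitted as a number or boolean and is likely rejected by the ExternalSecret CRD, which types these fields as strings; render them as `- secretKey: {{ .name | quote }}`, `key: {{ .itemId | quote }}` and `property: {{ .field | quote }}`. `refreshInterval: "1m"` makes the controller call the bitwarden webhook once a minute for this secret, which is fine for a dev cluster but worth a comment such as `# 1m keeps dev clusters close to the vault; raise this for anything shared`. `deletionPolicy: Delete` also removes the target `backend` Secret when this ExternalSecret goes away, which is reasonable here but deserves a one-line comment, since pods referencing `backend` will then fail to start.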
@@ -0,0 +1,92 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: bitwarden-cli-{{ $.Release.Namespace }}
+ namespace: {{ $.Release.Namespace | quote }}
+ labels:
+ app.kubernetes.io/instance: bitwarden-cli
+ app.kubernetes.io/name: bitwarden-cli
+spec:
+ replicas: 1
+ strategy:
+ type: Recreate
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: bitwarden-cli
+ app.kubernetes.io/instance: bitwarden-cli
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: bitwarden-cli
+ app.kubernetes.io/instance: bitwarden-cli
+ spec:
+ containers:
+ - name: bitwarden-cli
+ image: lasuite/vaultwarden-api:0.1
+ imagePullPolicy: Always
+ env:
+ - name: BW_HOST
+ valueFrom:
+ secretKeyRef:
+ name: bitwarden-cli-{{ $.Release.Namespace }}
+ key: BW_HOST
+ - name: BW_USER
+ valueFrom:
+ secretKeyRef:
+ name: bitwarden-cli-{{ $.Release.Namespace }}
+ key: BW_USERNAME
+ - name: BW_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: bitwarden-cli-{{ $.Release.Namespace }}
+ key: BW_PASSWORD
+ ports:
+ - name: http
+ containerPort: 8087
+ protocol: TCP
+ livenessProbe:
+ exec:
+ command:
+ - wget
+ - -q
+ - http://127.0.0.1:8087/sync?force=true
+ - --post-data=''
+ initialDelaySeconds: 20
+ failureThreshold: 3
+ timeoutSeconds: 10
+ periodSeconds: 120
+ readinessProbe:
+ tcpSocket:
+ port: 8087
+ initialDelaySeconds: 20
+ failureThreshold: 3
+ timeoutSeconds: 1
+ periodSeconds: 10
+ startupProbe:
+ tcpSocket:
+ port: 8087
+ initialDelaySeconds: 10
+ failureThreshold: 30
+ timeoutSeconds: 1
+ periodSeconds: 5
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: bitwarden-cli-{{ $.Release.Namespace }}
+ namespace: {{ $.Release.Namespace | quote }}
+ labels:
+ app.kubernetes.io/instance: bitwarden-cli
+ app.kubernetes.io/name: bitwarden-cli
+ annotations:
+spec:
+ type: ClusterIP
+ ports:
+ - port: 8087
+ targetPort: http
+ protocol: TCP
+ name: http
+ selector:
+ app.kubernetes.io/name: bitwarden-cli
+ app.kubernetes.io/instance: bitwarden-cli
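Review bot: The pod receives the vault master password (`BW_PASSWORD`) and, judging by the `/object/item/` paths the ClusterSecretStores in this diff call, exposes the unlocked vault over an unauthenticated HTTP API on port 8087 to any workload that can reach the Service, yet it ships with no NetworkPolicy, no `securityContext`, no `resources`, and a mutable image tag (`lasuite/vaultwarden-api:0.1` with `imagePullPolicy: Always`). At minimum add a NetworkPolicy admitting ingress on 8087 only from the external-secrets controller, pin the image to an immutable tag or digest, and harden the container as sketched below. The `livenessProbe` POSTs to `/sync?force=true`, so liveness has a side effect (a forced vault sync against the upstream Vaultwarden every 120s) and a transient upstream outage restarts the pod; if the image wraps `bw serve`, `GET /status` is a side-effect-free alternative. The empty `annotations:` on the Service renders as null and can be dropped.
```yaml
    spec:
      securityContext:
        runAsNonRoot: true          # TODO confirm the image runs as a non-root user
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: bitwarden-cli
          image: lasuite/vaultwarden-api:0.1   # TODO: pin to an immutable tag or @sha256:<digest>
          imagePullPolicy: Always
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
          resources:                # constructed starting values, tune to observed usage
            requests:
              cpu: 50m
              memory: 64Mi
            limits:
              memory: 256Mi
          # … unchanged: env, ports, probes …
```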
diff --git a/src/helm/extra/templates/keydb.yaml b/src/helm/extra/templates/keydb.yaml
deleted file mode 100644
index 00898ae9d..000000000
--- a/src/helm/extra/templates/keydb.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-apiVersion: core.libre.sh/v1alpha1
-kind: Redis
-metadata:
- name: redis
- namespace: {{ .Release.Namespace | quote }}
-spec:
- disableAuth: false
diff --git a/src/helm/extra/templates/postgresql.yaml b/src/helm/extra/templates/postgresql.yaml
deleted file mode 100644
index c5a77c5c6..000000000
--- a/src/helm/extra/templates/postgresql.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-apiVersion: core.libre.sh/v1alpha1
-kind: Postgres
-metadata:
- name: postgresql
- namespace: {{ .Release.Namespace | quote }}
-spec:
- database: desk
diff --git a/src/helm/helmfile.yaml b/src/helm/helmfile.yaml
index 1db1f7f17..3e04b9a11 100644
--- a/src/helm/helmfile.yaml
+++ b/src/helm/helmfile.yaml
@@ -1,11 +1,60 @@ +environments: + dev: + values: + - version: 0.0.1 + dev-keycloak: + values: + - version: 0.0.1 +--- repositories: - name: bitnami url: registry-1.docker.io/bitnamicharts oci: true releases: + - name: keycloak + installed: {{ eq .Environment.Name "dev-keycloak" | toYaml }} + missingFileHandler: Warn + namespace: {{ .Namespace }} + chart: bitnami/keycloak + version: 17.3.6 + values: + - postgresql: + auth: + username: keycloak + password: keycloak + database: keycloak + - extraEnvVars: + - name: KEYCLOAK_EXTRA_ARGS + value: "--import-realm" + - name: KC_HOSTNAME_URL + value: https://keycloak.127.0.0.1.nip.io + - extraVolumes: + - name: import + configMap: + name: desk-keycloak + - extraVolumeMounts: + - name: import + mountPath: /opt/bitnami/keycloak/data/import/ + - auth: + adminUser: su + adminPassword: su + - proxy: edge + - ingress: + enabled: true + hostname: keycloak.127.0.0.1.nip.io + - extraDeploy: + - apiVersion: v1 + kind: ConfigMap + metadata: + name: desk-keycloak + data: + meet.json: | +{{ readFile "../../docker/auth/realm.json" | replace "http://localhost:3200" "https://desk.127.0.0.1.nip.io" | indent 14 }} + - name: postgres - installed: {{ eq .Environment.Name "dev" | toYaml }} + installed: {{ regexMatch "^dev.*" .Environment.Name | toYaml }} + missingFileHandler: Warn namespace: {{ .Namespace }} chart: bitnami/postgresql version: 13.1.5 @@ -19,7 +68,8 @@ releases: autoGenerated: true - name: redis - installed: {{ eq .Environment.Name "dev" | toYaml }} + installed: {{ regexMatch "^dev.*" .Environment.Name | toYaml }} + missingFileHandler: Warn namespace: {{ .Namespace }} chart: bitnami/redis version: 18.19.2 
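Review bot: `missingFileHandler: Warn` is added to every release (postgres and redis here, keycloak above, desk and extra in the last hunk), so a missing `env.d/<env>/values.desk.yaml.gotmpl` — for instance after a typo in the `DEV_ENV` value the Tiltfile now forwards — only logs a warning and the charts deploy with their built-in defaults instead of failing; the default `Error` is the safer behaviour unless there is a deliberate reason, in which case add a comment stating it. The keycloak release hard-codes throwaway credentials (`adminUser: su`, `adminPassword: su`, `postgresql.auth.password: keycloak`); they are gated to the `dev-keycloak` environment and a local `127.0.0.1.nip.io` hostname, which is acceptable, but mark the block `# local dev only: throwaway credentials, do not copy into a shared environment`. The realm ConfigMap key is `meet.json` inside a `desk-keycloak` ConfigMap — a copy-paste from another project; `--import-realm` reads every file in the import directory, so renaming it `desk.json` is safe.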
@@ -28,40 +78,19 @@ releases: password: pass architecture: standalone - - name: extra - installed: {{ ne .Environment.Name "dev" | toYaml }} - namespace: {{ .Namespace }} - chart: ./extra - secrets: - - env.d/{{ .Environment.Name }}/secrets.enc.yaml - - name: desk - version: {{ .Values.version }} + installed: {{ regexMatch "^dev.*" .Environment.Name | toYaml }} + missingFileHandler: Warn namespace: {{ .Namespace }} chart: ./desk values: - env.d/{{ .Environment.Name }}/values.desk.yaml.gotmpl - secrets: - - env.d/{{ .Environment.Name }}/secrets.enc.yaml -environments: - dev: - values: - - version: 0.0.1 - secrets: - - env.d/{{ .Environment.Name }}/secrets.enc.yaml - staging: - values: - - version: 0.0.1 - secrets: - - env.d/{{ .Environment.Name }}/secrets.enc.yaml - preprod: - values: - - version: 0.0.1 - secrets: - - env.d/{{ .Environment.Name }}/secrets.enc.yaml - production: + - name: extra + installed: {{ eq .Environment.Name "dev" | toYaml }} + missingFileHandler: Warn + namespace: {{ .Namespace }} + chart: ./extra values: - - version: 0.0.1 - secrets: - - env.d/{{ .Environment.Name }}/secrets.enc.yaml + - env.d/{{ .Environment.Name }}/values.desk.yaml.gotmpl +
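Review bot: The `extra` release is gated with `eq .Environment.Name "dev"` while `desk`, `postgres` and `redis` now use `regexMatch "^dev.*"`, so in the new `dev-keycloak` environment the desk chart deploys but the extra chart — which in this diff carries the ClusterSecretStores, the bitwarden-cli Deployment and the `backend` ExternalSecret — is skipped; if desk still reads its credentials from the `backend` Secret, that environment comes up without it. Unless the split is intentional, use `installed: {{ regexMatch "^dev.*" .Environment.Name | toYaml }}` for `extra` too, or add a comment explaining why it differs. The `version: {{ .Values.version }}` line is removed from the desk release while both environments still define `version: 0.0.1`, which is now dead configuration. With staging, preprod and production gone from `environments` and every release gated to `^dev.*`, this helmfile deploys nothing outside local development; a short header comment saying where non-dev deployment now lives would save the next reader a search.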