diff --git a/.github/workflows/docker-hub.yml b/.github/workflows/docker-hub.yml
index 1a99c7ce..d3cf2f22 100644
--- a/.github/workflows/docker-hub.yml
+++ b/.github/workflows/docker-hub.yml
@@ -31,7 +31,7 @@ jobs:
images: lasuite/impress-backend
- name: Login to DockerHub
- if: github.event_name != 'pull_request'
+ if: github.event_name != 'pull_request' || contains(github.event.pull_request.labels.*.name, 'preview')
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKER_HUB_USER }}
@@ -49,7 +49,7 @@ jobs:
context: .
target: backend-production
build-args: DOCKER_USER=${{ env.DOCKER_USER }}:-1000
- push: ${{ github.event_name != 'pull_request' }}
+ push: ${{ github.event_name != 'pull_request' || contains(github.event.pull_request.labels.*.name, 'preview') }}
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
@@ -67,7 +67,7 @@ jobs:
images: lasuite/impress-frontend
- name: Login to DockerHub
- if: github.event_name != 'pull_request'
+ if: github.event_name != 'pull_request' || contains(github.event.pull_request.labels.*.name, 'preview')
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKER_HUB_USER }}
@@ -88,7 +88,7 @@ jobs:
build-args: |
DOCKER_USER=${{ env.DOCKER_USER }}:-1000
PUBLISH_AS_MIT=false
- push: ${{ github.event_name != 'pull_request' }}
+ push: ${{ github.event_name != 'pull_request' || contains(github.event.pull_request.labels.*.name, 'preview') }}
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
@@ -106,7 +106,7 @@ jobs:
images: lasuite/impress-y-provider
- name: Login to DockerHub
- if: github.event_name != 'pull_request'
+ if: github.event_name != 'pull_request' || contains(github.event.pull_request.labels.*.name, 'preview')
run: echo "${{ secrets.DOCKER_HUB_PASSWORD }}" | docker login -u "${{ secrets.DOCKER_HUB_USER }}" --password-stdin
- name: Run trivy scan
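Review bot: The new label gate `contains(github.event.pull_request.labels.*.name, 'preview')` on the "Login to DockerHub" step makes a push to the public `lasuite/*` image repositories reachable from a pull request, and the hunk does not show which event triggers the workflow. If it is `pull_request`, fork PRs receive no secrets, so the login step will fail rather than skip; if it is `pull_request_target`, applying the label builds and pushes unreviewed PR code with the organisation's credentials, in which case the gate should also require `github.event.pull_request.head.repo.full_name == github.repository` so only same-repository branches qualify. The identical expression is repeated in the -49, -67, -88, -106, -122 and -131 hunks; computing it once as a job output (e.g. a `should_push` output consumed by every `if:`/`push:`) would keep the six copies from drifting. At minimum the first use deserves a comment such as `# PRs labelled 'preview' also push images so the feature environment can deploy them`, and it is worth confirming which repository roles may apply labels, since labelling is now equivalent to push permission.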
@@ -122,7 +122,7 @@ jobs:
file: ./src/frontend/servers/y-provider/Dockerfile
target: y-provider
build-args: DOCKER_USER=${{ env.DOCKER_USER }}:-1000
- push: ${{ github.event_name != 'pull_request' }}
+ push: ${{ github.event_name != 'pull_request' || contains(github.event.pull_request.labels.*.name, 'preview') }}
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
@@ -131,7 +131,7 @@ jobs:
- build-and-push-frontend
- build-and-push-backend
runs-on: ubuntu-latest
- if: github.event_name != 'pull_request'
+ if: github.event_name != 'pull_request' || contains(github.event.pull_request.labels.*.name, 'preview')
steps:
- uses: numerique-gouv/action-argocd-webhook-notification@main
id: notify
diff --git a/src/helm/env.d/dev/values.dev-backend.yaml.gotmpl b/src/helm/env.d/dev/values.dev-backend.yaml.gotmpl
new file mode 100644
index 00000000..76ab8bad
--- /dev/null
+++ b/src/helm/env.d/dev/values.dev-backend.yaml.gotmpl
@@ -0,0 +1,59 @@
+postgres:
+ enabled: true
+ name: postgres
+ #serviceNameOverride: postgres
+ image: postgres:16-alpine
+ username: dinum
+ password: pass
+ database: docs
+ size: 1Gi
+redis:
+ enabled: true
+ name: redis
+ image: redis:8.2-alpine
+ username: user
+ password: pass
+minio:
+ enabled: true
+ image: minio/minio
+ name: minio
+ ingress:
+ enabled: true
+ hostname: docs-minio.127.0.0.1.nip.io
+ tls:
+ enabled: true
+ secretName: docs-tls
+ consoleIngress:
+ enabled: true
+ hostname: docs-minio-console.127.0.0.1.nip.io
+ tls:
+ enabled: true
+ secretName: docs-tls
+ username: dinum
+ password: password
+ bucket: docs-media-storage
+ versioning: true
+ size: 1Gi
+keycloak:
+ enabled: true
+ image: quay.io/keycloak/keycloak:20.0.1
+ name: keycloak
+ #serviceNameOverride: keycloak
+ hostname: docs-keycloak.127.0.0.1.nip.io
+ username: admin
+ password: pass
+ tls:
+ enabled: true
+ secretName: docs-tls
+ db:
+ username: dinum
+ password: pass
+ database: keycloak
+ size: 1Gi
+ image: postgres:16-alpine
+ realm:
+ name: docs
+ username: docs
+ password: docs
+ email: docs@example.com
+
diff --git a/src/helm/env.d/feature/values.dev-backend.yaml.gotmpl b/src/helm/env.d/feature/values.dev-backend.yaml.gotmpl
new file mode 100644
index 00000000..242c17d4
--- /dev/null
+++ b/src/helm/env.d/feature/values.dev-backend.yaml.gotmpl
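Review bot: The new file carries no header saying which helmfile environment it serves or that its fixed credentials (`password: pass`, minio `dinum`/`password`, keycloak `admin`/`pass`) are only meant for the local `127.0.0.1.nip.io` setup, although the values are the same ones just removed from `helmfile.yaml`. A first line such as `# dev-backend values for the local "dev" helmfile environment; credentials are local-only defaults, not for any shared cluster` would stop them being copied into other environments. The `.gotmpl` suffix also means helmfile renders the file as a Go template before parsing it, so a comment noting that any literal `{{` in a value must be escaped is worth adding even though this file contains no template actions today.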
@@ -0,0 +1,61 @@
+postgres:
+ enabled: true
+ name: postgres
+ #serviceNameOverride: postgres
+ image: postgres:16-alpine
+ username: dinum
+ password: pass
+ database: docs
+ size: 5Gi
+redis:
+ enabled: true
+ name: redis
+ image: redis:8.2-alpine
+ username: user
+ password: pass
+minio:
+ enabled: true
+ image: minio/minio
+ name: minio
+ ingress:
+ enabled: true
+ hostname: {{ .Values.feature }}-minio.{{ .Values.domain }}
+ tls:
+ enabled: true
+ secretName: docs-tls
+ consoleIngress:
+ enabled: true
+ hostname: {{ .Values.feature }}-minio-console.{{ .Values.domain }}
+ tls:
+ enabled: true
+ secretName: docs-tls
+ username: dinum
+ password: password
+ bucket: docs-media-storage
+ versioning: true
+ size: 5Gi
+keycloak:
+ enabled: true
+ image: quay.io/keycloak/keycloak:20.0.1
+ name: keycloak
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt
+ #serviceNameOverride: keycloak
+ hostname: {{ .Values.feature }}-docs-keycloak.{{ .Values.domain }}
+ username: admin
+ password: pass
+ tls:
+ enabled: true
+ secretName: docs-tls
+ db:
+ username: dinum
+ password: pass
+ database: keycloak
+ size: 5Gi
+ image: postgres:16-alpine
+ realm:
+ name: docs
+ username: docs
+ password: docs
+ email: docs@example.com
+
diff --git a/src/helm/env.d/feature/values.impress.yaml.gotmpl b/src/helm/env.d/feature/values.impress.yaml.gotmpl
new file mode 100644
index 00000000..c6c7fe8c
--- /dev/null
+++ b/src/helm/env.d/feature/values.impress.yaml.gotmpl
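Review bot: The feature environment keeps the local-dev credentials (`password: pass` for postgres, redis and the keycloak admin, `dinum`/`password` for minio) while the keycloak block adds `cert-manager.io/cluster-issuer: letsencrypt` and minio's API and console are published on `{{ .Values.feature }}-minio.{{ .Values.domain }}` and `{{ .Values.feature }}-minio-console.{{ .Values.domain }}`, which suggests these hosts are internet-reachable rather than on `127.0.0.1.nip.io` as in the dev file. Secrets for this environment should be injected per deployment (helmfile state values or `{{ requiredEnv "..." }}`) instead of being committed, and at the very least the keycloak admin and the minio console should not keep defaults on a public hostname. Separately, only keycloak carries the cluster-issuer annotation while all three ingresses reference `secretName: docs-tls`; unless the 0.0.4 chart adds the annotation itself, the minio hosts presumably get no certificate of their own and may serve the keycloak one — worth checking against the chart. The minio hostnames also omit the `-docs` infix used by keycloak here and by the impress values, which reads as inconsistent naming.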
@@ -0,0 +1,182 @@
+djangoSecretKey: &djangoSecretKey "lkjsdlfkjsldkfjslkdfjslkdjfslkdjf"
+tag: &tag "{{ .Values.imageTag }}"
+djangoSuperUserEmail: admin@example.com
+djangoSuperUserPass: admin
+aiApiKey: changeme
+aiBaseUrl: changeme
+oidc:
+ clientId: impress
+ clientSecret: ThisIsAnExampleKeyForDevPurposeOnly
+
+image:
+ repository: lasuite/impress-backend
+ pullPolicy: Always
+ tag: *tag
+
+backend:
+ replicas: 1
+ envVars:
+ COLLABORATION_SERVER_SECRET: my-secret
+ DJANGO_CSRF_TRUSTED_ORIGINS: https://{{ .Values.feature }}-docs.{{ .Values.domain }}
+ DJANGO_CONFIGURATION: Feature
+ DJANGO_ALLOWED_HOSTS: {{ .Values.feature }}-docs.{{ .Values.domain }}
+ DJANGO_SERVER_TO_SERVER_API_TOKENS: secret-api-key
+ DJANGO_SECRET_KEY: *djangoSecretKey
+ DJANGO_SETTINGS_MODULE: impress.settings
+ DJANGO_SUPERUSER_PASSWORD: admin
+ DJANGO_EMAIL_BRAND_NAME: "La Suite Numérique"
+ DJANGO_EMAIL_HOST: "mailcatcher"
+ DJANGO_EMAIL_LOGO_IMG: https://{{ .Values.feature }}-docs.{{ .Values.domain }}/assets/logo-suite-numerique.png
+ DJANGO_EMAIL_PORT: 1025
+ DJANGO_EMAIL_USE_SSL: False
+ LOGGING_LEVEL_HANDLERS_CONSOLE: ERROR
+ LOGGING_LEVEL_LOGGERS_ROOT: INFO
+ LOGGING_LEVEL_LOGGERS_APP: INFO
+ OIDC_USERINFO_SHORTNAME_FIELD: "given_name"
+ OIDC_USERINFO_FULLNAME_FIELDS: "given_name,usual_name"
+ OIDC_OP_JWKS_ENDPOINT: https://{{ .Values.feature }}-docs-keycloak.{{ .Values.domain }}/realms/docs/protocol/openid-connect/certs
+ OIDC_OP_AUTHORIZATION_ENDPOINT: https://{{ .Values.feature }}-docs-keycloak.{{ .Values.domain }}/realms/docs/protocol/openid-connect/auth
+ OIDC_OP_TOKEN_ENDPOINT: https://{{ .Values.feature }}-docs-keycloak.{{ .Values.domain }}/realms/docs/protocol/openid-connect/token
+ OIDC_OP_USER_ENDPOINT: https://{{ .Values.feature }}-docs-keycloak.{{ .Values.domain }}/realms/docs/protocol/openid-connect/userinfo
+ OIDC_OP_LOGOUT_ENDPOINT: https://{{ .Values.feature }}-docs-keycloak.{{ .Values.domain }}/realms/docs/protocol/openid-connect/logout
+ OIDC_RP_CLIENT_ID: docs
+
OIDC_RP_CLIENT_SECRET: ThisIsAnExampleKeyForDevPurposeOnly
+ OIDC_RP_SIGN_ALGO: RS256
+ OIDC_RP_SCOPES: "openid email"
+ LOGIN_REDIRECT_URL: https://{{ .Values.feature }}-docs.{{ .Values.domain }}
+ LOGIN_REDIRECT_URL_FAILURE: https://{{ .Values.feature }}-docs.{{ .Values.domain }}
+ LOGOUT_REDIRECT_URL: https://{{ .Values.feature }}-docs.{{ .Values.domain }}
+ DB_HOST: dev-backend-postgres
+ DB_NAME:
+ secretKeyRef:
+ name: dev-backend-postgres
+ key: database
+ DB_USER:
+ secretKeyRef:
+ name: dev-backend-postgres
+ key: username
+ DB_PASSWORD:
+ secretKeyRef:
+ name: dev-backend-postgres
+ key: password
+ DB_PORT: 5432
+ REDIS_URL: redis://user:pass@dev-backend-redis:6379/1
+ DJANGO_CELERY_BROKER_URL: redis://user:pass@dev-backend-redis:6379/1
+ AWS_S3_ENDPOINT_URL: http://dev-backend-minio.{{ .Namespace }}.svc.cluster.local:9000
+ AWS_S3_ACCESS_KEY_ID: dinum
+ AWS_S3_SECRET_ACCESS_KEY: password
+ AWS_STORAGE_BUCKET_NAME: docs-media-storage
+ STORAGES_STATICFILES_BACKEND: django.contrib.staticfiles.storage.StaticFilesStorage
+ Y_PROVIDER_API_BASE_URL: http://impress-y-provider:443/api/
+ Y_PROVIDER_API_KEY: my-secret
+ CACHES_KEY_PREFIX: "{{ now | unixEpoch }}"
+ migrate:
+ command:
+ - "/bin/sh"
+ - "-c"
+ - |
+ while ! python manage.py check --database default > /dev/null 2>&1
+ do
+ echo "Database not ready"
+ sleep 2
+ done
+
+ echo "Database is ready"
+
+ python manage.py migrate --no-input
+ restartPolicy: Never
+
+ command:
+ - "gunicorn"
+ - "-c"
+ - "/usr/local/etc/gunicorn/impress.py"
+ - "impress.wsgi:application"
+ - "--reload"
+
+ createsuperuser:
+ command:
+ - "/bin/sh"
+ - "-c"
+ - |
+ while !
python manage.py check --database default > /dev/null 2>&1
+ do
+ echo "Database not ready"
+ sleep 2
+ done
+
+ echo "Database is ready"
+ python manage.py createsuperuser --email admin@example.com --password admin
+ restartPolicy: Never
+
+ # Extra volume mounts to manage our local custom CA and avoid to set ssl_verify: false
+ extraVolumeMounts: {}
+
+ # Extra volumes to manage our local custom CA and avoid to set ssl_verify: false
+ extraVolumes: {}
+
+frontend:
+ envVars:
+ PORT: 8080
+ NEXT_PUBLIC_API_ORIGIN: https://{{ .Values.feature }}-docs.{{ .Values.domain }}
+
+ replicas: 1
+
+ image:
+ repository: lasuite/impress-frontend
+ pullPolicy: Always
+ tag: *tag
+
+yProvider:
+ replicas: 1
+
+ image:
+ repository: lasuite/impress-y-provider
+ pullPolicy: Always
+ tag: *tag
+
+ envVars:
+ COLLABORATION_BACKEND_BASE_URL: https://{{ .Values.feature }}-docs.{{ .Values.domain }}
+ COLLABORATION_LOGGING: true
+ COLLABORATION_SERVER_ORIGIN: https://{{ .Values.feature }}-docs.{{ .Values.domain }}
+ COLLABORATION_SERVER_SECRET: my-secret
+ Y_PROVIDER_API_KEY: my-secret
+
+ingress:
+ enabled: true
+ host: {{ .Values.feature }}-docs.{{ .Values.domain }}
+ annotations:
+ nginx.ingress.kubernetes.io/proxy-body-size: 10m
+ cert-manager.io/cluster-issuer: letsencrypt
+
+ingressCollaborationWS:
+ enabled: true
+ host: {{ .Values.feature }}-docs.{{ .Values.domain }}
+
+ingressCollaborationApi:
+ enabled: true
+ host: {{ .Values.feature }}-docs.{{ .Values.domain }}
+
+ingressAdmin:
+ enabled: true
+ host: {{ .Values.feature }}-docs.{{ .Values.domain }}
+
+posthog:
+ ingress:
+ enabled: false
+
+ ingressAssets:
+ enabled: false
+
+ingressMedia:
+ enabled: true
+ host: {{ .Values.feature }}-docs.{{ .Values.domain }}
+
+ annotations:
+ nginx.ingress.kubernetes.io/auth-url: https://{{ .Values.feature }}-docs.{{ .Values.domain }}/api/v1.0/documents/media-auth/
+ nginx.ingress.kubernetes.io/auth-response-headers: "Authorization, X-Amz-Date, X-Amz-Content-SHA256"
+
nginx.ingress.kubernetes.io/upstream-vhost: dev-backend-minio.{{ .Namespace }}.svc.cluster.local:9000
+ nginx.ingress.kubernetes.io/rewrite-target: /docs-media-storage/$1
+
+serviceMedia:
+ host: dev-backend-minio.{{ .Namespace }}.svc.cluster.local
+ port: 9000
diff --git a/src/helm/helmfile.yaml b/src/helm/helmfile.yaml
index 7a33d848..5bdb957a 100644
--- a/src/helm/helmfile.yaml
+++ b/src/helm/helmfile.yaml
@@ -2,6 +2,12 @@ environments:
dev:
values:
- version: 3.7.0
+ feature:
+ values:
+ - version: 3.7.0
+ feature: ci
+ domain: example.com
+ imageTag: demo
---
repositories:
- name: dev-backends
@@ -12,66 +18,9 @@ releases:
- name: dev-backend
namespace: {{ .Namespace }}
chart: dev-backends/dev-backend
- version: 0.0.2
+ version: 0.0.4
values:
- - postgres:
- enabled: true
- name: postgres
- #serviceNameOverride: postgres
- image: postgres:16-alpine
- username: dinum
- password: pass
- database: docs
- size: 1Gi
- - redis:
- enabled: true
- name: redis
- image: redis:8.2-alpine
- username: user
- password: pass
- - minio:
- enabled: true
- image: minio/minio
- name: minio
- ingress:
- enabled: true
- hostname: docs-minio.127.0.0.1.nip.io
- tls:
- enabled: true
- secretName: docs-tls
- consoleIngress:
- enabled: true
- hostname: docs-minio-console.127.0.0.1.nip.io
- tls:
- enabled: true
- secretName: docs-tls
- username: dinum
- password: password
- bucket: docs-media-storage
- versioning: true
- size: 1Gi
- - keycloak:
- enabled: true
- image: quay.io/keycloak/keycloak:20.0.1
- name: keycloak
- #serviceNameOverride: keycloak
- hostname: docs-keycloak.127.0.0.1.nip.io
- username: admin
- password: pass
- tls:
- enabled: true
- secretName: docs-tls
- db:
- username: dinum
- password: pass
- database: keycloak
- size: 1Gi
- image: postgres:16-alpine
- realm:
- name: docs
- username: docs
- password: docs
- email: docs@example.com
+ - env.d/{{ .Environment.Name }}/values.dev-backend.yaml.gotmpl
- name: impress
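Review bot: `ingressAdmin` is enabled on `{{ .Values.feature }}-docs.{{ .Values.domain }}` behind a `cert-manager.io/cluster-issuer: letsencrypt` ingress, while the superuser is created with `--password admin` (mirrored by `DJANGO_SUPERUSER_PASSWORD: admin`), `djangoSecretKey` is a fixed literal, and `OIDC_RP_CLIENT_SECRET`, `COLLABORATION_SERVER_SECRET`, `DJANGO_SERVER_TO_SERVER_API_TOKENS`, `Y_PROVIDER_API_KEY` and the S3 keys are the same example values as the dev environment — for a preview environment on a public domain these should be injected per deployment (helmfile state values or `requiredEnv`) rather than committed, or the admin ingress should stay disabled. `CACHES_KEY_PREFIX: "{{ now | unixEpoch }}"` is re-evaluated on every render, so presumably every `helmfile apply` produces a diff and rolls the backend even when nothing else changed; if that is intended a comment saying so would help. `DJANGO_EMAIL_USE_SSL: False` and `COLLABORATION_LOGGING: true` are YAML booleans inside an env map, and whether they reach the container as `"False"`/`"true"` depends on the chart's quoting, so writing them as quoted strings here is safer. The file would also benefit from a header such as `# impress values for the "feature" helmfile environment (per-PR preview); feature, domain and imageTag come from helmfile state values`, since nothing in it says which environment it targets or why gunicorn runs with `--reload`.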
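Review bot: The new `feature` environment in the -2 hunk sets `feature: ci`, `domain: example.com` and `imageTag: demo`, which read as placeholders expected to be overridden at deploy time, but nothing documents that; a comment such as `# placeholders — override feature/domain/imageTag per preview deployment (e.g. --state-values-set)` would prevent a deployment from silently rendering every host under example.com with a `demo` image tag. Whether `domain` is really meant to be overridable or should be the real preview domain cannot be told from this hunk.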
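Review bot: The -18 hunk now loads `env.d/{{ .Environment.Name }}/values.dev-backend.yaml.gotmpl` for every environment, so any environment without that file (only `dev` and `feature` are added here) fails at render time; a comment next to the `values:` entry such as `# every environment must provide env.d/<name>/values.dev-backend.yaml.gotmpl` makes the requirement visible. The chart bump from `0.0.2` to `0.0.4` is not explained anywhere in the diff; if 0.0.4 is what introduces the keycloak `annotations` support the feature values rely on, a short comment on the `version:` line naming that would tie the two together.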
@@ -79,4 +28,4 @@ releases:
namespace: {{ .Namespace }}
chart: ./impress
values:
- - env.d/{{ .Environment.Name }}/values.impress.yaml.gotmpl
\ No newline at end of file
+ - env.d/{{ .Environment.Name }}/values.impress.yaml.gotmpl