From dc319578b6776d8eafd3cec367ff4b43324eee63 Mon Sep 17 00:00:00 2001
From: Anthony LC
Date: Tue, 21 May 2024 15:08:44 +0200
Subject: [PATCH] =?UTF-8?q?=F0=9F=91=B7(helm)=20production=20configuration?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This PR adds the production configuration for the helm chart.
---
 src/helm/env.d/production/secrets.enc.yaml | 62 ++++++++
 .../production/values.impress.yaml.gotmpl | 140 ++++++++++++++++++
 src/helm/extra/templates/secrets.yaml | 1 +
 src/helm/helmfile.yaml | 5 +
 4 files changed, 208 insertions(+)
 create mode 100644 src/helm/env.d/production/secrets.enc.yaml
 create mode 100644 src/helm/env.d/production/values.impress.yaml.gotmpl

diff --git a/src/helm/env.d/production/secrets.enc.yaml b/src/helm/env.d/production/secrets.enc.yaml
new file mode 100644
index 00000000..71780889
--- /dev/null
+++ b/src/helm/env.d/production/secrets.enc.yaml
@@ -0,0 +1,62 @@ +djangoSuperUserEmail: ENC[AES256_GCM,data:m+NiMlUXrTyTgi9P9s5K1Kgh11w7Vjk1YpPxPZzgp38=,iv:mFff/stfKLgoSlf+K9WwDoZ5tYDZEqNwYUxf9QuTJE4=,tag:DTEl01eR2ATj9TRR5Dn2RA==,type:str] +djangoSuperUserPass: ENC[AES256_GCM,data:fNyk7zyNbsCf9CoxOEpn/bBVnRx8,iv:ODKdG754Qsf1udLDJo8aSQ7IVq89NTnEEOcLlryWrRE=,tag:Gqr2zGbpIZf6OiH4/2dj9g==,type:str] +djangoSecretKey: ENC[AES256_GCM,data:EjjuNq1DqqXu70AhhrK36SaJ9sw=,iv:FQ/nYB/Otp04qdMV6NqnRgLHRqJ7bk658MZ0eHK0+a4=,tag:a1i5k4PZ4qX6LMJtFVsawg==,type:str] +oidc: + clientId: ENC[AES256_GCM,data:lsybigXVABEzh/ii3bydX6EvNUKK2Hza0J8T5xvG2Us6tN2D,iv:sk0vuH9Gnkrz1Qmav0R2Vw2ov9UwHNKPFnZhIyLw6To=,tag:EKSziVRCm0yOfxgtvjGZpw==,type:str] + clientSecret: ENC[AES256_GCM,data:jlyIMvkRorq+s/XXFfKTd+aeI+tjaX+5UPFA09LX04qj7eSBfmDMEjDPw/RsXHbtKiqPRaQA6efKdMzDPPgGTA==,iv:jEoZa1e7cVffN9Oojj8Zz3clh+4+Hs0CQ7Pn3+kSrWU=,tag:BpNdhJrTOd6pkEAvafVgyw==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age15fyxdwmg5mvldtqqus87xspuws2u0cpvwheehrtvkexj4tnsqqysw6re2x + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqcW9vRnNTSzNMdnhNa3Y0 + KytNd1pMaTdhUmdqek1JWFQ1ZHNpQ2tyTUFJCncyTjkxbWdqbFU0UVZZN2JpUkh5 + MWZjQzRLRUNSdEIzU01xZmo4VWJNUGcKLS0tIGZ6RUZpV2RnMnhKWEl5amdsakJS + RXRZQ0JTR2xWOWtmNlRBVXpnaDVSdzgK/M75CMrIhT1WT21M52/LjmgaN+8ty1t3 + 6qmLPXBucl0MoX915/oCatNJ3KU5fMNaZrZ/bYS1R/ThVxsp3h2q/g== + -----END AGE ENCRYPTED FILE----- + - recipient: age16hnlml8yv4ynwy0seer57g8qww075crd0g7nsundz3pj4wk7m3vqftszg7 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKUW44cXNPT1M3TUJnYzBP + NkwvUVM0aGNpdFl5eDdxclZiQXF3VS9QOXgwCjgrL3lWMWxBaW1aT0NTM1BUTElo + SVVJd2RLU0dEZlNJcS8rbm5TcDZuVjQKLS0tIEdYRlZCYjVTWDhuTTNPNk9WZkNI + Rkg3eVVSTEV4M2QwY3FJTUx1Z1lEZUEK6sIJCpFOrFf9XspRyV1alvi4TTczIAos + IncTCQtr+MhOC37EdIrXUKBWFJ2LCIBrYJkdpcxpDhFr0Eo2zEFuXg== + -----END AGE ENCRYPTED FILE----- + - recipient: 
age1plkp8td6zzfcavjusmsfrlk54t9vn8jjxm8zaz7cmnr7kzl2nfnsd54hwg + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPMHNPN1Fuai9NUzRROFk2 + RGVpNVBjazI4QTQ1clFvMXlxb01oOHpMR1ZvCmRDa1dqSjdxdGlKQUZ1UGxVVnR5 + K1E1WUxUMjI4d1FLWlFYVmJUelYxT1UKLS0tIHQyVUNnYVpoRkNUUUxidVBOYkRI + NXFleVlpKzl4TVRFMTZRemJrYmpmVGsKfYgxd/ejE5AQVx3u+1u0c7QLy519c2hf + Mrk8+uM1OVOXyYslMEwj40HW/sb6yUzkz+kcSKotDy8ZEHu6WzaCbw== + -----END AGE ENCRYPTED FILE----- + - recipient: age12g6f5fse25tgrwweleh4jls3qs52hey2edh759smulwmk5lnzadslu2cp3 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYK29HR2pVVW5LUnRBZkZs + WlpZdlRXbkRuUGRhODFOcDYzc3hWNWtBMGdJCm9tS3R2Sk1UOXNMN0lQS0Q5UUdN + K2thQlp6Z3p1Uk9qUCtUWGJpWVhYVjQKLS0tIDBwcTRFdFRMQmpGQ0JBU1k5d3Er + N1lFdmNtVG5sKzRoaTc3cmU3T2Mrdm8KknJBCHMdiyOMRymNti8E7xLW/3P+ZLOx + tadj5YD42WDMMTLrMCaQ3HbcnoC9Bs+OJ6Nqy9owiHtnvM5nGkkopw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1qy04neuzwpasmvljqrcvhwnf0kz5cpyteze38c8avp0czewskasszv9pyw + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVb3JOT0F4elBNeFZOcVRo + d3ZSY3lIZm5JUVZoVnhyeXM0dDh3UzlRdWxzCnlGOU1ORzdBSmpFeGZPSlhTUzh4 + N0p0bzlZZ3ZBZG9sKzhiOVl3Z1B4TzQKLS0tIGs3a2xRR0NPWTJvNTFBUGdoRG1z + dnRuVnlkK0N3Q2RFbEpYWDV5WkZQcVEKVR9Jb+hp0lN/AkYt5cCWlNAita+mfMAG + WvEUMEsDUG/ziRr1vQybh+4W62FQo/nvFNQFA63aNK0RHHIv32PR0g== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-05-21T13:04:00Z" + mac: ENC[AES256_GCM,data:SU0DELUktpCpZXtfFnbTRzv3uvAZUOYQHZ86j0zUId3K9JqrbuhJPloosl7iwsMd0IXB19VXIQFgnXWvv1aBj96Lz5JRGaB31lLsWCEAK7iALQhUMO8EUsLVIDIn0c4g1ytz2EAI+tInSbcKrwQxvO00Nbqouu+MJpWESCkK9EQ=,iv:3xXOjSqi/swTQwDSMn6+w6B7U+oB6A/COX8uRZLjxNM=,tag:+p3UvY9y4LVGVK5DXoT73g==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/src/helm/env.d/production/values.impress.yaml.gotmpl b/src/helm/env.d/production/values.impress.yaml.gotmpl new file mode 100644 index 00000000..b9c83f9f 
--- /dev/null
+++ b/src/helm/env.d/production/values.impress.yaml.gotmpl
@@ -0,0 +1,140 @@
+image:
+ repository: lasuite/impress-backend
+ pullPolicy: Always
+ tag: "main"
+
+backend:
+ migrateJobAnnotations:
+ argocd.argoproj.io/hook: PostSync
+ argocd.argoproj.io/hook-delete-policy: HookSucceeded
+ envVars:
+ DJANGO_CSRF_TRUSTED_ORIGINS: https://docs.numerique.gouv.fr
+ DJANGO_CONFIGURATION: Production
+ DJANGO_ALLOWED_HOSTS: "*"
+ DJANGO_SECRET_KEY:
+ secretKeyRef:
+ name: backend
+ key: DJANGO_SECRET_KEY
+ DJANGO_SETTINGS_MODULE: impress.settings
+ DJANGO_SUPERUSER_EMAIL:
+ secretKeyRef:
+ name: backend
+ key: DJANGO_SUPERUSER_EMAIL
+ DJANGO_SUPERUSER_PASSWORD:
+ secretKeyRef:
+ name: backend
+ key: DJANGO_SUPERUSER_PASSWORD
+ DJANGO_EMAIL_HOST: "snap-mail.numerique.gouv.fr"
+ DJANGO_EMAIL_PORT: 465
+ DJANGO_EMAIL_USE_SSL: True
+ DJANGO_SILENCED_SYSTEM_CHECKS: security.W008,security.W004
+ OIDC_OP_JWKS_ENDPOINT: https://auth.agentconnect.gouv.fr/api/v2/jwks
+ OIDC_OP_AUTHORIZATION_ENDPOINT: https://auth.agentconnect.gouv.fr/api/v2/authorize
+ OIDC_OP_TOKEN_ENDPOINT: https://auth.agentconnect.gouv.fr/api/v2/token
+ OIDC_OP_USER_ENDPOINT: https://auth.agentconnect.gouv.fr/api/v2/userinfo
+ OIDC_OP_LOGOUT_ENDPOINT: https://auth.agentconnect.gouv.fr/api/v2/session/end
+ OIDC_RP_CLIENT_ID:
+ secretKeyRef:
+ name: backend
+ key: OIDC_RP_CLIENT_ID
+ OIDC_RP_CLIENT_SECRET:
+ secretKeyRef:
+ name: backend
+ key: OIDC_RP_CLIENT_SECRET
+ OIDC_RP_SIGN_ALGO: RS256
+ OIDC_RP_SCOPES: "openid email"
+ OIDC_REDIRECT_ALLOWED_HOSTS: https://docs.numerique.gouv.fr
+ OIDC_AUTH_REQUEST_EXTRA_PARAMS: "{'acr_values': 'eidas1'}"
+ LOGIN_REDIRECT_URL: https://docs.numerique.gouv.fr
+ LOGIN_REDIRECT_URL_FAILURE: https://docs.numerique.gouv.fr
+ LOGOUT_REDIRECT_URL: https://docs.numerique.gouv.fr
+ DB_HOST:
+ secretKeyRef:
+ name: postgresql.postgres.libre.sh
+ key: host
+ DB_NAME:
+ secretKeyRef:
+ name: postgresql.postgres.libre.sh
+ key: database
+ DB_USER:
+ secretKeyRef:
+ name: postgresql.postgres.libre.sh
+ key: username
+ DB_PASSWORD:
+ secretKeyRef:
+ name: postgresql.postgres.libre.sh
+ key: password
+ DB_PORT:
+ secretKeyRef:
+ name: postgresql.postgres.libre.sh
+ key: port
+ POSTGRES_USER:
+ secretKeyRef:
+ name: postgresql.postgres.libre.sh
+ key: username
+ POSTGRES_DB:
+ secretKeyRef:
+ name: postgresql.postgres.libre.sh
+ key: database
+ POSTGRES_PASSWORD:
+ secretKeyRef:
+ name: postgresql.postgres.libre.sh
+ key: password
+ REDIS_URL:
+ secretKeyRef:
+ name: redis.redis.libre.sh
+ key: url
+ AWS_S3_ENDPOINT_URL:
+ secretKeyRef:
+ name: impress-media-storage.bucket.libre.sh
+ key: url
+ AWS_S3_ACCESS_KEY_ID:
+ secretKeyRef:
+ name: impress-media-storage.bucket.libre.sh
+ key: accessKey
+ AWS_S3_SECRET_ACCESS_KEY:
+ secretKeyRef:
+ name: impress-media-storage.bucket.libre.sh
+ key: secretKey
+ AWS_STORAGE_BUCKET_NAME:
+ secretKeyRef:
+ name: impress-media-storage.bucket.libre.sh
+ key: bucket
+ AWS_S3_REGION_NAME: local
+ STORAGES_STATICFILES_BACKEND: django.contrib.staticfiles.storage.StaticFilesStorage
+
+ createsuperuser:
+ command:
+ - "/bin/sh"
+ - "-c"
+ - |
+ python manage.py createsuperuser --email $DJANGO_SUPERUSER_EMAIL --password $DJANGO_SUPERUSER_PASSWORD
+ restartPolicy: Never
+
+frontend:
+ image:
+ repository: lasuite/impress-frontend
+ pullPolicy: Always
+ tag: "main"
+
+webrtc:
+ image:
+ repository: lasuite/impress-y-webrtc-signaling
+ pullPolicy: Always
+ tag: "main"
+
+ingress:
+ enabled: true
+ host: docs.numerique.gouv.fr
+ className: nginx
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt
+
+ingressAdmin:
+ enabled: true
+ host: docs.numerique.gouv.fr
+ className: nginx
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt
+ nginx.ingress.kubernetes.io/auth-signin: https://oauth2-proxy.beta.numerique.gouv.fr/oauth2/start
+ nginx.ingress.kubernetes.io/auth-url: https://oauth2-proxy.beta.numerique.gouv.fr/oauth2/auth
diff --git a/src/helm/extra/templates/secrets.yaml b/src/helm/extra/templates/secrets.yaml
index 011f357d..e0e78492 100644
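Review bot: `DJANGO_ALLOWED_HOSTS: "*"` in the production `envVars` disables Django's Host-header validation, so the backend builds absolute URLs (password-reset and redirect links) from whatever Host a request carries; since both ingresses are pinned to one name, set `DJANGO_ALLOWED_HOSTS: docs.numerique.gouv.fr` (plus the in-cluster service name if anything calls the backend directly). The three `tag: "main"` / `pullPolicy: Always` pairs make production roll forward to whatever was last pushed to `main`, with no pinned image to audit or roll back to — use an immutable tag or a digest here. `DJANGO_EMAIL_USE_SSL: True` and `DJANGO_EMAIL_PORT: 465` are a YAML boolean and an integer rather than strings; unless the chart quotes env values itself, write them as `"true"` and `"465"` so they render as the strings an env var must hold. Stock Django's `createsuperuser` has no `--password` flag (it reads `DJANGO_SUPERUSER_PASSWORD` itself when run with `--no-input`), so unless the project overrides the command the `createsuperuser` job will fail and, as written, also places the password in the process arguments; `python manage.py createsuperuser --no-input --email "$DJANGO_SUPERUSER_EMAIL"` avoids both. `DJANGO_SILENCED_SYSTEM_CHECKS: security.W008,security.W004` silences the SSL-redirect and HSTS checks without saying why; a comment such as `# TLS, redirect and HSTS are terminated at the ingress` would keep the next reader from removing or extending the list blindly.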
--- a/src/helm/extra/templates/secrets.yaml
+++ b/src/helm/extra/templates/secrets.yaml
@@ -3,6 +3,7 @@ kind: Secret
 metadata:
 name: backend
 stringData:
+ DJANGO_SUPERUSER_EMAIL: {{ .Values.djangoSuperUserEmail }}
 DJANGO_SUPERUSER_PASSWORD: {{ .Values.djangoSuperUserPass }}
 DJANGO_SECRET_KEY: {{ .Values.djangoSecretKey }}
 OIDC_RP_CLIENT_ID: {{ .Values.oidc.clientId }}
diff --git a/src/helm/helmfile.yaml b/src/helm/helmfile.yaml
index 89535352..6930686c 100644
--- a/src/helm/helmfile.yaml
+++ b/src/helm/helmfile.yaml
@@ -70,4 +70,9 @@ environments:
 - version: 0.0.1
 secrets:
 - env.d/{{ .Environment.Name }}/secrets.enc.yaml
+ production:
+ values:
+ - version: 0.0.1
+ secrets:
+ - env.d/{{ .Environment.Name }}/secrets.enc.yaml
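Review bot: The added `DJANGO_SUPERUSER_EMAIL: {{ .Values.djangoSuperUserEmail }}` in `secrets.yaml` interpolates the value into the Secret unquoted, so an empty value renders as `null`, and a value that starts with a YAML indicator or contains `: ` or ` #` changes the parsed document instead of landing in `stringData` as text; write `DJANGO_SUPERUSER_EMAIL: {{ .Values.djangoSuperUserEmail | quote }}`. The neighbouring `DJANGO_SUPERUSER_PASSWORD`, `DJANGO_SECRET_KEY` and `OIDC_RP_CLIENT_ID` lines follow the same unquoted pattern, so this is pre-existing style, but the new line is the place to stop extending it. The template's header and any keys after `OIDC_RP_CLIENT_ID` lie outside the hunk.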