👷(helm) production configuration

This PR adds the production configuration
for the helm chart.

src/helm/env.d/production/secrets.enc.yaml

@@ -0,0 +1,62 @@
+djangoSuperUserEmail: ENC[AES256_GCM,data:m+NiMlUXrTyTgi9P9s5K1Kgh11w7Vjk1YpPxPZzgp38=,iv:mFff/stfKLgoSlf+K9WwDoZ5tYDZEqNwYUxf9QuTJE4=,tag:DTEl01eR2ATj9TRR5Dn2RA==,type:str]
+djangoSuperUserPass: ENC[AES256_GCM,data:fNyk7zyNbsCf9CoxOEpn/bBVnRx8,iv:ODKdG754Qsf1udLDJo8aSQ7IVq89NTnEEOcLlryWrRE=,tag:Gqr2zGbpIZf6OiH4/2dj9g==,type:str]
+djangoSecretKey: ENC[AES256_GCM,data:EjjuNq1DqqXu70AhhrK36SaJ9sw=,iv:FQ/nYB/Otp04qdMV6NqnRgLHRqJ7bk658MZ0eHK0+a4=,tag:a1i5k4PZ4qX6LMJtFVsawg==,type:str]
+oidc:
+    clientId: ENC[AES256_GCM,data:lsybigXVABEzh/ii3bydX6EvNUKK2Hza0J8T5xvG2Us6tN2D,iv:sk0vuH9Gnkrz1Qmav0R2Vw2ov9UwHNKPFnZhIyLw6To=,tag:EKSziVRCm0yOfxgtvjGZpw==,type:str]
+    clientSecret: ENC[AES256_GCM,data:jlyIMvkRorq+s/XXFfKTd+aeI+tjaX+5UPFA09LX04qj7eSBfmDMEjDPw/RsXHbtKiqPRaQA6efKdMzDPPgGTA==,iv:jEoZa1e7cVffN9Oojj8Zz3clh+4+Hs0CQ7Pn3+kSrWU=,tag:BpNdhJrTOd6pkEAvafVgyw==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age15fyxdwmg5mvldtqqus87xspuws2u0cpvwheehrtvkexj4tnsqqysw6re2x
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqcW9vRnNTSzNMdnhNa3Y0
+            KytNd1pMaTdhUmdqek1JWFQ1ZHNpQ2tyTUFJCncyTjkxbWdqbFU0UVZZN2JpUkh5
+            MWZjQzRLRUNSdEIzU01xZmo4VWJNUGcKLS0tIGZ6RUZpV2RnMnhKWEl5amdsakJS
+            RXRZQ0JTR2xWOWtmNlRBVXpnaDVSdzgK/M75CMrIhT1WT21M52/LjmgaN+8ty1t3
+            6qmLPXBucl0MoX915/oCatNJ3KU5fMNaZrZ/bYS1R/ThVxsp3h2q/g==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age16hnlml8yv4ynwy0seer57g8qww075crd0g7nsundz3pj4wk7m3vqftszg7
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKUW44cXNPT1M3TUJnYzBP
+            NkwvUVM0aGNpdFl5eDdxclZiQXF3VS9QOXgwCjgrL3lWMWxBaW1aT0NTM1BUTElo
+            SVVJd2RLU0dEZlNJcS8rbm5TcDZuVjQKLS0tIEdYRlZCYjVTWDhuTTNPNk9WZkNI
+            Rkg3eVVSTEV4M2QwY3FJTUx1Z1lEZUEK6sIJCpFOrFf9XspRyV1alvi4TTczIAos
+            IncTCQtr+MhOC37EdIrXUKBWFJ2LCIBrYJkdpcxpDhFr0Eo2zEFuXg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1plkp8td6zzfcavjusmsfrlk54t9vn8jjxm8zaz7cmnr7kzl2nfnsd54hwg
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPMHNPN1Fuai9NUzRROFk2
+            RGVpNVBjazI4QTQ1clFvMXlxb01oOHpMR1ZvCmRDa1dqSjdxdGlKQUZ1UGxVVnR5
+            K1E1WUxUMjI4d1FLWlFYVmJUelYxT1UKLS0tIHQyVUNnYVpoRkNUUUxidVBOYkRI
+            NXFleVlpKzl4TVRFMTZRemJrYmpmVGsKfYgxd/ejE5AQVx3u+1u0c7QLy519c2hf
+            Mrk8+uM1OVOXyYslMEwj40HW/sb6yUzkz+kcSKotDy8ZEHu6WzaCbw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age12g6f5fse25tgrwweleh4jls3qs52hey2edh759smulwmk5lnzadslu2cp3
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYK29HR2pVVW5LUnRBZkZs
+            WlpZdlRXbkRuUGRhODFOcDYzc3hWNWtBMGdJCm9tS3R2Sk1UOXNMN0lQS0Q5UUdN
+            K2thQlp6Z3p1Uk9qUCtUWGJpWVhYVjQKLS0tIDBwcTRFdFRMQmpGQ0JBU1k5d3Er
+            N1lFdmNtVG5sKzRoaTc3cmU3T2Mrdm8KknJBCHMdiyOMRymNti8E7xLW/3P+ZLOx
+            tadj5YD42WDMMTLrMCaQ3HbcnoC9Bs+OJ6Nqy9owiHtnvM5nGkkopw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1qy04neuzwpasmvljqrcvhwnf0kz5cpyteze38c8avp0czewskasszv9pyw
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVb3JOT0F4elBNeFZOcVRo
+            d3ZSY3lIZm5JUVZoVnhyeXM0dDh3UzlRdWxzCnlGOU1ORzdBSmpFeGZPSlhTUzh4
+            N0p0bzlZZ3ZBZG9sKzhiOVl3Z1B4TzQKLS0tIGs3a2xRR0NPWTJvNTFBUGdoRG1z
+            dnRuVnlkK0N3Q2RFbEpYWDV5WkZQcVEKVR9Jb+hp0lN/AkYt5cCWlNAita+mfMAG
+            WvEUMEsDUG/ziRr1vQybh+4W62FQo/nvFNQFA63aNK0RHHIv32PR0g==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-05-21T13:04:00Z"
+    mac: ENC[AES256_GCM,data:SU0DELUktpCpZXtfFnbTRzv3uvAZUOYQHZ86j0zUId3K9JqrbuhJPloosl7iwsMd0IXB19VXIQFgnXWvv1aBj96Lz5JRGaB31lLsWCEAK7iALQhUMO8EUsLVIDIn0c4g1ytz2EAI+tInSbcKrwQxvO00Nbqouu+MJpWESCkK9EQ=,iv:3xXOjSqi/swTQwDSMn6+w6B7U+oB6A/COX8uRZLjxNM=,tag:+p3UvY9y4LVGVK5DXoT73g==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1

src/helm/env.d/production/values.impress.yaml.gotmpl

@@ -0,0 +1,140 @@
+image:
+  repository: lasuite/impress-backend
+  pullPolicy: Always
+  tag: "main"
+
+backend:
+  migrateJobAnnotations:
+    argocd.argoproj.io/hook: PostSync
+    argocd.argoproj.io/hook-delete-policy: HookSucceeded
+  envVars:
+    DJANGO_CSRF_TRUSTED_ORIGINS: https://docs.numerique.gouv.fr
+    DJANGO_CONFIGURATION: Production
+    DJANGO_ALLOWED_HOSTS: "*"
+    DJANGO_SECRET_KEY:
+      secretKeyRef:
+        name: backend
+        key: DJANGO_SECRET_KEY
+    DJANGO_SETTINGS_MODULE: impress.settings
+    DJANGO_SUPERUSER_EMAIL:
+      secretKeyRef:
+        name: backend
+        key: DJANGO_SUPERUSER_EMAIL
+    DJANGO_SUPERUSER_PASSWORD:
+      secretKeyRef:
+        name: backend
+        key: DJANGO_SUPERUSER_PASSWORD
+    DJANGO_EMAIL_HOST: "snap-mail.numerique.gouv.fr"
+    DJANGO_EMAIL_PORT: 465
+    DJANGO_EMAIL_USE_SSL: True
+    DJANGO_SILENCED_SYSTEM_CHECKS: security.W008,security.W004
+    OIDC_OP_JWKS_ENDPOINT: https://auth.agentconnect.gouv.fr/api/v2/jwks
+    OIDC_OP_AUTHORIZATION_ENDPOINT: https://auth.agentconnect.gouv.fr/api/v2/authorize
+    OIDC_OP_TOKEN_ENDPOINT: https://auth.agentconnect.gouv.fr/api/v2/token
+    OIDC_OP_USER_ENDPOINT: https://auth.agentconnect.gouv.fr/api/v2/userinfo
+    OIDC_OP_LOGOUT_ENDPOINT: https://auth.agentconnect.gouv.fr/api/v2/session/end
+    OIDC_RP_CLIENT_ID:
+      secretKeyRef:
+        name: backend
+        key: OIDC_RP_CLIENT_ID
+    OIDC_RP_CLIENT_SECRET:
+      secretKeyRef:
+        name: backend
+        key: OIDC_RP_CLIENT_SECRET
+    OIDC_RP_SIGN_ALGO: RS256
+    OIDC_RP_SCOPES: "openid email"
+    OIDC_REDIRECT_ALLOWED_HOSTS: https://docs.numerique.gouv.fr
+    OIDC_AUTH_REQUEST_EXTRA_PARAMS: "{'acr_values': 'eidas1'}"
+    LOGIN_REDIRECT_URL: https://docs.numerique.gouv.fr
+    LOGIN_REDIRECT_URL_FAILURE: https://docs.numerique.gouv.fr
+    LOGOUT_REDIRECT_URL: https://docs.numerique.gouv.fr
+    DB_HOST:
+      secretKeyRef:
+        name: postgresql.postgres.libre.sh
+        key: host
+    DB_NAME:
+      secretKeyRef:
+        name: postgresql.postgres.libre.sh
+        key: database
+    DB_USER:
+      secretKeyRef:
+        name: postgresql.postgres.libre.sh
+        key: username
+    DB_PASSWORD:
+      secretKeyRef:
+        name: postgresql.postgres.libre.sh
+        key: password
+    DB_PORT:
+      secretKeyRef:
+        name: postgresql.postgres.libre.sh
+        key: port
+    POSTGRES_USER:
+      secretKeyRef:
+        name: postgresql.postgres.libre.sh
+        key: username
+    POSTGRES_DB:
+      secretKeyRef:
+        name: postgresql.postgres.libre.sh
+        key: database
+    POSTGRES_PASSWORD:
+      secretKeyRef:
+        name: postgresql.postgres.libre.sh
+        key: password
+    REDIS_URL:
+      secretKeyRef:
+        name: redis.redis.libre.sh
+        key: url
+    AWS_S3_ENDPOINT_URL:
+      secretKeyRef:
+        name: impress-media-storage.bucket.libre.sh
+        key: url
+    AWS_S3_ACCESS_KEY_ID:
+      secretKeyRef:
+        name: impress-media-storage.bucket.libre.sh
+        key: accessKey
+    AWS_S3_SECRET_ACCESS_KEY:
+      secretKeyRef:
+        name: impress-media-storage.bucket.libre.sh
+        key: secretKey
+    AWS_STORAGE_BUCKET_NAME:
+      secretKeyRef:
+        name: impress-media-storage.bucket.libre.sh
+        key: bucket
+    AWS_S3_REGION_NAME: local
+    STORAGES_STATICFILES_BACKEND: django.contrib.staticfiles.storage.StaticFilesStorage
+
+  createsuperuser:
+    command:
+      - "/bin/sh"
+      - "-c"
+      - |
+        python manage.py createsuperuser --email $DJANGO_SUPERUSER_EMAIL --password $DJANGO_SUPERUSER_PASSWORD
+    restartPolicy: Never
+
+frontend:
+  image:
+    repository: lasuite/impress-frontend
+    pullPolicy: Always
+    tag: "main"
+
+webrtc:
+  image:
+    repository: lasuite/impress-y-webrtc-signaling
+    pullPolicy: Always
+    tag: "main"
+
+ingress:
+  enabled: true
+  host: docs.numerique.gouv.fr
+  className: nginx
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt
+
+ingressAdmin:
+  enabled: true
+  host: docs.numerique.gouv.fr
+  className: nginx
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt
+    nginx.ingress.kubernetes.io/auth-signin: https://oauth2-proxy.beta.numerique.gouv.fr/oauth2/start
+    nginx.ingress.kubernetes.io/auth-url: https://oauth2-proxy.beta.numerique.gouv.fr/oauth2/auth

src/helm/extra/templates/secrets.yaml

@@ -3,6 +3,7 @@ kind: Secret
 metadata:
   name: backend
 stringData:
+  DJANGO_SUPERUSER_EMAIL: {{ .Values.djangoSuperUserEmail }}
   DJANGO_SUPERUSER_PASSWORD: {{ .Values.djangoSuperUserPass }}
   DJANGO_SECRET_KEY: {{ .Values.djangoSecretKey }}
   OIDC_RP_CLIENT_ID: {{ .Values.oidc.clientId }}

src/helm/helmfile.yaml

@@ -70,4 +70,9 @@ environments:
       - version: 0.0.1
     secrets:
       - env.d/{{ .Environment.Name }}/secrets.enc.yaml
+  production:
+    values:
+      - version: 0.0.1
+    secrets:
+      - env.d/{{ .Environment.Name }}/secrets.enc.yaml