🔧(helm) offer a standalone dev environment

Offer a standalone dev environment or a dinum specific dev
environment with ProConnect authentication.

Needed to refactor the way secrets are managed in the project,
and also re-organize the Helm chart to make it totally standalone.

Particulary useful for external wanting to run the project.
Work done by @rouja.

Makefile

@@ -301,6 +301,36 @@ build-k8s-cluster: ## build the kubernetes cluster using kind
 	./bin/start-kind.sh
 .PHONY: build-k8s-cluster
 
+install-secret: ## install the kubernetes secrets from Vaultwarden
+	if kubectl -n meet get secrets bitwarden-cli-visio; then \
+		echo "Secret already present"; \
+	else \
+		echo "Please provide the following information:"; \
+		read -p "Enter your vaultwarden email login: " LOGIN; \
+		read -p "Enter your vaultwarden password: " PASSWORD; \
+		read -p "Enter your vaultwarden server url: " URL; \
+		echo "\nCreate vaultwarden secret"; \
+		echo "apiVersion: v1" > /tmp/secret.yaml; \
+		echo "kind: Secret" >> /tmp/secret.yaml; \
+		echo "metadata:" >> /tmp/secret.yaml; \
+		echo "  name: bitwarden-cli-visio" >> /tmp/secret.yaml; \
+		echo "  namespace: meet" >> /tmp/secret.yaml; \
+		echo "type: Opaque" >> /tmp/secret.yaml; \
+		echo "stringData:" >> /tmp/secret.yaml; \
+		echo "  BW_HOST: $$URL" >> /tmp/secret.yaml; \
+		echo "  BW_PASSWORD: $$PASSWORD" >> /tmp/secret.yaml; \
+		echo "  BW_USERNAME: $$LOGIN" >> /tmp/secret.yaml; \
+		kubectl -n meet apply -f /tmp/secret.yaml;\
+		rm -f /tmp/secret.yaml; \
+		helm repo add external-secrets https://charts.external-secrets.io; \
+		helm upgrade --install external-secrets \
+      external-secrets/external-secrets \
+       -n meet \
+       --create-namespace \
+       --set installCRDs=true; \
+	fi
+.PHONY: build-k8s-cluster
+
 start-tilt: ## start the kubernetes cluster using kind
 	tilt up -f ./bin/Tiltfile
 .PHONY: build-k8s-cluster

src/helm/env.d/dev-keycloak/values.meet.yaml.gotmpl

@@ -21,14 +21,8 @@ backend:
     OIDC_OP_TOKEN_ENDPOINT: https://keycloak.127.0.0.1.nip.io/realms/meet/protocol/openid-connect/token
     OIDC_OP_USER_ENDPOINT: https://keycloak.127.0.0.1.nip.io/realms/meet/protocol/openid-connect/userinfo
     OIDC_OP_LOGOUT_ENDPOINT: https://keycloak.127.0.0.1.nip.io/realms/meet/protocol/openid-connect/session/end
-    OIDC_RP_CLIENT_ID:
+    OIDC_RP_CLIENT_ID: meet
-      secretKeyRef:
+    OIDC_RP_CLIENT_SECRET: ThisIsAnExampleKeyForDevPurposeOnly
-        name: backend
-        key: OIDC_RP_CLIENT_ID
-    OIDC_RP_CLIENT_SECRET:
-      secretKeyRef:
-        name: backend
-        key: OIDC_RP_CLIENT_SECRET
     OIDC_RP_SIGN_ALGO: RS256
     OIDC_RP_SCOPES: "openid email"
     OIDC_REDIRECT_ALLOWED_HOSTS: https://meet.127.0.0.1.nip.io
@@ -118,7 +112,7 @@ ingressAdmin:
 posthog:
   ingress:
     enabled: false
-
+  
   ingressAssets:
     enabled: false
 
@@ -140,12 +134,12 @@ summary:
     WEBHOOK_URL: https://www.mock-impress.com/webhook/
     CELERY_BROKER_URL: redis://default:pass@redis-master:6379/1
     CELERY_RESULT_BACKEND: redis://default:pass@redis-master:6379/1
-
+  
   image:
     repository: localhost:5001/meet-summary
     pullPolicy: Always
     tag: "latest"
-
+  
   command:
     - "uvicorn"
     - "summary.main:app"
@@ -173,7 +167,7 @@ celery:
     WEBHOOK_URL: https://www.mock-impress.com/webhook/
     CELERY_BROKER_URL: redis://default:pass@redis-master:6379/1
     CELERY_RESULT_BACKEND: redis://default:pass@redis-master:6379/1
-
+  
   image:
     repository: localhost:5001/meet-summary
     pullPolicy: Always

src/helm/env.d/dev/secrets.enc.yaml

@@ -1,103 +0,0 @@
-djangoSecretKey: ENC[AES256_GCM,data:p+9m8eNB/dKMXAdfL0cVCg1uKhAv+YLrM+jjajvRYmOZZ9qbiikuFv0dyDp32va/M9w=,iv:ijUztg7ta6BBTsKs+IIfJMFdN0DfzyAKoxlfY8lisPg=,tag:B+uW6akIV0iI2LdMQotrpw==,type:str]
-oidc:
-    clientId: ENC[AES256_GCM,data:rHzKkQwFQ7hV6kOBBP60RK41NBKVMUs4dMcZavMQ8gCu9ust,iv:8vviSb+XIKS/zjBIScfmWu0VJ8lXCQZ8p7BxuvJtA2w=,tag:k8vn8I/qxKLE/+JNTDj4Jw==,type:str]
-    clientSecret: ENC[AES256_GCM,data:dOYJoG2PStlOMIJPi2exPzsqlxis73iTkcBMvjr8DBr2isWzstpbexscsog7Tuyelw4tpzrJKzC5BTTwJ+xioQ==,iv:oqkLRTPB8+qR0AHvjyNVfHRmoeGrkUvZjrTsWBjIeBc=,tag:hryfmSeqkdWCN9U38jxXlA==,type:str]
-#ENC[AES256_GCM,data:ua1td/VBXGIHDgAw/bm8XnWIRLmgeJKX9dP7g/rNv3jVsXHw6T+iDXxMWpLXNicAZ/RTymdntlwLwsH47r70Z4icEPsjps0yOZ+X734vaL9wVH9IsyFwCihtyck94kgY4CyC7DI=,iv:iGHYu+2aPaI28PQWFheVVuge8BPWLw1VB7Afsz7eLtI=,tag:pfkXsS+/QmHb3kHS/ONHCA==,type:comment]
-livekit:
-    keys:
-        devkey: ENC[AES256_GCM,data:5RnAMGm3,iv:bY4n8op2KFlXRqzV9h3QwoC3Bws2aEoN1GFxPlrrVBw=,tag:lA+b/6poVRzeJW6Bu8V29A==,type:str]
-livekitApi:
-    key: ENC[AES256_GCM,data:JP7KkPms,iv:LlIJ62IRyGf8fByl6abSZv1to2FUc90laC0oL5HFJK4=,tag:2aLMQ79GlDOaiurh8unO0Q==,type:str]
-    secret: ENC[AES256_GCM,data:kGDJo1lh,iv:dnI1OuvZGOJZEKZwzoigXqViqYCw/6H7Y0sVXH/p5RA=,tag:G1IB0mc8zuKEmkxrfyImrQ==,type:str]
-sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age:
-        - recipient: age15fyxdwmg5mvldtqqus87xspuws2u0cpvwheehrtvkexj4tnsqqysw6re2x
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByR3IybDN3eGx4amYzZkFt
-            OW5VV3FQN3dkSmZBL0JwUE1qSzNLYmRTc1RjCkVCQ2ZmaHk2SFRJaXdMd0VMZUlP
-            b0VQeDVUTDBEZzhBQnhrS2RybzYvL1UKLS0tIG1CbllhWGpsOWx4WEkya0NLeUlC
-            WmRScW9MVkxQLzRxdk85WTZ4U2E0aUUKTpOPYQXutU0xYLih7SNYoQgO+PSEIERL
-            HLz+C7iV+Fj1/M7JrgiGxTB8wJoKMo7IhJ8AjxaAdxR4Q1TgUpQkPw==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age16hnlml8yv4ynwy0seer57g8qww075crd0g7nsundz3pj4wk7m3vqftszg7
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0aE15QkRsNmg2UTkxaWNF
-            T3NZY2RqSDd0WlRKOHYxWFE2R3J5SGJhRjJNClNIcEFwOEtoSmRWQjdaSm1ZSnlj
-            amhNci9tRDl2Qlp4dlBGZFYzTGxYdm8KLS0tIDZZWTYxQmVqOEZQaTNOODFGWUhn
-            cXpJL3poT3dpYjZKWTN6dGpOV3kxT2sKozsOz+cSYJdZ0C2L6QCf/VSU9DnOz6ae
-            lqV5MMzSl1Jf8ETpqt+PhvvWz+MLCAkIriT9yf6R29DQifCacB7XOA==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1plkp8td6zzfcavjusmsfrlk54t9vn8jjxm8zaz7cmnr7kzl2nfnsd54hwg
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBySkpOYWxjQVZRbGtkNXlt
-            OTRKTDlrNjNMenU3V0hPeXYyRnhGVU1mMmhNCmhJTi9ZQzB3ekpSR0k1VDFiNExu
-            dW9TQkI3Vy9LOXhQaEExZHMyM25xZlEKLS0tIGRYTkpzbjIvL1FMS2lYYXl4dDVZ
-            U040akh0Z1ZYVmdjS3k2ZjFRK2VRNGMKqSCnviWARWTkZXeht+sdOYKAxylYYyZK
-            uXYE3nBaXGosIqmTf6deVqCIY+m0mH/J4UMcbH+faMV4pWmVr2JAxg==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age12g6f5fse25tgrwweleh4jls3qs52hey2edh759smulwmk5lnzadslu2cp3
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJbUhzZStoUVBHUkZLWlE3
-            NWNiRkJMdXhUVXRNZTFCMUljVzIxY3BVMFQ4ClpmOGhqeUZiaG1HcU5zdndmWE5y
-            Ym5OTmoyVVVsb2Ywa3loRTVNZzdlVjQKLS0tIHNEWVV3Mkk2VGVzR3diQW5Ccm1a
-            MVNUYjZCME9rQWFUaWNycEh5THQyTTAKTBnoF76mJ/GoCIq4TsmV+luYbiWnx0+I
-            BEISvqsr9gbT0z8kfdo/htPoKHZmnyevZhRhd2AMZdKixYvQMX9sjA==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1tl80n23wq6zxegupwn70ew0yp225ua5v4dk800x7g2w6pvlxz46qk592pa
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDWEZkODBNOGw2WFdncjJ0
-            TTVzRHlEa1AzaTF4V2hYR3hFRGg2cnBzYmowCmp3WDJ3bEZoTlFYL2hoZ3hhTVU1
-            WnQyYk03K2xmSk00dS92OHNNZnRIL2cKLS0tIEVrbjY4enJBZzdQMjRCRmwwVlRI
-            OHVOMm9NTGdJbnZ2aXYxdi9OdWpkVE0K4b1Hu6rOHVtfH601aXb/uTGYjNMh6yW/
-            LetO+HKk+VEzXHntObK2k/4mTl5I0+OP5H8+PR0jdIUZDpr79iEbgQ==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1qy04neuzwpasmvljqrcvhwnf0kz5cpyteze38c8avp0czewskasszv9pyw
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqVE9iMmUwTXE2SHZNdG5P
-            Vi9XQ1Jkc1VDamFlakpkZk45ODZ2YnkwYkVBCnNrbktIdkV4UGltcHBUUHlXbjdx
-            Z0QwM3ZKbGI1cDBjL2g2cjdKdElOQjAKLS0tIGxrcTJDa1BWVWcxUS80MmxIMWZH
-            YjBRMDZJZWlmN1FNaXV5c04yVWtleE0K+nGNyFzqSotFP7My/kUnAgxXGu/ji50K
-            OGVLYgNvU48rCGck3r9ZrKY1HpQdAY8UMQXECsuO4HgdirNjiZ97Zg==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age18fgn6j2vwwswqcpv9xpcehq8mrf9zs2sglwkamp3tzwx8d9jq9jsrskrk9
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4ZXZud0dqb0dkQ0E3NnE4
-            SXB0ZENjQk1mb1BHU2R1bW0waDhTYy9OZldVCjVnRTV5d1c3Q2NzcEVRQ3BoL09I
-            T1RPQ3hHT3Y2NFNzWG9EdGM2STR2STgKLS0tIHBvL3RhREFNTVdwUGk3S1B4NWJL
-            TnZpblF1SDdGRlVXM0dEdFAzT1FEMUUK6L8gTv5gt6++A3B7PHyWl+xtBUc8bC6G
-            53xoJvyyBpaov3HgUAdrN9VHubfEJmrBGgN7DngGgwYPtlhV87M7/w==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1hm2hsfgjezpsc3k0y5w5feq9t8vl3seq04qjhgt6ztd6403wfvpsgxu09m
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlaXY1VmtDejcwTmUxRVZT
-            YURhMkVPaHNvb0sxT0FYL0pvN3hqclNNcXdRCmxWV3FGeDZTM1VVMVRyalpkVnFJ
-            OGU3Wk9wVVAvejVTdjc1MENPcy9Qc1kKLS0tIGpJQXhZVzV3REc2SFlFSXg0dUo5
-            bjRBaGtJdUFmVUkxeGgwbGYwWjRnNEkKYwzwZ9oOo+C6XD57rkUTO6QADZKzYfSF
-            cFJ7fX0NyZbzxLncyofWa+dlLWLZ3KohIP0doAFngRm+RVsUEVqY5A==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1hnhuzj96ktkhpyygvmz0x9h8mfvssz7ss6emmukags644mdhf4msajk93r
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1aFNsL2xvWmI4UTAxREc4
-            NFF3bC9qRTBqS3JrM3B0ZjE5bEtjR0diT0VjClhFNStFU3RydnhvcG9CSmhYM3V4
-            VjZ5c0JQZjRoQXh1R2UyeDMyd2NFMEEKLS0tIDNwWUNzZmlrNGZPbERTeFpoUkxO
-            QnZTWWFMemk5djVNWFRaekVMRkMyUjgKt4dw4BOm3J1Ig6U58NbSjzJbWi3ak/Zq
-            8PX5IW7tq1q5+Qd3adqv3cd9S2aVpqjHyN34fxagmuwfvYXVyQ2GDg==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-10-02T07:30:09Z"
-    mac: ENC[AES256_GCM,data:BdEiR/7AiTz9eppAGOAarFzUJYEfCZzb0lg8LXaHiXe74B5Ob7Ai+XuBBX+x9QPIFzbLZgVveVSrqymW0wAH9Dv5R+e4spDf5KKdRCr9RADfCXNjYC0N9grZVerM70Ic51Lc1kKDnB2mon01W5Sa77Ei29Jo988yvM8AOlXFvr4=,iv:p7PCazxKNv7YcGX7Kpp2L8wXEFaJO8FajEXcVMzmmWQ=,tag:WJKZOkFZSof6IhcXqc60uQ==,type:str]
-    pgp: []
-    unencrypted_suffix: _unencrypted
-    version: 3.9.0

src/helm/env.d/dev/values.meet.yaml.gotmpl

@@ -1,3 +1,14 @@
+secrets:
+  - name: oidcLogin
+    itemId: a25effec-eaea-4ce1-9ed8-3a3cc1c734db
+    field: username
+    podVariable: OIDC_RP_CLIENT_ID
+    clusterSecretStore: bitwarden-login-visio
+  - name: oidcPass
+    itemId: a25effec-eaea-4ce1-9ed8-3a3cc1c734db
+    field: password
+    podVariable: OIDC_RP_CLIENT_SECRET
+    clusterSecretStore: bitwarden-login-visio
 image:
   repository: localhost:5001/meet-backend
   pullPolicy: Always
@@ -21,8 +32,14 @@ backend:
     OIDC_OP_TOKEN_ENDPOINT: https://fca.integ01.dev-agentconnect.fr/api/v2/token
     OIDC_OP_USER_ENDPOINT: https://fca.integ01.dev-agentconnect.fr/api/v2/userinfo
     OIDC_OP_LOGOUT_ENDPOINT: https://fca.integ01.dev-agentconnect.fr/api/v2/session/end
-    OIDC_RP_CLIENT_ID: {{ .Values.oidc.clientId }}
+    OIDC_RP_CLIENT_ID:
-    OIDC_RP_CLIENT_SECRET: {{ .Values.oidc.clientSecret }}
+      secretKeyRef:
+        name: backend
+        key: OIDC_RP_CLIENT_ID
+    OIDC_RP_CLIENT_SECRET:
+      secretKeyRef:
+        name: backend
+        key: OIDC_RP_CLIENT_SECRET
     OIDC_RP_SIGN_ALGO: RS256
     OIDC_RP_SCOPES: "openid email given_name usual_name"
     OIDC_REDIRECT_ALLOWED_HOSTS: https://meet.127.0.0.1.nip.io

src/helm/env.d/dev/values.secrets.yaml

@@ -0,0 +1,8 @@
+djangoSecretKey: u!vbjDW71aru&OZA%NZQi0x
+livekit:
+    keys:
+        devkey: secret
+livekitApi:
+    key: devkey
+    secret: secret
+

src/helm/env.d/production/secrets.enc.yaml

@@ -1 +0,0 @@
-../../../../secrets/numerique-gouv/meet/env/production/secrets.enc.yaml

src/helm/env.d/production/values.meet.yaml.gotmpl

@@ -1,290 +0,0 @@
-image:
-  repository: lasuite/meet-backend
-  pullPolicy: Always
-  tag: "v0.1.12"
-
-backend:
-  migrateJobAnnotations:
-    argocd.argoproj.io/hook: PostSync
-    argocd.argoproj.io/hook-delete-policy: HookSucceeded
-  envVars:
-    DJANGO_CSRF_TRUSTED_ORIGINS: https://visio.numerique.gouv.fr,https://meet.numerique.gouv.fr
-    DJANGO_CONFIGURATION: Production
-    DJANGO_ALLOWED_HOSTS: visio.numerique.gouv.fr,meet.numerique.gouv.fr
-    DJANGO_SECRET_KEY:
-      secretKeyRef:
-        name: backend
-        key: DJANGO_SECRET_KEY
-    DJANGO_SETTINGS_MODULE: meet.settings
-    DJANGO_SILENCED_SYSTEM_CHECKS: security.W004, security.W008
-    DJANGO_SUPERUSER_EMAIL:
-      secretKeyRef:
-        name: backend
-        key: DJANGO_SUPERUSER_EMAIL
-    DJANGO_SUPERUSER_PASSWORD:
-      secretKeyRef:
-        name: backend
-        key: DJANGO_SUPERUSER_PASSWORD
-    DJANGO_EMAIL_HOST: "snap-mail.numerique.gouv.fr"
-    DJANGO_EMAIL_PORT: 465
-    DJANGO_EMAIL_USE_SSL: True
-    DJANGO_SENTRY_DSN: https://5aead03f03505da5130af6d642c42faf@sentry.incubateur.net/202
-    OIDC_OP_JWKS_ENDPOINT: https://auth.agentconnect.gouv.fr/api/v2/jwks
-    OIDC_OP_AUTHORIZATION_ENDPOINT: https://auth.agentconnect.gouv.fr/api/v2/authorize
-    OIDC_OP_TOKEN_ENDPOINT: https://auth.agentconnect.gouv.fr/api/v2/token
-    OIDC_OP_USER_ENDPOINT: https://auth.agentconnect.gouv.fr/api/v2/userinfo
-    OIDC_OP_LOGOUT_ENDPOINT: https://auth.agentconnect.gouv.fr/api/v2/session/end
-    OIDC_RP_CLIENT_ID:
-      secretKeyRef:
-        name: backend
-        key: OIDC_RP_CLIENT_ID
-    OIDC_RP_CLIENT_SECRET:
-      secretKeyRef:
-        name: backend
-        key: OIDC_RP_CLIENT_SECRET
-    OIDC_RP_SIGN_ALGO: RS256
-    OIDC_RP_SCOPES: "openid email given_name usual_name"
-    OIDC_REDIRECT_ALLOWED_HOSTS: https://visio.numerique.gouv.fr
-    OIDC_AUTH_REQUEST_EXTRA_PARAMS: "{'acr_values': 'eidas1'}"
-    LOGIN_REDIRECT_URL: https://visio.numerique.gouv.fr
-    LOGIN_REDIRECT_URL_FAILURE: https://visio.numerique.gouv.fr
-    LOGOUT_REDIRECT_URL: https://visio.numerique.gouv.fr
-    DB_HOST:
-      secretKeyRef:
-        name: postgresql.postgres.libre.sh
-        key: host
-    DB_NAME:
-      secretKeyRef:
-        name: postgresql.postgres.libre.sh
-        key: database
-    DB_USER:
-      secretKeyRef:
-        name: postgresql.postgres.libre.sh
-        key: username
-    DB_PASSWORD:
-      secretKeyRef:
-        name: postgresql.postgres.libre.sh
-        key: password
-    DB_PORT:
-      secretKeyRef:
-        name: postgresql.postgres.libre.sh
-        key: port
-    POSTGRES_USER:
-      secretKeyRef:
-        name: postgresql.postgres.libre.sh
-        key: username
-    POSTGRES_DB:
-      secretKeyRef:
-        name: postgresql.postgres.libre.sh
-        key: database
-    POSTGRES_PASSWORD:
-      secretKeyRef:
-        name: postgresql.postgres.libre.sh
-        key: password
-    REDIS_URL:
-      secretKeyRef:
-        name: redis.redis.libre.sh
-        key: url
-    STORAGES_STATICFILES_BACKEND: django.contrib.staticfiles.storage.StaticFilesStorage
-    LIVEKIT_API_SECRET:
-      secretKeyRef:
-        name: backend
-        key: LIVEKIT_API_SECRET
-    LIVEKIT_API_KEY:
-      secretKeyRef:
-        name: backend
-        key: LIVEKIT_API_KEY
-    LIVEKIT_API_URL: https://livekit-preprod.beta.numerique.gouv.fr
-    ALLOW_UNREGISTERED_ROOMS: False
-    FRONTEND_SILENCE_LIVEKIT_DEBUG: False
-    FRONTEND_ANALYTICS: "{'id': 'phc_RPYko028Oqtj0c9exLIWwrlrjLxSdxT0ntW0Lam4iom', 'host': 'https://product.visio.numerique.gouv.fr'}"
-    FRONTEND_SUPPORT: "{'id': '58ea6697-8eba-4492-bc59-ad6562585041'}"
-    AWS_S3_ENDPOINT_URL:
-      secretKeyRef:
-        name: meet-media-storage.bucket.libre.sh
-        key: url
-    AWS_S3_ACCESS_KEY_ID:
-      secretKeyRef:
-        name: meet-media-storage.bucket.libre.sh
-        key: accessKey
-    AWS_S3_SECRET_ACCESS_KEY:
-      secretKeyRef:
-        name: meet-media-storage.bucket.libre.sh
-        key: secretKey
-    AWS_STORAGE_BUCKET_NAME:
-      secretKeyRef:
-        name: meet-media-storage.bucket.libre.sh
-        key: bucket
-    AWS_S3_REGION_NAME: local
-    RECORDING_ENABLE: True
-    RECORDING_STORAGE_EVENT_ENABLE: True
-    RECORDING_STORAGE_EVENT_TOKEN:
-        secretKeyRef:
-            name: backend
-            key: RECORDING_STORAGE_EVENT_TOKEN
-    SUMMARY_SERVICE_ENDPOINT: http://meet-summary:80/api/v1/tasks/
-    SUMMARY_SERVICE_API_TOKEN:
-        secretKeyRef:
-            name: summary
-            key: APP_API_TOKEN
-
-  createsuperuser:
-    command:
-      - "/bin/sh"
-      - "-c"
-      - |
-        python manage.py createsuperuser --email $DJANGO_SUPERUSER_EMAIL --password $DJANGO_SUPERUSER_PASSWORD
-    restartPolicy: Never
-
-frontend:
-  image:
-    repository: lasuite/meet-frontend
-    pullPolicy: Always
-    tag: "v0.1.12"
-
-ingress:
-  enabled: true
-  host: visio.numerique.gouv.fr
-  className: nginx
-  annotations:
-    cert-manager.io/cluster-issuer: letsencrypt
-
-ingressAdmin:
-  enabled: true
-  host: visio.numerique.gouv.fr
-  className: nginx
-  annotations:
-    cert-manager.io/cluster-issuer: letsencrypt
-    nginx.ingress.kubernetes.io/auth-signin: https://oauth2-proxy.beta.numerique.gouv.fr/oauth2/start
-    nginx.ingress.kubernetes.io/auth-url: https://oauth2-proxy.beta.numerique.gouv.fr/oauth2/auth
-
-posthog:
-  ingress:
-    enabled: true
-    host: product.visio.numerique.gouv.fr
-    className: nginx
-    annotations:
-      cert-manager.io/cluster-issuer: letsencrypt
-      nginx.ingress.kubernetes.io/upstream-vhost: eu.i.posthog.com
-      nginx.ingress.kubernetes.io/backend-protocol: https
-
-  ingressAssets:
-    enabled: true
-    host: product.visio.numerique.gouv.fr
-    className: nginx
-    annotations:
-      cert-manager.io/cluster-issuer: letsencrypt
-      nginx.ingress.kubernetes.io/upstream-vhost: eu-assets.i.posthog.com
-      nginx.ingress.kubernetes.io/backend-protocol: https
-
-summary:
-  replicas: 1
-  envVars:
-    APP_NAME: summary-microservice
-    APP_API_TOKEN:
-      secretKeyRef:
-        name: summary
-        key: APP_API_TOKEN
-    AWS_S3_ENDPOINT_URL:
-      secretKeyRef:
-        name: meet-media-storage.bucket.libre.sh
-        key: url
-    AWS_S3_ACCESS_KEY_ID:
-      secretKeyRef:
-        name: meet-media-storage.bucket.libre.sh
-        key: accessKey
-    AWS_S3_SECRET_ACCESS_KEY:
-      secretKeyRef:
-        name: meet-media-storage.bucket.libre.sh
-        key: secretKey
-    AWS_STORAGE_BUCKET_NAME:
-      secretKeyRef:
-        name: meet-media-storage.bucket.libre.sh
-        key: bucket
-    AWS_S3_REGION_NAME: local
-    OPENAI_API_KEY:
-      secretKeyRef:
-        name: summary
-        key: OPENAI_API_KEY
-    OPENAI_BASE_URL: https://albertine.beta.numerique.gouv.fr/v1
-    OPENAI_ASR_MODEL: openai/whisper-large-v3
-    OPENAI_LLM_MODEL: meta-llama/Llama-3.1-8B-Instruct
-    WEBHOOK_API_TOKEN:
-      secretKeyRef:
-        name: summary
-        key: WEBHOOK_API_TOKEN
-    WEBHOOK_URL: https://docs.numerique.gouv.fr/api/v1.0/documents/create-for-owner/
-    CELERY_BROKER_URL:
-      secretKeyRef:
-        name: redis-summary.redis.libre.sh
-        key: url
-    CELERY_RESULT_BACKEND:
-      secretKeyRef:
-        name: redis-summary.redis.libre.sh
-        key: url
-
-  image:
-    repository: lasuite/meet-summary
-    pullPolicy: Always
-    tag: "v0.1.12"
-
-celery:
-  replicas: 1
-  envVars:
-    APP_NAME: summary-microservice
-    APP_API_TOKEN:
-      secretKeyRef:
-        name: summary
-        key: APP_API_TOKEN
-    AWS_S3_ENDPOINT_URL:
-      secretKeyRef:
-        name: meet-media-storage.bucket.libre.sh
-        key: endpoint
-    AWS_S3_ACCESS_KEY_ID:
-      secretKeyRef:
-        name: meet-media-storage.bucket.libre.sh
-        key: accessKey
-    AWS_S3_SECRET_ACCESS_KEY:
-      secretKeyRef:
-        name: meet-media-storage.bucket.libre.sh
-        key: secretKey
-    AWS_STORAGE_BUCKET_NAME:
-      secretKeyRef:
-        name: meet-media-storage.bucket.libre.sh
-        key: bucket
-    AWS_S3_REGION_NAME: local
-    OPENAI_API_KEY:
-      secretKeyRef:
-        name: summary
-        key: OPENAI_API_KEY
-    OPENAI_BASE_URL: https://albertine.beta.numerique.gouv.fr/v1
-    OPENAI_ASR_MODEL: openai/whisper-large-v3
-    OPENAI_LLM_MODEL: meta-llama/Llama-3.1-8B-Instruct
-    WEBHOOK_API_TOKEN:
-      secretKeyRef:
-        name: summary
-        key: WEBHOOK_API_TOKEN
-    WEBHOOK_URL: https://docs.numerique.gouv.fr/api/v1.0/documents/create-for-owner/
-    CELERY_BROKER_URL:
-      secretKeyRef:
-        name: redis-summary.redis.libre.sh
-        key: url
-    CELERY_RESULT_BACKEND:
-      secretKeyRef:
-        name: redis-summary.redis.libre.sh
-        key: url
-    SENTRY_IS_ENABLED: True
-    SENTRY_DSN: https://5aead03f03505da5130af6d642c42faf@sentry.incubateur.net/202
-
-  image:
-    repository: lasuite/meet-summary
-    pullPolicy: Always
-    tag: "v0.1.12"
-
-  command:
-    - "celery"
-    - "-A"
-    - "summary.core.celery_worker"
-    - "worker"
-    - "--pool=solo"
-    - "--loglevel=info"

src/helm/env.d/staging/secrets.enc.yaml

@@ -1 +0,0 @@
-../../../../secrets/numerique-gouv/meet/env/staging/secrets.enc.yaml

src/helm/env.d/staging/values.meet.yaml.gotmpl

@@ -1,300 +0,0 @@
-image:
-  repository: lasuite/meet-backend
-  pullPolicy: Always
-  tag: "main"
-
-backend:
-  migrateJobAnnotations:
-    argocd.argoproj.io/hook: PreSync
-    argocd.argoproj.io/hook-delete-policy: HookSucceeded
-  envVars:
-    DJANGO_CSRF_TRUSTED_ORIGINS: http://visio-staging.beta.numerique.gouv.fr,https://meet-staging.beta.numerique.gouv.fr
-    DJANGO_CONFIGURATION: Production
-    DJANGO_ALLOWED_HOSTS: visio-staging.beta.numerique.gouv.fr
-    DJANGO_SECRET_KEY:
-      secretKeyRef:
-        name: backend
-        key: DJANGO_SECRET_KEY
-    DJANGO_SETTINGS_MODULE: meet.settings
-    DJANGO_SUPERUSER_EMAIL:
-      secretKeyRef:
-        name: backend
-        key: DJANGO_SUPERUSER_EMAIL
-    DJANGO_SUPERUSER_PASSWORD:
-      secretKeyRef:
-        name: backend
-        key: DJANGO_SUPERUSER_PASSWORD
-    DJANGO_EMAIL_HOST: "snap-mail.numerique.gouv.fr"
-    DJANGO_EMAIL_PORT: 465
-    DJANGO_EMAIL_USE_SSL: True
-    DJANGO_SENTRY_DSN: https://5aead03f03505da5130af6d642c42faf@sentry.incubateur.net/202
-    OIDC_OP_JWKS_ENDPOINT: https://fca.integ01.dev-agentconnect.fr/api/v2/jwks
-    OIDC_OP_AUTHORIZATION_ENDPOINT: https://fca.integ01.dev-agentconnect.fr/api/v2/authorize
-    OIDC_OP_TOKEN_ENDPOINT: https://fca.integ01.dev-agentconnect.fr/api/v2/token
-    OIDC_OP_USER_ENDPOINT: https://fca.integ01.dev-agentconnect.fr/api/v2/userinfo
-    OIDC_OP_LOGOUT_ENDPOINT: https://fca.integ01.dev-agentconnect.fr/api/v2/session/end
-    OIDC_RP_CLIENT_ID:
-      secretKeyRef:
-        name: backend
-        key: OIDC_RP_CLIENT_ID
-    OIDC_RP_CLIENT_SECRET:
-      secretKeyRef:
-        name: backend
-        key: OIDC_RP_CLIENT_SECRET
-    OIDC_RP_SIGN_ALGO: RS256
-    OIDC_RP_SCOPES: "openid email given_name usual_name"
-    OIDC_REDIRECT_ALLOWED_HOSTS: https://visio-staging.beta.numerique.gouv.fr
-    OIDC_AUTH_REQUEST_EXTRA_PARAMS: "{'acr_values': 'eidas1'}"
-    LOGIN_REDIRECT_URL: https://visio-staging.beta.numerique.gouv.fr
-    LOGIN_REDIRECT_URL_FAILURE: https://visio-staging.beta.numerique.gouv.fr
-    LOGOUT_REDIRECT_URL: https://visio-staging.beta.numerique.gouv.fr
-    DB_HOST:
-      secretKeyRef:
-        name: postgresql.postgres.libre.sh
-        key: host
-    DB_NAME:
-      secretKeyRef:
-        name: postgresql.postgres.libre.sh
-        key: database
-    DB_USER:
-      secretKeyRef:
-        name: postgresql.postgres.libre.sh
-        key: username
-    DB_PASSWORD:
-      secretKeyRef:
-        name: postgresql.postgres.libre.sh
-        key: password
-    DB_PORT:
-      secretKeyRef:
-        name: postgresql.postgres.libre.sh
-        key: port
-    POSTGRES_USER:
-      secretKeyRef:
-        name: postgresql.postgres.libre.sh
-        key: username
-    POSTGRES_DB:
-      secretKeyRef:
-        name: postgresql.postgres.libre.sh
-        key: database
-    POSTGRES_PASSWORD:
-      secretKeyRef:
-        name: postgresql.postgres.libre.sh
-        key: password
-    REDIS_URL:
-      secretKeyRef:
-        name: redis.redis.libre.sh
-        key: url
-    STORAGES_STATICFILES_BACKEND: django.contrib.staticfiles.storage.StaticFilesStorage
-    LIVEKIT_API_SECRET:
-      secretKeyRef:
-        name: backend
-        key: LIVEKIT_API_SECRET
-    LIVEKIT_API_KEY:
-      secretKeyRef:
-        name: backend
-        key: LIVEKIT_API_KEY
-    LIVEKIT_API_URL: https://livekit-staging.beta.numerique.gouv.fr
-    ALLOW_UNREGISTERED_ROOMS: False
-    FRONTEND_ANALYTICS: "{'id': 'phc_RPYko028Oqtj0c9exLIWwrlrjLxSdxT0ntW0Lam4iom', 'host': 'https://product.visio-staging.beta.numerique.gouv.fr'}"
-    FRONTEND_SUPPORT: "{'id': '58ea6697-8eba-4492-bc59-ad6562585041'}"
-    AWS_S3_ENDPOINT_URL:
-      secretKeyRef:
-        name: meet-media-storage.bucket.libre.sh
-        key: url
-    AWS_S3_ACCESS_KEY_ID:
-      secretKeyRef:
-        name: meet-media-storage.bucket.libre.sh
-        key: accessKey
-    AWS_S3_SECRET_ACCESS_KEY:
-      secretKeyRef:
-        name: meet-media-storage.bucket.libre.sh
-        key: secretKey
-    AWS_STORAGE_BUCKET_NAME:
-      secretKeyRef:
-        name: meet-media-storage.bucket.libre.sh
-        key: bucket
-    AWS_S3_REGION_NAME: local
-    RECORDING_ENABLE: True
-    RECORDING_STORAGE_EVENT_ENABLE: True
-    RECORDING_STORAGE_EVENT_TOKEN:
-        secretKeyRef:
-            name: backend
-            key: RECORDING_STORAGE_EVENT_TOKEN
-    SUMMARY_SERVICE_ENDPOINT: http://meet-summary:80/api/v1/tasks/
-    SUMMARY_SERVICE_API_TOKEN:
-        secretKeyRef:
-            name: summary
-            key: APP_API_TOKEN
-
-  createsuperuser:
-    command:
-      - "/bin/sh"
-      - "-c"
-      - |
-        python manage.py createsuperuser --email $DJANGO_SUPERUSER_EMAIL --password $DJANGO_SUPERUSER_PASSWORD
-    restartPolicy: Never
-
-frontend:
-  image:
-    repository: lasuite/meet-frontend
-    pullPolicy: Always
-    tag: "main"
-
-ingress:
-  enabled: true
-  host: visio-staging.beta.numerique.gouv.fr
-  className: nginx
-  annotations:
-    cert-manager.io/cluster-issuer: letsencrypt-prod
-  tls:
-    enabled: true
-    additional:
-      - secretName: transitional-tls
-        hosts:
-          - {{ .Values.newDomain }}
-
-ingressAdmin:
-  enabled: true
-  host: visio-staging.beta.numerique.gouv.fr
-  className: nginx
-  annotations:
-    cert-manager.io/cluster-issuer: letsencrypt-prod
-    nginx.ingress.kubernetes.io/auth-signin: https://oauth2-proxy-preprod.beta.numerique.gouv.fr/oauth2/start
-    nginx.ingress.kubernetes.io/auth-url: https://oauth2-proxy-preprod.beta.numerique.gouv.fr/oauth2/auth
-  tls:
-    enabled: true
-    additional:
-      - secretName: transitional-tls
-        hosts:
-          - {{ .Values.newDomain }}
-
-posthog:
-  ingress:
-    enabled: true
-    host: product.visio-staging.beta.numerique.gouv.fr
-    className: nginx
-    annotations:
-      cert-manager.io/cluster-issuer: letsencrypt-prod
-      nginx.ingress.kubernetes.io/upstream-vhost: eu.i.posthog.com
-      nginx.ingress.kubernetes.io/backend-protocol: https
-
-  ingressAssets:
-    enabled: true
-    host: product.visio-staging.beta.numerique.gouv.fr
-    className: nginx
-    annotations:
-      cert-manager.io/cluster-issuer: letsencrypt-prod
-      nginx.ingress.kubernetes.io/upstream-vhost: eu-assets.i.posthog.com
-      nginx.ingress.kubernetes.io/backend-protocol: https
-
-summary:
-  replicas: 1
-  envVars:
-    APP_NAME: summary-microservice
-    APP_API_TOKEN:
-      secretKeyRef:
-        name: summary
-        key: APP_API_TOKEN
-    AWS_S3_ENDPOINT_URL:
-      secretKeyRef:
-        name: meet-media-storage.bucket.libre.sh
-        key: url
-    AWS_S3_ACCESS_KEY_ID:
-      secretKeyRef:
-        name: meet-media-storage.bucket.libre.sh
-        key: accessKey
-    AWS_S3_SECRET_ACCESS_KEY:
-      secretKeyRef:
-        name: meet-media-storage.bucket.libre.sh
-        key: secretKey
-    AWS_STORAGE_BUCKET_NAME:
-      secretKeyRef:
-        name: meet-media-storage.bucket.libre.sh
-        key: bucket
-    AWS_S3_REGION_NAME: local
-    OPENAI_API_KEY:
-      secretKeyRef:
-        name: summary
-        key: OPENAI_API_KEY
-    OPENAI_BASE_URL: https://albertine.beta.numerique.gouv.fr/v1
-    OPENAI_ASR_MODEL: openai/whisper-large-v3
-    OPENAI_LLM_MODEL: meta-llama/Llama-3.1-8B-Instruct
-    WEBHOOK_API_TOKEN:
-      secretKeyRef:
-        name: summary
-        key: WEBHOOK_API_TOKEN
-    WEBHOOK_URL: https://impress-staging.beta.numerique.gouv.fr/api/v1.0/documents/create-for-owner/
-    CELERY_BROKER_URL:
-      secretKeyRef:
-        name: redis-summary.redis.libre.sh
-        key: url
-    CELERY_RESULT_BACKEND:
-      secretKeyRef:
-        name: redis-summary.redis.libre.sh
-        key: url
-
-  image:
-    repository: lasuite/meet-summary
-    pullPolicy: Always
-    tag: "main"
-
-celery:
-  replicas: 1
-  envVars:
-    APP_NAME: summary-microservice
-    APP_API_TOKEN:
-      secretKeyRef:
-        name: summary
-        key: APP_API_TOKEN
-    AWS_S3_ENDPOINT_URL:
-      secretKeyRef:
-        name: meet-media-storage.bucket.libre.sh
-        key: endpoint
-    AWS_S3_ACCESS_KEY_ID:
-      secretKeyRef:
-        name: meet-media-storage.bucket.libre.sh
-        key: accessKey
-    AWS_S3_SECRET_ACCESS_KEY:
-      secretKeyRef:
-        name: meet-media-storage.bucket.libre.sh
-        key: secretKey
-    AWS_STORAGE_BUCKET_NAME:
-      secretKeyRef:
-        name: meet-media-storage.bucket.libre.sh
-        key: bucket
-    AWS_S3_REGION_NAME: local
-    OPENAI_API_KEY:
-      secretKeyRef:
-        name: summary
-        key: OPENAI_API_KEY
-    OPENAI_BASE_URL: https://albertine.beta.numerique.gouv.fr/v1
-    OPENAI_ASR_MODEL: openai/whisper-large-v3
-    OPENAI_LLM_MODEL: meta-llama/Llama-3.1-8B-Instruct
-    WEBHOOK_API_TOKEN:
-      secretKeyRef:
-        name: summary
-        key: WEBHOOK_API_TOKEN
-    WEBHOOK_URL: https://impress-staging.beta.numerique.gouv.fr/api/v1.0/documents/create-for-owner/
-    CELERY_BROKER_URL:
-      secretKeyRef:
-        name: redis-summary.redis.libre.sh
-        key: url
-    CELERY_RESULT_BACKEND:
-      secretKeyRef:
-        name: redis-summary.redis.libre.sh
-        key: url
-    SENTRY_IS_ENABLED: True
-    SENTRY_DSN: https://5aead03f03505da5130af6d642c42faf@sentry.incubateur.net/202
-
-  image:
-    repository: lasuite/meet-summary
-    pullPolicy: Always
-    tag: "main"
-
-  command:
-    - "celery"
-    - "-A"
-    - "summary.core.celery_worker"
-    - "worker"
-    - "--pool=solo"
-    - "--loglevel=info"

src/helm/extra/templates/clustersecretstore.yaml

@@ -0,0 +1,13 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ClusterSecretStore
+metadata:
+  name: bitwarden-login-visio
+  namespace: {{ $.Release.Namespace | quote }}
+spec:
+  provider:
+    webhook:
+      url: "http://bitwarden-cli-visio.meet.svc.cluster.local:8087/object/item/{{`{{ .remoteRef.key }}`}}"
+      headers:
+        Content-Type: application/json
+      result:
+        jsonPath: "$.data.login.{{`{{ .remoteRef.property }}`}}"

src/helm/extra/templates/external_secret.yaml

@@ -0,0 +1,28 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: backend
+  namespace: {{ .Release.Namespace | quote }}
+spec:
+  refreshInterval: "1m"
+  target:
+    name: backend
+    deletionPolicy: Delete
+    template:
+      type: Opaque
+      data:
+{{- range .Values.secrets }}
+        {{ .podVariable }}: |-
+          {{`{{`}} {{ print "." .name }} {{`}}`}}
+{{- end }}
+  data:
+{{- range .Values.secrets }}
+    - secretKey: {{ .name }}
+      sourceRef:
+        storeRef:
+          name: {{ .clusterSecretStore }}
+          kind: ClusterSecretStore
+      remoteRef:
+        key: {{ .itemId }}
+        property: {{ .field }}
+{{- end }}

src/helm/extra/templates/external_secret_deployment.yaml

@@ -0,0 +1,92 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: bitwarden-cli-visio
+  namespace: {{ $.Release.Namespace | quote }}
+  labels:
+    app.kubernetes.io/instance: bitwarden-cli
+    app.kubernetes.io/name: bitwarden-cli
+spec:
+  replicas: 1
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: bitwarden-cli
+      app.kubernetes.io/instance: bitwarden-cli
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: bitwarden-cli
+        app.kubernetes.io/instance: bitwarden-cli
+    spec:
+      containers:
+        - name: bitwarden-cli
+          image: lasuite/vaultwarden-api:0.1
+          imagePullPolicy: Always
+          env:
+            - name: BW_HOST
+              valueFrom:
+                secretKeyRef:
+                  name: bitwarden-cli-visio
+                  key: BW_HOST
+            - name: BW_USER
+              valueFrom:
+                secretKeyRef:
+                  name: bitwarden-cli-visio
+                  key: BW_USERNAME
+            - name: BW_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: bitwarden-cli-visio
+                  key: BW_PASSWORD
+          ports:
+            - name: http
+              containerPort: 8087
+              protocol: TCP
+          livenessProbe:
+            exec:
+              command:
+                - wget
+                - -q
+                - http://127.0.0.1:8087/sync?force=true
+                - --post-data=''
+            initialDelaySeconds: 20
+            failureThreshold: 3
+            timeoutSeconds: 10
+            periodSeconds: 120
+          readinessProbe:
+            tcpSocket:
+              port: 8087
+            initialDelaySeconds: 20
+            failureThreshold: 3
+            timeoutSeconds: 1
+            periodSeconds: 10
+          startupProbe:
+            tcpSocket:
+              port: 8087
+            initialDelaySeconds: 10
+            failureThreshold: 30
+            timeoutSeconds: 1
+            periodSeconds: 5
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: bitwarden-cli-visio
+  namespace: {{ $.Release.Namespace | quote }}
+  labels:
+    app.kubernetes.io/instance: bitwarden-cli
+    app.kubernetes.io/name: bitwarden-cli
+  annotations:
+spec:
+  type: ClusterIP
+  ports:
+  - port: 8087
+    targetPort: http
+    protocol: TCP
+    name: http
+  selector:
+    app.kubernetes.io/name: bitwarden-cli
+    app.kubernetes.io/instance: bitwarden-cli

src/helm/extra/templates/keydb.yaml

@@ -1,7 +0,0 @@
-apiVersion: core.libre.sh/v1alpha1
-kind: Redis
-metadata:
-  name: redis
-  namespace: {{ .Release.Namespace | quote }}
-spec:
-  disableAuth: false

src/helm/extra/templates/postgresql.yaml

@@ -1,7 +0,0 @@
-apiVersion: core.libre.sh/v1alpha1
-kind: Postgres
-metadata:
-  name: postgresql
-  namespace: {{ .Release.Namespace | quote }}
-spec:
-  database: meet

src/helm/extra/templates/redirect.yaml

@@ -1,55 +0,0 @@
-{{ if .Values.addRedirect }}
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  annotations:
-    cert-manager.io/cluster-issuer: letsencrypt-prod
-    {{ if .Values.enablePermanentRedirect }}
-    nginx.ingress.kubernetes.io/permanent-redirect: "https://{{ .Values.newDomain }}$request_uri"
-    nginx.ingress.kubernetes.io/permanent-redirect-code: "308"
-    {{ end }}
-  name: temporary-redirect
-  namespace: {{ .Release.Namespace | quote }}
-spec:
-  ingressClassName: nginx
-  rules:
-  - host: {{ .Values.oldDomain }}
-    http:
-      paths:
-      - backend:
-          service:
-            name: meet-frontend
-            port:
-              number: 80
-        path: /
-        pathType: Prefix
-      - backend:
-          service:
-            name: meet-backend
-            port:
-              number: 80
-        path: /api
-        pathType: Prefix
-  tls:
-  - hosts:
-    - {{ .Values.oldDomain }}
-    secretName: transitional-tls
----
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: transitional-tls
-  namespace: {{ .Release.Namespace | quote }}
-spec:
-  dnsNames:
-  - {{ .Values.newDomain }}
-  - {{ .Values.oldDomain }}
-  issuerRef:
-    group: cert-manager.io
-    kind: ClusterIssuer
-    name: {{ index .Values.ingress.annotations "cert-manager.io/cluster-issuer" }}
-  secretName: transitional-tls
-  usages:
-  - digital signature
-  - key encipherment
-{{ end }}

src/helm/extra/templates/s3.yaml

@@ -1,8 +0,0 @@
-apiVersion: core.libre.sh/v1alpha1
-kind: Bucket
-metadata:
-  name: meet-media-storage
-  namespace: {{ .Release.Namespace | quote }}
-spec:
-  provider: data
-  versioned: true

src/helm/extra/templates/summary_keydb.yaml

@@ -1,7 +0,0 @@
-apiVersion: core.libre.sh/v1alpha1
-kind: Redis
-metadata:
-  name: redis-summary
-  namespace: {{ .Release.Namespace | quote }}
-spec:
-  disableAuth: false

src/helm/helmfile.yaml

@@ -6,26 +6,7 @@ environments:
   dev:
     values:
       - version: 0.0.1
-    secrets:
+      - env.d/{{ .Environment.Name }}/values.secrets.yaml
-      - env.d/{{ .Environment.Name }}/secrets.enc.yaml
-  staging:
-    values:
-      - version: 0.0.1
-        addRedirect: True
-        enablePermanentRedirect: True
-        oldDomain: meet-staging.beta.numerique.gouv.fr
-        newDomain: visio-staging.beta.numerique.gouv.fr
-    secrets:
-      - env.d/{{ .Environment.Name }}/secrets.enc.yaml
-  production:
-    values:
-      - version: 0.0.1
-        addRedirect: True
-        enablePermanentRedirect: True
-        oldDomain: meet.numerique.gouv.fr
-        newDomain: visio.numerique.gouv.fr
-    secrets:
-      - env.d/{{ .Environment.Name }}/secrets.enc.yaml
 
 repositories:
 - name: bitnami
@@ -132,7 +113,7 @@ releases:
         architecture: standalone
 
   - name: extra
-    installed: {{ not (regexMatch "^dev.*" .Environment.Name) | toYaml }}
+    installed: {{ regexMatch "^dev.*" .Environment.Name | toYaml }}
     missingFileHandler: Warn
     namespace: {{ .Namespace }}
     chart: ./extra

src/helm/meet/templates/backend_deployment.yaml

@@ -19,7 +19,6 @@ spec:
         {{- with .Values.backend.podAnnotations }}
         {{- toYaml . | nindent 8 }}
         {{- end }}
-        checksum/config: {{ include (print $.Template.BasePath "/secrets.yaml") . | sha256sum }}
       labels:
         {{- include "meet.common.selectorLabels" (list . $component) | nindent 8 }}
     spec:

src/helm/meet/templates/celery_deployment.yaml

@@ -19,7 +19,6 @@ spec:
         {{- with .Values.celery.podAnnotations }}
         {{- toYaml . | nindent 8 }}
         {{- end }}
-        checksum/config: {{ include (print $.Template.BasePath "/secrets.yaml") . | sha256sum }}
       labels:
         {{- include "meet.common.selectorLabels" (list . $component) | nindent 8 }}
     spec:

src/helm/meet/templates/secrets.yaml

@@ -1,18 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-  name: backend
-  namespace: {{ .Release.Namespace | quote }}
-  annotations:
-    "helm.sh/hook": pre-install,pre-upgrade
-    "helm.sh/hook-weight": "-5"
-    "helm.sh/hook-delete-policy": before-hook-creation
-stringData:
-  DJANGO_SUPERUSER_EMAIL: {{ .Values.djangoSuperUserEmail }}
-  DJANGO_SUPERUSER_PASSWORD: {{ .Values.djangoSuperUserPass }}
-  DJANGO_SECRET_KEY: {{ .Values.djangoSecretKey }}
-  OIDC_RP_CLIENT_ID: {{ .Values.oidc.clientId }}
-  OIDC_RP_CLIENT_SECRET: {{ .Values.oidc.clientSecret }}
-  LIVEKIT_API_SECRET: {{ .Values.livekitApi.secret }}
-  LIVEKIT_API_KEY: {{ .Values.livekitApi.key }}
-  RECORDING_STORAGE_EVENT_TOKEN: {{ .Values.recordingStorageEventToken }}

src/helm/meet/templates/summary_deployment.yaml

@@ -19,7 +19,6 @@ spec:
         {{- with .Values.summary.podAnnotations }}
         {{- toYaml . | nindent 8 }}
         {{- end }}
-        checksum/config: {{ include (print $.Template.BasePath "/secrets.yaml") . | sha256sum }}
       labels:
         {{- include "meet.common.selectorLabels" (list . $component) | nindent 8 }}
     spec:

src/helm/meet/templates/summary_secrets.yaml

@@ -1,14 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-  name: summary
-  namespace: {{ .Release.Namespace | quote }}
-  annotations:
-    "helm.sh/hook": pre-install,pre-upgrade
-    "helm.sh/hook-weight": "-5"
-    "helm.sh/hook-delete-policy": before-hook-creation
-stringData:
-  APP_API_TOKEN: {{ .Values.appApiToken }}
-  OPENAI_API_KEY: {{ .Values.openaiApiKey }}
-  WEBHOOK_API_TOKEN: {{ .Values.webhookApiToken }}
-

src/helm/meet/values.yaml

@@ -128,6 +128,16 @@ backend:
       - "--no-input"
     restartPolicy: Never
 
+ ## @param backend.createsuperuser.command backend migrate command
+ ## @param backend.createsuperuser.restartPolicy backend migrate job restart policy
+  createsuperuser:
+    command:
+      - "/bin/sh"
+      - "-c"
+      - |
+        python manage.py createsuperuser --email $DJANGO_SUPERUSER_EMAIL --password $DJANGO_SUPERUSER_PASSWORD
+    restartPolicy: Never
+
   ## @param backend.probes.liveness.path [nullable] Configure path for backend HTTP liveness probe
   ## @param backend.probes.liveness.targetPort [nullable] Configure port for backend HTTP liveness probe
   ## @param backend.probes.liveness.initialDelaySeconds [nullable] Configure initial delay for backend liveness probe