♻️(dev) refacto tilt stack

To be able to move the repository to the new organization and to facilitate external developer integration, we need to create a standalone dev stack and use external secrets.
Jacques ROUSSEL
2025-01-07 15:53:36 +01:00
committed by rouja
parent cd7135da00
commit b848f9eca6
27 changed files with 455 additions and 756 deletions


@@ -361,3 +361,37 @@ tilt-up: ## start tilt - k8s local development
release: ## helper for release and deployment release: ## helper for release and deployment
python scripts/release.py python scripts/release.py
.PHONY: release .PHONY: release
install-secret: ## install the kubernetes secrets from Vaultwarden
if kubectl -n desk get secrets bitwarden-cli-desk; then \
echo "Secret already present"; \
else \
echo "Please provide the following information:"; \
read -p "Enter your vaultwarden email login: " LOGIN; \
read -p "Enter your vaultwarden password: " PASSWORD; \
read -p "Enter your vaultwarden server url: " URL; \
echo "\nCreate vaultwarden secret"; \
echo "apiVersion: v1" > /tmp/secret.yaml; \
echo "kind: Secret" >> /tmp/secret.yaml; \
echo "metadata:" >> /tmp/secret.yaml; \
echo " name: bitwarden-cli-desk" >> /tmp/secret.yaml; \
echo " namespace: desk" >> /tmp/secret.yaml; \
echo "type: Opaque" >> /tmp/secret.yaml; \
echo "stringData:" >> /tmp/secret.yaml; \
echo " BW_HOST: $$URL" >> /tmp/secret.yaml; \
echo " BW_PASSWORD: $$PASSWORD" >> /tmp/secret.yaml; \
echo " BW_USERNAME: $$LOGIN" >> /tmp/secret.yaml; \
kubectl -n desk apply -f /tmp/secret.yaml;\
rm -f /tmp/secret.yaml; \
fi; \
if kubectl get ns external-secrets; then \
echo "External secret already deployed"; \
else \
helm repo add external-secrets https://charts.external-secrets.io; \
helm upgrade --install external-secrets \
external-secrets/external-secrets \
-n external-secrets \
--create-namespace \
--set installCRDs=true; \
fi
.PHONY: build-k8s-cluster
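Review bot: The prompt `read -p "Enter your vaultwarden password: " PASSWORD` echoes the password to the terminal, and the three values are then written in clear text to the fixed path `/tmp/secret.yaml` in a shared directory before `kubectl apply` reads them; the `;` chain does reach `rm -f` even when the apply fails, but until then the credentials sit readable in /tmp under a predictable name. Reading the password with echo disabled and feeding the secret to kubectl on stdin removes the temporary file altogether; `read -s` is a bash/zsh extension, so if the recipe runs under dash wrap the read in `stty -echo`/`stty echo` instead. `echo "\nCreate vaultwarden secret"` also depends on the recipe shell's echo interpreting `\n`, which printf does portably. The trailing `.PHONY: build-k8s-cluster` names a different target and should read `.PHONY: install-secret`.
```makefile
install-secret: ## install the kubernetes secrets from Vaultwarden
	if kubectl -n desk get secrets bitwarden-cli-desk; then \
		echo "Secret already present"; \
	else \
		echo "Please provide the following information:"; \
		read -p "Enter your vaultwarden email login: " LOGIN; \
		read -s -p "Enter your vaultwarden password: " PASSWORD; echo; \
		read -p "Enter your vaultwarden server url: " URL; \
		printf '\nCreate vaultwarden secret\n'; \
		printf 'BW_HOST=%s\nBW_PASSWORD=%s\nBW_USERNAME=%s\n' "$$URL" "$$PASSWORD" "$$LOGIN" \
		| kubectl -n desk create secret generic bitwarden-cli-desk --from-env-file=/dev/stdin; \
	fi; \
	# … unchanged: external-secrets helm install …
.PHONY: install-secret
```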


@@ -29,7 +29,7 @@ docker_build(
] ]
) )
k8s_yaml(local('cd ../src/helm && helmfile -n desk -e dev template .')) k8s_yaml(local('cd ../src/helm && helmfile -n desk -e ${DEV_ENV:-dev} template .'))
migration = ''' migration = '''
set -eu set -eu
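Review bot: `${DEV_ENV:-dev}` is expanded by the shell inside `local()` with no hint in the Tiltfile of which helmfile environments exist, so a reader has to go to the README to learn that `dev` and `dev-keycloak` are the accepted values. A comment above the call such as `# DEV_ENV selects the helmfile environment: dev (Pro Connect, default) or dev-keycloak (standalone keycloak)` documents it where it is consumed. The enclosing `docker_build(...)` call and the `migration` script start and end outside the hunk.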


@@ -1,102 +1,3 @@
#!/bin/sh #!/usr/bin/env bash
set -o errexit
CURRENT_DIR=$(pwd) curl https://raw.githubusercontent.com/numerique-gouv/tools/refs/heads/main/kind/create_cluster.sh | bash -s -- desk
# 0. Create ca
echo "0. Create ca"
mkcert -install
cd /tmp
mkcert "127.0.0.1.nip.io" "*.127.0.0.1.nip.io"
cd $CURRENT_DIR
# 1. Create registry container unless it already exists
echo "1. Create registry container unless it already exists"
reg_name='kind-registry'
reg_port='5001'
if [ "$(docker inspect -f '{{.State.Running}}' "${reg_name}" 2>/dev/null || true)" != 'true' ]; then
docker run \
-d --restart=always -p "127.0.0.1:${reg_port}:5000" --network bridge --name "${reg_name}" \
registry:2
fi
# 2. Create kind cluster with containerd registry config dir enabled
echo "2. Create kind cluster with containerd registry config dir enabled"
# TODO: kind will eventually enable this by default and this patch will
# be unnecessary.
#
# See:
# https://github.com/kubernetes-sigs/kind/issues/2875
# https://github.com/containerd/containerd/blob/main/docs/cri/config.md#registry-configuration
# See: https://github.com/containerd/containerd/blob/main/docs/hosts.md
cat <<EOF | kind create cluster --config=-
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
containerdConfigPatches:
- |-
[plugins."io.containerd.grpc.v1.cri".registry]
config_path = "/etc/containerd/certs.d"
nodes:
- role: control-plane
image: kindest/node:v1.27.3
kubeadmConfigPatches:
- |
kind: InitConfiguration
nodeRegistration:
kubeletExtraArgs:
node-labels: "ingress-ready=true"
extraPortMappings:
- containerPort: 80
hostPort: 80
protocol: TCP
- containerPort: 443
hostPort: 443
protocol: TCP
- role: worker
image: kindest/node:v1.27.3
- role: worker
image: kindest/node:v1.27.3
EOF
# 3. Add the registry config to the nodes
echo "3. Add the registry config to the nodes"
#
# This is necessary because localhost resolves to loopback addresses that are
# network-namespace local.
# In other words: localhost in the container is not localhost on the host.
#
# We want a consistent name that works from both ends, so we tell containerd to
# alias localhost:${reg_port} to the registry container when pulling images
REGISTRY_DIR="/etc/containerd/certs.d/localhost:${reg_port}"
for node in $(kind get nodes); do
docker exec "${node}" mkdir -p "${REGISTRY_DIR}"
cat <<EOF | docker exec -i "${node}" cp /dev/stdin "${REGISTRY_DIR}/hosts.toml"
[host."http://${reg_name}:5000"]
EOF
done
# 4. Connect the registry to the cluster network if not already connected
echo "4. Connect the registry to the cluster network if not already connected"
# This allows kind to bootstrap the network but ensures they're on the same network
if [ "$(docker inspect -f='{{json .NetworkSettings.Networks.kind}}' "${reg_name}")" = 'null' ]; then
docker network connect "kind" "${reg_name}"
fi
# 5. Document the local registry
echo "5. Document the local registry"
# https://github.com/kubernetes/enhancements/tree/master/keps/sig-cluster-lifecycle/generic/1755-communicating-a-local-registry
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: ConfigMap
metadata:
name: local-registry-hosting
namespace: kube-public
data:
localRegistryHosting.v1: |
host: "localhost:${reg_port}"
help: "https://kind.sigs.k8s.io/docs/user/local-registry/"
EOF
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/kind/deploy.yaml
kubectl -n ingress-nginx create secret tls mkcert --key /tmp/127.0.0.1.nip.io+1-key.pem --cert /tmp/127.0.0.1.nip.io+1.pem
kubectl -n ingress-nginx patch deployments.apps ingress-nginx-controller --type 'json' -p '[{"op": "add", "path": "/spec/template/spec/containers/0/args/-", "value":"--default-ssl-certificate=ingress-nginx/mkcert"}]'
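Review bot: The new bootstrap line `curl https://raw.githubusercontent.com/numerique-gouv/tools/refs/heads/main/kind/create_cluster.sh | bash -s -- desk` executes whatever is on the `main` branch of another repository at run time, unreviewed, and without `-f` a failed download (an HTML error page or a truncated body) is still fed to bash. Pinning the URL to a reviewed commit, downloading to a file, checking its digest and only then running it keeps the one-liner's convenience while making the executed content reproducible; the commit and digest in the fence are placeholders to fill in. It is also unclear from the rendered diff whether `set -o errexit` survives on the new side (it is printed once, between a changed and a removed line), so the fence restates it.
```shell
#!/usr/bin/env bash
set -o errexit
# Pin the bootstrap script to a reviewed commit and verify it before executing.
CREATE_CLUSTER_REF="<PINNED_COMMIT_SHA>"      # placeholder: reviewed commit of numerique-gouv/tools
CREATE_CLUSTER_SHA256="<EXPECTED_SHA256>"     # placeholder: sha256 of kind/create_cluster.sh at that commit
script="$(mktemp)"
curl -fsSL "https://raw.githubusercontent.com/numerique-gouv/tools/${CREATE_CLUSTER_REF}/kind/create_cluster.sh" -o "${script}"
echo "${CREATE_CLUSTER_SHA256}  ${script}" | sha256sum -c -
bash "${script}" desk
rm -f "${script}"
```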


@@ -92,7 +92,11 @@ make start-kind
### Deploy the application ### Deploy the application
```bash ```bash
# Pro Connect environment
tilt up -f ./bin/Tiltfile tilt up -f ./bin/Tiltfile
# Standalone environment with keycloak
DEV_ENV=dev-keycloak tilt up -f ./bin/Tiltfile
``` ```
**or** run the equivalent using the makefile **or** run the equivalent using the makefile


@@ -1,10 +1,10 @@
#!/bin/bash #!/usr/bin/env bash
mkdir -p "$(dirname -- "${BASH_SOURCE[0]}")/../.git/hooks/" mkdir -p "$(dirname -- "${BASH_SOURCE[0]}")/../.git/hooks/"
PRE_COMMIT_FILE="$(dirname -- "${BASH_SOURCE[0]}")/../.git/hooks/pre-commit" PRE_COMMIT_FILE="$(dirname -- "${BASH_SOURCE[0]}")/../.git/hooks/pre-commit"
cat <<'EOF' >$PRE_COMMIT_FILE cat <<'EOF' >$PRE_COMMIT_FILE
#!/bin/bash #!/usr/bin/env bash
# directories containing potential secrets # directories containing potential secrets
DIRS="." DIRS="."


@@ -35,49 +35,52 @@
### backend ### backend
| Name | Description | Value | | Name | Description | Value |
| ----------------------------------------------------- | ---------------------------------------------------------------------------------- | ----------------------------------------------- | | ----------------------------------------------------- | ---------------------------------------------------------------------------------- | -------------------------------------------------------------------------------- |
| `backend.command` | Override the backend container command | `[]` | | `backend.dpAnnotations` | Annotations to add to the backend Deployment | `{}` |
| `backend.args` | Override the backend container args | `[]` | | `backend.command` | Override the backend container command | `[]` |
| `backend.replicas` | Amount of backend replicas | `3` | | `backend.args` | Override the backend container args | `[]` |
| `backend.shareProcessNamespace` | Enable share process namespace between containers | `false` | | `backend.replicas` | Amount of backend replicas | `3` |
| `backend.sidecars` | Add sidecars containers to backend deployment | `[]` | | `backend.shareProcessNamespace` | Enable share process namespace between containers | `false` |
| `backend.securityContext` | Configure backend Pod security context | `nil` | | `backend.sidecars` | Add sidecars containers to backend deployment | `[]` |
| `backend.envVars` | Configure backend container environment variables | `undefined` | | `backend.migrateJobAnnotations` | Annotations for the migrate job | `{}` |
| `backend.envVars.BY_VALUE` | Example environment variable by setting value directly | | | `backend.securityContext` | Configure backend Pod security context | `nil` |
| `backend.envVars.FROM_CONFIGMAP.configMapKeyRef.name` | Name of a ConfigMap when configuring env vars from a ConfigMap | | | `backend.envVars` | Configure backend container environment variables | `undefined` |
| `backend.envVars.FROM_CONFIGMAP.configMapKeyRef.key` | Key within a ConfigMap when configuring env vars from a ConfigMap | | | `backend.envVars.BY_VALUE` | Example environment variable by setting value directly | |
| `backend.envVars.FROM_SECRET.secretKeyRef.name` | Name of a Secret when configuring env vars from a Secret | | | `backend.envVars.FROM_CONFIGMAP.configMapKeyRef.name` | Name of a ConfigMap when configuring env vars from a ConfigMap | |
| `backend.envVars.FROM_SECRET.secretKeyRef.key` | Key within a Secret when configuring env vars from a Secret | | | `backend.envVars.FROM_CONFIGMAP.configMapKeyRef.key` | Key within a ConfigMap when configuring env vars from a ConfigMap | |
| `backend.podAnnotations` | Annotations to add to the backend Pod | `{}` | | `backend.envVars.FROM_SECRET.secretKeyRef.name` | Name of a Secret when configuring env vars from a Secret | |
| `backend.service.type` | backend Service type | `ClusterIP` | | `backend.envVars.FROM_SECRET.secretKeyRef.key` | Key within a Secret when configuring env vars from a Secret | |
| `backend.service.port` | backend Service listening port | `80` | | `backend.podAnnotations` | Annotations to add to the backend Pod | `{}` |
| `backend.service.targetPort` | backend container listening port | `8000` | | `backend.service.type` | backend Service type | `ClusterIP` |
| `backend.service.annotations` | Annotations to add to the backend Service | `{}` | | `backend.service.port` | backend Service listening port | `80` |
| `backend.migrate.command` | backend migrate command | `["python","manage.py","migrate","--no-input"]` | | `backend.service.targetPort` | backend container listening port | `8000` |
| `backend.migrate.restartPolicy` | backend migrate job restart policy | `Never` | | `backend.service.annotations` | Annotations to add to the backend Service | `{}` |
| `backend.probes.liveness.path` | Configure path for backend HTTP liveness probe | `/__heartbeat__` | | `backend.migrate.command` | backend migrate command | `["python","manage.py","migrate","--no-input"]` |
| `backend.probes.liveness.targetPort` | Configure port for backend HTTP liveness probe | `undefined` | | `backend.migrate.restartPolicy` | backend migrate job restart policy | `Never` |
| `backend.probes.liveness.initialDelaySeconds` | Configure initial delay for backend liveness probe | `10` | | `backend.probes.liveness.path` | Configure path for backend HTTP liveness probe | `/__heartbeat__` |
| `backend.probes.liveness.initialDelaySeconds` | Configure timeout for backend liveness probe | `10` | | `backend.probes.liveness.targetPort` | Configure port for backend HTTP liveness probe | `undefined` |
| `backend.probes.startup.path` | Configure path for backend HTTP startup probe | `undefined` | | `backend.probes.liveness.initialDelaySeconds` | Configure initial delay for backend liveness probe | `10` |
| `backend.probes.startup.targetPort` | Configure port for backend HTTP startup probe | `undefined` | | `backend.probes.liveness.initialDelaySeconds` | Configure timeout for backend liveness probe | `10` |
| `backend.probes.startup.initialDelaySeconds` | Configure initial delay for backend startup probe | `undefined` | | `backend.probes.startup.path` | Configure path for backend HTTP startup probe | `undefined` |
| `backend.probes.startup.initialDelaySeconds` | Configure timeout for backend startup probe | `undefined` | | `backend.probes.startup.targetPort` | Configure port for backend HTTP startup probe | `undefined` |
| `backend.probes.readiness.path` | Configure path for backend HTTP readiness probe | `/__lbheartbeat__` | | `backend.probes.startup.initialDelaySeconds` | Configure initial delay for backend startup probe | `undefined` |
| `backend.probes.readiness.targetPort` | Configure port for backend HTTP readiness probe | `undefined` | | `backend.probes.startup.initialDelaySeconds` | Configure timeout for backend startup probe | `undefined` |
| `backend.probes.readiness.initialDelaySeconds` | Configure initial delay for backend readiness probe | `10` | | `backend.probes.readiness.path` | Configure path for backend HTTP readiness probe | `/__lbheartbeat__` |
| `backend.probes.readiness.initialDelaySeconds` | Configure timeout for backend readiness probe | `10` | | `backend.probes.readiness.targetPort` | Configure port for backend HTTP readiness probe | `undefined` |
| `backend.resources` | Resource requirements for the backend container | `{}` | | `backend.probes.readiness.initialDelaySeconds` | Configure initial delay for backend readiness probe | `10` |
| `backend.nodeSelector` | Node selector for the backend Pod | `{}` | | `backend.probes.readiness.initialDelaySeconds` | Configure timeout for backend readiness probe | `10` |
| `backend.tolerations` | Tolerations for the backend Pod | `[]` | | `backend.resources` | Resource requirements for the backend container | `{}` |
| `backend.affinity` | Affinity for the backend Pod | `{}` | | `backend.nodeSelector` | Node selector for the backend Pod | `{}` |
| `backend.persistence` | Additional volumes to create and mount on the backend. Used for debugging purposes | `{}` | | `backend.tolerations` | Tolerations for the backend Pod | `[]` |
| `backend.persistence.volume-name.size` | Size of the additional volume | | | `backend.affinity` | Affinity for the backend Pod | `{}` |
| `backend.persistence.volume-name.type` | Type of the additional volume, persistentVolumeClaim or emptyDir | | | `backend.persistence` | Additional volumes to create and mount on the backend. Used for debugging purposes | `{}` |
| `backend.persistence.volume-name.mountPath` | Path where the volume should be mounted to | | | `backend.persistence.volume-name.size` | Size of the additional volume | |
| `backend.extraVolumeMounts` | Additional volumes to mount on the backend. | `[]` | | `backend.persistence.volume-name.type` | Type of the additional volume, persistentVolumeClaim or emptyDir | |
| `backend.extraVolumes` | Additional volumes to mount on the backend. | `[]` | | `backend.persistence.volume-name.mountPath` | Path where the volume should be mounted to | |
| `backend.extraVolumeMounts` | Additional volumes to mount on the backend. | `[]` |
| `backend.extraVolumes` | Additional volumes to mount on the backend. | `[]` |
| `backend.createsuperuser.command` | The command to create the django super user | `python manage.py createsuperuser --username admin@example.com --password admin` |
### frontend ### frontend
@@ -86,6 +89,7 @@
| `frontend.image.repository` | Repository to use to pull desk's frontend container image | `lasuite/people-frontend` | | `frontend.image.repository` | Repository to use to pull desk's frontend container image | `lasuite/people-frontend` |
| `frontend.image.tag` | desk's frontend container tag | `latest` | | `frontend.image.tag` | desk's frontend container tag | `latest` |
| `frontend.image.pullPolicy` | frontend container image pull policy | `IfNotPresent` | | `frontend.image.pullPolicy` | frontend container image pull policy | `IfNotPresent` |
| `frontend.dpAnnotations` | Annotations to add to the frontend Deployment | `{}` |
| `frontend.command` | Override the frontend container command | `[]` | | `frontend.command` | Override the frontend container command | `[]` |
| `frontend.args` | Override the frontend container args | `[]` | | `frontend.args` | Override the frontend container args | `[]` |
| `frontend.replicas` | Amount of frontend replicas | `3` | | `frontend.replicas` | Amount of frontend replicas | `3` |


@@ -1,10 +1,10 @@
#!/bin/bash #!/usr/bin/env bash
docker image ls | grep readme-generator-for-helm docker image ls | grep readme-generator-for-helm
if [ "$?" -ne "0" ]; then if [ "$?" -ne "0" ]; then
git clone https://github.com/bitnami/readme-generator-for-helm.git /tmp/readme-generator-for-helm git clone https://github.com/bitnami/readme-generator-for-helm.git /tmp/readme-generator-for-helm
cd /tmp/readme-generator-for-helm cd /tmp/readme-generator-for-helm
docker build -t readme-generator-for-helm:latest . docker build -t readme-generator-for-helm:latest .
cd $(dirname -- "${BASH_SOURCE[0]}") cd $(dirname -- "${BASH_SOURCE[0]}")
fi fi
docker run --rm -it -v ./values.yaml:/app/values.yaml -v ./README.md:/app/README.md readme-generator-for-helm:latest readme-generator -v values.yaml -r README.md docker run --rm -it -v .:/source -w /source readme-generator-for-helm:latest readme-generator -v values.yaml -r README.md


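--- a/<path not shown on page: backend Deployment template>
+++ b/<path not shown on page: backend Deployment template>
@@ -5,6 +5,10 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
 name: {{ $fullName }}
+annotations:
+{{- with .Values.backend.dpAnnotations }}
+{{- toYaml . | nindent 4 }}
+{{- end }}
 namespace: {{ .Release.Namespace | quote }}
 labels:
 {{- include "desk.common.labels" (list . $component) | nindent 4 }}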
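Review bot: `annotations:` is emitted unconditionally while its content is guarded by `{{- with .Values.backend.dpAnnotations }}`, so with the chart default `dpAnnotations: {}` the rendered Deployment metadata carries an `annotations:` key with a null value. Moving the key itself inside the guard — the `annotations:` line placed right after `{{- with .Values.backend.dpAnnotations }}` and before the `toYaml` — renders nothing when the map is empty and keeps manifests free of empty keys. The frontend Deployment template in this commit has the same shape and would take the same change.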


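--- a/<path not shown on page: frontend Deployment template>
+++ b/<path not shown on page: frontend Deployment template>
@@ -5,6 +5,10 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
 name: {{ $fullName }}
+annotations:
+{{- with .Values.frontend.dpAnnotations }}
+{{- toYaml . | nindent 4 }}
+{{- end }}
 namespace: {{ .Release.Namespace | quote }}
 labels:
 {{- include "desk.common.labels" (list . $component) | nindent 4 }}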


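--- a/<path not shown on page: backend Secret template>
+++ /dev/null
@@ -1,30 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-name: backend
-namespace: {{ .Release.Namespace | quote }}
-annotations:
-"helm.sh/hook": pre-install,pre-upgrade
-"helm.sh/hook-weight": "-5"
-"helm.sh/hook-delete-policy": before-hook-creation
-stringData:
-DJANGO_SUPERUSER_EMAIL: {{ .Values.djangoSuperUserEmail }}
-DJANGO_SUPERUSER_PASSWORD: {{ .Values.djangoSuperUserPass }}
-DJANGO_SECRET_KEY: {{ .Values.djangoSecretKey }}
-OIDC_RP_CLIENT_ID: {{ .Values.oidc.clientId }}
-OIDC_RP_CLIENT_SECRET: {{ .Values.oidc.clientSecret }}
-{{- if .Values.resourceServer }}
-OIDC_RS_CLIENT_ID: {{ .Values.resourceServer.clientId }}
-OIDC_RS_CLIENT_SECRET: {{ .Values.resourceServer.clientSecret }}
-OIDC_RS_PRIVATE_KEY_STR: |
-{{ .Values.resourceServer.privateKey | indent 4 }}
-{{- end }}
-{{- if .Values.mail_provisioning_api_credentials }}
-MAIL_PROVISIONING_API_CREDENTIALS: {{ .Values.mail_provisioning_api_credentials }}
-{{- end }}
-{{- if .Values.djangoEmailHostUser }}
-DJANGO_EMAIL_HOST_USER: {{ .Values.djangoEmailHostUser }}
-{{- end }}
-{{- if .Values.djangoEmailHostPassword }}
-DJANGO_EMAIL_HOST_PASSWORD: {{ .Values.djangoEmailHostPassword }}
-{{- end }}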


@@ -72,6 +72,8 @@ ingressAdmin:
## @section backend ## @section backend
backend: backend:
## @param backend.dpAnnotations Annotations to add to the backend Deployment
dpAnnotations: {}
## @param backend.command Override the backend container command ## @param backend.command Override the backend container command
command: [] command: []
@@ -117,8 +119,8 @@ backend:
targetPort: 8000 targetPort: 8000
annotations: {} annotations: {}
## @param backend.migrate.command backend migrate command ## @param backend.migrate.command backend migrate command
## @param backend.migrate.restartPolicy backend migrate job restart policy ## @param backend.migrate.restartPolicy backend migrate job restart policy
migrate: migrate:
command: command:
- "python" - "python"
@@ -171,9 +173,11 @@ backend:
## @param backend.extraVolumes Additional volumes to mount on the backend. ## @param backend.extraVolumes Additional volumes to mount on the backend.
extraVolumes: [] extraVolumes: []
## @param backend.createsuperuser.command The command to create the django super user
createsuperuser:
command: python manage.py createsuperuser --username admin@example.com --password admin
## @section frontend ## @section frontend
frontend: frontend:
## @param frontend.image.repository Repository to use to pull desk's frontend container image ## @param frontend.image.repository Repository to use to pull desk's frontend container image
## @param frontend.image.tag desk's frontend container tag ## @param frontend.image.tag desk's frontend container tag
@@ -183,6 +187,9 @@ frontend:
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
tag: "latest" tag: "latest"
## @param frontend.dpAnnotations Annotations to add to the frontend Deployment
dpAnnotations: {}
## @param frontend.command Override the frontend container command ## @param frontend.command Override the frontend container command
command: [] command: []
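Review bot: The new chart default `command: python manage.py createsuperuser --username admin@example.com --password admin` under `createsuperuser` bakes a well-known administrator credential into every release that does not override it, and it is a plain string whereas the dev values in this commit override the same key with a list (`/bin/sh`, `-c`, …), so the consuming template has to accept both shapes — that template is not visible here. A safer default is an empty list, `command: []`, with the `## @param backend.createsuperuser.command` line stating what happens when it is empty and which form (string or list) is expected, leaving the example credential to the dev values files only.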


@@ -0,0 +1,104 @@
image:
repository: localhost:5001/people-backend
pullPolicy: Always
tag: "latest"
backend:
replicas: 1
envVars:
DJANGO_CSRF_TRUSTED_ORIGINS: https://desk.127.0.0.1.nip.io,http://desk.127.0.0.1.nip.io
DJANGO_CONFIGURATION: Local
DJANGO_ALLOWED_HOSTS: "*"
DJANGO_SECRET_KEY: kkdsjfhkjhsfdkjhsd76kjhkjh
DJANGO_SETTINGS_MODULE: people.settings
DJANGO_SUPERUSER_PASSWORD: admin
DJANGO_SUPERUSER_EMAIL: admin@example.com
DJANGO_EMAIL_HOST_PASSWORD: changeme
DJANGO_EMAIL_HOST: "mailcatcher"
DJANGO_EMAIL_PORT: 1025
DJANGO_EMAIL_USE_SSL: False
OIDC_RS_CLIENT_ID: changeme
OIDC_RS_CLIENT_SECRET: changeme
OIDC_RS_PRIVATE_KEY_STR: "lkj"
OIDC_OP_JWKS_ENDPOINT: https://keycloak.127.0.0.1.nip.io/realms/people/protocol/openid-connect/certs
OIDC_OP_AUTHORIZATION_ENDPOINT: https://keycloak.127.0.0.1.nip.io/realms/people/protocol/openid-connect/auth
OIDC_OP_TOKEN_ENDPOINT: https://keycloak.127.0.0.1.nip.io/realms/people/protocol/openid-connect/token
OIDC_OP_USER_ENDPOINT: https://keycloak.127.0.0.1.nip.io/realms/people/protocol/openid-connect/userinfo
OIDC_OP_LOGOUT_ENDPOINT: https://keycloak.127.0.0.1.nip.io/realms/people/protocol/openid-connect/logout
OIDC_ORGANIZATION_REGISTRATION_ID_FIELD: "siret"
OIDC_RP_CLIENT_ID: people
OIDC_RP_CLIENT_SECRET: ThisIsAnExampleKeyForDevPurposeOnly
OIDC_RP_SIGN_ALGO: RS256
OIDC_RP_SCOPES: "openid email siret"
OIDC_REDIRECT_ALLOWED_HOSTS: https://desk.127.0.0.1.nip.io
OIDC_AUTH_REQUEST_EXTRA_PARAMS: "{'acr_values': 'eidas1'}"
ORGANIZATION_PLUGINS: "plugins.organizations.NameFromSiretOrganizationPlugin"
ORGANIZATION_REGISTRATION_ID_VALIDATORS: '[{"NAME": "django.core.validators.RegexValidator", "OPTIONS": {"regex": "^[0-9]{14}$"}}]'
LOGIN_REDIRECT_URL: https://desk.127.0.0.1.nip.io
LOGIN_REDIRECT_URL_FAILURE: https://desk.127.0.0.1.nip.io
LOGOUT_REDIRECT_URL: https://desk.127.0.0.1.nip.io
DB_HOST: postgres-postgresql
DB_NAME: people
DB_USER: dinum
DB_PASSWORD: pass
DB_PORT: 5432
POSTGRES_DB: people
POSTGRES_USER: dinum
POSTGRES_PASSWORD: pass
REDIS_URL: redis://default:pass@redis-master:6379/1
WEBMAIL_URL: "https://onestendev.yapasdewebmail.fr"
MAIL_PROVISIONING_API_URL: "http://dimail:8000"
MAIL_PROVISIONING_API_CREDENTIALS: changeme
SENTRY_DSN: "https://b72746c73d669421e7a8ccd3fab0fad2@sentry.incubateur.net/171"
command:
- "gunicorn"
- "-c"
- "/usr/local/etc/gunicorn/people.py"
- "people.wsgi:application"
- "--reload"
createsuperuser:
command:
- "/bin/sh"
- "-c"
- python manage.py createsuperuser --username ${DJANGO_SUPERUSER_EMAIL} --password ${DJANGO_SUPERUSER_PASSWORD} || echo ok
restartPolicy: Never
# Extra volume mounts to manage our local custom CA and avoid to set ssl_verify: false
extraVolumeMounts:
- name: certs
mountPath: /usr/local/lib/python3.12/site-packages/certifi/cacert.pem
subPath: cacert.pem
# Exra volumes to manage our local custom CA and avoid to set ssl_verify: false
extraVolumes:
- name: certs
configMap:
name: certifi
items:
- key: cacert.pem
path: cacert.pem
frontend:
envVars:
PORT: 8080
NEXT_PUBLIC_API_ORIGIN: https://desk.127.0.0.1.nip.io
replicas: 1
command:
- yarn
- dev
image:
repository: localhost:5001/people-frontend
pullPolicy: Always
tag: "latest"
ingress:
enabled: true
host: desk.127.0.0.1.nip.io
ingressAdmin:
enabled: true
host: desk.127.0.0.1.nip.io
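Review bot: `SENTRY_DSN: "https://b72746c73d669421e7a8ccd3fab0fad2@sentry.incubateur.net/171"` points a local developer stack at what looks like a shared Sentry project, so everyone who clones the repository reports events there and the DSN, once committed, is awkward to rotate; leaving it empty in the dev values (`SENTRY_DSN: ""`) and supplying it through the external-secret path this commit introduces is safer. Separately, `DJANGO_EMAIL_USE_SSL: False` parses as a YAML boolean and `DJANGO_EMAIL_PORT: 1025`, `DB_PORT: 5432` and `PORT: 8080` as integers; if these end up in a container `env[].value`, Kubernetes requires strings, so quoting them (`"False"`, `"1025"`) avoids a type error at render or apply time — whether the template stringifies them cannot be seen from here. The comment `# Exra volumes to manage our local custom CA` also has a typo (`Extra`).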


@@ -1,80 +0,0 @@
djangoSecretKey: ENC[AES256_GCM,data:MeAsS1OoGaC1yKvK4jlsvtM/tnXdy3AiZItRafBIvHJzz2D1fQ2Ol85cX6cJ1H7XGRs=,iv:cV/H03WnCYiPgjvuQTUXuhsPd/mHforbI818lkv4Tcw=,tag:ofJ9+AA+aMxuAt03n2j6sQ==,type:str]
djangoSuperUserPass: ENC[AES256_GCM,data:CrUCj+w=,iv:VvCIQYDvhbIeWI2lJt6kw4hBxzERY4H9OOV6CkCxXg4=,tag:e6LLH8bBenG7ZlWutkiECQ==,type:str]
mail_provisioning_api_credentials: ENC[AES256_GCM,data:2iDJSkOV/muVZQ5ZrWyBB+uslzEj/4Yv,iv:awJgZ4wUl1xM19yTFooa1e/U91awm8xraZWEYI5ZIh4=,tag:/n64HEwNVO5f1XuoYBTI6g==,type:str]
oidc:
clientId: ENC[AES256_GCM,data:C7WWJAC02IZ47FVtHUoFMX/t9u9Ar1wU0xN54IR+TcVmNLR6,iv:GCu4unvxtV2sxxR+Jo9c39Zyo21utQPM4/iyk0OIFOE=,tag:qU5Vcfq9LRxffRJW/h1taA==,type:str]
clientSecret: ENC[AES256_GCM,data:0FttMuHtz3zciIoGZl+2ele2SR2IGSW12RXZuYMZtHZBT71jgN4v9cR9zKPvpbudqGvoF86doPfHWZvBCcx6zA==,iv:HyfUnSsWWTVEK4Pf7kgK0MtlZvQiy6cKODjCw0WDG4w=,tag:0NbQK6+SWB82ul89kmzRHA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age15fyxdwmg5mvldtqqus87xspuws2u0cpvwheehrtvkexj4tnsqqysw6re2x
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBObklxN2hPUEd2bkZQSE1j
MWE0a1dJcVloOTcyOHNmcC84dytaZ0NXNVJFCkl2eGFLUTh3LzFIRzNRNUhMT2Ir
aWpxK2cvcVZXbUVTbFFUSFZnaGtuekEKLS0tIFJ2NnJMejZuYWFTbkFYNGYrSS9X
aUxCb21NTlpYQWdraTA0djBsRkVCbGcK8l3yr3Wsit1bjWrHahdY4bPdVjz76WHC
ESSR0ekaHw+7jXe8yhfalLrFTyN9aa5/wJOy51oNIh6i9J9qiGpt5A==
-----END AGE ENCRYPTED FILE-----
- recipient: age16hnlml8yv4ynwy0seer57g8qww075crd0g7nsundz3pj4wk7m3vqftszg7
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyRldFY3lFUkJ6UmhVUkJ5
ZmlQczJ2MklFSy9BVVV3K0UwWVpIOW5FYkc0CnI4WHNhTk1qa1BmOU16L0k2YzV5
Z25tT244NnlibVdMcWRWNlFleG1FYlUKLS0tIGpMcktpQjcva29TWVJkWGRNL0Vi
RTZ2V2luMTdaUGU3a04xSU1aSFJ4WWsKqTKbwlTGmTc99D4Ud/ohQNWamGX9QR06
jLLK2ySKP2EbBZxLe+3MZlufPPiESY8246pfdaymrdWZ1PS00TOdhA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1plkp8td6zzfcavjusmsfrlk54t9vn8jjxm8zaz7cmnr7kzl2nfnsd54hwg
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaMTVWNHlXc0k2UUM4b3Q2
VTNQSmYySXc3Y0tWUHU2czhVWWt4bldabFdrClg2TWRvbHZkYVpiMnF2U2tPYXJy
ZXNwQzBVcnBXMkxEMmNXeWFXWGNVb2sKLS0tIGduOWpSTkxCKzNXY2xtQS9rWGp2
WTEyeDlRYlVtQTJ3N3RPMVpla0U3MTgK87FDs8GwhUGwgV5aLTWYAaVi+4QkWCmv
BG/RfGeYAm87FGGg/UUEPUCZgLnYPZwz/SzKfAZQlRP5s3POFRGpEg==
-----END AGE ENCRYPTED FILE-----
- recipient: age12g6f5fse25tgrwweleh4jls3qs52hey2edh759smulwmk5lnzadslu2cp3
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmZHZCVlIwM2cyeVMzWUpR
ZlFPSmthdGF2MVNwOFpjSWJmV1ptV3BZVHo0Ckh3ckc1K013YkdxUzNsMEUwa0pw
SFdGR3lmTlpJRzRFVTRqRmc4SFlMMW8KLS0tIGxnSWhmWlpPelhlZTkwOXBrMDRT
U1JPK3Z6NzBxNFNWenEyYVJZRzF2T1kKyFhaWvQ2/ZttyBDshz6fmhd3cgL31rhO
0EtPVQO5p7kDDyG2/TyrfR32C5/5+YNqS+Cggk31jon7blNvV3asVA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1hnhuzj96ktkhpyygvmz0x9h8mfvssz7ss6emmukags644mdhf4msajk93r
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQUzVTRCtOWlBMOGwwMTNp
ZndVZVZ4bXlPUHJCeFVhRVVpKzlmWnNZS0N3CjdWOGRNQmZkM2tib29NK0NXT3pH
alNnVDhiUWlTUXJkc0ZRb3MyLzhjY3cKLS0tIENzRDllUVV0dkdyeVNoclUwc21Z
amd2TEttd25PN2NNY0RFclZISFBaUVkKGUYbTjt/cw7KzHeSNt9Kem+Xhy7zcxC+
JPEliPnJiMuzoZNIoKq0Ta1aWaC9leN5k5JAbFOpqQTkcY+38V3Fpw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1tl80n23wq6zxegupwn70ew0yp225ua5v4dk800x7g2w6pvlxz46qk592pa
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuWlkvaWNjdnFFTG44UkN6
Q3RaeUk3T3N1RFlISm1HQzkwa3MzdmtQSGdJCmdwM241WmhpS2ZKWVFNSmE5MTRQ
c3FGeWFhZFpobjQ1SEV4OWR0ZDNLMWsKLS0tIGpqaU5jZ1NhakErd2JsZG53RDNv
SXdwdThDSnRrRktSMW9xckpsNDNKV1kKI+iCo2o87qVA9E2dtnmIu251Xg0KbgVF
/J/M1HQVnIEHxhQYSjXat0ZAZDs5B1YnZ+nUG3iJ8q1hOKp2O9xtIw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1rjchule5sncn8r8gfph07muee6vzx4wqfrtldt5jjzke4vlfxy2qqplfvc
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoYUhBcjdGQTBTUWJ3cGgy
NXJHYnM5dXZHTzNzL1NWSitEYit3NWNhN2hjClErOGNFLzZ6VHVnaFRyZk05dFB4
M29ybkduSE44Uk9BcGN0aVQ0TUxxUVkKLS0tIGtsUGhMdXdIQlZNKzJNRzNnWUhF
M2hQY3kraFNqbjU3SkIzcWdZeDZIWFkK7Z39fJzr7a7/Lk62hU9GUjQPeA6C4Jp7
3Nj8sGpGKbt83u2tNYTHtpNa2a6MFqKfccxRKxwYUf9DfPRhH5p9nQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-10-23T09:37:33Z"
mac: ENC[AES256_GCM,data:L6tN1Lx4FtDUty2OKHIS9KiaayX9mTwiXzBsrPP8rEM3Gs/Z/v4XMfiIylBs6m1XUwrOy7kFNUGfnu1d72nB4ukWZBHTmcE9wZ3U1AaEnjjMPdIlUtyaNxmAbw5/QprZcempMLd5750QjEUHqDTzmF2+yI+Jt0mRMQEAFYY/5b4=,iv:vyRwRl1minGkv3XJMORWaf5NwJXWGa8us/x/DAyRDrQ=,tag:zgKEgD7IH/b1x7LRzq2NXg==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.0


@@ -1,3 +1,19 @@
secrets:
- name: oidcLogin
itemId: 753d95be-f0d0-44ff-b8b9-bdd905f2ae1d
field: username
podVariable: OIDC_RP_CLIENT_ID
clusterSecretStore: bitwarden-login-desk
- name: oidcPass
itemId: 753d95be-f0d0-44ff-b8b9-bdd905f2ae1d
field: password
podVariable: OIDC_RP_CLIENT_SECRET
clusterSecretStore: bitwarden-login-desk
- name: mail_provisioning_api_credentials
itemId: 2fcb5d3c-d037-4ec5-967d-3d15b261e2ab
field: password
podVariable: MAIL_PROVISIONING_API_CREDENTIALS
clusterSecretStore: bitwarden-login-desk
image: image:
repository: localhost:5001/people-backend repository: localhost:5001/people-backend
pullPolicy: Always pullPolicy: Always
@@ -9,15 +25,10 @@ backend:
DJANGO_CSRF_TRUSTED_ORIGINS: https://desk.127.0.0.1.nip.io,http://desk.127.0.0.1.nip.io DJANGO_CSRF_TRUSTED_ORIGINS: https://desk.127.0.0.1.nip.io,http://desk.127.0.0.1.nip.io
DJANGO_CONFIGURATION: Local DJANGO_CONFIGURATION: Local
DJANGO_ALLOWED_HOSTS: "*" DJANGO_ALLOWED_HOSTS: "*"
DJANGO_SECRET_KEY: DJANGO_SECRET_KEY: changeme
secretKeyRef:
name: backend
key: DJANGO_SECRET_KEY
DJANGO_SETTINGS_MODULE: people.settings DJANGO_SETTINGS_MODULE: people.settings
DJANGO_SUPERUSER_PASSWORD: DJANGO_SUPERUSER_EMAIL: admin@example.com
secretKeyRef: DJANGO_SUPERUSER_PASSWORD: admin
name: backend
key: DJANGO_SUPERUSER_PASSWORD
DJANGO_EMAIL_HOST: "mailcatcher" DJANGO_EMAIL_HOST: "mailcatcher"
DJANGO_EMAIL_PORT: 1025 DJANGO_EMAIL_PORT: 1025
DJANGO_EMAIL_USE_SSL: False DJANGO_EMAIL_USE_SSL: False
@@ -71,7 +82,7 @@ backend:
command: command:
- "/bin/sh" - "/bin/sh"
- "-c" - "-c"
- python manage.py createsuperuser --username admin@example.com --password admin - python manage.py createsuperuser --username ${DJANGO_SUPERUSER_EMAIL} --password ${DJANGO_SUPERUSER_PASSWORD} || echo ok
restartPolicy: Never restartPolicy: Never
frontend: frontend:
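Review bot: The `|| echo ok` appended to `python manage.py createsuperuser --username ${DJANGO_SUPERUSER_EMAIL} --password ${DJANGO_SUPERUSER_PASSWORD}` turns every failure of the job into success — a wrong `DB_PASSWORD`, an unreachable database or an unset variable all print `ok` — not only the "user already exists" case it presumably exists to tolerate. At minimum the message should say what happened, `|| echo "createsuperuser failed, continuing"`, so the job log stays truthful; `restartPolicy: Never` already prevents retry loops, so a non-zero exit would be the more honest option if the template allows it. The same line is present in the dev-keycloak values file added by this commit. In the new `secrets:` list at the top of the file, `mail_provisioning_api_credentials` is snake_case while `oidcLogin` and `oidcPass` are camelCase.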


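--- a/<path not shown on page: preprod secrets symlink>
+++ /dev/null
@@ -1 +0,0 @@
-../../../../secrets/numerique-gouv/people/env/preprod/secrets.enc.yaml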


@@ -1,139 +0,0 @@
image:
repository: lasuite/people-backend
pullPolicy: Always
tag: "v1.9.1"
backend:
migrateJobAnnotations:
argocd.argoproj.io/hook: PreSync
argocd.argoproj.io/hook-delete-policy: HookSucceeded
envVars:
DJANGO_CSRF_TRUSTED_ORIGINS: https://desk-preprod.beta.numerique.gouv.fr
DJANGO_CONFIGURATION: PreProduction
DJANGO_ALLOWED_HOSTS: "*"
DJANGO_SECRET_KEY:
secretKeyRef:
name: backend
key: DJANGO_SECRET_KEY
DJANGO_SETTINGS_MODULE: people.settings
DJANGO_SUPERUSER_EMAIL:
secretKeyRef:
name: backend
key: DJANGO_SUPERUSER_EMAIL
DJANGO_SUPERUSER_PASSWORD:
secretKeyRef:
name: backend
key: DJANGO_SUPERUSER_PASSWORD
DJANGO_EMAIL_HOST: "smtp.tem.scw.cloud"
DJANGO_EMAIL_PORT: 587
DJANGO_EMAIL_USE_TLS: True
DJANGO_EMAIL_FROM: "noreply@regie.beta.numerique.gouv.fr"
DJANGO_EMAIL_HOST_USER:
secretKeyRef:
name: backend
key: DJANGO_EMAIL_HOST_USER
DJANGO_EMAIL_HOST_PASSWORD:
secretKeyRef:
name: backend
key: DJANGO_EMAIL_HOST_PASSWORD
DJANGO_SILENCED_SYSTEM_CHECKS: security.W008,security.W004
OIDC_OP_JWKS_ENDPOINT: https://fca.integ01.dev-agentconnect.fr/api/v2/jwks
OIDC_OP_AUTHORIZATION_ENDPOINT: https://fca.integ01.dev-agentconnect.fr/api/v2/authorize
OIDC_OP_TOKEN_ENDPOINT: https://fca.integ01.dev-agentconnect.fr/api/v2/token
OIDC_OP_USER_ENDPOINT: https://fca.integ01.dev-agentconnect.fr/api/v2/userinfo
OIDC_OP_LOGOUT_ENDPOINT: https://fca.integ01.dev-agentconnect.fr/api/v2/session/end
OIDC_ORGANIZATION_REGISTRATION_ID_FIELD: "siret"
OIDC_RP_CLIENT_ID:
secretKeyRef:
name: backend
key: OIDC_RP_CLIENT_ID
OIDC_RP_CLIENT_SECRET:
secretKeyRef:
name: backend
key: OIDC_RP_CLIENT_SECRET
OIDC_RP_SIGN_ALGO: RS256
OIDC_RP_SCOPES: "openid email siret"
OIDC_REDIRECT_ALLOWED_HOSTS: https://desk-preprod.beta.numerique.gouv.fr
OIDC_AUTH_REQUEST_EXTRA_PARAMS: "{'acr_values': 'eidas1'}"
ORGANIZATION_PLUGINS: ["plugins.organizations.NameFromSiretOrganizationPlugin"]
ORGANIZATION_REGISTRATION_ID_VALIDATORS: '[{"NAME": "django.core.validators.RegexValidator", "OPTIONS": {"regex": "^[0-9]{14}$"}}]'
LOGIN_REDIRECT_URL: https://desk-preprod.beta.numerique.gouv.fr
LOGIN_REDIRECT_URL_FAILURE: https://desk-preprod.beta.numerique.gouv.fr
LOGOUT_REDIRECT_URL: https://desk-preprod.beta.numerique.gouv.fr
DB_HOST:
secretKeyRef:
name: postgresql.postgres.libre.sh
key: host
DB_NAME:
secretKeyRef:
name: postgresql.postgres.libre.sh
key: database
DB_USER:
secretKeyRef:
name: postgresql.postgres.libre.sh
key: username
DB_PASSWORD:
secretKeyRef:
name: postgresql.postgres.libre.sh
key: password
DB_PORT:
secretKeyRef:
name: postgresql.postgres.libre.sh
key: port
POSTGRES_USER:
secretKeyRef:
name: postgresql.postgres.libre.sh
key: username
POSTGRES_DB:
secretKeyRef:
name: postgresql.postgres.libre.sh
key: database
POSTGRES_PASSWORD:
secretKeyRef:
name: postgresql.postgres.libre.sh
key: password
REDIS_URL:
secretKeyRef:
name: redis.redis.libre.sh
key: url
WEBMAIL_URL: "https://webmail.test.ox.numerique.gouv.fr"
MAIL_PROVISIONING_API_URL: "https://api.ovhdev.dimail1.numerique.gouv.fr"
MAIL_PROVISIONING_API_CREDENTIALS:
secretKeyRef:
name: backend
key: MAIL_PROVISIONING_API_CREDENTIALS
FEATURE_TEAMS_DISPLAY: False
FEATURE_CONTACTS_DISPLAY: False
FEATURE_CONTACTS_CREATE: False
FEATURE_TEAMS_CREATE: False
FEATURE_MAILBOXES_CREATE: False
SENTRY_DSN: "https://b72746c73d669421e7a8ccd3fab0fad2@sentry.incubateur.net/171"
createsuperuser:
command:
- "/bin/sh"
- "-c"
- python manage.py createsuperuser --username $DJANGO_SUPERUSER_EMAIL --password $DJANGO_SUPERUSER_PASSWORD
restartPolicy: Never
frontend:
image:
repository: lasuite/people-frontend
pullPolicy: Always
tag: "v1.9.1"
ingress:
enabled: true
host: desk-preprod.beta.numerique.gouv.fr
className: nginx
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
ingressAdmin:
enabled: true
host: desk-preprod.beta.numerique.gouv.fr
className: nginx
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
nginx.ingress.kubernetes.io/auth-signin: https://oauth2-proxy-preprod.beta.numerique.gouv.fr/oauth2/start
nginx.ingress.kubernetes.io/auth-url: https://oauth2-proxy-preprod.beta.numerique.gouv.fr/oauth2/auth


@@ -1 +0,0 @@
../../../../secrets/numerique-gouv/people/env/production/secrets.enc.yaml


@@ -1,141 +0,0 @@
image:
repository: lasuite/people-backend
pullPolicy: Always
tag: "v1.9.1"
backend:
migrateJobAnnotations:
argocd.argoproj.io/hook: PostSync
argocd.argoproj.io/hook-delete-policy: HookSucceeded
envVars:
DJANGO_ADMIN_HEADER_BACKGROUND: "#dc3545"
DJANGO_ADMIN_HEADER_COLOR: "#ffffff"
DJANGO_CSRF_TRUSTED_ORIGINS: https://regie.numerique.gouv.fr
DJANGO_CONFIGURATION: Production
DJANGO_ALLOWED_HOSTS: "*"
DJANGO_SECRET_KEY:
secretKeyRef:
name: backend
key: DJANGO_SECRET_KEY
DJANGO_SETTINGS_MODULE: people.settings
DJANGO_SUPERUSER_EMAIL:
secretKeyRef:
name: backend
key: DJANGO_SUPERUSER_EMAIL
DJANGO_SUPERUSER_PASSWORD:
secretKeyRef:
name: backend
key: DJANGO_SUPERUSER_PASSWORD
DJANGO_EMAIL_HOST: "smtp.tem.scw.cloud"
DJANGO_EMAIL_PORT: 587
DJANGO_EMAIL_USE_TLS: True
DJANGO_EMAIL_FROM: "noreply@regie.beta.numerique.gouv.fr"
DJANGO_EMAIL_HOST_USER:
secretKeyRef:
name: backend
key: DJANGO_EMAIL_HOST_USER
DJANGO_EMAIL_HOST_PASSWORD:
secretKeyRef:
name: backend
key: DJANGO_EMAIL_HOST_PASSWORD
DJANGO_SILENCED_SYSTEM_CHECKS: security.W008,security.W004
OIDC_OP_JWKS_ENDPOINT: https://auth.agentconnect.gouv.fr/api/v2/jwks
OIDC_OP_AUTHORIZATION_ENDPOINT: https://auth.agentconnect.gouv.fr/api/v2/authorize
OIDC_OP_TOKEN_ENDPOINT: https://auth.agentconnect.gouv.fr/api/v2/token
OIDC_OP_USER_ENDPOINT: https://auth.agentconnect.gouv.fr/api/v2/userinfo
OIDC_OP_LOGOUT_ENDPOINT: https://auth.agentconnect.gouv.fr/api/v2/session/end
ORGANIZATION_PLUGINS: ["plugins.organizations.NameFromSiretOrganizationPlugin"]
OIDC_ORGANIZATION_REGISTRATION_ID_FIELD: "siret"
OIDC_RP_CLIENT_ID:
secretKeyRef:
name: backend
key: OIDC_RP_CLIENT_ID
OIDC_RP_CLIENT_SECRET:
secretKeyRef:
name: backend
key: OIDC_RP_CLIENT_SECRET
OIDC_RP_SIGN_ALGO: RS256
OIDC_RP_SCOPES: "openid email siret"
OIDC_REDIRECT_ALLOWED_HOSTS: https://regie.numerique.gouv.fr
OIDC_AUTH_REQUEST_EXTRA_PARAMS: "{'acr_values': 'eidas1'}"
ORGANIZATION_REGISTRATION_ID_VALIDATORS: '[{"NAME": "django.core.validators.RegexValidator", "OPTIONS": {"regex": "^[0-9]{14}$"}}]'
LOGIN_REDIRECT_URL: https://regie.numerique.gouv.fr
LOGIN_REDIRECT_URL_FAILURE: https://regie.numerique.gouv.fr
LOGOUT_REDIRECT_URL: https://regie.numerique.gouv.fr
DB_HOST:
secretKeyRef:
name: postgresql.postgres.libre.sh
key: host
DB_NAME:
secretKeyRef:
name: postgresql.postgres.libre.sh
key: database
DB_USER:
secretKeyRef:
name: postgresql.postgres.libre.sh
key: username
DB_PASSWORD:
secretKeyRef:
name: postgresql.postgres.libre.sh
key: password
DB_PORT:
secretKeyRef:
name: postgresql.postgres.libre.sh
key: port
POSTGRES_USER:
secretKeyRef:
name: postgresql.postgres.libre.sh
key: username
POSTGRES_DB:
secretKeyRef:
name: postgresql.postgres.libre.sh
key: database
POSTGRES_PASSWORD:
secretKeyRef:
name: postgresql.postgres.libre.sh
key: password
REDIS_URL:
secretKeyRef:
name: redis.redis.libre.sh
key: url
WEBMAIL_URL: "https://webmail.numerique.gouv.fr"
MAIL_PROVISIONING_API_URL: "https://api.ovhprod.dimail1.numerique.gouv.fr"
MAIL_PROVISIONING_API_CREDENTIALS:
secretKeyRef:
name: backend
key: MAIL_PROVISIONING_API_CREDENTIALS
FEATURE_TEAMS_DISPLAY: False
FEATURE_CONTACTS_DISPLAY: False
FEATURE_CONTACTS_CREATE: False
FEATURE_TEAMS_CREATE: False
FEATURE_MAILBOXES_CREATE: False
SENTRY_DSN: "https://b72746c73d669421e7a8ccd3fab0fad2@sentry.incubateur.net/171"
createsuperuser:
command:
- "/bin/sh"
- "-c"
- python manage.py createsuperuser --username $DJANGO_SUPERUSER_EMAIL --password $DJANGO_SUPERUSER_PASSWORD
restartPolicy: Never
frontend:
image:
repository: lasuite/people-frontend
pullPolicy: Always
tag: "v1.9.1"
ingress:
enabled: true
host: regie.numerique.gouv.fr
className: nginx
annotations:
cert-manager.io/cluster-issuer: letsencrypt
ingressAdmin:
enabled: true
host: regie.numerique.gouv.fr
className: nginx
annotations:
cert-manager.io/cluster-issuer: letsencrypt
nginx.ingress.kubernetes.io/auth-signin: https://oauth2-proxy.beta.numerique.gouv.fr/oauth2/start
nginx.ingress.kubernetes.io/auth-url: https://oauth2-proxy.beta.numerique.gouv.fr/oauth2/auth


@@ -1 +0,0 @@
../../../../secrets/numerique-gouv/people/env/staging/secrets.enc.yaml


@@ -1,150 +0,0 @@
image:
repository: lasuite/people-backend
pullPolicy: Always
tag: "main"
backend:
migrateJobAnnotations:
argocd.argoproj.io/hook: PreSync
argocd.argoproj.io/hook-delete-policy: HookSucceeded
envVars:
DJANGO_ADMIN_HEADER_BACKGROUND: "#0f5132"
DJANGO_ADMIN_HEADER_COLOR: "#ffffff"
DJANGO_CSRF_TRUSTED_ORIGINS: http://desk-staging.beta.numerique.gouv.fr,https://desk-staging.beta.numerique.gouv.fr
DJANGO_CONFIGURATION: Staging
DJANGO_ALLOWED_HOSTS: "*"
DJANGO_SECRET_KEY:
secretKeyRef:
name: backend
key: DJANGO_SECRET_KEY
DJANGO_SETTINGS_MODULE: people.settings
DJANGO_SUPERUSER_EMAIL:
secretKeyRef:
name: backend
key: DJANGO_SUPERUSER_EMAIL
DJANGO_SUPERUSER_PASSWORD:
secretKeyRef:
name: backend
key: DJANGO_SUPERUSER_PASSWORD
DJANGO_EMAIL_HOST: "smtp.tem.scw.cloud"
DJANGO_EMAIL_PORT: 587
DJANGO_EMAIL_USE_TLS: True
DJANGO_EMAIL_FROM: "noreply@regie.beta.numerique.gouv.fr"
DJANGO_EMAIL_HOST_USER:
secretKeyRef:
name: backend
key: DJANGO_EMAIL_HOST_USER
DJANGO_EMAIL_HOST_PASSWORD:
secretKeyRef:
name: backend
key: DJANGO_EMAIL_HOST_PASSWORD
DJANGO_SILENCED_SYSTEM_CHECKS: security.W008,security.W004
OIDC_OP_JWKS_ENDPOINT: https://fca.integ01.dev-agentconnect.fr/api/v2/jwks
OIDC_OP_AUTHORIZATION_ENDPOINT: https://fca.integ01.dev-agentconnect.fr/api/v2/authorize
OIDC_OP_TOKEN_ENDPOINT: https://fca.integ01.dev-agentconnect.fr/api/v2/token
OIDC_OP_USER_ENDPOINT: https://fca.integ01.dev-agentconnect.fr/api/v2/userinfo
OIDC_OP_LOGOUT_ENDPOINT: https://fca.integ01.dev-agentconnect.fr/api/v2/session/end
OIDC_OP_INTROSPECTION_ENDPOINT: https://fca.integ01.dev-agentconnect.fr/api/v2/checktoken
OIDC_OP_URL: https://fca.integ01.dev-agentconnect.fr/api/v2
OIDC_ORGANIZATION_REGISTRATION_ID_FIELD: "siret"
OIDC_RP_CLIENT_ID:
secretKeyRef:
name: backend
key: OIDC_RP_CLIENT_ID
OIDC_RP_CLIENT_SECRET:
secretKeyRef:
name: backend
key: OIDC_RP_CLIENT_SECRET
OIDC_RS_CLIENT_ID:
secretKeyRef:
name: backend
key: OIDC_RS_CLIENT_ID
OIDC_RS_CLIENT_SECRET:
secretKeyRef:
name: backend
key: OIDC_RS_CLIENT_SECRET
OIDC_RS_PRIVATE_KEY_STR:
secretKeyRef:
name: backend
key: OIDC_RS_PRIVATE_KEY_STR
OIDC_RP_SIGN_ALGO: RS256
OIDC_RP_SCOPES: "openid email siret"
OIDC_REDIRECT_ALLOWED_HOSTS: https://desk-staging.beta.numerique.gouv.fr
OIDC_AUTH_REQUEST_EXTRA_PARAMS: "{'acr_values': 'eidas1'}"
ORGANIZATION_PLUGINS: "plugins.organizations.NameFromSiretOrganizationPlugin"
ORGANIZATION_REGISTRATION_ID_VALIDATORS: '[{"NAME": "django.core.validators.RegexValidator", "OPTIONS": {"regex": "^[0-9]{14}$"}}]'
LOGIN_REDIRECT_URL: https://desk-staging.beta.numerique.gouv.fr
LOGIN_REDIRECT_URL_FAILURE: https://desk-staging.beta.numerique.gouv.fr
LOGOUT_REDIRECT_URL: https://desk-staging.beta.numerique.gouv.fr
DB_HOST:
secretKeyRef:
name: postgresql.postgres.libre.sh
key: host
DB_NAME:
secretKeyRef:
name: postgresql.postgres.libre.sh
key: database
DB_USER:
secretKeyRef:
name: postgresql.postgres.libre.sh
key: username
DB_PASSWORD:
secretKeyRef:
name: postgresql.postgres.libre.sh
key: password
DB_PORT:
secretKeyRef:
name: postgresql.postgres.libre.sh
key: port
POSTGRES_USER:
secretKeyRef:
name: postgresql.postgres.libre.sh
key: username
POSTGRES_DB:
secretKeyRef:
name: postgresql.postgres.libre.sh
key: database
POSTGRES_PASSWORD:
secretKeyRef:
name: postgresql.postgres.libre.sh
key: password
REDIS_URL:
secretKeyRef:
name: redis.redis.libre.sh
key: url
WEBMAIL_URL: "https://webmail.test.ox.numerique.gouv.fr"
MAIL_PROVISIONING_API_URL: "https://api.ovhdev.dimail1.numerique.gouv.fr"
MAIL_PROVISIONING_API_CREDENTIALS:
secretKeyRef:
name: backend
key: MAIL_PROVISIONING_API_CREDENTIALS
SENTRY_DSN: "https://b72746c73d669421e7a8ccd3fab0fad2@sentry.incubateur.net/171"
createsuperuser:
command:
- "/bin/sh"
- "-c"
- python manage.py createsuperuser --username $DJANGO_SUPERUSER_EMAIL --password $DJANGO_SUPERUSER_PASSWORD
restartPolicy: Never
frontend:
image:
repository: lasuite/people-frontend
pullPolicy: Always
tag: "main"
ingress:
enabled: true
host: desk-staging.beta.numerique.gouv.fr
className: nginx
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
ingressAdmin:
enabled: true
host: desk-staging.beta.numerique.gouv.fr
className: nginx
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
nginx.ingress.kubernetes.io/auth-signin: https://oauth2-proxy-preprod.beta.numerique.gouv.fr/oauth2/start
nginx.ingress.kubernetes.io/auth-url: https://oauth2-proxy-preprod.beta.numerique.gouv.fr/oauth2/auth


@@ -1,5 +1,5 @@
apiVersion: v2 apiVersion: v2
name: extra name: extra
description: A Helm chart to add some manifests to desk description: A Helm chart to add some manifests to meet
type: application type: application
version: 0.1.0 version: 0.1.0
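Review bot: The new description says the chart adds manifests to `meet`, but everything around it (the `./desk` chart, the `desk` namespace, the `bitwarden-cli-desk` resources) belongs to desk, so this reads like a paste from a sibling project rather than an intended rename; `description: A Helm chart to add some manifests to desk`. The Keycloak realm ConfigMap key `meet.json` introduced elsewhere in this commit suggests the same origin, so it is worth a pass over the new files for other `meet` leftovers.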


@@ -0,0 +1,34 @@
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
name: bitwarden-login-{{ $.Release.Namespace }}
namespace: external-secrets
spec:
provider:
webhook:
url: "http://bitwarden-cli-{{ $.Release.Namespace }}.{{ $.Release.Namespace }}.svc.cluster.local:8087/object/item/{{`{{ .remoteRef.key }}`}}"
headers:
Content-Type: application/json
result:
jsonPath: "$.data.login.{{`{{ .remoteRef.property }}`}}"
---
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
name: bitwarden-fields-{{ $.Release.Namespace }}
spec:
provider:
webhook:
url: "http://bitwarden-cli-{{ $.Release.Namespace }}.{{ $.Release.Namespace }}.svc.cluster.local:8087/object/item/{{`{{ .remoteRef.key }}`}}"
result:
jsonPath: "$.data.fields[?@.name==\"{{`{{ .remoteRef.property }}`}}\"].value"
---
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
name: bitwarden-attachments-{{ $.Release.Namespace }}
spec:
provider:
webhook:
url: "http://bitwarden-cli-{{ $.Release.Namespace }}.{{ $.Release.Namespace }}.svc.cluster.local:8087/object/attachment/{{`{{ .remoteRef.property }}`}}?itemid={{`{{ .remoteRef.key }}`}}"
result: {}
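Review bot: The three ClusterSecretStores are cluster-scoped and carry no `conditions`, so an ExternalSecret in any namespace can reference `bitwarden-login-desk` and read any vault item whose ID it names through the unauthenticated webhook, and the item IDs are committed in the dev values file. Restrict each store to the release namespace under `spec`, e.g. `conditions: [{namespaces: ["{{ $.Release.Namespace }}"]}]` (supported on ClusterSecretStore in recent external-secrets releases — confirm against the installed chart), or use a namespaced SecretStore since the backing Service lives in that namespace anyway. The first store also sets `namespace: external-secrets` while the other two omit it; the resource is cluster-scoped, so the field is at best ignored and should be dropped for consistency. Finally, the `jsonPath` on the fields store interpolates `remoteRef.property` inside a quoted filter, so a field name containing `"` would break the query; a comment stating that constraint above the store would spare the next maintainer a puzzling sync error.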


@@ -0,0 +1,28 @@
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: backend
namespace: {{ .Release.Namespace | quote }}
spec:
refreshInterval: "1m"
target:
name: backend
deletionPolicy: Delete
template:
type: Opaque
data:
{{- range .Values.secrets }}
{{ .podVariable }}: |-
{{`{{`}} {{ print "." .name }} {{`}}`}}
{{- end }}
data:
{{- range .Values.secrets }}
- secretKey: {{ .name }}
sourceRef:
storeRef:
name: {{ .clusterSecretStore }}
kind: ClusterSecretStore
remoteRef:
key: {{ .itemId }}
property: {{ .field }}
{{- end }}
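Review bot: The template renders unconditionally, so a values file with no `secrets` entries (or a misspelled key) produces a `data:` mapping with a null value and an empty `template.data`, which external-secrets is likely to reject at admission rather than produce an empty Secret; wrap the document in `{{- if .Values.secrets }}` … `{{- end }}` or fail early with `{{ required "secrets must be set" .Values.secrets }}`. The scalars taken from values are unquoted (`secretKey: {{ .name }}`, `key: {{ .itemId }}`, `property: {{ .field }}`), so a field named `yes` or an all-digit item ID would be retyped by YAML; pipe each through `| quote`. A one-line comment above `refreshInterval: "1m"` noting that the vault is polled through the bitwarden-cli webhook every minute per item (so vault edits propagate within a minute, presumably the reason for the short interval) would document the trade-off for whoever later tunes it.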


@@ -0,0 +1,92 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: bitwarden-cli-{{ $.Release.Namespace }}
namespace: {{ $.Release.Namespace | quote }}
labels:
app.kubernetes.io/instance: bitwarden-cli
app.kubernetes.io/name: bitwarden-cli
spec:
replicas: 1
strategy:
type: Recreate
selector:
matchLabels:
app.kubernetes.io/name: bitwarden-cli
app.kubernetes.io/instance: bitwarden-cli
template:
metadata:
labels:
app.kubernetes.io/name: bitwarden-cli
app.kubernetes.io/instance: bitwarden-cli
spec:
containers:
- name: bitwarden-cli
image: lasuite/vaultwarden-api:0.1
imagePullPolicy: Always
env:
- name: BW_HOST
valueFrom:
secretKeyRef:
name: bitwarden-cli-{{ $.Release.Namespace }}
key: BW_HOST
- name: BW_USER
valueFrom:
secretKeyRef:
name: bitwarden-cli-{{ $.Release.Namespace }}
key: BW_USERNAME
- name: BW_PASSWORD
valueFrom:
secretKeyRef:
name: bitwarden-cli-{{ $.Release.Namespace }}
key: BW_PASSWORD
ports:
- name: http
containerPort: 8087
protocol: TCP
livenessProbe:
exec:
command:
- wget
- -q
- http://127.0.0.1:8087/sync?force=true
- --post-data=''
initialDelaySeconds: 20
failureThreshold: 3
timeoutSeconds: 10
periodSeconds: 120
readinessProbe:
tcpSocket:
port: 8087
initialDelaySeconds: 20
failureThreshold: 3
timeoutSeconds: 1
periodSeconds: 10
startupProbe:
tcpSocket:
port: 8087
initialDelaySeconds: 10
failureThreshold: 30
timeoutSeconds: 1
periodSeconds: 5
---
apiVersion: v1
kind: Service
metadata:
name: bitwarden-cli-{{ $.Release.Namespace }}
namespace: {{ $.Release.Namespace | quote }}
labels:
app.kubernetes.io/instance: bitwarden-cli
app.kubernetes.io/name: bitwarden-cli
annotations:
spec:
type: ClusterIP
ports:
- port: 8087
targetPort: http
protocol: TCP
name: http
selector:
app.kubernetes.io/name: bitwarden-cli
app.kubernetes.io/instance: bitwarden-cli
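Review bot: The bitwarden-cli pod holds the vault login credentials from the `bitwarden-cli-{{ $.Release.Namespace }}` Secret and serves `/object/item/<id>` and `/object/attachment/...` over plain HTTP on a ClusterIP Service with no authentication, so any pod in the cluster that can reach `bitwarden-cli-desk.desk.svc:8087` can dump vault items; nothing in this hunk limits who may connect. Add a NetworkPolicy that only admits ingress from the namespace external-secrets is installed into (its controller is the only legitimate webhook client), as sketched below, and give the container a `securityContext` (`runAsNonRoot`, `readOnlyRootFilesystem`, drop all capabilities) and resource limits. The image is `lasuite/vaultwarden-api:0.1` with `imagePullPolicy: Always`, i.e. a mutable tag re-pulled on every restart for the one container that sees every secret; pin it by digest (`image: lasuite/vaultwarden-api:0.1@sha256:<digest>`). Minor: the Service's empty `annotations:` key is a YAML null and can be removed.

```yaml
# … unchanged: bitwarden-cli Deployment and Service …
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: bitwarden-cli-{{ $.Release.Namespace }}
  namespace: {{ $.Release.Namespace | quote }}
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: bitwarden-cli
      app.kubernetes.io/instance: bitwarden-cli
  policyTypes:
    - Ingress
  ingress:
    # only the external-secrets controller may call the webhook
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: external-secrets
      ports:
        - port: 8087
          protocol: TCP
```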


@@ -1,7 +0,0 @@
apiVersion: core.libre.sh/v1alpha1
kind: Redis
metadata:
name: redis
namespace: {{ .Release.Namespace | quote }}
spec:
disableAuth: false


@@ -1,7 +0,0 @@
apiVersion: core.libre.sh/v1alpha1
kind: Postgres
metadata:
name: postgresql
namespace: {{ .Release.Namespace | quote }}
spec:
database: desk


@@ -1,11 +1,60 @@
environments:
dev:
values:
- version: 0.0.1
dev-keycloak:
values:
- version: 0.0.1
---
repositories: repositories:
- name: bitnami - name: bitnami
url: registry-1.docker.io/bitnamicharts url: registry-1.docker.io/bitnamicharts
oci: true oci: true
releases: releases:
- name: keycloak
installed: {{ eq .Environment.Name "dev-keycloak" | toYaml }}
missingFileHandler: Warn
namespace: {{ .Namespace }}
chart: bitnami/keycloak
version: 17.3.6
values:
- postgresql:
auth:
username: keycloak
password: keycloak
database: keycloak
- extraEnvVars:
- name: KEYCLOAK_EXTRA_ARGS
value: "--import-realm"
- name: KC_HOSTNAME_URL
value: https://keycloak.127.0.0.1.nip.io
- extraVolumes:
- name: import
configMap:
name: desk-keycloak
- extraVolumeMounts:
- name: import
mountPath: /opt/bitnami/keycloak/data/import/
- auth:
adminUser: su
adminPassword: su
- proxy: edge
- ingress:
enabled: true
hostname: keycloak.127.0.0.1.nip.io
- extraDeploy:
- apiVersion: v1
kind: ConfigMap
metadata:
name: desk-keycloak
data:
meet.json: |
{{ readFile "../../docker/auth/realm.json" | replace "http://localhost:3200" "https://desk.127.0.0.1.nip.io" | indent 14 }}
- name: postgres - name: postgres
installed: {{ eq .Environment.Name "dev" | toYaml }} installed: {{ regexMatch "^dev.*" .Environment.Name | toYaml }}
missingFileHandler: Warn
namespace: {{ .Namespace }} namespace: {{ .Namespace }}
chart: bitnami/postgresql chart: bitnami/postgresql
version: 13.1.5 version: 13.1.5
@@ -19,7 +68,8 @@ releases:
autoGenerated: true autoGenerated: true
- name: redis - name: redis
installed: {{ eq .Environment.Name "dev" | toYaml }} installed: {{ regexMatch "^dev.*" .Environment.Name | toYaml }}
missingFileHandler: Warn
namespace: {{ .Namespace }} namespace: {{ .Namespace }}
chart: bitnami/redis chart: bitnami/redis
version: 18.19.2 version: 18.19.2
@@ -28,40 +78,19 @@ releases:
password: pass password: pass
architecture: standalone architecture: standalone
- name: extra
installed: {{ ne .Environment.Name "dev" | toYaml }}
namespace: {{ .Namespace }}
chart: ./extra
secrets:
- env.d/{{ .Environment.Name }}/secrets.enc.yaml
- name: desk - name: desk
version: {{ .Values.version }} installed: {{ regexMatch "^dev.*" .Environment.Name | toYaml }}
missingFileHandler: Warn
namespace: {{ .Namespace }} namespace: {{ .Namespace }}
chart: ./desk chart: ./desk
values: values:
- env.d/{{ .Environment.Name }}/values.desk.yaml.gotmpl - env.d/{{ .Environment.Name }}/values.desk.yaml.gotmpl
secrets:
- env.d/{{ .Environment.Name }}/secrets.enc.yaml
environments: - name: extra
dev: installed: {{ eq .Environment.Name "dev" | toYaml }}
missingFileHandler: Warn
namespace: {{ .Namespace }}
chart: ./extra
values: values:
- version: 0.0.1 - env.d/{{ .Environment.Name }}/values.desk.yaml.gotmpl
secrets:
- env.d/{{ .Environment.Name }}/secrets.enc.yaml
staging:
values:
- version: 0.0.1
secrets:
- env.d/{{ .Environment.Name }}/secrets.enc.yaml
preprod:
values:
- version: 0.0.1
secrets:
- env.d/{{ .Environment.Name }}/secrets.enc.yaml
production:
values:
- version: 0.0.1
secrets:
- env.d/{{ .Environment.Name }}/secrets.enc.yaml