update devops flow

.circleci/config.yml

@@ -43,7 +43,7 @@ jobs:
           name: Deploy
           command: >
               helm upgrade 
-              lecoffre-back devops/ -i -f devops/values.yaml 
+              lecoffre-back devops/ -i -f devops/<<parameters.env>>.values.yaml 
               -n lecoffre-<<parameters.env>>
               --create-namespace
               --set lecoffreBack.image.repository='rg.fr-par.scw.cloud/lecoffre/back'

devops/ppd.values.yaml

@@ -0,0 +1,31 @@
+dockerPullSecret: docker-pull-secret
+
+scwSecretKey: AgCgjF5QEzxT3GYTS5B6cmQ0e+0/qFWzKaUDSi+Vjc7RoameuvaIJvTXMBkS3he1oy1ulbB34v6vpZI2kxnGNqERA/U5BaYDAyfKSBwMAy4br7HVKhhuwkoF5qoG5JzJXseSmqB1U9vncVIGOZWzJc1Y4/eGlWcvLcLyfw2z/WEpyeNiWJfEhTYpJOB7gv0XnRb2U/JM3jRy1QgEUIk1WR6kgBalF+xaczPQ6uKh+PR2pqkbZa3WaKUrddmzNsgEz4d8PZMWt8IBwR2JOQEHUqCd34p/pJNyLdUgcdDhg02DKwn1oRoAxKTbAio/a7WrMbodjCb3TNWIYGal5mFmItZ7Ok/EBmUf4E85eOkTR+j8ynuuiexld3Q5Kw3o8LsHjgzVL9uP+T2rYaKkjtVt+YQRX1U8l9CrsdUEz0/wEBA0jwCWMfnh1qhD5pM/xwwjsEEAcK4rYV+Q7iAgGZZvZBCQ5aEHzrtn5D95tr1GZCV2hmrW6Seu+LKKLVBS1JmsuEsOuhudYsEK9m2RYVcxbjuS5eokKEjNrGobf2oB8rhBByavfw1JTBixR5JrI8lcYlnCa+oEhxXKJY+4Fx5SAB4YaLCMSo5vw6zsFQ3WKQzlEmCFt+EnapS+a+MGrdlwq07OHTDpvgk/1z39hopoCuhhKckGGfErLXsTYQvDOkFu+EPzgY7m7qDw/d9pSiht5tuSOkAqeOgm7tpNkUufZhaXmP+1aT7i+H5gq1JILGAmXzTI5Wc=
+
+lecoffreBack:
+  serviceAccountName: lecoffre-back-sa
+  command: "npm run api:start" 
+  envSecrets: ppd-env
+  imagePullSecrets:
+    - name: docker-pull-secret
+  image:
+    pullPolicy: Always
+    repository: "rg.fr-par.scw.cloud/lecoffre/back" 
+  resources:
+    requests:
+      cpu: 200m
+      memory: 1Gi
+    limits:
+      memory: 2Gi
+  ingress: 
+    host: api.stg.lecoffre.smart-chain.fr
+    tls:
+      hosts: 
+      - api.stg.lecoffre.smart-chain.fr 
+      secretName: api-tls
+    annotations:
+      kubernetes.io/ingress.class: nginx
+      cert-manager.io/cluster-issuer: letsencrypt-prod 
+      nginx.ingress.kubernetes.io/from-to-www-redirect: "true"
+      nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+

devops/prd.values.yaml

@@ -0,0 +1,31 @@
+dockerPullSecret: docker-pull-secret
+
+scwSecretKey: AgBG2y7uQuap+2akNPGFxpCR+l0INO6Wxez5qljtY6t71GFGhJLYN9ZfefflKcFzD2Nv7DQMXXhpnCCaFti+9JMCMDuN324dDgtMMLTot+Pkxk/bAm+L8t3HfRharFdLz/vvzg77bvypi28TEoNYR/AM0e8VMYxBEgEp2TmP5uXcxZOgPzXMrfQoSdNRyzGTJ5tXZwe3PP7XvXyTNsZzHBtoQQM+nul9nL+VFA7CBRaaOpCmKOXjAlt7TyNXo4X5eYBNlxr+NuQw4dh4E/1zqdU/dDCE1+vx88BDbdydBA1qJaTOUSGTFquSK4kb9qAVAexBAIUqRwpfEW6Li945AXtnxLN42gEGPRsA9tSXL2c20k6thuRCqxwEOZljq2E03qtLAkxdP6WFBcb77o4PIEMZ8AmzPASnI+eW5z2mCoP3L+HZQrTLliDjmF4AMtOfZxRi0CCTrsSabOrimJC6v3y3ve0VcSsjA3rd5vvJ3Va4mZK4JAtYwEUx4PCHCGkUxc0w6jRwKB5tL/auZVT4SV/0z/WgW4Kq4AdvxsU6yGOqflt6e3ePIIuvCgjw+1yOYRpUiSGj36oOqNPMA4smxIB7p7Gi3csqt2TrQoW3TaLv/s7gbCcxHWSor+WT71WGg8AVmLm+FzUINmNop+c2RNo3O/Gj7h1uybX/pj+tRLNOuBQCqa+GQkY2bT2NcT9ifnAZB6K+2zAWXl+tdbMlDGV89P2yMYuRMdHGhuOoyuIUPWeA5i0=
+
+lecoffreBack:
+  serviceAccountName: lecoffre-back-sa
+  command: "npm run api:start" 
+  envSecrets: prd-env
+  imagePullSecrets:
+    - name: docker-pull-secret
+  image:
+    pullPolicy: Always
+    repository: "rg.fr-par.scw.cloud/lecoffre/back" 
+  resources:
+    requests:
+      cpu: 200m
+      memory: 1Gi
+    limits:
+      memory: 2Gi
+  ingress: 
+    host: api.stg.lecoffre.smart-chain.fr
+    tls:
+      hosts: 
+      - api.stg.lecoffre.smart-chain.fr 
+      secretName: api-tls
+    annotations:
+      kubernetes.io/ingress.class: nginx
+      cert-manager.io/cluster-issuer: letsencrypt-prod 
+      nginx.ingress.kubernetes.io/from-to-www-redirect: "true"
+      nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+

devops/stg.values.yaml

@@ -0,0 +1,38 @@
+dockerPullSecret: docker-pull-secret
+
+scwSecretKey: AgChoEnPitXp4Ny/rVMEcevaWKNVpyj2cJYAcq+yFqKwVwnLB+ffDvwqz9XBHu+6d4Nyyjkf37zUAMoaM21lEDWA7x3zfG2/D/j+rvX1qxzZgLD0mjBk7fGElVm332I6JA83oInes8AMMYEDPLElzHnpKRb9KtkIP4NzgOcCeW0ijft3N7Vroez6LEHsBPCA1I9XjKSkGEDvrO0MhWX3iJOlfz+SPMfJAV7rPawOs0ZmohTHrPW8qIvGDn8HCzKyU8zRBoMt+Ogpf5pH4U3JryEFuqD61KAQgablAM8edPIvsgNno9HAEuC2QtRLYA9aUhuKdaKuS58c9P2E80PHWXIlbpFCg6EugQTgNfnYp+3qDUNz8edeCfapYLvF4s9eCMGyMsGnpDR8EDNOyuGy7Y3l7okX8Xqu464gMp9E+hX7bHkcD6a4xfyIgJcWxsku0tm1TH1dpn4M1UXRuyZZif8P08nuE6MTUL67sAR9J1lpn4lVEL4kflk0pP2tZ5ncgPQFafJrRz05krMb0eU5tb2H4gs7ao/LL6idWo8MM9K1yr8lIuT5x2WW5CX+RjA+i50ex114V6vX3PNP5oVyt+DynTUB9QmXzVm3oLfDc3Cae1uqh7X0CFd+xiztJBtg0VtJaD/xUJcuWfY4cV2lERo9fRrykltzlJqiXHO4nowt8OtN0BcViVV8NJhPhYFzyb4ympxpOlTjm3GETuT2TYhUqdgS9nzleEAbOmOHZdIO2COunPE=
+
+lecoffreBack:
+  serviceAccountName: lecoffre-back-sa
+  envSecrets: stg-env
+  command: "npm run api:start" 
+  imagePullSecrets:
+    - name: docker-pull-secret
+  image:
+    pullPolicy: Always
+    repository: "rg.fr-par.scw.cloud/lecoffre/back" 
+  resources:
+    requests:
+      cpu: 200m
+      memory: 1Gi
+    limits:
+      memory: 2Gi
+  ingress: 
+    host: api.stg.lecoffre.smart-chain.fr
+    tls:
+      hosts: 
+      - api.stg.lecoffre.smart-chain.fr 
+      secretName: api-tls
+    annotations:
+      kubernetes.io/ingress.class: nginx
+      cert-manager.io/cluster-issuer: letsencrypt-prod 
+      nginx.ingress.kubernetes.io/from-to-www-redirect: "true"
+      nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+ # key is name of the environment variable, scwID is the secret ID in SCW with "id:" in front
+  env: 
+    - key: env1
+      scwID: "id:a131edea-84e0-49d6-b4a8-20ab417220c9"
+    - key: env2 
+      scwID: "id:f396cfed-098f-4f75-8e5e-92ba60b46cee"
+
+

devops/templates/docker-pull-secret.yaml

@@ -5,8 +5,8 @@ metadata:
 spec:
   refreshInterval: 1h
   secretStoreRef:
-    name: dockerpullsecret-vault-cluster-secret-store
+    name: secret-store
-    kind: ClusterSecretStore
+    kind: SecretStore
   target:
     template:
       type: kubernetes.io/dockerconfigjson
@@ -16,4 +16,4 @@ spec:
   - secretKey: .dockerconfigjson
     remoteRef:
       key: {{ .Values.dockerPullSecret }}
-      property: .dockerconfigjson
+      version: latest_enabled

devops/templates/lecoffre-back.yaml

@@ -3,7 +3,6 @@ apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   name: lecoffre-back
-  namespace: {{ .Values.namespace }}
 {{if .Values.lecoffreBack.ingress.annotations}}
   annotations: 
 {{toYaml .Values.lecoffreBack.ingress.annotations | indent 4 }}
@@ -28,7 +27,6 @@ apiVersion: v1
 kind: Service
 metadata:
   name: lecoffre-back-svc
-  namespace: {{ .Values.namespace }}
   labels:
 spec:
   ports:
@@ -42,7 +40,6 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: lecoffre-back
-  namespace: {{ .Values.namespace }} 
   labels:
     app: lecoffre-back
 spec:
@@ -53,7 +50,6 @@ spec:
   template:
     metadata:
       annotations:
-{{toYaml .Values.lecoffreBack.vault.annotations | indent 8 }}
       labels:
         app: lecoffre-back
     spec:
@@ -62,10 +58,13 @@ spec:
       - name: docker-pull-secret
       containers:
       - name: lecoffre-back
-        image: "{{ .Values.lecoffreBack.image.repository }}:v{{ .Chart.AppVersion }}"
+        image: "{{ .Values.lecoffreBack.image.repository }}:{{ .Values.lecoffreBack.image.tag }}"
 {{if .Values.lecoffreBack.resources}}
         resources:
 {{toYaml .Values.lecoffreBack.resources | indent 10}}
 {{end}}
         imagePullPolicy: {{ .Values.lecoffreBack.image.pullPolicy }}
-        command: [{{ .Values.lecoffreBack.command }}]
+        command: [{{ .Values.lecoffreBack.command }}]
+        envFrom:
+          - secretRef:
+              name:  {{ .Values.lecoffreBack.envSecrets }}

devops/templates/sealed-secret.yaml

@@ -0,0 +1,12 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: scw-secret-key
+spec:
+  encryptedData:
+    SCW_SECRET_KEY: {{ .Values.scwSecretKey }}
+  template:
+    metadata:
+      creationTimestamp: null
+      name: scw-secret-key

devops/templates/secret-store.yaml

@@ -0,0 +1,15 @@
+apiVersion: external-secrets.io/v1beta1
+kind: SecretStore
+metadata:
+  name: secret-store
+spec:
+  provider:
+    scaleway:
+      region: fr-par
+      projectId: c0ed1e9e-d945-461f-920c-98c844ef1ad4
+      accessKey:
+        value: SCWNCSH22EMVGT3MNX09
+      secretKey:
+        secretRef:
+          name: scw-secret-key
+          key: SCW_SECRET_KEY

devops/templates/secrets.yaml

@@ -0,0 +1,16 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: {{ .Values.lecoffreBack.envSecrets }}
+spec:
+  refreshInterval: 20s
+  secretStoreRef:
+    kind: SecretStore
+    name: secret-store
+  data:
+  {{ range $v := .Values.lecoffreBack.env }}
+    - secretKey: {{ $v.key }}
+      remoteRef:
+        key: {{ $v.scwID}}
+        version: latest_enabled
+  {{ end }}

devops/values.yaml

@@ -1,29 +1,17 @@
-dockerPullSecret: secret/data/minteed-stg/config/dockerpullsecret
+dockerPullSecret: docker-pull-secret
 
-namespace: lecoffre
+scwSecretKey: ss
 
 lecoffreBack:
   serviceAccountName: lecoffre-back-sa
-  command: "'sh', '-c', '. /vault/secrets/envs-api && npm run api:start'" 
+  command: "npm run api:start" 
-  vault:
+  envSecrets: env-env
-    role : custom_lecoffre-back_injector_rol
-    server: https://vault-stg.smart-chain.fr
-    annotations: 
-      vault.hashicorp.com/agent-pre-populate-only: "true"
-      vault.hashicorp.com/agent-inject: "true"
-      vault.hashicorp.com/agent-inject-secret-envs-api: secret/data/lecoffre-back-stg/config/envs-api
-      vault.hashicorp.com/role: custom_lecoffre-back_injector_rol
-      vault.hashicorp.com/agent-inject-template-envs-api: |    
-        {{ with secret "secret/data/lecoffre-back-stg/config/envs-api" }}
-          {{ range $k, $v := .Data.data }}
-              export {{ $k }}="{{ $v }}"
-          {{ end }}
-        {{ end }}
   imagePullSecrets:
     - name: docker-pull-secret
   image:
     pullPolicy: Always
     repository: "rg.fr-par.scw.cloud/lecoffre/back" 
+    tag:
   resources:
     requests:
       cpu: 200m
@@ -41,4 +29,8 @@ lecoffreBack:
       cert-manager.io/cluster-issuer: letsencrypt-prod 
       nginx.ingress.kubernetes.io/from-to-www-redirect: "true"
       nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+  
+  env: 
+    - key: a
+      scwID: b