From 624aab70a5b3f2493530a1acb4a439f4f1e8d892 Mon Sep 17 00:00:00 2001 From: pida123 Date: Thu, 3 Aug 2023 12:20:22 +0200 Subject: [PATCH] refacto all devops --- .circleci/config.yml | 75 +++++++++++++++++++++--- devops/Chart.yaml | 5 +- devops/ppd.values.yaml | 31 ++++++++++ devops/prd.values.yaml | 31 ++++++++++ devops/stg.values.yaml | 38 ++++++++++++ devops/templates/docker-pull-secret.yaml | 1 + devops/templates/lecoffre-front.yaml | 15 +++-- devops/templates/sealed-secret.yaml | 1 + devops/templates/secret-store.yaml | 1 + devops/templates/secrets.yaml | 16 +++++ devops/values.yaml | 32 ++++------ 11 files changed, 207 insertions(+), 39 deletions(-) create mode 100644 devops/ppd.values.yaml create mode 100644 devops/prd.values.yaml create mode 100644 devops/stg.values.yaml create mode 100644 devops/templates/docker-pull-secret.yaml create mode 100644 devops/templates/sealed-secret.yaml create mode 100644 devops/templates/secret-store.yaml create mode 100644 devops/templates/secrets.yaml diff --git a/.circleci/config.yml b/.circleci/config.yml index 8cbb2304..96b23a85 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -15,8 +15,8 @@ jobs: - checkout - add_ssh_keys: fingerprints: - - "39:25:57:64:62:43:1f:98:b1:5e:75:53:87:d8:e7:71" - - run: cp $HOME/.ssh/id_rsa_3925576462431f98b15e755387d8e771 id_rsa + - "4c:8e:00:16:94:44:d9:ad:e9:e9:2c:8b:02:d4:8d:7a" + - run: cp $HOME/.ssh/id_rsa_4c8e00169444d9ade9e92c8b02d48d7a id_rsa - setup_remote_docker: version: 20.10.12 docker_layer_caching: true @@ -30,6 +30,10 @@ jobs: - image: cimg/base:stable environment: TAG: << pipeline.git.tag >> + parameters: + env: + type: string + default: stg steps: - checkout - kubernetes/install-kubeconfig: 
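Review bot: The deploy key is rotated here but the step still copies the private key into the checkout as a plain `id_rsa`, where a subsequent `docker build` can pick it up as part of the build context; nothing in this hunk shows how it is consumed, so confirm it is passed as a BuildKit secret (`--secret` / `--ssh`) rather than `COPY`'d into a layer that ends up in the registry. If the old key (`39:25:57:…`) is no longer needed, also remove it from the CircleCI project and from the git host it authorised, otherwise the rotation revokes nothing. A comment above `add_ssh_keys:` naming which repository or service this key grants access to would save the next person from guessing.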
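Review bot: The new `env` job parameter is an unconstrained `string` that the deploy step splices into the values-file path and into the target namespace (`lecoffre-<env>` together with `--create-namespace`), so a typo in a workflow creates a fresh namespace and deploys with the wrong or a missing values file. Declare it as an enum so the pipeline rejects anything but the three known environments: `type: enum` and `enum: [stg, ppd, prd]` in place of `type: string`. The deploy command that consumes the parameter is in the next hunk.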
@@ -39,28 +43,81 @@ jobs: name: Deploy command: > helm upgrade - lecoffre-front devops/ -i -f devops/values.yaml - -n lecoffre + lecoffre-front devops/ -i -f devops/<>.values.yaml + -n lecoffre-<> --create-namespace - --set lecoffreFront.image.repository='rg.fr-par.scw.cloud/lecoffre/front' - --set lecoffreFront.image.tag=$TAG + --set lecoffrefront.image.repository='rg.fr-par.scw.cloud/lecoffre/front' + --set lecoffrefront.image.tag=$TAG workflows: version: 2 - build-and-register: + build-and-register-stg: + when: + and: + - equal: [ staging, << pipeline.git.branch >> ] + - << pipeline.git.tag >> jobs: - build-push-docker-image: filters: tags: only: /^v.*/ branches: - ignore: /.*/ + only: staging - deploy-docker-image: + env: stg requires: - build-push-docker-image context: - - staging + - sc-shared-prd + filters: + tags: + only: /^v.*/ + branches: + ignore: /.*/ + + build-and-register-ppd: + when: + and: + - equal: [ preprod, << pipeline.git.branch >> ] + - << pipeline.git.tag >> + jobs: + - build-push-docker-image: + filters: + tags: + only: /^v.*/ + branches: + only: preprod + - deploy-docker-image: + env: ppd + requires: + - build-push-docker-image + context: + - sc-shared-prd + filters: + tags: + only: /^v.*/ + branches: + ignore: /.*/ + + build-and-register-prd: + when: + and: + - equal: [ main, << pipeline.git.branch >> ] + - << pipeline.git.tag >> + jobs: + - build-push-docker-image: + filters: + tags: + only: /^v.*/ + branches: + only: main + - deploy-docker-image: + env: prd + requires: + - build-push-docker-image + context: + - sc-shared-prd filters: tags: only: /^v.*/ diff --git a/devops/Chart.yaml b/devops/Chart.yaml index b19e514c..208511fb 100644 --- a/devops/Chart.yaml +++ b/devops/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -name: leCoffre-front +name: leCoffre-back description: A Helm chart for Kubernetes # A chart can be either an 'application' or a 'library' chart. 
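Review bot: The `--set` overrides use the keys `lecoffrefront.image.repository` and `lecoffrefront.image.tag`, while the chart values and templates use `lecoffreFront` (see `.Values.lecoffreFront.image.tag` in lecoffre-front.yaml and the values files); Helm keys are case-sensitive, so the tag never reaches the template and the image renders as `rg.fr-par.scw.cloud/lecoffre/front:` with an empty tag — change both to `--set lecoffreFront.image.repository=…` and `--set lecoffreFront.image.tag=$TAG`. All three workflows deploy with the same `sc-shared-prd` context, so the staging and preprod jobs run with whatever credentials production uses (presumably the kubeconfig), which defeats the environment separation this refactor introduces; give each environment its own context. Any `v*` tag on `main` goes straight to `prd` with no human gate; a `type: approval` job between build and deploy is the usual fix. Also worth verifying: CircleCI leaves `pipeline.git.branch` unset for tag-triggered pipelines, so an `and` of a branch equality and a tag check may never evaluate true and these workflows may not run at all.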
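Review bot: The chart is renamed to `leCoffre-back` although everything in it (templates, the `lecoffre-front` release name in CI, the `lecoffre/front` image) is the front-end, which looks like a copy from the back chart; keep `name: leCoffre-front` so `helm list` and release metadata identify the right component. Chart names are conventionally lowercase, so `name: lecoffre-front` would also match the release name used by the deploy step.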
@@ -21,4 +21,5 @@ version: 0.0.1
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: 0.5.0
+appVersion: 0.5.6
+
diff --git a/devops/ppd.values.yaml b/devops/ppd.values.yaml
new file mode 100644
index 00000000..8d3b1dd9
--- /dev/null
+++ b/devops/ppd.values.yaml
@@ -0,0 +1,31 @@
+dockerPullSecret: docker-pull-secret
+
+scwSecretKey: 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
+
+lecoffreFront:
+ serviceAccountName: lecoffre-front-sa
+ command: "npm run api:start"
+ envSecrets: front-env-ppd
+ imagePullSecrets:
+ - name: docker-pull-secret
+ image:
+ pullPolicy: Always
+ repository: "rg.fr-par.scw.cloud/lecoffre/front"
+ resources:
+ requests:
+ cpu: 200m
+ memory: 1Gi
+ limits:
+ memory: 2Gi
+ ingress:
+ host: app.stg.lecoffre.smart-chain.fr
+ tls:
+ hosts:
+ - app.stg.lecoffre.smart-chain.fr
+ secretName: api-tls
+ annotations:
+ kubernetes.io/ingress.class: nginx
+ cert-manager.io/cluster-issuer: letsencrypt-prod
+ nginx.ingress.kubernetes.io/from-to-www-redirect: "true"
+ nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+
diff --git a/devops/prd.values.yaml b/devops/prd.values.yaml
new file mode 100644
index 00000000..046b8a08
--- /dev/null
+++ b/devops/prd.values.yaml
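Review bot: The preprod values point the Ingress at the staging hostname (`host: app.stg.lecoffre.smart-chain.fr` plus the matching `tls.hosts` entry) while stg.values.yaml carries the `app.ppd` host, so the two files look swapped; once both are deployed, two namespaces claim the same host on the shared nginx controller and cert-manager tries to issue the staging certificate from the ppd namespace — change them to `host: app.ppd.lecoffre.smart-chain.fr` and `- app.ppd.lecoffre.smart-chain.fr`. This file sets no `lecoffreFront.env`, so the ExternalSecret in templates/secrets.yaml inherits the placeholder `env: [{key: a, scwID: b}]` from values.yaml, the sync to remote key `b` fails, the `front-env-ppd` Secret is never created and the pods cannot start because their `envFrom` is not optional; add the real `env:` entries here. `scwSecretKey` is an inline value in a committed file that no template in this chart reads (secret-store.yaml is a placeholder comment); if it is a real Scaleway secret key it must be rotated and purged from history, and either way it should be dropped from these values.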
@@ -0,0 +1,31 @@
+dockerPullSecret: docker-pull-secret
+
+scwSecretKey: 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
+
+lecoffreFront:
+ serviceAccountName: lecoffre-front-sa
+ command: "npm run api:start"
+ envSecrets: front-env-prd
+ imagePullSecrets:
+ - name: docker-pull-secret
+ image:
+ pullPolicy: Always
+ repository: "rg.fr-par.scw.cloud/lecoffre/front"
+ resources:
+ requests:
+ cpu: 200m
+ memory: 1Gi
+ limits:
+ memory: 2Gi
+ ingress:
+ host: lecoffre.smart-chain.fr
+ tls:
+ hosts:
+ - lecoffre.smart-chain.fr
+ secretName: api-tls
+ annotations:
+ kubernetes.io/ingress.class: nginx
+ cert-manager.io/cluster-issuer: letsencrypt-prod
+ nginx.ingress.kubernetes.io/from-to-www-redirect: "true"
+ nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+
diff --git a/devops/stg.values.yaml b/devops/stg.values.yaml
new file mode 100644
index 00000000..cd49e99a
--- /dev/null
+++ b/devops/stg.values.yaml
@@ -0,0 +1,38 @@
+dockerPullSecret: docker-pull-secret
+
+scwSecretKey: 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
+
+lecoffreFront:
+ serviceAccountName: lecoffre-front-sa
+ envSecrets: front-env-stg
+ command: "npm run api:start"
+ imagePullSecrets:
+ - name: docker-pull-secret
+ image:
+ pullPolicy: Always
+ repository: "rg.fr-par.scw.cloud/lecoffre/front"
+ resources:
+ requests:
+ cpu: 200m
+ memory: 1Gi
+ limits:
+ memory: 2Gi
+ ingress:
+ host: app.ppd.lecoffre.smart-chain.fr
+ tls:
+ hosts:
+ - app.ppd.lecoffre.smart-chain.fr
+ secretName: api-tls
+ annotations:
+ kubernetes.io/ingress.class: nginx
+ cert-manager.io/cluster-issuer: letsencrypt-prod
+ nginx.ingress.kubernetes.io/from-to-www-redirect: "true"
+ nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+ # key is name of the environment variable, scwID is the secret ID in SCW with "id:" in front
+ env:
+ - key: env1
+ scwID: "id:a131edea-84e0-49d6-b4a8-20ab417220c9"
+ - key: env2
+ scwID: "id:f396cfed-098f-4f75-8e5e-92ba60b46cee"
+
+
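Review bot: The production values define no `lecoffreFront.env`, so the ExternalSecret named `front-env-prd` is rendered from the placeholder `env: [{key: a, scwID: b}]` in values.yaml; remote key `b` will not resolve, the Secret is never created, and the Deployment's non-optional `envFrom` keeps the production pods pending. Add the production `env:` entries here with their Scaleway secret IDs, or make `env` required in the template so the release fails at `helm upgrade` instead of at pod start. `scwSecretKey` sits inline in a committed values file and no template in this chart reads it; if it is a real key, rotate it and remove it from git history rather than leaving it here. The TLS secret is named `api-tls` although the host is `lecoffre.smart-chain.fr`; if the back chart in the same namespace also writes `api-tls` (the placeholder templates suggest the two charts share a namespace), cert-manager ends up with two Ingresses fighting over one Secret, so a distinct name such as `front-tls` is safer.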
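Review bot: The staging values carry the preprod hostname (`host: app.ppd.lecoffre.smart-chain.fr` and its `tls.hosts` entry) while ppd.values.yaml carries the staging one, so the Ingress in `lecoffre-stg` will serve, and request a certificate for, the preprod host; swap them to `host: app.stg.lecoffre.smart-chain.fr` and `- app.stg.lecoffre.smart-chain.fr`. The `env` entries map Scaleway secret IDs to variables literally named `env1` and `env2`; per the comment above them, `key` becomes the environment-variable name the container sees, so these presumably need the real variable names the application reads — confirm against the app. The inline `scwSecretKey` is not read by any template in this chart and does not belong in a committed values file.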
diff --git a/devops/templates/docker-pull-secret.yaml b/devops/templates/docker-pull-secret.yaml new file mode 100644 index 00000000..dcb16698 --- /dev/null +++ b/devops/templates/docker-pull-secret.yaml @@ -0,0 +1 @@ +### USE SECRET FROM BACK diff --git a/devops/templates/lecoffre-front.yaml b/devops/templates/lecoffre-front.yaml index 5f375de6..53400248 100644 --- a/devops/templates/lecoffre-front.yaml +++ b/devops/templates/lecoffre-front.yaml @@ -3,7 +3,6 @@ apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: lecoffre-front - namespace: {{ .Values.namespace }} {{if .Values.lecoffreFront.ingress.annotations}} annotations: {{toYaml .Values.lecoffreFront.ingress.annotations | indent 4 }} @@ -18,7 +17,7 @@ spec: paths: - path: / pathType: Prefix - backend: + frontend: service: name: lecoffre-front-svc port: @@ -28,13 +27,12 @@ apiVersion: v1 kind: Service metadata: name: lecoffre-front-svc - namespace: {{ .Values.namespace }} labels: spec: ports: - port: 80 name: http - targetPort: 3000 + targetPort: 3001 selector: app: lecoffre-front --- @@ -42,7 +40,6 @@ apiVersion: apps/v1 kind: Deployment metadata: name: lecoffre-front - namespace: {{ .Values.namespace }} labels: app: lecoffre-front spec: @@ -53,7 +50,6 @@ spec: template: metadata: annotations: -{{toYaml .Values.lecoffreFront.vault.annotations | indent 8 }} labels: app: lecoffre-front spec: 
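Review bot: This placeholder leaves the chart depending on a `docker-pull-secret` Secret (referenced by `imagePullSecrets` in the Deployment) that it does not create, and the same holds for the `secret-store` SecretStore referenced by templates/secrets.yaml. Because CI deploys into `lecoffre-<env>` with `--create-namespace`, a fresh namespace has neither until the back release is installed there, and the front pods sit in ImagePullBackOff with no hint why. Spell the dependency out in the comment, e.g. `# Intentionally empty: docker-pull-secret is created by the leCoffre-back release, which must be installed in this namespace first.`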
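Review bot: `frontend:` is not a field of a `networking.k8s.io/v1` Ingress path; the field is `backend`, so after this change the path has no backend and the API server rejects the manifest (or, with unknown-field pruning, accepts an Ingress that routes nowhere), which makes `helm upgrade` fail for every environment. Revert the line to `backend:`. The rest of the Ingress spec lies outside this hunk.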
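Review bot: The Service's `targetPort` moves from 3000 to 3001, but nothing else in this commit changes the port the container listens on (the command is still an `npm run` script), so if the app still binds 3000 the Service has no reachable endpoint and the Ingress answers 502. Confirm the listen port and, ideally, declare it on the container (`ports:` / `- name: http` / `containerPort: 3001`) and use `targetPort: http` here so the two cannot drift apart again. The Service's `labels:` key is left empty; either drop it or give it `app: lecoffre-front` like the Deployment.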
@@ -62,10 +58,13 @@ spec: - name: docker-pull-secret containers: - name: lecoffre-front - image: "{{ .Values.lecoffreFront.image.repository }}:v{{ .Chart.AppVersion }}" + image: "{{ .Values.lecoffreFront.image.repository }}:{{ .Values.lecoffreFront.image.tag }}" {{if .Values.lecoffreFront.resources}} resources: {{toYaml .Values.lecoffreFront.resources | indent 10}} {{end}} imagePullPolicy: {{ .Values.lecoffreFront.image.pullPolicy }} - command: [{{ .Values.lecoffreFront.command }}] \ No newline at end of file + command: [{{ .Values.lecoffreFront.command }}] + envFrom: + - secretRef: + name: {{ .Values.lecoffreFront.envSecrets }} \ No newline at end of file diff --git a/devops/templates/sealed-secret.yaml b/devops/templates/sealed-secret.yaml new file mode 100644 index 00000000..4d8a706b --- /dev/null +++ b/devops/templates/sealed-secret.yaml @@ -0,0 +1 @@ +## USE SEALED SECRET FROM BACK \ No newline at end of file diff --git a/devops/templates/secret-store.yaml b/devops/templates/secret-store.yaml new file mode 100644 index 00000000..f7888f78 --- /dev/null +++ b/devops/templates/secret-store.yaml @@ -0,0 +1 @@ +## USE SECRET STORE FROM BACK \ No newline at end of file diff --git a/devops/templates/secrets.yaml b/devops/templates/secrets.yaml new file mode 100644 index 00000000..52f3c820 --- /dev/null +++ b/devops/templates/secrets.yaml @@ -0,0 +1,16 @@ +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: {{ .Values.lecoffreFront.envSecrets }} +spec: + refreshInterval: 20s + secretStoreRef: + kind: SecretStore + name: secret-store + data: + {{ range $v := .Values.lecoffreFront.env }} + - secretKey: {{ $v.key }} + remoteRef: + key: {{ $v.scwID}} + version: latest_enabled + {{ end }} \ No newline at end of file diff --git a/devops/values.yaml b/devops/values.yaml index c7a9480c..17226cbc 100644 --- a/devops/values.yaml +++ b/devops/values.yaml 
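Review bot: `command: [{{ .Values.lecoffreFront.command }}]` with the new value `"npm run api:start"` renders as `command: [npm run api:start]`, a one-element array, so the runtime tries to exec a binary literally named `npm run api:start` and the container never starts; the old value only worked because it was a pre-quoted `'sh', '-c', '…'` list. Either render a real list — `command:` followed by `{{ toYaml .Values.lecoffreFront.command | nindent 12 }}` with `command: ["npm", "run", "api:start"]` in values — or keep the value in the old comma-separated shape. The image tag now comes from `.Values.lecoffreFront.image.tag`, which is empty in values.yaml and is not populated by the CI `--set lecoffrefront.image.tag` (different casing), so guard it: `image: "{{ .Values.lecoffreFront.image.repository }}:{{ required "lecoffreFront.image.tag must be set" .Values.lecoffreFront.image.tag }}"`. The container also runs with no `securityContext`; `runAsNonRoot: true` and `allowPrivilegeEscalation: false` cost nothing for an npm process and are worth adding while this block is being reworked.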
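Review bot: The `range` over `.Values.lecoffreFront.env` emits `{{ $v.key }}` and `{{ $v.scwID }}` unquoted, so a key such as `NO` or an all-digit value would be retyped by YAML; write `- secretKey: {{ $v.key | quote }}` and `key: {{ $v.scwID | quote }}`. Nothing fails when `env` is absent — the ExternalSecret renders with an empty `data:` — and the base values.yaml ships placeholder `a`/`b` entries, so a guard like `{{- if not .Values.lecoffreFront.env }}{{ fail "lecoffreFront.env must be set" }}{{- end }}` would surface a missing override at install time instead of as a pod that never starts. `secretStoreRef` names a `SecretStore` called `secret-store` that this chart does not define (secret-store.yaml is a comment), so say in a comment that it must already exist in the namespace. A `refreshInterval` of `20s` polls the Scaleway Secret Manager every 20 seconds per key; unless rotation must propagate that quickly, something like `1h` is kinder to API quotas.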
@@ -1,29 +1,17 @@ -dockerPullSecret: secret/data/lecoffre-front-stg/config/dockerpullsecret +dockerPullSecret: docker-pull-secret -namespace: lecoffre +scwSecretKey: ss lecoffreFront: serviceAccountName: lecoffre-front-sa - command: "'sh', '-c', '. /vault/secrets/envs && npm run start'" - vault: - role : custom_lecoffre-front_injector_rol - server: https://vault-stg.smart-chain.fr - annotations: - vault.hashicorp.com/agent-pre-populate-only: "true" - vault.hashicorp.com/agent-inject: "true" - vault.hashicorp.com/agent-inject-secret-envs: secret/data/lecoffre-front-stg/config/envs - vault.hashicorp.com/role: custom_lecoffre-front_injector_rol - vault.hashicorp.com/agent-inject-template-envs: | - {{ with secret "secret/data/lecoffre-front-stg/config/envs" }} - {{ range $k, $v := .Data.data }} - export {{ $k }}="{{ $v }}" - {{ end }} - {{ end }} + command: "npm run api:start" + envSecrets: env-env imagePullSecrets: - name: docker-pull-secret image: pullPolicy: Always repository: "rg.fr-par.scw.cloud/lecoffre/front" + tag: resources: requests: cpu: 200m @@ -31,14 +19,18 @@ lecoffreFront: limits: memory: 2Gi ingress: - host: app.stg.lecoffre.smart-chain.fr + host: api.stg.lecoffre.smart-chain.fr tls: hosts: - - app.stg.lecoffre.smart-chain.fr - secretName: app-tls + - api.stg.lecoffre.smart-chain.fr + secretName: api-tls annotations: kubernetes.io/ingress.class: nginx cert-manager.io/cluster-issuer: letsencrypt-prod nginx.ingress.kubernetes.io/from-to-www-redirect: "true" nginx.ingress.kubernetes.io/force-ssl-redirect: "true" + + env: + - key: a + scwID: b
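Review bot: `tag:` is left as a bare empty value, which YAML reads as `null`, so a render without the CI override yields an image reference ending in `:`; give it an explicit `tag: ""` and let the template `required` it, or document that CI always supplies it. `command: "npm run api:start"` is no longer in the shape the template expects — lecoffre-front.yaml wraps the value in `[...]`, which for this string produces a single-element command the runtime cannot exec; the removed value (`"'sh', '-c', '…'"`) was a comma-separated list for exactly that reason. `scwSecretKey: ss` and `envSecrets: env-env` are placeholders every environment inherits unless it overrides them; nothing in this chart reads `scwSecretKey`, so drop it rather than keep a fake key in the base values.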
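Review bot: The base values now ship a placeholder `env: [{key: a, scwID: b}]` and a concrete hostname `api.stg.lecoffre.smart-chain.fr` (the back-end's API host, judging by the name) as defaults, and Helm merges these under every `-f <env>.values.yaml`, so any overlay that forgets `env` — ppd and prd in this commit do — silently gets an ExternalSecret for remote key `b`. Prefer `env: []` with a `required`/`fail` check in the template and a neutral default such as `host: ""`, so a missing override fails loudly instead of claiming another service's hostname.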