refacto all devops

2023-08-03 12:20:22 +02:00 · 2023-08-03 12:20:22 +02:00 · 624aab70a5
commit 624aab70a5
parent 23cb15d2cf
11 changed files with 207 additions and 39 deletions
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@ -15,8 +15,8 @@ jobs:
      - checkout
      - add_ssh_keys:
          fingerprints:
-            - "39:25:57:64:62:43:1f:98:b1:5e:75:53:87:d8:e7:71"
-      - run: cp $HOME/.ssh/id_rsa_3925576462431f98b15e755387d8e771 id_rsa
+            - "4c:8e:00:16:94:44:d9:ad:e9:e9:2c:8b:02:d4:8d:7a"
+      - run: cp $HOME/.ssh/id_rsa_4c8e00169444d9ade9e92c8b02d48d7a id_rsa
      - setup_remote_docker:
          version: 20.10.12
          docker_layer_caching: true
@ -30,6 +30,10 @@ jobs:
      - image: cimg/base:stable
    environment:
      TAG: << pipeline.git.tag >>
+    parameters:
+      env:
+        type: string
+        default: stg
    steps:
      - checkout
      - kubernetes/install-kubeconfig:
@ -39,28 +43,81 @@ jobs:
          name: Deploy
          command: >
              helm upgrade 
-              lecoffre-front devops/ -i -f devops/values.yaml 
-              -n lecoffre
+              lecoffre-front devops/ -i -f devops/<<parameters.env>>.values.yaml 
+              -n lecoffre-<<parameters.env>>
              --create-namespace
-              --set lecoffreFront.image.repository='rg.fr-par.scw.cloud/lecoffre/front'
-              --set lecoffreFront.image.tag=$TAG         
+              --set lecoffrefront.image.repository='rg.fr-par.scw.cloud/lecoffre/front'
+              --set lecoffrefront.image.tag=$TAG         


 workflows:
  version: 2
-  build-and-register:
+  build-and-register-stg:
+    when:
+      and:
+        - equal: [ staging, << pipeline.git.branch >> ]
+        - << pipeline.git.tag >> 
    jobs:
      - build-push-docker-image:
          filters:
            tags:
              only: /^v.*/
            branches:
-              ignore: /.*/
+              only: staging
      - deploy-docker-image:
+          env: stg
          requires:
            - build-push-docker-image
          context: 
-            - staging
+            - sc-shared-prd
+          filters:
+            tags:
+              only: /^v.*/
+            branches:
+              ignore: /.*/
+
+  build-and-register-ppd:
+    when:
+      and:
+        - equal: [ preprod, << pipeline.git.branch >> ]
+        - << pipeline.git.tag >> 
+    jobs:
+      - build-push-docker-image:
+          filters:
+            tags:
+              only: /^v.*/
+            branches:
+              only: preprod
+      - deploy-docker-image:
+          env: ppd
+          requires:
+            - build-push-docker-image
+          context: 
+            - sc-shared-prd
+          filters:
+            tags:
+              only: /^v.*/
+            branches:
+              ignore: /.*/
+
+  build-and-register-prd:
+    when:
+      and:
+        - equal: [ main, << pipeline.git.branch >> ]
+        - << pipeline.git.tag >> 
+    jobs:
+      - build-push-docker-image:
+          filters:
+            tags:
+              only: /^v.*/
+            branches:
+              only: main
+      - deploy-docker-image:
+          env: prd
+          requires:
+            - build-push-docker-image
+          context: 
+            - sc-shared-prd
          filters:
            tags:
              only: /^v.*/
--- a/devops/Chart.yaml
+++ b/devops/Chart.yaml
@ -1,5 +1,5 @@
 apiVersion: v2
-name: leCoffre-front
+name: leCoffre-back
 description: A Helm chart for Kubernetes

 # A chart can be either an 'application' or a 'library' chart.
@ -21,4 +21,5 @@ version: 0.0.1
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: 0.5.0
+appVersion: 0.5.6
+
--- a/devops/ppd.values.yaml
+++ b/devops/ppd.values.yaml
@ -0,0 +1,31 @@
+dockerPullSecret: docker-pull-secret
+
+scwSecretKey: AgCgjF5QEzxT3GYTS5B6cmQ0e+0/qFWzKaUDSi+Vjc7RoameuvaIJvTXMBkS3he1oy1ulbB34v6vpZI2kxnGNqERA/U5BaYDAyfKSBwMAy4br7HVKhhuwkoF5qoG5JzJXseSmqB1U9vncVIGOZWzJc1Y4/eGlWcvLcLyfw2z/WEpyeNiWJfEhTYpJOB7gv0XnRb2U/JM3jRy1QgEUIk1WR6kgBalF+xaczPQ6uKh+PR2pqkbZa3WaKUrddmzNsgEz4d8PZMWt8IBwR2JOQEHUqCd34p/pJNyLdUgcdDhg02DKwn1oRoAxKTbAio/a7WrMbodjCb3TNWIYGal5mFmItZ7Ok/EBmUf4E85eOkTR+j8ynuuiexld3Q5Kw3o8LsHjgzVL9uP+T2rYaKkjtVt+YQRX1U8l9CrsdUEz0/wEBA0jwCWMfnh1qhD5pM/xwwjsEEAcK4rYV+Q7iAgGZZvZBCQ5aEHzrtn5D95tr1GZCV2hmrW6Seu+LKKLVBS1JmsuEsOuhudYsEK9m2RYVcxbjuS5eokKEjNrGobf2oB8rhBByavfw1JTBixR5JrI8lcYlnCa+oEhxXKJY+4Fx5SAB4YaLCMSo5vw6zsFQ3WKQzlEmCFt+EnapS+a+MGrdlwq07OHTDpvgk/1z39hopoCuhhKckGGfErLXsTYQvDOkFu+EPzgY7m7qDw/d9pSiht5tuSOkAqeOgm7tpNkUufZhaXmP+1aT7i+H5gq1JILGAmXzTI5Wc=
+
+lecoffreFront:
+  serviceAccountName: lecoffre-front-sa
+  command: "npm run api:start" 
+  envSecrets: front-env-ppd
+  imagePullSecrets:
+    - name: docker-pull-secret
+  image:
+    pullPolicy: Always
+    repository: "rg.fr-par.scw.cloud/lecoffre/front" 
+  resources:
+    requests:
+      cpu: 200m
+      memory: 1Gi
+    limits:
+      memory: 2Gi
+  ingress: 
+    host: app.stg.lecoffre.smart-chain.fr
+    tls:
+      hosts: 
+      - app.stg.lecoffre.smart-chain.fr 
+      secretName: api-tls
+    annotations:
+      kubernetes.io/ingress.class: nginx
+      cert-manager.io/cluster-issuer: letsencrypt-prod 
+      nginx.ingress.kubernetes.io/from-to-www-redirect: "true"
+      nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+
--- a/devops/prd.values.yaml
+++ b/devops/prd.values.yaml
@ -0,0 +1,31 @@
+dockerPullSecret: docker-pull-secret
+
+scwSecretKey: AgBG2y7uQuap+2akNPGFxpCR+l0INO6Wxez5qljtY6t71GFGhJLYN9ZfefflKcFzD2Nv7DQMXXhpnCCaFti+9JMCMDuN324dDgtMMLTot+Pkxk/bAm+L8t3HfRharFdLz/vvzg77bvypi28TEoNYR/AM0e8VMYxBEgEp2TmP5uXcxZOgPzXMrfQoSdNRyzGTJ5tXZwe3PP7XvXyTNsZzHBtoQQM+nul9nL+VFA7CBRaaOpCmKOXjAlt7TyNXo4X5eYBNlxr+NuQw4dh4E/1zqdU/dDCE1+vx88BDbdydBA1qJaTOUSGTFquSK4kb9qAVAexBAIUqRwpfEW6Li945AXtnxLN42gEGPRsA9tSXL2c20k6thuRCqxwEOZljq2E03qtLAkxdP6WFBcb77o4PIEMZ8AmzPASnI+eW5z2mCoP3L+HZQrTLliDjmF4AMtOfZxRi0CCTrsSabOrimJC6v3y3ve0VcSsjA3rd5vvJ3Va4mZK4JAtYwEUx4PCHCGkUxc0w6jRwKB5tL/auZVT4SV/0z/WgW4Kq4AdvxsU6yGOqflt6e3ePIIuvCgjw+1yOYRpUiSGj36oOqNPMA4smxIB7p7Gi3csqt2TrQoW3TaLv/s7gbCcxHWSor+WT71WGg8AVmLm+FzUINmNop+c2RNo3O/Gj7h1uybX/pj+tRLNOuBQCqa+GQkY2bT2NcT9ifnAZB6K+2zAWXl+tdbMlDGV89P2yMYuRMdHGhuOoyuIUPWeA5i0=
+
+lecoffreFront:
+  serviceAccountName: lecoffre-front-sa
+  command: "npm run api:start" 
+  envSecrets: front-env-prd
+  imagePullSecrets:
+    - name: docker-pull-secret
+  image:
+    pullPolicy: Always
+    repository: "rg.fr-par.scw.cloud/lecoffre/front" 
+  resources:
+    requests:
+      cpu: 200m
+      memory: 1Gi
+    limits:
+      memory: 2Gi
+  ingress: 
+    host: lecoffre.smart-chain.fr
+    tls:
+      hosts: 
+      - lecoffre.smart-chain.fr 
+      secretName: api-tls
+    annotations:
+      kubernetes.io/ingress.class: nginx
+      cert-manager.io/cluster-issuer: letsencrypt-prod 
+      nginx.ingress.kubernetes.io/from-to-www-redirect: "true"
+      nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+
--- a/devops/stg.values.yaml
+++ b/devops/stg.values.yaml
@ -0,0 +1,38 @@
+dockerPullSecret: docker-pull-secret
+
+scwSecretKey: AgChoEnPitXp4Ny/rVMEcevaWKNVpyj2cJYAcq+yFqKwVwnLB+ffDvwqz9XBHu+6d4Nyyjkf37zUAMoaM21lEDWA7x3zfG2/D/j+rvX1qxzZgLD0mjBk7fGElVm332I6JA83oInes8AMMYEDPLElzHnpKRb9KtkIP4NzgOcCeW0ijft3N7Vroez6LEHsBPCA1I9XjKSkGEDvrO0MhWX3iJOlfz+SPMfJAV7rPawOs0ZmohTHrPW8qIvGDn8HCzKyU8zRBoMt+Ogpf5pH4U3JryEFuqD61KAQgablAM8edPIvsgNno9HAEuC2QtRLYA9aUhuKdaKuS58c9P2E80PHWXIlbpFCg6EugQTgNfnYp+3qDUNz8edeCfapYLvF4s9eCMGyMsGnpDR8EDNOyuGy7Y3l7okX8Xqu464gMp9E+hX7bHkcD6a4xfyIgJcWxsku0tm1TH1dpn4M1UXRuyZZif8P08nuE6MTUL67sAR9J1lpn4lVEL4kflk0pP2tZ5ncgPQFafJrRz05krMb0eU5tb2H4gs7ao/LL6idWo8MM9K1yr8lIuT5x2WW5CX+RjA+i50ex114V6vX3PNP5oVyt+DynTUB9QmXzVm3oLfDc3Cae1uqh7X0CFd+xiztJBtg0VtJaD/xUJcuWfY4cV2lERo9fRrykltzlJqiXHO4nowt8OtN0BcViVV8NJhPhYFzyb4ympxpOlTjm3GETuT2TYhUqdgS9nzleEAbOmOHZdIO2COunPE=
+
+lecoffreFront:
+  serviceAccountName: lecoffre-front-sa
+  envSecrets: front-env-stg
+  command: "npm run api:start" 
+  imagePullSecrets:
+    - name: docker-pull-secret
+  image:
+    pullPolicy: Always
+    repository: "rg.fr-par.scw.cloud/lecoffre/front" 
+  resources:
+    requests:
+      cpu: 200m
+      memory: 1Gi
+    limits:
+      memory: 2Gi
+  ingress: 
+    host: app.ppd.lecoffre.smart-chain.fr
+    tls:
+      hosts: 
+      - app.ppd.lecoffre.smart-chain.fr 
+      secretName: api-tls
+    annotations:
+      kubernetes.io/ingress.class: nginx
+      cert-manager.io/cluster-issuer: letsencrypt-prod 
+      nginx.ingress.kubernetes.io/from-to-www-redirect: "true"
+      nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+ # key is name of the environment variable, scwID is the secret ID in SCW with "id:" in front
+  env: 
+    - key: env1
+      scwID: "id:a131edea-84e0-49d6-b4a8-20ab417220c9"
+    - key: env2 
+      scwID: "id:f396cfed-098f-4f75-8e5e-92ba60b46cee"
+
+
--- a/devops/templates/docker-pull-secret.yaml
+++ b/devops/templates/docker-pull-secret.yaml
@ -0,0 +1 @@
+### USE SECRET FROM BACK
--- a/devops/templates/lecoffre-front.yaml
+++ b/devops/templates/lecoffre-front.yaml
@ -3,7 +3,6 @@ apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
  name: lecoffre-front
-  namespace: {{ .Values.namespace }}
 {{if .Values.lecoffreFront.ingress.annotations}}
  annotations: 
 {{toYaml .Values.lecoffreFront.ingress.annotations | indent 4 }}
@ -18,7 +17,7 @@ spec:
      paths:
      - path: /
        pathType: Prefix
-        backend:
+        frontend:
          service:
            name: lecoffre-front-svc
            port:
@ -28,13 +27,12 @@ apiVersion: v1
 kind: Service
 metadata:
  name: lecoffre-front-svc
-  namespace: {{ .Values.namespace }}
  labels:
 spec:
  ports:
    - port: 80
      name: http
-      targetPort: 3000
+      targetPort: 3001
  selector:
    app: lecoffre-front
 ---
@ -42,7 +40,6 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: lecoffre-front
-  namespace: {{ .Values.namespace }} 
  labels:
    app: lecoffre-front
 spec:
@ -53,7 +50,6 @@ spec:
  template:
    metadata:
      annotations:
-{{toYaml .Values.lecoffreFront.vault.annotations | indent 8 }}
      labels:
        app: lecoffre-front
    spec:
@ -62,10 +58,13 @@ spec:
      - name: docker-pull-secret
      containers:
      - name: lecoffre-front
-        image: "{{ .Values.lecoffreFront.image.repository }}:v{{ .Chart.AppVersion }}"
+        image: "{{ .Values.lecoffreFront.image.repository }}:{{ .Values.lecoffreFront.image.tag }}"
 {{if .Values.lecoffreFront.resources}}
        resources:
 {{toYaml .Values.lecoffreFront.resources | indent 10}}
 {{end}}
        imagePullPolicy: {{ .Values.lecoffreFront.image.pullPolicy }}
-        command: [{{ .Values.lecoffreFront.command }}]
+        command: [{{ .Values.lecoffreFront.command }}]
+        envFrom:
+          - secretRef:
+              name:  {{ .Values.lecoffreFront.envSecrets }}
--- a/devops/templates/sealed-secret.yaml
+++ b/devops/templates/sealed-secret.yaml
@ -0,0 +1 @@
+## USE SEALED SECRET FROM BACK
--- a/devops/templates/secret-store.yaml
+++ b/devops/templates/secret-store.yaml
@ -0,0 +1 @@
+## USE SECRET STORE FROM BACK
--- a/devops/templates/secrets.yaml
+++ b/devops/templates/secrets.yaml
@ -0,0 +1,16 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: {{ .Values.lecoffreFront.envSecrets }}
+spec:
+  refreshInterval: 20s
+  secretStoreRef:
+    kind: SecretStore
+    name: secret-store
+  data:
+  {{ range $v := .Values.lecoffreFront.env }}
+    - secretKey: {{ $v.key }}
+      remoteRef:
+        key: {{ $v.scwID}}
+        version: latest_enabled
+  {{ end }}
--- a/devops/values.yaml
+++ b/devops/values.yaml
@ -1,29 +1,17 @@
-dockerPullSecret: secret/data/lecoffre-front-stg/config/dockerpullsecret
+dockerPullSecret: docker-pull-secret

-namespace: lecoffre
+scwSecretKey: ss

 lecoffreFront:
  serviceAccountName: lecoffre-front-sa
-  command: "'sh', '-c', '. /vault/secrets/envs && npm run start'" 
-  vault:
-    role : custom_lecoffre-front_injector_rol 
-    server: https://vault-stg.smart-chain.fr
-    annotations: 
-      vault.hashicorp.com/agent-pre-populate-only: "true"
-      vault.hashicorp.com/agent-inject: "true"
-      vault.hashicorp.com/agent-inject-secret-envs: secret/data/lecoffre-front-stg/config/envs
-      vault.hashicorp.com/role: custom_lecoffre-front_injector_rol
-      vault.hashicorp.com/agent-inject-template-envs: |    
-        {{ with secret "secret/data/lecoffre-front-stg/config/envs" }}
-          {{ range $k, $v := .Data.data }}
-              export {{ $k }}="{{ $v }}"
-          {{ end }}
-        {{ end }}
+  command: "npm run api:start" 
+  envSecrets: env-env
  imagePullSecrets:
    - name: docker-pull-secret
  image:
    pullPolicy: Always
    repository: "rg.fr-par.scw.cloud/lecoffre/front" 
+    tag:
  resources:
    requests:
      cpu: 200m
@ -31,14 +19,18 @@ lecoffreFront:
    limits:
      memory: 2Gi
  ingress: 
-    host: app.stg.lecoffre.smart-chain.fr
+    host: api.stg.lecoffre.smart-chain.fr
    tls:
      hosts: 
-      - app.stg.lecoffre.smart-chain.fr 
-      secretName: app-tls
+      - api.stg.lecoffre.smart-chain.fr 
+      secretName: api-tls
    annotations:
      kubernetes.io/ingress.class: nginx
      cert-manager.io/cluster-issuer: letsencrypt-prod 
      nginx.ingress.kubernetes.io/from-to-www-redirect: "true"
      nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+  
+  env: 
+    - key: a
+      scwID: b