Merge pull request #59 from SocialGouv/maxgfr/auth-kube

SocialGouv · May 20, 2022 · 0fca6ea · 0fca6ea
2 parents 99a59d7 + b234f93
commit 0fca6ea
Show file tree

Hide file tree

Showing 34 changed files with 6,205 additions and 1,432 deletions.
diff --git a/.dockerignore b/.dockerignore
@@ -3,4 +3,6 @@ Dockerfile
 node_modules
 npm-debug.log
 README.md
-.next
+.next
+.kube-workflow
+.github
diff --git a/.env.development b/.env.development
@@ -1,12 +1,10 @@
-NEXT_TELEMETRY_DISABLED=1
-NEXT_PUBLIC_SITE_URL=""
 NEXT_PUBLIC_SENTRY_DSN=""
 NEXT_PUBLIC_SENTRY_ENV=""
 NEXT_PUBLIC_MATOMO_URL=""
 NEXT_PUBLIC_MATOMO_SITE_ID=""
 NEXT_PUBLIC_APP_REPOSITORY_URL="https://github.com/SocialGouv/template"
-KEYCLOAK_URL="http://localhost:8080/realms/realme-app"
-KEYCLOAK_CLIENT_SECRET="AkBnFMIBfEcTdWPL5WlM9HDL0cVa3UOy"
-KEYCLOAK_CLIENT_ID="confidential-client"
+KEYCLOAK_URL="http://localhost:8080/auth/realms/app-realm"
+KEYCLOAK_CLIENT_SECRET="**********"
+KEYCLOAK_CLIENT_ID="app-client"
 NEXTAUTH_URL="http://localhost:3000"
-NEXTAUTH_SECRET="RnDOzMROgGQqGE6zJ9Vx+vPoQn/x4Y1zmaz/Xj+xg0I="
+NEXTAUTH_SECRET="RnDOzMROgGQqGE6zJ9Vx+vPoQn/x4Y1zmaz/Xj+xg0I="
diff --git a/.env.production b/.env.production
@@ -1,12 +1,5 @@
-NEXT_TELEMETRY_DISABLED=1
-NEXT_PUBLIC_SITE_URL="https://template.fabrique.social.gouv.fr/"
 NEXT_PUBLIC_SENTRY_DSN="https://67a92c8c0f70486d9f36f2352eff1d19@sentry.fabrique.social.gouv.fr/68"
 NEXT_PUBLIC_SENTRY_ENV="production"
 NEXT_PUBLIC_MATOMO_URL="https://matomo.fabrique.social.gouv.fr"
 NEXT_PUBLIC_MATOMO_SITE_ID=63
-NEXT_PUBLIC_APP_REPOSITORY_URL="https://github.com/SocialGouv/template"
-KEYCLOAK_URL=""
-KEYCLOAK_CLIENT_SECRET=""
-KEYCLOAK_CLIENT_ID=""
-NEXTAUTH_URL=""
-NEXTAUTH_SECRET=""
+NEXT_PUBLIC_APP_REPOSITORY_URL="https://github.com/SocialGouv/template"
diff --git a/.env.staging b/.env.staging
@@ -1,12 +1,5 @@
-NEXT_TELEMETRY_DISABLED=1
-NEXT_PUBLIC_SITE_URL="https://template.fabrique.social.gouv.fr/"
 NEXT_PUBLIC_SENTRY_DSN="https://67a92c8c0f70486d9f36f2352eff1d19@sentry.fabrique.social.gouv.fr/68"
 NEXT_PUBLIC_SENTRY_ENV="development"
 NEXT_PUBLIC_MATOMO_URL=""
 NEXT_PUBLIC_MATOMO_SITE_ID=""
 NEXT_PUBLIC_APP_REPOSITORY_URL="https://github.com/SocialGouv/template"
-KEYCLOAK_URL=""
-KEYCLOAK_CLIENT_SECRET=""
-KEYCLOAK_CLIENT_ID=""
-NEXTAUTH_URL=""
-NEXTAUTH_SECRET=""
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -1,5 +1,4 @@
 # Protect workflow files
 .github/workflows/*.yml @socialgouv/sre
 .github/CODEOWNERS @socialgouv/sre
-.k8s/ @socialgouv/sre
 .socialgouv/  @socialgouv/sre
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -8,7 +8,7 @@ concurrency:
 
 jobs:
   build:
-    name: Build and export
+    name: Build
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
@@ -26,6 +26,6 @@ jobs:
       - name: Install dependencies
         run: |
           yarn install --prefer-offline --frozen-lockfile
-      - name: Build and export
+      - name: Build
         run: |
-          yarn build:export
+          yarn build
diff --git a/.github/workflows/preproduction.yml b/.github/workflows/preproduction.yml
@@ -26,7 +26,7 @@ jobs:
           imagePackage: app
           token: ${{ secrets.GITHUB_TOKEN }}
           dockerbuildargs: |
-            GITHUB_SHA=${{ env.GITHUB_SHA }}
+            NEXT_PUBLIC_APP_VERSION_COMMIT=${{ env.GITHUB_SHA }}
 
   deploy:
     name: Deploy application

diff --git a/.github/workflows/production.yml b/.github/workflows/production.yml
@@ -14,18 +14,18 @@ jobs:
     name: Build & Register application
     runs-on: ubuntu-latest
     steps:
-    - name: Get commit sha
-      run: |
+      - name: Get commit sha
+        run: |
           echo "GITHUB_SHA=${GITHUB_SHA}" >> $GITHUB_ENV
-    - name: Use autodevops build and register
-      uses: SocialGouv/actions/autodevops-build-register@v1
-      with:
-        environment: prod
-        imagePackage: app
-        token: ${{ secrets.GITHUB_TOKEN }}
-        dockerbuildargs: |
-            PRODUCTION=true
-            GITHUB_SHA=${{ env.GITHUB_SHA }}
+      - name: Use autodevops build and register
+        uses: SocialGouv/actions/autodevops-build-register@v1
+        with:
+          environment: prod
+          imagePackage: app
+          token: ${{ secrets.GITHUB_TOKEN }}
+          dockerbuildargs: |
+            NEXT_PUBLIC_IS_PRODUCTION_DEPLOYMENT=true
+            NEXT_PUBLIC_APP_VERSION_COMMIT=${{ env.GITHUB_SHA }}
 
   deploy:
     name: Deploy application
@@ -35,11 +35,11 @@ jobs:
       name: production
       url: https://template.fabrique.social.gouv.fr
     steps:
-    - name: Use kube-workflow deployment
-      uses: SocialGouv/kube-workflow@v1
-      with:
-        environment: prod
-        token: ${{ secrets.GITHUB_TOKEN }}
-        kubeconfig: ${{ secrets.KUBECONFIG }}
-        rancherProjectId: ${{ secrets.RANCHER_PROJECT_ID }}
-        rancherProjectName: ${{ secrets.RANCHER_PROJECT_NAME }}
+      - name: Use kube-workflow deployment
+        uses: SocialGouv/kube-workflow@v1
+        with:
+          environment: prod
+          token: ${{ secrets.GITHUB_TOKEN }}
+          kubeconfig: ${{ secrets.KUBECONFIG }}
+          rancherProjectId: ${{ secrets.RANCHER_PROJECT_ID }}
+          rancherProjectName: ${{ secrets.RANCHER_PROJECT_NAME }}
diff --git a/.github/workflows/review.yml b/.github/workflows/review.yml
@@ -26,7 +26,7 @@ jobs:
           imagePackage: app
           token: ${{ secrets.GITHUB_TOKEN }}
           dockerbuildargs: |
-            GITHUB_SHA=${{ env.GITHUB_SHA }}
+            NEXT_PUBLIC_APP_VERSION_COMMIT=${{ env.GITHUB_SHA }}
 
   deploy:
     name: Deploy review branch

diff --git a/.kube-workflow/common/values.yaml b/.kube-workflow/common/values.yaml
diff --git a/.kube-workflow/dev/templates/app.configmap.yaml b/.kube-workflow/dev/templates/app.configmap.yaml
@@ -0,0 +1,8 @@
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: app
+data:
+  NEXT_TELEMETRY_DISABLED: "1"
+  KEYCLOAK_URL: "https://keycloak-{{.Values.global.host}}"
+  NEXTAUTH_URL: "https://{{.Values.global.host}}"
diff --git a/.kube-workflow/dev/templates/app.sealed.secret.yaml b/.kube-workflow/dev/templates/app.sealed.secret.yaml
@@ -0,0 +1,18 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  annotations:
+    sealedsecrets.bitnami.com/cluster-wide: 'true'
+  name: app
+  namespace: null
+spec:
+  encryptedData:
+    NEXTAUTH_SECRET: AgBdDOpKTwHKWU2g0+hGyGZpP0LC6f3sEtw1ejLkk72Rhip/Soia+/4gKzXHb938u0YE1FQsz8tntM2/mmCv6+hmtgvsE+aaNWEBqTMkOby/bbChrxhw50es06cWBK7ts0m6NGNvyNfdEWHWWrOTDmO7m/4f0oS9KAaXjeFdNlOEU8kq7Fe5W5/hdNpH7u8MF7MwWwGrQyO9QHHNp3Ojyc5i/PIEBjE4VgxnLlX/B3i+sPjymIQhI8bsd9HXwvqM3V8TK/AI5JceYodz7UkBlPipgS4Bg2ldmK8xgXkYuRrehh+sTo8faiuMwVAYmdFYJYRwhMMg04IZ4yGsHu0NxmFuVAUvQL+5ksoDoJTGjWxrwR4+LT7NiGPRma65ARpFD0iDj/n+pKODkXA/ol+2p9I4gEHzWVwECIEjKMXVuOGAfHVjklZWj6+qYY74w9yF/P+QsWsK68p2igjFb1RfXszeujAQyF25vhNB5MXCFkeuLaEyU1yNFULc6vyc0HJO1Y/8zNWXmqqDSUMlc/mGrO/TojkMKwDrfbMhIhegW0JcgcHJSpPnXpReYKp77PH8ElavbqmjVN1SXXlA1kCHX9QzERHvoIMzJFXCryOSXIVq3LkYiNeKCNJKEHpIB9exuOdwqJXBb/lnPponkZOh4JpyGgjARc6HoQsGr0mzpYkIIRYny/tSvW6vrIT1Yak+VWcNTlw+1+nu7av1dax7HDVkZ3AnepD6zsHSEnoNp0zy7ZkZPJZtN7E8vEEf8Q==
+    KEYCLOAK_CLIENT_ID: AgB8KATkspkNplsty+H4bBjm7Ce4pxmy3/s0h0KFnO69dFj5Xwy36nJ5H7g4oTE8xQBDEPWX/YyF5/rqFGTeN5Btybk3yRRQoS+j5OyMruUOdvwthN2RQlma6IMeHp65UwIFuOrYn44w4kZBYbXM9teinH3qI/IvLs+8s5D3NxbD6TYTPcUVOxfiuI21atN35qgVCrMtWBy7w1VjcA9Trjwv3nc0fOUkKWZNNmc7S5zh/UneJJC0Wlf96x1OkYNbSm1GB6H5T80ayPDB1d5nT2598Hz1BFhsxbsqfoABQYcQIOULggMkQaAGHkgGk4lCF4U83b4m3lIb7il6W7UmANMW4ZdFUsftA3o37WUq2rfasIjHLrZuNka97SkU9ZJKm4axb5bNRz+xCxwv6FaWQTfvrI/qYUAsuFpgMPRphEyxngOoHLqyrBa2fN+ahNYyniIXBp2TmUhzfjybXt56QWwNUEDeMGesk9FTw3ssCAgu3PwrJv4REYpMKzdszuGlCd9v21XtWxnABDLIme9WxapM9AXZhWm+ftJTHbSSlHwDdJPHCulh05dLrJ63C3AtsnncyeMNl0nkMHqN51yB2cus6qeE4LL5zErK/f4fmp31HuzfAveR6zzZKJ+tXPvkg//mABaFhfMMHpvPo4oqU8wOyqKFZU6mDfA5DsYWgsMiU4kpePkaXbAUUxYw8N5CY/s7ic8+wT+lGWwO
+    KEYCLOAK_CLIENT_SECRET: AgC2BgDwrXwWXYrpvHDh5vZZMLMNIdebcvWQzxrJE89WlkTAzh70JuKPXKW1s0Aj41xc1Cx00mvUSeEw+EnVmpvxyn6AZxPBCJsVYfZtK5Cd+qzlbwe1r7vAgOgUDEKCEVPGDUesxmaEQwLTW78vkhFTBiOMWhKAew8LBA0y9DIV+CQvAOCEZcB5J5jP1OEmaeZiwOdBbOVyk/s1Qbx1YmmhgMAMAAPlnURIbMAH+RjaQi6/BU4tS+hPEdQZ5yqm4wk63PFgxi1U3GaRYqDP2eVaPyBzu8A9AvR3YLOynw3yMAxFEgfBrtuykZt4X10hu8dRYGe9JSsbonOd9PlZirnknlnifTF/99lzQq074Dhd1rpjNVvnbTM0PmyxpXAD0Ydf7CTvZoeD/dQNTEzafkr5HpiS9X1788a+0VsAWVS2ux/4V/khS0pkoExZWsxFfQVlNRkMKyR7N5fFRS2VOEAzomOqMdjcf2iaizWdDd0YkQF6LTjLs87nrJaIJSLccpAUy7lPxKs9+pRuqpay61+V54tcv2vwhZHlOc7JFxY6NgCvz07UaI665koa/67TdbSjYww/NfqhJdf/8ybtcN85Yu+SzU0l89Z0AwMnH7rDP9Pwv2OW+MWn8eDqu1E4/duCAxhKMS/sjPHHU83CFM6Ycd9MXA6e+HlLQBEPBV/08KLynhtAycotMraUQ9hmU4HrBDJqmZFtpO/ZUW9CP1gZ0ZsFyv2r2qyUUqvIyFLbUA==
+  template:
+    metadata:
+      annotations:
+        sealedsecrets.bitnami.com/cluster-wide: 'true'
+      name: app
+    type: Opaque
diff --git a/.kube-workflow/dev/templates/keycloak.sealed.secret.yaml b/.kube-workflow/dev/templates/keycloak.sealed.secret.yaml
@@ -0,0 +1,17 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  annotations:
+    sealedsecrets.bitnami.com/cluster-wide: 'true'
+  name: keycloak-secrets
+  namespace: null
+spec:
+  encryptedData:
+    KEYCLOAK_USER: AgBWye/9Iav1llY6ZLWgL4to/75FMWvu21ploogsvNSQoig2vUxNO9e9wpfSf2I8CJDic0RStCI65nvBcJr7UhaV3WXvutbV2JBMgqF6VPGJh1BYu7UERzaBFdfYaV8foFJsLHW5RvPRGALhhiovvR2mjNgNtBdhyf6bmOss+lj/UxN66/vmdBu2PwCRmuyDCCnIbzQw/31KZjA2v9OZC4PLtFB6TTITsZmG6MN5fbz4QFk6TGXDPfYVuN3voFOn1uICcRsk2WY/4N3RYqlhF1vxO974rphuObnzwWOWzfg7dZRx0CdvtbGZsWG4LcMekUHO8mj4gFM1GmS0hkKfQnALattYtfo0Lo42FRFFRm4CSc07BkjW6a/JzEyeYDV+wcZtvcEhLG6UyF9m9eW12ukZyS3K7o/UH/8VR1Z+G65L8KlIpg9gjIXxGyX/cCSFRYt/OvWj5fjpstdAvgcHt4sTlMPaqQpeH3FflRb2VhhXhgBFaXYc0kjl1vDgSV/dCu1OhLcIg1Z4V+z1BAoPESd7syOC9OFxqFacIoK7Uz/vR7svkvFfJrm7Iamnf/CklwuO0BRZrL67Tf1anT4A/WCsFEd/Ha0j9PaxP8UptkfLkDPNICE1qbUkf/vFOQA6d7V2PC+HYkwLrpYnc0Y5ze8gTB4GlOUfQNXGZpaEI9EGguHA7YbAyIXHhyUyYBEeCptdd83u3gaff7RW6Avo/75qT/oiVgUX08eXqp8xo/DRCB/h6JKiAwbpgzADuA==
+    KEYCLOAK_PASSWORD: AgBkcJ8Y/h6hIP6OKMl25ryKcL2WTqvRmu6U1wUMvSzI5r+ZJxaMpYNisGgSSDdQmkLGhkMeRmHxfWVSRNSUb5YJ6Aw9MQRHEHXmDDRN8iBuLlpG/uB+rpuILdyKz4z8lxFVUw4ZYd/sR4ge8E+HADVokmFVHPGg+ZDchz7AJ+4qmp/Ey/TRPl47U8xWfLj1P8TpyZCqFgceFoNGLo7OCzhgFAeaiTU0sP2jc1NR0QS0kWK+NhOHZ24AvkQnZo2kPTWY3kFLbh6uz8N7gYif55CIbZSEyfp+OZyfBGzn4xNRe7i004/vDFWhGnAQdaAFDhlc6fHzwIUWTcNUR6E/aA0wX/8HmLKncNQ8UO6UIYOvak0UMT2GnVMkRYaqw2QEKrODbuPwoAJjdrrDxA/s97ZwOSa5iysisa562IMk/dKT6/k4jEdNH0h0PpD4ZE+MYLa8nDNn6yMGeoO4p22U03UjQLzyjMvxWfFLkLTyMy6ct8Lxp++xqm9g58K29dSvXpSxCa1382RjA7ocOqpa4Qy1y4gzVBBvVZLeTXyywqSu4bc3+ZBiAWy1SDadNyin28/krRQ4F7gK7BgzT0cHXPC3xIdI52hsf5Cg9FAZwXd9xBpAMHdkIbrD7/3LvC7FbwjdkqUVX7pjEXfqX0qUHRWjrYcomuRxiBwb+qtWWiqgcMWBiBoddwfdSQudeNHY770LSLtWzNK7j9kFaSDofJPoHdaAO9gP6MpDh03BBpILfmg0YhGp6KrsJDwlHA==
+  template:
+    metadata:
+      annotations:
+        sealedsecrets.bitnami.com/cluster-wide: 'true'
+      name: keycloak-secrets
+    type: Opaque
diff --git a/.kube-workflow/dev/values.yaml b/.kube-workflow/dev/values.yaml
@@ -0,0 +1,23 @@
+jobs:
+  runs:
+    db:
+      use: SocialGouv/kube-workflow/jobs/create-db
+      with:
+        pgAdminSecretRefName: pg-scaleway
+    db-keycloak:
+      use: SocialGouv/kube-workflow/jobs/create-db
+      needs: [db]
+      with:
+        pgAdminSecretRefName: pg-scaleway
+        pgSecretName: "keycloak-db-{{ .Values.global.branchSlug32 }}"
+        database: "keycloak_{{ .Values.global.branchSlug32 }}"
+        pgUser: "keycloak_{{ .Values.global.branchSlug32 }}"
+
+keycloak:
+  statefulsetAnnotations:
+    kapp.k14s.io/change-rule: "upsert after upserting kube-workflow/db-keycloak.{{ .Values.global.namespace }}"
+  extraEnvFrom: |
+    - secretRef:
+        name: "keycloak-db-{{ .Values.global.branchSlug32 }}"
+    - secretRef:
+        name: keycloak-secrets