From 4b74272b1384654235fbbc6c75200e0830961496 Mon Sep 17 00:00:00 2001
From: Julien Bouquillon
Date: Tue, 21 Nov 2023 00:28:35 +0100
Subject: [PATCH 1/3] fix: add CNPG prod cluster (#1729)
* fix: add CNPG prod cluster * fix * fix * fix * fix * fix * fix * fix * fix * fix * fix * fix * fix * fix * fix * fix * fix * fix * fix * fix * fix * Update values.yaml * fix * fix * fix * fix
---
 .github/workflows/preproduction.yaml | 21 +++--------
 .github/workflows/production.yaml | 19 ++--------
 .github/workflows/review-auto.yaml | 20 ++---------
 .github/workflows/review.yaml | 19 ++--------
 .kontinuous/config.yaml | 8 +++--
 .kontinuous/env/dev/values.yaml | 43 ++++++++++++++++++-----
 .kontinuous/env/preprod/values.yaml | 52 +++++++++++++++++++++++-----
 .kontinuous/env/prod/values.yaml | 15 --------
 .kontinuous/values.yaml | 47 ++++++++----------------
 back/strapi/Dockerfile | 3 +-
 back/strapi/config/database.js | 9 ++++-
 11 files changed, 119 insertions(+), 137 deletions(-)
diff --git a/.github/workflows/preproduction.yaml b/.github/workflows/preproduction.yaml
index 8c0e289ab..c0028bf1e 100644
--- a/.github/workflows/preproduction.yaml
+++ b/.github/workflows/preproduction.yaml
@@ -4,27 +4,16 @@ on: push: branches: - "master" + - "main" + tags-ignore: + - v* concurrency: cancel-in-progress: true group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.event.ref }} jobs: - register: name: Build & Register application runs-on: ubuntu-latest steps: - name: Use autodevops build and register uses: socialgouv/workflows/actions/build-image@v1 with: environment: preprod dockercontext: ./back/strapi imagePackage: strapi token: ${{ secrets.GITHUB_TOKEN }} dockerfile: ./back/strapi/Dockerfile - - kontinuous: name: "Deploy on Kubernetes 🐳" needs: [register] + socialgouv: + name: "🇫🇷 SocialGouv" uses: socialgouv/workflows/.github/workflows/use-ks-gh-preproduction.yaml@v1 secrets: inherit
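Review bot: The new `socialgouv` job combines `secrets: inherit` with a reusable workflow referenced by the mutable tag `@v1`, so every repository secret is handed to whatever commit that tag points to at run time; the removed `register` job only ever received `secrets.GITHUB_TOKEN`, and the image build presumably now happens inside the reusable workflow (the new `build-strapi` job in .kontinuous/values.yaml suggests so), which widens what a compromised or force-moved `v1` could reach. Pin the reusable workflow to a full commit SHA and keep the tag as a comment, e.g. `uses: socialgouv/workflows/.github/workflows/use-ks-gh-preproduction.yaml@<commit-sha placeholder> # v1`, so the trusted revision is explicit and auditable. The same applies to the production.yaml, review-auto.yaml and review.yaml hunks that follow; review-auto.yaml at least moves from `@master` to `@v1`, which is an improvement but still a moving target.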
diff --git a/.github/workflows/production.yaml b/.github/workflows/production.yaml
index f0a93d25b..3cae2d52a 100644
--- a/.github/workflows/production.yaml
+++ b/.github/workflows/production.yaml
@@ -10,22 +10,7 @@ concurrency: group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.event.ref }} jobs: - - register: name: Build & Register application runs-on: ubuntu-latest steps: - name: Use autodevops build and register uses: socialgouv/workflows/actions/build-image@v1 with: environment: prod dockercontext: ./back/strapi imagePackage: strapi token: ${{ secrets.GITHUB_TOKEN }} dockerfile: ./back/strapi/Dockerfile - - kontinuous: name: "Deploy on Kubernetes 🐳" needs: [register] + socialgouv: + name: "🇫🇷 SocialGouv" uses: socialgouv/workflows/.github/workflows/use-ks-gh-production.yaml@v1 secrets: inherit
diff --git a/.github/workflows/review-auto.yaml b/.github/workflows/review-auto.yaml
index 731b67787..a5e9d67dd 100644
--- a/.github/workflows/review-auto.yaml
+++ b/.github/workflows/review-auto.yaml
@@ -13,21 +13,7 @@ concurrency: group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.event.ref }} jobs: - register: name: Build & Register Strapi runs-on: ubuntu-latest steps: - name: Use autodevops build and register uses: socialgouv/workflows/actions/build-image@v1 with: environment: dev dockercontext: ./back/strapi imagePackage: strapi token: ${{ secrets.GITHUB_TOKEN }} dockerfile: ./back/strapi/Dockerfile - - kontinuous: name: "Deploy on Kubernetes 🐳" needs: [register] - uses: socialgouv/workflows/.github/workflows/use-ks-gh-review-auto.yaml@master + socialgouv: + name: "🇫🇷 SocialGouv" + uses: socialgouv/workflows/.github/workflows/use-ks-gh-review-auto.yaml@v1 secrets: inherit
diff --git a/.github/workflows/review.yaml b/.github/workflows/review.yaml
index 6e64b9404..0cc2c91f5 100644
--- a/.github/workflows/review.yaml
+++ b/.github/workflows/review.yaml
@@ -16,22 +16,7 @@ concurrency: group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.event.ref }} jobs: - - register: name: Build & Register Strapi runs-on: ubuntu-latest steps: - name: Use autodevops build and register uses: socialgouv/workflows/actions/build-image@v1 with: environment: dev dockercontext: ./back/strapi imagePackage: strapi token: ${{ secrets.GITHUB_TOKEN }} dockerfile: ./back/strapi/Dockerfile - - kontinuous: name: "Deploy on Kubernetes 🐳" needs: [register] + socialgouv: + name: "🇫🇷 SocialGouv" uses: socialgouv/workflows/.github/workflows/use-ks-gh-review.yaml@v1 secrets: inherit
diff --git a/.kontinuous/config.yaml b/.kontinuous/config.yaml
index 58e80ae4d..c5f23c585 100644
--- a/.kontinuous/config.yaml
+++ b/.kontinuous/config.yaml
@@ -1,8 +1,10 @@ projectName: les1000jours +ciNamespace: ci-les1000jours dependencies: fabrique: - import: SocialGouv/kontinuous/plugins/fabrique + extends: + - name: buildkit-service dependencies: contrib: preDeploy:
@@ -10,5 +12,5 @@ dependencies: options: secrets: les1000joursprodserver-backup-credentials: - env: dev - required: true
\ No newline at end of file
 + les1000jours-dev-backups-access-key: + les1000jours-prod-backups-access-key:
diff --git a/.kontinuous/env/dev/values.yaml b/.kontinuous/env/dev/values.yaml
index 9350428cb..eaab84a7c 100644
--- a/.kontinuous/env/dev/values.yaml
+++ b/.kontinuous/env/dev/values.yaml
@@ -1,8 +1,8 @@ app-strapi: - ~needs: [restore] + ~needs: [pg, build-strapi, restore] ~preDeploy.cleaner: match: - kind: Deployment + kind: Deployment value: true volumes: - name: uploads
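Review bot: In the second .kontinuous/config.yaml hunk, `les1000joursprodserver-backup-credentials` loses its `env: dev` and `required: true` scoping and becomes a bare `key:` (YAML null), as do the two new `*-backups-access-key` entries. If a null entry means "provision in every environment" in the kontinuous secrets schema, the credentials for the production backup share (the same secret the dev and preprod restore jobs mount via `secretName:`) become available to review namespaces as well, which widens the exposure of production data beyond the environments that actually run a restore. Preprod now needs the secret too, so restrict it explicitly to dev and preprod in whatever form the schema allows rather than dropping the scope entirely, and write any entry that is intentionally empty as `les1000jours-dev-backups-access-key: {}` so the null is not mistaken for a missing value. The enclosing `dependencies:` block starts outside the hunk.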
@@ -10,18 +10,45 @@ app-strapi: volumeMounts: - mountPath: /app/public/uploads name: uploads - + envFrom: + - secretRef: + name: strapi + - configMapRef: + name: strapi-configmap + - secretRef: + name: "pg-app" + # - secretRef: + # name: azure-les1000jours-volume +# +# todo: a remplacer par une conf de restore CNPG +# jobs: runs: - create-db: - use: create-db restore: - ~needs: [create-db] + ~needs: [pg] use: pg-restore checkout: false with: mountPath: /mnt/restore - restorePath: "${LATEST}/prod_db.psql.gz" + restorePath: "${LATEST}" + pgAdminUserSecretRefName: pg-superuser + env: # there is a bug when setting custom job env, so we have to repeat "with" vars here + - name: RESTORE_PATH + value: "${LATEST}" + - name: OWNER + value: "{{ $.Values.global.pgUser }}" + - name: MOUNT_PATH + value: /mnt/restore + - name: FILTER_PATH + value: prod_db + - name: PGPASSWORD + value: "$(password)" + - name: PGUSER + value: "$(username)" + - name: PGHOST + value: "pg-rw" + - name: PGDATABASE + value: "{{ $.Values.global.pgDatabase }}" volumeMounts: - name: restore mountPath: /mnt/restore
@@ -33,4 +60,4 @@ jobs: readOnly: true volumeAttributes: secretName: les1000joursprodserver-backup-credentials - shareName: les1000jprodsrv2-backup-restore
\ No newline at end of file
 + shareName: les1000jprodsrv2-backup-restore
diff --git a/.kontinuous/env/preprod/values.yaml b/.kontinuous/env/preprod/values.yaml
index 818ac4d90..5c081c75b 100644
--- a/.kontinuous/env/preprod/values.yaml
+++ b/.kontinuous/env/preprod/values.yaml
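Review bot: `PGPASSWORD: "$(password)"` and `PGUSER: "$(username)"` in the restore job depend on Kubernetes `$(VAR)` expansion, which only resolves variables already defined in the container's environment and otherwise leaves the literal string in place; nothing in the hunk shows where `password` and `username` come from (presumably the `pg-superuser` secret named by `pgAdminUserSecretRefName`, injected via envFrom by the pg-restore job template), so if that assumption is wrong psql receives `$(password)` verbatim and the superuser login fails with an unhelpful error. The inline comment on `env:` should name the bug it works around so the duplicated `with:` values can be removed once it is fixed, e.g. `env: # workaround for <kontinuous issue placeholder>: custom job env drops with: vars; keep in sync with with:`. This whole `jobs.runs.restore` block is repeated verbatim in the .kontinuous/env/preprod/values.yaml hunk that follows; if kontinuous supports a shared values file, keeping one copy with per-environment overrides would stop the two from drifting (YAML anchors cannot span files). The French `todo` comment should be written in English like the rest of the file.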
@@ -1,16 +1,50 @@ app-strapi: host: "backoffice-1000jours-preprod.dev.fabrique.social.gouv.fr" + ~needs: [pg, build-strapi, restore] addVolumes: - uploads volumeMounts: - mountPath: /app/public/uploads name: uploads - envFrom: - - secretRef: - name: strapi - - configMapRef: - name: strapi-configmap - - secretRef: - name: azure-les1000jours-volume - - secretRef: - name: "{{ .Values.global.pgSecretName }}" + +# todo: a remplacer par une conf de restore CNPG +# +jobs: + runs: + restore: + ~needs: [pg] + use: pg-restore + checkout: false + with: + mountPath: /mnt/restore + restorePath: "${LATEST}" + pgAdminUserSecretRefName: pg-superuser + env: # there is a bug when setting custom job env, so we have to repeat "with" vars here + - name: RESTORE_PATH + value: "${LATEST}" + - name: OWNER + value: "{{ $.Values.global.pgUser }}" + - name: MOUNT_PATH + value: /mnt/restore + - name: FILTER_PATH + value: prod_db + - name: PGPASSWORD + value: "$(password)" + - name: PGUSER + value: "$(username)" + - name: PGHOST + value: "pg-rw" + - name: PGDATABASE + value: "{{ $.Values.global.pgDatabase }}" + volumeMounts: + - name: restore + mountPath: /mnt/restore + readOnly: true + volumes: + - name: restore + csi: + driver: file.csi.azure.com + readOnly: true + volumeAttributes: + secretName: les1000joursprodserver-backup-credentials + shareName: les1000jprodsrv2-backup-restore
diff --git a/.kontinuous/env/prod/values.yaml b/.kontinuous/env/prod/values.yaml
index a68f77787..90721df5b 100644
--- a/.kontinuous/env/prod/values.yaml
+++ b/.kontinuous/env/prod/values.yaml
@@ -14,18 +14,3 @@ app-strapi: enabled: true minReplicas: 2 maxReplicas: 5 - envFrom: - - secretRef: - name: strapi - - configMapRef: - name: strapi-configmap - - secretRef: - name: azure-les1000jours-volume - - secretRef: - name: "{{ .Values.global.pgSecretName }}" -#app-cache: -# certSecretName: strapi-cache-crt -# autoscale: -# enabled: true -# minReplicas: 2 -# maxReplicas: 5
diff --git a/.kontinuous/values.yaml b/.kontinuous/values.yaml
index 6d80e9bd9..9cd223646 100644
--- a/.kontinuous/values.yaml
+++ b/.kontinuous/values.yaml
@@ -1,10 +1,13 @@ global: - registry: ghcr.io - imageProject: socialgouv + imageProject: 1000jours + +pg: + ~chart: pg app-strapi: ~chart: app host: "backoffice-{{ .Values.global.host }}" + ~needs: [pg, build-strapi] imagePackage: strapi containerPort: 1337 probesPath: /_health
@@ -23,7 +26,9 @@ app-strapi: - configMapRef: name: strapi-configmap - secretRef: - name: "{{ .Values.global.pgSecretName }}" + name: "pg-app" + - secretRef: + name: azure-les1000jours-volume env: - name: BACKOFFICE_URL value: "https://backoffice-{{ .Values.global.host }}"
@@ -43,33 +48,11 @@ app-strapi: value: "true" - name: TZ value: "Europe/Paris" -#app-cache: -# ~chart: app -# image: "nginx:1.19.6" -# needs: ["app-strapi"] -# host: "backoffice-{{ .Values.global.host }}" -# containerPort: 8080 -# volumes: -# - name: strapi-cache -# emptyDir: {} -# - name: "config" -# configMap: -# name: nginx-configmap -# volumeMounts: -# - name: strapi-cache -# mountPath: /var/cache/nginx -# - name: config -# mountPath: /etc/nginx/nginx.conf -# subPath: nginx.conf -# ingress: -# annotations: -# "nginx.ingress.kubernetes.io/proxy-body-size": "1g" -# "nginx.ingress.kubernetes.io/limit-rps": "20" -# "nginx.ingress.kubernetes.io/limit-rpm": "300" -deactivate: - jobs-deactivate: - runs: - deactivate: - with: - db: true +jobs: + runs: + build-strapi: + use: build + with: + context: ./back/strapi + imagePackage: strapi
diff --git a/back/strapi/Dockerfile b/back/strapi/Dockerfile
index c6cc9ebf6..fe3f7acce 100644
--- a/back/strapi/Dockerfile
+++ b/back/strapi/Dockerfile
@@ -36,8 +36,7 @@ ENV NODE_ENV=production RUN yarn build -RUN adduser --uid 1001 strapi && \ - chown -R strapi:strapi /app +RUN useradd strapi --uid 1001 --shell /dev/null && chown -R strapi:strapi /app USER 1001 CMD ["yarn", "start"]
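Review bot: The third .kontinuous/values.yaml hunk removes the `deactivate` job whose `db: true` previously dropped the review database on teardown, and nothing in this commit shows what deletes the per-environment CNPG cluster introduced by `pg: ~chart: pg` in the first hunk, including its PVCs. Because the dev and preprod restore jobs load a dump from the production backup share into that cluster, an orphaned review cluster would keep a copy of production data past the life of the branch. If the `pg` chart's resources live in the review namespace and are removed together with it, say so next to `pg:` (`# cleaned up with the review namespace; no deactivate job needed`); otherwise a teardown hook for the cluster is still required.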
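Review bot: The rewritten `RUN` line keeps `chown -R strapi:strapi /app`, so the runtime user (UID 1001) owns the whole application tree and the process serving requests can rewrite its own code and `node_modules`; limit ownership to the paths Strapi actually writes to (the uploads directory, which the values files mount as a volume, plus its `.cache`/`.tmp` directories if present) and leave the rest root-owned. `--shell /dev/null` does prevent an interactive login, but `/usr/sbin/nologin` is the conventional choice and reads as intent, e.g. `RUN useradd --system --no-create-home --uid 1001 --shell /usr/sbin/nologin strapi`. The switch from `adduser` to `useradd` hints at a base-image change that is not visible in this hunk; if so, the `FROM` line deserves the same pin-by-digest scrutiny as the workflows.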
diff --git a/back/strapi/config/database.js b/back/strapi/config/database.js
index 2c74ab951..9c9db2f83 100644
--- a/back/strapi/config/database.js
+++ b/back/strapi/config/database.js
@@ -9,10 +9,17 @@ module.exports = ({ env }) => ({ host: env("DATABASE_HOST", "postgres"), password: env("DATABASE_PASSWORD", "strapi"), port: env.int("DATABASE_PORT", 5432), - ssl: env.bool("DATABASE_SSL", false), + ssl: getSslConfig(env), username: env("DATABASE_USERNAME", "strapi"), }, }, }, defaultConnection: "default", }); + +function getSslConfig(env) { + if (env.bool("DATABASE_SSL", false)) { + return { rejectUnauthorized: false }; // For self-signed certificates + } + return false; +}
From a9865bcb338d15bc7a1726a5bd8ef42bfc9b9428 Mon Sep 17 00:00:00 2001
From: Julien Bouquillon
Date: Tue, 21 Nov 2023 00:30:56 +0100
Subject: [PATCH 2/3] chore: fix preprod workflow
---
 .github/workflows/preproduction.yaml | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/.github/workflows/preproduction.yaml b/.github/workflows/preproduction.yaml
index c0028bf1e..415626269 100644
--- a/.github/workflows/preproduction.yaml
+++ b/.github/workflows/preproduction.yaml
@@ -4,9 +4,6 @@ on: push: branches: - "master" - - "main" - tags-ignore: - - v* concurrency: cancel-in-progress: true
From dffeb6c31befe7a36db59bdcd34c61cd8cfb7904 Mon Sep 17 00:00:00 2001
From: Julien Bouquillon
Date: Tue, 21 Nov 2023 00:38:37 +0100
Subject: [PATCH 3/3] fix: release
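Review bot: `getSslConfig` enables TLS but returns `{ rejectUnauthorized: false }` whenever `DATABASE_SSL` is true, so the connection is encrypted yet the server certificate is never verified, and this applies to production as much as to dev, where anyone able to sit between the pod and `pg-rw` can present any certificate. Verify by default and make the exceptions explicit: a `DATABASE_SSL_REJECT_UNAUTHORIZED` boolean defaulting to true and an optional `DATABASE_SSL_CA` holding the PEM to trust (both proposed names, read with the same `env.bool`/`env` helpers the file already uses) let the cluster's CA be supplied instead of disabling verification; CloudNativePG publishes the cluster CA in a `<cluster>-ca` secret, which the `pg` chart may already expose (confirm). The `module.exports` object that calls `getSslConfig` starts outside the hunk; relying on function hoisting for a declaration placed after it is fine in CommonJS, but a short doc comment on the function would make the contract obvious.
```javascript
// … unchanged: module.exports connection config (ssl: getSslConfig(env)) …

/**
 * Build the `ssl` option for the pg connection from the environment.
 * DATABASE_SSL=false (default): no TLS, unchanged behaviour.
 * DATABASE_SSL=true: TLS with certificate verification; set
 * DATABASE_SSL_REJECT_UNAUTHORIZED=false (proposed name) only for
 * self-signed setups without a CA, and DATABASE_SSL_CA (proposed name)
 * to the PEM CA that should be trusted.
 */
function getSslConfig(env) {
  if (!env.bool("DATABASE_SSL", false)) {
    return false;
  }
  const ssl = {
    rejectUnauthorized: env.bool("DATABASE_SSL_REJECT_UNAUTHORIZED", true),
  };
  const ca = env("DATABASE_SSL_CA", "");
  if (ca) {
    ssl.ca = ca;
  }
  return ssl;
}
```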