Merge remote-tracking branch 'refs/remotes/origin/main'

SocialGouv · Jan 8, 2024 · bbee5f8 · bbee5f8
2 parents 55145d6 + 41c659b
commit bbee5f8
Show file tree

Hide file tree

Showing 20 changed files with 277 additions and 0 deletions.
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -0,0 +1,5 @@
+# Protect workflow files
+.github/workflows/*.yml @socialgouv/sre
+.github/CODEOWNERS @socialgouv/sre
+.k8s/ @socialgouv/sre
+.socialgouv/  @socialgouv/sre
diff --git a/.github/workflows/deactivate.yaml b/.github/workflows/deactivate.yaml
@@ -0,0 +1,23 @@
+name: ♻️ Deactivate
+on:
+  pull_request:
+    types: [closed]
+  delete:
+    branches:
+      - "**"
+      - "!v*"
+      - "!master"
+      - "!main"
+      - "!dev"
+      - "!develop"
+      - "!**/persist"
+      - "!persist/**"
+      - "!**/persist/**"
+      - "!persist-**"
+      - "!**-persist"
+      - "!**-persist-**"
+
+jobs:
+  socialgouv:
+    uses: socialgouv/workflows/.github/workflows/use-ks-gh-deactivate.yaml@v1
+    secrets: inherit
diff --git a/.github/workflows/preproduction.yaml b/.github/workflows/preproduction.yaml
@@ -0,0 +1,17 @@
+name: 😎 PreProd
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - "master"
+      - "main"
+
+concurrency:
+  cancel-in-progress: true
+  group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.event.ref }}
+
+jobs:
+  socialgouv:
+    name: "🇫🇷 SocialGouv"
+    uses: socialgouv/workflows/.github/workflows/use-ks-gh-preproduction.yaml@v1
+    secrets: inherit
diff --git a/.github/workflows/production.yaml b/.github/workflows/production.yaml
@@ -0,0 +1,16 @@
+name: 🚀 Production
+on:
+  workflow_dispatch:
+  push:
+    tags:
+      - v*
+
+concurrency:
+  cancel-in-progress: true
+  group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.event.ref }}
+
+jobs:
+  socialgouv:
+    name: "🇫🇷 SocialGouv"
+    uses: socialgouv/workflows/.github/workflows/use-ks-gh-production.yaml@v1
+    secrets: inherit
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -0,0 +1,15 @@
+name: Release
+on:
+  workflow_dispatch:
+  push:
+    branches: [master, main, alpha, beta, next]
+jobs:
+  release:
+    name: Release
+    runs-on: ubuntu-latest
+    steps:
+    - uses: socialgouv/workflows/actions/semantic-release@v1
+      with:
+        github-token: ${{ secrets.SOCIALGROOVYBOT_BOTO_PAT }}
+        author-name: ${{ secrets.SOCIALGROOVYBOT_NAME }}
+        author-email: ${{ secrets.SOCIALGROOVYBOT_EMAIL }}
diff --git a/.github/workflows/review-auto.yaml b/.github/workflows/review-auto.yaml
@@ -0,0 +1,16 @@
+name: 👓 Review Auto
+on:
+  push:
+    branches:
+      - "feat/**"
+      - "fix/**"
+
+concurrency:
+  cancel-in-progress: true
+  group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.event.ref }}
+
+jobs:
+  socialgouv:
+    name: "🇫🇷 SocialGouv"
+    uses: socialgouv/workflows/.github/workflows/use-ks-gh-review-auto.yaml@v1
+    secrets: inherit
diff --git a/.github/workflows/review.yaml b/.github/workflows/review.yaml
@@ -0,0 +1,19 @@
+name: 👀 Review
+on:
+  push:
+    branches:
+      - "**"
+      - "!master"
+      - "!main"
+      - "!feat/**"
+      - "!fix/**"
+
+concurrency:
+  cancel-in-progress: true
+  group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.event.ref }}
+
+jobs:
+  socialgouv:
+    name: "🇫🇷 SocialGouv"
+    uses: socialgouv/workflows/.github/workflows/use-ks-gh-review.yaml@v1
+    secrets: inherit
diff --git a/.kontinuous/config.yaml b/.kontinuous/config.yaml
@@ -0,0 +1,18 @@
+projectName: carte-jeune-engage
+ciNamespace: ci-carte-jeune-engage
+
+dependencies:
+  fabrique:
+    extends:
+      - name: ovh
+        ifEnv: [dev, preprod]
+      - name: buildkit-service
+        ifEnv: [dev, preprod]
+    dependencies:
+      contrib:
+        preDeploy:
+          importSecrets:
+            options:
+              secrets:
+                carte-jeune-engage-dev-backups-access-key:
+                carte-jeune-engage-prod-backups-access-key:
diff --git a/.kontinuous/env/dev/templates/app.configmap.yaml b/.kontinuous/env/dev/templates/app.configmap.yaml
@@ -0,0 +1,6 @@
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: app-configmap
+data:
+  PAYLOAD_CONFIG_PATH: payload/payload.config.ts
diff --git a/.kontinuous/env/dev/templates/app.sealed-secret.yaml b/.kontinuous/env/dev/templates/app.sealed-secret.yaml
@@ -0,0 +1 @@
+../../preprod/templates/app.sealed-secret.yaml
diff --git a/.kontinuous/env/preprod/templates/app.configmap.yaml b/.kontinuous/env/preprod/templates/app.configmap.yaml
@@ -0,0 +1,6 @@
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: app-configmap
+data:
+  PAYLOAD_CONFIG_PATH: payload/payload.config.ts
diff --git a/.kontinuous/env/preprod/templates/app.sealed-secret.yaml b/.kontinuous/env/preprod/templates/app.sealed-secret.yaml
@@ -0,0 +1,15 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  annotations:
+    sealedsecrets.bitnami.com/cluster-wide: 'true'
+  name: app-sealed-secret
+spec:
+  encryptedData:
+    PAYLOAD_SECRET: AgCUOf5GYU76Wpev453PuZGT5xSns0/50rXIB61hG8oFtwD//5b064nNycou3zkC+VzdrwyrBcda42n9JST4THKySHu+d5LhX9q5IiLkKNWJnQ8I0022sZIZbNPvPFm0II5LPW7GG5jpqdc9TO5k1uDBATRpXf4UNeQop7Kj+gamt3wHFoI72Yt2FZBGriPZf3Ka5bC4Z4l5hBt97LnH49S5ZY2t/vvFYStZDHn6UbEHH/+jWtsIfkZ00gi9U7wUgprYPXjvvAIfjjlCeMvRa4I1zpXftolrcM0tqwKT7j3dafQWD1JkmgVXkQUosGLqxWsIgTy2bwF8LiYCD0s2uBVdrqFV9wkNpHZBsCVCh2Bs+EDA4MPSCLcWsDB7YNsetDUhME56oEpaOMOE3npzt1safB7LpqHodWu5S5ySVTQM7rTuPjbJZPn/Bn6pM+W/2lmGztgpgHImfbox+D5JlSn1aRuG8kyQAmGxv45LjQnOP3AnP5D4l+DIn+om+QMcHjsq8/+5IYfpupok9DkdDv0Zasee/wv+H8YnH1SY7mX8eIkMea86f2qIdOVnKQoz7lZYHg4ZkzEstCQp4x+etO26t9GVJ+o8o1E/6sCfb/MkoEaw+0AxHlhAcr7GOlJokdFf7vPrQ56I5pqO7Gev9p981v9NpEnzs7XZePjIEOxng7NWYxV95bbu7SWiZzZtnZ8tE2OxSPO8CnswENXi0Oms
+  template:
+    metadata:
+      annotations:
+        sealedsecrets.bitnami.com/cluster-wide: 'true'
+      name: app-sealed-secret
+    type: Opaque
diff --git a/.kontinuous/env/preprod/values.yaml b/.kontinuous/env/preprod/values.yaml
@@ -0,0 +1,2 @@
+app:
+  host: "cje-preprod.ovh.fabrique.social.gouv.fr"
diff --git a/.kontinuous/env/prod/templates/app.configmap.yaml b/.kontinuous/env/prod/templates/app.configmap.yaml
@@ -0,0 +1,6 @@
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: app-configmap
+data:
+  PAYLOAD_CONFIG_PATH: payload/payload.config.ts
diff --git a/.kontinuous/env/prod/templates/app.sealed-secret.yaml b/.kontinuous/env/prod/templates/app.sealed-secret.yaml
@@ -0,0 +1,16 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  annotations:
+    sealedsecrets.bitnami.com/namespace-wide: 'true'
+  name: app-sealed-secret
+  namespace: carte-jeune-engage
+spec:
+  encryptedData:
+    PAYLOAD_SECRET: AgCXJjeQ77HOJNobfye+1HmjzIuUqehcAVWFrMZWJE5Ilfc5Lqq68AK8mcz/NY8ib3xpr5APAxZAf4MTU0v5ckPCFE9XGmi+NPKKasezDr3OVoeuU0kfme5RpM/+ByI/1B6amLYjjXWNbwjrpUIvo89XYVx8PsdLBPWYB0SR4HuPqjv9pjWv8h55wmgJh45UzhXgWNPESl9eFIhd7qrX6nwbuAaVofk3aVKbb73GsBIpquisg2vGM1ng04LB4mycBtCOgGOEulxCdDShl40dzHBFXhIidwmPJKifMwWS/tY9JnYx1sQqkbDbN7eBuWUwcSmjMc5FJBuVS7NIe3rzEVCdsU4T8usDrjVZ2APyr788vpEoxwd2Q38W9G5nA2zwLkHJg2XSW1nAU6qigJGbwgXlGsAj/v4kosMfLe3HQtdM8xdLZBggaUqKTzhhfIW8kG2heuUwfls3qRTOfaYw0amg7OuMYs11vtx0kAe8KnsrqQPAeqhpvjCWBff11+k7tAGI5P57N03kagZXquEbyAgnOePL1sl0LQrOnF+51DavuXghBY36JiFwyb/0gMEqBwx4SlpR5DR+0xoh5d9X98vOCxFY6Sn8Nyjh/6WAEEd13QOWIBxdWOc4EMtbAwZjsJRmTuYYQwJh3gDGvixVWxrrwtehhPHB0q4IvO4Yf0yUqHPeumHaQVI8PfmIRwNiRPfDYi7OdsPv+dEr7w1kbcyZ
+  template:
+    metadata:
+      annotations:
+        sealedsecrets.bitnami.com/namespace-wide: 'true'
+      name: app-sealed-secret
+    type: Opaque
diff --git a/.kontinuous/env/prod/values.yaml b/.kontinuous/env/prod/values.yaml
@@ -0,0 +1,19 @@
+app:
+  host: cje.fabrique.social.gouv.fr
+  envFrom:
+    - secretRef:
+        name: pg-app
+    - secretRef:
+        name: app-sealed-secret
+    - configMapRef:
+        name: app-configmap
+    - secretRef:
+        name: azure-cje-volume
+
+pg:
+  cnpg-cluster:
+    resources:
+      requests:
+        memory: 128Mi
+      limits:
+        memory: 1Gi
diff --git a/.kontinuous/values.yaml b/.kontinuous/values.yaml
@@ -0,0 +1,26 @@
+app:
+  ~chart: app
+  ~needs: [build-app]
+  host: "app-{{ $.Values.global.host }}"
+  imagePackage: app
+  probesPath: /api/healthz
+
+  env:
+    - name: DATABASE_URL
+      value: "$(DATABASE_URL)"
+  envFrom:
+    - secretRef:
+        name: app-sealed-secret
+    - configMapRef:
+        name: app-configmap
+
+cnpg-cluster:
+  ~chart: pg
+
+jobs:
+  runs:
+    build-app:
+      use: build
+      with:
+        imagePackage: app
+        context: ./webapp
diff --git a/webapp/Dockerfile b/webapp/Dockerfile
@@ -0,0 +1,45 @@
+ARG NODE_VERSION=lts-alpine3.18@sha256:ef5e088232f803cadb83326edb4731015f42961d23a11510b109c2c98cfbb945
+
+FROM node:$NODE_VERSION as dependencies
+WORKDIR /app
+ARG PRODUCTION
+COPY package.json yarn.lock ./
+RUN yarn install --frozen-lockfile
+
+FROM node:$NODE_VERSION as builder
+WORKDIR /app
+ARG PRODUCTION
+
+COPY . .
+COPY --from=dependencies /app/node_modules ./node_modules
+RUN yarn build
+
+FROM node:$NODE_VERSION as runner
+WORKDIR /app
+ARG PRODUCTION
+ENV NODE_ENV production
+
+COPY package.json yarn.lock ./
+# Remove dev dependencies
+RUN yarn install --production --frozen-lockfile && \
+    yarn cache clean
+
+RUN addgroup --system --gid 1001 nodejs && \
+    adduser --system --uid 1001 nextjs
+
+COPY --from=builder /app/public ./public
+COPY --from=builder /app/.next ./.next
+COPY --from=builder /app/node_modules ./node_modules
+
+# Block crawlers for staging deployments
+RUN if [ -z "$PRODUCTION" ]; then mv -f public/robots.staging.txt public/robots.txt; \
+    else rm -f public/robots.staging.txt; fi
+
+RUN chmod 1777 /tmp
+RUN chmod 1777 /app
+
+USER 1001
+
+EXPOSE 3000
+ENV PORT 3000
+CMD ["yarn", "start"]
diff --git a/webapp/public/robots.staging.txt b/webapp/public/robots.staging.txt
diff --git a/webapp/src/pages/api/healthz.ts b/webapp/src/pages/api/healthz.ts
@@ -0,0 +1,6 @@
+
+import { NextApiRequest, NextApiResponse } from 'next';
+
+export default (req: NextApiRequest, res: NextApiResponse) => {
+  res.status(200).json({ status: 'ok' });
+};