diff --git a/.github/dev.env b/.github/dev.env
deleted file mode 100644
index 5bcb447..0000000
--- a/.github/dev.env
+++ /dev/null
@@ -1,2 +0,0 @@
-SOCIALGOUV_BASE_DOMAIN=dev.fabrique.social.gouv.fr
-RANCHER_PROJECT_ID=c-gjtkk:p-v79sd
diff --git a/.github/preprod.env b/.github/preprod.env
deleted file mode 100644
index 5bcb447..0000000
--- a/.github/preprod.env
+++ /dev/null
@@ -1,2 +0,0 @@
-SOCIALGOUV_BASE_DOMAIN=dev.fabrique.social.gouv.fr
-RANCHER_PROJECT_ID=c-gjtkk:p-v79sd
diff --git a/.github/prod.env b/.github/prod.env
deleted file mode 100644
index de2f142..0000000
--- a/.github/prod.env
+++ /dev/null
@@ -1,2 +0,0 @@
-SOCIALGOUV_BASE_DOMAIN=fabrique.social.gouv.fr
-RANCHER_PROJECT_ID=c-5rj5b:p-7f92z
diff --git a/.github/workflows/preproduction.yml b/.github/workflows/preproduction.yml
index abb2347..ec26ad0 100644
--- a/.github/workflows/preproduction.yml
+++ b/.github/workflows/preproduction.yml
@@ -28,35 +28,24 @@ jobs: token: ${{ secrets.GITHUB_TOKEN }} imageName: monsuivipsy/monsuivipsy-site - ############################################################################## - ## GENERATE KUBERNETES MANIFESTS - ############################################################################## - manifests: - name: Generate k8s manifests - runs-on: ubuntu-latest - steps: - - name: Use autodevops manifests generation - uses: SocialGouv/actions/autodevops-manifests@v1 - with: - environment: "preprod" - rancherId: ${{ secrets.RANCHER_PROJECT_ID }} - socialgouvBaseDomain: ${{ secrets.SOCIALGOUV_BASE_DOMAIN }} - ############################################################################## ## DEPLOY APPLICATION OVER KUBERNETES ############################################################################## deploy: name: Deploy application runs-on: ubuntu-latest - needs: [register, manifests] + needs: [register] environment: name: preproduction url: https://monsuivipsy-site-preprod.dev.fabrique.social.gouv.fr steps: - name: Use autodevops deployment - uses: SocialGouv/actions/autodevops-deploy@v1 + uses: SocialGouv/actions/autodevops-helm-deploy@v1 with: environment: "preprod" token: ${{ secrets.GITHUB_TOKEN }} kubeconfig: ${{ secrets.KUBECONFIG }} rancherId: ${{ secrets.RANCHER_PROJECT_ID }} + rancherProjectName: ${{ secrets.RANCHER_PROJECT_NAME }} + socialgouvBaseDomain: ${{ secrets.SOCIALGOUV_BASE_DOMAIN }} + imageName: monsuivipsy/monsuivipsy-site diff --git a/.github/workflows/production.yml b/.github/workflows/production.yml index e3e88ec..dc2c07d 100644 --- a/.github/workflows/production.yml +++ b/.github/workflows/production.yml 
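Review bot: `uses: SocialGouv/actions/autodevops-helm-deploy@v1` in the deploy step is pinned to a movable tag while the step is handed `secrets.KUBECONFIG` and `secrets.GITHUB_TOKEN`, so the code that runs with cluster credentials can change without any change in this repository. Pinning to the full commit SHA of the release, `uses: SocialGouv/actions/autodevops-helm-deploy@<full-commit-sha> # v1`, makes the deployed action content immutable and reviewable on update. The same line appears in the `production.yml` and `review.yml` hunks, where the step receives `SOCIALGOUV_KUBE_CONFIG_PROD` and `SOCIALGOUV_KUBE_CONFIG_DEV`; moving those off `@master` is an improvement but leaves the same gap. The step also now depends on a `RANCHER_PROJECT_NAME` secret, which expands to an empty string if it has not been created, so it is worth confirming it exists for each environment. The `deploy` job continues outside this hunk.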
@@ -41,18 +41,16 @@ jobs: needs: [register] environment: name: production - url: https://monsuivipsy.fabrique.social.gouv.Fr + url: https://monsuivipsy.fabrique.social.gouv.fr steps: - - name: Use autodevops manifests generation - uses: SocialGouv/actions/autodevops-manifests@master - with: - environment: "prod" - rancherId: ${{ secrets.RANCHER_PROJECT_ID }} - socialgouvBaseDomain: ${{ secrets.SOCIALGOUV_BASE_DOMAIN }} + - name: Use autodevops deployment - uses: SocialGouv/actions/autodevops-deploy@master + uses: SocialGouv/actions/autodevops-helm-deploy@v1 with: environment: "prod" token: ${{ secrets.GITHUB_TOKEN }} kubeconfig: ${{ secrets.SOCIALGOUV_KUBE_CONFIG_PROD }} rancherId: ${{ secrets.RANCHER_PROJECT_ID }} + rancherProjectName: ${{ secrets.RANCHER_PROJECT_NAME }} + imageName: monsuivipsy/monsuivipsy-site + productionHost: monsuivipsy.fabrique.social.gouv.fr diff --git a/.github/workflows/review.yml b/.github/workflows/review.yml index ee0e470..85a04d2 100644 --- a/.github/workflows/review.yml +++ b/.github/workflows/review.yml 
@@ -32,31 +32,22 @@ jobs: token: ${{ secrets.GITHUB_TOKEN }} imageName: monsuivipsy/monsuivipsy-site - ############################################################################## - ## GENERATE KUBERNETES MANIFESTS - ############################################################################## - manifests: - name: Generate k8s manifests - runs-on: ubuntu-latest - steps: - - - name: Use autodevops manifests generation - uses: SocialGouv/actions/autodevops-manifests@master - with: - environment: "dev" - ############################################################################## ## DEPLOY APPLICATION OVER KUBERNETES ############################################################################## deploy: name: Deploy application runs-on: ubuntu-latest - needs: [register, manifests] + needs: [register] steps: - name: Use autodevops deployment - uses: SocialGouv/actions/autodevops-deploy@master + uses: SocialGouv/actions/autodevops-helm-deploy@v1 with: environment: "dev" token: ${{ secrets.GITHUB_TOKEN }} kubeconfig: ${{ secrets.SOCIALGOUV_KUBE_CONFIG_DEV }} + rancherId: ${{ secrets.RANCHER_PROJECT_ID }} + rancherProjectName: ${{ secrets.RANCHER_PROJECT_NAME }} + socialgouvBaseDomain: ${{ secrets.SOCIALGOUV_BASE_DOMAIN }} + imageName: monsuivipsy/monsuivipsy-site diff --git a/.socialgouv/chart/base/kustomization.yaml b/.socialgouv/chart/base/kustomization.yaml new file mode 100644 index 0000000..04cd258 --- /dev/null +++ b/.socialgouv/chart/base/kustomization.yaml 
@@ -0,0 +1,15 @@
+resources:
+- ../autodevops/base
+
+patches:
+- target:
+ kind: Ingress
+ patch: |
+ - op: add
+ path: "/metadata/annotations"
+ value:
+ "nginx.ingress.kubernetes.io/configuration-snippet": |
+ more_set_headers "Content-Security-Policy: default-src 'none'; connect-src 'self' https://*.gouv.fr; font-src 'self'; media-src 'self' https://*.gouv.fr; img-src 'self' https://*.gouv.fr https://a.tile.openstreetmap.org https://b.tile.openstreetmap.org https://c.tile.openstreetmap.org; prefetch-src 'self' https://*.gouv.fr; script-src 'self' https://*.gouv.fr; frame-src 'self' https://*.gouv.fr; style-src 'self' 'unsafe-inline'";
+ more_set_headers "X-Frame-Options: deny";
+ more_set_headers "X-XSS-Protection: 1; mode=block";
+ more_set_headers "X-Content-Type-Options: nosniff";
diff --git a/.socialgouv/chart/values.project.yaml b/.socialgouv/chart/values.project.yaml
new file mode 100644
index 0000000..5ba1695
--- /dev/null
+++ b/.socialgouv/chart/values.project.yaml
@@ -0,0 +1,4 @@
+app:
+ containerPort: 3000
+ probesPath: /api/healthz
+ envSecretName: monsuivipsy-site-sealed-secret
\ No newline at end of file
diff --git a/.socialgouv/config.json b/.socialgouv/config.json
index 039ee3e..fca177f 100644
--- a/.socialgouv/config.json
+++ b/.socialgouv/config.json
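Review bot: The JSON patch uses `op: add` on `/metadata/annotations`, which replaces the whole annotations map on every Ingress the `kind: Ingress` target matches instead of adding one key, so any annotation set by `../autodevops/base` (not visible here; possibly TLS or issuer settings) would be dropped. Adding only the one key avoids that: `path: "/metadata/annotations/nginx.ingress.kubernetes.io~1configuration-snippet"` with the snippet as `value`, which requires the annotations map to exist in the base. The snippet also only takes effect when the ingress-nginx controller permits snippet annotations (`allow-snippet-annotations`), so the four headers should be confirmed in the response of a deployed review environment. Within the policy, `default-src` does not cover framing or base URLs, so `frame-ancestors 'none'` and `base-uri 'self'` are worth adding to the CSP rather than relying on `X-Frame-Options` alone, and `X-XSS-Protection: 1; mode=block` is a legacy header that current browsers ignore.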
@@ -1,13 +1,6 @@
 {
 "type": "app",
 "name": "monsuivipsy-site",
- "subdomain": "monsuivipsy",
- "probesPath": "/api/healthz",
 "registry": "ghcr",
- "project": "monsuivipsy",
- "ingress": {
- "annotations": {
- "nginx.ingress.kubernetes.io/configuration-snippet": "more_set_headers \"Content-Security-Policy: default-src 'none'; connect-src 'self' https://*.gouv.fr; font-src 'self'; media-src 'self' https://*.gouv.fr; img-src 'self' https://*.gouv.fr https://a.tile.openstreetmap.org https://b.tile.openstreetmap.org https://c.tile.openstreetmap.org; prefetch-src 'self' https://*.gouv.fr; script-src 'self' https://*.gouv.fr; frame-src 'self' https://*.gouv.fr; style-src 'self' 'unsafe-inline'\";\nmore_set_headers \"X-Frame-Options: deny\";\nmore_set_headers \"X-XSS-Protection: 1; mode=block\";\nmore_set_headers \"X-Content-Type-Options: nosniff\";"
- }
- }
+ "project": "monsuivipsy"
 }
diff --git a/.socialgouv/environments/prod/yaml/redirect.yaml b/.socialgouv/environments/prod/yaml/redirect.yaml
index a0ccfc4..6de3e7d 100644
--- a/.socialgouv/environments/prod/yaml/redirect.yaml
+++ b/.socialgouv/environments/prod/yaml/redirect.yaml
@@ -7,8 +7,7 @@ metadata:
 cert-manager.io/cluster-issuer: letsencrypt-prod
 kubernetes.io/tls-acme: "true"
 labels:
- app.kubernetes.io/component: redirect
- app.kubernetes.io/name: www
+ component: app
 name: www-redirect
 namespace: monsuivipsy-site
 spec:
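Review bot: Replacing `app.kubernetes.io/component: redirect` and `app.kubernetes.io/name: www` with the bare `component: app` in the `redirect.yaml` hunk labels the `www-redirect` Ingress as if it were the application itself, and the hunk does not say why. If the Helm-based deploy selects or prunes resources by `component: app` (not visible here), that should be recorded next to the label, for example `# component: app is required by <reason>`. Otherwise keeping `app.kubernetes.io/component: redirect` alongside it preserves a way to tell the redirect apart from the application in selectors and audits. The manifest starts and ends outside this hunk.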