mission-apprentissage · FaXaq · Nov 26, 2024 · Oct 25, 2024 · Oct 25, 2024 · Oct 25, 2024
diff --git a/.bin/commands.sh b/.bin/commands.sh
@@ -0,0 +1,98 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+function Help() {
+   # Display Help
+   echo "Commands"
+   echo "  bin:setup                                               Installs ${PRODUCT_NAME} binary with zsh completion on system"
+   echo "  init:env                                                Update local env files using values from vault file"
+   echo "  docker:login                                            Login to ghcr.io"
+   echo "  release:interactive                                                                Build & Push Docker image releases"
+   echo "  release:manual:rc                                                                Build & Push Docker image releases in a release candidate"
+   echo "  release:app                                                                Build & Push Docker image releases"
+   echo "  deploy <env> --user <your_username>                                           Deploy application to <env>"
+   echo "  preview:build                                                                Build preview"
+   echo "  preview:cleanup --user <your_username>                                        Remove preview from close pull-requests"
+   echo "  vault:init                                                                    Fetch initial vault-password from template-apprentissage"
+   echo "  vault:edit                                                                    Edit vault file"
+   echo "  vault:password                                                                Show vault password"
+   echo "  seed:update                                Update seed using a database"
+   echo "  seed:apply                                 Apply seed to a database"
+   echo "  deploy:log:encrypt                         Encrypt Github ansible logs"
+   echo "  deploy:log:dencrypt                        Decrypt Github ansible logs"
+   echo 
+   echo
+}
+
+function bin:setup() {
+  sudo ln -fs "${ROOT_DIR}/.bin/product" "/usr/local/bin/product-${PRODUCT_NAME}"
+
+  sudo mkdir -p /usr/local/share/zsh/site-functions
+  sudo ln -fs "${ROOT_DIR}/.bin/zsh-completion" "/usr/local/share/zsh/site-functions/_${PRODUCT_NAME}"
+  sudo rm -f ~/.zcompdump*
+}
+
+function init:env() {
+  "${SCRIPT_DIR}/setup-local-env.sh" "$@"
+}
+
+function docker:login() {
+  "${SCRIPT_DIR}/docker-login.sh" "$@"
+}
+
+function release:interactive() {
+  "${SCRIPT_DIR}/release-interactive.sh" "$@"
+}
+
+function release:app() {
+  "${SCRIPT_DIR}/release-app.sh" "$@"
+}
+
+function release:manual:rc() {
+  "${SCRIPT_DIR}/release-manual-rc.sh" "$@"
+}
+
+function deploy() {
+  "${SCRIPT_DIR}/deploy-app.sh" "$@"
+}
+
+function preview:build() {
+  "${SCRIPT_DIR}/build-images.sh" "$@"
+}
+
+function preview:cleanup() {
+  "${SCRIPT_DIR}/run-playbook.sh" "preview_cleanup.yml" "preview"
+}
+
+function vault:init() {
+  # Ensure Op is connected
+  op account get > /dev/null
+  op document get ".vault-password-tmpl" --vault "vault-passwords-common" > "${ROOT_DIR}/.infra/vault/.vault-password.gpg"
+}
+
+function vault:edit() {
+  editor=${EDITOR:-'code -w'}
+  EDITOR=$editor "${SCRIPT_DIR}/edit-vault.sh" "$@"
+}
+
+function vault:password() {
+  "${SCRIPT_DIR}/get-vault-password-client.sh" "$@"
+}
+
+function seed:update() {
+  "${SCRIPT_DIR}/seed-update.sh" "$@"
+}
+
+function seed:apply() {
+  "${SCRIPT_DIR}/seed-apply.sh" "$@"
+}
+
+function deploy:log:encrypt() {
+  (cd "$ROOT_DIR" && "${SCRIPT_DIR}/deploy-log-encrypt.sh" "$@")
+}
+
+function deploy:log:decrypt() {
+  (cd "$ROOT_DIR" && "${SCRIPT_DIR}/deploy-log-decrypt.sh" "$@")
+}
+
diff --git a/.bin/product b/.bin/product
@@ -0,0 +1,30 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+export BIN_DIR="$(dirname -- "$( readlink -f -- "$0"; )")"
+export ROOT_DIR="$(dirname "${BIN_DIR}")"
+export SCRIPT_DIR="$BIN_DIR/scripts"
+
+source "${BIN_DIR}/product-meta.sh"
+source "${BIN_DIR}/commands.sh"
+
+################################################################################
+################################################################################
+# Main program                                                                 #
+################################################################################
+################################################################################
+
+readonly command=${1:-}
+if [ -z "$command" ]; then
+  Help
+fi;
+shift
+
+if [[ `command -v $command` != $command ]]; then
+  echo "Err: Command '$command' not found"
+  echo
+  Help
+fi;
+
+$command "$@"
diff --git a/.bin/product-meta.sh b/.bin/product-meta.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+set -euo pipefail
+
+export PRODUCT_NAME=orion
+export REPO_NAME=tjp-pilotage
+export DATABASE_NAME=orion
+readonly OP_ACCOUNT="inserjeunes"
diff --git a/.bin/scripts/build-images.sh b/.bin/scripts/build-images.sh
@@ -0,0 +1,41 @@
+#!/bin/bash
+set -euo pipefail
+
+export VERSION="${1:?"Veuillez préciser la version"}"
+mode=${2:?"Veuillez préciser le mode <push|load>"}
+shift 2
+
+get_channel() {
+  local version="$1"
+  channel=$(echo "$version" | cut -d '-' -f 2)
+
+  if [ "$channel" == "$version" ]; then
+    channel="latest"
+  else
+    channel=$(echo $channel | cut -d '.' -f 1 )
+  fi
+
+  echo $channel
+}
+
+if [[ $# == "0" ]]; then
+  echo "Veuillez spécifier les environnements à build (production, recette, preview, local)"
+  exit 1;
+fi;
+
+set +e
+docker buildx create --name "ij-${PRODUCT_NAME}" --driver docker-container --config "$SCRIPT_DIR/buildkitd.toml" 2> /dev/null
+set -e
+
+if [[ ! -z "${CI:-}" ]]; then
+  export DEPS_ID=($(md5sum $ROOT_DIR/yarn.lock))
+else
+  export DEPS_ID=""
+fi
+
+export CHANNEL=$(get_channel $VERSION)
+
+# "$@" is the list of environements
+docker buildx bake --builder "ij-${PRODUCT_NAME}" --${mode} "$@"
+docker builder prune --builder "ij-${PRODUCT_NAME}" --keep-storage 20GB --force
+docker buildx stop --builder "ij-${PRODUCT_NAME}"
diff --git a/.bin/scripts/buildkitd.toml b/.bin/scripts/buildkitd.toml
@@ -0,0 +1,7 @@
+[worker.oci]
+  max-parallelism = 2
+
+[[worker.oci.gcpolicy]]
+  all = true
+  keepBytes = "20GB"
+  keepDuration = "72h"
diff --git a/.bin/scripts/deploy-app.sh b/.bin/scripts/deploy-app.sh
@@ -0,0 +1,26 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+readonly ENV_FILTER=${1:?"Merci de préciser un ou plusieurs environnements (ex. recette ou production)"}
+shift
+
+function deploy() {
+  echo "Déploiement sur l'environnement ${ENV_FILTER}..."
+
+  if [[ "$ENV_FILTER" == "preview" ]]; then
+    readonly PR_NUMBER=${1:?"Merci de préciser le numéro de la Pull Request (ex. 33)"};
+    shift;
+
+    if ! [[ $PR_NUMBER =~ ^[0-9]+$ ]]; then
+      echo "Merci de préciser le numéro de la Pull Request (ex. 33)" >&2;
+      echo "Usage: deploy-app.sh preview <pr_number> <ansible_args...>" >&2;
+      exit 1
+    fi
+
+    "${ROOT_DIR}/.bin/scripts/run-playbook.sh" "preview.yml" "$ENV_FILTER" --extra-var "pr_number=$PR_NUMBER"
+  else
+    "${ROOT_DIR}/.bin/scripts/run-playbook.sh" "deploy.yml" "$ENV_FILTER" "$@"
+  fi
+}
+
+deploy "$@"
diff --git a/.bin/scripts/deploy-log-decrypt.sh b/.bin/scripts/deploy-log-decrypt.sh
@@ -0,0 +1,40 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+if [ -z "${1:-}" ]; then
+  read -p "Veuillez renseigner l'ID du run: " RUN_ID
+else
+    readonly RUN_ID="$1"
+    shift
+fi
+
+if [ -z "${1:-}" ]; then
+  read -p "Veuillez renseigner l'ID du job: " JOB_ID
+else
+    readonly JOB_ID="$1"
+    shift
+fi
+
+if [[ -z "${ANSIBLE_VAULT_PASSWORD_FILE:-}" ]]; then
+  ansible_extra_opts+=("--vault-password-file" "${SCRIPT_DIR}/get-vault-password-client.sh")
+else
+  echo "Récupération de la passphrase depuis l'environnement variable ANSIBLE_VAULT_PASSWORD_FILE" 
+fi
+
+readonly PASSPHRASE="$ROOT_DIR/.bin/SEED_PASSPHRASE.txt"
+readonly VAULT_FILE="${ROOT_DIR}/.infra/vault/vault.yml"
+
+delete_cleartext() {
+  rm -f "$PASSPHRASE"
+}
+trap delete_cleartext EXIT
+
+
+rm -f /tmp/deploy.log.gpg
+
+gh run download "$RUN_ID" -n "logs-$JOB_ID" -D /tmp
+
+ansible-vault view "${ansible_extra_opts[@]}" "$VAULT_FILE" | yq '.vault.SEED_GPG_PASSPHRASE' > "$PASSPHRASE"
+
+gpg -d --batch --passphrase-file "$PASSPHRASE" /tmp/deploy.log.gpg
diff --git a/.bin/scripts/deploy-log-encrypt.sh b/.bin/scripts/deploy-log-encrypt.sh
@@ -0,0 +1,23 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+if [[ -z "${ANSIBLE_VAULT_PASSWORD_FILE:-}" ]]; then
+  ansible_extra_opts+=("--vault-password-file" "${SCRIPT_DIR}/get-vault-password-client.sh")
+else
+  echo "Récupération de la passphrase depuis l'environnement variable ANSIBLE_VAULT_PASSWORD_FILE" 
+fi
+
+readonly PASSPHRASE="$ROOT_DIR/.bin/SEED_PASSPHRASE.txt"
+readonly VAULT_FILE="${ROOT_DIR}/.infra/vault/vault.yml"
+
+delete_cleartext() {
+  rm -f "$PASSPHRASE"
+}
+trap delete_cleartext EXIT
+
+ansible-vault view "${ansible_extra_opts[@]}" "$VAULT_FILE" | yq '.vault.SEED_GPG_PASSPHRASE' > "$PASSPHRASE"
+
+# Make sur the file exists
+touch /tmp/deploy.log
+gpg  -c --cipher-algo twofish --batch --passphrase-file "$PASSPHRASE" -o /tmp/deploy.log.gpg /tmp/deploy.log
diff --git a/.bin/scripts/docker-login.sh b/.bin/scripts/docker-login.sh
@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+read -p "[ghcr.io] user ? : " u
+read -p "[ghcr.io] GH personnal token ? : " p
+
+echo "Login sur le registry ..."
+echo $p | docker login ghcr.io -u "$u" --password-stdin
+echo "Logged!"
diff --git a/.bin/scripts/edit-vault.sh b/.bin/scripts/edit-vault.sh
@@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+readonly VAULT_FILE="${ROOT_DIR}/.infra/vault/vault.yml"
+
+ansible-vault edit --vault-password-file="${SCRIPT_DIR}/get-vault-password-client.sh" "${VAULT_FILE}"
diff --git a/.bin/scripts/get-vault-password-client.sh b/.bin/scripts/get-vault-password-client.sh
@@ -0,0 +1,70 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# echo "Command line interface to view the vault password"
+# echo "This file implements Ansible specifications third-party vault tools"
+# echo "For more informations see https://docs.ansible.com/ansible/latest/vault_guide/vault_managing_passwords.html#storing-passwords-in-third-party-tools-with-vault-password-client-scripts"
+
+## CHECK UPDATES AND RENEW
+
+readonly SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+readonly BIN_DIR="$(dirname "${SCRIPT_DIR}")"
+readonly ROOT_DIR="$(dirname "${BIN_DIR}")"
+readonly VAULT_DIR="${ROOT_DIR}/.infra/vault"
+readonly VAULT_FILE="${VAULT_DIR}/vault.yml"
+readonly PRODUCT_NAME="orion"
+readonly OP_ACCOUNT="inserjeunes"
+
+DOCUMENT_CONTENT=$(op --account "${OP_ACCOUNT}" document get ".vault-password-${PRODUCT_NAME}" --vault "vault-passwords-common" || echo "")
+vault_password_file="${VAULT_DIR}/.vault-password.gpg"
+previous_vault_password_file="${VAULT_DIR}/.vault-password-previous.gpg"
+
+if [ ! -f "$vault_password_file" ]; then
+    echo "$DOCUMENT_CONTENT" > "$vault_password_file"
+    echo "vault password créé avec succès."
+
+# Si le fichier existe et que son contenu est différent
+elif [ ! -z "$DOCUMENT_CONTENT" ] && [ "$DOCUMENT_CONTENT" != "$(cat "${vault_password_file}")" ]; then
+    # Renommer l'ancien fichier
+    mv "$vault_password_file" "$previous_vault_password_file"
+    # echo "vault-password existant renommé en .vault-password-previous.gpg."
+
+    # Créer un nouveau fichier avec le contenu actuel
+    echo "$DOCUMENT_CONTENT" > "$vault_password_file"
+    # echo "Nouveau vault-password créé avec succès."
+
+    previous_vault_password_file_clear_text="${VAULT_DIR}/prev_clear_text"
+    vault_password_file_clear_text="${VAULT_DIR}/new_clear_text"
+
+    delete_cleartext() {
+      rm -f "$previous_vault_password_file_clear_text" "$vault_password_file_clear_text"
+    }
+    trap delete_cleartext EXIT
+
+    gpg --quiet --batch --use-agent --decrypt "${previous_vault_password_file}" > "${previous_vault_password_file_clear_text}"
+    gpg --quiet --batch --use-agent --decrypt "${vault_password_file}" > "${vault_password_file_clear_text}"
+
+    ansible-vault rekey \
+    --vault-id "${previous_vault_password_file_clear_text}" \
+    --new-vault-id "${vault_password_file_clear_text}" \
+    "${VAULT_FILE}" > /dev/null || true
+
+    delete_cleartext
+fi
+
+
+decrypt_password() {
+  ## Decrypt
+
+  if test -f "${vault_password_file}"; then
+    gpg --quiet --batch --use-agent --decrypt "${vault_password_file}"
+  else
+    #Allows to run playbooks with --vault-password-file even if password has not been yet generated
+    echo "not-yet-generated"
+  fi
+
+  gpgconf --kill gpg-agent
+}
+
+
+decrypt_password
diff --git a/.bin/scripts/get-version.sh b/.bin/scripts/get-version.sh
@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+
+VERSION=$(git describe --tags --abbrev=0 --candidates 100 --always)
+HEAD=$(git rev-parse HEAD)
+
+if [[ "$VERSION" = "$HEAD" ]]; then
+  VERSION="v0.0.0"
+fi;
+
+set -euo pipefail
+
+echo "${VERSION:1}"