From 74b6ade5a0bec207e1b07ed0d2cf3e3559f427ba Mon Sep 17 00:00:00 2001
From: Jacques ROUSSEL
Date: Fri, 3 Jan 2025 11:24:20 +0100
Subject: [PATCH] wip
---
 .github/workflows/docker-hub.yml | 86 ++-------------
 .github/workflows/helmfile-linter.yaml | 24 ++--
 bin/start-kind.sh | 103 +-----------------
 src/helm/env.d/dev/secrets.enc.yaml | 62 -----------
 src/helm/env.d/dev/values.impress.yaml.gotmpl | 48 +++++---
 src/helm/extra/Chart.yaml | 5 -
 src/helm/extra/templates/keydb.yaml | 7 --
 src/helm/extra/templates/postgresql.yaml | 7 --
 src/helm/extra/templates/s3.yaml | 8 --
 src/helm/helmfile.yaml | 51 +++++++--
 src/helm/impress/templates/secrets.yaml | 4 -
 11 files changed, 100 insertions(+), 305 deletions(-)
 delete mode 100644 src/helm/env.d/dev/secrets.enc.yaml
 delete mode 100644 src/helm/extra/Chart.yaml
 delete mode 100644 src/helm/extra/templates/keydb.yaml
 delete mode 100644 src/helm/extra/templates/postgresql.yaml
 delete mode 100644 src/helm/extra/templates/s3.yaml
diff --git a/.github/workflows/docker-hub.yml b/.github/workflows/docker-hub.yml
index e80df6e27..7dca9637d 100644
--- a/.github/workflows/docker-hub.yml
+++ b/.github/workflows/docker-hub.yml
@@ -19,26 +19,9 @@ jobs: build-and-push-backend: runs-on: ubuntu-latest steps: - - - uses: actions/create-github-app-token@v1 - id: app-token - with: - app-id: ${{ secrets.APP_ID }} - private-key: ${{ secrets.PRIVATE_KEY }} - owner: ${{ github.repository_owner }} - repositories: "impress,secrets" - name: Checkout repository - uses: actions/checkout@v2 - with: - submodules: recursive - token: ${{ steps.app-token.outputs.token }} - - - name: Load sops secrets - uses: rouja/actions-sops@main - with: - secret-file: secrets/numerique-gouv/impress/secrets.enc.env - age-key: ${{ secrets.SOPS_PRIVATE }} + uses: actions/checkout@v4 - name: Docker meta id: meta
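Review bot: The replacement step `uses: actions/checkout@v4` pins a workflow that goes on to handle registry credentials to a mutable tag; pinning to the full-length commit SHA of the release, with the version kept in a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha>  # v4` (placeholder, substitute the real SHA), is the hardened form. The same replacement line is introduced in the hunks at @@ -70, @@ -122 and @@ -179 of this file. Since the app-token and sops-loading steps are removed from every job, if no other workflow still uses `APP_ID`, `PRIVATE_KEY` and `SOPS_PRIVATE`, those repository secrets can be retired rather than left dormant. The rest of the build-and-push-backend job continues outside the hunk.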
@@ -48,7 +31,7 @@ jobs: - name: Login to DockerHub if: github.event_name != 'pull_request' - run: echo "$DOCKER_HUB_PASSWORD" | docker login -u "$DOCKER_HUB_USER" --password-stdin + run: echo "${{ secrets.DOCKER_HUB_PASSWORD }}" | docker login -u "${{ secrets.DOCKER_HUB_USER }}" --password-stdin - name: Run trivy scan uses: numerique-gouv/action-trivy-cache@main
@@ -70,26 +53,9 @@ jobs: build-and-push-frontend: runs-on: ubuntu-latest steps: - - - uses: actions/create-github-app-token@v1 - id: app-token - with: - app-id: ${{ secrets.APP_ID }} - private-key: ${{ secrets.PRIVATE_KEY }} - owner: ${{ github.repository_owner }} - repositories: "impress,secrets" - name: Checkout repository - uses: actions/checkout@v2 - with: - submodules: recursive - token: ${{ steps.app-token.outputs.token }} - - - name: Load sops secrets - uses: rouja/actions-sops@main - with: - secret-file: secrets/numerique-gouv/impress/secrets.enc.env - age-key: ${{ secrets.SOPS_PRIVATE }} + uses: actions/checkout@v4 - name: Docker meta id: meta
@@ -99,7 +65,7 @@ jobs: - name: Login to DockerHub if: github.event_name != 'pull_request' - run: echo "$DOCKER_HUB_PASSWORD" | docker login -u "$DOCKER_HUB_USER" --password-stdin + run: echo "${{ secrets.DOCKER_HUB_PASSWORD }}" | docker login -u "${{ secrets.DOCKER_HUB_USER }}" --password-stdin - name: Run trivy scan uses: numerique-gouv/action-trivy-cache@main
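Review bot: The new `run:` line in the @@ -48 hunk expands `${{ secrets.DOCKER_HUB_PASSWORD }}` and `${{ secrets.DOCKER_HUB_USER }}` directly into the script text, so the secret value is spliced in before bash parses the command and any quote or shell metacharacter in it alters the command instead of being passed as data; the removed line, which read shell variables, was the safer shape and only lacked the `env:` mapping that supplies them. Restore `run: echo "$DOCKER_HUB_PASSWORD" | docker login -u "$DOCKER_HUB_USER" --password-stdin` and add `env:` to the step with `DOCKER_HUB_PASSWORD: ${{ secrets.DOCKER_HUB_PASSWORD }}` and `DOCKER_HUB_USER: ${{ secrets.DOCKER_HUB_USER }}`. The identical line is introduced at @@ -99 and @@ -151, and the `-hmac ''${{ secrets.ARGOCD_PREPROD_WEBHOOK_SECRET}}''` argument at @@ -179 has the same shape and should likewise be routed through `env:`. The login steps' enclosing jobs start and end outside these hunks.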
@@ -122,26 +88,9 @@ jobs: build-and-push-y-provider: runs-on: ubuntu-latest steps: - - - uses: actions/create-github-app-token@v1 - id: app-token - with: - app-id: ${{ secrets.APP_ID }} - private-key: ${{ secrets.PRIVATE_KEY }} - owner: ${{ github.repository_owner }} - repositories: "impress,secrets" - name: Checkout repository - uses: actions/checkout@v2 - with: - submodules: recursive - token: ${{ steps.app-token.outputs.token }} - - - name: Load sops secrets - uses: rouja/actions-sops@main - with: - secret-file: secrets/numerique-gouv/impress/secrets.enc.env - age-key: ${{ secrets.SOPS_PRIVATE }} + uses: actions/checkout@v4 - name: Docker meta id: meta
@@ -151,7 +100,7 @@ jobs: - name: Login to DockerHub if: github.event_name != 'pull_request' - run: echo "$DOCKER_HUB_PASSWORD" | docker login -u "$DOCKER_HUB_USER" --password-stdin + run: echo "${{ secrets.DOCKER_HUB_PASSWORD }}" | docker login -u "${{ secrets.DOCKER_HUB_USER }}" --password-stdin - name: Run trivy scan uses: numerique-gouv/action-trivy-cache@main
@@ -179,29 +128,12 @@ jobs: if: | github.event_name != 'pull_request' steps: - - - uses: actions/create-github-app-token@v1 - id: app-token - with: - app-id: ${{ secrets.APP_ID }} - private-key: ${{ secrets.PRIVATE_KEY }} - owner: ${{ github.repository_owner }} - repositories: "impress,secrets" - name: Checkout repository - uses: actions/checkout@v2 - with: - submodules: recursive - token: ${{ steps.app-token.outputs.token }} - - - name: Load sops secrets - uses: rouja/actions-sops@main - with: - secret-file: secrets/numerique-gouv/impress/secrets.enc.env - age-key: ${{ secrets.SOPS_PRIVATE }} + uses: actions/checkout@v4 - name: Call argocd github webhook run: | data='{"ref": "'$GITHUB_REF'","repository": {"html_url":"'$GITHUB_SERVER_URL'/'$GITHUB_REPOSITORY'"}}' - sig=$(echo -n ${data} | openssl dgst -sha1 -hmac ''${ARGOCD_WEBHOOK_SECRET}'' | awk '{print "X-Hub-Signature: sha1="$2}') - curl -X POST -H 'X-GitHub-Event:push' -H "Content-Type: application/json" -H "${sig}" --data "${data}" $ARGOCD_WEBHOOK_URL + sig=$(echo -n ${data} | openssl dgst -sha1 -hmac ''${{ secrets.ARGOCD_PREPROD_WEBHOOK_SECRET}}'' | awk '{print "X-Hub-Signature: sha1="$2}') + curl -X POST -H 'X-GitHub-Event:push' -H "Content-Type: application/json" -H "${sig}" --data "${data}" ${{ vars.ARGOCD_PREPROD_WEBHOOK_URL }}
diff --git a/.github/workflows/helmfile-linter.yaml b/.github/workflows/helmfile-linter.yaml
index 26b830b41..af5fb7c41 100644
--- a/.github/workflows/helmfile-linter.yaml
+++ b/.github/workflows/helmfile-linter.yaml
@@ -2,6 +2,7 @@ name: Helmfile lint run-name: Helmfile lint on: + push: pull_request: branches: - 'main'
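Review bot: The added `push:` trigger in the helmfile-linter @@ -2 hunk carries no `branches:` filter, so the lint job now runs on every push to every branch and, since the `pull_request:` trigger on `main` is kept, a branch that has an open same-repository PR is linted twice for each push. If the intent is to lint the default branch after merge, scope it as `push:` / `branches:` / `- 'main'` mirroring the existing `pull_request:` block; if the intent is to lint all branches, the `pull_request:` trigger becomes redundant for same-repository PRs. The remainder of the `on:` mapping continues outside the hunk.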
@@ -12,11 +13,18 @@ jobs: container: image: ghcr.io/helmfile/helmfile:latest steps: - - - uses: numerique-gouv/action-helmfile-lint@main - with: - app-id: ${{ secrets.APP_ID }} - age-key: ${{ secrets.SOPS_PRIVATE }} - private-key: ${{ secrets.PRIVATE_KEY }} - helmfile-src: "src/helm" - repositories: "impress,secrets" + - + name: Checkout repository + uses: actions/checkout@v4 + - + name: Helmfile lint + shell: bash + run: | + set -e + HELMFILE=src/helm/helmfile.yaml + environments=$(awk '/environments:/ {flag=1; next} flag && NF {print} !NF {flag=0}' "$HELMFILE" | grep -E '^[[:space:]]{2}[a-zA-Z]+' | sed 's/^[[:space:]]*//;s/:.*//') + for env in $environments; do + echo "################### $env lint ###################" + helmfile -e $env -f $HELMFILE lint || exit 1 + echo -e "\n" + done
diff --git a/bin/start-kind.sh b/bin/start-kind.sh
index 59eba562e..f07ab368a 100755
--- a/bin/start-kind.sh
+++ b/bin/start-kind.sh
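Review bot: The new lint step builds `$environments` by regex-scraping `helmfile.yaml` (`awk` to the first blank line after `environments:`, then `grep -E '^[[:space:]]{2}[a-zA-Z]+'` and `sed`) and loops over the result, so if the scrape yields nothing — an environment key that does not start with a letter, a different indentation, or a relocated block — the `for` loop runs zero times and the job goes green without having linted anything. Add a guard before the loop: `if [ -z "$environments" ]; then echo "no environments found in $HELMFILE" >&2; exit 1; fi`. Quoting `"$env"` and `"$HELMFILE"` in the `helmfile` call and dropping `|| exit 1`, which `set -e` already covers, would make the loop body read more plainly. The reliance on a blank line terminating the `environments:` block (the `!NF {flag=0}` clause) is worth stating in a comment above the `environments=` line, since a missing blank line would pull later two-space-indented keys into the list.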
@@ -1,103 +1,2 @@ #!/bin/sh -set -o errexit - -CURRENT_DIR=$(pwd) - -echo "0. Create ca" -# 0. Create ca -mkcert -install -cd /tmp -mkcert "127.0.0.1.nip.io" "*.127.0.0.1.nip.io" -cd $CURRENT_DIR - -echo "1. Create registry container unless it already exists" -# 1. Create registry container unless it already exists -reg_name='kind-registry' -reg_port='5001' -if [ "$(docker inspect -f '{{.State.Running}}' "${reg_name}" 2>/dev/null || true)" != 'true' ]; then - docker run \ - -d --restart=unless-stopped -p "127.0.0.1:${reg_port}:5000" --network bridge --name "${reg_name}" \ - registry:2 -fi - -echo "2. Create kind cluster with containerd registry config dir enabled" -# 2. Create kind cluster with containerd registry config dir enabled -# TODO: kind will eventually enable this by default and this patch will -# be unnecessary. -# -# See: -# https://github.com/kubernetes-sigs/kind/issues/2875 -# https://github.com/containerd/containerd/blob/main/docs/cri/config.md#registry-configuration -# See: https://github.com/containerd/containerd/blob/main/docs/hosts.md -cat <