Merge branch 'master' into fix/cnpg-prod-default-backup-enabled

SocialGouv · Jul 31, 2023 · 3b2d6e9 · 3b2d6e9
2 parents d8b24dc + e019db2
commit 3b2d6e9
Show file tree

Hide file tree

Showing 85 changed files with 361 additions and 510 deletions.
diff --git a/.github/actions/deploy-via-github/Dockerfile b/.github/actions/deploy-via-github/Dockerfile
@@ -1,4 +1,4 @@
-FROM ghcr.io/socialgouv/kontinuous:v1.161.5
+FROM ghcr.io/socialgouv/kontinuous:v1.161.9
 
 COPY entrypoint.sh /entrypoint.sh
 

diff --git a/.github/actions/deploy-via-github/action.yaml b/.github/actions/deploy-via-github/action.yaml
@@ -45,7 +45,7 @@ inputs:
 runs:
   using: docker
   # image: Dockerfile
-  image: docker://ghcr.io/socialgouv/kontinuous/deploy-via-github:v1.161.5
+  image: docker://ghcr.io/socialgouv/kontinuous/deploy-via-github:v1.161.9
   env:
     KS_ENVIRONMENT: ${{ inputs.environment }}
     KS_CHART: ${{ inputs.chart }}

diff --git a/.github/actions/deploy-via-webhook/Dockerfile b/.github/actions/deploy-via-webhook/Dockerfile
@@ -1,4 +1,4 @@
-FROM ghcr.io/socialgouv/kontinuous:v1.161.5 as base
+FROM ghcr.io/socialgouv/kontinuous:v1.161.9 as base
 
 USER 0
 

diff --git a/.github/actions/deploy-via-webhook/action.yaml b/.github/actions/deploy-via-webhook/action.yaml
@@ -29,7 +29,7 @@ inputs:
 runs:
   using: docker
   # image: Dockerfile
-  image: docker://ghcr.io/socialgouv/kontinuous/deploy-via-webhook:v1.161.5
+  image: docker://ghcr.io/socialgouv/kontinuous/deploy-via-webhook:v1.161.9
   env:
     KS_WEBHOOK_TOKEN: ${{ inputs.webhookToken }}
     KS_WEBHOOK_URI: ${{ inputs.webhookUri }}

diff --git a/.github/actions/deploy-via-webhook/kontinuousVersion b/.github/actions/deploy-via-webhook/kontinuousVersion
@@ -1 +1 @@
-ghcr.io/socialgouv/kontinuous:v1.161.5
+ghcr.io/socialgouv/kontinuous:v1.161.9
diff --git a/.github/actions/env/Dockerfile b/.github/actions/env/Dockerfile
@@ -1,4 +1,4 @@
-FROM ghcr.io/socialgouv/kontinuous:v1.161.5
+FROM ghcr.io/socialgouv/kontinuous:v1.161.9
 
 COPY entrypoint.sh /entrypoint.sh
 

diff --git a/.github/actions/env/action.yaml b/.github/actions/env/action.yaml
@@ -11,7 +11,7 @@ inputs:
 runs:
   using: docker
   # image: Dockerfile
-  image: docker://ghcr.io/socialgouv/kontinuous/env:v1.161.5
+  image: docker://ghcr.io/socialgouv/kontinuous/env:v1.161.9
   env:
     KS_GIT_BRANCH: ${{ inputs.branch }}
     KSENV_REPOSITORY_NAME: ${{ inputs.repositoryName }}

diff --git a/.github/kontinuousVersion b/.github/kontinuousVersion
@@ -1 +1 @@
-ghcr.io/socialgouv/kontinuous:v1.161.5
+ghcr.io/socialgouv/kontinuous:v1.161.9
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,6 +2,24 @@
 
 All notable changes to this project will be documented in this file. See [commit-and-tag-version](https://github.com/absolute-version/commit-and-tag-version) for commit guidelines.
 
+## 1.161.9 (2023-07-31)
+
+## 1.161.8 (2023-07-31)
+
+
+### Bug Fixes
+
+* **metabase:** upgrade to v0.46.6.4 ([#377](https://github.com/socialgouv/kontinuous/issues/377)) ([47f5fa2](https://github.com/socialgouv/kontinuous/commit/47f5fa2df0c75ce6ac8877460645c1dc1ec2ae7f))
+
+## 1.161.7 (2023-07-28)
+
+
+### Bug Fixes
+
+* **metabase:** fix chart ([#369](https://github.com/socialgouv/kontinuous/issues/369)) ([ea390ec](https://github.com/socialgouv/kontinuous/commit/ea390ec0c389a69fcd252eb3d4cd797dfb94208f))
+
+## 1.161.6 (2023-07-28)
+
 ## 1.161.5 (2023-07-28)
 
 

diff --git a/boilerplates/infra-samples/argocd/kontinuous-webhook/values.yaml b/boilerplates/infra-samples/argocd/kontinuous-webhook/values.yaml
@@ -1,5 +1,5 @@
 kontinuous-webhook:
-  image: ghcr.io/socialgouv/kontinuous/webhook:v1.161.5
+  image: ghcr.io/socialgouv/kontinuous/webhook:v1.161.9
   # image: harbor.fabrique.social.gouv.fr/sre/kontinuous/webhook:1
   host: "kontinuous.fabrique.social.gouv.fr"
 

diff --git a/docker-compose.yaml b/docker-compose.yaml
@@ -17,8 +17,8 @@ services:
       KUBEWEBHOOK_CONFIG_PATH: config.sample.yaml
       KUBEWEBHOOK_SUPERTOKEN: ${KUBEWEBHOOK_SUPERTOKEN:-1234}
       KUBEWEBHOOK_EXPOSED_PORT: ${KUBEWEBHOOK_EXPOSED_PORT:-7530}
-      KUBEWEBHOOK_PIPELINE_IMAGE: ${KUBEWEBHOOK_PIPELINE_IMAGE:-"ghcr.io/socialgouv/kontinuous:v1.161.5"}
-      KUBEWEBHOOK_PIPELINE_CHECKOUT_IMAGE: ${KUBEWEBHOOK_PIPELINE_CHECKOUT_IMAGE:-"ghcr.io/socialgouv/kontinuous/degit:v1.161.5"}
+      KUBEWEBHOOK_PIPELINE_IMAGE: ${KUBEWEBHOOK_PIPELINE_IMAGE:-"ghcr.io/socialgouv/kontinuous:v1.161.9"}
+      KUBEWEBHOOK_PIPELINE_CHECKOUT_IMAGE: ${KUBEWEBHOOK_PIPELINE_CHECKOUT_IMAGE:-"ghcr.io/socialgouv/kontinuous/degit:v1.161.9"}
       KUBEWEBHOOK_CI_NAMESPACE_ALLOW_ALL: ${KUBEWEBHOOK_CI_NAMESPACE_ALLOW_ALL:-"true"}
       KUBEWEBHOOK_HTTPLOGGER_IGNOREUSERAGENTS: backbox-robot
       KUBEWEBHOOK_SENTRY_DSN: ${KUBEWEBHOOK_SENTRY_DSN}

diff --git a/docs/faq.md b/docs/faq.md
@@ -1,6 +1,6 @@
 # FAQ
 
-[Add your question](https://github.com/SocialGouv/kontinuous/issues/new?title=docs:%20add%20FAQ%20entry)
+[Add your question](https://github.com/SocialGouv/kontinuous/edit/master/docs/faq.md)
 
 ## Why another CI/CD ?
 
@@ -83,6 +83,40 @@ app:
         name: pg-xxx-app
 ```
 
+## Run a seed job
+
+This example build your Dockerfile, creates a PG cluster, seed the database then starts your application with secrets attached
+
+In your `.kontinuous/values.yaml` or `.kontinuous/[env]/values.yaml`
+
+```yaml
+# create app database
+pg:
+  ~chart: pg
+
+# run app after build and seed
+app:
+  ~chart: app
+  ~needs: [build-app, seed-db]
+  # use CNPG db created secret
+  envFrom:
+    - secretRef:
+        name: pg-app
+
+jobs:
+  runs:
+    # builds Dockerfile
+    build-app:
+      use: build
+    # seed the database
+    seed-db:
+      use: seed-db
+      ~needs: [pg]
+      pgSecretName: pg-app
+      with:
+        seedPath: ./seeds.sql
+```
+
 ## Add a custom HELM chart
 
 To add a custom HELM chart to your deployment :
@@ -136,6 +170,57 @@ jobs:
         context: packages/api
 ```
 
+## Add an oauth2 proxy to protect some application
+
+You can delegate application authentication to [oauth2-proxy](https://oauth2-proxy.github.io/oauth2-proxy) that can connect to multiple identity providers like GitHub, Azure, AD, KeyCloak...
+
+This has many security advantages :
+
+- hides all your application from external users
+- delegates all security processes to state-of-the-art providers
+- application can receive verifiable user identity
+
+You'll have to disable the default application ingress and replace it with `oauth2-proxy` one then register your application, see [compatible providers](https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/oauth_provider).
+
+```mermaid
+graph LR
+Internet["🌍" Internet]-->Proxy["🔒" Proxy]
+subgraph Cluster
+Proxy-->WebApp["🧑‍💼" WebApp]
+Proxy<-->IDP["🔑" Identity providers]
+end
+```
+
+In `.kontinuous/values.yaml` :
+
+```yaml
+# Application to protect
+metabase:
+  ingress:
+    enabled: false # disable ingress (internet exposition)
+  # metabase secrets and settings
+  envFrom:
+    - secretRef:
+        name: metabase
+
+oauth2-proxy:
+  # public URL that will show metabase once loggedin
+  host: "metabase.myapp.somewhere.fr"
+  # internal protected service URL
+  upstream: http://metabase
+  # oauth2-proxy secrets and settings
+  envFrom:
+    - secretRef:
+        name: oauth2-proxy
+  env:
+    - name: OAUTH2_PROXY_PROVIDER
+      value: github
+    - name: OAUTH2_PROXY_GITHUB_ORG
+      value: some-org
+```
+
+**NOTE** in this example, only users from `some-org` GitHub organisation can access the metabase, but they also have to login on the metabase separately.
+
 ## Define a custom docker registry
 
 [TODO]

diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "~dev",
-  "version": "1.161.5",
+  "version": "1.161.9",
   "repository": "[email protected]:socialgouv/kontinuous.git",
   "license": "MIT",
   "private": true,

diff --git a/packages/argocd/Dockerfile b/packages/argocd/Dockerfile
@@ -25,8 +25,8 @@ RUN chown 1001:1001 /workspace
 RUN git config --global --add safe.directory /workspace
 
 
-COPY --from=ghcr.io/socialgouv/kontinuous:v1.161.5 /usr/local/bin /usr/local/bin/
-COPY --from=ghcr.io/socialgouv/kontinuous:v1.161.5 --chown=999:999 /opt/kontinuous /opt/kontinuous/
+COPY --from=ghcr.io/socialgouv/kontinuous:v1.161.9 /usr/local/bin /usr/local/bin/
+COPY --from=ghcr.io/socialgouv/kontinuous:v1.161.9 --chown=999:999 /opt/kontinuous /opt/kontinuous/
 
 # Switch back to non-root user
 USER 999
diff --git a/packages/common/package.json b/packages/common/package.json
@@ -1,6 +1,6 @@
 {
   "name": "~common",
-  "version": "1.161.5",
+  "version": "1.161.9",
   "description": "",
   "license": "MIT",
   "engines": {

diff --git a/packages/dev-tools/package.json b/packages/dev-tools/package.json
@@ -1,6 +1,6 @@
 {
   "name": "~dev-tools",
-  "version": "1.161.5",
+  "version": "1.161.9",
   "dependencies": {
     "replace": "^1.2.2",
     "~common": "workspace:^"

diff --git a/packages/helm-tree/package.json b/packages/helm-tree/package.json
@@ -1,6 +1,6 @@
 {
   "name": "helm-tree",
-  "version": "1.161.5",
+  "version": "1.161.9",
   "description": "",
   "license": "MIT",
   "engines": {

diff --git a/packages/kontinuous/package.json b/packages/kontinuous/package.json
@@ -1,6 +1,6 @@
 {
   "name": "kontinuous",
-  "version": "1.161.5",
+  "version": "1.161.9",
   "repository": "https://github.com/socialgouv/kontinuous.git",
   "homepage": "https://socialgouv.github.io/kontinuous/",
   "license": "MIT",

diff --git a/packages/kontinuous/tests/__snapshots__/deactivate.dev.yaml b/packages/kontinuous/tests/__snapshots__/deactivate.dev.yaml
@@ -56,7 +56,7 @@ spec:
       restartPolicy: Never
       initContainers:
         - name: degit-action
-          image: ghcr.io/socialgouv/kontinuous/degit:v1.161.5
+          image: ghcr.io/socialgouv/kontinuous/degit:v1.161.9
           command:
             - sh
             - -c

diff --git a/packages/kontinuous/tests/__snapshots__/extends-ovh.dev.yaml b/packages/kontinuous/tests/__snapshots__/extends-ovh.dev.yaml
@@ -135,7 +135,7 @@ spec:
       restartPolicy: Never
       initContainers:
         - name: degit-action
-          image: ghcr.io/socialgouv/kontinuous/degit:v1.161.5
+          image: ghcr.io/socialgouv/kontinuous/degit:v1.161.9
           command:
             - sh
             - -c
@@ -284,7 +284,7 @@ spec:
       restartPolicy: Never
       initContainers:
         - name: degit-action
-          image: ghcr.io/socialgouv/kontinuous/degit:v1.161.5
+          image: ghcr.io/socialgouv/kontinuous/degit:v1.161.9
           command:
             - sh
             - -c

diff --git a/packages/kontinuous/tests/__snapshots__/extends-ovh.prod.yaml b/packages/kontinuous/tests/__snapshots__/extends-ovh.prod.yaml
@@ -133,7 +133,7 @@ spec:
       restartPolicy: Never
       initContainers:
         - name: degit-action
-          image: ghcr.io/socialgouv/kontinuous/degit:v1.161.5
+          image: ghcr.io/socialgouv/kontinuous/degit:v1.161.9
           command:
             - sh
             - -c
@@ -282,7 +282,7 @@ spec:
       restartPolicy: Never
       initContainers:
         - name: degit-action
-          image: ghcr.io/socialgouv/kontinuous/degit:v1.161.5
+          image: ghcr.io/socialgouv/kontinuous/degit:v1.161.9
           command:
             - sh
             - -c

diff --git a/packages/kontinuous/tests/__snapshots__/include-file.dev.yaml b/packages/kontinuous/tests/__snapshots__/include-file.dev.yaml
@@ -134,7 +134,7 @@ spec:
       restartPolicy: Never
       initContainers:
         - name: degit-repository
-          image: ghcr.io/socialgouv/kontinuous/degit:v1.161.5
+          image: ghcr.io/socialgouv/kontinuous/degit:v1.161.9
           imagePullPolicy: IfNotPresent
           command:
             - sh

diff --git a/packages/kontinuous/tests/__snapshots__/ingress-annotations.prod.yaml b/packages/kontinuous/tests/__snapshots__/ingress-annotations.prod.yaml
@@ -105,11 +105,14 @@ data:
   MB_ANON_TRACKING_ENABLED: \\"false\\"
   MB_APPLICATION_LOGO_URL: https://socialgouv.github.io/support/_media/marianne.jpeg
   MB_EMAIL_FROM_ADDRESS: [email protected]
+  MB_EMAIL_FROM_NAME: Fabrique numérique des ministères sociaux
   MB_ENABLE_EMBEDDING: \\"true\\"
   MB_ENABLE_PUBLIC_SHARING: \\"true\\"
   MB_SITE_LOCALE: fr
-  MB_SITE_NAME: Fabrique des ministères sociaux
+  MB_START_OF_WEEK: monday
+  MB_SITE_NAME: Fabrique numérique des ministères sociaux
   MB_SITE_URL: https://metabase-test-ingress-annotations.fabrique.social.gouv.fr
+  MB_PASSWORD_COMPLEXITY: strong
 ---
 apiVersion: apps/v1
 kind: Deployment
@@ -167,7 +170,7 @@ spec:
         fsGroup: 1000
         runAsNonRoot: true
       containers:
-        - image: metabase/metabase:v0.46.6.1
+        - image: metabase/metabase:v0.46.6.4
           name: metabase
           securityContext:
             allowPrivilegeEscalation: false