Compare commits

...

4 Commits

Author SHA1 Message Date
Anthony LC ab2028c624 📸(helm) production-example
We add a "production-example" environment to the
helm chart. We have the "dev" environment already,
but this one can be mistaken for a production,
so we add a "production-example" to make it clear.
"dev" is for development, it is used by our Tilt
stack.
2024-12-24 10:58:05 +01:00
Julien Bouquillon 33d1f3c151 ️(y-provider) reduce sentry tracesSampleRate
Reduce `tracesSampleRate` due to +120k daily events.
2024-12-20 09:52:43 +01:00
Julien Bouquillon fc4eba2497 ️(frontend) reduce sentry tracesSampleRate
Reduce `tracesSampleRate` due to +120k daily events.
2024-12-20 09:52:43 +01:00
Dominik Kaminski 3e5f27c1d5 🔧(helm) add option to disable default tls setting
Sets an option for those who uses impress
with a different secretName in ingress.
2024-12-19 15:16:16 +01:00
10 changed files with 252 additions and 20 deletions
+5
View File
@@ -9,6 +9,11 @@ and this project adheres to
## [Unreleased]
## Added
🔧(helm) add option to disable default tls setting by @dominikkaminski #519
📸(helm) production-example #529
## [1.10.0] - 2024-12-17
@@ -25,7 +25,7 @@ export const useSentryStore = create<SentryState>((set, get) => ({
release: packageJson.version,
replaysSessionSampleRate: 0.1,
replaysOnErrorSampleRate: 1.0,
tracesSampleRate: 1.0,
tracesSampleRate: 0.1,
}),
});
},
@@ -6,6 +6,6 @@ import { SENTRY_DSN } from '../env';
Sentry.init({
dsn: SENTRY_DSN,
integrations: [nodeProfilingIntegration()],
tracesSampleRate: 1.0,
tracesSampleRate: 0.1,
profilesSampleRate: 1.0,
});
@@ -0,0 +1,220 @@
image:
repository: lasuite/impress-backend
pullPolicy: Always
tag: "v1.10.0"
backend:
migrateJobAnnotations:
argocd.argoproj.io/hook: PostSync
argocd.argoproj.io/hook-delete-policy: HookSucceeded
envVars:
AI_API_KEY:
secretKeyRef:
name: backend
key: AI_API_KEY
AI_BASE_URL: https://albert.api.etalab.gouv.fr/v1/
AI_MODEL: meta-llama/Meta-Llama-3.1-70B-Instruct
COLLABORATION_API_URL: https://docs.numerique.gouv.fr/collaboration/api/
COLLABORATION_SERVER_SECRET:
secretKeyRef:
name: backend
key: COLLABORATION_SERVER_SECRET
DJANGO_CSRF_TRUSTED_ORIGINS: https://docs.numerique.gouv.fr
DJANGO_CONFIGURATION: Production
DJANGO_ALLOWED_HOSTS: docs.numerique.gouv.fr
DJANGO_SECRET_KEY:
secretKeyRef:
name: backend
key: DJANGO_SECRET_KEY
DJANGO_SERVER_TO_SERVER_API_TOKENS:
secretKeyRef:
name: backend
key: DJANGO_SERVER_TO_SERVER_API_TOKENS
DJANGO_SETTINGS_MODULE: impress.settings
DJANGO_SUPERUSER_EMAIL:
secretKeyRef:
name: backend
key: DJANGO_SUPERUSER_EMAIL
DJANGO_SUPERUSER_PASSWORD:
secretKeyRef:
name: backend
key: DJANGO_SUPERUSER_PASSWORD
DJANGO_EMAIL_BRAND_NAME: "La Suite Numérique"
DJANGO_EMAIL_HOST: "smtp.tem.scw.cloud"
DJANGO_EMAIL_LOGO_IMG: https://docs.numerique.gouv.fr/assets/logo-suite-numerique.png
DJANGO_EMAIL_PORT: 587
DJANGO_EMAIL_USE_TLS: True
DJANGO_EMAIL_FROM: "noreply@docs.beta.numerique.gouv.fr"
DJANGO_EMAIL_HOST_USER:
secretKeyRef:
name: backend
key: DJANGO_EMAIL_HOST_USER
DJANGO_EMAIL_HOST_PASSWORD:
secretKeyRef:
name: backend
key: DJANGO_EMAIL_HOST_PASSWORD
DJANGO_SILENCED_SYSTEM_CHECKS: security.W008,security.W004
OIDC_OP_JWKS_ENDPOINT: https://auth.agentconnect.gouv.fr/api/v2/jwks
OIDC_OP_AUTHORIZATION_ENDPOINT: https://auth.agentconnect.gouv.fr/api/v2/authorize
OIDC_OP_TOKEN_ENDPOINT: https://auth.agentconnect.gouv.fr/api/v2/token
OIDC_OP_USER_ENDPOINT: https://auth.agentconnect.gouv.fr/api/v2/userinfo
OIDC_OP_LOGOUT_ENDPOINT: https://auth.agentconnect.gouv.fr/api/v2/session/end
OIDC_RP_CLIENT_ID:
secretKeyRef:
name: backend
key: OIDC_RP_CLIENT_ID
OIDC_RP_CLIENT_SECRET:
secretKeyRef:
name: backend
key: OIDC_RP_CLIENT_SECRET
OIDC_RP_SIGN_ALGO: RS256
OIDC_RP_SCOPES: "openid email given_name usual_name"
USER_OIDC_FIELD_TO_SHORTNAME: "given_name"
USER_OIDC_FIELDS_TO_FULLNAME: "given_name,usual_name"
OIDC_REDIRECT_ALLOWED_HOSTS: https://docs.numerique.gouv.fr
OIDC_AUTH_REQUEST_EXTRA_PARAMS: "{'acr_values': 'eidas1'}"
LOGIN_REDIRECT_URL: https://docs.numerique.gouv.fr
LOGIN_REDIRECT_URL_FAILURE: https://docs.numerique.gouv.fr
LOGOUT_REDIRECT_URL: https://docs.numerique.gouv.fr
DB_HOST:
secretKeyRef:
name: postgresql.postgres.libre.sh
key: host
DB_NAME:
secretKeyRef:
name: postgresql.postgres.libre.sh
key: database
DB_USER:
secretKeyRef:
name: postgresql.postgres.libre.sh
key: username
DB_PASSWORD:
secretKeyRef:
name: postgresql.postgres.libre.sh
key: password
DB_PORT:
secretKeyRef:
name: postgresql.postgres.libre.sh
key: port
POSTGRES_USER:
secretKeyRef:
name: postgresql.postgres.libre.sh
key: username
POSTGRES_DB:
secretKeyRef:
name: postgresql.postgres.libre.sh
key: database
POSTGRES_PASSWORD:
secretKeyRef:
name: postgresql.postgres.libre.sh
key: password
REDIS_URL:
secretKeyRef:
name: redis.redis.libre.sh
key: url
AWS_S3_ENDPOINT_URL:
secretKeyRef:
name: impress-media-storage.bucket.libre.sh
key: url
AWS_S3_ACCESS_KEY_ID:
secretKeyRef:
name: impress-media-storage.bucket.libre.sh
key: accessKey
AWS_S3_SECRET_ACCESS_KEY:
secretKeyRef:
name: impress-media-storage.bucket.libre.sh
key: secretKey
AWS_STORAGE_BUCKET_NAME:
secretKeyRef:
name: impress-media-storage.bucket.libre.sh
key: bucket
AWS_S3_REGION_NAME: local
STORAGES_STATICFILES_BACKEND: django.contrib.staticfiles.storage.StaticFilesStorage
Y_PROVIDER_API_BASE_URL: http://impress-y-provider:443/api/
Y_PROVIDER_API_KEY:
secretKeyRef:
name: backend
key: Y_PROVIDER_API_KEY
createsuperuser:
command:
- "/bin/sh"
- "-c"
- |
python manage.py createsuperuser --email $DJANGO_SUPERUSER_EMAIL --password $DJANGO_SUPERUSER_PASSWORD
restartPolicy: Never
frontend:
image:
repository: lasuite/impress-frontend
pullPolicy: Always
tag: "v1.10.0"
yProvider:
image:
repository: lasuite/impress-y-provider
pullPolicy: Always
tag: "v1.10.0"
envVars:
COLLABORATION_LOGGING: true
COLLABORATION_SERVER_ORIGIN: https://docs.numerique.gouv.fr
COLLABORATION_SERVER_SECRET:
secretKeyRef:
name: backend
key: COLLABORATION_SERVER_SECRET
Y_PROVIDER_API_KEY:
secretKeyRef:
name: backend
key: Y_PROVIDER_API_KEY
ingress:
enabled: true
host: docs.numerique.gouv.fr
className: nginx
annotations:
cert-manager.io/cluster-issuer: letsencrypt
ingressCollaborationWS:
enabled: true
host: docs.numerique.gouv.fr
className: nginx
annotations:
cert-manager.io/cluster-issuer: letsencrypt
nginx.ingress.kubernetes.io/auth-url: https://docs.numerique.gouv.fr/api/v1.0/documents/collaboration-auth/
ingressCollaborationApi:
enabled: true
host: docs.numerique.gouv.fr
className: nginx
annotations:
cert-manager.io/cluster-issuer: letsencrypt
ingressAdmin:
enabled: true
host: docs.numerique.gouv.fr
className: nginx
annotations:
cert-manager.io/cluster-issuer: letsencrypt
nginx.ingress.kubernetes.io/auth-signin: https://oauth2-proxy.beta.numerique.gouv.fr/oauth2/start
nginx.ingress.kubernetes.io/auth-url: https://oauth2-proxy.beta.numerique.gouv.fr/oauth2/auth
ingressMedia:
enabled: true
host: docs.numerique.gouv.fr
annotations:
cert-manager.io/cluster-issuer: letsencrypt
nginx.ingress.kubernetes.io/auth-response-headers: "Authorization, X-Amz-Date, X-Amz-Content-SHA256"
nginx.ingress.kubernetes.io/auth-url: https://docs.numerique.gouv.fr/api/v1.0/documents/media-auth/
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
nginx.ingress.kubernetes.io/rewrite-target: /impress-impress-media-storage/$1
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/upstream-vhost: s3.hedy-lamarr.indiehosters.net
serviceMedia:
host: s3.hedy-lamarr.indiehosters.net
port: 443
+1 -2
View File
@@ -29,7 +29,7 @@ spec:
{{- if .Values.ingress.tls.enabled }}
tls:
{{- if .Values.ingress.host }}
- secretName: {{ $fullName }}-tls
- secretName: {{ .Values.ingress.tls.secretName | default (printf "%s-tls" $fullName) | quote }}
hosts:
- {{ .Values.ingress.host | quote }}
{{- end }}
@@ -115,4 +115,3 @@ spec:
{{- end }}
{{- end }}
{{- end }}
@@ -29,7 +29,7 @@ spec:
{{- if .Values.ingressAdmin.tls.enabled }}
tls:
{{- if .Values.ingressAdmin.host }}
- secretName: {{ $fullName }}-tls
- secretName: {{ .Values.ingressAdmin.tls.secretName | default (printf "%s-tls" $fullName) | quote }}
hosts:
- {{ .Values.ingressAdmin.host | quote }}
{{- end }}
@@ -95,4 +95,3 @@ spec:
{{- end }}
{{- end }}
{{- end }}
@@ -29,7 +29,7 @@ spec:
{{- if .Values.ingressCollaborationApi.tls.enabled }}
tls:
{{- if .Values.ingressCollaborationApi.host }}
- secretName: {{ $fullName }}-tls
- secretName: {{ .Values.ingressCollaborationApi.tls.secretName | default (printf "%s-tls" $fullName) | quote }}
hosts:
- {{ .Values.ingressCollaborationApi.host | quote }}
{{- end }}
@@ -69,4 +69,3 @@ spec:
{{- end }}
{{- end }}
{{- end }}
@@ -29,7 +29,7 @@ spec:
{{- if .Values.ingressCollaborationWS.tls.enabled }}
tls:
{{- if .Values.ingressCollaborationWS.host }}
- secretName: {{ $fullName }}-tls
- secretName: {{ .Values.ingressCollaborationWS.tls.secretName | default (printf "%s-tls" $fullName) | quote }}
hosts:
- {{ .Values.ingressCollaborationWS.host | quote }}
{{- end }}
@@ -69,4 +69,3 @@ spec:
{{- end }}
{{- end }}
{{- end }}
@@ -29,7 +29,7 @@ spec:
{{- if .Values.ingressMedia.tls.enabled }}
tls:
{{- if .Values.ingressMedia.host }}
- secretName: {{ $fullName }}-tls
- secretName: {{ .Values.ingressMedia.tls.secretName | default (printf "%s-tls" $fullName) | quote }}
hosts:
- {{ .Values.ingressMedia.host | quote }}
{{- end }}
+20 -9
View File
@@ -37,12 +37,14 @@ ingress:
## @param ingress.hosts Additional host to configure for the Ingress
hosts: []
# - chart-example.local
## @param ingress.tls.enabled Wether to enable TLS for the Ingress
## @param ingress.tls.enabled Weather to enable TLS for the Ingress
## @param ingress.tls.secretName Secret name for TLS config
## @skip ingress.tls.additional
## @extra ingress.tls.additional[].secretName Secret name for additional TLS config
## @extra ingress.tls.additional[].hosts[] Hosts for additional TLS config
tls:
enabled: true
secretName: null
additional: []
## @param ingress.customBackends Add custom backends to ingress
@@ -60,21 +62,23 @@ ingressCollaborationWS:
## @param ingress.hosts Additional host to configure for the Ingress
hosts: []
# - chart-example.local
## @param ingressCollaborationWS.tls.enabled Wether to enable TLS for the Ingress
## @param ingressCollaborationWS.tls.enabled Weather to enable TLS for the Ingress
## @param ingressCollaborationWS.tls.secretName Secret name for TLS config
## @skip ingressCollaborationWS.tls.additional
## @extra ingressCollaborationWS.tls.additional[].secretName Secret name for additional TLS config
## @extra ingressCollaborationWS.tls.additional[].hosts[] Hosts for additional TLS config
tls:
enabled: true
secretName: null
additional: []
## @param ingressCollaborationWS.customBackends Add custom backends to ingress
customBackends: []
annotations:
annotations:
nginx.ingress.kubernetes.io/auth-response-headers: "Authorization, X-Can-Edit, X-User-Id"
nginx.ingress.kubernetes.io/auth-url: https://impress.example.com/api/v1.0/documents/collaboration-auth/
nginx.ingress.kubernetes.io/enable-websocket: "true"
nginx.ingress.kubernetes.io/enable-websocket: "true"
nginx.ingress.kubernetes.io/proxy-read-timeout: "86400"
nginx.ingress.kubernetes.io/proxy-send-timeout: "86400"
nginx.ingress.kubernetes.io/upstream-hash-by: $arg_room
@@ -91,20 +95,23 @@ ingressCollaborationApi:
## @param ingress.hosts Additional host to configure for the Ingress
hosts: []
# - chart-example.local
## @param ingressCollaborationApi.tls.enabled Wether to enable TLS for the Ingress
## @param ingressCollaborationApi.tls.enabled Weather to enable TLS for the Ingress
## @param ingressCollaborationApi.tls.secretName Secret name for TLS config
## @skip ingressCollaborationApi.tls.additional
## @extra ingressCollaborationApi.tls.additional[].secretName Secret name for additional TLS config
## @extra ingressCollaborationApi.tls.additional[].hosts[] Hosts for additional TLS config
tls:
enabled: true
secretName: null
additional: []
## @param ingressCollaborationApi.customBackends Add custom backends to ingress
customBackends: []
annotations:
annotations:
nginx.ingress.kubernetes.io/upstream-hash-by: $arg_room
## @param ingressAdmin.enabled whether to enable the Ingress or not
## @param ingressAdmin.className IngressClass to use for the Ingress
## @param ingressAdmin.host Host for the Ingress
@@ -117,12 +124,14 @@ ingressAdmin:
## @param ingressAdmin.hosts Additional host to configure for the Ingress
hosts: [ ]
# - chart-example.local
## @param ingressAdmin.tls.enabled Wether to enable TLS for the Ingress
## @param ingressAdmin.tls.enabled Weather to enable TLS for the Ingress
## @param ingressAdmin.tls.secretName Secret name for TLS config
## @skip ingressAdmin.tls.additional
## @extra ingressAdmin.tls.additional[].secretName Secret name for additional TLS config
## @extra ingressAdmin.tls.additional[].hosts[] Hosts for additional TLS config
tls:
enabled: true
secretName: null
additional: []
## @param ingressMedia.enabled whether to enable the Ingress or not
@@ -137,12 +146,14 @@ ingressMedia:
## @param ingressMedia.hosts Additional host to configure for the Ingress
hosts: [ ]
# - chart-example.local
## @param ingressMedia.tls.enabled Wether to enable TLS for the Ingress
## @param ingressMedia.tls.enabled Weather to enable TLS for the Ingress
## @param ingressMedia.tls.secretName Secret name for TLS config
## @skip ingressMedia.tls.additional
## @extra ingressMedia.tls.additional[].secretName Secret name for additional TLS config
## @extra ingressMedia.tls.additional[].hosts[] Hosts for additional TLS config
tls:
enabled: true
secretName: null
additional: []
annotations:
@@ -442,4 +453,4 @@ yProvider:
extraVolumeMounts: []
## @param yProvider.extraVolumes Additional volumes to mount on the yProvider.
extraVolumes: []
extraVolumes: []