Tta 87 create secrets management for time tracker v 2 and time tracker UI (#901)

* Innecesary env files deleted

* New changes to env files

* Add 1 git-crypt collaborator

New collaborators:

	F295BDD1 Marco Aguirre <[email protected]>

* Add 1 git-crypt collaborator

New collaborators:

	1CC2872D Rodolfo Diaz <[email protected]>

* Add 2 git-crypt collaborators

New collaborators:

	1CC2872D Rodolfo Diaz <[email protected]>
	F295BDD1 Marco Aguirre <[email protected]>

* New keys and env variables added

* env files added & modified

* Make run now uses .dev.env

* Pipeline modified

* is the .env needed?

* using encrypted .stage.env

* load secrets

* adding env variables

* scopes cannot be empty

* use env

* using env var

* using env file

* adding mask

* using docker buildkit

* only on tags

* using buildkit directly

* using dash source

* docker buildkit

* missing folders added

* nginx fix

* fixing secrets

* problem with double qoutes

* fixing quotes in .stage.env

* fixing secrets

* loading to env

* quotes fixed

* replacing \r

* fixing trailing \n

* one line expose

* fixing endpoint url

* removing unnecessary jobs

* update creds

* adding with space at the end of the file

Co-authored-by: Marco Aguirre <[email protected]>
Co-authored-by: Marco Aguirre <[email protected]>

Author: 3 people

.dev.env

@@ -6,3 +6,6 @@ Makefile
 .gitignore
 *keys.ts
 *.keys.json
+.git-crypt
+.git
+Dockerfile

.dockerignore

@@ -15,6 +15,7 @@ jobs:
         ARM_CLIENT_SECRET: ${{secrets.TF_ARM_CLIENT_SECRET}}
         ARM_SUBSCRIPTION_ID: ${{secrets.TF_ARM_SUBSCRIPTION_ID}}
         ARM_TENANT_ID: ${{secrets.TF_ARM_TENANT_ID}}
+        
     steps:
     - name: Checkout
       uses: actions/checkout@v3
@@ -29,16 +30,15 @@ jobs:
       with:
         creds: ${{ secrets.AZURE_CREDENTIALS }}
 
+    - name: Unlock STAGE secrets
+      uses: sliteteam/[email protected]
+      env:
+        GIT_CRYPT_KEY: ${{ secrets.GIT_CRYPT_KEY_STAGE }}
+      
     - name: Build the docker image
       run: |-
         docker build \
-          --target production  -t timetracker_ui \
-          --build-arg API_URL="${{secrets.API_URL_STAGE}}" \
-          --build-arg AUTHORITY="${{secrets.AUTHORITY}}" \
-          --build-arg CLIENT_ID="${{secrets.CLIENT_ID_STAGE}}" \
-          --build-arg CLIENT_URL="${{ secrets.CLIENT_URL_STAGE}}" \
-          --build-arg SCOPES="${{secrets.SCOPES}}" \
-          --build-arg AZURE_APP_CONFIGURATION_CONNECTION_STRING="${{secrets.AZURE_APP_CONFIGURATION_CONNECTION_STRING}}" \
+          --target production -t timetracker_ui \
           .
 
     - name: Publish docker image to stage azure container registry

.github/workflows/time-tracker-ui-cd-stage.yml

@@ -14,7 +14,6 @@ jobs:
     runs-on: ubuntu-latest
     env:
         WORKING_DIR: infrastructure/
-        DB_CONNECTION:  ${{ secrets.DB_CONNECTION }}
         ARM_CLIENT_ID: ${{secrets.TF_ARM_CLIENT_ID}}
         ARM_CLIENT_SECRET: ${{secrets.TF_ARM_CLIENT_SECRET}}
         ARM_SUBSCRIPTION_ID: ${{secrets.TF_ARM_SUBSCRIPTION_ID}}
@@ -30,20 +29,6 @@ jobs:
       with:
         ssh-private-key: ${{ secrets.INFRA_TERRAFORM_MODULES_SSH_PRIV_KEY }}
 
-    - name: Inject Secrets
-      env:
-        AUTHORITY: ${{ secrets.AUTHORITY }}
-        API_URL: ${{ secrets.STAGE_API_URL}}
-        SCOPES: ${{ secrets.SCOPES }}
-        CLIENT_ID: ${{ secrets.STAGE_CLIENT_ID }}
-        CLIENT_URL: ${{ secrets.STAGE_CLIENT_URL }}
-        STACK_EXCHANGE_ID: ${{ secrets.STAGE_STACK_EXCHANGE_ID }}
-        STACK_EXCHANGE_ACCESS_TOKEN: ${{ secrets.STAGE_STACK_EXCHANGE_ACCESS_TOKEN }}
-        AZURE_APP_CONFIGURATION_CONNECTION_STRING: ${{ secrets.AZURE_APP_CONFIGURATION_CONNECTION_STRING }}
-      run: |
-        chmod +x ./scripts/populate-keys.sh
-        sh ./scripts/populate-keys.sh
-
     - name: build docker
       run: make build
 
@@ -81,7 +66,8 @@ jobs:
 
     - name: Terraform Plan Prod
       id: plan-prod
-      run: terraform plan -var-file=${{ env.TF_WORKSPACE }}.tfvars -var image_tag=latest -no-color
+      # run: terraform plan -var-file=${{ env.TF_WORKSPACE }}.tfvars -var image_tag=latest -no-color
+      run: echo "Disabled for now up to restructure infra tiers"
       continue-on-error: true
       working-directory: ./${{ env.WORKING_DIR }}
       env:

.github/workflows/time-tracker-ui-ci.yml

@@ -35,12 +35,10 @@ RUN useradd -ms /bin/bash ${USERNAME}
 
 WORKDIR ${HOME}/time-tracker-ui
 COPY . .
-RUN rm -f .env
 RUN chown ${USERNAME}:${USERNAME} -R ${HOME}/time-tracker-ui
 RUN chmod -R 777 ${HOME}/time-tracker-ui
 
 USER ${USERNAME}
-COPY .env .
 EXPOSE 4200
 EXPOSE 9876
 RUN npm cache clean --force && npm install

.prod.env

@@ -1,47 +1,22 @@
-FROM node:14 AS building
-
-ENV USERNAME timetracker
-ENV HOME /home/${USERNAME}
-RUN useradd -ms /bin/bash ${USERNAME}
-WORKDIR ${HOME}/time-tracker-ui
-COPY . .
-RUN chown ${USERNAME}:${USERNAME} -R ${HOME}/time-tracker-ui
-RUN chmod -R 777 ${HOME}/time-tracker-ui
-
-USER ${USERNAME}
+FROM node:14-alpine AS building
+WORKDIR /app
+# ENV USERNAME timetracker
+# ENV HOME /home/${USERNAME}
+# RUN useradd -ms /bin/bash ${USERNAME}
+# WORKDIR ${HOME}/time-tracker-ui
+COPY . /app
+# RUN chown ${USERNAME}:${USERNAME} -R ${HOME}/time-tracker-ui
+# RUN chmod -R 777 ${HOME}/time-tracker-ui
+# USER ${USERNAME}
 RUN npm cache clean --force && npm install
-EXPOSE 4200
-EXPOSE 9876
-ARG API_URL
-ARG AUTHORITY
-ARG CLIENT_ID
-ARG CLIENT_URL
-ARG SCOPES
-ARG AZURE_APP_CONFIGURATION_CONNECTION_STRING
-
-RUN API_URL=${API_URL} \
-    AUTHORITY=${AUTHORITY} \
-    CLIENT_ID=${CLIENT_ID} \
-    CLIENT_URL=${CLIENT_URL} \
-    SCOPES=${SCOPES} \
-    AZURE_APP_CONFIGURATION_CONNECTION_STRING=${AZURE_APP_CONFIGURATION_CONNECTION_STRING}
-
-RUN npm run build
-
+EXPOSE 4200 9876
+RUN source .stage.env && npm run build
+# >> scrt && 
+#
 
 FROM nginx:1.21 AS production
-
-ENV USERNAME app
-RUN useradd -ms /bin/bash ${USERNAME}
-
 COPY nginx.conf /etc/nginx/conf.d/default.conf
-COPY --from=building /home/timetracker/time-tracker-ui/dist/time-tracker /usr/share/nginx/html
-COPY .env /usr/share/nginx/html
-RUN chown -R ${USERNAME}:${USERNAME} /var/cache/nginx && \
-    chown -R ${USERNAME}:${USERNAME} /var/log/nginx && \
-    chown -R ${USERNAME}:${USERNAME} /etc/nginx/conf.d
-RUN touch /var/run/nginx.pid && chown -R ${USERNAME}:${USERNAME} /var/run/nginx.pid
-
+COPY --from=building /app/dist/time-tracker /usr/share/nginx/html
 # FIXME: Actually if we can deploy to azure in port 80 we need a root user
 # Maybe we can refactor this dockerfile to use root user directly this is not a good approach y
 # security terms. It's a good practice to have rootless in containers so for this

.stage.env

@@ -3,7 +3,6 @@
 > .env
 echo "API_URL='$API_URL'" >> .env
 echo "AUTHORITY='$AUTHORITY'" >> .env
-echo "API_URL='$API_URL'" >> .env
 echo "CLIENT_ID='$CLIENT_ID'" >> .env
 echo "CLIENT_URL='$CLIENT_URL'" >> .env
 echo "SCOPES='$SCOPES'" >> .env

Docker/Dockerfile.test

@@ -42,7 +42,7 @@ describe('ActivityManagement Selectors', () => {
         description: 'Some description'
       },
     ];
-  
+
     const activitiesOrdered = [
       {
         id: '002',