♻️(dev) refacto tilt stack

To be able to move the repository on the new organization and to
facilitate external developer integration we need to create a standalone
dev stack and use external secret.

Makefile

@@ -361,3 +361,37 @@ tilt-up: ## start tilt - k8s local development
 release:  ## helper for release and deployment
 	python scripts/release.py
 .PHONY: release
+
+install-secret: ## install the kubernetes secrets from Vaultwarden
+	if kubectl -n desk get secrets bitwarden-cli-desk; then \
+		echo "Secret already present"; \
+	else \
+		echo "Please provide the following information:"; \
+		read -p "Enter your vaultwarden email login: " LOGIN; \
+		read -p "Enter your vaultwarden password: " PASSWORD; \
+		read -p "Enter your vaultwarden server url: " URL; \
+		echo "\nCreate vaultwarden secret"; \
+		echo "apiVersion: v1" > /tmp/secret.yaml; \
+		echo "kind: Secret" >> /tmp/secret.yaml; \
+		echo "metadata:" >> /tmp/secret.yaml; \
+		echo "  name: bitwarden-cli-desk" >> /tmp/secret.yaml; \
+		echo "  namespace: desk" >> /tmp/secret.yaml; \
+		echo "type: Opaque" >> /tmp/secret.yaml; \
+		echo "stringData:" >> /tmp/secret.yaml; \
+		echo "  BW_HOST: $$URL" >> /tmp/secret.yaml; \
+		echo "  BW_PASSWORD: $$PASSWORD" >> /tmp/secret.yaml; \
+		echo "  BW_USERNAME: $$LOGIN" >> /tmp/secret.yaml; \
+		kubectl -n desk apply -f /tmp/secret.yaml;\
+		rm -f /tmp/secret.yaml; \
+	fi; \
+	if kubectl get ns external-secrets; then \
+		echo "External secret already deployed"; \
+	else \
+		helm repo add external-secrets https://charts.external-secrets.io; \
+		helm upgrade --install external-secrets \
+      external-secrets/external-secrets \
+       -n external-secrets \
+       --create-namespace \
+       --set installCRDs=true; \
+	fi
+.PHONY: build-k8s-cluster

bin/Tiltfile

@@ -29,7 +29,7 @@ docker_build(
     ]
 )
 
-k8s_yaml(local('cd ../src/helm && helmfile -n desk -e dev template .'))
+k8s_yaml(local('cd ../src/helm && helmfile -n desk -e ${DEV_ENV:-dev} template .'))
 
 migration = '''
 set -eu

bin/start-kind.sh

@@ -1,102 +1,3 @@
-#!/bin/sh
-set -o errexit
+#!/usr/bin/env bash
 
-CURRENT_DIR=$(pwd)
-
-# 0. Create ca
-echo "0. Create ca"
-mkcert -install
-cd /tmp
-mkcert "127.0.0.1.nip.io" "*.127.0.0.1.nip.io"
-cd $CURRENT_DIR
-
-# 1. Create registry container unless it already exists
-echo "1. Create registry container unless it already exists"
-reg_name='kind-registry'
-reg_port='5001'
-if [ "$(docker inspect -f '{{.State.Running}}' "${reg_name}" 2>/dev/null || true)" != 'true' ]; then
-	docker run \
-		-d --restart=always -p "127.0.0.1:${reg_port}:5000" --network bridge --name "${reg_name}" \
-		registry:2
-fi
-
-# 2. Create kind cluster with containerd registry config dir enabled
-echo "2. Create kind cluster with containerd registry config dir enabled"
-# TODO: kind will eventually enable this by default and this patch will
-# be unnecessary.
-#
-# See:
-# https://github.com/kubernetes-sigs/kind/issues/2875
-# https://github.com/containerd/containerd/blob/main/docs/cri/config.md#registry-configuration
-# See: https://github.com/containerd/containerd/blob/main/docs/hosts.md
-cat <<EOF | kind create cluster --config=-
-kind: Cluster
-apiVersion: kind.x-k8s.io/v1alpha4
-containerdConfigPatches:
-- |-
-  [plugins."io.containerd.grpc.v1.cri".registry]
-    config_path = "/etc/containerd/certs.d"
-nodes:
-- role: control-plane
-  image: kindest/node:v1.27.3
-  kubeadmConfigPatches:
-  - |
-    kind: InitConfiguration
-    nodeRegistration:
-      kubeletExtraArgs:
-        node-labels: "ingress-ready=true"
-  extraPortMappings:
-  - containerPort: 80
-    hostPort: 80
-    protocol: TCP
-  - containerPort: 443
-    hostPort: 443
-    protocol: TCP
-- role: worker
-  image: kindest/node:v1.27.3
-- role: worker
-  image: kindest/node:v1.27.3
-EOF
-
-# 3. Add the registry config to the nodes
-echo "3. Add the registry config to the nodes"
-#
-# This is necessary because localhost resolves to loopback addresses that are
-# network-namespace local.
-# In other words: localhost in the container is not localhost on the host.
-#
-# We want a consistent name that works from both ends, so we tell containerd to
-# alias localhost:${reg_port} to the registry container when pulling images
-REGISTRY_DIR="/etc/containerd/certs.d/localhost:${reg_port}"
-for node in $(kind get nodes); do
-	docker exec "${node}" mkdir -p "${REGISTRY_DIR}"
-	cat <<EOF | docker exec -i "${node}" cp /dev/stdin "${REGISTRY_DIR}/hosts.toml"
-[host."http://${reg_name}:5000"]
-EOF
-done
-
-# 4. Connect the registry to the cluster network if not already connected
-echo "4. Connect the registry to the cluster network if not already connected"
-# This allows kind to bootstrap the network but ensures they're on the same network
-if [ "$(docker inspect -f='{{json .NetworkSettings.Networks.kind}}' "${reg_name}")" = 'null' ]; then
-	docker network connect "kind" "${reg_name}"
-fi
-
-# 5. Document the local registry
-echo "5. Document the local registry"
-# https://github.com/kubernetes/enhancements/tree/master/keps/sig-cluster-lifecycle/generic/1755-communicating-a-local-registry
-cat <<EOF | kubectl apply -f -
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: local-registry-hosting
-  namespace: kube-public
-data:
-  localRegistryHosting.v1: |
-    host: "localhost:${reg_port}"
-    help: "https://kind.sigs.k8s.io/docs/user/local-registry/"
-EOF
-
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/kind/deploy.yaml
-kubectl -n ingress-nginx create secret tls mkcert --key /tmp/127.0.0.1.nip.io+1-key.pem --cert /tmp/127.0.0.1.nip.io+1.pem
-kubectl -n ingress-nginx patch deployments.apps ingress-nginx-controller --type 'json' -p '[{"op": "add", "path": "/spec/template/spec/containers/0/args/-", "value":"--default-ssl-certificate=ingress-nginx/mkcert"}]'
+curl https://raw.githubusercontent.com/numerique-gouv/tools/refs/heads/main/kind/create_cluster.sh | bash -s -- desk

docs/local_development_kube.md

@@ -92,7 +92,11 @@ make start-kind
 ### Deploy the application
 
 ```bash
-tilt up -f ./bin/Tiltfile
+# Pro Connect environment
+tilt up -f ./bin/Tiltfile 
+
+# Standalone environment with keycloak
+DEV_ENV=dev-keycloak tilt up -f ./bin/Tiltfile
 ```
 
 **or** run the equivalent using the makefile

scripts/install-pre-commit-hook.sh

@@ -1,10 +1,10 @@
-#!/bin/bash
+#!/usr/bin/env bash
 
 mkdir -p "$(dirname -- "${BASH_SOURCE[0]}")/../.git/hooks/"
 PRE_COMMIT_FILE="$(dirname -- "${BASH_SOURCE[0]}")/../.git/hooks/pre-commit"
 
 cat <<'EOF' >$PRE_COMMIT_FILE
-#!/bin/bash
+#!/usr/bin/env bash
 
 # directories containing potential secrets
 DIRS="."