fix: Strapi on S3 (#201)

* deploy

* feat: add s3 plugin config

* feat: add s3 secret reference in kontinuous

* fix: strapi env

* fix: add s3 plugin

* Revert "fix: add s3 plugin"

This reverts commit 789fd45.

* fix: install s3 plugin in strapi dir

* fix: s3 config

* fix: cleaning

* remove initContainer

* fix: CSP

* runtime env

* default

* new seed

* wip

* wip

* wip

* deactivate

* fix: deactivate

* fix: move deactivate

* fix: kontinuous config

* fix: api secrets

* fix: secret refs

---------

Co-authored-by: Gary van Woerkens <[email protected]>

.kontinuous/env/dev/values.yaml

@@ -1,35 +1,29 @@
 api:
-  ~preDeploy.cleaner:
-    match:
-      kind: Deployment
-    value: true
-  volumes:
-    - name: public
-  volumeMounts:
-    - mountPath: /app/public
-      name: public
+  vars:
+    ENV: review
+  envFrom:
+    - secretRef:
+        name: pg-app
+    - secretRef:
+        name: api
+    - secretRef:
+        name: ozensemble-dev-app-access-key
 
-  # Strapi wants to move the entire uploads dir to a backup when you import data
-  # so public cannot be a volume, it must be its parent
-  # see https://github.com/strapi/strapi/issues/17809
   initContainers:
-    - name: import-and-prepare
-      image:
-        "{{ .Values.global.registry }}/{{ .Values.global.projectName }}/{{
+    - name: import
+      image: "{{ .Values.global.registry }}/{{ .Values.global.projectName }}/{{
         .Values.global.imageRepository }}/api:{{ .Values.global.imageTag }}"
       command: ["/bin/sh", "-c"]
       args:
         - |
-          yarn strapi import --force -f seed-data.tar.gz && \
-          cp -r public/. /mnt/public
-      volumeMounts:
-        - name: public
-          mountPath: /mnt/public
+          yarn strapi import --force -f seed-data.tar.gz
       envFrom:
         - secretRef:
             name: pg-app
         - secretRef:
             name: api
+        - secretRef:
+            name: ozensemble-dev-app-access-key
       env:
         - name: DATABASE_HOST
           value: "$(PGHOST)"
@@ -47,3 +41,46 @@ api:
           value: "1337"
         - name: DATABASE_CLIENT
           value: postgres
+        - name: ENV
+          value: review
+        - name: BRANCH_NAME
+          value: "{{ .Values.global.branchSlug }}"
+
+deactivate:
+  jobs-deactivate:
+    runs:
+      cleanup-bucket:
+        image: bitnami/rclone:latest
+        run: |
+          rclone purge remote:${BUCKET_NAME}/{{ .Values.global.branchSlug }}
+        checkout: false
+        env:
+          - name: RCLONE_CONFIG_REMOTE_TYPE
+            value: s3
+          - name: RCLONE_CONFIG_REMOTE_PROVIDER
+            value: Other
+          - name: RCLONE_CONFIG_REMOTE_ACCESS_KEY_ID
+            valueFrom:
+              secretKeyRef:
+                name: ozensemble-dev-app-access-key
+                key: bucket_access_key
+          - name: RCLONE_CONFIG_REMOTE_SECRET_ACCESS_KEY
+            valueFrom:
+              secretKeyRef:
+                name: ozensemble-dev-app-access-key
+                key: bucket_secret_key
+          - name: RCLONE_CONFIG_REMOTE_REGION
+            valueFrom:
+              secretKeyRef:
+                name: ozensemble-dev-app-access-key
+                key: bucket_region
+          - name: RCLONE_CONFIG_REMOTE_ENDPOINT
+            valueFrom:
+              secretKeyRef:
+                name: ozensemble-dev-app-access-key
+                key: bucket_endpoint
+          - name: BUCKET_NAME
+            valueFrom:
+              secretKeyRef:
+                name: ozensemble-dev-app-access-key
+                key: bucket_name

.kontinuous/env/preprod/values.yaml

@@ -1,6 +1,15 @@
 api:
+  vars:
+    ENV: preprod
   addVolumes:
     - uploads
   volumeMounts:
     - mountPath: /app/public/uploads
       name: uploads
+  envFrom:
+    - secretRef:
+        name: pg-app
+    - secretRef:
+        name: api
+    - secretRef:
+        name: ozensemble-dev-app-access-key

.kontinuous/env/prod/values.yaml

@@ -1,4 +1,6 @@
 api:
+  vars:
+    ENV: prod
   addVolumes:
     - uploads
   volumeMounts:
@@ -11,6 +13,13 @@ api:
     limits:
       cpu: "300m"
       memory: "1Gi"
+  envFrom:
+    - secretRef:
+        name: pg-app
+    - secretRef:
+        name: api
+    - secretRef:
+        name: ozensemble-prod-app-access-key
 
 next-app:
   host: ozensemble.fabrique.social.gouv.fr

.kontinuous/values.yaml

@@ -16,11 +16,7 @@ api:
   imagePackage: api
   probesPath: /_health
   containerPort: "1337"
-  envFrom:
-    - secretRef:
-        name: pg-app
-    - secretRef:
-        name: api
+
   vars:
     DATABASE_HOST: "$(PGHOST)"
     DATABASE_PORT: "$(PGPORT)"
@@ -30,6 +26,7 @@ api:
     HOST: "0.0.0.0"
     PORT: "1337"
     DATABASE_CLIENT: postgres
+    BRANCH_NAME: "{{ .Values.global.branchSlug }}"
   replicas: 1 # mandatory because volume is RWO
   strategyType: Recreate # idem
   securityContext:

api/config/middlewares.js

@@ -1,12 +1,43 @@
-module.exports = [
-  'strapi::logger',
-  'strapi::errors',
-  'strapi::security',
-  'strapi::cors',
-  'strapi::poweredBy',
-  'strapi::query',
-  'strapi::body',
-  'strapi::session',
-  'strapi::favicon',
-  'strapi::public',
-];
+module.exports = ({ env }) => [
+  "strapi::logger",
+  "strapi::errors",
+  {
+    name: "strapi::security",
+    config: {
+      contentSecurityPolicy: {
+        useDefaults: true,
+        directives: {
+          "connect-src": ["'self'", "https:"],
+          "img-src": [
+            "'self'",
+            "data:",
+            "blob:",
+            "market-assets.strapi.io",
+            `${env("bucket_name")}.${
+              new URL(env("bucket_endpoint", "https://fabrique.social.gouv.fr"))
+                .hostname
+            }`,
+          ],
+          "media-src": [
+            "'self'",
+            "data:",
+            "blob:",
+            "market-assets.strapi.io",
+            `${env("bucket_name")}.${
+              new URL(env("bucket_endpoint", "https://fabrique.social.gouv.fr"))
+                .hostname
+            }`,
+          ],
+          upgradeInsecureRequests: null,
+        },
+      },
+    },
+  },
+  "strapi::cors",
+  "strapi::poweredBy",
+  "strapi::query",
+  "strapi::body",
+  "strapi::session",
+  "strapi::favicon",
+  "strapi::public",
+]

api/config/plugins.js

@@ -1,14 +1,40 @@
-module.exports = () => ({
-    'sitemap': {
-        enabled: true,
-        config: {
-          cron: '0 0 0 * * *',
-          limit: 45000,
-          xsl: true,
-          autoGenerate: false,
-          caching: true,
-          allowedFields: ['id', 'uid'],
-          excludedTypes: [],
+module.exports = ({ env }) => ({
+  sitemap: {
+    enabled: true,
+    config: {
+      cron: "0 0 0 * * *",
+      limit: 45000,
+      xsl: true,
+      autoGenerate: false,
+      caching: true,
+      allowedFields: ["id", "uid"],
+      excludedTypes: [],
+    },
+  },
+  upload: {
+    config: {
+      provider: "aws-s3",
+      providerOptions: {
+        rootPath: env("ENV") === "prod" ? "" : env("BRANCH_NAME"),
+        s3Options: {
+          region: env("bucket_region"),
+          endpoint: env("bucket_endpoint"),
+          credentials: {
+            accessKeyId: env("bucket_access_key"),
+            secretAccessKey: env("bucket_secret_key"),
+          },
+          params: {
+            ACL: "public-read",
+            signedUrlExpires: 15 * 60,
+            Bucket: env("bucket_name"),
+          },
         },
       },
-});
+      actionOptions: {
+        upload: {},
+        uploadStream: {},
+        delete: {},
+      },
+    },
+  },
+})

api/package.json

@@ -15,6 +15,7 @@
     "@strapi/plugin-cloud": "4.24.0",
     "@strapi/plugin-i18n": "4.24.0",
     "@strapi/plugin-users-permissions": "4.24.0",
+    "@strapi/provider-upload-aws-s3": "^5.4.0",
     "@strapi/strapi": "4.24.0",
     "better-sqlite3": "8.6.0",
     "pg": "^8.12.0",