Merge branch 'dotenv-vault-migration' into v2.1.0

e85e6edb · michael.minelli · d4a85553 · 584118d1 · e85e6edb · e85e6edb
Commit e85e6edb authored 1 year ago by michael.minelli
--- a/.gitignore
+++ b/.gitignore
-.env
-
 aws.xml
 workspace.xml

@@ -184,11 +182,10 @@ web_modules/
 .yarn-integrity

 # dotenv environment variable files
-.env
-.env.development.local
-.env.test.local
-.env.production.local
-.env.local
+.env*
+.flaskenv*
+!.env.project
+!.env.vault

 # parcel-bundler cache (https://parceljs.org/)
 .cache

--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -57,9 +57,19 @@ variables:
        - !reference [ .init_dind_script, script ]
        - mkdir -p $ARTIFACTS_FOLDER

-        # Download secure files
-        - curl --silent "https://gitlab.com/gitlab-org/incubation-engineering/mobile-devops/download-secure-files/-/raw/main/installer" | sh
-        - mv .secure_files/env_$VERSION $PROJECT_FOLDER/.env
+        # Decrypt env vars for production
+        - apk add npm sed
+        - cd $PROJECT_FOLDER
+        - sed -i -r "s/\{\{VERSION\}\}/${VERSION}/g" src/app.ts
+        - |
+            if [ $CI_COMMIT_REF_PROTECTED == "true" ]; then
+                echo "Decrypt production env vars"
+                sed -i -r "s/(DOTENV_KEY[ ]*:[ ]*[\'\"\`])[^'\"\`]*([\'\"\`])([ ]*\,)?//g" src/app.ts
+                sed -i -r "s/,[\ \n]*\}/\}/g" src/app.ts
+                npx dotenv-vault local decrypt "${DOTENV_PROD_KEY}" > .env
+               
+            fi
+        - cd ..

        # Need to build for each platform separately because of multi-stage builds (docker buildx don't use cache same way as docker build)
        - >
@@ -114,7 +124,7 @@ test:build:
    script:
        - !reference [ .build_script, script ]
    rules:
-        - if: '$CI_COMMIT_TAG =~ "/^$/" && $CI_COMMIT_BRANCH != $CI_DEFAULT_BRANCH && $CI_COMMIT_BRANCH !~ /^v[0-9]+(\.[0-9]+)*$/'
+        - if: '$CI_COMMIT_TAG =~ "/^$/" && $CI_COMMIT_REF_PROTECTED != "true"'


 build:version:
@@ -131,7 +141,7 @@ build:version:
        # Here docker buildx can use cached images created in previous step
        - docker buildx build --platform $DOCKER_PLATFORMS --file $DOCKERFILE --push --tag $CONTAINER_IMAGE .
    rules:
-        - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH =~ /^v[0-9]+(\.[0-9]+)*$/'
+        - if: '$CI_COMMIT_REF_PROTECTED == "true"'


 clean:release:
@@ -143,7 +153,7 @@ clean:release:
        - !reference [.get_version, script]
        - !reference [.clean_release, script]
    rules:
-        - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH =~ /^v[0-9]+(\.[0-9]+)*$/'
+        - if: '$CI_COMMIT_REF_PROTECTED == "true"'


 clean:packages:
@@ -155,7 +165,7 @@ clean:packages:
        - !reference [.get_version, script]
        - !reference [.clean_packages, script]
    rules:
-        - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH =~ /^v[0-9]+(\.[0-9]+)*$/'
+        - if: '$CI_COMMIT_REF_PROTECTED == "true"'


 clean:dev:release:
@@ -225,13 +235,14 @@ upload:packages:wiki:
        - !reference [.get_packages_url, script]

        # Create archive
+        - mkdir -p $ARTIFACTS_FOLDER
        - WIKI_ARCHIVE_PATH="${ARTIFACTS_FOLDER}/${WIKI_ARCHIVE_NAME}"
        - tar -v -c -C "${CI_PROJECT_DIR}/${WIKI_FOLDER}" -J -f "${WIKI_ARCHIVE_PATH}" . # Ubuntu: tar --verbose --create --cd wiki-test-2 --xz --file file.tar.bz2

        # Send package
        - 'curl --header "JOB-TOKEN: $CI_JOB_TOKEN" --upload-file ${WIKI_ARCHIVE_PATH} "${PACKAGE_URL_WIKI}";'
    rules:
-        - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH =~ /^v[0-9]+(\.[0-9]+)*$/'
+        - if: '$CI_COMMIT_REF_PROTECTED == "true"'


 release:dockerhub:latest:
@@ -335,4 +346,4 @@ release:gitlab:
              --header "JOB-TOKEN: $CI_JOB_TOKEN" \
              --request POST "${GITLAB_API_PROJECT_URL}/releases"
    rules:
-        - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH =~ /^v[0-9]+(\.[0-9]+)*$/'
\ No newline at end of file
+        - if: '$CI_COMMIT_REF_PROTECTED == "true"'
\ No newline at end of file
--- a/ExerciseChecker/.env.vault
+++ b/ExerciseChecker/.env.vault
+#/-------------------.env.vault---------------------/
+#/         cloud-agnostic vaulting standard         /
+#/   [how it works](https://dotenv.org/env-vault)   /
+#/--------------------------------------------------/
+
+# development
+DOTENV_VAULT_DEVELOPMENT="Ir7CPeMh8qd9jAgmy8RaSTlY3OA4Kw6xHB+j7AJjfM07H2koRKpOUP5Fsa+XBYp1rjTCl5p2063/H3ed2VmhUwIHxa+CUwHOagy+kKLYHBVzEdSrE6EK96+ihyGwjkrFRdRRWar74TxaCsxoNpLUz0HtK1fbJZMFUhgJOklBcw8BdH6mrq3RI8+tkSx5nOTJTGo0OhilsAZTeAbOdcZQNIcIfbZVMLD1X3YocqitLyAURzfyEegp3XOHfpOr+45/Be4HaakylijLggn73sS/fDr/yo2IRHTz7il/Y8IO3kUMJnSXoqQM1EPzqiYEtIFsDW2aVjLnbDdM2BxlNe+Cv50yglPINfkOMJ3ZBsELjkDBI9N5wLW9qyoF5zxaw4jfnGTPuVsM1FhozEGTBg64GtJ82WI0ftDjt06E1jkMB9hWbYS5pKBWHq/w2A+TfatZjn9QmgEuiO5Q8RW6srojTsuuMjJwVC9YCzjzvxC0YJulfMCBYuPW1cVagp6CkA5soo7iaEfJmt++GhWkYGBMq9EeezTl5GEarpUBYdLYlwfICsgP1E+9lF5dud+zWnrGzBVeePBmcVO86C/SZici/3HkORY68NoqbswV5AXJyACFT6Qf+z3k8CLkrCvfti6xvAAf4ivorbnihB0RX4znE4e70qCU2w3QjS+cwuHuC8sEp4SpqxR+kP2+ktfA5pw08yoFg4zrSTwuvJN8OnLyryo0VODCWA1V6Bom/imtCLn2nRuYQhO0AYiAtvyWOTbeduQ7rixeYc98j80sVHU7PY4hFbF7NVnWUY+nhzJ3rbK1y9q7iLLkpivsRmeosIIhVtoSR+Lur/hYZ2ReFyA6OHofxdcIqKiphG4HLZl9lCq6a+UlRAOqN98XABGmJ1KhCTsFxTTuGahMU1r556O/4NJFnubPU1DH80n71AB4HdD2qCxs4Tm4fDVs3cDv7fak"
+
+# production
+DOTENV_VAULT_PRODUCTION="NEaGKlOKDlL652EG43Iid/7P4ybOxkmc3t+6xgKS11Kevzs7zocA8cjJqfkjBAFdMu1oZbiLO+dzXgqEVHmu+66Qr8CDMufQsNXgpO6viLUx/FlDpeY1IYJVma/W1GwEP+5AW2BhrT7MJnBidzx5wHomjy+CAYlMoV3c4Q/obJQcomq65jn5KSgaiFcyLqitbUESJhxAS5adRXvtkdbqaXR5yCRtXF2OS50HW544/9qf9e9hqwELHrd1fYOJqYuE/zbZV3ZGgwgK7Ui0tv8MU4uN6LzpTTZVWdK4cdMuQTtX23rTWg9J9WcAj5M8jpo309VFPPxN3SfzoQHVb9+RlL+XEH92EwRFFevtKdE07Wz5ZbUbtiKAqkqaKiusjSALasoT+mW5LFWjFdFCDJKof98w00kR7c6PoTDBw50Zh5/z+UPn4uXT8ZOKV7ooxGQLATrBP+4k7pyBx2bYCo/o0tbgSJ4uTv+Wo2eVwUXrptxwmp6Tow50NAdcvKJCQmDe43e6PMsyX+9GO6CbRywvS/2aLffXRly+txqkr0B9/suMwuQwyEv8LOVR9Q2z3MC6leQ3VAaGxNGLKEdtJFgn+31JnciGy6HQABDZ6Agc/Tux4PBOOWy0yq0mGQztIk/0dj+WMro="
+
--- a/ExerciseChecker/.gitignore
+++ b/ExerciseChecker/.gitignore
+
+.env*
+.flaskenv*
+!.env.project
+!.env.vault
\ No newline at end of file
--- a/ExerciseChecker/package-lock.json
+++ b/ExerciseChecker/package-lock.json
--- a/ExerciseChecker/package.json
+++ b/ExerciseChecker/package.json
@@ -42,6 +42,7 @@
        "@types/js-yaml"    : "^4.0.5",
        "@types/node"       : "^18.17.1",
        "@types/tar-stream" : "^2.2.2",
+        "dotenv-vault"      : "^1.25.0",
        "pkg"               : "^5.8.1",
        "tiny-typed-emitter": "^2.1.0",
        "ts-node"           : "^10.9.1",

--- a/ExerciseChecker/src/app.ts
+++ b/ExerciseChecker/src/app.ts
 // Read from the .env file
 // ATTENTION : This lines MUST be the first of this file (except for the path import)
 const path = require('node:path');
-require('dotenv').config({ path: path.join(__dirname, '../.env') });
+require('dotenv').config({
+                             path      : path.join(__dirname, '../.env'),
+                             DOTENV_KEY: 'dotenv://:key_bebfddf18e3dd9a0bafafe0e383313f75add1da6fbe41ea5fde51f37ef1776aa@dotenv.local/vault/.env.vault?environment=development'
+                         });
 require('./shared/helpers/TypeScriptExtensions'); // ATTENTION : This line MUST be the second of this file

 import ClientsSharedConfig         from './sharedByClients/config/ClientsSharedConfig';
@@ -28,7 +31,7 @@ import ClientsSharedExerciseHelper from './sharedByClients/helpers/Dojo/ClientsS

    HttpManager.registerAxiosInterceptor();

-    console.log(Styles.APP_NAME(Config.appName));
+    console.log(Styles.APP_NAME(`${ Config.appName } (version {{VERSION}})`));

    let exerciseAssignment: ExerciseAssignment | undefined;
    let exerciseDockerCompose: ExerciseDockerCompose;