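apiVersion: v1
kind: Secret
metadata:
  name: afterwork-secrets
  namespace: applications
  labels:
    app: afterwork-api
    component: secrets
    environment: production
    project: lions-infrastructure-2025
type: Opaque
# Every value below is a placeholder to be filled at deploy time. The preferred
# source of truth is Vault: the ExternalSecret in this file syncs the same keys
# into the Secret `afterwork-secrets-vault`. Credentials that were previously
# committed here in clear text (DB, JWT signing key, admin account) must be
# treated as exposed and rotated wherever they were accepted.
stringData:
  # ============================================================================
  # PostgreSQL DATABASE
  # ============================================================================
  # Uses the Lions-infrastructure PostgreSQL:
  # postgresql-service.postgresql.svc.cluster.local:5432
  DB_PASSWORD: "CHANGEZ_MOI_DB_PASSWORD"

  # ============================================================================
  # JWT / SECURITY
  # ============================================================================
  # JWT signing secret (at least 32 random characters).
  # Generate with: openssl rand -base64 32
  JWT_SECRET: "CHANGEZ_MOI_JWT_SECRET"

  # ============================================================================
  # INITIAL ADMINISTRATOR ACCOUNT
  # ============================================================================
  ADMIN_EMAIL: "admin@afterwork.ci"
  ADMIN_PASSWORD: "CHANGEZ_MOI_ADMIN_PASSWORD"

  # ============================================================================
  # EMAIL SERVICE (SMTP)
  # ============================================================================
  # Gmail or any other SMTP provider
  MAILER_USERNAME: "noreply@afterwork.ci"
  MAILER_PASSWORD: "CHANGEZ_MOI_SMTP_PASSWORD"

  # ============================================================================
  # WAVE PAYMENT (payment integration)
  # ============================================================================
  WAVE_API_KEY: "CHANGEZ_MOI_WAVE_API_KEY"
  WAVE_SECRET: "CHANGEZ_MOI_WAVE_SECRET"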
---
# ==============================================================================
# CONFIGMAP FOR NON-SENSITIVE CONFIGURATION
# ==============================================================================
# Only values that may be read by anyone with `get configmap` rights belong
# here; credentials live in the Secret / Vault-synced Secret of this file.
apiVersion: v1
kind: ConfigMap
metadata:
  name: afterwork-config
  namespace: applications
  labels:
    app: afterwork-api
    component: configuration
    environment: production
    project: lions-infrastructure-2025
data:
  # ============================================================================
  # DATABASE - Lions PostgreSQL
  # ============================================================================
  DB_HOST: "postgresql-service.postgresql.svc.cluster.local"
  DB_PORT: "5432"
  DB_NAME: "mic-after-work-server-impl-quarkus-main"
  DB_USERNAME: "lionsuser"

  # ============================================================================
  # QUARKUS
  # ============================================================================
  QUARKUS_PROFILE: "prod"
  QUARKUS_LOG_LEVEL: "INFO"
  QUARKUS_LOG_CONSOLE_JSON: "true"

  # ============================================================================
  # JWT
  # ============================================================================
  # Token lifespan, presumably in seconds (86400 = 24 h) — confirm against the
  # API's JWT configuration. The issuer must match what the API verifies.
  JWT_LIFESPAN: "86400"
  JWT_ISSUER: "afterwork-api"

  # ============================================================================
  # KAFKA - Lions Infrastructure
  # ============================================================================
  # Uses the Kafka deployed in the `kafka` namespace.
  # NOTE(review): no TLS/SASL client settings appear in this ConfigMap — confirm
  # the broker listener on 9092 is the intended one for production traffic.
  KAFKA_BOOTSTRAP_SERVERS: "kafka-service.kafka.svc.cluster.local:9092"

  # ============================================================================
  # EMAIL (SMTP)
  # ============================================================================
  MAILER_HOST: "smtp.gmail.com"
  MAILER_PORT: "587"
  MAILER_FROM: "AfterWork <noreply@afterwork.ci>"
  MAILER_START_TLS: "REQUIRED"
  # In production set to false. true = mock (no real sending).
  # NOTE(review): this ConfigMap is labelled environment: production yet still
  # ships the mock value; no e-mail leaves the cluster until it is "false".
  MAILER_MOCK: "true"

  # ============================================================================
  # RATE LIMITING
  # ============================================================================
  # 10 requests per 60-second window; how the window is keyed (client, user,
  # route) is decided by the API, not here.
  AFTERWORK_RATELIMIT_MAX_REQUESTS: "10"
  AFTERWORK_RATELIMIT_WINDOW_SECONDS: "60"

  # ============================================================================
  # WAVE PAYMENT
  # ============================================================================
  WAVE_BASE_URL: "https://api.wave.com"
  WAVE_CURRENCY: "XOF"
  # Public webhook endpoint. Inbound callbacks are presumably verified with
  # WAVE_SECRET from the Secret — confirm that check exists in the API.
  WAVE_CALLBACK_URL: "https://api.lions.dev/afterwork/webhooks/wave"

  # ============================================================================
  # OBSERVABILITY - Lions Prometheus/Grafana
  # ============================================================================
  # Prometheus scrapes via annotations on the pod
  # Grafana available at https://grafana.lions.dev

  # ============================================================================
  # KEYCLOAK / SSO (optional)
  # ============================================================================
  # OIDC_AUTH_SERVER_URL: "https://security.lions.dev/realms/lions"
  # OIDC_CLIENT_ID: "afterwork-api"
---
# ==============================================================================
# EXTERNAL SECRET - Vault integration (ACTIVE)
# ==============================================================================
# Vault is unsealed at https://vault.lions.dev
# Secrets are synchronised from Vault into Kubernetes automatically.
#
# PREREQUISITE: create the secrets in Vault, e.g. (placeholders only — this
# file is tracked in VCS, so real values are set on the Vault side):
#   vault kv put lions/afterwork \
#     db_password="<db-password>" \
#     jwt_secret="<jwt-secret>" \
#     admin_password="<admin-password>" \
#     mailer_password="<smtp-password>" \
#     wave_api_key="<wave-api-key>" \
#     wave_secret="<wave-secret>"
#
# NOTE(review): the CLI path `lions/afterwork` and the remoteRef key
# `lions/data/afterwork` below only refer to the same entry on a KV v2 mount;
# confirm the ClusterSecretStore `vault-backend` is configured for KV v2.
# NOTE(review): the synced Secret is `afterwork-secrets-vault`, while the
# hand-written Secret above is `afterwork-secrets`; the Deployment (not in
# this file) decides which one is actually consumed.
# NOTE(review): unlike the Secret and ConfigMap, no `environment` label here.
#
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: afterwork-vault-secrets
  namespace: applications
  labels:
    app: afterwork-api
    component: external-secrets
    project: lions-infrastructure-2025
spec:
  # Vault is re-read every hour, so a rotated value reaches the Secret within
  # that window at the latest.
  refreshInterval: "1h"
  secretStoreRef:
    name: vault-backend
    kind: ClusterSecretStore
  target:
    # Secret created in this namespace; with creationPolicy Owner it is owned by
    # (and garbage-collected with) this ExternalSecret.
    name: afterwork-secrets-vault
    creationPolicy: Owner
  data:
    # Each entry copies one property of the Vault KV entry into a Secret key,
    # using the same key names as the hand-written Secret above.
    - secretKey: DB_PASSWORD
      remoteRef:
        key: lions/data/afterwork
        property: db_password
    - secretKey: JWT_SECRET
      remoteRef:
        key: lions/data/afterwork
        property: jwt_secret
    - secretKey: ADMIN_PASSWORD
      remoteRef:
        key: lions/data/afterwork
        property: admin_password
    - secretKey: MAILER_PASSWORD
      remoteRef:
        key: lions/data/afterwork
        property: mailer_password
    - secretKey: WAVE_API_KEY
      remoteRef:
        key: lions/data/afterwork
        property: wave_api_key
    - secretKey: WAVE_SECRET
      remoteRef:
        key: lions/data/afterwork
        property: wave_secret