feat: show case kube and helm config

Author: JeromeBu

README.md

@@ -21,10 +21,10 @@ Documentation is available [here](https://codegouvfr.github.io/catalogi/)
 
 This monorepo is made of several directories:
 
-- `api/`: Application API (also includes jobs, that can be run periodically)
-- `web/`: Web frontend
-- `docs/`: Documentation, as deployed [here](https://codegouvfr.github.io/catalogi/)
-- `deploy-examples/`: Deployment examples. For now only a Docker Compose example.
+- api: Application API (also includes jobs, that can be run periodically)
+- web: Web frontend
+- docs: Documentation, as deployed [here](https://codegouvfr.github.io/catalogi/)
+- deploy-examples: Examples of deployment, including [Docker Compose](deploy-examples/docker-compose) and [Kubernetes with Helm](docs/5-deploying-with-kubernetes.md).
 
 ## Governance and contributions
 

deployment-examples/helm/ingress-api.yaml

@@ -0,0 +1,32 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: catalogi-api
+  namespace: catalogi
+  annotations:
+    nginx.ingress.kubernetes.io/rewrite-target: /$2
+    nginx.ingress.kubernetes.io/enable-modsecurity: "false"
+    nginx.ingress.kubernetes.io/enable-owasp-core-rules: "false"
+spec:
+  ingressClassName: nginx
+  rules:
+    - host: catalogi.127.0.0.1.nip.io
+      http:
+        paths:
+          - path: /api(/|$)(.*)
+            pathType: ImplementationSpecific
+            backend:
+              service:
+                name: catalogi-api
+                port:
+                  number: 3000
+    - host: localhost
+      http:
+        paths:
+          - path: /api(/|$)(.*)
+            pathType: ImplementationSpecific
+            backend:
+              service:
+                name: catalogi-api
+                port:
+                  number: 3000

deployment-examples/helm/ingress-web.yaml

@@ -0,0 +1,31 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: catalogi-web
+  namespace: catalogi
+  annotations:
+    nginx.ingress.kubernetes.io/enable-modsecurity: "false"
+    nginx.ingress.kubernetes.io/enable-owasp-core-rules: "false"
+spec:
+  ingressClassName: nginx
+  rules:
+    - host: catalogi.127.0.0.1.nip.io
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: catalogi-web
+                port:
+                  number: 80
+    - host: localhost
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: catalogi-web
+                port:
+                  number: 80

deployment-examples/helm/values-local-dev.yaml

@@ -0,0 +1,77 @@
+api:
+  image:
+    tag: "latest"
+    pullPolicy: IfNotPresent
+  env:
+    OIDC_ISSUER_URI: "https://auth.code.gouv.fr/auth/realms/codegouv"
+    OIDC_CLIENT_ID: "sill"
+
+update:
+  image:
+    tag: "latest"
+    pullPolicy: IfNotPresent
+
+ingress:
+  enabled: false
+
+database:
+  password: "change-this-in-production"
+
+postgresql:
+  enabled: true
+  auth:
+    postgresPassword: "postgres"
+    username: "catalogi_user"
+    password: "change-this-in-production"
+    database: "catalogi_db"
+
+# Web container configuration
+web:
+  replicaCount: 1
+  image:
+    repository: codegouvfr/catalogi-web
+    tag: "latest"
+    pullPolicy: IfNotPresent
+  customNginxConfig: |
+    server {
+        listen 8080;
+        
+        gzip on; 
+        gzip_vary on; 
+        gzip_min_length 1024; 
+        gzip_proxied expired no-cache no-store private auth; 
+        gzip_types text/plain text/css text/xml text/javascript application/x-javascript application/javascript application/xml; 
+        gzip_disable "MSIE [1-6]\.";
+
+        # Add comprehensive CSP for Vite dynamic imports  
+        add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; connect-src 'self' https://auth.code.gouv.fr; frame-src 'self' https://auth.code.gouv.fr; object-src 'none';" always;
+
+        root /usr/share/nginx/html;
+        index index.html;      
+
+        # Static assets with caching
+        location ~* \.(js|css|woff2?|eot|ttf|xml|md)$ {
+          try_files $uri =404;
+          expires 1y;
+          access_log off;
+          add_header Cache-Control "public";
+        }
+
+        # Images and other assets  
+        location ~* \.(png|jpg|jpeg|gif|ico|svg)$ {
+          try_files $uri =404;
+          expires 1y;
+          add_header Cache-Control "public";
+        }
+
+        # HTML, JSON, TXT files
+        location ~* \.(html|json|txt)$ {
+          try_files $uri =404;
+          expires -1;
+        }
+
+        # SPA fallback for everything else (routes)
+        location / {
+          try_files $uri $uri/ /index.html;
+        }
+    }

deployment-examples/helm/values-temp.yaml

@@ -0,0 +1,98 @@
+# Temporary local development configuration for testing
+web:
+  image:
+    tag: "latest"
+    pullPolicy: IfNotPresent
+api:
+  image:
+    tag: "latest"
+    pullPolicy: IfNotPresent
+  env:
+    OIDC_ISSUER_URI: "https://auth.code.gouv.fr/auth/realms/codegouv"
+    OIDC_CLIENT_ID: "sill"
+update:
+  image:
+    tag: "latest"
+    pullPolicy: IfNotPresent
+
+ingress:
+  enabled: true
+  className: "nginx"
+  annotations:
+    nginx.ingress.kubernetes.io/rewrite-target: /$1
+    nginx.ingress.kubernetes.io/enable-modsecurity: "false"
+    nginx.ingress.kubernetes.io/enable-owasp-core-rules: "false"
+  hosts:
+    - host: catalogi-test.local
+      paths:
+        - path: /
+          pathType: Prefix
+          service:
+            name: web
+            port: 80
+        - path: /api/(.*)
+          pathType: ImplementationSpecific
+          service:
+            name: api
+            port: 3000
+
+database:
+  password: "change-this-in-production"
+
+postgresql:
+  enabled: true
+  auth:
+    postgresPassword: "postgres"
+    password: "catalogi123"
+
+customization:
+  enabled: false
+
+# Custom nginx configuration for web container
+web:
+  replicaCount: 1
+  image:
+    repository: codegouvfr/catalogi-web
+    tag: "latest"
+    pullPolicy: IfNotPresent
+  customNginxConfig: |
+    server {
+        listen 8080;
+        
+        gzip on; 
+        gzip_vary on; 
+        gzip_min_length 1024; 
+        gzip_proxied expired no-cache no-store private auth; 
+        gzip_types text/plain text/css text/xml text/javascript application/x-javascript application/javascript application/xml; 
+        gzip_disable "MSIE [1-6]\.";
+
+        add_header Content-Security-Policy "script-src 'self' 'unsafe-eval' 'unsafe-inline'; object-src 'none'; base-uri 'self';" always;
+
+        root /usr/share/nginx/html;
+        index index.html;      
+
+        try_files $uri $uri/ /index.html;
+
+        location ~ ^.+\..+$ {
+          try_files $uri =404;
+
+          location ~* \.(?:html|json|txt)$ {
+            expires -1;
+          }
+
+          location ~* \.(?:css|js|woff2?|eot|ttf|xml|md)$ {
+            expires 1y;
+            access_log off;
+            add_header Cache-Control "public";
+
+            location ~* \.(?:woff2?|eot|ttf|xml|md)$ {
+              add_header Access-Control-Allow-Origin *;
+            }
+          }
+        }
+    }
+
+# Override OIDC settings for local development
+oidc:
+  issuerUri: "https://auth.code.gouv.fr/auth/realms/codegouv"
+  clientId: "sill"