From 9de8160d21ad18bcb08305f1638f20b341dc5820 Mon Sep 17 00:00:00 2001
From: Quentin Duchemin <quentinduchemin@tuta.io>
Date: Mon, 1 Jun 2020 22:28:50 +0200
Subject: [PATCH] [PicaMetrics] Build with CI, manage conf and secrets with Git
---
pica-metrics-bot/CHANGELOG.md | 10 +++++
pica-metrics-bot/Dockerfile | 19 ++++++++
pica-metrics-bot/README.md | 21 +++++++++
pica-metrics-bot/clair-whitelist.yml | 1 +
pica-metrics-bot/config.json | 28 ++++++++++++
pica-metrics-bot/docker-compose.yml | 43 +++++++++++++++++++
pica-metrics-bot/entrypoint.sh | 36 ++++++++++++++++
pica-metrics-bot/picasoft-metrics-bot | 2 +-
.../secrets/account.secrets.example | 4 ++
.../secrets/influxdb.secrets.example | 7 +++
10 files changed, 170 insertions(+), 1 deletion(-)
create mode 100644 pica-metrics-bot/CHANGELOG.md
create mode 100644 pica-metrics-bot/Dockerfile
create mode 100644 pica-metrics-bot/README.md
create mode 100644 pica-metrics-bot/clair-whitelist.yml
create mode 100644 pica-metrics-bot/config.json
create mode 100644 pica-metrics-bot/docker-compose.yml
create mode 100644 pica-metrics-bot/entrypoint.sh
create mode 100644 pica-metrics-bot/secrets/account.secrets.example
create mode 100644 pica-metrics-bot/secrets/influxdb.secrets.example
diff --git a/pica-metrics-bot/CHANGELOG.md b/pica-metrics-bot/CHANGELOG.md
new file mode 100644
index 00000000..c32470f3
--- /dev/null
+++ b/pica-metrics-bot/CHANGELOG.md
@@ -0,0 +1,10 @@
+# Version 1.0.1
+
+* Mise à jour avec le code permettant de récupérer le nombre d'utilisateurs actifs.
+* Injection des secrets via un entrypoint personnalisé.
+* Passage d'InfluxDB en volume Docker.
+* Isolation réseau du bot (pas besoin d'être contacté de l'extérieur)
+
+# Version 1.0.0
+
+Version initiale.
diff --git a/pica-metrics-bot/Dockerfile b/pica-metrics-bot/Dockerfile
new file mode 100644
index 00000000..9ab271e2
--- /dev/null
+++ b/pica-metrics-bot/Dockerfile
@@ -0,0 +1,19 @@
+FROM python:3.8-alpine
+
+LABEL maintainer quentinduchemin@tuta.io
+
+# Copy all code
+COPY picasoft-metrics-bot /code
+
+# Custom Picasoft entrypoint
+COPY entrypoint.sh /entrypoint.sh
+RUN chmod +x /entrypoint.sh
+
+WORKDIR /code
+
+# Install dependencies
+RUN pip3 install -r requirements.txt
+
+VOLUME /code/config/config.json
+
+ENTRYPOINT [ "/entrypoint.sh" ]
diff --git a/pica-metrics-bot/README.md b/pica-metrics-bot/README.md
new file mode 100644
index 00000000..b17626f5
--- /dev/null
+++ b/pica-metrics-bot/README.md
@@ -0,0 +1,21 @@
+# Métriques des services Picasoft
+
+Dans ce dossier se trouvent les éléments de configuration permettant de faire fonctionner [Picasoft Metrics Bot](https://gitlab.utc.fr/picasoft/projets/picasoft-metrics-bot).
+
+C'est un projet indépendant ajouté en submodule dans le dossier [picasoft-metrics-bot](./picasoft-metrics-bot), car il est léger et car cela facilite la construction du Dockerfile.
+
+Par rapport au projet original :
+* La configuration en production est versionnée ici, et un Docker Compose adapté est proposé
+* Un [entrypoint](./entrypoint.sh) modifié permet d'injecter des secrets sous forme de variables d'environnement
+* La construction de l'image est gérée par la chaîne d'intégration et permet d'analyser la sécurité de l'image
+* Ajout d'InfluxDB directement adossé à Picasoft Metrics Bot, dans un seul Docker Compose!
+
+## Premier lancement
+
+Copier les fichiers `.secrets.example` en `.secrets` et remplacez les valeurs.
+
+L'utilisateur InfluxDB qui doit être utilisé dans Picasoft Metrics Bot est celui avec les droits d'écriture (mais pas d'administrateur). Dans le fichier d'exemple, c'est `picasoft-write`.
+
+## Mise à jour
+
+Le projet Picasoft Metrics Bot n'a pas de numéro de version : pour reconstruire l'image avec les dernières modifications, il suffira de changer le tag dans le fichier Docker Compose et de lancer manuellement la construction au niveau du Pipeline du commit.
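Review bot: The image never switches away from root, so both the shell entrypoint and `main.py` run as uid 0 inside the container; a non-root user should be created after `pip3 install` and before `ENTRYPOINT`, e.g. `RUN adduser -D -H -u 10001 bot && chown -R bot:bot /code` followed by `USER bot` (the chown is needed because entrypoint.sh in this commit rewrites `/code/config/config.json` in place). `RUN pip3 install -r requirements.txt` leaves pip's download cache in the layer; `RUN pip3 install --no-cache-dir -r requirements.txt` keeps it out of the shipped image. `VOLUME /code/config/config.json` declares an anonymous volume on a file path rather than a directory, which is unusual and likely to fail at container start; since docker-compose.yml in this commit mounts that path explicitly, the `VOLUME` line can probably be dropped. `python:3.8-alpine` is a floating tag, so the CI build is not reproducible; pinning a patch release or a digest would let the image scan refer to a known base.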
diff --git a/pica-metrics-bot/clair-whitelist.yml b/pica-metrics-bot/clair-whitelist.yml
new file mode 100644
index 00000000..a9d6ed5b
--- /dev/null
+++ b/pica-metrics-bot/clair-whitelist.yml
@@ -0,0 +1 @@
+generalwhitelist:
diff --git a/pica-metrics-bot/config.json b/pica-metrics-bot/config.json
new file mode 100644
index 00000000..ee2dffcc
--- /dev/null
+++ b/pica-metrics-bot/config.json
@@ -0,0 +1,28 @@
+{
+ "influxdb": {
+ "url": "https://influxdb.picasoft.net",
+ "user": "INFLUXDB_USER",
+ "password": "INFLUXDB_PASSWORD",
+ "database": "picasoft"
+ },
+ "modules" : {
+ "etherpad" : [
+ {
+ "url" : "https://pad.picasoft.net",
+ "name" : "pad.picasoft.net"
+ },
+ {
+ "url" : "https://week.pad.picasoft.net",
+ "name" : "week.pad.picasoft.net"
+ }
+ ],
+ "mattermost" : [
+ {
+ "url" : "https://team.picasoft.net",
+ "user" : "MATTERMOST_USER",
+ "password" : "MATTERMOST_PASSWORD",
+ "name" : "team.picasoft.net"
+ }
+ ]
+ }
+}
diff --git a/pica-metrics-bot/docker-compose.yml b/pica-metrics-bot/docker-compose.yml
new file mode 100644
index 00000000..39b01b19
--- /dev/null
+++ b/pica-metrics-bot/docker-compose.yml
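Review bot: `influxdb.url` points at the public `https://influxdb.picasoft.net`, while docker-compose.yml in this commit places the bot and the `influxdb` service on the same `picasoft-metrics` network; addressing the service directly as `"url": "http://influxdb:8086"` would keep the bot's write credentials on the internal network instead of sending them out through the reverse proxy on every run, unless the public TLS endpoint is needed for another reason. The `INFLUXDB_USER`, `INFLUXDB_PASSWORD`, `MATTERMOST_USER` and `MATTERMOST_PASSWORD` values are placeholders that entrypoint.sh replaces by textual `sed` substitution, so a secret containing `|`, `&` or `\` would corrupt this JSON rather than be inserted verbatim; that constraint on secret values should be stated in README.md or enforced by the entrypoint. The empty `generalwhitelist:` in clair-whitelist.yml is fine as a starting point, but any CVE added to it later should carry a comment saying why it is accepted.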
@@ -0,0 +1,43 @@
+version: 3.7
+
+volumes:
+ influxdb:
+ name: influxdb
+
+networks:
+ docker_default:
+ external: true
+ picasoft-metrics:
+
+services:
+ picasoft-metrics-bot:
+ image: registry.picasoft.net/picasoft-metrics-bot:v1.0.1
+ container_name: picasoft-metrics-bot
+ volumes:
+ - config.json:/code/config/config.json
+ environment:
+ - INTERVAL_SECONDS=60
+ env_file: ./secrets/account.secrets
+ networks:
+ - picasoft-metrics
+ restart: unless-stopped
+
+influxdb:
+ image: registry.picasoft.net/influxdb:1.7.9
+ container_name: influxdb
+ volumes:
+ - influxdb:/var/lib/influxdb
+ environment:
+ - INFLUXDB_HTTP_AUTH_ENABLED=true
+ - INFLUXDB_DATA_MAX_VALUES_PER_TAG=0
+ # See https://docs.influxdata.com/influxdb/v1.7/administration/upgrading/#switch-between-tsm-and-tsi-indexes
+ - INFLUXDB_DATA_INDEX_VERSION=tsi1
+ env_file: ./secrets/influxdb.secrets
+ labels:
+ traefik.frontend.rule: "Host:influxdb.picasoft.net"
+ traefik.port: 8086
+ traefik.enable: true
+ networks:
+ - picasoft-metrics
+ - docker_default
+ restart: always
diff --git a/pica-metrics-bot/entrypoint.sh b/pica-metrics-bot/entrypoint.sh
new file mode 100644
index 00000000..7b300b66
--- /dev/null
+++ b/pica-metrics-bot/entrypoint.sh
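Review bot: The mount `config.json:/code/config/config.json` has no `./` prefix, so Compose's short volume syntax treats `config.json` as a named volume (a directory) rather than the tracked file next to this Compose file; it should read `- ./config.json:/code/config/config.json`. As collapsed here, `influxdb:` appears at column 0, i.e. as a top-level key rather than a child of `services:`; if that is the real indentation Compose rejects the file, so it should sit at the same depth as `picasoft-metrics-bot:`. `version: 3.7` is an unquoted YAML number; Compose expects the version as a string, so `version: "3.7"` avoids a parse error on releases that enforce that. Note also that because entrypoint.sh in this commit runs `sed -i` on the mounted path, the resolved credentials are written back into the host copy of `config.json` inside the git checkout; mounting the template read-only at another path (e.g. `./config.json:/code/config/config.json.template:ro`) and rendering into `/code/config/config.json` at start-up would keep the secrets out of the working tree.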
@@ -0,0 +1,36 @@
+#/usr/bin/env sh
+
+set -e
+
+if [ -z "${INFLUXDB_USER}" ]; then
+ echo >&2 'Error : missing required ${INFLUXDB_USER} environment variable, exiting.'
+ exit 1
+fi
+
+if [ -z "${INFLUXDB_PASSWORD}" ]; then
+ echo >&2 'Error : missing required ${INFLUXDB_PASSWORD} environment variable, exiting.'
+ exit 1
+fi
+
+if [ -z "${MATTERMOST_USER}" ]; then
+ echo >&2 'Error : missing required ${MATTERMOST_USER} environment variable, exiting.'
+ exit 1
+fi
+
+if [ -z "${MATTERMOST_PASSWORD}" ]; then
+ echo >&2 'Error : missing required ${MATTERMOST_PASSWORD} environment variable, exiting.'
+ exit 1
+fi
+
+sed -i s|INFLUXDB_USER|${INFLUXDB_USER}|g /code/config/config.json
+sed -i s|INFLUXDB_PASSWORD|${INFLUXDB_PASSWORD}|g /code/config/config.json
+sed -i s|MATTERMOST_USER|${MATTERMOST_USER}|g /code/config/config.json
+sed -i s|MATTERMOST_PASSWORD|${MATTERMOST_PASSWORD}|g /code/config/config.json
+
+INTERVAL_SECONDS=${INTERVAL_SECONDS:-60}
+
+while :
+do
+ python3 main.py
+ sleep $INTERVAL_SECONDS
+done
diff --git a/pica-metrics-bot/picasoft-metrics-bot b/pica-metrics-bot/picasoft-metrics-bot
index fdf56de4..416a6397 160000
--- a/pica-metrics-bot/picasoft-metrics-bot
+++ b/pica-metrics-bot/picasoft-metrics-bot
@@ -1 +1 @@
-Subproject commit fdf56de4a01f995e0d8e63b85148d7491f7b47df
+Subproject commit 416a6397f5963c4021f380af97b7bbff1fb71239
diff --git a/pica-metrics-bot/secrets/account.secrets.example b/pica-metrics-bot/secrets/account.secrets.example
new file mode 100644
index 00000000..53dcaef1
--- /dev/null
+++ b/pica-metrics-bot/secrets/account.secrets.example
@@ -0,0 +1,4 @@
+INFLUXDB_USER=user
+INFLUXDB_PASSWORD=password
+MATTERMOST_USER=user
+MATTERMOST_PASSWORD=password
diff --git a/pica-metrics-bot/secrets/influxdb.secrets.example b/pica-metrics-bot/secrets/influxdb.secrets.example
new file mode 100644
index 00000000..0335b358
--- /dev/null
+++ b/pica-metrics-bot/secrets/influxdb.secrets.example
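Review bot: The four `sed -i s|…|…|g` expressions are unquoted, so `sh` parses each `|` as a pipe operator: the shell runs `sed -i s` piped into a command named `INFLUXDB_USER`, then into a command named after the secret value, and with `set -e` the script aborts (or hangs on sed's stdin) before `main.py` is ever reached. Each expression must be quoted, `sed -i "s|INFLUXDB_USER|${INFLUXDB_USER}|g" /code/config/config.json`, and likewise for the other three. The shebang `#/usr/bin/env sh`, as shown here, lacks the `!`, so the kernel finds no interpreter and `ENTRYPOINT ["/entrypoint.sh"]` fails with an exec format error; it should be `#!/usr/bin/env sh`. Even once quoted, a secret containing `|`, `&` or `\` is interpreted by sed's `s` command and corrupts the JSON, and `sed -i` writes the plaintext credentials into the mounted `config.json`; rendering from a read-only template into an unmounted path, or having `main.py` read the variables from the environment directly, would avoid both problems.
```shell
#!/usr/bin/env sh
# … unchanged: set -e and the four required-variable checks …
sed -i "s|INFLUXDB_USER|${INFLUXDB_USER}|g" /code/config/config.json
sed -i "s|INFLUXDB_PASSWORD|${INFLUXDB_PASSWORD}|g" /code/config/config.json
sed -i "s|MATTERMOST_USER|${MATTERMOST_USER}|g" /code/config/config.json
sed -i "s|MATTERMOST_PASSWORD|${MATTERMOST_PASSWORD}|g" /code/config/config.json
# … unchanged: INTERVAL_SECONDS default and the run loop …
```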
@@ -0,0 +1,7 @@
+INFLUXDB_DB=picasoft
+INFLUXDB_ADMIN_USER=picasoft-admin
+INFLUXDB_ADMIN_PASSWORD=password
+INFLUXDB_WRITE_USER=picasoft-write
+INFLUXDB_WRITE_USER_PASSWORD=password
+INFLUXDB_READ_USER=picasoft-read
+INFLUXDB_READ_USER_PASSWORD=password
-- 
GitLab