diff --git a/.github/workflows/deploy-pr.yaml b/.github/workflows/deploy-pr.yaml index 56938bd..fdcff10 100644 --- a/.github/workflows/deploy-pr.yaml +++ b/.github/workflows/deploy-pr.yaml @@ -12,25 +12,7 @@ jobs: test: name: Run Python Tests if: github.event.action != 'closed' - runs-on: ubuntu-latest - - steps: - - name: Check out repository code - uses: actions/checkout@v4 - - - name: Set up Python 3.11 - uses: actions/setup-python@v5 - with: - python-version: '3.11' - - - name: Install dependencies - run: | - python -m pip install --upgrade pip - pip install -r requirements.txt - - - name: Run tests with pytest - run: pytest - working-directory: ./7project/backend + uses: ./.github/workflows/run-tests.yml build: if: github.event.action != 'closed' @@ -118,7 +100,8 @@ jobs: --set frontend_domain_scheme="$FRONTEND_DOMAIN_SCHEME" \ --set image.digest="$DIGEST" \ --set-string rabbitmq.password="$RABBITMQ_PASSWORD" \ - --set-string database.password="$DB_PASSWORD" + --set-string database.password="$DB_PASSWORD" \ + --set-string database.encryptionSecret="$PR" - name: Post preview URLs as PR comment uses: actions/github-script@v7 diff --git a/.github/workflows/deploy-prod.yaml b/.github/workflows/deploy-prod.yaml index 7f99e56..8004cac 100644 --- a/.github/workflows/deploy-prod.yaml +++ b/.github/workflows/deploy-prod.yaml @@ -23,26 +23,7 @@ concurrency: jobs: test: name: Run Python Tests - if: github.event.action != 'closed' - runs-on: ubuntu-latest - - steps: - - name: Check out repository code - uses: actions/checkout@v4 - - - name: Set up Python 3.11 - uses: actions/setup-python@v5 - with: - python-version: '3.11' - - - name: Install dependencies - run: | - python -m pip install --upgrade pip - pip install -r requirements.txt - - - name: Run tests with pytest - run: pytest - working-directory: ./7project/backend + uses: ./.github/workflows/run-tests.yml build: name: Build and push image (reusable) @@ -129,4 +110,5 @@ jobs: --set-string oauth.mojeid.clientSecret="$MOJEID_CLIENT_SECRET" \ --set-string oauth.csas.clientId="$CSAS_CLIENT_ID" \ --set-string oauth.csas.clientSecret="$CSAS_CLIENT_SECRET" \ - --set-string sentry_dsn="$SENTRY_DSN" \ \ No newline at end of file + --set-string sentry_dsn="$SENTRY_DSN" \ + --set-string database.encryptionSecret="${{ secrets.PROD_DB_ENCRYPTION_KEY }}" \ No newline at end of file diff --git a/.github/workflows/run-tests.yml b/.github/workflows/run-tests.yml index b71a6d1..ddd0337 100644 --- a/.github/workflows/run-tests.yml +++ b/.github/workflows/run-tests.yml @@ -2,54 +2,60 @@ name: Run Python Tests permissions: contents: read -# ----------------- -# --- Triggers ---- -# ----------------- -# This section defines when the workflow will run. on: - # Run on every push to the 'main' branch - push: - branches: [ "main", "30-create-tests-and-set-up-a-github-pipeline" ] - # Also run on every pull request that targets the 'main' branch - pull_request: - branches: [ "main" ] + workflow_call: -# ----------------- -# ------ Jobs ----- -# ----------------- -# A workflow is made up of one or more jobs that can run in parallel or sequentially. jobs: - # A descriptive name for your job build-and-test: - # Specifies the virtual machine to run the job on. 'ubuntu-latest' is a common and cost-effective choice. runs-on: ubuntu-latest - # ----------------- - # ----- Steps ----- - # ----------------- - # A sequence of tasks that will be executed as part of the job. + services: + mariadb: + image: mariadb:11.4 + env: + MARIADB_ROOT_PASSWORD: rootpw + MARIADB_DATABASE: group_project + MARIADB_USER: appuser + MARIADB_PASSWORD: apppass + ports: + - 3306:3306 + options: >- + --health-cmd="mariadb-admin ping -h 127.0.0.1 -u root -prootpw --silent" + --health-interval=5s + --health-timeout=2s + --health-retries=20 + + env: + MARIADB_HOST: 127.0.0.1 + MARIADB_PORT: "3306" + MARIADB_DB: group_project + MARIADB_USER: appuser + MARIADB_PASSWORD: apppass + steps: - # Step 1: Check out your repository's code - # This action allows the workflow to access your code. - name: Check out repository code uses: actions/checkout@v4 - # Step 2: Set up the Python environment - # This action installs a specific version of Python on the runner. - name: Set up Python 3.11 uses: actions/setup-python@v5 with: - python-version: '3.11' # Use the Python version that matches your project + python-version: '3.11' + + - name: Add test dependencies to requirements + run: | + echo "pytest==8.4.2" >> ./7project/backend/requirements.txt + echo "pytest-asyncio==1.2.0" >> ./7project/backend/requirements.txt - # Step 3: Install project dependencies - # Runs shell commands to install the libraries listed in your requirements.txt. - name: Install dependencies run: | python -m pip install --upgrade pip - pip install -r requirements.txt - - # Step 4: Run your tests! - # Executes the pytest command to run your test suite. + pip install -r ./7project/backend/requirements.txt + + - name: Run Alembic migrations + run: | + alembic upgrade head + working-directory: ./7project/backend + - name: Run tests with pytest run: pytest working-directory: ./7project/backend \ No newline at end of file diff --git a/7project/backend/alembic/env.py b/7project/backend/alembic/env.py index ec52aab..f910b91 100644 --- a/7project/backend/alembic/env.py +++ b/7project/backend/alembic/env.py @@ -25,7 +25,8 @@ if not DATABASE_URL: SYNC_DATABASE_URL = DATABASE_URL.replace("+asyncmy", "+pymysql") -ssl_enabled = os.getenv("MARIADB_HOST", "localhost") != "localhost" +host_env = os.getenv("MARIADB_HOST", "localhost") +ssl_enabled = host_env not in {"localhost", "127.0.0.1"} connect_args = {"ssl": {"ssl": True}} if ssl_enabled else {} def run_migrations_offline() -> None: diff --git a/7project/backend/alembic/versions/2025_10_29_1326-46b9e702e83f_add_encrypted_type.py b/7project/backend/alembic/versions/2025_10_29_1326-46b9e702e83f_add_encrypted_type.py new file mode 100644 index 0000000..8f9119a --- /dev/null +++ b/7project/backend/alembic/versions/2025_10_29_1326-46b9e702e83f_add_encrypted_type.py @@ -0,0 +1,47 @@ +"""Add encrypted type + +Revision ID: 46b9e702e83f +Revises: 1f2a3c4d5e6f +Create Date: 2025-10-29 13:26:24.568523 + +""" +from typing import Sequence, Union + +import sqlalchemy_utils +from alembic import op +import sqlalchemy as sa +from sqlalchemy.dialects import mysql + +# revision identifiers, used by Alembic. +revision: str = '46b9e702e83f' +down_revision: Union[str, Sequence[str], None] = '1f2a3c4d5e6f' +branch_labels: Union[str, Sequence[str], None] = None +depends_on: Union[str, Sequence[str], None] = None + + +def upgrade() -> None: + """Upgrade schema.""" + # ### commands auto generated by Alembic - please adjust! ### + op.alter_column('transaction', 'amount', + existing_type=mysql.FLOAT(), + type_=sqlalchemy_utils.types.encrypted.encrypted_type.EncryptedType(), + existing_nullable=False) + op.alter_column('transaction', 'description', + existing_type=mysql.VARCHAR(length=255), + type_=sqlalchemy_utils.types.encrypted.encrypted_type.EncryptedType(), + existing_nullable=True) + # ### end Alembic commands ### + + +def downgrade() -> None: + """Downgrade schema.""" + # ### commands auto generated by Alembic - please adjust! ### + op.alter_column('transaction', 'description', + existing_type=sqlalchemy_utils.types.encrypted.encrypted_type.EncryptedType(), + type_=mysql.VARCHAR(length=255), + existing_nullable=True) + op.alter_column('transaction', 'amount', + existing_type=sqlalchemy_utils.types.encrypted.encrypted_type.EncryptedType(), + type_=mysql.FLOAT(), + existing_nullable=False) + # ### end Alembic commands ### diff --git a/7project/backend/app/api/auth.py b/7project/backend/app/api/auth.py index 075600c..d5c59d8 100644 --- a/7project/backend/app/api/auth.py +++ b/7project/backend/app/api/auth.py @@ -24,6 +24,23 @@ async def delete_me( await user_manager.delete(user) # Keep existing paths as-is under /auth/* and /users/* +from fastapi import Request, Response +from app.core.security import revoke_token, extract_bearer_token + + +@router.post( + "/auth/jwt/logout", + status_code=status.HTTP_204_NO_CONTENT, + tags=["auth"], + summary="Log out and revoke current token", +) +async def custom_logout(request: Request) -> Response: + """Revoke the current bearer token so it cannot be used anymore.""" + token = extract_bearer_token(request) + if token: + revoke_token(token) + return Response(status_code=status.HTTP_204_NO_CONTENT) + router.include_router( fastapi_users.get_auth_router(auth_backend), prefix="/auth/jwt", tags=["auth"] ) diff --git a/7project/backend/app/app.py b/7project/backend/app/app.py index ae50a62..af85d4f 100644 --- a/7project/backend/app/app.py +++ b/7project/backend/app/app.py @@ -16,6 +16,8 @@ from app.api.csas import router as csas_router from app.api.categories import router as categories_router from app.api.transactions import router as transactions_router from app.services.user_service import auth_backend, current_active_verified_user, fastapi_users, get_oauth_provider, UserManager, get_jwt_strategy +from app.core.security import extract_bearer_token, is_token_revoked, decode_and_verify_jwt +from app.services.user_service import SECRET from fastapi import FastAPI @@ -49,6 +51,23 @@ fastApi.include_router(categories_router) fastApi.include_router(transactions_router) logging.basicConfig(filename='app.log', level=logging.INFO, format='%(asctime)s %(message)s') +@fastApi.middleware("http") +async def auth_guard(request: Request, call_next): + # Enforce revoked/expired JWTs are rejected globally + token = extract_bearer_token(request) + if token: + from fastapi import Response, status as _status + # Deny if token is revoked + if is_token_revoked(token): + return Response(status_code=_status.HTTP_401_UNAUTHORIZED) + # Deny if token is expired or invalid + try: + decode_and_verify_jwt(token, SECRET) + except Exception: + return Response(status_code=_status.HTTP_401_UNAUTHORIZED) + return await call_next(request) + + @fastApi.middleware("http") async def log_traffic(request: Request, call_next): start_time = datetime.now() @@ -105,10 +124,6 @@ async def root(): async def authenticated_route(user: User = Depends(current_active_verified_user)): return {"message": f"Hello {user.email}!"} -@fastApi.get("/sentry-debug") -async def trigger_error(): - division_by_zero = 1 / 0 - @fastApi.get("/debug/scrape/csas/all", tags=["debug"]) async def debug_scrape_csas_all(): diff --git a/7project/backend/app/core/db.py b/7project/backend/app/core/db.py index 9c8cad7..1186352 100644 --- a/7project/backend/app/core/db.py +++ b/7project/backend/app/core/db.py @@ -19,7 +19,8 @@ from app.models.user import User from app.models.transaction import Transaction from app.models.categories import Category -ssl_enabled = os.getenv("MARIADB_HOST", "localhost") != "localhost" +host_env = os.getenv("MARIADB_HOST", "localhost") +ssl_enabled = host_env not in {"localhost", "127.0.0.1"} connect_args = {"ssl": {"ssl": True}} if ssl_enabled else {} engine = create_async_engine( diff --git a/7project/backend/app/core/security.py b/7project/backend/app/core/security.py new file mode 100644 index 0000000..2093cbb --- /dev/null +++ b/7project/backend/app/core/security.py @@ -0,0 +1,52 @@ +from typing import Optional +import re +import jwt +from fastapi import Request + +# Simple in-memory revocation store for revoked JWT tokens. +# +# Limitations: +# - All revoked tokens will be lost if the process restarts (data loss on restart). +# - Not suitable for multi-instance deployments: the revocation list is not shared between instances. +# A token revoked in one instance will not be recognized as revoked in others. +# +# For production, use a persistent and shared store (e.g., Redis or a database). +_REVOKED_TOKENS: set[str] = set() + +# Bearer token regex +_BEARER_RE = re.compile(r"^[Bb]earer\s+(.+)$") + + +def extract_bearer_token(request: Request) -> Optional[str]: + auth = request.headers.get("authorization") + if not auth: + return None + m = _BEARER_RE.match(auth) + if not m: + return None + return m.group(1).strip() + + +def revoke_token(token: str) -> None: + if token: + _REVOKED_TOKENS.add(token) + + +def is_token_revoked(token: str) -> bool: + return token in _REVOKED_TOKENS + + +def decode_and_verify_jwt(token: str, secret: str) -> dict: + """ + Decode the JWT using the shared secret, verifying expiration and signature. + Audience is not verified here to be compatible with fastapi-users default tokens. + Raises jwt.ExpiredSignatureError if expired. + Raises jwt.InvalidTokenError for other issues. + Returns the decoded payload dict on success. + """ + return jwt.decode( + token, + secret, + algorithms=["HS256"], + options={"verify_aud": False}, + ) # verify_exp is True by default \ No newline at end of file diff --git a/7project/backend/app/models/transaction.py b/7project/backend/app/models/transaction.py index 84f3981..d432437 100644 --- a/7project/backend/app/models/transaction.py +++ b/7project/backend/app/models/transaction.py @@ -1,15 +1,21 @@ +import os from fastapi_users_db_sqlalchemy import GUID from sqlalchemy import Column, Integer, String, Float, ForeignKey, Date, func from sqlalchemy.orm import relationship +from sqlalchemy_utils import EncryptedType +from sqlalchemy_utils.types.encrypted.encrypted_type import FernetEngine + from app.core.base import Base from app.models.categories import association_table +SECRET_KEY = os.environ.get("DB_ENCRYPTION_KEY", "localdev") + class Transaction(Base): __tablename__ = "transaction" id = Column(Integer, primary_key=True, autoincrement=True) - amount = Column(Float, nullable=False) - description = Column(String(length=255), nullable=True) + amount = Column(EncryptedType(Float, SECRET_KEY, engine=FernetEngine), nullable=False) + description = Column(EncryptedType(String(length=255), SECRET_KEY, engine=FernetEngine), nullable=True) date = Column(Date, nullable=False, server_default=func.current_date()) user_id = Column(GUID, ForeignKey("user.id"), nullable=False) diff --git a/7project/backend/pyproject.toml b/7project/backend/pyproject.toml index ef504fe..afdd586 100644 --- a/7project/backend/pyproject.toml +++ b/7project/backend/pyproject.toml @@ -1,2 +1,5 @@ [tool.pytest.ini_options] -pythonpath = "." \ No newline at end of file +pythonpath = "." +asyncio_mode = "auto" +asyncio_default_fixture_loop_scope = "session" +asyncio_default_test_loop_scope = "session" \ No newline at end of file diff --git a/7project/backend/requirements.txt b/7project/backend/requirements.txt index 34fc377..d0699ef 100644 --- a/7project/backend/requirements.txt +++ b/7project/backend/requirements.txt @@ -54,6 +54,7 @@ sentry-sdk==2.42.0 six==1.17.0 sniffio==1.3.1 SQLAlchemy==2.0.43 +SQLAlchemy-Utils==0.42.0 starlette==0.48.0 tomli==2.2.1 typing-inspection==0.4.1 diff --git a/7project/backend/tests/conftest.py b/7project/backend/tests/conftest.py index 1c6dca7..596aced 100644 --- a/7project/backend/tests/conftest.py +++ b/7project/backend/tests/conftest.py @@ -1,7 +1,9 @@ import sys +import uuid import types import pytest from fastapi.testclient import TestClient +from httpx import AsyncClient, ASGITransport # Stub sentry_sdk to avoid optional dependency issues during import of app stub = types.ModuleType("sentry_sdk") @@ -20,3 +22,23 @@ def fastapi_app(): @pytest.fixture(scope="session") def client(fastapi_app): return TestClient(fastapi_app, raise_server_exceptions=True) + + +@pytest.fixture(scope="function") +async def test_user(fastapi_app): + """ + Creates a new user asynchronously and returns their credentials. + Does NOT log them in. + Using AsyncClient with ASGITransport avoids event loop conflicts with DB connections. + """ + unique_email = f"testuser_{uuid.uuid4()}@example.com" + password = "a_strong_password" + user_payload = {"email": unique_email, "password": password} + + transport = ASGITransport(app=fastapi_app, raise_app_exceptions=True) + async with AsyncClient(transport=transport, base_url="http://testserver") as ac: + response = await ac.post("/auth/register", json=user_payload) + assert response.status_code == 201 + + return {"username": unique_email, "password": password} + diff --git a/7project/backend/tests/test_e2e_auth_flow.py b/7project/backend/tests/test_e2e_auth_flow.py index e622f9c..7ad18d2 100644 --- a/7project/backend/tests/test_e2e_auth_flow.py +++ b/7project/backend/tests/test_e2e_auth_flow.py @@ -1,3 +1,6 @@ +import pytest +import uuid +from httpx import AsyncClient, ASGITransport from fastapi import status @@ -13,3 +16,83 @@ def test_e2e_minimal_auth_flow(client): # 3) Protected endpoint should not be accessible without token me = client.get("/users/me") assert me.status_code in (status.HTTP_401_UNAUTHORIZED, status.HTTP_403_FORBIDDEN) + + +@pytest.mark.asyncio +async def test_e2e_full_user_lifecycle(fastapi_app, test_user): + # Use an AsyncClient with ASGITransport for async tests + transport = ASGITransport(app=fastapi_app, raise_app_exceptions=True) + async with AsyncClient(transport=transport, base_url="http://testserver") as ac: + login_payload = test_user + + # 1. Log in with the new credentials + login_resp = await ac.post("/auth/jwt/login", data=login_payload) + assert login_resp.status_code == status.HTTP_200_OK + token = login_resp.json()["access_token"] + headers = {"Authorization": f"Bearer {token}"} + + # 2. Access a protected endpoint + me_resp = await ac.get("/users/me", headers=headers) + assert me_resp.status_code == status.HTTP_200_OK + assert me_resp.json()["email"] == test_user["username"] + + # 3. Update the user's profile + update_payload = {"first_name": "Test"} + patch_resp = await ac.patch("/users/me", json=update_payload, headers=headers) + assert patch_resp.status_code == status.HTTP_200_OK + assert patch_resp.json()["first_name"] == "Test" + + # 4. Log out + logout_resp = await ac.post("/auth/jwt/logout", headers=headers) + assert logout_resp.status_code in (status.HTTP_200_OK, status.HTTP_204_NO_CONTENT) + + # 5. Verify token is invalid + me_again_resp = await ac.get("/users/me", headers=headers) + assert me_again_resp.status_code == status.HTTP_401_UNAUTHORIZED + + +@pytest.mark.asyncio +async def test_e2e_transaction_workflow(fastapi_app, test_user): + transport = ASGITransport(app=fastapi_app, raise_app_exceptions=True) + async with AsyncClient(transport=transport, base_url="http://testserver") as ac: + # 1. Log in to get the token + login_resp = await ac.post("/auth/jwt/login", data=test_user) + token = login_resp.json()["access_token"] + headers = {"Authorization": f"Bearer {token}"} + + # NEW STEP: Create a category first to get a valid ID + category_payload = {"name": "Test Category for E2E"} + create_category_resp = await ac.post("/categories/create", json=category_payload, headers=headers) + assert create_category_resp.status_code == status.HTTP_201_CREATED + category_id = create_category_resp.json()["id"] + + # 2. Create a new transaction + tx_payload = {"amount": -55.40, "description": "Milk and eggs"} + tx_resp = await ac.post("/transactions/create", json=tx_payload, headers=headers) + assert tx_resp.status_code == status.HTTP_201_CREATED + tx_id = tx_resp.json()["id"] + + # 3. Assign the category + assign_resp = await ac.post(f"/transactions/{tx_id}/categories/{category_id}", headers=headers) + assert assign_resp.status_code == status.HTTP_200_OK + + # 4. Verify assignment + get_tx_resp = await ac.get(f"/transactions/{tx_id}", headers=headers) + assert category_id in get_tx_resp.json()["category_ids"] + + # 5. Unassign the category + unassign_resp = await ac.delete(f"/transactions/{tx_id}/categories/{category_id}", headers=headers) + assert unassign_resp.status_code == status.HTTP_200_OK + + # 6. Get the transaction again and verify the category is gone + get_tx_again_resp = await ac.get(f"/transactions/{tx_id}", headers=headers) + final_tx_data = get_tx_again_resp.json() + assert category_id not in final_tx_data["category_ids"] + + # 7. Delete the transaction for cleanup + delete_resp = await ac.delete(f"/transactions/{tx_id}/delete", headers=headers) + assert delete_resp.status_code in (status.HTTP_200_OK, status.HTTP_204_NO_CONTENT) + + # NEW STEP: Clean up the created category + delete_category_resp = await ac.delete(f"/categories/{category_id}", headers=headers) + assert delete_category_resp.status_code in (status.HTTP_200_OK, status.HTTP_204_NO_CONTENT) \ No newline at end of file diff --git a/7project/backend/tests/test_integration_app.py b/7project/backend/tests/test_integration_app.py index 6c8733d..c924e25 100644 --- a/7project/backend/tests/test_integration_app.py +++ b/7project/backend/tests/test_integration_app.py @@ -1,5 +1,6 @@ from fastapi import status import pytest +from httpx import AsyncClient, ASGITransport def test_root_ok(client): @@ -13,6 +14,53 @@ def test_authenticated_route_requires_auth(client): assert resp.status_code in (status.HTTP_401_UNAUTHORIZED, status.HTTP_403_FORBIDDEN) -def test_sentry_debug_raises_exception(client): - with pytest.raises(ZeroDivisionError): - client.get("/sentry-debug") +@pytest.mark.asyncio +async def test_create_and_get_category(fastapi_app, test_user): + # Use AsyncClient for async tests + transport = ASGITransport(app=fastapi_app) + async with AsyncClient(transport=transport, base_url="http://testserver") as ac: + # 1. Log in to get an auth token + login_resp = await ac.post("/auth/jwt/login", data=test_user) + token = login_resp.json()["access_token"] + headers = {"Authorization": f"Bearer {token}"} + + # 2. Define and create the new category + category_name = "Async Integration Test" + category_payload = {"name": category_name} + create_resp = await ac.post("/categories/create", json=category_payload, headers=headers) + + # 3. Assert creation was successful + assert create_resp.status_code == status.HTTP_201_CREATED + created_data = create_resp.json() + category_id = created_data["id"] + assert created_data["name"] == category_name + + # 4. GET the list of categories to verify + list_resp = await ac.get("/categories/", headers=headers) + assert list_resp.status_code == status.HTTP_200_OK + + # 5. Check that our new category is in the list + categories_list = list_resp.json() + assert any(cat["name"] == category_name for cat in categories_list) + + delete_resp = await ac.delete(f"/categories/{category_id}", headers=headers) + assert delete_resp.status_code in (status.HTTP_200_OK, status.HTTP_204_NO_CONTENT) + + +@pytest.mark.asyncio +async def test_create_transaction_missing_amount_fails(fastapi_app, test_user): + transport = ASGITransport(app=fastapi_app) + async with AsyncClient(transport=transport, base_url="http://testserver") as ac: + # 1. Log in to get an auth token + login_resp = await ac.post("/auth/jwt/login", data=test_user) + token = login_resp.json()["access_token"] + headers = {"Authorization": f"Bearer {token}"} + + # 2. Define an invalid payload + invalid_payload = {"description": "This should fail"} + + # 3. Attempt to create the transaction + resp = await ac.post("/transactions/create", json=invalid_payload, headers=headers) + + # 4. Assert the expected validation error + assert resp.status_code == status.HTTP_422_UNPROCESSABLE_ENTITY diff --git a/7project/backend/tests/test_unit_user_service.py b/7project/backend/tests/test_unit_user_service.py index 7e89962..dedff0e 100644 --- a/7project/backend/tests/test_unit_user_service.py +++ b/7project/backend/tests/test_unit_user_service.py @@ -19,7 +19,7 @@ def test_get_oauth_provider_known_unknown(): def test_get_jwt_strategy_lifetime(): strategy = user_service.get_jwt_strategy() assert strategy is not None - # Basic smoke check: strategy has a lifetime set to 3600 + # Basic smoke check: strategy has a lifetime set to 604800 assert getattr(strategy, "lifetime_seconds", None) in (604800,) diff --git a/7project/charts/myapp-chart/templates/app-deployment.yaml b/7project/charts/myapp-chart/templates/app-deployment.yaml index dc85dbd..02afbfb 100644 --- a/7project/charts/myapp-chart/templates/app-deployment.yaml +++ b/7project/charts/myapp-chart/templates/app-deployment.yaml @@ -101,6 +101,11 @@ spec: secretKeyRef: name: prod key: SENTRY_DSN + - name: DB_ENCRYPTION_KEY + valueFrom: + secretKeyRef: + name: prod + key: DB_ENCRYPTION_KEY livenessProbe: httpGet: path: / diff --git a/7project/charts/myapp-chart/templates/prod.yaml b/7project/charts/myapp-chart/templates/prod.yaml index 0b9442d..abb294a 100644 --- a/7project/charts/myapp-chart/templates/prod.yaml +++ b/7project/charts/myapp-chart/templates/prod.yaml @@ -18,3 +18,4 @@ stringData: RABBITMQ_PASSWORD: {{ .Values.rabbitmq.password | default "" | quote }} RABBITMQ_USERNAME: {{ .Values.rabbitmq.username | quote }} SENTRY_DSN: {{ .Values.sentry_dsn | quote }} + DB_ENCRYPTION_KEY: {{ required "Set .Values.database.encryptionSecret" .Values.database.encryptionSecret | quote }} diff --git a/7project/charts/myapp-chart/templates/worker-deployment.yaml b/7project/charts/myapp-chart/templates/worker-deployment.yaml index 11227d3..fbd5182 100644 --- a/7project/charts/myapp-chart/templates/worker-deployment.yaml +++ b/7project/charts/myapp-chart/templates/worker-deployment.yaml @@ -20,7 +20,7 @@ spec: securityContext: allowPrivilegeEscalation: false capabilities: - drop: ["ALL"] + drop: [ "ALL" ] command: - celery - -A @@ -80,3 +80,8 @@ spec: secretKeyRef: name: prod key: CSAS_CLIENT_SECRET + - name: DB_ENCRYPTION_KEY + valueFrom: + secretKeyRef: + name: prod + key: DB_ENCRYPTION_KEY diff --git a/7project/charts/myapp-chart/values.yaml b/7project/charts/myapp-chart/values.yaml index 867728e..d20fa70 100644 --- a/7project/charts/myapp-chart/values.yaml +++ b/7project/charts/myapp-chart/values.yaml @@ -75,3 +75,4 @@ database: userName: app-demo-user secretName: app-demo-database-secret password: "" + encryptionSecret: "" diff --git a/requirements.txt b/requirements.txt deleted file mode 100644 index f97951f..0000000 --- a/requirements.txt +++ /dev/null @@ -1,72 +0,0 @@ -aio-pika==9.5.6 -aiormq==6.8.1 -aiosqlite==0.21.0 -alembic==1.16.5 -amqp==5.3.1 -annotated-types==0.7.0 -anyio==4.11.0 -argon2-cffi==23.1.0 -argon2-cffi-bindings==25.1.0 -asyncmy==0.2.9 -bcrypt==4.3.0 -billiard==4.2.2 -celery==5.5.3 -certifi==2025.10.5 -cffi==2.0.0 -click==8.1.8 -click-didyoumean==0.3.1 -click-plugins==1.1.1.2 -click-repl==0.3.0 -cryptography==46.0.1 -dnspython==2.7.0 -email_validator==2.2.0 -exceptiongroup==1.3.0 -fastapi==0.117.1 -fastapi-users==14.0.1 -fastapi-users-db-sqlalchemy==7.0.0 -greenlet==3.2.4 -h11==0.16.0 -httpcore==1.0.9 -httptools==0.6.4 -httpx==0.28.1 -httpx-oauth==0.16.1 -idna==3.10 -iniconfig==2.3.0 -kombu==5.5.4 -makefun==1.16.0 -Mako==1.3.10 -MarkupSafe==3.0.2 -multidict==6.6.4 -packaging==25.0 -pamqp==3.3.0 -pluggy==1.6.0 -prompt_toolkit==3.0.52 -propcache==0.3.2 -pwdlib==0.2.1 -pycparser==2.23 -pydantic==2.11.9 -pydantic_core==2.33.2 -Pygments==2.19.2 -PyJWT==2.10.1 -PyMySQL==1.1.2 -pytest==8.4.2 -pytest-asyncio==1.2.0 -python-dateutil==2.9.0.post0 -python-dotenv==1.1.1 -python-multipart==0.0.20 -PyYAML==6.0.2 -six==1.17.0 -sniffio==1.3.1 -SQLAlchemy==2.0.43 -starlette==0.48.0 -tomli==2.2.1 -typing-inspection==0.4.1 -typing_extensions==4.15.0 -tzdata==2025.2 -uvicorn==0.37.0 -uvloop==0.21.0 -vine==5.1.0 -watchfiles==1.1.0 -wcwidth==0.2.14 -websockets==15.0.1 -yarl==1.20.1