Docker: Add a Docker secret for the Django key
We have decided against shipping an insecure default key with a mere warning. Therefore, unlike the admin and user secrets, the availability of this secret is a hard requirement: the instance will not start until a secret has been generated, either manually or by a management tool.
This commit is contained in:
parent
d48794ae8a
commit
4f194a8794
@ -73,6 +73,8 @@ services:
|
||||
- server-db-setup
|
||||
environment:
|
||||
<< : *default-osserver-env
|
||||
secrets:
|
||||
- django
|
||||
ifelse(read_env(`OPENSLIDES_BACKEND_SERVICE_REPLICAS'),,,deploy:
|
||||
replicas: ifenvelse(`OPENSLIDES_BACKEND_SERVICE_REPLICAS', 1))
|
||||
|
||||
@ -81,7 +83,8 @@ services:
|
||||
entrypoint: /usr/local/sbin/entrypoint-db-setup
|
||||
environment:
|
||||
<< : *default-osserver-env
|
||||
ifelse(ADMIN_SECRET_AVAILABLE, 0, secrets:, USER_SECRET_AVAILABLE, 0, secrets:)
|
||||
secrets:
|
||||
- django
|
||||
ifelse(ADMIN_SECRET_AVAILABLE, 0,- os_admin)
|
||||
ifelse(USER_SECRET_AVAILABLE, 0,- os_user)
|
||||
depends_on:
|
||||
@ -195,7 +198,9 @@ networks:
|
||||
back:
|
||||
dbnet:
|
||||
|
||||
ifelse(ADMIN_SECRET_AVAILABLE, 0, secrets:, USER_SECRET_AVAILABLE, 0, secrets:)
|
||||
secrets:
|
||||
django:
|
||||
file: ./secrets/django.env
|
||||
ifelse(ADMIN_SECRET_AVAILABLE, 0,os_admin:
|
||||
file: ./secrets/adminsecret.env)
|
||||
ifelse(USER_SECRET_AVAILABLE, 0,os_user:
|
||||
|
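Review bot: The new `django` secret is backed by a plaintext file next to the compose file (`file: ./secrets/django.env`), and nothing in this commit documents that the file is executed as shell by the entrypoints (`source /run/secrets/django`) or keeps it out of version control. A comment on the new `django:` entry would save the next operator a surprise, e.g. `# Sourced by the entrypoint as bash: write DJANGO_SECRET_KEY='…' single-quoted; keep this file out of git`. If an ignore rule for `./secrets/` already exists elsewhere in the repository, only the first half of that comment is needed. The file header of this section is not visible in the page, so the exact compose file name is inferred from the hunk content.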
@ -71,6 +71,8 @@ services:
|
||||
# command: "daphne -b 0.0.0.0 -p 8000 openslides.asgi:application"
|
||||
environment:
|
||||
<< : *default-osserver-env
|
||||
secrets:
|
||||
- django
|
||||
deploy:
|
||||
restart_policy:
|
||||
condition: on-failure
|
||||
@ -82,7 +84,8 @@ services:
|
||||
entrypoint: /usr/local/sbin/entrypoint-db-setup
|
||||
environment:
|
||||
<< : *default-osserver-env
|
||||
ifelse(ADMIN_SECRET_AVAILABLE, 0, secrets:, USER_SECRET_AVAILABLE, 0, secrets:)
|
||||
secrets:
|
||||
- django
|
||||
ifelse(ADMIN_SECRET_AVAILABLE, 0,- os_admin)
|
||||
ifelse(USER_SECRET_AVAILABLE, 0,- os_user)
|
||||
|
||||
@ -229,7 +232,9 @@ networks:
|
||||
driver_opts:
|
||||
encrypted: ""
|
||||
|
||||
ifelse(ADMIN_SECRET_AVAILABLE, 0, secrets:, USER_SECRET_AVAILABLE, 0, secrets:)
|
||||
secrets:
|
||||
django:
|
||||
file: ./secrets/django.env
|
||||
ifelse(ADMIN_SECRET_AVAILABLE, 0,os_admin:
|
||||
file: ./secrets/adminsecret.env)
|
||||
ifelse(USER_SECRET_AVAILABLE, 0,os_user:
|
||||
|
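Review bot: In this stack variant `file: ./secrets/django.env` means `docker stack deploy` reads the key from disk on the manager and creates the swarm secret from it, so the plaintext copy stays on the manager's filesystem next to the stack definition for as long as the directory exists. Given the description's aim that the secret be generated "manually or by a management tool", declaring it `external: true` and creating it with `docker secret create django …` would let the tool hand the value to the swarm directly and rotate it without a file on disk; worth a short comment on the `django:` entry either way, e.g. `# Consider external: true and 'docker secret create django' to avoid keeping the plaintext file on the manager`. This is a hedged design suggestion, not a defect in the hunk as written; the section's file header is not visible on the page.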
3
docker/secrets/django.env.example
Normal file
@ -0,0 +1,3 @@
|
||||
# Define a secret key for Django
|
||||
# https://docs.djangoproject.com/en/1.10/howto/deployment/checklist/#secret-key
|
||||
DJANGO_SECRET_KEY=
|
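Review bot: The example leaves `DJANGO_SECRET_KEY=` unquoted, yet both entrypoints `source` this file, so a key containing `$`, backticks, `"`, `#`, `;`, `&`, `(`, `|` or spaces will be truncated, mangled or run as a command rather than stored; the generator this same commit deletes from the build script produced exactly such characters. Suggest shipping the line as `DJANGO_SECRET_KEY=''` with a comment `# Value is sourced as bash by the entrypoint: keep it single-quoted, no newlines`. Since the commit makes the key mandatory while removing the only generation hint, a second comment such as `# Generate e.g. with: python3 -c 'import secrets; print(secrets.token_urlsafe(50))'` would close that gap. The checklist link pins Django 1.10; if the project runs a newer release, point it at the matching docs version.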
@ -7,12 +7,4 @@ printf "Server built on %s:\n\nBranch: %s\n\n%s\n" \
|
||||
"$(git rev-parse --abbrev-ref HEAD)" \
|
||||
"$(git show -s --format=raw)" > docker/server-version.txt
|
||||
|
||||
# @Gernot: TODO
|
||||
# SECRET_KEY=$(head /dev/urandom | tr -dc 'A-Za-z0-9!"#$%&()*+,-./:;<=>?@[]^_`{|}~' | head -c 64)
|
||||
# sed: \/& must be escaped...
|
||||
# ESCAPED_SECRET_KEY=$(printf "%s\n" "$SECRET_KEY" | sed -e 's/[\/&]/\\&/g')
|
||||
# sed -i \
|
||||
# -e "/SECRET_KEY/s/%%secret-key%%/$ESCAPED_SECRET_KEY/" \
|
||||
# docker/settings.py
|
||||
|
||||
docker build -f docker/Dockerfile . $@
|
||||
|
@ -2,6 +2,15 @@
|
||||
|
||||
set -e
|
||||
|
||||
# Set DJANGO_SECRET_KEY variable
|
||||
source /run/secrets/django
|
||||
[[ -n "$DJANGO_SECRET_KEY" ]] || {
|
||||
echo "ERROR: Django secret key undefined! Cannot continue."
|
||||
sleep 5
|
||||
exit 2
|
||||
}
|
||||
export SECRET_KEY="$DJANGO_SECRET_KEY"
|
||||
|
||||
# TODO: env variable for this host
|
||||
wait-for-it -t 0 "server-db-setup:8000"
|
||||
|
||||
|
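Review bot: The friendly "Django secret key undefined" error only fires when `/run/secrets/django` exists but is empty; when the secret is not mounted at all — the very case the description describes as a hard requirement — `source` fails first and `set -e` aborts with bash's bare "No such file or directory" message, skipping the `sleep 5` and the explicit exit code. Add a guard before the source line: `[[ -r /run/secrets/django ]] || { echo "ERROR: /run/secrets/django missing! Cannot continue."; sleep 5; exit 2; }`. Note also that `source` executes the secret file as shell, so the value must be single-quoted in `django.env`; a one-line comment saying so above the `source` would help. The `sleep 5` looks like a throttle for the restart loop under the stack's `restart_policy: on-failure` — worth a comment if that is its intent.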
@ -15,6 +15,15 @@ EOF
|
||||
sleep 10
|
||||
}
|
||||
|
||||
# Set DJANGO_SECRET_KEY variable
|
||||
source /run/secrets/django
|
||||
[[ -n "$DJANGO_SECRET_KEY" ]] || {
|
||||
echo "ERROR: Django secret key undefined! Cannot continue."
|
||||
sleep 5
|
||||
exit 2
|
||||
}
|
||||
export SECRET_KEY="$DJANGO_SECRET_KEY"
|
||||
|
||||
# Configure database
|
||||
# TODO: env variables??
|
||||
echo "postgres:5432:instancecfg:openslides:openslides" > "${HOME}/.pgpass"
|
||||
|
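Review bot: This block is a verbatim copy of the one added to the other entrypoint, including the same gap: a missing `/run/secrets/django` is caught by `set -e` (assuming it is set above this hunk, which is not visible here) with bash's own error instead of the intended message, `sleep 5` and `exit 2`. Rather than patching both copies, consider moving the load-and-check into one shared file, e.g. `/usr/local/sbin/load-django-secret`, that both entrypoints `source`, and put the `[[ -r /run/secrets/django ]] || { …; exit 2; }` guard there once. If the duplication is kept, at least add `[[ -r /run/secrets/django ]] || { echo "ERROR: /run/secrets/django missing! Cannot continue."; sleep 5; exit 2; }` ahead of the `source` line here as well.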