Docker: Add a Docker secret for the Django key

We have decided against including an insecure default key with a mere
warning.  Therefore, unlike the admin and user secrets, the availability
of this secret is a hard requirement.  The instance will not be able to
start before a secret has been generated manually or by a management
tool.
Gernot Schulz 2020-08-14 13:24:45 +02:00 committed by Finn Stutzenstein
parent d48794ae8a
commit 4f194a8794
No known key found for this signature in database
GPG Key ID: 9042F605C6324654
6 changed files with 35 additions and 12 deletions


@ -73,6 +73,8 @@ services:
- server-db-setup - server-db-setup
environment: environment:
<< : *default-osserver-env << : *default-osserver-env
secrets:
- django
ifelse(read_env(`OPENSLIDES_BACKEND_SERVICE_REPLICAS'),,,deploy: ifelse(read_env(`OPENSLIDES_BACKEND_SERVICE_REPLICAS'),,,deploy:
replicas: ifenvelse(`OPENSLIDES_BACKEND_SERVICE_REPLICAS', 1)) replicas: ifenvelse(`OPENSLIDES_BACKEND_SERVICE_REPLICAS', 1))
@ -81,7 +83,8 @@ services:
entrypoint: /usr/local/sbin/entrypoint-db-setup entrypoint: /usr/local/sbin/entrypoint-db-setup
environment: environment:
<< : *default-osserver-env << : *default-osserver-env
ifelse(ADMIN_SECRET_AVAILABLE, 0, secrets:, USER_SECRET_AVAILABLE, 0, secrets:) secrets:
- django
ifelse(ADMIN_SECRET_AVAILABLE, 0,- os_admin) ifelse(ADMIN_SECRET_AVAILABLE, 0,- os_admin)
ifelse(USER_SECRET_AVAILABLE, 0,- os_user) ifelse(USER_SECRET_AVAILABLE, 0,- os_user)
depends_on: depends_on:
@ -195,7 +198,9 @@ networks:
back: back:
dbnet: dbnet:
ifelse(ADMIN_SECRET_AVAILABLE, 0, secrets:, USER_SECRET_AVAILABLE, 0, secrets:) secrets:
django:
file: ./secrets/django.env
ifelse(ADMIN_SECRET_AVAILABLE, 0,os_admin: ifelse(ADMIN_SECRET_AVAILABLE, 0,os_admin:
file: ./secrets/adminsecret.env) file: ./secrets/adminsecret.env)
ifelse(USER_SECRET_AVAILABLE, 0,os_user: ifelse(USER_SECRET_AVAILABLE, 0,os_user:
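Review bot: The new top-level secret definition `file: ./secrets/django.env` in the third hunk points at the template this same commit adds with an empty `DJANGO_SECRET_KEY=`, so populating it in place turns a tracked file into a modified one and a careless `git add .` would commit the live key; unless `.gitignore` already covers that path (not visible here), the generated key should live at a separate untracked path, or the template elsewhere. A fresh checkout will also mount the empty template without complaint and fail only later in the entrypoints, which matches the commit message but is not signalled in the compose file; a comment on the definition such as `# Required: populate DJANGO_SECRET_KEY before the first start` would save operators a round-trip. The second compose template below carries the identical definition. The `os_user` entry at the end of the third hunk continues outside the hunk.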


@ -71,6 +71,8 @@ services:
# command: "daphne -b 0.0.0.0 -p 8000 openslides.asgi:application" # command: "daphne -b 0.0.0.0 -p 8000 openslides.asgi:application"
environment: environment:
<< : *default-osserver-env << : *default-osserver-env
secrets:
- django
deploy: deploy:
restart_policy: restart_policy:
condition: on-failure condition: on-failure
@ -82,7 +84,8 @@ services:
entrypoint: /usr/local/sbin/entrypoint-db-setup entrypoint: /usr/local/sbin/entrypoint-db-setup
environment: environment:
<< : *default-osserver-env << : *default-osserver-env
ifelse(ADMIN_SECRET_AVAILABLE, 0, secrets:, USER_SECRET_AVAILABLE, 0, secrets:) secrets:
- django
ifelse(ADMIN_SECRET_AVAILABLE, 0,- os_admin) ifelse(ADMIN_SECRET_AVAILABLE, 0,- os_admin)
ifelse(USER_SECRET_AVAILABLE, 0,- os_user) ifelse(USER_SECRET_AVAILABLE, 0,- os_user)
@ -229,7 +232,9 @@ networks:
driver_opts: driver_opts:
encrypted: "" encrypted: ""
ifelse(ADMIN_SECRET_AVAILABLE, 0, secrets:, USER_SECRET_AVAILABLE, 0, secrets:) secrets:
django:
file: ./secrets/django.env
ifelse(ADMIN_SECRET_AVAILABLE, 0,os_admin: ifelse(ADMIN_SECRET_AVAILABLE, 0,os_admin:
file: ./secrets/adminsecret.env) file: ./secrets/adminsecret.env)
ifelse(USER_SECRET_AVAILABLE, 0,os_user: ifelse(USER_SECRET_AVAILABLE, 0,os_user:


@ -0,0 +1,3 @@
# Define a secret key for Django
# https://docs.djangoproject.com/en/1.10/howto/deployment/checklist/#secret-key
DJANGO_SECRET_KEY=
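Review bot: The template does not say what format its consumers require: the entrypoints in this commit `source` the file with bash, so the line must be a single valid shell assignment and any value containing `$`, backticks, `"`, `!` or spaces has to be quoted. A second comment line would prevent a mangled key, for example `# One line in shell syntax; single-quote the value so special characters stay literal: DJANGO_SECRET_KEY='<long random value>'`, and a hint that the value can be produced with Django's own `get_random_secret_key` would cover the "generated manually" case the commit message leaves open. The docs link is pinned to 1.10; `/en/stable/` would not drift.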


@ -7,12 +7,4 @@ printf "Server built on %s:\n\nBranch: %s\n\n%s\n" \
"$(git rev-parse --abbrev-ref HEAD)" \ "$(git rev-parse --abbrev-ref HEAD)" \
"$(git show -s --format=raw)" > docker/server-version.txt "$(git show -s --format=raw)" > docker/server-version.txt
# @Gernot: TODO
# SECRET_KEY=$(head /dev/urandom | tr -dc 'A-Za-z0-9!"#$%&()*+,-./:;<=>?@[]^_`{|}~' | head -c 64)
# sed: \/& must be escaped...
# ESCAPED_SECRET_KEY=$(printf "%s\n" "$SECRET_KEY" | sed -e 's/[\/&]/\\&/g')
# sed -i \
# -e "/SECRET_KEY/s/%%secret-key%%/$ESCAPED_SECRET_KEY/" \
# docker/settings.py
docker build -f docker/Dockerfile . $@ docker build -f docker/Dockerfile . $@


@ -2,6 +2,15 @@
set -e set -e
# Set DJANGO_SECRET_KEY variable
source /run/secrets/django
[[ -n "$DJANGO_SECRET_KEY" ]] || {
echo "ERROR: Django secret key undefined! Cannot continue."
sleep 5
exit 2
}
export SECRET_KEY="$DJANGO_SECRET_KEY"
# TODO: env variable for this host # TODO: env variable for this host
wait-for-it -t 0 "server-db-setup:8000" wait-for-it -t 0 "server-db-setup:8000"
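Review bot: `source /run/secrets/django` on line 100 executes the secret file as shell rather than reading it as data, so a key containing `$`, backticks, `"`, `!`, `#`, `;` or spaces — the very character set the generator removed from build.sh in this commit drew from — is either silently truncated or run as a command, and with `set -e` on line 98 a missing or unreadable file aborts with bash's own error before the friendly message on line 102 is reached. Checking the file first and extracting the one expected assignment with `sed` avoids both; the identical block in the db-setup entrypoint below should change the same way. This assumes the file holds a single `DJANGO_SECRET_KEY=` line as in the committed template.
```shell
# Set DJANGO_SECRET_KEY from the mounted secret (one KEY=value line, read as data, never executed)
[[ -r /run/secrets/django ]] || {
    echo "ERROR: /run/secrets/django missing or unreadable! Cannot continue."
    sleep 5
    exit 2
}
DJANGO_SECRET_KEY="$(sed -n 's/^DJANGO_SECRET_KEY=//p' /run/secrets/django)"
[[ -n "$DJANGO_SECRET_KEY" ]] || {
    echo "ERROR: Django secret key undefined! Cannot continue."
    sleep 5
    exit 2
}
export SECRET_KEY="$DJANGO_SECRET_KEY"
# … unchanged: wait-for-it …
```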


@ -15,6 +15,15 @@ EOF
sleep 10 sleep 10
} }
# Set DJANGO_SECRET_KEY variable
source /run/secrets/django
[[ -n "$DJANGO_SECRET_KEY" ]] || {
echo "ERROR: Django secret key undefined! Cannot continue."
sleep 5
exit 2
}
export SECRET_KEY="$DJANGO_SECRET_KEY"
# Configure database # Configure database
# TODO: env variables?? # TODO: env variables??
echo "postgres:5432:instancecfg:openslides:openslides" > "${HOME}/.pgpass" echo "postgres:5432:instancecfg:openslides:openslides" > "${HOME}/.pgpass"