Docker: Add a Docker secret for the Django key
We have decided against including an insecure default key with a mere warning. Therefore, unlike the admin and user secrets, the availability of this secret is a hard requirement. The instance will not be able to start before a secret has been generated manually or by a management tool.
This commit is contained in:
parent
d48794ae8a
commit
4f194a8794
@ -73,6 +73,8 @@ services:
|
|||||||
- server-db-setup
|
- server-db-setup
|
||||||
environment:
|
environment:
|
||||||
<< : *default-osserver-env
|
<< : *default-osserver-env
|
||||||
|
secrets:
|
||||||
|
- django
|
||||||
ifelse(read_env(`OPENSLIDES_BACKEND_SERVICE_REPLICAS'),,,deploy:
|
ifelse(read_env(`OPENSLIDES_BACKEND_SERVICE_REPLICAS'),,,deploy:
|
||||||
replicas: ifenvelse(`OPENSLIDES_BACKEND_SERVICE_REPLICAS', 1))
|
replicas: ifenvelse(`OPENSLIDES_BACKEND_SERVICE_REPLICAS', 1))
|
||||||
|
|
||||||
@ -81,7 +83,8 @@ services:
|
|||||||
entrypoint: /usr/local/sbin/entrypoint-db-setup
|
entrypoint: /usr/local/sbin/entrypoint-db-setup
|
||||||
environment:
|
environment:
|
||||||
<< : *default-osserver-env
|
<< : *default-osserver-env
|
||||||
ifelse(ADMIN_SECRET_AVAILABLE, 0, secrets:, USER_SECRET_AVAILABLE, 0, secrets:)
|
secrets:
|
||||||
|
- django
|
||||||
ifelse(ADMIN_SECRET_AVAILABLE, 0,- os_admin)
|
ifelse(ADMIN_SECRET_AVAILABLE, 0,- os_admin)
|
||||||
ifelse(USER_SECRET_AVAILABLE, 0,- os_user)
|
ifelse(USER_SECRET_AVAILABLE, 0,- os_user)
|
||||||
depends_on:
|
depends_on:
|
||||||
@ -195,7 +198,9 @@ networks:
|
|||||||
back:
|
back:
|
||||||
dbnet:
|
dbnet:
|
||||||
|
|
||||||
ifelse(ADMIN_SECRET_AVAILABLE, 0, secrets:, USER_SECRET_AVAILABLE, 0, secrets:)
|
secrets:
|
||||||
|
django:
|
||||||
|
file: ./secrets/django.env
|
||||||
ifelse(ADMIN_SECRET_AVAILABLE, 0,os_admin:
|
ifelse(ADMIN_SECRET_AVAILABLE, 0,os_admin:
|
||||||
file: ./secrets/adminsecret.env)
|
file: ./secrets/adminsecret.env)
|
||||||
ifelse(USER_SECRET_AVAILABLE, 0,os_user:
|
ifelse(USER_SECRET_AVAILABLE, 0,os_user:
|
||||||
|
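Review bot: The new unconditional `secrets:` block sits next to the `ifelse(ADMIN_SECRET_AVAILABLE, …)`/`ifelse(USER_SECRET_AVAILABLE, …)` entries, and nothing in the template says why `django` is not gated the same way; a reader of the generated compose file will reasonably assume it was forgotten. A one-line comment above the `django:` entry in the top-level `secrets:` mapping, such as `# The Django secret key is mandatory (no insecure default); see secrets/django.env.example`, records the decision from the commit message where it is needed. The same applies to the corresponding hunks in the second template (the `@ -71,6 +71,8 @@` through `@ -229,7 +232,9 @@` hunks).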
@ -71,6 +71,8 @@ services:
|
|||||||
# command: "daphne -b 0.0.0.0 -p 8000 openslides.asgi:application"
|
# command: "daphne -b 0.0.0.0 -p 8000 openslides.asgi:application"
|
||||||
environment:
|
environment:
|
||||||
<< : *default-osserver-env
|
<< : *default-osserver-env
|
||||||
|
secrets:
|
||||||
|
- django
|
||||||
deploy:
|
deploy:
|
||||||
restart_policy:
|
restart_policy:
|
||||||
condition: on-failure
|
condition: on-failure
|
||||||
@ -82,7 +84,8 @@ services:
|
|||||||
entrypoint: /usr/local/sbin/entrypoint-db-setup
|
entrypoint: /usr/local/sbin/entrypoint-db-setup
|
||||||
environment:
|
environment:
|
||||||
<< : *default-osserver-env
|
<< : *default-osserver-env
|
||||||
ifelse(ADMIN_SECRET_AVAILABLE, 0, secrets:, USER_SECRET_AVAILABLE, 0, secrets:)
|
secrets:
|
||||||
|
- django
|
||||||
ifelse(ADMIN_SECRET_AVAILABLE, 0,- os_admin)
|
ifelse(ADMIN_SECRET_AVAILABLE, 0,- os_admin)
|
||||||
ifelse(USER_SECRET_AVAILABLE, 0,- os_user)
|
ifelse(USER_SECRET_AVAILABLE, 0,- os_user)
|
||||||
|
|
||||||
@ -229,7 +232,9 @@ networks:
|
|||||||
driver_opts:
|
driver_opts:
|
||||||
encrypted: ""
|
encrypted: ""
|
||||||
|
|
||||||
ifelse(ADMIN_SECRET_AVAILABLE, 0, secrets:, USER_SECRET_AVAILABLE, 0, secrets:)
|
secrets:
|
||||||
|
django:
|
||||||
|
file: ./secrets/django.env
|
||||||
ifelse(ADMIN_SECRET_AVAILABLE, 0,os_admin:
|
ifelse(ADMIN_SECRET_AVAILABLE, 0,os_admin:
|
||||||
file: ./secrets/adminsecret.env)
|
file: ./secrets/adminsecret.env)
|
||||||
ifelse(USER_SECRET_AVAILABLE, 0,os_user:
|
ifelse(USER_SECRET_AVAILABLE, 0,os_user:
|
||||||
|
3
docker/secrets/django.env.example
Normal file
3
docker/secrets/django.env.example
Normal file
@ -0,0 +1,3 @@
|
|||||||
|
# Define a secret key for Django
|
||||||
|
# https://docs.djangoproject.com/en/1.10/howto/deployment/checklist/#secret-key
|
||||||
|
DJANGO_SECRET_KEY=
|
@ -7,12 +7,4 @@ printf "Server built on %s:\n\nBranch: %s\n\n%s\n" \
|
|||||||
"$(git rev-parse --abbrev-ref HEAD)" \
|
"$(git rev-parse --abbrev-ref HEAD)" \
|
||||||
"$(git show -s --format=raw)" > docker/server-version.txt
|
"$(git show -s --format=raw)" > docker/server-version.txt
|
||||||
|
|
||||||
# @Gernot: TODO
|
|
||||||
# SECRET_KEY=$(head /dev/urandom | tr -dc 'A-Za-z0-9!"#$%&()*+,-./:;<=>?@[]^_`{|}~' | head -c 64)
|
|
||||||
# sed: \/& must be escaped...
|
|
||||||
# ESCAPED_SECRET_KEY=$(printf "%s\n" "$SECRET_KEY" | sed -e 's/[\/&]/\\&/g')
|
|
||||||
# sed -i \
|
|
||||||
# -e "/SECRET_KEY/s/%%secret-key%%/$ESCAPED_SECRET_KEY/" \
|
|
||||||
# docker/settings.py
|
|
||||||
|
|
||||||
docker build -f docker/Dockerfile . $@
|
docker build -f docker/Dockerfile . $@
|
||||||
|
@ -2,6 +2,15 @@
|
|||||||
|
|
||||||
set -e
|
set -e
|
||||||
|
|
||||||
|
# Set DJANGO_SECRET_KEY variable
|
||||||
|
source /run/secrets/django
|
||||||
|
[[ -n "$DJANGO_SECRET_KEY" ]] || {
|
||||||
|
echo "ERROR: Django secret key undefined! Cannot continue."
|
||||||
|
sleep 5
|
||||||
|
exit 2
|
||||||
|
}
|
||||||
|
export SECRET_KEY="$DJANGO_SECRET_KEY"
|
||||||
|
|
||||||
# TODO: env variable for this host
|
# TODO: env variable for this host
|
||||||
wait-for-it -t 0 "server-db-setup:8000"
|
wait-for-it -t 0 "server-db-setup:8000"
|
||||||
|
|
||||||
|
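Review bot: `source /run/secrets/django` evaluates the secret file as shell code, so a key containing `$`, backticks, `(`, `;`, `&` or `|` — characters that the (now removed) generator sketch in the build script would emit — is expanded or breaks the script rather than being used verbatim, and with `set -e` a missing or unreadable secret file aborts at the `source` line before the "Cannot continue" message ever prints. Reading the value literally and letting the existing non-empty check handle absence avoids both, e.g. replacing the `source` line with `[[ -r /run/secrets/django ]] && DJANGO_SECRET_KEY=$(sed -n 's/^DJANGO_SECRET_KEY=//p' /run/secrets/django)`. If `source` is kept instead, `secrets/django.env.example` should state that the value is evaluated by the shell and must be single-quoted. The identical block is added again in the `@ -15,6 +15,15 @@` hunk of the db-setup entrypoint and needs the same treatment.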
@ -15,6 +15,15 @@ EOF
|
|||||||
sleep 10
|
sleep 10
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# Set DJANGO_SECRET_KEY variable
|
||||||
|
source /run/secrets/django
|
||||||
|
[[ -n "$DJANGO_SECRET_KEY" ]] || {
|
||||||
|
echo "ERROR: Django secret key undefined! Cannot continue."
|
||||||
|
sleep 5
|
||||||
|
exit 2
|
||||||
|
}
|
||||||
|
export SECRET_KEY="$DJANGO_SECRET_KEY"
|
||||||
|
|
||||||
# Configure database
|
# Configure database
|
||||||
# TODO: env variables??
|
# TODO: env variables??
|
||||||
echo "postgres:5432:instancecfg:openslides:openslides" > "${HOME}/.pgpass"
|
echo "postgres:5432:instancecfg:openslides:openslides" > "${HOME}/.pgpass"
|
||||||
|