From bd361329461f5bbd536ff9f9e2bf7de20b2cc02b Mon Sep 17 00:00:00 2001
From: "Adrian A. Baumann"
Date: Tue, 30 Dec 2025 17:05:30 +0100
Subject: [PATCH] SECRET_KEY now uses a kubernetes secret with a fallback value for local testing
---
 argocd/deployment.yaml | 8 ++++++-
 argocd/secret.yaml | 8 +++++++
 labhelper/settings.py | 3 ++-
 scripts/deploy_secret.sh | 45 ++++++++++++++++++++++++++++++++++++++++
 4 files changed, 62 insertions(+), 2 deletions(-)
 create mode 100644 argocd/secret.yaml
 create mode 100755 scripts/deploy_secret.sh
diff --git a/argocd/deployment.yaml b/argocd/deployment.yaml
index 9b78d72..ec8efc1 100644
--- a/argocd/deployment.yaml
+++ b/argocd/deployment.yaml
@@ -27,10 +27,16 @@ spec:
 mountPath: /data
 containers:
 - name: web
- image: git.baumann.gr/adebaumann/labhelper:0.039
+ image: git.baumann.gr/adebaumann/labhelper:0.040
 imagePullPolicy: Always
 ports:
 - containerPort: 8000
+ env:
+ - name: DJANGO_SECRET_KEY
+ valueFrom:
+ secretKeyRef:
+ name: django-secret
+ key: secret-key
 volumeMounts:
 - name: data
 mountPath: /app/data
diff --git a/argocd/secret.yaml b/argocd/secret.yaml
new file mode 100644
index 0000000..6a3b418
--- /dev/null
+++ b/argocd/secret.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: django-secret
+ namespace: labhelper
+type: Opaque
+stringData:
+ secret-key: "CHANGE_ME_TO_RANDOM_STRING"
diff --git a/labhelper/settings.py b/labhelper/settings.py
index 0829e59..bd56439 100644
--- a/labhelper/settings.py
+++ b/labhelper/settings.py
@@ -10,6 +10,7 @@ For the full list of settings and their values, see
 https://docs.djangoproject.com/en/5.2/ref/settings/
 """
+import os
 from pathlib import Path
 # Build paths inside the project like this: BASE_DIR / 'subdir'.
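Review bot: The new argocd/secret.yaml commits a Secret whose `secret-key` is the literal placeholder `CHANGE_ME_TO_RANDOM_STRING`, in the same directory as the Deployment manifest. If Argo CD syncs this directory (not visible in the patch), it would apply the placeholder as the live `django-secret`, and with self-heal enabled it could also revert the random key that scripts/deploy_secret.sh applies, leaving Django signing with a value anyone can read in the repository. Keep the template outside the synced path or exclude it from the Application, and mark it with a header comment such as `# Template only: rendered by scripts/deploy_secret.sh, must not be synced by Argo CD`. A sealed or externally managed secret would remove the manual step altogether.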
@@ -20,7 +21,7 @@ BASE_DIR = Path(__file__).resolve().parent.parent
 # See https://docs.djangoproject.com/en/5.2/howto/deployment/checklist/
 # SECURITY WARNING: keep the secret key used in production secret!
-SECRET_KEY = 'f0arjg8q3ut4iuqrguqfjaruf0eripIZZN3t1kymy8ugqnj$li2knhha0@gc5v8f3bge=$+gbybj2$jt28uqm'
+SECRET_KEY = os.environ.get('DJANGO_SECRET_KEY', 'f0arjg8q3ut4iuqrguqfjaruf0eripIZZN3t1kymy8ugqnj$li2knhha0@gc5v8f3bge=$+gbybj2$jt28uqm')
 # SECURITY WARNING: don't run with debug turned on in production!
 DEBUG = True
diff --git a/scripts/deploy_secret.sh b/scripts/deploy_secret.sh
new file mode 100755
index 0000000..b839081
--- /dev/null
+++ b/scripts/deploy_secret.sh
@@ -0,0 +1,45 @@
+#!/bin/bash
+# Generate and deploy Django secret key to Kubernetes
+
+NAMESPACE="labhelper"
+SECRET_NAME="django-secret"
+SECRET_FILE="argocd/secret.yaml"
+
+# Check if secret file exists
+if [ ! -f "$SECRET_FILE" ]; then
+ echo "Error: $SECRET_FILE not found"
+ exit 1
+fi
+
+# Generate random secret key
+SECRET_KEY=$(python3 -c "import secrets; print(secrets.token_urlsafe(50))")
+
+# Create temporary secret file with generated key
+TEMP_SECRET_FILE=$(mktemp)
+cat "$SECRET_FILE" | sed "s/CHANGE_ME_TO_RANDOM_STRING/$SECRET_KEY/g" > "$TEMP_SECRET_FILE"
+
+# Check if secret already exists
+if kubectl get secret "$SECRET_NAME" -n "$NAMESPACE" &>/dev/null; then
+ echo "Secret $SECRET_NAME already exists in namespace $NAMESPACE"
+ read -p "Do you want to replace it? (y/N): " -n 1 -r
+ echo
+ if [[ ! $REPLY =~ ^[Yy]$ ]]; then
+ echo "Aborted"
+ rm "$TEMP_SECRET_FILE"
+ exit 0
+ fi
+ kubectl apply -f "$TEMP_SECRET_FILE"
+ echo "Secret updated successfully"
+else
+ kubectl apply -f "$TEMP_SECRET_FILE"
+ echo "Secret created successfully"
+fi
+
+# Clean up
+rm "$TEMP_SECRET_FILE"
+
+echo ""
+echo "Secret deployed:"
+echo " Name: $SECRET_NAME"
+echo " Namespace: $NAMESPACE"
+echo " Key: secret-key"
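Review bot: In labhelper/settings.py the `os.environ.get('DJANGO_SECRET_KEY', ...)` fallback keeps the previously committed key as a silent default, so any process started without the variable (a run outside the patched Deployment, a typo in the env name) signs with a key that is public in the repository history. Fail closed instead, for example `SECRET_KEY = os.environ['DJANGO_SECRET_KEY']`, and let local development export its own throwaway value. The old literal should be treated as compromised and not reused, since Django derives session and password-reset signatures from it. The context line `DEBUG = True` is still hard-coded in this hunk, so gating a fallback on DEBUG would not help as the file stands.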
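Review bot: scripts/deploy_secret.sh has no error handling, so a failed `python3` call leaves `SECRET_KEY` empty and a failed `kubectl apply` is still followed by "Secret updated successfully" or "Secret created successfully". Add `set -euo pipefail` directly after the shebang. The temporary file holds the plaintext key and is removed only on the paths that reach `rm`; an interrupt or early failure leaves it in the temp directory, so register `trap 'rm -f "$TEMP_SECRET_FILE"' EXIT` right after `mktemp`, or drop the file and pipe the sed output to `kubectl apply -f -`. Because the Deployment injects `DJANGO_SECRET_KEY` as an environment variable, running pods keep the old key until they are restarted, which the final status output should mention.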