Django options pulled out into configmap; Docker build should now succeed despite no ENV-var with secret

2026-01-15 16:34:56 +01:00
parent 67d4087e3a
commit e8f34f7fa5
8 changed files with 480 additions and 39 deletions
--- a/docs/kubernetes-secrets.md
+++ b/docs/kubernetes-secrets.md
@@ -1,15 +1,27 @@
-# Kubernetes Secret Management for VorgabenUI Django
+# Kubernetes Configuration Management for VorgabenUI Django

-This document describes how to manage Django's SECRET_KEY using Kubernetes secrets with the `VORGABENUI_SECRET` environment variable.
+This document describes how to manage Django configuration using Kubernetes secrets and ConfigMaps.

 ## Overview

-The Django SECRET_KEY has been moved from hardcoded configuration to a Kubernetes secret for improved security. This change ensures that:
+Django configuration has been moved to Kubernetes-native resources for improved security and flexibility:

-1. The SECRET_KEY is not stored in version control
-2. Different environments can use different keys
-3. Key rotation is easier to manage
-4. Follows Kubernetes security best practices
+### **Secrets** (for sensitive data)
+- `VORGABENUI_SECRET` - Django SECRET_KEY
+- Future: Database passwords, API keys, etc.
+
+### **ConfigMaps** (for non-sensitive configuration)
+- `DEBUG` - Debug mode setting
+- `DJANGO_ALLOWED_HOSTS` - Allowed hostnames
+- `DJANGO_SETTINGS_MODULE` - Settings module path
+- Application configuration settings
+
+This approach ensures that:
+
+1. Sensitive data is not stored in version control
+2. Configuration is environment-specific
+3. Non-sensitive settings are easily manageable
+4. Follows Kubernetes best practices
 5. Includes fallback for local development

 ## Files Changed
@@ -20,20 +32,52 @@ The Django SECRET_KEY has been moved from hardcoded configuration to a Kubernete
 - Added warning when fallback key is used

 ### Files Created/Updated
+
+#### **Configuration Resources**
+- `argocd/configmap.yaml` - Django configuration (DEBUG, ALLOWED_HOSTS, etc.)
+- `templates/configmap.yaml` - ConfigMap template (excluded from ArgoCD)
 - `templates/secret.yaml` - Secret template (excluded from ArgoCD deployment)
 - `argocd/secret.yaml` - ArgoCD-specific secret template with ignore annotation
- `argocd/deployment.yaml` - Updated with environment variable configuration
- `scripts/deploy-argocd-secret.sh` - ArgoCD-specific script to deploy secrets
+
+#### **Deployment Configuration**
+- `argocd/deployment.yaml` - Updated with Secret and ConfigMap environment variables
 - `.argocdignore` - ArgoCD ignore patterns for templates and scripts
+
+#### **Deployment Scripts**
+- `scripts/deploy-argocd-secret.sh` - ArgoCD-specific script to deploy secrets
+- `scripts/deploy-argocd-configmap.sh` - ArgoCD-specific script to deploy ConfigMap
+
+#### **Application Code**
+- `VorgabenUI/settings.py` - Updated to use environment variables from ConfigMap
+
+#### **Examples and Documentation**
 - `k8s/django-secret.yaml` - Updated for consistency (vorgabenui namespace)
 - `k8s/django-deployment-example.yaml` - Updated example deployment
 - `scripts/deploy-django-secret.sh` - Updated with new defaults

 ## Usage

-### 1. Deploy the Secret (ArgoCD Production)
+### 1. Deploy ConfigMap (ArgoCD Production)

-For the ArgoCD production deployment, use the dedicated script:
+**Deploy configuration first** (required before the application starts):
+
+```bash
+# Deploy ConfigMap to vorgabenui namespace
+./scripts/deploy-argocd-configmap.sh
+
+# Verify existing ConfigMap
+./scripts/deploy-argocd-configmap.sh --verify-only
+
+# Dry run to see what would happen
+./scripts/deploy-argocd-configmap.sh --dry-run
+
+# Get help
+./scripts/deploy-argocd-configmap.sh --help
+```
+
+### 2. Deploy the Secret (ArgoCD Production)
+
+**Deploy secret second** (contains sensitive SECRET_KEY):

 ```bash
 # Deploy secret to vorgabenui namespace
@@ -49,13 +93,13 @@ For the ArgoCD production deployment, use the dedicated script:
 ./scripts/deploy-argocd-secret.sh --help
 ```

-### 2. Deploy Secret for Other Environments
+### 3. Deploy Resources for Other Environments

-For development or other environments, use the general script:
+For development or other environments, use the general scripts:

 ```bash
-# Deploy to vorgabenui namespace (default)
-./scripts/deploy-django-secret.sh
+# Deploy ConfigMap to vorgabenui namespace (default)
+./scripts/deploy-django-secret.sh  # (includes ConfigMap deployment)

 # Deploy to specific namespace
 ./scripts/deploy-django-secret.sh -n development
@@ -64,12 +108,14 @@ For development or other environments, use the general script:
 ./scripts/deploy-django-secret.sh --help
 ```

-### 3. Environment Variable Configuration
+### 4. Environment Variable Configuration

-The ArgoCD deployment (`argocd/deployment.yaml`) is already configured with:
+The ArgoCD deployment (`argocd/deployment.yaml`) is configured with:

+**Secret Variables:**
 ```yaml
 env:
+# Secret configuration
 - name: VORGABENUI_SECRET
  valueFrom:
    secretKeyRef:
@@ -77,21 +123,53 @@ env:
      key: vorgabenui_secret
 ```

+**ConfigMap Variables:**
+```yaml
+# ConfigMap configuration
+- name: DEBUG
+  valueFrom:
+    configMapKeyRef:
+      name: django-config
+      key: DEBUG
+- name: DJANGO_ALLOWED_HOSTS
+  valueFrom:
+    configMapKeyRef:
+      name: django-config
+      key: DJANGO_ALLOWED_HOSTS
+- name: DJANGO_SETTINGS_MODULE
+  valueFrom:
+    configMapKeyRef:
+      name: django-config
+      key: DJANGO_SETTINGS_MODULE
+```
+
 For other deployments, see `k8s/django-deployment-example.yaml` for a complete example.

-### 4. Verify the Deployment
+### 5. Verify the Deployment

-Check that the secret was created:
+**Check ConfigMap:**
+```bash
+kubectl get configmap django-config -n vorgabenui
+kubectl describe configmap django-config -n vorgabenui
+```

+**Check Secret:**
 ```bash
 kubectl get secrets vorgabenui-secrets -n vorgabenui
 kubectl describe secret vorgabenui-secrets -n vorgabenui
 ```

-Check that Django pods can access the secret:
-
+**Check Django pods can access configuration:**
 ```bash
+# Check secret variable
 kubectl exec -n vorgabenui deployment/django -- printenv VORGABENUI_SECRET
+
+# Check ConfigMap variables
+kubectl exec -n vorgabenui deployment/django -- printenv DEBUG
+kubectl exec -n vorgabenui deployment/django -- printenv DJANGO_ALLOWED_HOSTS
+
+# Check all environment variables
+kubectl exec -n vorgabenui deployment/django -- printenv | grep -E "(VORGABENUI|DEBUG|DJANGO)"
 ```

 ## Development Environment
@@ -101,8 +179,24 @@ kubectl exec -n vorgabenui deployment/django -- printenv VORGABENUI_SECRET
 The application now includes a fallback secret key for local development. When running locally:

 1. **Automatic fallback**: If `VORGABENUI_SECRET` is not set and `DEBUG=True`, a fallback key is used automatically
-2. **Warning message**: The application will log a warning when using the fallback key
-3. **Production safety**: Fallback only works when `DEBUG=True` or `DEBUG` env var is set
+2. **Warning message**: The application will log a warning when using the fallback key (except during builds)
+3. **Production safety**: Fallback only works when `DEBUG=True` or in build environments
+
+### Docker Build Support
+
+The Django settings are designed to work seamlessly during Docker builds:
+
+1. **Build environment detection**: Automatically detects Docker builds, CI environments
+2. **Fallback activation**: Uses fallback key during build without requiring environment variables
+3. **No build-time secrets**: No need to provide `VORGABENUI_SECRET` during `docker build`
+4. **Runtime security**: Production containers still require the proper environment variable
+
+**Supported build environments:**
+- Docker builds (`DOCKER_BUILDKIT`)
+- CI environments (`CI`)
+- GitHub Actions (`GITHUB_ACTIONS`)
+- Gitea Actions (`GITEA_ACTIONS`)
+- Local development (`DEBUG=True`)

 ### Manual Environment Variable

@@ -159,12 +253,22 @@ This setup includes multiple approaches to prevent ArgoCD from trying to deploy

 ### Django fails to start with "VORGABENUI_SECRET environment variable is required"

-This means the environment variable is not set in your pod and DEBUG=False. Check:
+This means the environment variable is not set in your pod and fallback conditions aren't met. Check:

-1. The secret exists: `kubectl get secret vorgabenui-secrets -n vorgabenui`
-2. The deployment references the secret correctly
-3. The pod has the environment variable: `kubectl exec <pod-name> -n vorgabenui -- env | grep VORGABENUI_SECRET`
-4. For local development, ensure `DEBUG=True` to use the fallback key
+1. **Secret exists**: `kubectl get secret vorgabenui-secrets -n vorgabenui`
+2. **Deployment references secret correctly**: Check `argocd/deployment.yaml` env section
+3. **Pod has environment variable**: `kubectl exec <pod-name> -n vorgabenui -- env | grep VORGABENUI_SECRET`
+4. **For local development**: Ensure `DEBUG=True` to use the fallback key
+5. **For Docker builds**: Build should work automatically with fallback
+
+### Docker build fails with SECRET_KEY error
+
+This should no longer happen with the updated settings. If you still see issues:
+
+1. **Check build environment variables**: Build should detect `DOCKER_BUILDKIT=1`
+2. **Verify settings changes**: Ensure the updated `settings.py` is being used
+3. **Force environment detection**: Set `CI=1` during build if needed
+4. **Use explicit DEBUG**: Set `DEBUG=True` during build as fallback

 ### Secret deployment fails

@@ -192,9 +296,24 @@ To rotate the SECRET_KEY:

 ## Script Options

-### ArgoCD Production Script (`deploy-argocd-secret.sh`)
+### ArgoCD Production Scripts

-This script is specifically for ArgoCD production deployment:
+#### **ConfigMap Script (`deploy-argocd-configmap.sh`)**
+
+Deploy Django configuration (non-sensitive):
+
+- `--verify-only` - Only verify existing ConfigMap, don't deploy
+- `--dry-run` - Show what would be deployed without applying
+- `-h, --help` - Show help message
+
+Configuration is hardcoded for ArgoCD:
+- Namespace: `vorgabenui`
+- ConfigMap name: `django-config`
+- ConfigMap file: `argocd/configmap.yaml`
+
+#### **Secret Script (`deploy-argocd-secret.sh`)**
+
+Deploy sensitive configuration:

 - `--verify-only` - Only verify existing secret, don't create new one
 - `--dry-run` - Show what would be done without making changes  
@@ -239,4 +358,26 @@ If you're migrating from a completely hardcoded key:
 4. **Test thoroughly** - local development should work with fallback
 5. **Deploy the updated settings.py** after confirming the secret works

-The ArgoCD deployment (`argocd/deployment.yaml`) now includes the environment variable configuration, so Django will automatically pick up the secret after deployment.
+The ArgoCD deployment (`argocd/deployment.yaml`) now includes the environment variable configuration, so Django will automatically pick up the secret after deployment.
+
+## Deployment Order
+
+**Critical: Deploy resources in this order:**
+
+1. **ConfigMap first** (required for Django to start):
+   ```bash
+   ./scripts/deploy-argocd-configmap.sh
+   ```
+
+2. **Secret second** (contains sensitive data):
+   ```bash
+   ./scripts/deploy-argocd-secret.sh
+   ```
+
+3. **Application deployment** (ArgoCD will sync this automatically):
+   ```bash
+   kubectl apply -f argocd/deployment.yaml
+   # OR let ArgoCD sync from Git
+   ```
+
+If you deploy in the wrong order, Django pods will fail to start because they require both the ConfigMap and Secret to be available.