adebaumann/vgui-cicd
0
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: adebaumann:b0725fb3856b29487cbd3ff0b537e3a4b35a0d74
Branches Tags
adebaumann:development adebaumann:feature/docx adebaumann:feature/imagesintext adebaumann:upgrade/django6 adebaumann:feature/importform adebaumann:simplify adebaumann:feature/dateranges adebaumann:feature/comment-page adebaumann:fix/argocd-ingress_progressing adebaumann:feature/comments adebaumann:feature/nfs-storage adebaumann:improvements/frontend adebaumann:improvements/argocd-service-fix adebaumann:feature/login adebaumann:feature/oblique adebaumann:main adebaumann:feature/gitops adebaumann:feature/add-missing-tests adebaumann:cleanup/remove-diagram-proxy adebaumann:improvement/admin-tweaks adebaumann:improvement/better-design-pre-cdbund adebaumann:complete-refactor adebaumann:feature/json adebaumann:feature/list-of-incomplete-vorgaben adebaumann:improvement/search-in-title adebaumann:improve-dokument-admin adebaumann:helm-charts adebaumann:feature/vorgaben-table adebaumann:feature/textabschnitte-comprehensive-tests adebaumann:feature/dokumente-unit-tests adebaumann:rename_standards adebaumann:consolidate_search adebaumann:django-debug-toolbar
...
compare: adebaumann:upgrade/django6
Branches Tags
adebaumann:feature/docx adebaumann:development adebaumann:feature/imagesintext adebaumann:upgrade/django6 adebaumann:feature/importform adebaumann:simplify adebaumann:feature/dateranges adebaumann:feature/comment-page adebaumann:fix/argocd-ingress_progressing adebaumann:feature/comments adebaumann:feature/nfs-storage adebaumann:improvements/frontend adebaumann:improvements/argocd-service-fix adebaumann:feature/login adebaumann:feature/oblique adebaumann:main adebaumann:feature/gitops adebaumann:feature/add-missing-tests adebaumann:cleanup/remove-diagram-proxy adebaumann:improvement/admin-tweaks adebaumann:improvement/better-design-pre-cdbund adebaumann:complete-refactor adebaumann:feature/json adebaumann:feature/list-of-incomplete-vorgaben adebaumann:improvement/search-in-title adebaumann:improve-dokument-admin adebaumann:helm-charts adebaumann:feature/vorgaben-table adebaumann:feature/textabschnitte-comprehensive-tests adebaumann:feature/dokumente-unit-tests adebaumann:rename_standards adebaumann:consolidate_search adebaumann:django-debug-toolbar

14 Commits
b0725fb385 ... upgrade/dj

Author SHA1 Message Date
Adrian A. Baumann
996584ef68 Some changes after code review; Deploying to Development
Some checks failed
SonarQube Scan / SonarQube Trigger (push) Has been cancelled
Details
Build containers when image tags change / build-if-image-changed (., web, containers, main container, git.baumann.gr/adebaumann/vui) (push) Successful in 5s
Details
Build containers when image tags change / build-if-image-changed (data-loader, loader, initContainers, init-container, git.baumann.gr/adebaumann/vui-data-loader) (push) Successful in 5s
Details
SonarQube Scan / SonarQube Trigger (pull_request) Failing after 10s
Details
2026-01-20 10:17:29 +01:00
Adrian A. Baumann
18fac6e8b9 Code reviewed; Package versions updated to latest (incl. Django 6)
Some checks failed
SonarQube Scan / SonarQube Trigger (push) Has been cancelled
Details
2026-01-20 09:51:08 +01:00
Adrian A. Baumann
492f8b4e90 NFS and kubernetes shenanigans
Some checks failed
Build containers when image tags change / build-if-image-changed (., web, containers, main container, git.baumann.gr/adebaumann/vui) (push) Successful in 29s
Details
Build containers when image tags change / build-if-image-changed (data-loader, loader, initContainers, init-container, git.baumann.gr/adebaumann/vui-data-loader) (push) Successful in 6s
Details
SonarQube Scan / SonarQube Trigger (push) Failing after 1m34s
Details
2026-01-19 23:42:47 +01:00
Adrian A. Baumann
e86e3c19b5 NFS troubleshooting
Some checks failed
Build containers when image tags change / build-if-image-changed (., web, containers, main container, git.baumann.gr/adebaumann/vui) (push) Successful in 1m28s
Details
Build containers when image tags change / build-if-image-changed (data-loader, loader, initContainers, init-container, git.baumann.gr/adebaumann/vui-data-loader) (push) Successful in 7s
Details
SonarQube Scan / SonarQube Trigger (push) Failing after 1m34s
Details
2026-01-19 23:37:44 +01:00
Adrian A. Baumann
938424a02e Kubernetes PVC changed to shared NFS
Some checks failed
SonarQube Scan / SonarQube Trigger (push) Has been cancelled
Details
2026-01-19 22:19:31 +01:00
Adrian A. Baumann
b9e1a06e09 Error pages in correct design
Some checks failed
Build containers when image tags change / build-if-image-changed (., web, containers, main container, git.baumann.gr/adebaumann/vui) (push) Successful in 4s
Details
Build containers when image tags change / build-if-image-changed (data-loader, loader, initContainers, init-container, git.baumann.gr/adebaumann/vui-data-loader) (push) Successful in 5s
Details
SonarQube Scan / SonarQube Trigger (push) Failing after 49s
Details
2026-01-19 13:52:07 +01:00
Adrian A. Baumann
1a0c74bfa2 Static file serving out of DEBUG mode addressed
Some checks failed
Build containers when image tags change / build-if-image-changed (., web, containers, main container, git.baumann.gr/adebaumann/vui) (push) Successful in 1m4s
Details
Build containers when image tags change / build-if-image-changed (data-loader, loader, initContainers, init-container, git.baumann.gr/adebaumann/vui-data-loader) (push) Successful in 5s
Details
SonarQube Scan / SonarQube Trigger (push) Failing after 55s
Details
2026-01-19 13:26:26 +01:00
Adrian A. Baumann
82455358ff Allowed IPs in configmap changed, again
Some checks failed
SonarQube Scan / SonarQube Trigger (push) Failing after 47s
Details
2026-01-15 17:07:15 +01:00
Adrian A. Baumann
713798352d Allowed IPs in configmap changed
Some checks failed
SonarQube Scan / SonarQube Trigger (push) Failing after 48s
Details
2026-01-15 17:05:22 +01:00
Adrian A. Baumann
0e8e2da169 Removed secret deployment from argocd
Some checks failed
SonarQube Scan / SonarQube Trigger (push) Failing after 48s
Details
2026-01-15 16:59:24 +01:00
Adrian A. Baumann
e8f34f7fa5 Django options pulled out into configmap; Docker build should now succeed despite no ENV-var with secret
Some checks failed
Build containers when image tags change / build-if-image-changed (., web, containers, main container, git.baumann.gr/adebaumann/vui) (push) Successful in 39s
Details
Build containers when image tags change / build-if-image-changed (data-loader, loader, initContainers, init-container, git.baumann.gr/adebaumann/vui-data-loader) (push) Successful in 4s
Details
SonarQube Scan / SonarQube Trigger (push) Failing after 47s
Details
2026-01-15 16:34:56 +01:00
Adrian A. Baumann
67d4087e3a Changed secret key deployment; Updated requirements due to vulnerability in urllib
Some checks failed
Build containers when image tags change / build-if-image-changed (., web, containers, main container, git.baumann.gr/adebaumann/vui) (push) Failing after 1m3s
Details
Build containers when image tags change / build-if-image-changed (data-loader, loader, initContainers, init-container, git.baumann.gr/adebaumann/vui-data-loader) (push) Successful in 7s
Details
SonarQube Scan / SonarQube Trigger (push) Failing after 8s
Details
2026-01-15 16:18:25 +01:00
Adrian A. Baumann
ffda7ca601 SECRET_KEY now uses a kubernetes secret with a fallback value for local testing
Some checks failed
Build containers when image tags change / build-if-image-changed (., web, containers, main container, git.baumann.gr/adebaumann/vui) (push) Successful in 2m9s
Details
Build containers when image tags change / build-if-image-changed (data-loader, loader, initContainers, init-container, git.baumann.gr/adebaumann/vui-data-loader) (push) Successful in 9s
Details
SonarQube Scan / SonarQube Trigger (push) Failing after 2m29s
Details
2026-01-15 16:04:25 +01:00
Adrian A. Baumann
9d0a838238 Deployment
Some checks failed
Build containers when image tags change / build-if-image-changed (., web, containers, main container, git.baumann.gr/adebaumann/vui) (push) Successful in 22s
Details
Build containers when image tags change / build-if-image-changed (data-loader, loader, initContainers, init-container, git.baumann.gr/adebaumann/vui-data-loader) (push) Successful in 4s
Details
SonarQube Scan / SonarQube Trigger (push) Failing after 46s
Details
2026-01-09 14:21:29 +01:00
41 changed files with 1757 additions and 413 deletions
Expand all files Collapse all files

22
.argocdignore Normal file
View File

@@ -0,0 +1,22 @@
# ArgoCD ignore patterns
# Exclude template files from ArgoCD deployment
# Secret templates (deployed separately by scripts)
templates/
**/secret.yaml
# Documentation and scripts
docs/
scripts/
*.md
README*
# Development files
.env*
.git*
.vscode/
.idea/
# CI/CD files
.gitea/
.github/

3
.gitignore vendored
View File

@@ -16,4 +16,5 @@ AGENT*.md
# Diagram cache directory
media/diagram_cache/
.env
data/db.sqlite3
data/
dataremote/

8
Dockerfile
View File

@@ -1,4 +1,4 @@
FROM python:3.14 AS baustelle
FROM python:3.15-rc-trixie AS baustelle
RUN mkdir /app
WORKDIR /app
ENV PYTHONDONTWRITEBYTECODE=1
@@ -7,12 +7,12 @@ RUN pip install --upgrade pip
COPY requirements.txt /app/
RUN pip install --no-cache-dir -r requirements.txt
FROM python:3.14-slim
FROM python:3.15-rc-slim-trixie
RUN useradd -m -r appuser && \
mkdir /app && \
chown -R appuser /app
COPY --from=baustelle /usr/local/lib/python3.14/site-packages/ /usr/local/lib/python3.14/site-packages/
COPY --from=baustelle /usr/local/lib/python3.15/site-packages/ /usr/local/lib/python3.15/site-packages/
COPY --from=baustelle /usr/local/bin/ /usr/local/bin/
RUN rm /usr/bin/tar /usr/lib/x86_64-linux-gnu/libncur*
WORKDIR /app
@@ -21,6 +21,8 @@ ENV PYTHONDONTWRITEBYTECODE=1
ENV PYTHONUNBUFFERED=1
USER appuser
EXPOSE 8000
# Set build environment variable to enable fallback secret key during build
ENV DOCKER_BUILDKIT=1
RUN rm -rvf /app/Dockerfile* \
/app/README.md \
/app/argocd \

141
VorgabenUI/settings-docker.py
View File

@@ -1,141 +0,0 @@
"""
Django settings for VorgabenUI project.
Generated by 'django-admin startproject' using Django 5.2.
For more information on this file, see
https://docs.djangoproject.com/en/5.2/topics/settings/
For the full list of settings and their values, see
https://docs.djangoproject.com/en/5.2/ref/settings/
"""
import os
from pathlib import Path
# Build paths inside the project like this: BASE_DIR / 'subdir'.
BASE_DIR = Path(__file__).resolve().parent.parent
# Quick-start development settings - unsuitable for production
# See https://docs.djangoproject.com/en/5.2/howto/deployment/checklist/
# SECURITY WARNING: keep the secret key used in production secret!
SECRET_KEY = os.environ.get("SECRET_KEY")
# SECURITY WARNING: don't run with debug turned on in production!
DEBUG = bool(os.environ.get("DEBUG", default=0))
ALLOWED_HOSTS = os.environ.get("DJANGO_ALLOWED_HOSTS","127.0.0.1").split(",")
# Application definition
INSTALLED_APPS = [
'django.contrib.admin',
'django.contrib.auth',
'django.contrib.contenttypes',
'django.contrib.sessions',
'django.contrib.messages',
'django.contrib.staticfiles',
'dokumente',
'abschnitte',
'stichworte',
'mptt',
'nested_admin',
]
MIDDLEWARE = [
'django.middleware.security.SecurityMiddleware',
'django.contrib.sessions.middleware.SessionMiddleware',
'django.middleware.common.CommonMiddleware',
'django.middleware.csrf.CsrfViewMiddleware',
'django.contrib.auth.middleware.AuthenticationMiddleware',
'django.contrib.messages.middleware.MessageMiddleware',
'django.middleware.clickjacking.XFrameOptionsMiddleware',
]
ROOT_URLCONF = 'VorgabenUI.urls'
TEMPLATES = [
{
'BACKEND': 'django.template.backends.django.DjangoTemplates',
'DIRS': [],
'APP_DIRS': True,
'OPTIONS': {
'context_processors': [
'django.template.context_processors.request',
'django.contrib.auth.context_processors.auth',
'django.contrib.messages.context_processors.messages',
],
},
},
]
WSGI_APPLICATION = 'VorgabenUI.wsgi.application'
# Database
# https://docs.djangoproject.com/en/5.2/ref/settings/#databases
DATABASES = {
'default': {
'ENGINE': 'django.db.backends.sqlite3',
'NAME': BASE_DIR / 'data/db.sqlite3',
}
}
# Password validation
# https://docs.djangoproject.com/en/5.2/ref/settings/#auth-password-validators
AUTH_PASSWORD_VALIDATORS = [
{
'NAME': 'django.contrib.auth.password_validation.UserAttributeSimilarityValidator',
},
{
'NAME': 'django.contrib.auth.password_validation.MinimumLengthValidator',
},
{
'NAME': 'django.contrib.auth.password_validation.CommonPasswordValidator',
},
{
'NAME': 'django.contrib.auth.password_validation.NumericPasswordValidator',
},
]
# Internationalization
# https://docs.djangoproject.com/en/5.2/topics/i18n/
LANGUAGE_CODE = 'de-ch'
TIME_ZONE = 'UTC'
USE_I18N = True
USE_TZ = True
# Static files (CSS, JavaScript, Images)
# https://docs.djangoproject.com/en/5.2/howto/static-files/
STATIC_URL = '/static/'
STATIC_ROOT="/home/adebaumann/VorgabenUI/staticfiles/"
STATICFILES_DIRS= (
os.path.join(BASE_DIR,"static"),
)
# Media files (User-uploaded content)
MEDIA_URL = '/media/'
MEDIA_ROOT = os.path.join(BASE_DIR, 'media')
# Diagram cache settings
DIAGRAM_CACHE_DIR = 'diagram_cache' # relative to MEDIA_ROOT
# Default primary key field type
# https://docs.djangoproject.com/en/5.2/ref/settings/#default-auto-field
DEFAULT_AUTO_FIELD = 'django.db.models.BigAutoField'
DATA_UPLOAD_MAX_NUMBER_FIELDS=10250
NESTED_ADMIN_LAZY_INLINES = True

41
VorgabenUI/settings.py
View File

@@ -20,13 +20,34 @@ BASE_DIR = Path(__file__).resolve().parent.parent
# Quick-start development settings - unsuitable for production
# See https://docs.djangoproject.com/en/5.2/howto/deployment/checklist/
# SECURITY WARNING: keep the secret key used in production secret!
SECRET_KEY = '429ti9tugj9güLLO))(G&G94KF452R3Fieaek$&6s#zlao-ca!#)_@j6*u+8s&bvfil^qyo%&-sov$ysi'
# SECURITY WARNING: don't run with debug turned on in production!
DEBUG = True
DEBUG = os.environ.get('DEBUG', 'True').lower() in ('true', '1', 'yes', 'on')
ALLOWED_HOSTS = ["10.128.128.144","localhost","127.0.0.1","*"]
# SECURITY WARNING: keep the secret key used in production secret!
SECRET_KEY = os.environ.get('VORGABENUI_SECRET')
if not SECRET_KEY:
# Check if we're in a build environment (Docker build, CI, etc.)
is_build_env = any([
os.environ.get('DOCKER_BUILDKIT'), # Docker build
os.environ.get('CI'), # CI environment
os.environ.get('GITHUB_ACTIONS'), # GitHub Actions
os.environ.get('GITEA_ACTIONS'), # Gitea Actions
])
# Use DEBUG environment variable or assume debug mode for local development
debug_mode = os.environ.get('DEBUG', 'True').lower() in ('true', '1', 'yes', 'on')
if debug_mode or is_build_env:
# Fixed fallback key for local development and build environments
SECRET_KEY = 'dev-fallback-key-for-local-debugging-only-not-for-production-use-12345'
if not is_build_env: # Don't log during build to avoid noise
import logging
logging.warning("🚨 Using fallback SECRET_KEY for local development. This should NEVER happen in production!")
else:
raise ValueError("VORGABENUI_SECRET environment variable is required")
ALLOWED_HOSTS = os.environ.get('DJANGO_ALLOWED_HOSTS', "10.128.128.144,localhost,127.0.0.1,*").split(",")
# Application definition
@@ -37,6 +58,7 @@ INSTALLED_APPS = [
'django.contrib.sessions',
'django.contrib.messages',
'django.contrib.staticfiles',
'whitenoise',
'dokumente',
'abschnitte',
'stichworte',
@@ -48,6 +70,7 @@ INSTALLED_APPS = [
]
MIDDLEWARE = [
'whitenoise.middleware.WhiteNoiseMiddleware',
'django.middleware.security.SecurityMiddleware',
'django.contrib.sessions.middleware.SessionMiddleware',
'django.middleware.common.CommonMiddleware',
@@ -115,7 +138,7 @@ AUTH_PASSWORD_VALIDATORS = [
LANGUAGE_CODE = 'de-ch'
TIME_ZONE = 'UTC'
TIME_ZONE = 'Europe/Zurich'
USE_I18N = True
@@ -143,6 +166,12 @@ DIAGRAM_CACHE_DIR = 'diagram_cache' # relative to MEDIA_ROOT
# https://docs.djangoproject.com/en/5.2/ref/settings/#default-auto-field
DEFAULT_AUTO_FIELD = 'django.db.models.BigAutoField'
# Custom error pages
handler400 = 'pages.views.custom_400'
handler403 = 'pages.views.custom_403'
handler404 = 'pages.views.custom_404'
handler500 = 'pages.views.custom_500'
DATA_UPLOAD_MAX_NUMBER_FIELDS=10250
NESTED_ADMIN_LAZY_INLINES = True

4
VorgabenUI/urls.py
View File

@@ -40,9 +40,7 @@ urlpatterns = [
path('password_change/done/', auth_views.PasswordChangeDoneView.as_view(template_name='registration/password_change_done.html'), name='password_change_done'),
]
# Serve static files
urlpatterns += static(settings.STATIC_URL, document_root=settings.STATIC_ROOT)
# Serve media files (including cached diagrams)
if settings.DEBUG:
urlpatterns += static(settings.MEDIA_URL, document_root=settings.MEDIA_ROOT)
urlpatterns += static(settings.STATIC_URL, document_root=settings.STATIC_ROOT)

25
argocd/configmap.yaml Normal file
View File

@@ -0,0 +1,25 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: django-config
namespace: vorgabenui
data:
# Django Configuration
DEBUG: "false"
DJANGO_ALLOWED_HOSTS: "vorgabenportal.knowyoursecurity.com,localhost,127.0.0.1,*"
DJANGO_SETTINGS_MODULE: "VorgabenUI.settings"
# Application Configuration
LANGUAGE_CODE: "de-ch"
TIME_ZONE: "UTC"
# Static and Media Configuration
STATIC_URL: "/static/"
MEDIA_URL: "/media/"
# Database Configuration (for future use)
# DATABASE_ENGINE: "django.db.backends.sqlite3"
# DATABASE_NAME: "/app/data/db.sqlite3"
# Security Configuration
# CSRF_TRUSTED_ORIGINS: "https://vorgabenportal.knowyoursecurity.com"

31
argocd/deployment.yaml
View File

@@ -14,19 +14,44 @@ spec:
app: django
spec:
securityContext:
fsGroup: 999
fsGroup: 99
fsGroupChangePolicy: "OnRootMismatch"
initContainers:
- name: loader
image: git.baumann.gr/adebaumann/vui-data-loader:0.11
command: [ "sh","-c","cp -n preload/preload.sqlite3 /data/db.sqlite3; chown -R 999:999 /data; ls -la /data; sleep 10; exit 0" ]
command: [ "sh","-c","if [ ! -f /data/db.sqlite3 ] || [ ! -s /data/db.sqlite3 ]; then cp preload/preload.sqlite3 /data/db.sqlite3 && echo 'Database copied from preload'; else echo 'Existing database preserved'; fi" ]
volumeMounts:
- name: data
mountPath: /data
containers:
- name: web
image: git.baumann.gr/adebaumann/vui:0.974
image: git.baumann.gr/adebaumann/vui:0.983
imagePullPolicy: Always
securityContext:
runAsUser: 99
env:
# Secret configuration
- name: VORGABENUI_SECRET
valueFrom:
secretKeyRef:
name: vorgabenui-secrets
key: vorgabenui_secret
# ConfigMap configuration
- name: DEBUG
valueFrom:
configMapKeyRef:
name: django-config
key: DEBUG
- name: DJANGO_ALLOWED_HOSTS
valueFrom:
configMapKeyRef:
name: django-config
key: DJANGO_ALLOWED_HOSTS
- name: DJANGO_SETTINGS_MODULE
valueFrom:
configMapKeyRef:
name: django-config
key: DJANGO_SETTINGS_MODULE
ports:
- containerPort: 8000
volumeMounts:

3
argocd/nfs-pv.yaml
View File

@@ -4,6 +4,9 @@ metadata:
name: django-data-pv
namespace: vorgabenui
spec:
claimRef:
name: django-data-pvc
namespace: vorgabenui
capacity:
storage: 2Gi
accessModes:

512
code-review.md Normal file
View File

@@ -0,0 +1,512 @@
# Code Review: vgui-cicd Django Project
**Date:** January 20, 2026
**Reviewer:** AI Code Review
**Project Path:** /home/adebaumann/development/vgui-cicd
---
## 1. PROJECT STRUCTURE
### Overview
The project follows Django conventions with a clear app structure:
- **VorgabenUI** - Main project settings, URLs, WSGI/ASGI
- **dokumente** - Core document and Vorgabe models (315 lines)
- **abschnitte** - Text section models and utilities
- **stichworte** - Keyword/stichwort models
- **referenzen** - Reference models (MPTT-based)
- **rollen** - Role models
- **pages** - General pages and views
- **diagramm_proxy** - Diagram caching functionality
### Issues Found
**Minor - settings-docker.py**: The `settings-docker.py` file has duplicate `AUTH_PASSWORD_VALIDATORS` definitions (lines 92-105 and 183-199), which is redundant.
- **File**: `/home/adebaumann/development/vgui-cicd/VorgabenUI/settings-docker.py` (lines 92-105 and 183-199)
---
## 2. SETTINGS REVIEW
### Critical Issues
**1. Fallback SECRET_KEY in production** (`/home/adebaumann/development/vgui-cicd/VorgabenUI/settings.py`, lines 27-47)
```python
SECRET_KEY = os.environ.get('VORGABENUI_SECRET')
if not SECRET_KEY:
is_build_env = any([...])
debug_mode = ...
if debug_mode or is_build_env:
SECRET_KEY = 'dev-fallback-key-for-local-debugging-only-not-for-production-use-12345'
```
- **Issue**: Even though there's a check for build environments, the hardcoded fallback key creates a significant security risk if the environment variable is not properly set in production
- **Recommendation**: The fallback should NEVER be enabled, even in development - require the environment variable to be set
**2. DEBUG mode default** (`/home/adebaumann/development/vgui-cicd/VorgabenUI/settings.py`, line 24)
```python
DEBUG = os.environ.get('DEBUG', 'True').lower() in ('true', '1', 'yes', 'on')
```
- **Issue**: DEBUG defaults to True, which could expose sensitive information if environment variables are misconfigured
- **Recommendation**: Require explicit setting of DEBUG to False in production
### Major Issues
**3. ALLOWED_HOSTS with wildcard** (`/home/adebaumann/development/vgui-cicd/VorgabenUI/settings.py`, line 50)
```python
ALLOWED_HOSTS = os.environ.get('DJANGO_ALLOWED_HOSTS', "10.128.128.144,localhost,127.0.0.1,*").split(",")
```
- **Issue**: Default includes `*` which allows any host - dangerous in production
- **Recommendation**: Default should not include wildcard; require explicit configuration
**4. No rate limiting on authentication** (`/home/adebaumann/development/vgui-cicd/VorgabenUI/settings.py`)
- **Issue**: No login throttling or rate limiting configured for authentication endpoints
- **Recommendation**: Add `django-axes` or similar for brute-force protection
**5. SQLite in production** (`/home/adebaumann/development/vgui-cicd/VorgabenUI/settings.py`, lines 109-114)
```python
DATABASES = {
'default': {
'ENGINE': 'django.db.backends.sqlite3',
'NAME': BASE_DIR / 'data/db.sqlite3',
}
}
```
- **Issue**: SQLite is used as default database - not suitable for production with concurrent access
- **Recommendation**: Configure PostgreSQL or other production-ready database
### Minor Issues
**6. TIME_ZONE mismatch** (`/home/adebaumann/development/vgui-cicd/VorgabenUI/settings.py`, lines 139-145)
- **Issue**: `LANGUAGE_CODE = 'de-ch'` but `TIME_ZONE = 'UTC'` - timezone should probably be 'Europe/Zurich' for Swiss deployment
- **File**: `/home/adebaumann/development/vgui-cicd/VorgabenUI/settings.py` (lines 141)
---
## 3. MODELS REVIEW
### Major Issues
**1. Missing `verbose_name` on models** - Several models are missing proper `verbose_name` in their Meta class:
- `Stichwort` (`/home/adebaumann/development/vgui-cicd/stichworte/models.py`, lines 4-11) - missing verbose_name
- `Referenz` (`/home/adebaumann/development/vgui-cicd/referenzen/models.py`, lines 6-27) - missing verbose_name
- `Rolle` (`/home/adebaumann/development/vgui-cicd/rollen/models.py`, lines 5-11) - missing verbose_name
- `Person` (`/home/adebaumann/development/vgui-cicd/dokumente/models.py`, lines 22-30) - missing verbose_name
- `Thema` (`/home/adebaumann/development/vgui-cicd/dokumente/models.py`, lines 32-39) - missing verbose_name
**2. BooleanField with `blank=True` but no default** (`/home/adebaumann/development/vgui-cicd/dokumente/models.py`, line 52)
```python
aktiv = models.BooleanField(blank=True)
```
- **Issue**: BooleanField should have explicit `default=False` for clarity
- **Recommendation**: Add `default=False`
**3. No database constraints for date validation** (`/home/adebaumann/development/vgui-cicd/dokumente/models.py`, lines 96-97)
```python
gueltigkeit_von = models.DateField()
gueltigkeit_bis = models.DateField(blank=True,null=True)
```
- **Issue**: No database-level constraint ensuring `gueltigkeit_bis >= gueltigkeit_von`
- **Recommendation**: Add constraint validation or override `save()` method
### Minor Issues
**4. Inconsistent naming in foreign key fields** - Some models use plural related names inconsistently:
- `autoren` and `pruefende` on `Dokument` use plural (correct)
- Could consider singular `related_name` for consistency where applicable
**5. Missing `related_name` on some ManyToMany fields** (`/home/adebaumann/development/vgui-cicd/dokumente/models.py`, line 289)
```python
autoren = models.ManyToManyField(Person) # Missing related_name
```
- **Recommendation**: Add `related_name='changelog_entries'` for clarity
---
## 4. VIEWS REVIEW
### Critical Issues
**1. No CSRF protection on comment endpoints** (`/home/adebaumann/development/vgui-cicd/dokumente/views.py`, lines 321-377)
```python
@require_POST
@login_required
def add_vorgabe_comment(request, vorgabe_id):
# No @csrf_exempt but also no CSRF token verification in the view
```
- **Issue**: The view uses `@require_POST` but doesn't verify CSRF tokens for the JSON endpoint
- **Recommendation**: Add `@csrf_exempt` ONLY if intentionally bypassing, or ensure CSRF is handled via the X-CSRFToken header (which is done in the template)
**Note**: Looking at line 368, the template sends `'X-CSRFToken': getCookie('csrftoken')`, so this is actually properly handled. **Not a bug.**
**2. XSS in comment display** (`/home/adebaumann/development/vgui-cicd/dokumente/views.py`, lines 305-306)
```python
escaped_text = escape(comment.text).replace('\n', '<br>')
```
- **Issue**: Using `escape()` is good, but line breaks are converted to `<br>` which could still be exploited
- **Note**: The `dangerous_patterns` check at lines 339-343 provides some protection
- **Recommendation**: Consider using a more robust HTML sanitization library
**3. No input validation on comment length** (`/home/adebaumann/development/vgui-cicd/dokumente/views.py`, line 335)
```python
if len(text) > 2000: # Reasonable length limit
```
- **Issue**: This is actually properly implemented with a 2000 character limit
- **Status**: OK
### Major Issues
**4. Referenz view lacks error handling** (`/home/adebaumann/development/vgui-cicd/referenzen/views.py`, lines 11-19)
```python
def detail(request, refid):
referenz_item = Referenz.objects.get(id=refid)
```
- **Issue**: `DoesNotExist` exception not caught - will return 500 error instead of 404
- **Recommendation**: Use `get_object_or_404` for consistency
### Minor Issues
**5. Search view allows complex regex patterns** (`/home/adebaumann/development/vgui-cicd/pages/views.py`, lines 36-70)
- **Issue**: The validation is good but the `groupby` usage at line 54 could fail if data is not properly sorted
- **Recommendation**: Add explicit ordering before groupby
**6. No rate limiting on search** (`/home/adebaumann/development/vgui-cicd/pages/views.py`)
- **Issue**: Search endpoint could be abused for DoS
- **Recommendation**: Add rate limiting
---
## 5. URL CONFIGURATION
### Minor Issues
**1. No URL namespace for include** (`/home/adebaumann/development/vgui-cicd/VorgabenUI/urls.py`, lines 31-35)
```python
path('dokumente/', include("dokumente.urls")),
path('stichworte/', include("stichworte.urls")),
```
- **Issue**: No `app_name` namespace defined in included apps
- **Recommendation**: Add `app_name = 'dokumente'` to `dokumente/urls.py` for cleaner reversals
**2. Inconsistent trailing slashes** - Most URLs have trailing slashes but not all - ensure consistency
---
## 6. TEMPLATES REVIEW
### Critical Issues
**1. XSS vulnerability in `standard_detail.html`** (`/home/adebaumann/development/vgui-cicd/dokumente/templates/standards/standard_detail.html`, lines 163-164)
```html
{% for ref in vorgabe.referenzpfade %}
{{ ref|safe }}{% if not forloop.last %}, {% endif %}
```
- **Issue**: Using `|safe` on reference paths could allow XSS if malicious content is stored
- **Recommendation**: Use `escape` filter and handle line breaks separately
**2. JavaScript in template without CSP** (`/home/adebaumann/development/vgui-cicd/dokumente/templates/standards/standard_detail.html`, lines 249-424)
- **Issue**: Inline JavaScript in template
- **Note**: CSP headers are set in the view (line 316-317), but inline scripts violate strict CSP
- **Recommendation**: Move JavaScript to external file
### Major Issues
**3. Missing ARIA labels and roles** - Several accessibility issues:
- Base template (`/home/adebaumann/development/vgui-cicd/pages/templates/base.html`) has navigation but missing `aria-label` on some elements
- The mobile navigation could use better ARIA attributes
**4. Missing alt attributes on images** (`/home/adebaumann/development/vgui-cicd/pages/templates/base.html`, lines 39-41)
```html
<img src="{% static 'swiss/img/logo-CH.svg' %}"
onerror="this.onerror=null; this.src='{% static 'swiss/img/logo-CH.png' %}'"
alt="Zur Startseite" />
```
- **Issue**: alt is present but could be more descriptive
- **Status**: Acceptable
### Minor Issues
**5. Hardcoded URLs in templates** (`/home/adebaumann/development/vgui-cicd/dokumente/templates/standards/incomplete_vorgaben.html`, line 21)
```html
<a href="/autorenumgebung/dokumente/vorgabe/{{ item.vorgabe.id }}/change/"
```
- **Issue**: Hardcoded admin URL instead of using URL reversal
- **Recommendation**: Use `{% url 'admin:dokumente_vorgabe_change' item.vorgabe.id %}`
---
## 7. FORMS REVIEW
### Minor Issues
**1. No dedicated form classes** - Most form handling is done via Django admin forms or directly in views
- **Recommendation**: Consider creating explicit `ModelForm` classes for views that accept user input (e.g., comment form)
**2. VorgabeForm in admin could have more validation** (`/home/adebaumann/development/vgui-cicd/dokumente/admin.py`, lines 95-107)
- **Issue**: The form only validates Thema is required
- **Recommendation**: Add validation for date ranges and conflicts
---
## 8. MANAGEMENT COMMANDS
### Major Issues
**1. import-document command lacks error recovery** (`/home/adebaumann/development/vgui-cicd/dokumente/management/commands/import-document.py`, lines 288-349)
```python
for v in vorgaben_data:
try:
thema = Thema.objects.get(name=v["thema"])
except Thema.DoesNotExist:
self.stdout.write(self.style.WARNING(...))
continue # Silently skips vorgabe
```
- **Issue**: If one Vorgabe fails, the entire command may leave partial data
- **Recommendation**: Use `transaction.atomic()` to ensure atomicity
**2. No progress indicator for large imports** (`/home/adebaumann/development/vgui-cicd/dokumente/management/commands/import-document.py`)
- **Issue**: For large files, no progress shown
- **Recommendation**: Add progress output
### Minor Issues
**3. export_json command hardcodes "Standard IT-Sicherheit"** (`/home/adebaumann/development/vgui-cicd/dokumente/management/commands/export_json.py`, line 30)
```python
result = {
"Vorgabendokument": {
"Typ": "Standard IT-Sicherheit",
```
- **Issue**: Typ is hardcoded instead of using `dokument.dokumententyp.name`
- **Recommendation**: Use actual dokumententyp
---
## 9. TESTS REVIEW
### Major Issues
**1. No tests for diagram caching** - The `diagramm_proxy` module has no test coverage
- **Recommendation**: Add tests for `diagram_cache.py`
**2. No tests for referenzen views** - The tree view and detail view have no test coverage
- **Recommendation**: Add tests for `referenzen/views.py`
**3. No tests for authentication security** - Missing tests for:
- Brute-force protection
- Session management
- Password policy enforcement
### Minor Issues
**4. Test file organization** - `test_json.py` should be part of `tests.py` or in a proper test package structure
- **Status**: Acceptable but could be improved
**5. Tests rely on hardcoded paths** (`/home/adebaumann/development/vgui-cicd/dokumente/tests.py`, lines 1165-1168)
```python
self.assertContains(response, 'href="/autorenumgebung/dokumente/vorgabe/2/change/"')
```
- **Issue**: Uses hardcoded URL paths instead of URL reversal
- **Recommendation**: Use `reverse('admin:dokumente_vorgabe_change', args=[vorgabe.pk])`
---
## 10. SECURITY REVIEW
### Critical Issues
**1. No rate limiting on any endpoint** - All views lack rate limiting
- **Recommendation**: Add `django-ratelimit` or similar
**2. Diagram cache potentially vulnerable to DoS** (`/home/adebaumann/development/vgui-cicd/diagramm_proxy/diagram_cache.py`, lines 24-67)
```python
def get_cached_diagram(diagram_type, diagram_content):
content_hash = compute_hash(diagram_content)
cache_path = get_cache_path(diagram_type, content_hash)
if default_storage.exists(cache_path):
return cache_path
# Generate diagram via POST request
url = f"{KROKI_UPSTREAM}/{diagram_type}/svg"
```
- **Issue**: No validation on diagram size or content - could lead to DoS via large diagrams
- **Recommendation**: Add size limits and timeout
### Major Issues
**3. CSRF trusted origins only for HTTPS** (`/home/adebaumann/development/vgui-cicd/VorgabenUI/settings.py`, line 104)
```python
CSRF_TRUSTED_ORIGINS=["https://vorgabenportal.knowyoursecurity.com"]
```
- **Issue**: Only one origin configured - ensure this covers all deployment URLs
- **Recommendation**: Make configurable via environment variable
**4. No session expiry configuration** (`/home/adebaumann/development/vgui-cicd/VorgabenUI/settings.py`)
- **Issue**: Sessions don't expire
- **Recommendation**: Set `SESSION_COOKIE_AGE` and `SESSION_SAVE_EVERY_REQUEST`
---
## 11. CODE STYLE COMPLIANCE (AGENTS.md)
### Violations Found
**1. Import order inconsistent** (`/home/adebaumann/development/vgui-cicd/dokumente/views.py`, lines 1-16)
- Imports are not strictly ordered (stdlib, Django, local apps)
- Example: `import parsedatetime` is placed after Django imports
**2. Missing German `verbose_name` on models** (as noted in Section 3)
**3. Function naming** (`/home/adebaumann/development/vgui-cicd/dokumente/models.py`, line 101)
```python
def Vorgabennummer(self): # Should be vorgabennummer (snake_case)
```
- **Issue**: Method name uses PascalCase instead of snake_case per AGENTS.md guidelines
**4. Typo in error message** (`/home/adebaumann/development/vgui-cicd/dokumente/models.py`, line 213)
```python
"Geltungsdauer übeschneidet sich" # Should be "überschneidet sich"
```
---
## 12. PERFORMANCE ISSUES
### Major Issues
**1. N+1 query potential in search** (`/home/adebaumann/development/vgui-cicd/pages/views.py`, lines 53-68)
```python
qs = VorgabeKurztext.objects.filter(inhalt__icontains=suchbegriff)...
```
- **Issue**: Uses `icontains` which cannot use database indexes effectively
- **Recommendation**: Consider PostgreSQL full-text search for better performance
**2. No select_related in referenzen views** (`/home/adebaumann/development/vgui-cicd/referenzen/views.py`, lines 7-8)
```python
def tree(request):
referenz_items = Referenz.objects.all()
```
- **Issue**: No prefetch_related for related data
- **Recommendation**: Add prefetch_related for `referenzerklaerung_set` and `unterreferenzen`
---
## SUMMARY
### Critical Issues (Must Fix)
| # | Issue | Location | Recommendation |
|---|-------|----------|----------------|
| 1 | SECRET_KEY fallback | `VorgabenUI/settings.py:27-47` | Never enable fallback, require env var |
| 2 | DEBUG defaults to True | `VorgabenUI/settings.py:24` | Require explicit False for production |
| 3 | No rate limiting | All views | Add django-ratelimit |
| 4 | Session never expires | `VorgabenUI/settings.py` | Set SESSION_COOKIE_AGE |
| 5 | XSS via `\|safe` filter | `standard_detail.html:163-164` | Use `escape` filter |
### Major Issues (Should Fix)
| # | Issue | Location | Recommendation |
|---|-------|----------|----------------|
| 1 | SQLite database | `VorgabenUI/settings.py:109-114` | Use PostgreSQL for production |
| 2 | ALLOWED_HOSTS wildcard | `VorgabenUI/settings.py:50` | Remove `*` from default |
| 3 | Missing date constraint | `dokumente/models.py:96-97` | Add validation for date ranges |
| 4 | Import not atomic | `import-document.py:288-349` | Wrap in transaction.atomic() |
| 5 | Missing test coverage | Multiple modules | Add tests for untested code |
### Minor Issues (Nice to Fix)
| # | Issue | Location |
|---|-------|----------|
| 1 | Code style violations | `dokumente/views.py:1-16` |
| 2 | Typo: "übeschneidet" | `dokumente/models.py:213` |
| 3 | Missing ARIA labels | `base.html` |
| 4 | Hardcoded URLs in templates | `incomplete_vorgaben.html:21` |
| 5 | Duplicate AUTH_PASSWORD_VALIDATORS | `settings-docker.py:92-105, 183-199` |
---
## RECOMMENDED ACTIONS
### Immediate (Before Production)
1. Set up proper SECRET_KEY via environment variable
2. Configure DEBUG=False explicitly
3. Remove wildcard from ALLOWED_HOSTS default
4. Add rate limiting to all endpoints
5. Configure session expiry
6. Fix XSS vulnerability in template
7. Switch to PostgreSQL database
### Short-term (1-2 Weeks)
1. Add database constraints for date validation
2. Wrap import command in transactions
3. Add missing verbose_name to models
4. Fix code style violations
5. Add test coverage for critical paths
6. Move inline JavaScript to external files
### Long-term (1 Month)
1. Implement PostgreSQL full-text search
2. Add comprehensive test suite
3. Set up CSP headers properly
4. Implement comprehensive authentication security
5. Add performance monitoring
6. Document all security configurations
---
## POSITIVE FINDINGS
1. **Good project organization** - Clear app structure following Django conventions
2. **Proper CSRF handling** - X-CSRFToken header properly implemented
3. **Input validation** - Comment length limits and dangerous pattern checks in place
4. **Good German localization** - German field names and verbose texts throughout
5. **Django admin integration** - Well-configured admin interface
6. **Management commands** - Useful import/export functionality
7. **Referenzen tree structure** - MPTT implementation for hierarchical data
---
## APPENDIX: Additional Issues Detected by LSP
The following issues were detected by the Language Server Protocol (LSP) analyzer:
### dokumente/models.py
| Line | Issue |
|------|-------|
| 14, 26, 36, 274 | `__str__` method return type mismatch - returns `CharField` instead of `str` |
| 70 | Unknown attribute `vorgaben` on `Dokument` |
| 102 | Unknown attribute `nummer` on `ForeignKey` |
| 106, 114 | Unknown attribute `strftime` on `DateField` |
| 137, 144, 196 | Unknown attribute `objects` on `type[Vorgabe]` |
| 173 | Unknown attribute `thema_id` on `Vorgabe` |
| 248, 254, 260, 266 | `Meta` class overrides incompatible parent class |
| 282 | `VorgabenTable.Meta` incompatible with `Vorgabe.Meta` |
| 294 | Unknown attribute `nummer` on `ForeignKey` |
| 314 | Unknown attributes `username` and `Vorgabennummer` on `ForeignKey` |
### dokumente/views.py
| Line | Issue |
|------|-------|
| 22, 133, 265 | Unknown attribute `objects` on `type[Dokument]` |
| 94 | Unknown attribute `objects` on `type[Vorgabe]` |
| 285 | Argument type `str` cannot be assigned to parameter `content` of type `bytes` |
| 345, 412, 440 | Unknown attribute `objects` on `type[VorgabeComment]` |
### abschnitte/models.py
| Line | Issue |
|------|-------|
| 6 | `__str__` method return type mismatch |
| 18 | Argument type `Literal[0]` cannot be assigned to parameter `default` |
### referenzen/models.py
| Line | Issue |
|------|-------|
| 23 | `__str__` method return type mismatch |
| 26 | `Referenz.Meta` overrides incompatible parent `MPTTModel.Meta` |
| 32 | `Referenzerklaerung.Meta` overrides incompatible parent `Textabschnitt.Meta` |
### rollen/models.py
| Line | Issue |
|------|-------|
| 8 | `__str__` method return type mismatch |
| 15 | `RollenBeschreibung.Meta` overrides incompatible parent `Textabschnitt.Meta` |
---
*End of Code Review*

383
docs/kubernetes-secrets.md Normal file
View File

@@ -0,0 +1,383 @@
# Kubernetes Configuration Management for VorgabenUI Django
This document describes how to manage Django configuration using Kubernetes secrets and ConfigMaps.
## Overview
Django configuration has been moved to Kubernetes-native resources for improved security and flexibility:
### **Secrets** (for sensitive data)
- `VORGABENUI_SECRET` - Django SECRET_KEY
- Future: Database passwords, API keys, etc.
### **ConfigMaps** (for non-sensitive configuration)
- `DEBUG` - Debug mode setting
- `DJANGO_ALLOWED_HOSTS` - Allowed hostnames
- `DJANGO_SETTINGS_MODULE` - Settings module path
- Application configuration settings
This approach ensures that:
1. Sensitive data is not stored in version control
2. Configuration is environment-specific
3. Non-sensitive settings are easily manageable
4. Follows Kubernetes best practices
5. Includes fallback for local development
## Files Changed
### VorgabenUI/settings.py
- Replaced hardcoded `SECRET_KEY` with `VORGABENUI_SECRET` environment variable lookup
- Added fallback secret key for local development (only works when DEBUG=True)
- Added warning when fallback key is used
### Files Created/Updated
#### **Configuration Resources**
- `argocd/configmap.yaml` - Django configuration (DEBUG, ALLOWED_HOSTS, etc.)
- `templates/configmap.yaml` - ConfigMap template (excluded from ArgoCD)
- `templates/secret.yaml` - Secret template (excluded from ArgoCD deployment)
- `argocd/secret.yaml` - ArgoCD-specific secret template with ignore annotation
#### **Deployment Configuration**
- `argocd/deployment.yaml` - Updated with Secret and ConfigMap environment variables
- `.argocdignore` - ArgoCD ignore patterns for templates and scripts
#### **Deployment Scripts**
- `scripts/deploy-argocd-secret.sh` - ArgoCD-specific script to deploy secrets
- `scripts/deploy-argocd-configmap.sh` - ArgoCD-specific script to deploy ConfigMap
#### **Application Code**
- `VorgabenUI/settings.py` - Updated to use environment variables from ConfigMap
#### **Examples and Documentation**
- `k8s/django-secret.yaml` - Updated for consistency (vorgabenui namespace)
- `k8s/django-deployment-example.yaml` - Updated example deployment
- `scripts/deploy-django-secret.sh` - Updated with new defaults
## Usage
### 1. Deploy ConfigMap (ArgoCD Production)
**Deploy configuration first** (required before the application starts):
```bash
# Deploy ConfigMap to vorgabenui namespace
./scripts/deploy-argocd-configmap.sh
# Verify existing ConfigMap
./scripts/deploy-argocd-configmap.sh --verify-only
# Dry run to see what would happen
./scripts/deploy-argocd-configmap.sh --dry-run
# Get help
./scripts/deploy-argocd-configmap.sh --help
```
### 2. Deploy the Secret (ArgoCD Production)
**Deploy secret second** (contains sensitive SECRET_KEY):
```bash
# Deploy secret to vorgabenui namespace
./scripts/deploy-argocd-secret.sh
# Verify existing secret
./scripts/deploy-argocd-secret.sh --verify-only
# Dry run to see what would happen
./scripts/deploy-argocd-secret.sh --dry-run
# Get help
./scripts/deploy-argocd-secret.sh --help
```
### 3. Deploy Resources for Other Environments
For development or other environments, use the general scripts:
```bash
# Deploy ConfigMap to vorgabenui namespace (default)
./scripts/deploy-django-secret.sh # (includes ConfigMap deployment)
# Deploy to specific namespace
./scripts/deploy-django-secret.sh -n development
# Get help
./scripts/deploy-django-secret.sh --help
```
### 4. Environment Variable Configuration
The ArgoCD deployment (`argocd/deployment.yaml`) is configured with:
**Secret Variables:**
```yaml
env:
# Secret configuration
- name: VORGABENUI_SECRET
valueFrom:
secretKeyRef:
name: vorgabenui-secrets
key: vorgabenui_secret
```
**ConfigMap Variables:**
```yaml
# ConfigMap configuration
- name: DEBUG
valueFrom:
configMapKeyRef:
name: django-config
key: DEBUG
- name: DJANGO_ALLOWED_HOSTS
valueFrom:
configMapKeyRef:
name: django-config
key: DJANGO_ALLOWED_HOSTS
- name: DJANGO_SETTINGS_MODULE
valueFrom:
configMapKeyRef:
name: django-config
key: DJANGO_SETTINGS_MODULE
```
For other deployments, see `k8s/django-deployment-example.yaml` for a complete example.
### 5. Verify the Deployment
**Check ConfigMap:**
```bash
kubectl get configmap django-config -n vorgabenui
kubectl describe configmap django-config -n vorgabenui
```
**Check Secret:**
```bash
kubectl get secrets vorgabenui-secrets -n vorgabenui
kubectl describe secret vorgabenui-secrets -n vorgabenui
```
**Check Django pods can access configuration:**
```bash
# Check secret variable
kubectl exec -n vorgabenui deployment/django -- printenv VORGABENUI_SECRET
# Check ConfigMap variables
kubectl exec -n vorgabenui deployment/django -- printenv DEBUG
kubectl exec -n vorgabenui deployment/django -- printenv DJANGO_ALLOWED_HOSTS
# Check all environment variables
kubectl exec -n vorgabenui deployment/django -- printenv | grep -E "(VORGABENUI|DEBUG|DJANGO)"
```
## Development Environment
### Local Development with Fallback
The application now includes a fallback secret key for local development. When running locally:
1. **Automatic fallback**: If `VORGABENUI_SECRET` is not set and `DEBUG=True`, a fallback key is used automatically
2. **Warning message**: The application will log a warning when using the fallback key (except during builds)
3. **Production safety**: Fallback only works when `DEBUG=True` or in build environments
### Docker Build Support
The Django settings are designed to work seamlessly during Docker builds:
1. **Build environment detection**: Automatically detects Docker builds, CI environments
2. **Fallback activation**: Uses fallback key during build without requiring environment variables
3. **No build-time secrets**: No need to provide `VORGABENUI_SECRET` during `docker build`
4. **Runtime security**: Production containers still require the proper environment variable
**Supported build environments:**
- Docker builds (`DOCKER_BUILDKIT`)
- CI environments (`CI`)
- GitHub Actions (`GITHUB_ACTIONS`)
- Gitea Actions (`GITEA_ACTIONS`)
- Local development (`DEBUG=True`)
### Manual Environment Variable
You can still set the environment variable manually:
```bash
# Option 1: Export the variable
export VORGABENUI_SECRET="your-development-key-here"
python manage.py runserver
# Option 2: Use a .env file (recommended)
echo "VORGABENUI_SECRET=your-development-key-here" > .env
# Then load it in your settings or use python-dotenv
```
### Development vs Production
- **Local Development**: Fallback key works automatically when `DEBUG=True`
- **Production**: Must have `VORGABENUI_SECRET` environment variable set, no fallback
## ArgoCD Integration and Exclusions
### Preventing ArgoCD from Deploying Secret Templates
This setup includes multiple approaches to prevent ArgoCD from trying to deploy the secret template:
#### 1. Template Directory (`templates/`)
- Secret template moved to `templates/` directory
- ArgoCD deployment script automatically uses this location
- Excluded via `.argocdignore` file
#### 2. ArgoCD Ignore Annotation
- `argocd/secret.yaml` has `argocd.argoproj.io/ignore: "true"` annotation
- Provides fallback if templates directory approach fails
#### 3. `.argocdignore` File
- Global exclusion patterns for templates, scripts, and documentation
- Prevents ArgoCD from syncing non-deployment files
### ArgoCD Sync Behavior
- ArgoCD will sync only the actual deployment files (`deployment.yaml`, `ingress.yaml`, etc.)
- Secret templates are excluded and must be deployed manually using the deployment script
- This ensures secrets are created outside of GitOps workflow for security
## Security Considerations
1. **Never commit the actual SECRET_KEY** - Only templates and scripts are in version control
2. **Use different keys per environment** - Production, staging, and development should all have unique keys
3. **Rotate keys regularly** - Run the deployment script periodically to generate new keys
4. **Limit access** - Use Kubernetes RBAC to control who can access secrets
5. **ArgoCD exclusion** - Secret templates are excluded from ArgoCD to prevent empty/template secrets from being deployed
## Troubleshooting
### Django fails to start with "VORGABENUI_SECRET environment variable is required"
This means the environment variable is not set in your pod and fallback conditions aren't met. Check:
1. **Secret exists**: `kubectl get secret vorgabenui-secrets -n vorgabenui`
2. **Deployment references secret correctly**: Check `argocd/deployment.yaml` env section
3. **Pod has environment variable**: `kubectl exec <pod-name> -n vorgabenui -- env | grep VORGABENUI_SECRET`
4. **For local development**: Ensure `DEBUG=True` to use the fallback key
5. **For Docker builds**: Build should work automatically with fallback
### Docker build fails with SECRET_KEY error
This should no longer happen with the updated settings. If you still see issues:
1. **Check build environment variables**: Build should detect `DOCKER_BUILDKIT=1`
2. **Verify settings changes**: Ensure the updated `settings.py` is being used
3. **Force environment detection**: Set `CI=1` during build if needed
4. **Use explicit DEBUG**: Set `DEBUG=True` during build as fallback
### Secret deployment fails
Check that:
1. You have kubectl access to the cluster
2. You have permission to create secrets in the `vorgabenui` namespace
3. Python3 is available for key generation
4. The ArgoCD secret template exists: `argocd/secret.yaml`
### Key rotation
To rotate the SECRET_KEY:
1. **For ArgoCD production**: Run `./scripts/deploy-argocd-secret.sh` again
2. **For other environments**: Run `./scripts/deploy-django-secret.sh` again
3. Restart your Django pods to pick up the new key:
```bash
# For ArgoCD production
kubectl rollout restart deployment/django -n vorgabenui
# For other environments
kubectl rollout restart deployment/your-django-deployment -n your-namespace
```
## Script Options
### ArgoCD Production Scripts
#### **ConfigMap Script (`deploy-argocd-configmap.sh`)**
Deploy Django configuration (non-sensitive):
- `--verify-only` - Only verify existing ConfigMap, don't deploy
- `--dry-run` - Show what would be deployed without applying
- `-h, --help` - Show help message
Configuration is hardcoded for ArgoCD:
- Namespace: `vorgabenui`
- ConfigMap name: `django-config`
- ConfigMap file: `argocd/configmap.yaml`
#### **Secret Script (`deploy-argocd-secret.sh`)**
Deploy sensitive configuration:
- `--verify-only` - Only verify existing secret, don't create new one
- `--dry-run` - Show what would be done without making changes
- `-h, --help` - Show help message
Configuration is hardcoded for ArgoCD:
- Namespace: `vorgabenui`
- Secret name: `vorgabenui-secrets`
- Secret key: `vorgabenui_secret`
- Template location: `templates/secret.yaml` (excluded from ArgoCD)
### General Script (`deploy-django-secret.sh`)
For development and other environments:
- `-n, --namespace NAMESPACE` - Target Kubernetes namespace (default: vorgabenui)
- `-s, --secret-name NAME` - Secret name (default: vorgabenui-secrets)
- `-k, --key-name NAME` - Secret key name (default: vorgabenui_secret)
- `-h, --help` - Show help message
Environment variables:
- `NAMESPACE` - Override default namespace
## Migration from Hardcoded Key
### Migration from Old Setup
If you're migrating from the previous `DJANGO_SECRET_KEY` setup:
1. **Deploy the new secret** using `./scripts/deploy-argocd-secret.sh`
2. **Update any existing deployments** to use `VORGABENUI_SECRET` instead of `DJANGO_SECRET_KEY`
3. **Test locally** - the fallback key should work automatically in DEBUG mode
4. **Deploy the updated application** - ArgoCD deployment is already configured
### Migration from Hardcoded Key
If you're migrating from a completely hardcoded key:
1. **Backup your current key** (in case you need to rollback)
2. **Deploy the secret first** using the deployment script
3. **Apply the updated ArgoCD deployment** (already done in this setup)
4. **Test thoroughly** - local development should work with fallback
5. **Deploy the updated settings.py** after confirming the secret works
The ArgoCD deployment (`argocd/deployment.yaml`) now includes the environment variable configuration, so Django will automatically pick up the secret after deployment.
## Deployment Order
**Critical: Deploy resources in this order:**
1. **ConfigMap first** (required for Django to start):
```bash
./scripts/deploy-argocd-configmap.sh
```
2. **Secret second** (contains sensitive data):
```bash
./scripts/deploy-argocd-secret.sh
```
3. **Application deployment** (ArgoCD will sync this automatically):
```bash
kubectl apply -f argocd/deployment.yaml
# OR let ArgoCD sync from Git
```
If you deploy in the wrong order, Django pods will fail to start because they require both the ConfigMap and Secret to be available.

7
dokumente/models.py
View File

@@ -12,7 +12,7 @@ class Dokumententyp(models.Model):
verantwortliche_ve = models.CharField(max_length=255)
def __str__(self):
return self.name
return str(self.name)
class Meta:
verbose_name="Dokumententyp"
@@ -28,6 +28,7 @@ class Person(models.Model):
class Meta:
verbose_name_plural="Personen"
ordering = ['name']
verbose_name="Person"
class Thema(models.Model):
name = models.CharField(max_length=100, primary_key=True)
@@ -37,7 +38,7 @@ class Thema(models.Model):
return self.name
class Meta:
verbose_name_plural="Themen"
verbose_name="Thema"
class Dokument(models.Model):
nummer = models.CharField(max_length=50, primary_key=True)
@@ -49,7 +50,7 @@ class Dokument(models.Model):
gueltigkeit_bis = models.DateField(null=True, blank=True)
signatur_cso = models.CharField(max_length=255, blank=True)
anhaenge = models.TextField(blank=True)
aktiv = models.BooleanField(blank=True)
aktiv = models.BooleanField(blank=True,default=False)
def __str__(self):
return f"{self.nummer} {self.name}"

19
k8s/data-loader-pod.yaml
View File

@@ -1,19 +0,0 @@
apiVersion: v1
kind: Pod
metadata:
name: data-loader
namespace: vorgabenui
spec:
restartPolicy: Never
containers:
- name: loader
image: adebaumann/vgui-preloader:0.5
command: ["sh","-c","cp -v --debug --update=none /preload/preload.sqlite3 /data/db.sqlite3; chown -R 999:999 /data; ls -la /data; exit 0"]
volumeMounts:
- name: data
mountPath: /data
volumes:
- name: data
persistentVolumeClaim:
claimName: django-data-pvc

BIN
k8s/db/db.sqlite3
View File

Binary file not shown.

68
k8s/deployment.yaml
View File

@@ -1,68 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: django
namespace: vorgabenui
spec:
replicas: 10
selector:
matchLabels:
app: django
template:
metadata:
labels:
app: django
spec:
securityContext:
fsGroup: 999
fsGroupChangePolicy: "OnRootMismatch"
initContainers:
- name: loader
image: adebaumann/vgui-preloader:0.5
command: [ "sh","-c","cp -v --debug --update=none /preload/preload.sqlite3 /data/db.sqlite3; chown -R 999:999 /data; ls -la /data; exit 0" ]
volumeMounts:
- name: data
mountPath: /data
containers:
- name: web
image: docker.io/adebaumann/vui:0.918
imagePullPolicy: Always
ports:
- containerPort: 8000
volumeMounts:
- name: data
mountPath: /app/data
readinessProbe:
httpGet:
path: /
port: 8000
initialDelaySeconds: 5
periodSeconds: 10
timeoutSeconds: 2
failureThreshold: 6
livenessProbe:
httpGet:
path: /
port: 8000
initialDelaySeconds: 20
periodSeconds: 20
timeoutSeconds: 2
failureThreshold: 3
volumes:
- name: data
persistentVolumeClaim:
claimName: django-data-pvc
---
apiVersion: v1
kind: Service
metadata:
name: django
namespace: vorgabenui
spec:
type: ClusterIP
selector:
app: django
ports:
- port: 8000
targetPort: 8000

60
k8s/diagrammer.yaml
View File

@@ -1,60 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: kroki
namespace: vorgabenui
spec:
replicas: 1
selector:
matchLabels:
app: kroki
template:
metadata:
labels:
app: kroki
spec:
containers:
- name: kroki
image: docker.io/yuzutech/kroki:latest
ports:
- containerPort: 8000
readinessProbe:
httpGet:
path: /
port: 8000
initialDelaySeconds: 5
periodSeconds: 10
timeoutSeconds: 2
failureThreshold: 6
livenessProbe:
httpGet:
path: /
port: 8000
initialDelaySeconds: 20
periodSeconds: 20
timeoutSeconds: 2
failureThreshold: 3
- name: mermaid
image: docker.io/yuzutech/kroki-mermaid:latest
ports:
- containerPort: 8002
- name: bpmn
image: docker.io/yuzutech/kroki-bpmn:latest
ports:
- containerPort: 8003
- name: excalidraw
image: docker.io/yuzutech/kroki-excalidraw:latest
ports:
- containerPort: 8004
---
apiVersion: v1
kind: Service
metadata:
name: svckroki
namespace: vorgabenui
spec:
selector:
app: kroki
ports:
- port: 8000
targetPort: 8000

19
k8s/ingress.yaml
View File

@@ -1,19 +0,0 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: django
namespace: vorgabenui
annotations:
traefik.ingress.kubernetes.io/router.middlewares: "vorgabenui-vorgabenui-rewrite@kubernetescrd"
spec:
rules:
- host: vorgabenui.adebaumann.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: django
port:
number: 8000

18
k8s/ingressdebug.yaml
View File

@@ -1,18 +0,0 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: django
namespace: vorgabenui
spec:
ingressClassName: nginx
rules:
- host: vorgabenui.local
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: django
port:
number: 8000

15
k8s/nfs-pv.yaml
View File

@@ -1,15 +0,0 @@
apiVersion: v1
kind: PersistentVolume
metadata:
name: django-data-pv
namespace: vorgabenui
spec:
capacity:
storage: 2Gi
accessModes:
- ReadWriteMany
persistentVolumeReclaimPolicy: Retain
storageClassName: nfs
nfs:
server: 192.168.17.199
path: /mnt/user/vorgabenui

8
k8s/nfs-storageclass.yaml
View File

@@ -1,8 +0,0 @@
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: nfs
provisioner: kubernetes.io/no-provisioner
allowVolumeExpansion: true
reclaimPolicy: Retain
volumeBindingMode: Immediate

13
k8s/pvc.yaml
View File

@@ -1,13 +0,0 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: django-data-pvc
namespace: vorgabenui
spec:
accessModes:
- ReadWriteMany
storageClassName: nfs
resources:
requests:
storage: 2Gi

9
k8s/traefik-middleware.yaml
View File

@@ -1,9 +0,0 @@
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: vorgabenui-rewrite
namespace: vorgabenui
spec:
stripPrefix:
prefixes:
- "/"

16
pages/templates/400.html Normal file
View File

@@ -0,0 +1,16 @@
{% extends "base.html" %}
{% block title %}Ungültige Anfrage{% endblock %}
{% block content %}
<div class="row">
<div class="col-md-12">
<div class="alert alert-warning">
<h2><i class="icon icon--alert"></i> Ungültige Anfrage (400)</h2>
<p>Ihre Anfrage konnte nicht verarbeitet werden.</p>
<p>Bitte überprüfen Sie die eingegebenen Daten und versuchen Sie es erneut.</p>
<p><a href="/" class="btn btn-primary">Zur Startseite</a></p>
</div>
</div>
</div>
{% endblock %}

21
pages/templates/403.html Normal file
View File

@@ -0,0 +1,21 @@
{% extends "base.html" %}
{% block title %}Zugriff verweigert{% endblock %}
{% block content %}
<div class="row">
<div class="col-md-12">
<div class="alert alert-warning">
<h2><i class="icon icon--alert"></i> Zugriff verweigert (403)</h2>
<p>Sie haben keine Berechtigung, auf diese Seite zuzugreifen.</p>
<p>Bitte melden Sie sich an oder wenden Sie sich an den Administrator.</p>
<p>
<a href="/" class="btn btn-primary">Zur Startseite</a>
{% if not user.is_authenticated %}
<a href="{% url 'login' %}" class="btn btn-secondary">Anmelden</a>
{% endif %}
</p>
</div>
</div>
</div>
{% endblock %}

21
pages/templates/404.html Normal file
View File

@@ -0,0 +1,21 @@
{% extends "base.html" %}
{% block title %}Seite nicht gefunden{% endblock %}
{% block content %}
<div class="row">
<div class="col-md-12">
<div class="alert alert-danger">
<h2><i class="icon icon--alert"></i> Seite nicht gefunden (404)</h2>
<p>Die gewünschte Seite konnte nicht gefunden werden.</p>
<p>Mögliche Gründe:</p>
<ul>
<li>Sie haben eine falsche URL eingegeben</li>
<li>Die Seite wurde verschoben oder gelöscht</li>
<li>Sie haben keine Berechtigung für diese Seite</li>
</ul>
<p><a href="/" class="btn btn-primary">Zur Startseite</a></p>
</div>
</div>
</div>
{% endblock %}

16
pages/templates/500.html Normal file
View File

@@ -0,0 +1,16 @@
{% extends "base.html" %}
{% block title %}Serverfehler{% endblock %}
{% block content %}
<div class="row">
<div class="col-md-12">
<div class="alert alert-danger">
<h2><i class="icon icon--alert"></i> Serverfehler (500)</h2>
<p>Bei der Verarbeitung Ihrer Anfrage ist ein interner Fehler aufgetreten.</p>
<p>Der Administrator wurde über dieses Problem informiert.</p>
<p><a href="/" class="btn btn-primary">Zur Startseite</a></p>
</div>
</div>
</div>
{% endblock %}

2
pages/templates/base.html
View File

@@ -219,7 +219,7 @@
</p>
</div>
<div class="col-sm-6 text-right">
<p class="text-muted">Version {{ version|default:"0.973" }}</p>
<p class="text-muted">Version {{ version|default:"0.983" }}</p>
</div>
</div>
</div>

12
pages/views.py
View File

@@ -69,3 +69,15 @@ def search(request):
return render(request,"results.html",{"suchbegriff":safe_search_term,"resultat":result})
def custom_400(request, exception):
return render(request, '400.html', status=400)
def custom_403(request, exception):
return render(request, '403.html', status=403)
def custom_404(request, exception):
return render(request, '404.html', status=404)
def custom_500(request):
return render(request, '500.html', status=500)

17
referenzen/migrations/0004_alter_referenz_options.py Normal file
View File

@@ -0,0 +1,17 @@
# Generated by Django 6.0.1 on 2026-01-20 08:57
from django.db import migrations
class Migration(migrations.Migration):
dependencies = [
('referenzen', '0003_alter_referenzerklaerung_options'),
]
operations = [
migrations.AlterModelOptions(
name='referenz',
options={'verbose_name': 'Referenz', 'verbose_name_plural': 'Referenzen'},
),
]

1
referenzen/models.py
View File

@@ -25,6 +25,7 @@ class Referenz(MPTTModel):
class Meta:
verbose_name_plural="Referenzen"
verbose_name="Referenz"
class Referenzerklaerung (Textabschnitt):
erklaerung = models.ForeignKey(Referenz,on_delete=models.CASCADE)

2
referenzen/views.py
View File

@@ -9,7 +9,7 @@ def tree(request):
def detail(request, refid):
referenz_item = Referenz.objects.get(id=refid)
referenz_item = Referenz.objects.get_object_or_404(id=refid)
referenz_item.erklaerung = render_textabschnitte(referenz_item.referenzerklaerung_set.order_by("order"))
referenz_item.children = list(referenz_item.get_descendants(include_self=True))
for child in referenz_item.children:

48
requirements.txt
View File

@@ -1,36 +1,44 @@
appdirs==1.4.4
asgiref==3.8.1
blessed==1.21.0
certifi==2025.8.3
charset-normalizer==3.4.3
asgiref==3.11.0
bleach==6.3.0
blessed==1.27.0
certifi==2026.1.4
charset-normalizer==3.4.4
coverage==7.13.1
curtsies==0.4.3
cwcwidth==0.1.10
Django==5.2.9
django-admin-sortable2==2.2.8
cwcwidth==0.1.12
Django==6.0.1
django-admin-sortable2==2.3
django-js-asset==3.1.2
django-mptt==0.17.0
django-mptt-admin==2.8.0
django-nested-admin==4.1.1
django-mptt==0.18.0
django-mptt-admin==2.9.0
django-nested-admin==4.1.6
django-nested-inline==0.4.6
django-revproxy==0.13.0
greenlet==3.2.4
greenlet==3.3.0
gunicorn==23.0.0
idna==3.10
idna==3.11
jedi==0.19.2
Markdown==3.8.2
jproperties==2.1.2
Markdown==3.10
packaging==25.0
parsedatetime==2.6
parso==0.8.4
parso==0.8.5
pep8==1.7.1
prompt_toolkit==3.0.51
prompt_toolkit==3.0.52
pyfakefs==5.9.3
Pygments==2.19.2
pysonar==1.2.1.3951
python-dateutil==2.9.0.post0
python-monkey-business==1.1.0
pyxdg==0.28
PyYAML==6.0.3
requests==2.32.5
responses==0.25.8
six==1.17.0
sqlparse==0.5.3
urllib3==2.6.0
wcwidth==0.2.13
bleach==6.1.0
coverage==7.6.1
sqlparse==0.5.5
tomli==2.2.1
urllib3==2.6.3
wcwidth==0.2.14
webencodings==0.5.1
whitenoise==6.11.0

17
rollen/migrations/0002_alter_rolle_options.py Normal file
View File

@@ -0,0 +1,17 @@
# Generated by Django 6.0.1 on 2026-01-20 08:57
from django.db import migrations
class Migration(migrations.Migration):
dependencies = [
('rollen', '0001_initial'),
]
operations = [
migrations.AlterModelOptions(
name='rolle',
options={'verbose_name': 'Rolle (für Relevanz)', 'verbose_name_plural': 'Rolleni (für Relevanz)'},
),
]

3
rollen/models.py
View File

@@ -9,9 +9,10 @@ class Rolle(models.Model):
return self.name
class Meta:
verbose_name_plural="Rollen"
verbose_name="Rolle"
class RollenBeschreibung(Textabschnitt):
abschnitt=models.ForeignKey(Rolle,on_delete=models.CASCADE)
class Meta:
verbose_name_plural="Rollenbeschreibung"
verbose_name="Rollenbeschreibungs-Abschnitt"
verbose_name="Rollenbeschreibungs-Abschnitt"

216
scripts/deploy-argocd-configmap.sh Executable file
View File

@@ -0,0 +1,216 @@
#!/bin/bash
# deploy-argocd-configmap.sh
# Script to deploy Django ConfigMap to vorgabenui namespace for ArgoCD
set -euo pipefail
# ArgoCD-specific configuration (hardcoded for consistency)
NAMESPACE="vorgabenui"
CONFIGMAP_NAME="django-config"
SCRIPT_DIR="$(dirname "$0")"
ARGOCD_DIR="$SCRIPT_DIR/../argocd"
CONFIGMAP_FILE="$ARGOCD_DIR/configmap.yaml"
# Colors for output
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
NC='\033[0m' # No Color
# Logging functions
log_info() {
echo -e "${GREEN}[INFO]${NC} $1"
}
log_warn() {
echo -e "${YELLOW}[WARN]${NC} $1"
}
log_error() {
echo -e "${RED}[ERROR]${NC} $1"
}
log_step() {
echo -e "${BLUE}[STEP]${NC} $1"
}
# Function to check if kubectl is available
check_kubectl() {
if ! command -v kubectl &> /dev/null; then
log_error "kubectl is not installed or not in PATH"
exit 1
fi
}
# Function to check if configmap file exists
check_configmap_file() {
if [ ! -f "$CONFIGMAP_FILE" ]; then
log_error "ConfigMap file not found: $CONFIGMAP_FILE"
log_error "Expected ArgoCD ConfigMap file at: $CONFIGMAP_FILE"
exit 1
fi
}
# Function to deploy the configmap
deploy_configmap() {
log_step "Deploying ConfigMap '$CONFIGMAP_NAME' to namespace '$NAMESPACE'..."
kubectl apply -f "$CONFIGMAP_FILE"
if [ $? -eq 0 ]; then
log_info "Successfully deployed ConfigMap '$CONFIGMAP_NAME'"
return 0
else
log_error "Failed to deploy ConfigMap '$CONFIGMAP_NAME'"
return 1
fi
}
# Function to verify the configmap
verify_configmap() {
log_step "Verifying ConfigMap deployment..."
if kubectl get configmap "$CONFIGMAP_NAME" --namespace="$NAMESPACE" &> /dev/null; then
log_info "✅ ConfigMap '$CONFIGMAP_NAME' exists in namespace '$NAMESPACE'"
echo ""
log_info "ConfigMap details:"
kubectl describe configmap "$CONFIGMAP_NAME" --namespace="$NAMESPACE"
echo ""
log_info "ConfigMap data:"
kubectl get configmap "$CONFIGMAP_NAME" --namespace="$NAMESPACE" -o yaml | grep -A 20 "^data:"
return 0
else
log_error "❌ ConfigMap '$CONFIGMAP_NAME' not found in namespace '$NAMESPACE'"
return 1
fi
}
# Function to show usage
show_usage() {
echo "ArgoCD ConfigMap Deployment Script for VorgabenUI"
echo ""
echo "Usage: $0 [OPTIONS]"
echo ""
echo "This script deploys Django configuration to the vorgabenui namespace for ArgoCD."
echo ""
echo "Options:"
echo " -h, --help Show this help message"
echo " --verify-only Only verify existing ConfigMap, don't deploy"
echo " --dry-run Show what would be deployed without applying"
echo ""
echo "Configuration (hardcoded for ArgoCD):"
echo " Namespace: $NAMESPACE"
echo " ConfigMap Name: $CONFIGMAP_NAME"
echo " ConfigMap File: $CONFIGMAP_FILE"
echo ""
echo "Examples:"
echo " $0 # Deploy ConfigMap"
echo " $0 --verify-only # Verify existing ConfigMap"
echo " $0 --dry-run # Preview deployment"
echo ""
echo "Note: Run this before deploying the ArgoCD deployment to ensure configuration is available."
}
# Parse command line arguments
VERIFY_ONLY=false
DRY_RUN=false
while [[ $# -gt 0 ]]; do
case $1 in
--verify-only)
VERIFY_ONLY=true
shift
;;
--dry-run)
DRY_RUN=true
shift
;;
-h|--help)
show_usage
exit 0
;;
*)
log_error "Unknown option: $1"
show_usage
exit 1
;;
esac
done
# Main execution
main() {
echo ""
log_info "🚀 ArgoCD Django ConfigMap Deployment Script"
log_info "============================================"
echo ""
log_info "Target Configuration:"
log_info " Namespace: $NAMESPACE"
log_info " ConfigMap Name: $CONFIGMAP_NAME"
log_info " ConfigMap File: $CONFIGMAP_FILE"
echo ""
# Perform checks
log_step "Performing pre-flight checks..."
check_kubectl
check_configmap_file
log_info "✅ All pre-flight checks passed"
echo ""
# Verify-only mode
if [ "$VERIFY_ONLY" = true ]; then
log_info "🔍 Verify-only mode - checking existing ConfigMap"
verify_configmap
exit $?
fi
# Dry-run mode
if [ "$DRY_RUN" = true ]; then
log_info "🔍 Dry-run mode - showing what would be deployed:"
echo ""
log_info "ConfigMap content that would be deployed:"
cat "$CONFIGMAP_FILE"
echo ""
log_info "Would run: kubectl apply -f $CONFIGMAP_FILE"
echo ""
log_info "Run without --dry-run to execute the deployment"
exit 0
fi
# Create namespace if it doesn't exist
if ! kubectl get namespace "$NAMESPACE" &> /dev/null; then
log_warn "Namespace '$NAMESPACE' does not exist, creating..."
kubectl create namespace "$NAMESPACE"
log_info "✅ Created namespace '$NAMESPACE'"
fi
# Deploy the ConfigMap
if deploy_configmap; then
echo ""
# Verify deployment
verify_configmap
echo ""
log_info "🎉 ConfigMap deployment completed successfully!"
echo ""
log_info "📋 Next steps:"
log_info "1. Deploy the secret (if not already done):"
echo " ./scripts/deploy-argocd-secret.sh"
echo ""
log_info "2. Apply the updated deployment:"
echo " kubectl apply -f argocd/deployment.yaml"
echo ""
log_info "3. Verify Django pods start with proper configuration"
echo ""
else
log_error "ConfigMap deployment failed"
exit 1
fi
}
# Run main function
main

311
scripts/deploy-argocd-secret.sh Executable file
View File

@@ -0,0 +1,311 @@
#!/bin/bash
# deploy-argocd-secret.sh
# ArgoCD-specific script to generate and deploy Django SECRET_KEY to vorgabenui namespace
set -euo pipefail
# ArgoCD-specific configuration (hardcoded for consistency)
NAMESPACE="vorgabenui"
SECRET_NAME="vorgabenui-secrets"
SECRET_KEY_NAME="vorgabenui_secret"
SCRIPT_DIR="$(dirname "$0")"
ARGOCD_DIR="$SCRIPT_DIR/../argocd"
TEMPLATES_DIR="$SCRIPT_DIR/../templates"
SECRET_TEMPLATE="$TEMPLATES_DIR/secret.yaml"
# Colors for output
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
NC='\033[0m' # No Color
# Logging functions
log_info() {
echo -e "${GREEN}[INFO]${NC} $1"
}
log_warn() {
echo -e "${YELLOW}[WARN]${NC} $1"
}
log_error() {
echo -e "${RED}[ERROR]${NC} $1"
}
log_step() {
echo -e "${BLUE}[STEP]${NC} $1"
}
# Function to generate a secure Django SECRET_KEY
generate_secret_key() {
# Generate a 50-character secret key using Python (same as Django's default)
python3 -c "
import secrets
import string
# Django-style secret key generation
chars = string.ascii_letters + string.digits + '!@#$%^&*(-_=+)'
print(''.join(secrets.choice(chars) for _ in range(50)))
"
}
# Function to check if kubectl is available
check_kubectl() {
if ! command -v kubectl &> /dev/null; then
log_error "kubectl is not installed or not in PATH"
exit 1
fi
}
# Function to check if Python3 is available
check_python() {
if ! command -v python3 &> /dev/null; then
log_error "python3 is not installed or not in PATH"
exit 1
fi
}
# Function to check if secret template exists
check_template() {
if [ ! -f "$SECRET_TEMPLATE" ]; then
# Fallback to argocd directory if templates directory doesn't exist
FALLBACK_TEMPLATE="$ARGOCD_DIR/secret.yaml"
if [ -f "$FALLBACK_TEMPLATE" ]; then
SECRET_TEMPLATE="$FALLBACK_TEMPLATE"
log_warn "Using fallback template: $SECRET_TEMPLATE"
else
log_error "Secret template not found at either:"
log_error " Primary: $TEMPLATES_DIR/secret.yaml"
log_error " Fallback: $FALLBACK_TEMPLATE"
exit 1
fi
fi
}
# Function to create the secret
create_secret() {
local secret_key="$1"
log_step "Creating Kubernetes secret '$SECRET_NAME' in namespace '$NAMESPACE'..."
# Create the secret directly with kubectl (this will create or update)
kubectl create secret generic "$SECRET_NAME" \
--from-literal="$SECRET_KEY_NAME=$secret_key" \
--namespace="$NAMESPACE" \
--dry-run=client -o yaml | kubectl apply -f -
if [ $? -eq 0 ]; then
log_info "Successfully created/updated secret '$SECRET_NAME'"
return 0
else
log_error "Failed to create/update secret '$SECRET_NAME'"
return 1
fi
}
# Function to verify the secret
verify_secret() {
log_step "Verifying secret deployment..."
if kubectl get secret "$SECRET_NAME" --namespace="$NAMESPACE" &> /dev/null; then
log_info "✅ Secret '$SECRET_NAME' exists in namespace '$NAMESPACE'"
# Show secret metadata (without revealing the actual key)
echo ""
log_info "Secret details:"
kubectl describe secret "$SECRET_NAME" --namespace="$NAMESPACE" | grep -E "^(Name|Namespace|Type|Data)"
# Verify the key exists in the secret
if kubectl get secret "$SECRET_NAME" --namespace="$NAMESPACE" -o jsonpath="{.data.$SECRET_KEY_NAME}" &> /dev/null; then
log_info "✅ Secret key '$SECRET_KEY_NAME' is present in the secret"
return 0
else
log_error "❌ Secret key '$SECRET_KEY_NAME' not found in secret"
return 1
fi
else
log_error "❌ Secret '$SECRET_NAME' not found in namespace '$NAMESPACE'"
return 1
fi
}
# Function to test secret in pod (if deployment exists)
test_secret_in_pod() {
log_step "Testing secret accessibility in Django deployment..."
# Check if Django deployment exists
if kubectl get deployment django --namespace="$NAMESPACE" &> /dev/null; then
log_info "Django deployment found, testing secret access..."
# Try to get the secret value from a pod (this will fail if env var not configured)
local pod_name
pod_name=$(kubectl get pods -l app=django --namespace="$NAMESPACE" -o jsonpath="{.items[0].metadata.name}" 2>/dev/null)
if [ -n "$pod_name" ] && [ "$pod_name" != "" ]; then
log_info "Testing secret in pod: $pod_name"
if kubectl exec "$pod_name" --namespace="$NAMESPACE" -- printenv VORGABENUI_SECRET &> /dev/null; then
log_info "✅ VORGABENUI_SECRET environment variable is accessible in pod"
else
log_warn "⚠️ VORGABENUI_SECRET environment variable not found in pod"
log_warn " This is expected if the deployment hasn't been updated yet"
fi
else
log_warn "⚠️ No running Django pods found"
fi
else
log_info "Django deployment not found - secret will be available when deployment is updated"
fi
}
# Function to show usage
show_usage() {
echo "ArgoCD Secret Deployment Script for VorgabenUI"
echo ""
echo "Usage: $0 [OPTIONS]"
echo ""
echo "This script deploys Django SECRET_KEY to the vorgabenui namespace for ArgoCD."
echo ""
echo "Options:"
echo " -h, --help Show this help message"
echo " --verify-only Only verify existing secret, don't create new one"
echo " --dry-run Show what would be done without making changes"
echo ""
echo "Configuration (hardcoded for ArgoCD):"
echo " Namespace: $NAMESPACE"
echo " Secret Name: $SECRET_NAME"
echo " Secret Key: $SECRET_KEY_NAME"
echo " Template: $SECRET_TEMPLATE"
echo ""
echo "Examples:"
echo " $0 # Generate and deploy new secret"
echo " $0 --verify-only # Verify existing secret"
echo " $0 --dry-run # Preview changes"
echo ""
echo "After running this script, update argocd/deployment.yaml to reference the secret."
}
# Parse command line arguments
VERIFY_ONLY=false
DRY_RUN=false
while [[ $# -gt 0 ]]; do
case $1 in
--verify-only)
VERIFY_ONLY=true
shift
;;
--dry-run)
DRY_RUN=true
shift
;;
-h|--help)
show_usage
exit 0
;;
*)
log_error "Unknown option: $1"
show_usage
exit 1
;;
esac
done
# Main execution
main() {
echo ""
log_info "🚀 ArgoCD Django SECRET_KEY Deployment Script"
log_info "============================================="
echo ""
log_info "Target Configuration:"
log_info " Namespace: $NAMESPACE"
log_info " Secret Name: $SECRET_NAME"
log_info " Secret Key Name: $SECRET_KEY_NAME"
echo ""
# Perform checks
log_step "Performing pre-flight checks..."
check_kubectl
check_python
check_template
log_info "✅ All pre-flight checks passed"
echo ""
# Verify-only mode
if [ "$VERIFY_ONLY" = true ]; then
log_info "🔍 Verify-only mode - checking existing secret"
verify_secret
test_secret_in_pod
exit $?
fi
# Generate new secret key
log_step "Generating new Django SECRET_KEY..."
SECRET_KEY=$(generate_secret_key)
if [ -z "$SECRET_KEY" ]; then
log_error "Failed to generate secret key"
exit 1
fi
log_info "✅ Generated secret key (first 10 chars): ${SECRET_KEY:0:10}..."
echo ""
# Dry-run mode
if [ "$DRY_RUN" = true ]; then
log_info "🔍 Dry-run mode - showing what would be done:"
echo ""
log_info "Would create secret with the following command:"
echo " kubectl create secret generic $SECRET_NAME \\"
echo " --from-literal=$SECRET_KEY_NAME='[GENERATED_KEY]' \\"
echo " --namespace=$NAMESPACE \\"
echo " --dry-run=client -o yaml | kubectl apply -f -"
echo ""
log_info "Secret key would be: ${SECRET_KEY:0:10}...${SECRET_KEY: -5}"
echo ""
log_info "Run without --dry-run to execute the deployment"
exit 0
fi
# Create namespace if it doesn't exist
if ! kubectl get namespace "$NAMESPACE" &> /dev/null; then
log_warn "Namespace '$NAMESPACE' does not exist, creating..."
kubectl create namespace "$NAMESPACE"
log_info "✅ Created namespace '$NAMESPACE'"
fi
# Create the secret
if create_secret "$SECRET_KEY"; then
echo ""
# Verify deployment
verify_secret
echo ""
test_secret_in_pod
echo ""
log_info "🎉 Secret deployment completed successfully!"
echo ""
log_info "📋 Next steps:"
log_info "1. Update argocd/deployment.yaml to include environment variable:"
echo ""
echo " env:"
echo " - name: VORGABENUI_SECRET"
echo " valueFrom:"
echo " secretKeyRef:"
echo " name: $SECRET_NAME"
echo " key: $SECRET_KEY_NAME"
echo ""
log_info "2. Apply the updated deployment:"
echo " kubectl apply -f argocd/deployment.yaml"
echo ""
log_info "3. Verify Django pods restart and pick up the new secret"
echo ""
else
log_error "Secret deployment failed"
exit 1
fi
}
# Run main function
main

2
scripts/deploy_secret.sh
View File

@@ -3,7 +3,7 @@
NAMESPACE="vorgabenui"
SECRET_NAME="django-secret"
SECRET_FILE="argocd/secret.yaml"
SECRET_FILE="templates/secret.yaml"
# Check if secret file exists
if [ ! -f "$SECRET_FILE" ]; then

17
stichworte/migrations/0004_alter_stichwort_options.py Normal file
View File

@@ -0,0 +1,17 @@
# Generated by Django 6.0.1 on 2026-01-20 08:57
from django.db import migrations
class Migration(migrations.Migration):
dependencies = [
('stichworte', '0003_alter_stichworterklaerung_options'),
]
operations = [
migrations.AlterModelOptions(
name='stichwort',
options={'verbose_name': 'Stichwort', 'verbose_name_plural': 'Stichworte'},
),
]

1
stichworte/models.py
View File

@@ -9,6 +9,7 @@ class Stichwort(models.Model):
class Meta:
verbose_name_plural="Stichworte"
verbose_name = "Stichwort"
class Stichworterklaerung (Textabschnitt):
erklaerung = models.ForeignKey(Stichwort,on_delete=models.CASCADE)

28
templates/configmap.yaml Normal file
View File

@@ -0,0 +1,28 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: django-config
namespace: vorgabenui
data:
# Django Configuration
DEBUG: "false"
DJANGO_ALLOWED_HOSTS: "vorgabenportal.knowyoursecurity.com,localhost,127.0.0.1"
DJANGO_SETTINGS_MODULE: "VorgabenUI.settings"
# Application Configuration
LANGUAGE_CODE: "de-ch"
TIME_ZONE: "UTC"
# Static and Media Configuration
STATIC_URL: "/static/"
MEDIA_URL: "/media/"
# Database Configuration (for future use)
# DATABASE_ENGINE: "django.db.backends.sqlite3"
# DATABASE_NAME: "/app/data/db.sqlite3"
# Security Configuration
# CSRF_TRUSTED_ORIGINS: "https://vorgabenportal.knowyoursecurity.com"
# Performance Configuration
# DATA_UPLOAD_MAX_NUMBER_FIELDS: "10250"

10
templates/secret.yaml Normal file
View File

@@ -0,0 +1,10 @@
apiVersion: v1
kind: Secret
metadata:
name: vorgabenui-secrets
namespace: vorgabenui
type: Opaque
data:
# Base64 encoded SECRET_KEY - populated by deployment script
# This is a TEMPLATE FILE in templates/ directory - not deployed by ArgoCD
vorgabenui_secret: ""