Allow the Django secret key to be set via DJANGO_SECRET_KEY env var#748
Closed
pimzand wants to merge 1 commit into
Closed
Allow the Django secret key to be set via DJANGO_SECRET_KEY env var#748pimzand wants to merge 1 commit into
pimzand wants to merge 1 commit into
Conversation
The entrypoint rewrites SECRET_KEY in djangosettings.py on every start. On a persisted /etc/frepple (Linux install, docker-compose named volume) this is a harmless first-boot stamp. But the Kubernetes manifest in contrib/kubernetes does not persist /etc/frepple, so the config dir resets to the shipped placeholder on every pod (re)start and a fresh key is minted each time — logging out all sessions and rotating SECRET_WEBTOKEN_KEY, the Odoo SSO bridge. Honor a DJANGO_SECRET_KEY environment variable when set (purely additive: unset keeps the previous random-key behavior, so no existing deployment changes), and set it from a Secret in the k8s manifest. Inject via python repr() so arbitrary key characters can't break the substitution. Document the variable for the docker image and the secret for the k8s deployment.
pimzand
force-pushed
the
fix/secret-key-from-env
branch
from
a6f67bf to
da6c00b
Compare
Contributor
Author
|
Superseded by #749. The right fix is to persist |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fixes #747.
Problem
contrib/docker/entrypoint.shrewritesSECRET_KEYindjangosettings.pyon every container start. Where/etc/freppleis persisted (Linux install, docker-compose named volume) this is a harmless first-boot stamp — once a real key is written the placeholder-anchoredsedno longer matches. But the official Kubernetes manifest incontrib/kubernetesdoes not persist/etc/frepple, so the config dir resets to the shipped placeholder on every pod (re)start and a fresh key is minted each time — invalidating all sessions and rotatingSECRET_WEBTOKEN_KEY(the Odoo SSO bridge). The issue explains why simply persisting/etc/freppleon Kubernetes isn't a clean answer.Change
Let the entrypoint honor a
DJANGO_SECRET_KEYenvironment variable: use it when set, fall back to the existing random key when unset. This is purely additive — with the variable unset, behavior is identical to today, so no existing deployment (Linux, docker-compose, current Kubernetes) changes. It keeps the pod stateless and/etc/freppleimage-owned and writable, and letsSECRET_KEYbe supplied the same wayPOSTGRES_*,ODOO_*, andFREPPLE_*already are.contrib/docker/entrypoint.sh— honorDJANGO_SECRET_KEYwhen set. The substitution still only matches the shipped placeholder, so an already-stamped (persisted) key is never touched. Reworked fromsedto a small Python snippet that injects the value viarepr(), so arbitrary key characters can't break the substitution.contrib/kubernetes/frepple-deployment.yaml— setDJANGO_SECRET_KEYfrom a newfrepple-secretSecret (ships a placeholder value with a generate-your-own note).doc/installation-guide/advanced/kubernetes.rst,doc/installation-guide/docker-container.rst— document the variable and the Secret.docker-compose is left unchanged — its named volume already persists the key.