Source SECRET_KEY from secret generated at install time

Signed-off-by: Olivier Léobal <[email protected]>

CHANGELOG.md

@@ -22,6 +22,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Added
 
 - New UserAwaitingApproval (base user with no channel) ([#680](https://github.com/Substra/substra-backend/pull/680))
+- New `SECRET_KEY` optional environment variable ([#671](https://github.com/Substra/substra-backend/pull/671))
+
+### Removed
+
+- BREAKING: `SECRET_KEY_PATH` and `SECRET_KEY_LOAD_AND_STORE` environment variables ([#671](https://github.com/Substra/substra-backend/pull/671))
 
 ## [0.39.0](https://github.com/Substra/substra-backend/releases/tag/0.39.0) 2023-06-27
 

backend/backend/settings/common.py

@@ -12,6 +12,7 @@
 
 import json
 import os
+import secrets
 from datetime import timedelta
 
 import structlog
@@ -21,7 +22,6 @@
 from .deps.jwt import *
 from .deps.org import *
 from .deps.path import *
-from .deps.secret_key import *
 from .deps.utils import to_bool
 
 # SECURITY WARNING: don't run with debug turned on in production!
@@ -38,6 +38,10 @@
 if os.environ.get("POD_IP"):
     ALLOWED_HOSTS.append(os.environ.get("POD_IP"))
 
+# SECRET_KEY is built in Django, but also used for signing JWTs
+# token_urlsafe uses a "reasonable default" length
+SECRET_KEY = os.environ.get("SECRET_KEY", secrets.token_urlsafe())
+
 # Application definition
 
 INSTALLED_APPS = [

charts/substra-backend/templates/configmap-settings.yaml

@@ -8,7 +8,6 @@ data:
   ORG_NAME: {{ .Values.organizationName | quote }}
   MEDIA_ROOT: /var/substra/medias/
   SERVERMEDIAS_ROOT: /var/substra/servermedias/
-  SECRET_KEY_PATH: /var/substra/runtime-secrets/SECRET_KEY
   SUBTUPLE_DIR: /var/substra/medias/subtuple/
   DEFAULT_DOMAIN: {{ .Values.server.defaultDomain | quote }}
   COMMON_HOST_DOMAIN: {{ .Values.server.commonHostDomain | quote }}

charts/substra-backend/templates/deployment-api-events.yaml

@@ -68,8 +68,6 @@ spec:
             initialDelaySeconds: 5
             periodSeconds: 20
           env:
-            - name: SECRET_KEY_LOAD_AND_STORE
-              value: "False" # This container doesn't generate secure data such as tokens
             - name: NAMESPACE
               valueFrom:
                   fieldRef:
@@ -131,8 +129,6 @@ spec:
             - secretRef:
                 name: {{ include "substra-backend.database.secret-name" . }}
           env:
-            - name: SECRET_KEY_LOAD_AND_STORE
-              value: "False" # This container doesn't generate secure data such as tokens
             - name: DJANGO_SETTINGS_MODULE
               value: backend.settings.{{ .Values.settings }}
       volumes:

charts/substra-backend/templates/deployment-scheduler-worker.yaml

@@ -72,8 +72,6 @@ spec:
                   fieldPath: spec.nodeName
             - name: DJANGO_SETTINGS_MODULE
               value: backend.settings.celery.{{ .Values.settings }}
-            - name: SECRET_KEY_LOAD_AND_STORE
-              value: "False" # This container doesn't generate secure data such as tokens
           volumeMounts:
             {{- if .Values.privateCa.enabled }}
             - mountPath: /etc/ssl/certs

charts/substra-backend/templates/deployment-scheduler.yaml

@@ -69,8 +69,6 @@ spec:
                   fieldPath: spec.nodeName
             - name: DJANGO_SETTINGS_MODULE
               value: backend.settings.celery.{{ .Values.settings }}
-            - name: SECRET_KEY_LOAD_AND_STORE
-              value: "False" # This container doesn't generate secure data such as tokens
           volumeMounts:
             - name: runtime-db
               mountPath: /var/substra/runtime-db

charts/substra-backend/templates/deployment-server.yaml

@@ -58,6 +58,8 @@ spec:
               name: {{ include "substra.fullname" . }}-database
           - secretRef:
               name: {{ include "substra-backend.database.secret-name" . }}
+          - secretRef:
+              name: {{ include "substra.fullname" . }}-server-key
           - configMapRef:
               name: {{ include "substra.fullname" . }}-oidc
           {{- if .Values.oidc.enabled }}
@@ -73,8 +75,6 @@ spec:
             valueFrom:
               fieldRef:
                 fieldPath: status.podIP
-          - name: SECRET_KEY_LOAD_AND_STORE
-            value: "True"
           {{- if .Values.server.metrics.enabled }}
           - name: ENABLE_METRICS
             value: "True"
@@ -158,8 +158,6 @@ spec:
             value: {{ $metricsPath }}
           - name: CELERY_MONITORING_ENABLED
             value: "True"
-          - name: SECRET_KEY_LOAD_AND_STORE
-            value: "False" # This container doesn't generate secure data such as tokens
         ports:
           - name: metrics
             containerPort: 8001
@@ -213,8 +211,6 @@ spec:
         env:
         - name: DJANGO_SETTINGS_MODULE
           value: backend.settings.{{ .Values.settings }}
-        - name: SECRET_KEY_LOAD_AND_STORE
-          value: "False" # This container doesn't generate secure data such as tokens
       - name: init-collectstatic
         image: {{ include "substra-backend.images.name" (dict "img" .Values.server.image "defaultTag" $.Chart.AppVersion) }}
         command: ['python', 'manage.py', 'collectstatic', '--noinput']
@@ -226,8 +222,6 @@ spec:
         env:
           - name: DJANGO_SETTINGS_MODULE
             value: backend.settings.{{ .Values.settings }}
-          - name: SECRET_KEY_LOAD_AND_STORE
-            value: "False" # This container doesn't generate secure data such as tokens
         volumeMounts:
           - name: statics
             mountPath: /usr/src/app/backend/statics

charts/substra-backend/templates/deployment-worker-events.yaml

@@ -68,8 +68,6 @@ spec:
             initialDelaySeconds: 5
             periodSeconds: 20
           env:
-            - name: SECRET_KEY_LOAD_AND_STORE
-              value: "False" # This container doesn't generate secure data such as tokens
             - name: NAMESPACE
               valueFrom:
                   fieldRef:
@@ -131,8 +129,6 @@ spec:
             - secretRef:
                 name: {{ include "substra-backend.database.secret-name" . }}
           env:
-            - name: SECRET_KEY_LOAD_AND_STORE
-              value: "False" # This container doesn't generate secure data such as tokens
             - name: DJANGO_SETTINGS_MODULE
               value: backend.settings.{{ .Values.settings }}
       volumes:

charts/substra-backend/templates/job-migrations.yaml

@@ -60,8 +60,6 @@ spec:
           - secretRef:
               name: {{ include "substra-backend.database.secret-name" . }}
         env:
-          - name: SECRET_KEY_LOAD_AND_STORE
-            value: "False" # This container doesn't generate secure data such as tokens
           - name: DJANGO_SETTINGS_MODULE
             value: backend.settings.{{ .Values.settings }}
         volumeMounts:

charts/substra-backend/templates/secret-server-key.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ template "substra.fullname" . }}-server-key
+  labels:
+  {{- include "substra.labels" . | nindent 4 }}
+type: Opaque
+stringData:
+  SECRET_KEY: {{ randAlphaNum 128 | quote }}

charts/substra-backend/templates/statefulset-worker.yaml

@@ -131,8 +131,6 @@ spec:
             - secretRef:
                 name: {{ include "substra-backend.database.secret-name" . }}
           env:
-            - name: SECRET_KEY_LOAD_AND_STORE
-              value: "False" # This container doesn't generate secure data such as tokens
             - name: DJANGO_SETTINGS_MODULE
               value: backend.settings.celery.{{ .Values.settings }}
             - name: DEFAULT_DOMAIN