Source SECRET_KEY from secret generated at install time

Signed-off-by: Olivier Léobal <[email protected]>

CHANGELOG.md

@@ -22,6 +22,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Added
 
 - New UserAwaitingApproval (base user with no channel) ([#680](https://github.com/Substra/substra-backend/pull/680))
+- New `SECRET_KEY` optional environment variable ([#671](https://github.com/Substra/substra-backend/pull/671))
+
+### Removed
+
+- BREAKING: `SECRET_KEY_PATH` and `SECRET_KEY_LOAD_AND_STORE` environment variables ([#671](https://github.com/Substra/substra-backend/pull/671))
 
 ## [0.39.0](https://github.com/Substra/substra-backend/releases/tag/0.39.0) 2023-06-27
 

backend/backend/settings/common.py

@@ -12,6 +12,7 @@
 
 import json
 import os
+import secrets
 from datetime import timedelta
 
 import structlog
@@ -21,7 +22,6 @@
 from .deps.jwt import *
 from .deps.org import *
 from .deps.path import *
-from .deps.secret_key import *
 from .deps.utils import to_bool
 
 # SECURITY WARNING: don't run with debug turned on in production!
@@ -38,6 +38,11 @@
 if os.environ.get("POD_IP"):
     ALLOWED_HOSTS.append(os.environ.get("POD_IP"))
 
+
+SECRET_KEY = os.environ.get(
+    "SECRET_KEY", secrets.token_urlsafe()  # token_urlsafe uses a "reasonable default" length
+)  # built in Django, but also used for signing JWTs
+
 # Application definition
 
 INSTALLED_APPS = [

charts/substra-backend/templates/configmap-settings.yaml

@@ -8,7 +8,6 @@ data:
   ORG_NAME: {{ .Values.organizationName | quote }}
   MEDIA_ROOT: /var/substra/medias/
   SERVERMEDIAS_ROOT: /var/substra/servermedias/
-  SECRET_KEY_PATH: /var/substra/runtime-secrets/SECRET_KEY
   SUBTUPLE_DIR: /var/substra/medias/subtuple/
   DEFAULT_DOMAIN: {{ .Values.server.defaultDomain | quote }}
   COMMON_HOST_DOMAIN: {{ .Values.server.commonHostDomain | quote }}

charts/substra-backend/templates/deployment-api-events.yaml

@@ -68,8 +68,6 @@ spec:
             initialDelaySeconds: 5
             periodSeconds: 20
           env:
-            - name: SECRET_KEY_LOAD_AND_STORE
-              value: "False" # This container doesn't generate secure data such as tokens
             - name: NAMESPACE
               valueFrom:
                   fieldRef:
@@ -131,8 +129,6 @@ spec:
             - secretRef:
                 name: {{ include "substra-backend.database.secret-name" . }}
           env:
-            - name: SECRET_KEY_LOAD_AND_STORE
-              value: "False" # This container doesn't generate secure data such as tokens
             - name: DJANGO_SETTINGS_MODULE
               value: backend.settings.{{ .Values.settings }}
       volumes:

charts/substra-backend/templates/deployment-scheduler-worker.yaml

@@ -72,8 +72,6 @@ spec:
                   fieldPath: spec.nodeName
             - name: DJANGO_SETTINGS_MODULE
               value: backend.settings.celery.{{ .Values.settings }}
-            - name: SECRET_KEY_LOAD_AND_STORE
-              value: "False" # This container doesn't generate secure data such as tokens
           volumeMounts:
             {{- if .Values.privateCa.enabled }}
             - mountPath: /etc/ssl/certs

charts/substra-backend/templates/deployment-scheduler.yaml

@@ -69,8 +69,6 @@ spec:
                   fieldPath: spec.nodeName
             - name: DJANGO_SETTINGS_MODULE
               value: backend.settings.celery.{{ .Values.settings }}
-            - name: SECRET_KEY_LOAD_AND_STORE
-              value: "False" # This container doesn't generate secure data such as tokens
           volumeMounts:
             - name: runtime-db
               mountPath: /var/substra/runtime-db

charts/substra-backend/templates/deployment-server.yaml

@@ -58,6 +58,8 @@ spec:
               name: {{ include "substra.fullname" . }}-database
           - secretRef:
               name: {{ include "substra-backend.database.secret-name" . }}
+          - secretRef:
+              name: {{ include "substra.fullname" . }}-server-key
           - configMapRef:
               name: {{ include "substra.fullname" . }}-oidc
           {{- if .Values.oidc.enabled }}
@@ -73,8 +75,6 @@ spec:
             valueFrom:
               fieldRef:
                 fieldPath: status.podIP
-          - name: SECRET_KEY_LOAD_AND_STORE
-            value: "True"
           {{- if .Values.server.metrics.enabled }}
           - name: ENABLE_METRICS
             value: "True"
@@ -158,8 +158,6 @@ spec:
             value: {{ $metricsPath }}
           - name: CELERY_MONITORING_ENABLED
             value: "True"
-          - name: SECRET_KEY_LOAD_AND_STORE
-            value: "False" # This container doesn't generate secure data such as tokens
         ports:
           - name: metrics
             containerPort: 8001
@@ -213,8 +211,6 @@ spec:
         env:
         - name: DJANGO_SETTINGS_MODULE
           value: backend.settings.{{ .Values.settings }}
-        - name: SECRET_KEY_LOAD_AND_STORE
-          value: "False" # This container doesn't generate secure data such as tokens
       - name: init-collectstatic
         image: {{ include "substra-backend.images.name" (dict "img" .Values.server.image "defaultTag" $.Chart.AppVersion) }}
         command: ['python', 'manage.py', 'collectstatic', '--noinput']
@@ -226,8 +222,6 @@ spec:
         env:
           - name: DJANGO_SETTINGS_MODULE
             value: backend.settings.{{ .Values.settings }}
-          - name: SECRET_KEY_LOAD_AND_STORE
-            value: "False" # This container doesn't generate secure data such as tokens
         volumeMounts:
           - name: statics
             mountPath: /usr/src/app/backend/statics

charts/substra-backend/templates/deployment-worker-events.yaml

@@ -68,8 +68,6 @@ spec:
             initialDelaySeconds: 5
             periodSeconds: 20
           env:
-            - name: SECRET_KEY_LOAD_AND_STORE
-              value: "False" # This container doesn't generate secure data such as tokens
             - name: NAMESPACE
               valueFrom:
                   fieldRef:
@@ -131,8 +129,6 @@ spec:
             - secretRef:
                 name: {{ include "substra-backend.database.secret-name" . }}
           env:
-            - name: SECRET_KEY_LOAD_AND_STORE
-              value: "False" # This container doesn't generate secure data such as tokens
             - name: DJANGO_SETTINGS_MODULE
               value: backend.settings.{{ .Values.settings }}
       volumes:

charts/substra-backend/templates/job-migrations.yaml

@@ -60,8 +60,6 @@ spec:
           - secretRef:
               name: {{ include "substra-backend.database.secret-name" . }}
         env:
-          - name: SECRET_KEY_LOAD_AND_STORE
-            value: "False" # This container doesn't generate secure data such as tokens
           - name: DJANGO_SETTINGS_MODULE
             value: backend.settings.{{ .Values.settings }}
         volumeMounts:

charts/substra-backend/templates/secret-server-key.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ template "substra.fullname" . }}-server-key
+  labels:
+  {{- include "substra.labels" . | nindent 4 }}
+type: Opaque
+stringData:
+  SECRET_KEY: {{ randAlphaNum 128 | quote }}

charts/substra-backend/templates/statefulset-worker.yaml

@@ -131,8 +131,6 @@ spec:
             - secretRef:
                 name: {{ include "substra-backend.database.secret-name" . }}
           env:
-            - name: SECRET_KEY_LOAD_AND_STORE
-              value: "False" # This container doesn't generate secure data such as tokens
             - name: DJANGO_SETTINGS_MODULE
               value: backend.settings.celery.{{ .Values.settings }}
             - name: DEFAULT_DOMAIN

docs/settings.md

@@ -54,6 +54,7 @@ Accepted true values for `bool` are: `1`, `ON`, `On`, `on`, `T`, `t`, `TRUE`, `T
 | string | `REGISTRY_PULL_DOMAIN` | nil |  |
 | string | `REGISTRY_SCHEME` | nil |  |
 | string | `REGISTRY_SERVICE_NAME` | nil |  |
+| string | `SECRET_KEY` | `secrets.token_urlsafe()` | built in Django, but also used for signing JWTs |
 | string | `SUBPATH` | empty string | prefix for backend endpoints |
 | bool | `TASK_CACHE_DOCKER_IMAGES` | `False` |  |
 | bool | `TASK_CHAINKEYS_ENABLED` | `False` |  |
@@ -63,13 +64,6 @@ Accepted true values for `bool` are: `1`, `ON`, `On`, `on`, `T`, `t`, `TRUE`, `T
 | string | `WORKER_PVC_SUBTUPLE` | nil |  |
 | string | `WORKER_REPLICA_SET_NAME` | nil |  |
 
-## Secret key settings
-
-| Type | Setting | Default value | Comment |
-|------|---------|---------------|---------|
-| bool | `SECRET_KEY_LOAD_AND_STORE` | `True` | Whether to load the secret key from file (and write it there if it doesn't exist) |
-| string | `SECRET_KEY_PATH` | `path.PROJECT_ROOT / 'SECRET'` |  |
-
 ## JWT settings
 
 | Type | Setting | Default value | Comment |

tools/build_settings_doc.py

@@ -207,7 +207,6 @@ def compare_content(generated: pathlib.Path, committed: pathlib.Path) -> bool:
     args = parse_arguments()
     settings = {}
     settings["Global"] = load_settings_from_file(SETTINGS_FOLDER / "common.py")
-    settings["Secret key"] = load_settings_from_file(SETTINGS_FOLDER / "deps/secret_key.py")
     settings["JWT"] = load_settings_from_file(SETTINGS_FOLDER / "deps/jwt.py")
     settings["Orchestrator"] = load_settings_from_file(SETTINGS_FOLDER / "deps/orchestrator.py")
     settings["Task broker"] = load_settings_from_file(SETTINGS_FOLDER / "deps/celery.py")