Merge pull request #86 from aldbr/main_FEAT_add-diracx-secret

feat: add the `DIRACX_SERVICE_AUTH_STATE_KEY` to the secrets
DIRACGrid · Feb 25, 2024 · bd00c28 · bd00c28
2 parents caa5976 + e23f3dd
commit bd00c28
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 0 deletions.
diff --git a/diracx/templates/deployment.yaml b/diracx/templates/deployment.yaml
@@ -128,6 +128,8 @@ spec:
             #     name: diracx-env-config
             - secretRef:
                 name: diracx-secrets
+            - secretRef:
+                name: diracx-dynamic-secrets
             {{- if .Values.diracx.sqlDbs.dbs }}
             - secretRef:
                 name: diracx-sql-connection-urls

diff --git a/diracx/templates/init-secrets/_init-secrets.sh.tpl b/diracx/templates/init-secrets/_init-secrets.sh.tpl
@@ -52,6 +52,9 @@ function generate_secret_if_needed(){
 ssh-keygen -P '' -trsa -b4096 -mPEM -f"$PWD/rsa256.key"
 generate_secret_if_needed diracx-token-signing-key --from-file "$PWD/rsa256.key"
 
+# Generate the token state key (to safely pass information between authorize/device requests)
+generate_secret_if_needed diracx-dynamic-secrets --from-literal=DIRACX_SERVICE_AUTH_STATE_KEY=$(head -c 32 /dev/urandom | base64)
+
 {{- if .Values.rabbitmq.enabled }}
 # Generate the secrets for rabbitmq
 generate_secret_if_needed {{ .Values.rabbitmq.auth.existingPasswordSecret }} --from-literal=rabbitmq-password=$(gen_random 'a-zA-Z0-9' 32)