Use secrets for passwords in compose

[noissue]
pulp · Sep 1, 2023 · d3970f0 · d3970f0
1 parent 3a103c4
commit d3970f0
Show file tree

Hide file tree

Showing 6 changed files with 58 additions and 11 deletions.
diff --git a/images/compose/assets/app_secret.txt b/images/compose/assets/app_secret.txt
@@ -0,0 +1 @@
+django-insecure-7*q3urjf4m1l&x)9i#t^!75t!@c5)6h+rfd12+lc=9oa98c-9w
diff --git a/...ssets/certs/database_fields.symmetric.key → images/compose/assets/db_encryption_key.txt b/...ssets/certs/database_fields.symmetric.key → images/compose/assets/db_encryption_key.txt
diff --git a/images/compose/assets/db_password.txt b/images/compose/assets/db_password.txt
@@ -0,0 +1 @@
+password
diff --git a/images/compose/assets/settings.py b/images/compose/assets/settings.py
@@ -1,6 +1,14 @@
-SECRET_KEY = "aabbcc"
+with open("/run/secrets/app_secret", "r") as fp:
+    app_secret = fp.readline()[:-1]
+
+with open("/run/secrets/db_password", "r") as fp:
+    db_password = fp.readline()[:-1]
+
+
+SECRET_KEY = app_secret
 CONTENT_ORIGIN = "http://pulp_content:24816"
-DATABASES = {"default": {"HOST": "postgres", "ENGINE": "django.db.backends.postgresql", "NAME": "pulp", "USER": "pulp", "PASSWORD": "password", "PORT": "5432", "CONN_MAX_AGE": 0, "OPTIONS": {"sslmode": "prefer"}}}
+DATABASES = {"default": {"HOST": "postgres", "ENGINE": "django.db.backends.postgresql", "NAME": "pulp", "USER": "pulp", "PASSWORD": db_password, "PORT": "5432", "CONN_MAX_AGE": 0, "OPTIONS": {"sslmode": "prefer"}}}
+DB_ENCRYPTION_KEY = "/run/secrets/db_encryption_key"
 CACHE_ENABLED = True
 REDIS_HOST = "redis"
 REDIS_PORT = 6379

diff --git a/images/compose/compose.folders.yml b/images/compose/compose.folders.yml
@@ -6,13 +6,15 @@ services:
     image: "docker.io/library/postgres:13"
     environment:
       POSTGRES_USER: pulp
-      POSTGRES_PASSWORD: password
+      POSTGRES_PASSWORD_FILE: "/run/secrets/db_password"
       POSTGRES_DB: pulp
       POSTGRES_INITDB_ARGS: '--auth-host=scram-sha-256'
       POSTGRES_HOST_AUTH_METHOD: 'scram-sha-256'
     volumes:
       - "../../pgsql:/var/lib/postgresql:Z"
       - "./assets/postgres/passwd:/etc/passwd:Z"
+    secrets:
+      - db_password
     networks:
       - pulp_internal
     restart: always
@@ -66,8 +68,11 @@ services:
     user: pulp
     volumes:
       - "./assets/settings.py:/etc/pulp/settings.py:z"
-      - "./assets/certs:/etc/pulp/certs:z"
       - "../../pulp_storage:/var/lib/pulp:z"
+    secrets:
+      - app_secret
+      - db_password
+      - db_encryption_key
     networks:
       - pulp_internal
     environment:
@@ -88,8 +93,11 @@ services:
     user: pulp
     volumes:
       - "./assets/settings.py:/etc/pulp/settings.py:z"
-      - "./assets/certs:/etc/pulp/certs:z"
       - "../../pulp_storage:/var/lib/pulp:z"
+    secrets:
+      - app_secret
+      - db_password
+      - db_encryption_key
     networks:
       - pulp_internal
     restart: always
@@ -107,15 +115,26 @@ services:
     user: pulp
     volumes:
       - "./assets/settings.py:/etc/pulp/settings.py:z"
-      - "./assets/certs:/etc/pulp/certs:z"
       - "../../pulp_storage:/var/lib/pulp:z"
+    secrets:
+      - app_secret
+      - db_password
+      - db_encryption_key
     networks:
       - pulp_internal
     restart: always
 
 networks:
   pulp_internal:
 
+secrets:
+  app_secret:
+    file: ./assets/app_secret.txt
+  db_password:
+    file: ./assets/db_password.txt
+  db_encryption_key:
+    file: ./assets/db_encryption_key.txt
+
 volumes:
   redis_data:
     name: redis_data${DEV_VOLUME_SUFFIX:-dev}
diff --git a/images/compose/compose.yml b/images/compose/compose.yml
@@ -6,13 +6,14 @@ services:
     image: "docker.io/library/postgres:13"
     environment:
       POSTGRES_USER: pulp
-      POSTGRES_PASSWORD: password
+      POSTGRES_PASSWORD_FILE: "/run/secrets/db_password"
       POSTGRES_DB: pulp
       POSTGRES_INITDB_ARGS: '--auth-host=scram-sha-256'
       POSTGRES_HOST_AUTH_METHOD: 'scram-sha-256'
     volumes:
       - "pg_data:/var/lib/postgresql"
-      - "./assets/postgres/passwd:/etc/passwd:Z"
+    secrets:
+      - db_password
     networks:
       - pulp_internal
     restart: always
@@ -66,8 +67,11 @@ services:
     user: pulp
     volumes:
       - "./assets/settings.py:/etc/pulp/settings.py:z"
-      - "./assets/certs:/etc/pulp/certs:z"
       - "pulp:/var/lib/pulp"
+    secrets:
+      - app_secret
+      - db_password
+      - db_encryption_key
     networks:
       - pulp_internal
     environment:
@@ -88,8 +92,11 @@ services:
     user: pulp
     volumes:
       - "./assets/settings.py:/etc/pulp/settings.py:z"
-      - "./assets/certs:/etc/pulp/certs:z"
       - "pulp:/var/lib/pulp"
+    secrets:
+      - app_secret
+      - db_password
+      - db_encryption_key
     networks:
       - pulp_internal
     restart: always
@@ -107,15 +114,26 @@ services:
     user: pulp
     volumes:
       - "./assets/settings.py:/etc/pulp/settings.py:z"
-      - "./assets/certs:/etc/pulp/certs:z"
       - "pulp:/var/lib/pulp"
+    secrets:
+      - app_secret
+      - db_password
+      - db_encryption_key
     networks:
       - pulp_internal
     restart: always
 
 networks:
   pulp_internal:
 
+secrets:
+  app_secret:
+    file: ./assets/app_secret.txt
+  db_password:
+    file: ./assets/db_password.txt
+  db_encryption_key:
+    file: ./assets/db_encryption_key.txt
+
 volumes:
   pulp:
     name: pulp${DEV_VOLUME_SUFFIX:-dev}