diff --git a/images/compose/assets/app_secret.txt b/images/compose/assets/app_secret.txt
new file mode 100644
index 00000000..f6e3fbbd
--- /dev/null
+++ b/images/compose/assets/app_secret.txt
@@ -0,0 +1 @@
+django-insecure-7*q3urjf4m1l&x)9i#t^!75t!@c5)6h+rfd12+lc=9oa98c-9w
diff --git a/images/compose/assets/certs/database_fields.symmetric.key b/images/compose/assets/db_encryption_key.txt
similarity index 100%
rename from images/compose/assets/certs/database_fields.symmetric.key
rename to images/compose/assets/db_encryption_key.txt
diff --git a/images/compose/assets/db_password.txt b/images/compose/assets/db_password.txt
new file mode 100644
index 00000000..f3097ab1
--- /dev/null
+++ b/images/compose/assets/db_password.txt
@@ -0,0 +1 @@
+password
diff --git a/images/compose/assets/settings.py b/images/compose/assets/settings.py
index 6b7dd5cc..91c39476 100644
--- a/images/compose/assets/settings.py
+++ b/images/compose/assets/settings.py
@@ -1,6 +1,14 @@
-SECRET_KEY = "aabbcc"
+with open("/run/secrets/app_secret", "r") as fp:
+    app_secret = fp.readline()[:-1]
+
+with open("/run/secrets/db_password", "r") as fp:
+    db_password = fp.readline()[:-1]
+
+
+SECRET_KEY = app_secret
 CONTENT_ORIGIN = "http://pulp_content:24816"
-DATABASES = {"default": {"HOST": "postgres", "ENGINE": "django.db.backends.postgresql", "NAME": "pulp", "USER": "pulp", "PASSWORD": "password", "PORT": "5432", "CONN_MAX_AGE": 0, "OPTIONS": {"sslmode": "prefer"}}}
+DATABASES = {"default": {"HOST": "postgres", "ENGINE": "django.db.backends.postgresql", "NAME": "pulp", "USER": "pulp", "PASSWORD": db_password, "PORT": "5432", "CONN_MAX_AGE": 0, "OPTIONS": {"sslmode": "prefer"}}}
+DB_ENCRYPTION_KEY = "/run/secrets/db_encryption_key"
 CACHE_ENABLED = True
 REDIS_HOST = "redis"
 REDIS_PORT = 6379
diff --git a/images/compose/compose.folders.yml b/images/compose/compose.folders.yml
index a30f192e..f55dd658 100644
--- a/images/compose/compose.folders.yml
+++ b/images/compose/compose.folders.yml
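Review bot: The value committed in app_secret.txt is a `django-insecure-` style key and db_password.txt holds `password`, so every checkout that runs these compose assets unchanged shares one SECRET_KEY and one database password, now read from files rather than from the old hard-coded settings. That is fine for a local-development bundle, but nothing in the commit says so, and the secret files themselves have no comment syntax to carry the warning. A one-line comment on the new top-level `secrets:` block in both compose files, `# Dev-only sample values; regenerate these files before any non-local deployment`, would make the intent explicit. Whether a generated-at-first-run approach is preferred over committed samples is a project decision the commit does not state.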
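Review bot: `fp.readline()[:-1]` in the two new `with open(...)` blocks drops the last character unconditionally, so a secret file saved without a trailing newline loses its final byte — SECRET_KEY would silently be one character short, and the database password would no longer match what the postgres entrypoint reads from the same file (it strips trailing newlines rather than a fixed byte count). Stripping only line terminators keeps both readers in agreement regardless of how the file was saved: `app_secret = fp.readline().rstrip("\r\n")` and `db_password = fp.readline().rstrip("\r\n")`. Passing `encoding="utf-8"` to both `open()` calls would also remove the dependency on the container's locale for keys containing non-ASCII characters. A short module comment such as `# Secrets are mounted by compose under /run/secrets; see the secrets: block in compose.yml` would tell a reader where these paths come from.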
@@ -6,13 +6,15 @@ services:
     image: "docker.io/library/postgres:13"
     environment:
       POSTGRES_USER: pulp
-      POSTGRES_PASSWORD: password
+      POSTGRES_PASSWORD_FILE: "/run/secrets/db_password"
       POSTGRES_DB: pulp
       POSTGRES_INITDB_ARGS: '--auth-host=scram-sha-256'
       POSTGRES_HOST_AUTH_METHOD: 'scram-sha-256'
     volumes:
       - "../../pgsql:/var/lib/postgresql:Z"
       - "./assets/postgres/passwd:/etc/passwd:Z"
+    secrets:
+      - db_password
     networks:
       - pulp_internal
     restart: always
@@ -66,8 +68,11 @@ services:
     user: pulp
     volumes:
       - "./assets/settings.py:/etc/pulp/settings.py:z"
-      - "./assets/certs:/etc/pulp/certs:z"
       - "../../pulp_storage:/var/lib/pulp:z"
+    secrets:
+      - app_secret
+      - db_password
+      - db_encryption_key
     networks:
       - pulp_internal
     environment:
@@ -88,8 +93,11 @@ services:
     user: pulp
     volumes:
       - "./assets/settings.py:/etc/pulp/settings.py:z"
-      - "./assets/certs:/etc/pulp/certs:z"
       - "../../pulp_storage:/var/lib/pulp:z"
+    secrets:
+      - app_secret
+      - db_password
+      - db_encryption_key
     networks:
       - pulp_internal
     restart: always
@@ -107,8 +115,11 @@ services:
     user: pulp
     volumes:
       - "./assets/settings.py:/etc/pulp/settings.py:z"
-      - "./assets/certs:/etc/pulp/certs:z"
       - "../../pulp_storage:/var/lib/pulp:z"
+    secrets:
+      - app_secret
+      - db_password
+      - db_encryption_key
     networks:
       - pulp_internal
     restart: always
@@ -116,6 +127,14 @@ services:
 networks:
   pulp_internal:
 
+secrets:
+  app_secret:
+    file: ./assets/app_secret.txt
+  db_password:
+    file: ./assets/db_password.txt
+  db_encryption_key:
+    file: ./assets/db_encryption_key.txt
+
 volumes:
   redis_data:
     name: redis_data${DEV_VOLUME_SUFFIX:-dev}
diff --git a/images/compose/compose.yml b/images/compose/compose.yml
index 41d87e83..1b59af58 100644
--- a/images/compose/compose.yml
+++ b/images/compose/compose.yml
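Review bot: `POSTGRES_PASSWORD_FILE` in the first hunk is consulted by the postgres image only when it initializes an empty data directory, so with the persistent `../../pgsql` bind mount an already-initialized database keeps the password it was created with, while settings.py will send whatever `db_password.txt` currently holds. Today the committed value is the same `password` as the old hard-coded one, so existing checkouts keep working, but rotating the file later changes only the client side unless an `ALTER ROLE` is run or the data directory is recreated. A comment next to the new `secrets:` definition, `# postgres applies db_password only at first initialization; for an existing data directory rotate with ALTER ROLE`, would prevent that debugging session; the postgres service in compose.yml has the same property. Separately, the consuming services run as `user: pulp`, and whether the files mounted under `/run/secrets/` are readable by that uid may depend on the host files' permissions — worth confirming on a fresh clone.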
@@ -6,13 +6,14 @@ services:
     image: "docker.io/library/postgres:13"
     environment:
       POSTGRES_USER: pulp
-      POSTGRES_PASSWORD: password
+      POSTGRES_PASSWORD_FILE: "/run/secrets/db_password"
       POSTGRES_DB: pulp
       POSTGRES_INITDB_ARGS: '--auth-host=scram-sha-256'
       POSTGRES_HOST_AUTH_METHOD: 'scram-sha-256'
     volumes:
       - "pg_data:/var/lib/postgresql"
-      - "./assets/postgres/passwd:/etc/passwd:Z"
+    secrets:
+      - db_password
     networks:
       - pulp_internal
     restart: always
@@ -66,8 +67,11 @@ services:
     user: pulp
     volumes:
       - "./assets/settings.py:/etc/pulp/settings.py:z"
-      - "./assets/certs:/etc/pulp/certs:z"
       - "pulp:/var/lib/pulp"
+    secrets:
+      - app_secret
+      - db_password
+      - db_encryption_key
     networks:
       - pulp_internal
     environment:
@@ -88,8 +92,11 @@ services:
     user: pulp
     volumes:
       - "./assets/settings.py:/etc/pulp/settings.py:z"
-      - "./assets/certs:/etc/pulp/certs:z"
       - "pulp:/var/lib/pulp"
+    secrets:
+      - app_secret
+      - db_password
+      - db_encryption_key
     networks:
       - pulp_internal
     restart: always
@@ -107,8 +114,11 @@ services:
     user: pulp
     volumes:
       - "./assets/settings.py:/etc/pulp/settings.py:z"
-      - "./assets/certs:/etc/pulp/certs:z"
       - "pulp:/var/lib/pulp"
+    secrets:
+      - app_secret
+      - db_password
+      - db_encryption_key
     networks:
       - pulp_internal
     restart: always
@@ -116,6 +126,14 @@ services:
 networks:
   pulp_internal:
 
+secrets:
+  app_secret:
+    file: ./assets/app_secret.txt
+  db_password:
+    file: ./assets/db_password.txt
+  db_encryption_key:
+    file: ./assets/db_encryption_key.txt
+
 volumes:
   pulp:
     name: pulp${DEV_VOLUME_SUFFIX:-dev}
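Review bot: The postgres service in the first hunk drops the `./assets/postgres/passwd:/etc/passwd:Z` mount, whereas the matching hunk in compose.folders.yml keeps it, so the two compose variants now differ on more than the secret wiring. If the `/etc/passwd` override is only needed for the host-directory layout used by compose.folders.yml that is plausible, but the commit does not say so and the asymmetry reads like an accidental leftover. A comment beside the remaining mount in compose.folders.yml, `# TODO: confirm the /etc/passwd override is still needed here (removed in compose.yml)`, or removing it there as well, would settle it. The remaining hunks mirror compose.folders.yml and the points raised on that file apply here unchanged.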