Add the pulp_secret_key field

git-hyagi · git-hyagi · commit 0f40e6326bd1 · 2023-08-21T16:09:00.000-03:00
closes: #1040
diff --git a/CHANGES/1040.feature b/CHANGES/1040.feature
@@ -0,0 +1 @@
+Added the `pulp_secret_key` field to set the Django `SECRET_KEY`.
diff --git a/apis/repo-manager.pulpproject.org/v1beta2/pulp_backup_types.go b/apis/repo-manager.pulpproject.org/v1beta2/pulp_backup_types.go
@@ -75,6 +75,12 @@ type PulpBackupSpec struct {
 	// +operator-sdk:csv:customresourcedefinitions:type=spec,xDescriptors={"urn:alm:descriptor:io.kubernetes:Secret"}
 	PostgresConfigurationSecret string `json:"postgres_configuration_secret"`
 
+	// Secret where the Django SECRET_KEY configuration can be found
+	// +kubebuilder:validation:Optional
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Django SECRET_KEY configuration"
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,xDescriptors={"urn:alm:descriptor:io.kubernetes:Secret"}
+	PulpSecretKey string `json:"pulp_secret_key,omitempty"`
+
 	// Affinity is a group of affinity scheduling rules.
 	// +kubebuilder:validation:Optional
 	// +operator-sdk:csv:customresourcedefinitions:type=spec,xDescriptors={"urn:alm:descriptor:com.tectonic.ui:advanced"}
diff --git a/apis/repo-manager.pulpproject.org/v1beta2/pulp_types.go b/apis/repo-manager.pulpproject.org/v1beta2/pulp_types.go
@@ -360,6 +360,12 @@ type PulpSpec struct {
 	// Job to run django migrations
 	MigrationJob PulpJob `json:"migration_job,omitempty"`
 
+	// Name of the Secret to provide Django cryptographic signing.
+	// Default: "pulp-secret-key"
+	// +kubebuilder:validation:Optional
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,xDescriptors={"urn:alm:descriptor:com.tectonic.ui:hidden"}
+	PulpSecretKey string `json:"pulp_secret_key,omitempty"`
+
 	/*
 	 DEPRECATED FIELDS FROM ANSIBLE VERSION
 	*/
@@ -1129,6 +1135,8 @@ type PulpStatus struct {
 	ExternalCacheSecret string `json:"external_cache_secret,omitempty"`
 	// Pulp metrics collection enabled
 	TelemetryEnabled bool `json:"telemetry_enabled,omitempty"`
+	// Name of the Secret to provide Django cryptographic signing.
+	PulpSecretKey string `json:"pulp_secret_key,omitempty"`
 
 	// [DEPRECATED] Temporarily adding to keep compatibility with ansible version.
 	StoragePersistentVolumeClaim       string `json:"storagePersistentVolumeClaim,omitempty"`
diff --git a/bundle/manifests/pulp-operator.clusterserviceversion.yaml b/bundle/manifests/pulp-operator.clusterserviceversion.yaml
@@ -325,7 +325,7 @@ metadata:
     capabilities: Full Lifecycle
     categories: Integration & Delivery
     containerImage: quay.io/pulp/pulp-operator:devel
-    createdAt: "2023-08-09T19:33:08Z"
+    createdAt: "2023-08-21T15:47:03Z"
     description: Pulp is a platform for managing repositories of software packages
       and making them available to a large number of consumers.
     operators.operatorframework.io/builder: operator-sdk-v1.29.0
@@ -544,6 +544,11 @@ spec:
       - description: Label selector used to identify postgres pod for executing migration
         displayName: Postgres Label Selector
         path: postgres_label_selector
+      - description: Secret where the Django SECRET_KEY configuration can be found
+        displayName: Django SECRET_KEY configuration
+        path: pulp_secret_key
+        x-descriptors:
+        - urn:alm:descriptor:io.kubernetes:Secret
       statusDescriptors:
       - description: Administrator password secret used by the deployed instance
         displayName: Admin Password Secret
@@ -3248,6 +3253,12 @@ spec:
         path: postgres_tolerations
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:advanced
+      - description: 'Name of the Secret to provide Django cryptographic signing.
+          Default: "pulp-secret-key"'
+        displayName: Pulp Secret Key
+        path: pulp_secret_key
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:hidden
       - description: Definition of /etc/pulp/settings.py config file.
         displayName: Pulp Settings
         path: pulp_settings
diff --git a/bundle/manifests/repo-manager.pulpproject.org_pulpbackups.yaml b/bundle/manifests/repo-manager.pulpproject.org_pulpbackups.yaml
@@ -2922,6 +2922,10 @@ spec:
                 description: Label selector used to identify postgres pod for executing
                   migration
                 type: string
+              pulp_secret_key:
+                description: Secret where the Django SECRET_KEY configuration can
+                  be found
+                type: string
             type: object
           status:
             description: PulpBackupStatus defines the observed state of PulpBackup
diff --git a/bundle/manifests/repo-manager.pulpproject.org_pulps.yaml b/bundle/manifests/repo-manager.pulpproject.org_pulps.yaml
@@ -25060,6 +25060,10 @@ spec:
                       type: string
                   type: object
                 type: array
+              pulp_secret_key:
+                description: 'Name of the Secret to provide Django cryptographic signing.
+                  Default: "pulp-secret-key"'
+                type: string
               pulp_settings:
                 description: Definition of /etc/pulp/settings.py config file.
                 type: object
@@ -28001,6 +28005,9 @@ spec:
               object_storage_s3_secret:
                 description: The secret for S3 compliant object storage configuration.
                 type: string
+              pulp_secret_key:
+                description: Name of the Secret to provide Django cryptographic signing.
+                type: string
               storagePersistentVolumeClaim:
                 description: '[DEPRECATED] Temporarily adding to keep compatibility
                   with ansible version.'
diff --git a/config/crd/bases/repo-manager.pulpproject.org_pulpbackups.yaml b/config/crd/bases/repo-manager.pulpproject.org_pulpbackups.yaml
@@ -2923,6 +2923,10 @@ spec:
                 description: Label selector used to identify postgres pod for executing
                   migration
                 type: string
+              pulp_secret_key:
+                description: Secret where the Django SECRET_KEY configuration can
+                  be found
+                type: string
             type: object
           status:
             description: PulpBackupStatus defines the observed state of PulpBackup
diff --git a/config/crd/bases/repo-manager.pulpproject.org_pulps.yaml b/config/crd/bases/repo-manager.pulpproject.org_pulps.yaml
@@ -25061,6 +25061,10 @@ spec:
                       type: string
                   type: object
                 type: array
+              pulp_secret_key:
+                description: 'Name of the Secret to provide Django cryptographic signing.
+                  Default: "pulp-secret-key"'
+                type: string
               pulp_settings:
                 description: Definition of /etc/pulp/settings.py config file.
                 type: object
@@ -28002,6 +28006,9 @@ spec:
               object_storage_s3_secret:
                 description: The secret for S3 compliant object storage configuration.
                 type: string
+              pulp_secret_key:
+                description: Name of the Secret to provide Django cryptographic signing.
+                type: string
               storagePersistentVolumeClaim:
                 description: '[DEPRECATED] Temporarily adding to keep compatibility
                   with ansible version.'
diff --git a/config/manifests/bases/pulp-operator.clusterserviceversion.yaml b/config/manifests/bases/pulp-operator.clusterserviceversion.yaml
@@ -200,6 +200,11 @@ spec:
       - description: Label selector used to identify postgres pod for executing migration
         displayName: Postgres Label Selector
         path: postgres_label_selector
+      - description: Secret where the Django SECRET_KEY configuration can be found
+        displayName: Django SECRET_KEY configuration
+        path: pulp_secret_key
+        x-descriptors:
+        - urn:alm:descriptor:io.kubernetes:Secret
       statusDescriptors:
       - description: Administrator password secret used by the deployed instance
         displayName: Admin Password Secret
@@ -1292,6 +1297,12 @@ spec:
         path: postgres_tolerations
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:advanced
+      - description: 'Name of the Secret to provide Django cryptographic signing.
+          Default: "pulp-secret-key"'
+        displayName: Pulp Secret Key
+        path: pulp_secret_key
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:hidden
       - description: Definition of /etc/pulp/settings.py config file.
         displayName: Pulp Settings
         path: pulp_settings
diff --git a/controllers/backup/README.md b/controllers/backup/README.md
@@ -48,6 +48,7 @@ PulpBackupSpec defines the desired state of PulpBackup
 | postgres_label_selector | Label selector used to identify postgres pod for executing migration | string | true |
 | admin_password_secret | Secret where the administrator password can be found | string | false |
 | postgres_configuration_secret | Secret where the database configuration can be found | string | true |
+| pulp_secret_key | Secret where the Django SECRET_KEY configuration can be found | string | false |
 | affinity | Affinity is a group of affinity scheduling rules. | *corev1.Affinity | false |
 
 [Back to Custom Resources](#custom-resources)
diff --git a/controllers/backup/controller.go b/controllers/backup/controller.go
@@ -28,7 +28,6 @@ import (
 	v1 "k8s.io/apimachinery/pkg/api/meta"
 	"k8s.io/apimachinery/pkg/api/resource"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/client-go/rest"
diff --git a/controllers/backup/secret.go b/controllers/backup/secret.go
@@ -47,11 +47,18 @@ func (r *RepoManagerBackupReconciler) backupSecret(ctx context.Context, pulpBack
 		return err
 	}
 
+	pulpSecretKey := getPulpSecretKey(ctx, pulpBackup)
 	adminPasswordSecret := getAdminPasswordSecret(ctx, pulpBackup)
 	postgresCfgSecret := getPostgresCfgSecret(ctx, pulpBackup)
 	dbFieldsEncryption := getDBFieldsEncryption(ctx, pulpBackup, pulp)
 	containerTokenSecret := getContainerTokenSecret(ctx, pulpBackup, pulp)
 
+	// PULP-SECRET-KEY
+	if err := r.createBackupFile(ctx, secretType{"pulp_secret_key", pulpBackup, backupDir, "pulp_secret_key.yaml", pulpSecretKey, pod}); err != nil {
+		return err
+	}
+	log.Info("PulpSecretKey secret backup finished")
+
 	// pulp-admin and pulp-postgres-configuration secrets will not be stored in secret.yaml file like in pulp-operator
 	// we are splitting them in admin_secret.yaml and postgres_configuration.yaml files
 	// PULP-ADMIN SECRET
diff --git a/controllers/backup/utils.go b/controllers/backup/utils.go
@@ -56,6 +56,16 @@ func getAdminPasswordSecret(ctx context.Context, pulpBackup *repomanagerpulpproj
 	return adminPasswordSecret
 }
 
+// getPulpSecretKey returns the pulp_secret_key if provided, if not will return
+// the default one based on deployment_name
+func getPulpSecretKey(ctx context.Context, pulpBackup *repomanagerpulpprojectorgv1beta2.PulpBackup) string {
+	adminPasswordSecret := pulpBackup.Spec.PulpSecretKey
+	if len(adminPasswordSecret) == 0 {
+		adminPasswordSecret = getDeploymentName(ctx, pulpBackup) + "-secret-key"
+	}
+	return adminPasswordSecret
+}
+
 // getBackupPVC returns the backup_pvc if provided, if not will return the default one based
 // on deployment_name
 func getBackupPVC(ctx context.Context, pulpBackup *repomanagerpulpprojectorgv1beta2.PulpBackup) string {
diff --git a/controllers/repo_manager/README.md b/controllers/repo_manager/README.md
@@ -229,6 +229,7 @@ PulpSpec defines the desired state of Pulp
 | ee_defaults | Name of the ConfigMap with the list of Execution Environments that should be synchronized. Default: ee-default-images | string | false |
 | admin_password_job | Job to reset pulp admin password | [PulpJob](#pulpjob) | false |
 | migration_job | Job to run django migrations | [PulpJob](#pulpjob) | false |
+| pulp_secret_key | Name of the Secret to provide Django cryptographic signing. Default: \"pulp-secret-key\" | string | false |
 | image_pull_secret | [DEPRECATED] Temporarily adding to keep compatibility with ansible version. Image pull secret for container images. Default: \"\" | string | false |
 | affinity | [DEPRECATED] Temporarily adding to keep compatibility with ansible version. Affinity is a group of affinity scheduling rules. | *[Affinity](#affinity) | false |
 | redis_image | [DEPRECATED] Temporarily adding to keep compatibility with ansible version. The image name for the redis image. Default: \"redis:latest\" | string | false |
@@ -284,6 +285,7 @@ PulpStatus defines the observed state of Pulp
 | admin_password_secret | Secret where the administrator password can be found | string | false |
 | external_cache_secret | Name of the secret with the parameters to connect to an external Redis cluster | string | false |
 | telemetry_enabled | Pulp metrics collection enabled | bool | false |
+| pulp_secret_key | Name of the Secret to provide Django cryptographic signing. | string | false |
 | storagePersistentVolumeClaim | [DEPRECATED] Temporarily adding to keep compatibility with ansible version. | string | false |
 | webURL |  | string | false |
 | databaseConfigurationSecret |  | string | false |
diff --git a/controllers/repo_manager/api.go b/controllers/repo_manager/api.go
@@ -86,6 +86,22 @@ func (r *RepoManagerReconciler) pulpApiController(ctx context.Context, pulp *rep
 	if len(pulp.Spec.AdminPasswordSecret) > 1 {
 		adminSecretName = pulp.Spec.AdminPasswordSecret
 	}
+	// update pulp CR admin-password secret with default name
+	if err := controllers.UpdateCRField(ctx, r.Client, pulp, "AdminPasswordSecret", adminSecretName); err != nil {
+		return ctrl.Result{}, err
+	}
+
+	// if .spec.pulp_secret_key is not defined, operator will default to "pulp-secret-key"
+	djangoKey := pulp.Name + "-secret-key"
+	if len(pulp.Spec.PulpSecretKey) > 0 {
+		djangoKey = pulp.Spec.PulpSecretKey
+	}
+	// update pulp CR pulp_secret_key secret with default name
+	// we need to set this field "early" because it will be used to populate
+	// pulp-server-secret with its value
+	if err := controllers.UpdateCRField(ctx, r.Client, pulp, "PulpSecretKey", djangoKey); err != nil {
+		return ctrl.Result{}, err
+	}
 
 	// update pulp CR with container_token_secret secret value
 	if len(pulp.Spec.ContainerTokenSecret) == 0 {
@@ -99,6 +115,8 @@ func (r *RepoManagerReconciler) pulpApiController(ctx context.Context, pulp *rep
 
 	// list of pulp-api resources that should be provisioned
 	resources := []ApiResource{
+		// pulp-secret-key secret
+		{ResourceDefinition{ctx, &corev1.Secret{}, djangoKey, "PulpSecretKey", conditionType, pulp}, pulpDjangoKeySecret},
 		// pulp-server secret
 		{Definition: ResourceDefinition{Context: ctx, Type: &corev1.Secret{}, Name: pulp.Name + "-server", Alias: "Server", ConditionType: conditionType, Pulp: pulp}, Function: pulpServerSecret},
 		// pulp-db-fields-encryption secret
@@ -132,11 +150,6 @@ func (r *RepoManagerReconciler) pulpApiController(ctx context.Context, pulp *rep
 		}
 	}
 
-	// update pulp CR admin-password secret with default name
-	if err := controllers.UpdateCRField(ctx, r.Client, pulp, "AdminPasswordSecret", pulp.Name+"-admin-password"); err != nil {
-		return ctrl.Result{}, err
-	}
-
 	// Ensure the deployment spec is as expected
 	apiDeployment := &appsv1.Deployment{}
 	r.Get(ctx, types.NamespacedName{Name: pulp.Name + "-api", Namespace: pulp.Namespace}, apiDeployment)
@@ -419,6 +432,12 @@ MEDIA_ROOT = ""
 	}
 	pulp_settings = pulp_settings + fmt.Sprintln("TOKEN_SERVER = \""+tokenServer+"\"")
 
+	if secretKey, err := loadDjangoKey(resources); err != nil {
+		return &corev1.Secret{}
+	} else {
+		pulp_settings = pulp_settings + fmt.Sprintln("SECRET_KEY = \""+secretKey+"\"")
+	}
+
 	// add custom settings to the secret
 	pulp_settings = addCustomPulpSettings(pulp, pulp_settings)
 
@@ -452,13 +471,13 @@ func pulpDBFieldsEncryptionSecret(resources controllers.FunctionResources) clien
 	return sec
 }
 
-// pulp-admin-passowrd
+// pulp-admin-password
 func pulpAdminPasswordSecret(resources controllers.FunctionResources) client.Object {
 
 	pulp := resources.Pulp
 	sec := &corev1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
-			Name:      pulp.Name + "-admin-password",
+			Name:      pulp.Spec.AdminPasswordSecret,
 			Namespace: pulp.Namespace,
 		},
 		StringData: map[string]string{
@@ -470,6 +489,22 @@ func pulpAdminPasswordSecret(resources controllers.FunctionResources) client.Obj
 	return sec
 }
 
+// pulpDjangoKeySecret defines the Secret with the pulp-secret-key
+func pulpDjangoKeySecret(resources controllers.FunctionResources) client.Object {
+	pulp := resources.Pulp
+	sec := &corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      pulp.Spec.PulpSecretKey,
+			Namespace: pulp.Namespace,
+		},
+		StringData: map[string]string{
+			"secret_key": djangoKey(),
+		},
+	}
+	ctrl.SetControllerReference(pulp, sec, resources.Scheme)
+	return sec
+}
+
 // pulp-container-auth
 func pulpContainerAuth(resources controllers.FunctionResources) client.Object {
 	pulp := resources.Pulp
@@ -554,3 +589,16 @@ func storageClassProvided(pulp *repomanagerpulpprojectorgv1beta2.Pulp) bool {
 	_, storageType := controllers.MultiStorageConfigured(pulp, "Pulp")
 	return storageType[0] == controllers.SCNameType
 }
+
+// loadDjangoKey retrieves the django SECRET_KEY from the k8s Secret
+func loadDjangoKey(resources controllers.FunctionResources) (string, error) {
+	pulp := resources.Pulp
+	djangoKey := pulp.Spec.PulpSecretKey
+	resources.Logger.V(1).Info("Retrieving the data from "+pulp.Spec.PulpSecretKey+" Secret", "Secret.Namespace", pulp.Namespace, "Secret.Name", djangoKey)
+	secretKey, err := controllers.RetrieveSecretData(resources.Context, djangoKey, pulp.Namespace, true, resources.Client, "secret_key")
+	if err != nil {
+		resources.Logger.Error(err, "Secret Not Found!", "Secret.Namespace", pulp.Namespace, "Secret.Name", djangoKey)
+		return "", err
+	}
+	return secretKey["secret_key"], nil
+}
diff --git a/controllers/repo_manager/controller.go b/controllers/repo_manager/controller.go
@@ -239,7 +239,7 @@ func indexerFunc(obj client.Object) []string {
 	pulp := obj.(*repomanagerpulpprojectorgv1beta2.Pulp)
 	var keys []string
 
-	secrets := []string{"ObjectStorageAzureSecret", "ObjectStorageS3Secret", "SSOSecret", "AdminPasswordSecret"}
+	secrets := []string{"ObjectStorageAzureSecret", "ObjectStorageS3Secret", "SSOSecret", "AdminPasswordSecret", "PulpSecretKey"}
 	for _, secretField := range secrets {
 		structField := reflect.Indirect(reflect.ValueOf(pulp)).FieldByName("Spec").FieldByName(secretField).String()
 		if structField != "" {
diff --git a/controllers/repo_manager/precheck.go b/controllers/repo_manager/precheck.go
@@ -185,6 +185,7 @@ func checkImmutableFields(ctx context.Context, r *RepoManagerReconciler, pulp *r
 		{FieldName: "ContainerTokenSecret", FieldPath: repomanagerpulpprojectorgv1beta2.PulpSpec{}},
 		{FieldName: "AdminPasswordSecret", FieldPath: repomanagerpulpprojectorgv1beta2.PulpSpec{}},
 		{FieldName: "ExternalCacheSecret", FieldPath: repomanagerpulpprojectorgv1beta2.Cache{}},
+		{FieldName: "PulpSecretKey", FieldPath: repomanagerpulpprojectorgv1beta2.PulpSpec{}},
 	}
 	for _, field := range immutableFields {
 		// if tried to modify an immutable field we should trigger a reconcile loop
diff --git a/controllers/repo_manager/status.go b/controllers/repo_manager/status.go
@@ -239,6 +239,18 @@ func (r *RepoManagerReconciler) pulpStatus(ctx context.Context, pulp *repomanage
 		r.Status().Update(ctx, pulp)
 	}
 
+	// we will only set .status.pulp_secret_key in the first execution (len==0)
+	// and we'll set with the value from pulp.spec.pulp_secret_key if defined
+	if len(pulp.Status.PulpSecretKey) == 0 && len(pulp.Spec.PulpSecretKey) > 0 {
+		pulp.Status.PulpSecretKey = pulp.Spec.PulpSecretKey
+		r.Status().Update(ctx, pulp)
+
+		// if pulp.spec.pulp_secret_key is not defined we should set .status with the default value
+	} else if len(pulp.Status.PulpSecretKey) == 0 && len(pulp.Spec.PulpSecretKey) == 0 {
+		pulp.Status.PulpSecretKey = "pulp-secret-key"
+		r.Status().Update(ctx, pulp)
+	}
+
 	return ctrl.Result{}, nil
 }
 
diff --git a/controllers/repo_manager/utils.go b/controllers/repo_manager/utils.go
@@ -58,6 +58,16 @@ func createPwd(pwdSize int) string {
 	return string(pwd)
 }
 
+// Generate a random string to use as a django SECRET_KEY
+func djangoKey() string {
+	const chars = "abcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*(-_=+)"
+	pwd := make([]byte, 50)
+	for i := range pwd {
+		pwd[i] = chars[rand.Intn(len(chars))]
+	}
+	return string(pwd)
+}
+
 // sortKeys will return an ordered slice of strings defined with the keys from a.
 // It is used to make sure that custom settings from pulp-server secret
 // will be built in the same order and avoiding issues when verifying if its
diff --git a/controllers/restore/secret.go b/controllers/restore/secret.go
diff --git a/docs/configuring/secrets.md b/docs/configuring/secrets.md
diff --git a/main.go b/main.go

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	+Added the `pulp_secret_key` field to set the Django `SECRET_KEY`.