Merge branch '1142-validate-passwords-in-flux-env' into 'main'

Resolve "Validate passwords in .flux.env"

Closes #1142

See merge request stackspin/stackspin!931

docs/installation/install_stackspin.rst

@@ -21,8 +21,10 @@ Configuration
 
 Copy the file ``install/.flux.env.example`` to your cluster dir
 ``clusters/stackspin.example.org/.flux.env``. This file contains the last bit of
-information you need to configure.  Make sure not to put any quotes around your
-values, because that can make the resulting yaml files invalid.
+information you need to configure. Make sure not to put any quotes around your
+values, because that can make the resulting yaml files invalid. Also, using a
+dollar sign ``$`` or double quote ``"`` may lead to problems, so please avoid
+using those characters in the values.
 
 Cluster information
 ~~~~~~~~~~~~~~~~~~~

install/generate_secrets.py

@@ -8,9 +8,14 @@ password as well as a htpasswd encoded version of it.
 See https://open.greenhost.net/stackspin/stackspin/-/issues/891 for the
 context why we use this script and not a helm chart to generate secrets.
 
-usage: python generate_secrets.py template_filename.j2
+usage: `python generate_secrets.py $appName`
+
+As a special case, `python generate_secrets.py stackspin` will check that the
+`stackspin-cluster-variables` secret exists and that its values do not contain
+problematic characters.
 """
 
+import base64
 import crypt
 import os
 import secrets
@@ -47,14 +52,34 @@ def main():
         sys.exit(1)
     app_name = sys.argv[1]
 
-    # Create app variables secret
-    create_variables_secret(
-        app_name, f"stackspin-{app_name}-variables.yaml.jinja", env)
-    # Create a secret that contains the oauth variables for Hydra Maester
-    if app_name not in APPS_WITHOUT_OAUTH:
+    if app_name == "stackspin":
+        # This is a special case: we don't generate new secrets, but verify the
+        # validity of the cluster variables (populated from .flux.env).
+        verify_cluster_variables()
+    else:
+        # Create app variables secret
         create_variables_secret(
-            app_name, "stackspin-oauth-variables.yaml.jinja", env)
-    create_basic_auth_secret(app_name, env)
+            app_name, f"stackspin-{app_name}-variables.yaml.jinja", env)
+        # Create a secret that contains the oauth variables for Hydra Maester
+        if app_name not in APPS_WITHOUT_OAUTH:
+            create_variables_secret(
+                app_name, "stackspin-oauth-variables.yaml.jinja", env)
+        create_basic_auth_secret(app_name, env)
+
+
+def verify_cluster_variables():
+    data = get_kubernetes_secret_data("stackspin-cluster-variables", "flux-system")
+    if data is None:
+       raise Exception("Secret stackspin-cluster-variables was not found.")
+    message = "In secret stackspin-cluster-variables, key {}, the character {}" \
+        " was used which will probably lead to problems, so aborting." \
+        " You can update the value by using `kubectl edit secret -n" \
+        " flux-system stackspin-cluster-variables`."
+    for key, value in data.items():
+        decoded_value = base64.b64decode(value).decode("ascii")
+        for character in ["\"", "$"]:
+            if character in decoded_value:
+                raise Exception(message.format(key, character))
 
 
 def get_templates_dir():

install/install-stackspin.sh

@@ -5,6 +5,9 @@ set -euo pipefail
 # shellcheck source=install/flux-version-check.sh
 . "$(dirname "$0")/flux-version-check.sh"
 
+# Verify validity of cluster variables.
+python "$(dirname "$0")/generate_secrets.py" stackspin
+
 # Check if stackspin-cluster-variables secret exists
 smtp_password=$(kubectl get secret -n flux-system stackspin-cluster-variables --template '{{.data.outgoing_mail_smtp_password}}' | base64 -d)
 smtp_password_urlencoded=$(python -c "import urllib.parse; print(urllib.parse.quote('${smtp_password}', safe=''), end='')" | base64 -w0)