Commit e6136b57 authored by Maarten de Waard's avatar Maarten de Waard

Merge branch '1142-validate-passwords-in-flux-env' into 'main'

Resolve "Validate passwords in .flux.env"

Closes #1142

See merge request stackspin/stackspin!931
parents 129ccdce 8be624cd
......@@ -21,8 +21,10 @@ Configuration
Copy the file ``install/.flux.env.example`` to your cluster dir
``clusters/stackspin.example.org/.flux.env``. This file contains the last bit of
information you need to configure. Make sure not to put any quotes around your
values, because that can make the resulting yaml files invalid.
information you need to configure. Make sure not to put any quotes around your
values, because that can make the resulting yaml files invalid. Also, using a
dollar sign ``$`` or double quote ``"`` may lead to problems, so please avoid
using those characters in the values.
Cluster information
~~~~~~~~~~~~~~~~~~~
......@@ -8,9 +8,14 @@ password as well as a htpasswd encoded version of it.
See https://open.greenhost.net/stackspin/stackspin/-/issues/891 for the
context why we use this script and not a helm chart to generate secrets.
usage: python generate_secrets.py template_filename.j2
usage: `python generate_secrets.py $appName`
As a special case, `python generate_secrets.py stackspin` will check that the
`stackspin-cluster-variables` secret exists and that its values do not contain
problematic characters.
"""
import base64
import crypt
import os
import secrets
......@@ -47,14 +52,34 @@ def main():
sys.exit(1)
app_name = sys.argv[1]
# Create app variables secret
create_variables_secret(
app_name, f"stackspin-{app_name}-variables.yaml.jinja", env)
# Create a secret that contains the oauth variables for Hydra Maester
if app_name not in APPS_WITHOUT_OAUTH:
if app_name == "stackspin":
# This is a special case: we don't generate new secrets, but verify the
# validity of the cluster variables (populated from .flux.env).
verify_cluster_variables()
else:
# Create app variables secret
create_variables_secret(
app_name, "stackspin-oauth-variables.yaml.jinja", env)
create_basic_auth_secret(app_name, env)
app_name, f"stackspin-{app_name}-variables.yaml.jinja", env)
# Create a secret that contains the oauth variables for Hydra Maester
if app_name not in APPS_WITHOUT_OAUTH:
create_variables_secret(
app_name, "stackspin-oauth-variables.yaml.jinja", env)
create_basic_auth_secret(app_name, env)
def verify_cluster_variables():
data = get_kubernetes_secret_data("stackspin-cluster-variables", "flux-system")
if data is None:
raise Exception("Secret stackspin-cluster-variables was not found.")
message = "In secret stackspin-cluster-variables, key {}, the character {}" \
" was used which will probably lead to problems, so aborting." \
" You can update the value by using `kubectl edit secret -n" \
" flux-system stackspin-cluster-variables`."
for key, value in data.items():
decoded_value = base64.b64decode(value).decode("ascii")
for character in ["\"", "$"]:
if character in decoded_value:
raise Exception(message.format(key, character))
def get_templates_dir():
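Review bot: The character list in `verify_cluster_variables` (`["\"", "$"]`) omits the single quote, yet the only visible consumer of these values in this commit, the install script, splices the decoded SMTP password into a Python one-liner inside single quotes, so a `'` in a value passes this check and still breaks (or is executed by) that script; extend the loop to `for character in ["\"", "$", "'"]:` and mirror it in the `.flux.env` documentation. The `base64.b64decode(value).decode("ascii")` call will raise a bare `UnicodeDecodeError` on any non-ASCII byte instead of the friendly message built above it, so `.decode("utf-8")` (or scanning the raw bytes) is the safer choice. It is good that the error message names only the key and the offending character and never the secret value; keep it that way. `main` starts before this hunk and `get_templates_dir`'s body ends after it.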
......@@ -5,6 +5,9 @@ set -euo pipefail
# shellcheck source=install/flux-version-check.sh
. "$(dirname "$0")/flux-version-check.sh"
# Verify validity of cluster variables.
python "$(dirname "$0")/generate_secrets.py" stackspin
# Check if stackspin-cluster-variables secret exists
smtp_password=$(kubectl get secret -n flux-system stackspin-cluster-variables --template '{{.data.outgoing_mail_smtp_password}}' | base64 -d)
smtp_password_urlencoded=$(python -c "import urllib.parse; print(urllib.parse.quote('${smtp_password}', safe=''), end='')" | base64 -w0)
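Review bot: The new pre-check on the line `python "$(dirname "$0")/generate_secrets.py" stackspin` only rejects `"` and `$`, but the existing `python -c` line after it expands `${smtp_password}` directly into Python source inside single quotes, so a value containing `'` (or a trailing `\`) is still interpreted as code rather than data — a validation list is a weaker control than not interpolating at all. Passing the value through the environment removes the problem regardless of which characters the check covers: `smtp_password_urlencoded=$(SMTP_PASSWORD="$smtp_password" python -c "import os, urllib.parse; print(urllib.parse.quote(os.environ['SMTP_PASSWORD'], safe=''), end='')" | base64 -w0)`. With `set -euo pipefail` already in force, a non-zero exit from the validator aborts the script as intended, so no extra handling is needed around the new call. The surrounding script continues outside this hunk.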