ci: Adjust secrets in values.yaml (#7288)

* ci: Require secrets, even in "development"

* ci: More secrets-requiring

* ci: Strip whitespace out before b64 decoding

* ci: Adjust values.yaml

* ci: Comment in values.yaml

helm/settings_local.py

@@ -9,6 +9,11 @@ from ietf import __release_hash__
 from ietf.settings import *                                          # pyflakes:ignore
 
 
+def _remove_whitespace_and_b64decode(s):
+    """Helper to strip out whitespace and base64 decode"""
+    return b64decode("".join(s.split()))
+
+
 # Default to "development". Production _must_ set DATATRACKER_SERVER_MODE="production" in the env!
 SERVER_MODE = os.environ.get("DATATRACKER_SERVER_MODE", "development")
 
@@ -16,56 +21,56 @@ SERVER_MODE = os.environ.get("DATATRACKER_SERVER_MODE", "development")
 _SECRET_KEY = os.environ.get("DATATRACKER_DJANGO_SECRET_KEY", None)
 if _SECRET_KEY is not None:
     SECRET_KEY = _SECRET_KEY
-elif SERVER_MODE == "production":
+else:
-    raise RuntimeError("DATATRACKER_DJANGO_SECRET_KEY must be set in production")    
+    raise RuntimeError("DATATRACKER_DJANGO_SECRET_KEY must be set")    
 
 _NOMCOM_APP_SECRET_B64 = os.environ.get("DATATRACKER_NOMCOM_APP_SECRET_B64", None)
 if _NOMCOM_APP_SECRET_B64 is not None:
-    NOMCOM_APP_SECRET = b64decode(_NOMCOM_APP_SECRET_B64)
+    NOMCOM_APP_SECRET = _remove_whitespace_and_b64decode(_NOMCOM_APP_SECRET_B64)
-elif SERVER_MODE == "production":
+else:
-    raise RuntimeError("DATATRACKER_NOMCOM_APP_SECRET_B64 must be set in production")
+    raise RuntimeError("DATATRACKER_NOMCOM_APP_SECRET_B64 must be set")
 
 _IANA_SYNC_PASSWORD = os.environ.get("DATATRACKER_IANA_SYNC_PASSWORD", None)
 if _IANA_SYNC_PASSWORD is not None:
     IANA_SYNC_PASSWORD = _IANA_SYNC_PASSWORD
-elif SERVER_MODE == "production":
+else:
-    raise RuntimeError("DATATRACKER_IANA_SYNC_PASSWORD must be set in production")    
+    raise RuntimeError("DATATRACKER_IANA_SYNC_PASSWORD must be set")    
 
 _RFC_EDITOR_SYNC_PASSWORD = os.environ.get("DATATRACKER_RFC_EDITOR_SYNC_PASSWORD", None)
 if _RFC_EDITOR_SYNC_PASSWORD is not None:
     RFC_EDITOR_SYNC_PASSWORD = os.environ.get("DATATRACKER_RFC_EDITOR_SYNC_PASSWORD")
-elif SERVER_MODE == "production":
+else:
-    raise RuntimeError("DATATRACKER_RFC_EDITOR_SYNC_PASSWORD must be set in production")
+    raise RuntimeError("DATATRACKER_RFC_EDITOR_SYNC_PASSWORD must be set")
 
 _YOUTUBE_API_KEY = os.environ.get("DATATRACKER_YOUTUBE_API_KEY", None)
 if _YOUTUBE_API_KEY is not None:
     YOUTUBE_API_KEY = _YOUTUBE_API_KEY
-elif SERVER_MODE == "production":
+else:
-    raise RuntimeError("DATATRACKER_YOUTUBE_API_KEY must be set in production")
+    raise RuntimeError("DATATRACKER_YOUTUBE_API_KEY must be set")
 
 _GITHUB_BACKUP_API_KEY = os.environ.get("DATATRACKER_GITHUB_BACKUP_API_KEY", None)
 if _GITHUB_BACKUP_API_KEY is not None:
     GITHUB_BACKUP_API_KEY = _GITHUB_BACKUP_API_KEY
-elif SERVER_MODE == "production":
+else:
-    raise RuntimeError("DATATRACKER_GITHUB_BACKUP_API_KEY must be set in production")    
+    raise RuntimeError("DATATRACKER_GITHUB_BACKUP_API_KEY must be set")    
 
 _API_KEY_TYPE = os.environ.get("DATATRACKER_API_KEY_TYPE", None)
 if _API_KEY_TYPE is not None:
     API_KEY_TYPE = _API_KEY_TYPE
-elif SERVER_MODE == "production":
+else:
-    raise RuntimeError("DATATRACKER_API_KEY_TYPE must be set in production")    
+    raise RuntimeError("DATATRACKER_API_KEY_TYPE must be set")    
 
 _API_PUBLIC_KEY_PEM_B64 = os.environ.get("DATATRACKER_API_PUBLIC_KEY_PEM_B64", None)
 if _API_PUBLIC_KEY_PEM_B64 is not None:
-    API_PUBLIC_KEY_PEM = b64decode(_API_PUBLIC_KEY_PEM_B64)
+    API_PUBLIC_KEY_PEM = _remove_whitespace_and_b64decode(_API_PUBLIC_KEY_PEM_B64)
-elif SERVER_MODE == "production":
+else:
-    raise RuntimeError("DATATRACKER_API_PUBLIC_KEY_PEM_B64 must be set in production")    
+    raise RuntimeError("DATATRACKER_API_PUBLIC_KEY_PEM_B64 must be set")    
 
 _API_PRIVATE_KEY_PEM_B64 = os.environ.get("DATATRACKER_API_PRIVATE_KEY_PEM_B64", None)
 if _API_PRIVATE_KEY_PEM_B64 is not None:
-    API_PRIVATE_KEY_PEM = b64decode(_API_PRIVATE_KEY_PEM_B64)
+    API_PRIVATE_KEY_PEM = _remove_whitespace_and_b64decode(_API_PRIVATE_KEY_PEM_B64)
-elif SERVER_MODE == "production":
+else:
-    raise RuntimeError("DATATRACKER_API_PRIVATE_KEY_PEM_B64 must be set in production")    
+    raise RuntimeError("DATATRACKER_API_PRIVATE_KEY_PEM_B64 must be set")    
 
 # Set DEBUG if DATATRACKER_DEBUG env var is the word "true"
 DEBUG = os.environ.get("DATATRACKER_DEBUG", "false").lower() == "true"
@@ -73,7 +78,7 @@ DEBUG = os.environ.get("DATATRACKER_DEBUG", "false").lower() == "true"
 # DATATRACKER_ALLOWED_HOSTS env var is a comma-separated list of allowed hosts
 _allowed_hosts_str = os.environ.get("DATATRACKER_ALLOWED_HOSTS", None)
 if _allowed_hosts_str is not None:
-    ALLOWED_HOSTS = [h.strip() for h in _allowed_hosts_str.split(",")]
+    ALLOWED_HOSTS = [h.strip() for h in _allowed_hosts_str.split("\n")]
 
 DATABASES = {
     "default": {
@@ -90,16 +95,19 @@ DATABASES = {
 _ADMINS = os.environ.get("DATATRACKER_ADMINS", None)
 if _ADMINS is not None:
     ADMINS = [parseaddr(admin) for admin in _ADMINS.split("\n")]
-elif SERVER_MODE == "production":
+else:
-    raise RuntimeError("DATATRACKER_ADMINS must be set in production")    
+    raise RuntimeError("DATATRACKER_ADMINS must be set")    
 
 USING_DEBUG_EMAIL_SERVER = os.environ.get("DATATRACKER_EMAIL_DEBUG", "false").lower() == "true"
 EMAIL_HOST = os.environ.get("DATATRACKER_EMAIL_HOST", "localhost")
 EMAIL_PORT = int(os.environ.get("DATATRACKER_EMAIL_PORT", "2025"))
 
+_celery_password = os.environ.get("CELERY_PASSWORD", None)
+if _celery_password is None:
+    raise RuntimeError("CELERY_PASSWORD must be set")
 CELERY_BROKER_URL = "amqp://datatracker:{password}@{host}/{queue}".format(
     host=os.environ.get("RABBITMQ_HOSTNAME", "rabbitmq"),
-    password=os.environ.get("CELERY_PASSWORD", ""),
+    password=_celery_password,
     queue=os.environ.get("RABBITMQ_QUEUE", "dt")
 )
 

helm/values.yaml

@@ -582,36 +582,62 @@ autoscaling:
 
 env:
   # n.b., these are debug values / non-secret secrets
-  DATATRACKER_SERVER_MODE: "development"  # defaults to "production"
+  DATATRACKER_SERVER_MODE: "development"  # development for staging, production for production
   DATATRACKER_ADMINS: |-
     Robert Sparks <rjsparks@nostrum.com>
     Ryan Cross <rcross@amsl.com>
     Kesara Rathnayake <kesara@staff.ietf.org>
     Jennifer Richards <jennifer@staff.ietf.org>
     Nicolas Giard <nick@staff.ietf.org>
-  DATATRACKER_ALLOWED_HOSTS: "*"  # empty for production
+  DATATRACKER_ALLOWED_HOSTS: ".ietf.org"  # newline-separated list also allowed
   # DATATRACKER_DATATRACKER_DEBUG: "false"
+  
+  # DB access details - needs to be filled in
   # DATATRACKER_DBHOST: "db"
   # DATATRACKER_DBPORT: "5432"
   # DATATRACKER_DBNAME: "datatracker"
-  # DATATRACKER_DBUSER: "django"
+  # DATATRACKER_DBUSER: "django"  # secret
-  DATATRACKER_DBPASS: "RkTkDPFnKpko"
+  # DATATRACKER_DBPASS: "RkTkDPFnKpko"  # secret
-  DATATRACKER_DJANGO_SECRET_KEY: "PDwXboUq!=hPjnrtG2=ge#N$Dwy+wn@uivrugwpic8mxyPfHk"
+  
-  DATATRACKER_EMAIL_DEBUG: "true"
+  DATATRACKER_DJANGO_SECRET_KEY: "PDwXboUq!=hPjnrtG2=ge#N$Dwy+wn@uivrugwpic8mxyPfHk"  # secret
-  DATATRACKER_EMAIL_HOST: "localhost"
+
-  DATATRACKER_EMAIL_PORT: "2025"
+  # DATATRACKER_EMAIL_DEBUG: "true"
-  # DATATRACKER_NOMCOM_APP_SECRET_B64: "<base64-encoded bytes>"
+  
-  DATATRACKER_IANA_SYNC_PASSWORD: "this-is-the-iana-sync-password"
+  # Outgoing email details
-  DATATRACKER_RFC_EDITOR_SYNC_PASSWORD: "this-is-the-rfc-editor-sync-password"
+  # DATATRACKER_EMAIL_HOST: "localhost"  # defaults to localhost
-  DATATRACKER_YOUTUBE_API_KEY: "this-is-the-youtube-api-key"
+  # DATATRACKER_EMAIL_PORT: "2025"  # defaults to 2025
-  DATATRACKER_GITHUB_BACKUP_API_KEY: "this-is-the-github-backup-api-key"
+
-  # DATATRACKER_API_KEY_TYPE: "ES265"
+  # The value here is the default from settings.py (i.e., not actually secret)
-  # DATATRACKER_API_PUBLIC_KEY_PEM_B64: "<base64-encoded PEM"
+  DATATRACKER_NOMCOM_APP_SECRET_B64: "m9pzMezVoFNJfsvU9XSZxGnXnwup6P5ZgCQeEnROOoQ="  # secret
-  # DATATRACKER_API_PRIVATE_KEY_PEM_B64: "<base64-encoded PEM"
+
+  DATATRACKER_IANA_SYNC_PASSWORD: "this-is-the-iana-sync-password"  # secret
+  DATATRACKER_RFC_EDITOR_SYNC_PASSWORD: "this-is-the-rfc-editor-sync-password"  # secret
+  DATATRACKER_YOUTUBE_API_KEY: "this-is-the-youtube-api-key"  # secret
+  DATATRACKER_GITHUB_BACKUP_API_KEY: "this-is-the-github-backup-api-key"  # secret
+
+  # API key configuration
+  DATATRACKER_API_KEY_TYPE: "ES265"
+  # secret - value here is the default from settings.py (i.e., not actually secret)
+  DATATRACKER_API_PUBLIC_KEY_PEM_B64: |-
+    Ci0tLS0tQkVHSU4gUFVCTElDIEtFWS0tLS0tCk1Ga3dFd1lIS29aSXpqMENBUVlJS
+    29aSXpqMERBUWNEUWdBRXFWb2pzYW9mREpTY3VNSk4rdHNodW15Tk01TUUKZ2Fyel
+    ZQcWtWb3ZtRjZ5RTdJSi9kdjRGY1YrUUtDdEovck9TOGUzNlk4WkFFVll1dWtoZXM
+    weVoxdz09Ci0tLS0tRU5EIFBVQkxJQyBLRVktLS0tLQo=
+  # secret - value here is the default from settings.py (i.e., not actually secret)
+  DATATRACKER_API_PRIVATE_KEY_PEM_B64: |- 
+    Ci0tLS0tQkVHSU4gUFJJVkFURSBLRVktLS0tLQpNSUdIQWdFQU1CTUdCeXFHU000O
+    UFnRUdDQ3FHU000OUF3RUhCRzB3YXdJQkFRUWdvSTZMSmtvcEtxOFhySGk5ClFxR1
+    F2RTRBODNURllqcUx6KzhnVUxZZWNzcWhSQU5DQUFTcFdpT3hxaDhNbEp5NHdrMzY
+    yeUc2Ykkwemt3U0IKcXZOVStxUldpK1lYcklUc2duOTIvZ1Z4WDVBb0swbitzNUx4
+    N2ZwanhrQVJWaTY2U0Y2elRKblgKLS0tLS1FTkQgUFJJVkFURSBLRVktLS0tLQo=
+
   # DATATRACKER_MEETECHO_API_BASE: "https://meetings.conf.meetecho.com/api/v1/"
-  DATATRACKER_MEETECHO_CLIENT_ID: "this-is-the-meetecho-client-id"
+  DATATRACKER_MEETECHO_CLIENT_ID: "this-is-the-meetecho-client-id"  # secret
-  DATATRACKER_MEETECHO_CLIENT_SECRET: "this-is-the-meetecho-client-secret"
+  DATATRACKER_MEETECHO_CLIENT_SECRET: "this-is-the-meetecho-client-secret"  # secret
+
   # DATATRACKER_MATOMO_SITE_ID: "7"  # must be present to enable Matomo
   # DATATRACKER_MATOMO_DOMAIN_PATH: "analytics.ietf.org"
-  CELERY_PASSWORD: "this-is-a-secret"
+
-  # DATATRACKER_APP_API_TOKENS_JSON: "<JSON blob>" 
+  CELERY_PASSWORD: "this-is-a-secret"  # secret
+
+  DATATRACKER_APP_API_TOKENS_JSON: "{}"  # secret