Project Quay: PROJQUAY-6787

fix some issues around secrets handling


      Hi team,

      What

      I noticed that the current config.yaml.j2 contains some hard-coded secrets, and confirmed in an internal environment that they were unchanged as part of the mirror-registry deployment process.

      Why

      I believe users of mirror-registry will want unique passwords & secrets, most importantly the CSRF SECRET_KEY since that has significant implications on session hijacking.

      How

      1. Add new task secret-vars.yaml that will generate random strings using the already imported community.general.random_string library.
      2. Export those secrets as facts
      3. Update the config.yaml.j2 to use those facts as part of deployment
      4. Update install-postgres-service.yaml and install-redis-service.yaml to create podman secrets using the facts
      5. Update postgres.service.j2 and redis.service.j2 to utilize the secrets created

      This will not impact upgrades, only initial deployments.

      I've done the DCO sign-off and believe this PR is ready to merge; however, I'm happy to update/modify based on feedback from this team.

      Cheers,

      -BadgerOps

              robryan@redhat.com Ross Bryan (Inactive)
              doconnor@redhat.com Dave O'Connor
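
A sketch of what steps 1, 2 and 4 of the description could look like as an Ansible task file. This is an added example, not code from the PR or from mirror-registry: the fact names, secret names and the `quay_config_dir` variable are hypothetical, and the use of the `containers.podman.podman_secret` module (rather than the podman CLI) is an assumption.

```yaml
# secret-vars.yaml (illustrative; variable, path and secret names are hypothetical)

- name: Check whether a rendered Quay config already exists (upgrade case)
  ansible.builtin.stat:
    path: "{{ quay_config_dir }}/config.yaml"   # hypothetical variable
  register: existing_config

# set_fact evaluates each lookup once and stores the result, so every later
# template and task sees the same value. Declaring these under `vars:` instead
# would re-run the lookup on each reference and produce mismatched secrets.
- name: Generate per-install secrets on first deployment only
  ansible.builtin.set_fact:
    # Alphanumeric only, so the values need no escaping in YAML, unit files
    # or connection URIs; length makes up for the smaller alphabet.
    quay_secret_key: "{{ lookup('community.general.random_string', length=64, special=false) }}"
    pg_password: "{{ lookup('community.general.random_string', length=32, special=false) }}"
    redis_password: "{{ lookup('community.general.random_string', length=32, special=false) }}"
  when: not existing_config.stat.exists
  no_log: true   # keep generated values out of task output and logs

- name: Store the database and cache passwords as podman secrets
  containers.podman.podman_secret:
    name: "{{ item.name }}"
    data: "{{ item.data }}"
    skip_existing: true   # never overwrite a secret from an earlier install
  loop:
    - { name: quay_pg_password, data: "{{ pg_password }}" }
    - { name: quay_redis_password, data: "{{ redis_password }}" }
  when: not existing_config.stat.exists
  no_log: true

# config.yaml.j2 then references the fact instead of a literal, for example:
#   SECRET_KEY: "{{ quay_secret_key }}"
```

The `when` guard on an existing config is one way to match the stated behaviour that upgrades are left untouched and only initial deployments receive new values.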