  1. Project Quay
  2. PROJQUAY-6787

fix some issues around secrets handling


      Hi team,

      What

      I noticed that the current config.yaml.j2 contains some hard-coded secrets, and confirmed in an internal environment that they were unchanged as part of the mirror-registry deployment process.

      Why

      I believe users of mirror-registry will want unique passwords & secrets, most importantly the CSRF SECRET_KEY since that has significant implications on session hijacking.

      How

      1. Add new task secret-vars.yaml that will generate random strings using the already imported community.general.random_string library.
      2. Export those secrets as facts
      3. Update the config.yaml.j2 to use those facts as part of deployment
      4. Update install-postgres-service.yaml and install-redis-service.yaml to create podman secrets using the facts
      5. Update postgres.service.j2 and redis.service.j2 to utilize the secrets created

      This will not impact upgrades, only initial deployments.

      I've done the DCO sign-off and believe this PR is ready to merge; however, I'm happy to update/modify based on feedback from this team.

      Cheers,

      -BadgerOps
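
A sketch of the five steps listed under "How", added here as an illustration; it is not the code from the PR. The variable names, secret names, string lengths and the `POSTGRESQL_PASSWORD` target are assumptions, while the file names, `SECRET_KEY` and `community.general.random_string` come from the description above.

```yaml
# Added example: variable names, secret names and lengths are assumptions.
# --- secret-vars.yaml (steps 1 and 2) ---
# set_fact evaluates the lookup once and stores the result, so every later
# template and task sees the same value. A plain var holding the lookup
# would be re-evaluated, and re-randomized, on each use.
# special=false keeps the strings free of characters that need quoting.
- name: Generate per-deployment secrets and export them as facts
  ansible.builtin.set_fact:
    quay_secret_key: "{{ lookup('community.general.random_string', length=48, special=false) }}"
    pgdb_password: "{{ lookup('community.general.random_string', length=32, special=false) }}"
    redis_password: "{{ lookup('community.general.random_string', length=32, special=false) }}"
  no_log: true  # keep generated values out of task output and logs

# --- install-postgres-service.yaml (step 4) ---
# The value goes in on stdin, so it never appears in the process arguments.
# `podman secret create` fails if the name already exists, which matches
# the initial-deployment-only scope.
- name: Store the Postgres password as a podman secret
  ansible.builtin.command:
    cmd: podman secret create pgdb_password -
    stdin: "{{ pgdb_password }}"
    stdin_add_newline: false
  no_log: true

# --- config.yaml.j2 (step 3), shown as a comment because it is a template ---
#   SECRET_KEY: "{{ quay_secret_key }}"
#
# --- postgres.service.j2 (step 5), inside the podman run command ---
#   --secret pgdb_password,type=env,target=POSTGRESQL_PASSWORD
# (the target variable name is an assumption; use the one the image reads)
```

The Redis service would follow the same pattern with its own secret name.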

            robryan@redhat.com Ross Bryan
            doconnor@redhat.com Dave O'Connor