swh/production: Align webapps secret keys and fallbacks
Since the migration to the swh-cassandra namespace, there is a secret key misalignment between the different webapps.
After this change, the webapps will use the same secret keys, with the former ones as fallbacks.
Related to swh/infra/sysadm-environment#5503 (closed)
helm diff
[swh] Comparing changes between branches production and swh-web-secret-keys (per environment)...
Your branch is up to date with 'origin/production'.
[swh] Generate config in production branch for environment staging, namespace swh...
[swh] Generate config in production branch for environment staging, namespace swh-cassandra...
[swh] Generate config in production branch for environment staging, namespace swh-cassandra-next-version...
[swh] Generate config in swh-web-secret-keys branch for environment staging...
[swh] Generate config in swh-web-secret-keys branch for environment staging...
[swh] Generate config in swh-web-secret-keys branch for environment staging...
Your branch is up to date with 'origin/production'.
[swh] Generate config in production branch for environment production, namespace swh...
[swh] Generate config in production branch for environment production, namespace swh-cassandra...
[swh] Generate config in production branch for environment production, namespace swh-cassandra-next-version...
[swh] Generate config in swh-web-secret-keys branch for environment production...
[swh] Generate config in swh-web-secret-keys branch for environment production...
[swh] Generate config in swh-web-secret-keys branch for environment production...
------------- diff for environment staging namespace swh -------------
No differences
------------- diff for environment staging namespace swh-cassandra -------------
No differences
------------- diff for environment staging namespace swh-cassandra-next-version -------------
No differences
------------- diff for environment production namespace swh -------------
--- /tmp/swh-chart.swh.ibW67IG8/production-swh.before 2024-12-23 12:07:40.677319598 +0100
+++ /tmp/swh-chart.swh.ibW67IG8/production-swh.after 2024-12-23 12:07:41.141295339 +0100
@@ -2254,20 +2254,21 @@
token: ${GITLAB_AFN_TOKEN}
trigger_url: https://gitlab.softwareheritage.org/api/v4/projects/474/trigger/pipeline
history_counters_url: http://counters-rpc-ingress/counters_history/history.json#
es_workers_index_url: http://esnode1.internal.softwareheritage.org:9200/swh_workers-*
secret_key: "${DJANGO_SECRET_KEY}"
secret_key_fallbacks:
- "${DJANGO_SECRET_KEY_FALLBACK_1}"
- "${DJANGO_SECRET_KEY_FALLBACK_2}"
+ - "${DJANGO_SECRET_KEY_FALLBACK_3}"
production_db:
host: postgresql-web-rw.internal.softwareheritage.org
port: 5432
name: swh-web
user: swh-web
password: ${POSTGRESQL_PASSWORD}
client_config:
sentry_dsn: ${SWH_SENTRY_DSN}
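Review bot: The `secret_key_fallbacks` list only grows here (a third entry is appended), and nothing in the rendered config records which retired key each slot holds or when it can be dropped. If this setting feeds Django's `SECRET_KEY_FALLBACKS`, as the name suggests, every listed key is still accepted when verifying signed data such as sessions and password-reset tokens, so a retired key stays usable by anyone who obtained it until it is removed from the list. I would add a comment next to the list in the values file, e.g. `# fallback-3: <which former key>, remove after <date>`, and schedule the removal once existing sessions have expired. The same applies to the lists added in the `@@ -10134` and `@@ -10367` hunks for swh-cassandra.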
@@ -5560,21 +5561,21 @@
app: web-postgresql
strategy:
type: RollingUpdate
rollingUpdate:
maxSurge: 1
template:
metadata:
labels:
app: web-postgresql
annotations:
- checksum/config: 92b58a6349c3280805c438ae798307c24827cbe3e75569febca16df302b2c798
+ checksum/config: 3faef2c924beb8ca9bff3885cbeda7aae3b6871f9a0bf545702032f0a2acee0d
checksum/config-logging: 81fb24577eb1777be8690f58c1e92d701777fe4ff045bb8445feb924947b9f84
checksum/config-utils: d75ca13b805bce6a8ab59c8e24c938f2283108f6a79134f6e71db86308651dc6
spec:
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: swh/web
operator: In
@@ -5620,20 +5621,26 @@
secretKeyRef:
key: webapp-django-secret-key-fallback-1
name: swh-webapp-django-secret
optional: false
- name: DJANGO_SECRET_KEY_FALLBACK_2
valueFrom:
secretKeyRef:
key: webapp-django-secret-key-fallback-2
name: swh-webapp-django-secret
optional: false
+ - name: DJANGO_SECRET_KEY_FALLBACK_3
+ valueFrom:
+ secretKeyRef:
+ key: webapp-django-secret-key-fallback-3
+ name: swh-webapp-django-secret
+ optional: false
- name: GITLAB_AFN_TOKEN
valueFrom:
secretKeyRef:
key: gitlab_afn_token
name: common-secrets
optional: false
- name: GIVE_PRIVATE_TOKEN
valueFrom:
secretKeyRef:
key: private-token
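Review bot: `DJANGO_SECRET_KEY_FALLBACK_3` is read with `optional: false`, so the container will not start unless the key `webapp-django-secret-key-fallback-3` already exists in `swh-webapp-django-secret`; the diff does not show that Secret, so this needs confirming before the rollout that the changed `checksum/config` triggers. Secrets are namespace-scoped, so the swh-cassandra hunks (`@@ -27982`, `@@ -28250`, `@@ -29196`, `@@ -29276`) resolve the same name to a separate object, which needs all three fallback keys and, if signed cookies are meant to verify across the webapps, the same values as in swh. Keeping `optional: false` is the right choice, since a missing key then fails loudly instead of silently shrinking the fallback list. The env list starts and ends outside the hunk.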
------------- diff for environment production namespace swh-cassandra -------------
--- /tmp/swh-chart.swh.ibW67IG8/production-swh-cassandra.before 2024-12-23 12:07:41.009302239 +0100
+++ /tmp/swh-chart.swh.ibW67IG8/production-swh-cassandra.after 2024-12-23 12:07:41.477277773 +0100
@@ -10134,20 +10134,24 @@
add_forge_now:
email_address: add-forge-now@archive.softwareheritage.org
gitlab_pipeline:
token: ${GITLAB_AFN_TOKEN}
trigger_url: https://gitlab.softwareheritage.org/api/v4/projects/474/trigger/pipeline
history_counters_url: http://counters-rpc-ingress-swh-cassandra/counters_history/history.json#
es_workers_index_url: http://esnode1.internal.softwareheritage.org:9200/swh_workers-*
secret_key: "${DJANGO_SECRET_KEY}"
+ secret_key_fallbacks:
+ - "${DJANGO_SECRET_KEY_FALLBACK_1}"
+ - "${DJANGO_SECRET_KEY_FALLBACK_2}"
+ - "${DJANGO_SECRET_KEY_FALLBACK_3}"
production_db:
host: postgresql-web-rw.internal.softwareheritage.org
port: 5432
name: swh-web
user: swh-web
password: ${POSTGRESQL_PASSWORD}
client_config:
sentry_dsn: ${SWH_SENTRY_DSN}
@@ -10367,20 +10371,24 @@
add_forge_now:
email_address: add-forge-now@archive.softwareheritage.org
gitlab_pipeline:
token: ${GITLAB_AFN_TOKEN}
trigger_url: https://gitlab.softwareheritage.org/api/v4/projects/474/trigger/pipeline
history_counters_url: http://counters-rpc-ingress-swh-cassandra/counters_history/history.json#
es_workers_index_url: http://esnode1.internal.softwareheritage.org:9200/swh_workers-*
secret_key: "${DJANGO_SECRET_KEY}"
+ secret_key_fallbacks:
+ - "${DJANGO_SECRET_KEY_FALLBACK_1}"
+ - "${DJANGO_SECRET_KEY_FALLBACK_2}"
+ - "${DJANGO_SECRET_KEY_FALLBACK_3}"
production_db:
host: postgresql-web-rw.internal.softwareheritage.org
port: 5432
name: swh-web
user: swh-web
password: ${POSTGRESQL_PASSWORD}
client_config:
sentry_dsn: ${SWH_SENTRY_DSN}
@@ -27934,21 +27942,21 @@
app: web-archive
strategy:
type: RollingUpdate
rollingUpdate:
maxSurge: 1
template:
metadata:
labels:
app: web-archive
annotations:
- checksum/config: 7b25fff89f0183c2a796941875370afae58588fd4883038e3d410eeec3537f3b
+ checksum/config: 492d9b1847a07eb3673a65376f3179a4764e8ebcd1d51bd808c727b7b4d37918
checksum/config-logging: af7bf52757798a2fcd4c237ed3de9df87c15b7f38419128a8d67d02b8a485097
checksum/config-utils: 13a26f6add17e96ce01550153c77dcd48de60241a3f4db3c93d5467234be2a7f
spec:
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: swh/web
operator: In
@@ -27982,20 +27990,38 @@
secretKeyRef:
key: username
name: deposit-secrets
optional: false
- name: DJANGO_SECRET_KEY
valueFrom:
secretKeyRef:
key: webapp-django-secret-key
name: swh-webapp-django-secret
optional: false
+ - name: DJANGO_SECRET_KEY_FALLBACK_1
+ valueFrom:
+ secretKeyRef:
+ key: webapp-django-secret-key-fallback-1
+ name: swh-webapp-django-secret
+ optional: false
+ - name: DJANGO_SECRET_KEY_FALLBACK_2
+ valueFrom:
+ secretKeyRef:
+ key: webapp-django-secret-key-fallback-2
+ name: swh-webapp-django-secret
+ optional: false
+ - name: DJANGO_SECRET_KEY_FALLBACK_3
+ valueFrom:
+ secretKeyRef:
+ key: webapp-django-secret-key-fallback-3
+ name: swh-webapp-django-secret
+ optional: false
- name: GITLAB_AFN_TOKEN
valueFrom:
secretKeyRef:
key: gitlab_afn_token
name: common-secrets
optional: false
- name: GIVE_PRIVATE_TOKEN
valueFrom:
secretKeyRef:
key: private-token
@@ -28202,21 +28228,21 @@
app: web-webhooks
strategy:
type: RollingUpdate
rollingUpdate:
maxSurge: 1
template:
metadata:
labels:
app: web-webhooks
annotations:
- checksum/config: 20a04e26c742d670598f4fc3b7dbbc773ff9e154934c4da06a761633c6e2f6a1
+ checksum/config: b770206f758fb43a9401d000424e2474a82ce4d773989fbf9e1d744691a32a6d
checksum/config-logging: 8204fa505554e2a92718b6446f5335481339d9b88337df1e300a3cdc6868c0a8
checksum/config-utils: 13a26f6add17e96ce01550153c77dcd48de60241a3f4db3c93d5467234be2a7f
spec:
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: swh/web
operator: In
@@ -28250,20 +28276,38 @@
secretKeyRef:
key: username
name: deposit-secrets
optional: false
- name: DJANGO_SECRET_KEY
valueFrom:
secretKeyRef:
key: webapp-django-secret-key
name: swh-webapp-django-secret
optional: false
+ - name: DJANGO_SECRET_KEY_FALLBACK_1
+ valueFrom:
+ secretKeyRef:
+ key: webapp-django-secret-key-fallback-1
+ name: swh-webapp-django-secret
+ optional: false
+ - name: DJANGO_SECRET_KEY_FALLBACK_2
+ valueFrom:
+ secretKeyRef:
+ key: webapp-django-secret-key-fallback-2
+ name: swh-webapp-django-secret
+ optional: false
+ - name: DJANGO_SECRET_KEY_FALLBACK_3
+ valueFrom:
+ secretKeyRef:
+ key: webapp-django-secret-key-fallback-3
+ name: swh-webapp-django-secret
+ optional: false
- name: GITLAB_AFN_TOKEN
valueFrom:
secretKeyRef:
key: gitlab_afn_token
name: common-secrets
optional: false
- name: GIVE_PRIVATE_TOKEN
valueFrom:
secretKeyRef:
key: private-token
@@ -29196,20 +29240,38 @@
secretKeyRef:
key: username
name: deposit-secrets
optional: false
- name: DJANGO_SECRET_KEY
valueFrom:
secretKeyRef:
key: webapp-django-secret-key
name: swh-webapp-django-secret
optional: false
+ - name: DJANGO_SECRET_KEY_FALLBACK_1
+ valueFrom:
+ secretKeyRef:
+ key: webapp-django-secret-key-fallback-1
+ name: swh-webapp-django-secret
+ optional: false
+ - name: DJANGO_SECRET_KEY_FALLBACK_2
+ valueFrom:
+ secretKeyRef:
+ key: webapp-django-secret-key-fallback-2
+ name: swh-webapp-django-secret
+ optional: false
+ - name: DJANGO_SECRET_KEY_FALLBACK_3
+ valueFrom:
+ secretKeyRef:
+ key: webapp-django-secret-key-fallback-3
+ name: swh-webapp-django-secret
+ optional: false
- name: GITLAB_AFN_TOKEN
valueFrom:
secretKeyRef:
key: gitlab_afn_token
name: common-secrets
optional: false
- name: GIVE_PRIVATE_TOKEN
valueFrom:
secretKeyRef:
key: private-token
@@ -29276,20 +29338,38 @@
secretKeyRef:
key: username
name: deposit-secrets
optional: false
- name: DJANGO_SECRET_KEY
valueFrom:
secretKeyRef:
key: webapp-django-secret-key
name: swh-webapp-django-secret
optional: false
+ - name: DJANGO_SECRET_KEY_FALLBACK_1
+ valueFrom:
+ secretKeyRef:
+ key: webapp-django-secret-key-fallback-1
+ name: swh-webapp-django-secret
+ optional: false
+ - name: DJANGO_SECRET_KEY_FALLBACK_2
+ valueFrom:
+ secretKeyRef:
+ key: webapp-django-secret-key-fallback-2
+ name: swh-webapp-django-secret
+ optional: false
+ - name: DJANGO_SECRET_KEY_FALLBACK_3
+ valueFrom:
+ secretKeyRef:
+ key: webapp-django-secret-key-fallback-3
+ name: swh-webapp-django-secret
+ optional: false
- name: GITLAB_AFN_TOKEN
valueFrom:
secretKeyRef:
key: gitlab_afn_token
name: common-secrets
optional: false
- name: GIVE_PRIVATE_TOKEN
valueFrom:
secretKeyRef:
key: private-token
Edited by Vincent Sellier