feat(ckan): add token handling

teutonet · Nov 20, 2024 · b0d5275 · b0d5275
1 parent bb9f399
commit b0d5275
Show file tree

Hide file tree

Showing 4 changed files with 85 additions and 3 deletions.
diff --git a/charts/ckan/templates/ckan/configmap.yaml b/charts/ckan/templates/ckan/configmap.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: my-configmap
+data:
+  ckan-init.sh: |-
+    #!/bin/bash
+    echo "Do this"
+
+    beaker.session.secret=$(python3 -c 'import secrets; print(secrets.token_urlsafe())');
+    WTF_CSRF_SECRET_KEY=$(python3 -c 'import secrets; print(secrets.token_urlsafe()));
+    JWT_SECRET=$(python3 -c 'import secrets; print("string:" + secrets.token_urlsafe())');
+
+    ckan -c $CKAN_INI user token add ckan_admin test
+    ckan -c $CKAN_INI user token add ckan_admin datapusherApiKey | tail -n 1 | tr -d '\t';
+    ckan -c $CKAN_INI user token add ckan_admin emailApiKey | tail -n 1 | tr -d '\t';
+    echo "Do that"
diff --git a/charts/ckan/templates/ckan/cronjob.yaml b/charts/ckan/templates/ckan/cronjob.yaml
@@ -0,0 +1,25 @@
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: hello
+spec:
+  schedule: "0 * * * *"
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          containers:
+            - name: ckan-mail
+              image: busybox:1.28
+              imagePullPolicy: IfNotPresent
+              command:
+                - /bin/sh
+                - -c
+                - "curl https://{{ .Values.ckan.ingress.hostname }}/api/3/action/ -H \"Authorization: Bearer $EMAIL_API_KEY\""
+              env:
+                - name: EMAIL_API_KEY
+                  valueFrom:
+                    secretKeyRef:
+                      name: {{ printf "%s-%s-config" (include "common.names.fullname" $) "ckan" }}
+                      key: emailApiKey
+          restartPolicy: OnFailure
diff --git a/charts/ckan/templates/ckan/deployment.yaml b/charts/ckan/templates/ckan/deployment.yaml
@@ -27,18 +27,30 @@ spec:
         - name: "ckan"
           persistentVolumeClaim:
             claimName: {{ $claimName }}
+        - name: configmap-volume
+          configMap:
+            defaultMode: 0777
+            name: my-configmap
       securityContext:
       {{- toYaml .Values.ckan.podSecurityContext | default dict | nindent 8 }}
-      {{ if .Values.ckan.persistence -}}
       initContainers:
+        {{ if .Values.ckan.persistence -}}
         - name: set-volume-ownsership
           image: {{ printf "%s/busybox" ($.Values.global.imageRegistry | default (include "ckan.defaultRegistry" (dict))) }}:1.36
           command: ["sh", "-c", "chown -R 92:92 /var/lib/ckan"] # 92 is the uid and gid of ckan user/group
           volumeMounts:
             - name: ckan
               mountPath: /var/lib/ckan
               readOnly: false
-      {{ end }}
+        {{ end }}
+        - name: ckan-initiate
+          image: {{ include "common.images.image" (dict "imageRoot" .Values.ckan.image "global" .Values.global) }}
+          command: ["sh","-c","/srv/app/ckan-init.sh"]
+          volumeMounts:
+            - name: configmap-volume
+              mountPath: /srv/app/ckan-init.sh
+              readOnly: true
+              subPath: ckan-init.sh
       containers:
         - name: {{ printf "%s-%s" .Chart.Name $name }}
           env:
@@ -147,8 +159,28 @@ spec:
               value: "http://{{ printf "%s-%s" (include "common.names.fullname" $) "datapusher" }}:{{ include "ckan.datapusher.service.port" $ }}"
             - name: CKAN_DATAPUSHER_FORMATS
               value: {{ .Values.ckan.datapusher.formats | join " " | quote }}
+            - name: CKAN__DATAPUSHER__API_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  name: {{ printf "%s-%s-config" (include "common.names.fullname" $) $name }}
+                  key: datapusherApiKey
             - name: CKAN__DATAPUSHER__CALLBACK_URL_BASE
               value: "http://{{ printf "%s-%s" (include "common.names.fullname" $) "ckan" }}:{{ include "ckan.ckan.service.port" $ }}/"
+            - name: CKAN_BEAKER_SESSION_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: {{ printf "%s-%s-config" (include "common.names.fullname" $) $name }}
+                  key: beakerSessionSecret
+            - name: WTF_CSRF_SECRET_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: {{ printf "%s-%s-config" (include "common.names.fullname" $) $name }}
+                  key: wtfCsrfSecretKey
+            - name: JWT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: {{ printf "%s-%s-config" (include "common.names.fullname" $) $name }}
+                  key: jwtSecret
             - name: CKAN__PLUGINS
               value: {{ .Values.ckan.plugins | join " " | quote }}
           securityContext:

diff --git a/charts/ckan/templates/ckan/secret.yaml b/charts/ckan/templates/ckan/secret.yaml
@@ -1,5 +1,8 @@
 {{- $name := (printf "%s-%s-config" (include "common.names.fullname" .) "ckan") -}}
 {{- $sysAdminPassword := include "common.secrets.passwords.manage" (dict "secret" $name "length" 42 "strong" false "key" "sysAdminPassword" "providedValues" (list "ckan.sysadmin.password") "skipB64enc" true "context" (dict "Values" .Values "Release" ((dict "IsUpgrade" false "IsInstall" true "Namespace" .Release.Namespace) | mergeOverwrite (deepCopy .Release)))) }}
+{{- $beakerSessionSecret := include "common.secrets.passwords.manage" (dict "secret" $name "length" 42 "strong" false "key" "beakerSessionSecret" "providedValues" (list "ckan.beakerSessionSecret") "skipB64enc" false "context" (dict "Values" .Values "Release" ((dict "IsUpgrade" false "IsInstall" true "Namespace" .Release.Namespace) | mergeOverwrite (deepCopy .Release)))) }}
+{{- $wtfCsrfSecretKey := include "common.secrets.passwords.manage" (dict "secret" $name "length" 42 "strong" false "key" "wtfCsrfSecretKey" "providedValues" (list "ckan.wtfCsrfSecretKey") "skipB64enc" false "context" (dict "Values" .Values "Release" ((dict "IsUpgrade" false "IsInstall" true "Namespace" .Release.Namespace) | mergeOverwrite (deepCopy .Release)))) }}
+{{- $jwtSecret := include "common.secrets.passwords.manage" (dict "secret" $name "length" 42 "strong" false "key" "jwtSecret" "providedValues" (list "ckan.jwtSecret") "skipB64enc" false "context" (dict "Values" .Values "Release" ((dict "IsUpgrade" false "IsInstall" true "Namespace" .Release.Namespace) | mergeOverwrite (deepCopy .Release)))) }}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -11,6 +14,11 @@ stringData:
   sysAdminUsername: {{ .Values.ckan.sysadmin.name | default "ckan_admin" | quote }}
   sysAdminPassword: {{ $sysAdminPassword }}
   sysAdminEmail: {{ .Values.ckan.sysadmin.email | default "[email protected]" | quote }}
+  beakerSessionSecret: {{ $beakerSessionSecret }}
+  wtfCsrfSecretKey: {{ $wtfCsrfSecretKey }}
+  jwtSecret: {{ printf "string:%s" $jwtSecret }}
+  datapusherApiKey: {{ "" }}
+  emailApiKey: {{ "" }}
   {{- if .Values.ckan.smtp }}
   smtpPassword: {{ .Values.ckan.smtp.password | quote }}
-  {{- end }}
+  {{- end }}