
ChRIS backend production services secret configuration files

Jennings Zhang edited this page Jun 5, 2023 · 32 revisions

Abstract

This page describes the configuration files required by the production deployment of the ChRIS backend services. Those files can contain secret variables such as API keys and authentication passwords as well as other configuration variables.

Currently required files

  • .chris.env
  • .chris_db.env
  • .chris_store.env
  • .chris_store_db.env
  • .pfcon.env
  • .pman.env
  • .swift_service.env

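These files should be placed in a secrets folder created under the appropriate path inside a clone of the repository. Because they hold credentials, keep that folder out of version control and readable only by the user who runs the deployment. For example: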

git clone https://github.com/FNNDSC/ChRIS_ultron_backend
cd ChRIS_ultron_backend
mkdir swarm/prod/secrets

Secret configuration file options

.chris.env

DJANGO_SETTINGS_MODULE=config.settings.production
CUBE_CELERY_POLL_INTERVAL=5.0
DJANGO_DB_MIGRATE=on
DJANGO_COLLECTSTATIC=on
DJANGO_ALLOWED_HOSTS=*
DJANGO_SECRET_KEY=key1
DJANGO_CORS_ALLOW_ALL_ORIGINS=true
DJANGO_CORS_ALLOWED_ORIGINS=https://babymri.org
DJANGO_SECURE_PROXY_SSL_HEADER=
DJANGO_USE_X_FORWARDED_HOST=false
STATIC_ROOT=/home/localuser/mod_wsgi-0.0.0.0:8000/htdocs/static/
DEFAULT_FILE_STORAGE=swift.storage.SwiftStorage
SWIFT_CONTAINER_NAME=users

.chris_db.env

POSTGRES_DB=chris
POSTGRES_USER=chris
POSTGRES_PASSWORD=password1

.chris_store.env

DJANGO_SETTINGS_MODULE=config.settings.production
DJANGO_DB_MIGRATE=on
DJANGO_ALLOWED_HOSTS=*
DJANGO_SECRET_KEY=key2
DJANGO_CORS_ALLOW_ALL_ORIGINS=true
DJANGO_CORS_ALLOWED_ORIGINS=https://babymri.org
DJANGO_SECURE_PROXY_SSL_HEADER=
DJANGO_USE_X_FORWARDED_HOST=false
SWIFT_CONTAINER_NAME=store_users

.chris_store_db.env

POSTGRES_DB=chris_store
POSTGRES_USER=chris
POSTGRES_PASSWORD=password2

.pfcon.env

SECRET_KEY=key3

.pman.env

SECRET_KEY=key4

.swift_service.env

SWIFT_USERNAME=chris:password3
SWIFT_KEY=key5

Reverse Proxy Settings

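If the app is behind a reverse proxy that terminates HTTPS, set the following in .chris.env and .chris_store.env. Only do this when the proxy itself sets (and overwrites) the X-Forwarded-Proto and X-Forwarded-Host headers, because Django will trust whatever value arrives in them: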

DJANGO_SECURE_PROXY_SSL_HEADER=HTTP_X_FORWARDED_PROTO,https
DJANGO_USE_X_FORWARDED_HOST=true

See https://github.com/FNNDSC/ChRIS_ultron_backEnd/wiki/Deployment#fix

Automatic Script

If you're using ./deploy.sh and want things to "just work," use this script to generate random values for the required secrets. Note that the Swift credentials it writes are hard-coded, not random.

#!/bin/bash
# purpose: set up swarm/prod/secrets/*.env
# https://github.com/FNNDSC/ChRIS_ultron_backEnd/wiki/ChRIS-backend-production-services-secret-configuration-files

# CORS settings copied into the generated .env files. Values already present
# in the environment win; the defaults below apply only when a variable is
# unset or empty.
# NOTE(review): the default of "true" presumably allows cross-origin requests
# from any site, which would make the allowed-origins list irrelevant. Export
# DJANGO_CORS_ALLOW_ALL_ORIGINS=false before running for a restricted setup.
: "${DJANGO_CORS_ALLOW_ALL_ORIGINS:=true}"
: "${DJANGO_CORS_ALLOWED_ORIGINS:=https://babymri.org}"

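# Print a random mixed-case alphanumeric string.
# Arguments: $1 - number of characters to print (default 60)
# Outputs:   the string on stdout, with no trailing newline
#
# /dev/urandom is read as an unbounded stream so that any requested length is
# always satisfied. Piping it through `head` first would stop after ten newline
# bytes and could leave too few characters once the non-alphanumeric bytes are
# filtered out. LC_ALL=C makes tr treat the input as raw bytes rather than as
# text in the current locale.
generate_password() {
  LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "${1:-60}"
}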

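secrets_dir=./swarm/prod/secrets

# Never overwrite an existing secrets directory.
if [ -d "$secrets_dir" ]; then
  printf '%s already exists\n' "$secrets_dir" >&2
  exit 1
fi

# Everything created below holds credentials: make the directory and the
# files accessible to the current user only (0700 / 0600).
# NOTE(review): assumes the deployment is run by this same user; confirm.
umask 077

# Stop if the directory cannot be created or entered. Without these checks a
# failed mkdir/cd (for example, running from outside the repository root)
# would let the heredocs below write the secret files into the current
# directory instead.
mkdir -- "$secrets_dir" || exit 1
cd -- "$secrets_dir" || exit 1

# NOTE(review): DJANGO_ALLOWED_HOSTS=* is written as-is. If this value ends up
# in Django's ALLOWED_HOSTS it turns off Host-header validation; replace it
# with the real hostnames once they are known.
cat > .chris.env << EOF
DJANGO_SETTINGS_MODULE=config.settings.production
CUBE_CELERY_POLL_INTERVAL=5.0
DJANGO_ALLOWED_HOSTS=*
DJANGO_SECRET_KEY=$(generate_password)
DJANGO_CORS_ALLOW_ALL_ORIGINS=$DJANGO_CORS_ALLOW_ALL_ORIGINS
DJANGO_CORS_ALLOWED_ORIGINS=$DJANGO_CORS_ALLOWED_ORIGINS
STATIC_ROOT=/home/localuser/mod_wsgi-0.0.0.0:8000/htdocs/static/
DJANGO_SECURE_PROXY_SSL_HEADER=
DJANGO_USE_X_FORWARDED_HOST=false
SWIFT_CONTAINER_NAME=users
EOF

cat > .chris_db.env << EOF
POSTGRES_DB=chris
POSTGRES_USER=chris
POSTGRES_PASSWORD=$(generate_password)
EOF

cat > .chris_store.env << EOF
DJANGO_SETTINGS_MODULE=config.settings.production
DJANGO_ALLOWED_HOSTS=*
DJANGO_SECRET_KEY=$(generate_password)
DJANGO_CORS_ALLOW_ALL_ORIGINS=$DJANGO_CORS_ALLOW_ALL_ORIGINS
DJANGO_CORS_ALLOWED_ORIGINS=$DJANGO_CORS_ALLOWED_ORIGINS
SWIFT_CONTAINER_NAME=store_users
DJANGO_SECURE_PROXY_SSL_HEADER=
DJANGO_USE_X_FORWARDED_HOST=false
EOF

cat > .chris_store_db.env << EOF
POSTGRES_DB=chris_store
POSTGRES_USER=chris
POSTGRES_PASSWORD=$(generate_password)
EOF

# The Swift credentials are hard-coded, publicly documented values rather than
# generated secrets, so they give no protection on their own.
# NOTE(review): presumably they must match what the Swift service itself is
# configured with; confirm, and change both sides before exposing the
# deployment to anyone else.
cat > .swift_service.env << EOF
SWIFT_USERNAME=chris:chris1234
SWIFT_KEY=testing
EOF

cd - || exit 1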

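# Wrapper around generate_password that ends the result with a newline.
# Arguments: $1 - number of characters (optional; generate_password applies
#                 its own default when omitted)
# Outputs:   the password followed by a newline, on stdout
print_password() {
  # "$@" forwards the arguments unchanged, without word splitting or globbing.
  generate_password "$@"
  printf '\n'
}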

# Print spare passwords for the operator: four each of length 8, 12 and 60.
# NOTE(review): these go to stdout, so they can end up in terminal scrollback
# or captured logs. An 8-character alphanumeric string is also fairly short
# for a superuser account; prefer the longer ones.
echo "Here are some more passwords for you to use for when setting up superuser accounts"
for length in 8 12 60; do
  for _ in 1 2 3 4; do
    print_password "$length"
  done
done