From ddddeb569aebdd3491a84459b87f9107b1fbe712 Mon Sep 17 00:00:00 2001
From: Zoran Sinnema
Date: Fri, 14 May 2021 14:51:16 +0200
Subject: [PATCH] #193 chore: moved the social keys and secrets to a k8 secret

---
 scidash/main/settings.py | 18 +++++++++++-------
 service/deployment/docker-compose.yml | 9 ++++++++-
 service/docker/Dockerfile-scidash | 1 +
 service/k8s/scidash.yaml | 25 ++++++++++++++++++++++---
 4 files changed, 42 insertions(+), 11 deletions(-)

diff --git a/scidash/main/settings.py b/scidash/main/settings.py
index d9ed014a..337c2016 100644
--- a/scidash/main/settings.py
+++ b/scidash/main/settings.py
@@ -102,23 +102,27 @@
 # see https://python-social-auth.readthedocs.io/en/latest/backends/index.html
 # for configation of social backends
+def get_secret(secret):
+    sec_path = os.getenv('SECRETS_PATH','/etc/secrets')
+    with open(os.path.join(sec_path, secret)) as fh:
+        return fh.read()
+
 
 # GOOGLE
 # https://python-social-auth.readthedocs.io/en/latest/backends/google.html
 # see https://developers.google.com/identity/protocols/oauth2?csw=1#Registering
 # to get google client id (key) and secret
-SOCIAL_AUTH_GOOGLE_OAUTH2_KEY = '732706977649-oou1hmc5q4mbrsida2bvu0mplmsebok0.apps.googleusercontent.com'
-SOCIAL_AUTH_GOOGLE_OAUTH2_SECRET = 'WbtBzkxLVODaSi9PcPHS2DuL'
+SOCIAL_AUTH_GOOGLE_OAUTH2_KEY = get_secret('SOCIAL_AUTH_GOOGLE_OAUTH2_KEY')
+SOCIAL_AUTH_GOOGLE_OAUTH2_SECRET = get_secret('SOCIAL_AUTH_GOOGLE_OAUTH2_SECRET')
 
 # TWITTER
 # https://python-social-auth.readthedocs.io/en/latest/backends/twitter.html
-SOCIAL_AUTH_TWITTER_KEY = 'YLbWDorRWSsO1FQo5kanraUzt'
-SOCIAL_AUTH_TWITTER_SECRET = '2D8ICyjXOMssEdfaw0v8Qtyb2vEGpFUYTjLdIZ1YiMJE0TR0rx'
-# twitter bearer token: AAAAAAAAAAAAAAAAAAAAAPJuPgEAAAAAhP2wPOYLMrjP0RNRzfFGj%2BUgJrE%3DlEjIikC9mLUfDpQsVMyPuAK4f5k4TNHQHLXVGqmkeDVEzbPkv2
+SOCIAL_AUTH_TWITTER_KEY = get_secret('SOCIAL_AUTH_TWITTER_KEY')
+SOCIAL_AUTH_TWITTER_SECRET = get_secret('SOCIAL_AUTH_TWITTER_SECRET')
 
 # GITHUB
 # https://python-social-auth.readthedocs.io/en/latest/backends/github.html
-SOCIAL_AUTH_GITHUB_KEY = '6e17b37f51445888e940'
-SOCIAL_AUTH_GITHUB_SECRET = 'b920fd48bb6a057225989692bb5eacb84032bab5'
+SOCIAL_AUTH_GITHUB_KEY = get_secret('SOCIAL_AUTH_GITHUB_KEY')
+SOCIAL_AUTH_GITHUB_SECRET = get_secret('SOCIAL_AUTH_GITHUB_SECRET')
 
 AUTHENTICATION_BACKENDS = (
     'social_core.backends.open_id.OpenIdAuth',
diff --git a/service/deployment/docker-compose.yml b/service/deployment/docker-compose.yml
index dc0cc0bd..d27614b1 100644
--- a/service/deployment/docker-compose.yml
+++ b/service/deployment/docker-compose.yml
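Review bot: `get_secret` returns `fh.read()` unstripped, so a secret file that ends in a newline (the usual result of `echo value > secrets/NAME` for the `./secrets` bind mount docker-compose now uses) produces a client id or secret with a trailing `\n` and the OAuth exchange fails with an opaque invalid-client error; change the last line to `return fh.read().strip()`. A missing file raises a bare `FileNotFoundError` during settings import with no hint of which provider is unconfigured, so consider catching it and re-raising `django.core.exceptions.ImproperlyConfigured` naming `secret` and `sec_path`. Moving the literals out of the file does not revoke them: the Google, Twitter and GitHub client secrets and the Twitter bearer token on the removed lines remain readable in git history and must be rotated at each provider. The helper relies on `os` being imported earlier in settings.py, which is outside this hunk.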
@@ -1,13 +1,17 @@ -version: '2' +version: '3' services: scidash-redis: image: redis + ports: + - 6379:6379 expose: - 6379 scidash-postgres: image: metacell/scidash_db:latest container_name: scidash_db + ports: + - 5432:5432 expose: - 5432 volumes: @@ -17,6 +21,8 @@ services: container_name: scidash_virgo volumes: - geppettoTmp-volume:/opt/virgo/geppettoTmp + ports: + - 8080:8080 expose: - 8080 mem_reservation: 5120m @@ -33,6 +39,7 @@ services: - SYS_ADMIN volumes: - geppettoTmp-volume:/opt/virgo/geppettoTmp + - ./secrets:/etc/secrets ports: - 8000:8000 depends_on: diff --git a/service/docker/Dockerfile-scidash b/service/docker/Dockerfile-scidash index 9c8781ad..6d4b2c59 100644 --- a/service/docker/Dockerfile-scidash +++ b/service/docker/Dockerfile-scidash @@ -68,6 +68,7 @@ RUN cp ./service/dotenv/scidash_env .env USER root RUN echo 'kernel.unprivileged_userns_clone=1' > /etc/sysctl.d/userns.conf +RUN mkdir -p /etc/secrets USER developer CMD ./service/scripts/run.sh diff --git a/service/k8s/scidash.yaml b/service/k8s/scidash.yaml index ee569690..e333adff 100644 --- a/service/k8s/scidash.yaml +++ b/service/k8s/scidash.yaml @@ -1,4 +1,17 @@ apiVersion: v1 +kind: Secret +metadata: + name: scidash +type: Opaque +stringData: + SOCIAL_AUTH_GOOGLE_OAUTH2_KEY: key + SOCIAL_AUTH_GOOGLE_OAUTH2_SECRET: secret + SOCIAL_AUTH_TWITTER_KEY: key + SOCIAL_AUTH_TWITTER_SECRET: secret + SOCIAL_AUTH_GITHUB_KEY: key + SOCIAL_AUTH_GITHUB_SECRET: secret +--- +apiVersion: v1 kind: PersistentVolumeClaim metadata: name: scidash-geppettotmp 
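Review bot: The new `ports: - 6379:6379` and `- 5432:5432` entries publish Redis and Postgres on every host interface, which is unrelated to the stated purpose of this commit and exposes the stock `redis` image (which starts without a password by default) and the database to anything that can reach the host. The existing `expose` entries already make these ports reachable from the other services on the compose network, so either drop the `ports` blocks or bind them to loopback for local debugging, e.g. `- 127.0.0.1:6379:6379` and `- 127.0.0.1:5432:5432`. The `8080:8080` mapping added for virgo in the following hunk has the same problem.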
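Review bot: The `./secrets:/etc/secrets` bind mount is read-write, unlike the `readOnly: true` secret mount in the k8s manifest, so a compromised or buggy process in the container can overwrite the host-side credential files; make it `- ./secrets:/etc/secrets:ro`. That `secrets` directory next to docker-compose.yml will now hold real OAuth client secrets, one file per name used by the `get_secret()` calls in settings.py, so it must be git-ignored and documented; this patch shows no `.gitignore` change, so confirm one exists before merging.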
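Review bot: The `Secret` with placeholder values `key`/`secret` lives in the same `scidash.yaml` as the Deployment, so every `kubectl apply -f service/k8s/scidash.yaml` will overwrite the real `scidash` Secret in the cluster with these placeholders, and `get_secret()` will then silently hand `key`/`secret` to the OAuth backends. Keep the Secret out of the applied manifest: move it to a separate, git-ignored file or create it out of band (`kubectl create secret generic scidash --from-literal=...` or an external-secrets operator), and leave only a comment such as `# Secret 'scidash' must exist in the namespace before applying; see deployment README` in its place. Note that `stringData` is stored base64-encoded rather than encrypted, so RBAC on this Secret and etcd encryption at rest still matter.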
@@ -30,18 +43,21 @@ spec: spec: containers: - name: scidash - image: us.gcr.io/metacellllc/scidash:{{CF_BUILD_ID}} + image: metacell/scidash:latest imagePullPolicy: IfNotPresent env: - name: CF_BUILD_ID - value: "{{CF_BUILD_ID}}" + value: latest - name: ENVIRONMENT - value: "{{ENVIRONMENT}}" + value: Development ports: - containerPort: 8000 volumeMounts: - name: scidash-geppettotmp mountPath: /opt/virgo/geppettoTmp + - name: secrets + mountPath: "/etc/secrets" + readOnly: true affinity: podAffinity: requiredDuringSchedulingIgnoredDuringExecution: @@ -56,6 +72,9 @@ spec: - name: scidash-geppettotmp persistentVolumeClaim: claimName: scidash-geppettotmp + - name: secrets + secret: + secretName: scidash --- apiVersion: v1 kind: Service
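Review bot: Replacing `us.gcr.io/metacellllc/scidash:{{CF_BUILD_ID}}` with `metacell/scidash:latest` and hard-coding `CF_BUILD_ID: latest` and `ENVIRONMENT: Development` removes the build templating, and with `imagePullPolicy: IfNotPresent` a mutable `latest` tag means each node keeps running whatever image it already cached, so deployments are no longer reproducible or auditable. This looks like a local-testing leftover unrelated to moving the secrets; restore the templated image and `{{ENVIRONMENT}}` values (or pin an immutable digest, `metacell/scidash@sha256:...`) before merging. The `secrets` volumeMount with `readOnly: true` is the right shape and its `/etc/secrets` path matches the default in `get_secret()`.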
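Review bot: The `secrets` volume takes the Secret default file mode (0644), so every process in the container, not only the Django user, can read the OAuth client secrets; tighten it with `defaultMode: 0440` under `secret:`. Because the Dockerfile switches to `USER developer`, a restrictive mode also needs the pod's `securityContext.fsGroup` set to that user's group so the files remain readable — confirm the uid/gid in the image before changing it.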