Add JWT_PUBLIC_KEY_BASE64_ENCODED

.env-sample

@@ -3,7 +3,8 @@ DJANGO_SECRET_KEY=RANDOM-STRING-FOR-SECRET-KEYS
 
 # For other, look at main/settings.py:env for available options.
 
-# Generate using `cat secret-key | base64 -w 0`
+# Generate using `cat key | base64 -w 0`
 JWT_PRIVATE_KEY_BASE64_ENCODED=
+JWT_PUBLIC_BASE64_ENCODED=
 # JWT_PRIVATE_KEY=
-JWT_PUBLIC_KEY=
+# JWT_PUBLIC_KEY=

azure-pipelines.yml

@@ -117,7 +117,7 @@ jobs:
       NS_INITIATIVES_API_TOKEN: $(STAGING_NS_INITIATIVES_API_TOKEN)
       # JWT
       JWT_PRIVATE_KEY_BASE64_ENCODED: $(STAGING_JWT_PRIVATE_KEY_BASE64_ENCODED)
-      JWT_PUBLIC_KEY: $(STAGING_JWT_PUBLIC_KEY)
+      JWT_PUBLIC_KEY_BASE64_ENCODED: $(STAGING_JWT_PUBLIC_KEY_BASE64_ENCODED)
       JWT_EXPIRE_TIMESTAMP_DAYS: $(STAGING_JWT_EXPIRE_TIMESTAMP_DAYS)
 
   - bash: $(Pipeline.Workspace)/go-api/deploy/scripts/cideploy --production
@@ -198,5 +198,5 @@ jobs:
       NS_INITIATIVES_API_TOKEN: $(PRODUCTION_NS_INITIATIVES_API_TOKEN)
       # JWT
       JWT_PRIVATE_KEY_BASE64_ENCODED: $(PRODUCTION_JWT_PRIVATE_KEY_BASE64_ENCODED)
-      JWT_PUBLIC_KEY: $(PRODUCTION_JWT_PUBLIC_KEY)
+      JWT_PUBLIC_KEY_BASE64_ENCODED: $(PRODUCTION_JWT_PUBLIC_KEY_BASE64_ENCODED)
       JWT_EXPIRE_TIMESTAMP_DAYS: $(PRODUCTION_JWT_EXPIRE_TIMESTAMP_DAYS)

deploy/bin/deploy

@@ -173,6 +173,6 @@ if [ "${BASH_SOURCE[0]}" = "${0}" ]; then
         --set env.NS_INITIATIVES_API_KEY=${TF_VAR_NS_INITIATIVES_API_KEY} \
         --set env.NS_INITIATIVES_API_TOKEN=${TF_VAR_NS_INITIATIVES_API_TOKEN} \
         --set "env.JWT_PRIVATE_KEY_BASE64_ENCODED=${TF_VAR_JWT_PRIVATE_KEY_BASE64_ENCODED}" \
-        --set "env.JWT_PUBLIC_KEY=${TF_VAR_JWT_PUBLIC_KEY}" \
+        --set "env.JWT_PUBLIC_KEY_BASE64_ENCODED=${TF_VAR_JWT_PUBLIC_KEY_BASE64_ENCODED}" \
         --set env.JWT_EXPIRE_TIMESTAMP_DAYS=${TF_VAR_JWT_EXPIRE_TIMESTAMP_DAYS}
 fi

deploy/docker-compose.yml

@@ -78,7 +78,7 @@ services:
         - TF_VAR_NS_INITIATIVES_API_TOKEN=${NS_INITIATIVES_API_TOKEN}
         # JWT
         - TF_VAR_JWT_PRIVATE_KEY_BASE64_ENCODED=${JWT_PRIVATE_KEY_BASE64_ENCODED}
-        - TF_VAR_JWT_PUBLIC_KEY=${JWT_PUBLIC_KEY}
+        - TF_VAR_JWT_PUBLIC_KEY_BASE64_ENCODED=${JWT_PUBLIC_KEY_BASE64_ENCODED}
         - TF_VAR_JWT_EXPIRE_TIMESTAMP_DAYS=${JWT_EXPIRE_TIMESTAMP_DAYS}
         # Maintenance mode
         - TF_VAR_DJANGO_READ_ONLY=${DJANGO_READ_ONLY}

deploy/helm/ifrcgo-helm/templates/config/secret.yaml

@@ -50,5 +50,5 @@ stringData:
   NS_INITIATIVES_API_KEY: "{{ .Values.env.NS_INITIATIVES_API_KEY}}"
   NS_INITIATIVES_API_TOKEN: "{{ .Values.env.NS_INITIATIVES_API_TOKEN}}"
   JWT_PRIVATE_KEY_BASE64_ENCODED: "{{ .Values.env.JWT_PRIVATE_KEY_BASE64_ENCODED}}"
-  JWT_PUBLIC_KEY: "{{ .Values.env.JWT_PUBLIC_KEY}}"
+  JWT_PUBLIC_KEY_BASE64_ENCODED: "{{ .Values.env.JWT_PUBLIC_KEY_BASE64_ENCODED}}"
   JWT_EXPIRE_TIMESTAMP_DAYS: "{{ .Values.env.JWT_EXPIRE_TIMESTAMP_DAYS}}"

deploy/helm/ifrcgo-helm/values.yaml

@@ -57,7 +57,7 @@ env:
   NS_INITIATIVES_API_KEY: ''
   NS_DOCUMENT_API_TOKEN: ''
   JWT_PRIVATE_KEY_BASE64_ENCODED: ''
-  JWT_PUBLIC_KEY: ''
+  JWT_PUBLIC_KEY_BASE64_ENCODED: ''
   JWT_EXPIRE_TIMESTAMP_DAYS: ''
 
 secrets:

deploy/terraform/main.tf

@@ -67,7 +67,7 @@ module "resources" {
   NS_INITIATIVES_API_KEY = var.NS_INITIATIVES_API_KEY
   NS_INITIATIVES_API_TOKEN = var.NS_INITIATIVES_API_TOKEN
   JWT_PRIVATE_KEY_BASE64_ENCODED = var.JWT_PRIVATE_KEY_BASE64_ENCODED
-  JWT_PUBLIC_KEY = var.JWT_PUBLIC_KEY
+  JWT_PUBLIC_KEY_BASE64_ENCODED = var.JWT_PUBLIC_KEY_BASE64_ENCODED
   JWT_EXPIRE_TIMESTAMP_DAYS = var.JWT_EXPIRE_TIMESTAMP_DAYS
 }
 

deploy/terraform/resources/helm-ifrcgo.tf

@@ -252,8 +252,8 @@ resource "helm_release" "ifrcgo" {
   }
 
   set {
-    name = "env.JWT_PUBLIC_KEY"
-    value = var.JWT_PUBLIC_KEY
+    name = "env.JWT_PUBLIC_KEY_BASE64_ENCODED"
+    value = var.JWT_PUBLIC_KEY_BASE64_ENCODED
   }
 
   set {

deploy/terraform/resources/variables.tf

@@ -291,7 +291,7 @@ variable "JWT_PRIVATE_KEY_BASE64_ENCODED" {
   default = ""
 }
 
-variable "JWT_PUBLIC_KEY" {
+variable "JWT_PUBLIC_KEY_BASE64_ENCODED" {
   type = string
   default = ""
 }

deploy/terraform/variables.tf

@@ -296,7 +296,7 @@ variable "JWT_PRIVATE_KEY_BASE64_ENCODED" {
   default = ""
 }
 
-variable "JWT_PUBLIC_KEY" {
+variable "JWT_PUBLIC_KEY_BASE64_ENCODED" {
   type = string
   default = ""
 }

main/settings.py

@@ -102,6 +102,7 @@
     DISABLE_API_CACHE=(bool, False),
     # jwt private and public key
     JWT_PRIVATE_KEY_BASE64_ENCODED=(str, None),
+    JWT_PUBLIC_KEY_BASE64_ENCODED=(str, None),
     JWT_PRIVATE_KEY=(str, None),
     JWT_PUBLIC_KEY=(str, None),
     JWT_EXPIRE_TIMESTAMP_DAYS=(int, 365),
@@ -608,15 +609,17 @@
 # A character which is rarely used in strings – for separator:
 SEP = '¤'
 
-JWT_PRIVATE_KEY = env('JWT_PRIVATE_KEY')
-if env('JWT_PRIVATE_KEY_BASE64_ENCODED'):
-    # TODO: Instead use docker/k8 secrets file mount?
-    try:
-        JWT_PRIVATE_KEY = base64.b64decode(env('JWT_PRIVATE_KEY_BASE64_ENCODED'))
-    except Exception:
-        logger.error('Failed to decode JWT_PRIVATE_KEY_BASE64_ENCODED', exc_info=True)
-
-JWT_PUBLIC_KEY = env('JWT_PUBLIC_KEY')
+def decode_base64(env_key, fallback_env_key):
+    if encoded_value := env(env_key):
+        # TODO: Instead use docker/k8 secrets file mount?
+        try:
+            return base64.b64decode(encoded_value)
+        except Exception:
+            logger.error(f'Failed to decode {env_key}', exc_info=True)
+    return env(fallback_env_key)
+
+JWT_PRIVATE_KEY = decode_base64('JWT_PRIVATE_KEY_BASE64_ENCODED', 'JWT_PRIVATE_KEY')
+JWT_PUBLIC_KEY = decode_base64('JWT_PUBLIC_KEY_BASE64_ENCODED', 'JWT_PUBLIC_KEY')
 JWT_EXPIRE_TIMESTAMP_DAYS = env('JWT_EXPIRE_TIMESTAMP_DAYS')
 
 # Need to load this to overwrite modeltranslation module