Add JWT_PRIVATE_KEY_BASE64_ENCODED config

- To avoid new line issues

.env-sample

@@ -3,5 +3,7 @@ DJANGO_SECRET_KEY=RANDOM-STRING-FOR-SECRET-KEYS
 
 # For other, look at main/settings.py:env for available options.
 
-JWT_PRIVATE_KEY=
-JWT_PUBLIC_KEY=
+# Generate using `cat secret-key | base64 -w 0`
+JWT_PRIVATE_KEY_BASE64_ENCODED=
+# JWT_PRIVATE_KEY=
+JWT_PUBLIC_KEY=

azure-pipelines.yml

@@ -116,7 +116,7 @@ jobs:
       NS_INITIATIVES_API_KEY: $(STAGING_NS_INITIATIVES_API_KEY)
       NS_INITIATIVES_API_TOKEN: $(STAGING_NS_INITIATIVES_API_TOKEN)
       # JWT
-      JWT_PRIVATE_KEY: $(STAGING_JWT_PRIVATE_KEY)
+      JWT_PRIVATE_KEY_BASE64_ENCODED: $(STAGING_JWT_PRIVATE_KEY_BASE64_ENCODED)
       JWT_PUBLIC_KEY: $(STAGING_JWT_PUBLIC_KEY)
       JWT_EXPIRE_TIMESTAMP_DAYS: $(STAGING_JWT_EXPIRE_TIMESTAMP_DAYS)
 
@@ -197,6 +197,6 @@ jobs:
       NS_INITIATIVES_API_KEY: $(PRODUCTION_NS_INITIATIVES_API_KEY)
       NS_INITIATIVES_API_TOKEN: $(PRODUCTION_NS_INITIATIVES_API_TOKEN)
       # JWT
-      JWT_PRIVATE_KEY: $(PRODUCTION_JWT_PRIVATE_KEY)
+      JWT_PRIVATE_KEY_BASE64_ENCODED: $(PRODUCTION_JWT_PRIVATE_KEY_BASE64_ENCODED)
       JWT_PUBLIC_KEY: $(PRODUCTION_JWT_PUBLIC_KEY)
       JWT_EXPIRE_TIMESTAMP_DAYS: $(PRODUCTION_JWT_EXPIRE_TIMESTAMP_DAYS)

deploy/bin/deploy

@@ -172,7 +172,7 @@ if [ "${BASH_SOURCE[0]}" = "${0}" ]; then
         --set env.NS_DOCUMENT_API_KEY=${TF_VAR_NS_DOCUMENT_API_KEY} \
         --set env.NS_INITIATIVES_API_KEY=${TF_VAR_NS_INITIATIVES_API_KEY} \
         --set env.NS_INITIATIVES_API_TOKEN=${TF_VAR_NS_INITIATIVES_API_TOKEN} \
-        --set "env.JWT_PRIVATE_KEY=${TF_VAR_JWT_PRIVATE_KEY}" \
+        --set "env.JWT_PRIVATE_KEY_BASE64_ENCODED=${TF_VAR_JWT_PRIVATE_KEY_BASE64_ENCODED}" \
         --set "env.JWT_PUBLIC_KEY=${TF_VAR_JWT_PUBLIC_KEY}" \
         --set env.JWT_EXPIRE_TIMESTAMP_DAYS=${TF_VAR_JWT_EXPIRE_TIMESTAMP_DAYS}
 fi

deploy/docker-compose.yml

@@ -77,7 +77,7 @@ services:
         - TF_VAR_NS_INITIATIVES_API_KEY=${NS_INITIATIVES_API_KEY}
         - TF_VAR_NS_INITIATIVES_API_TOKEN=${NS_INITIATIVES_API_TOKEN}
         # JWT
-        - TF_VAR_JWT_PRIVATE_KEY=${JWT_PRIVATE_KEY}
+        - TF_VAR_JWT_PRIVATE_KEY_BASE64_ENCODED=${JWT_PRIVATE_KEY_BASE64_ENCODED}
         - TF_VAR_JWT_PUBLIC_KEY=${JWT_PUBLIC_KEY}
         - TF_VAR_JWT_EXPIRE_TIMESTAMP_DAYS=${JWT_EXPIRE_TIMESTAMP_DAYS}
         # Maintenance mode

deploy/helm/ifrcgo-helm/templates/config/secret.yaml

@@ -49,6 +49,6 @@ stringData:
   NS_DOCUMENT_API_KEY: "{{ .Values.env.NS_DOCUMENT_API_KEY}}"
   NS_INITIATIVES_API_KEY: "{{ .Values.env.NS_INITIATIVES_API_KEY}}"
   NS_INITIATIVES_API_TOKEN: "{{ .Values.env.NS_INITIATIVES_API_TOKEN}}"
-  JWT_PRIVATE_KEY: "{{ .Values.env.JWT_PRIVATE_KEY}}"
+  JWT_PRIVATE_KEY_BASE64_ENCODED: "{{ .Values.env.JWT_PRIVATE_KEY_BASE64_ENCODED}}"
   JWT_PUBLIC_KEY: "{{ .Values.env.JWT_PUBLIC_KEY}}"
   JWT_EXPIRE_TIMESTAMP_DAYS: "{{ .Values.env.JWT_EXPIRE_TIMESTAMP_DAYS}}"

deploy/helm/ifrcgo-helm/values.yaml

@@ -56,7 +56,7 @@ env:
   NS_DOCUMENT_API_KEY: ''
   NS_INITIATIVES_API_KEY: ''
   NS_DOCUMENT_API_TOKEN: ''
-  JWT_PRIVATE_KEY: ''
+  JWT_PRIVATE_KEY_BASE64_ENCODED: ''
   JWT_PUBLIC_KEY: ''
   JWT_EXPIRE_TIMESTAMP_DAYS: ''
 

deploy/terraform/main.tf

@@ -66,7 +66,7 @@ module "resources" {
   NS_DOCUMENT_API_KEY = var.NS_DOCUMENT_API_KEY
   NS_INITIATIVES_API_KEY = var.NS_INITIATIVES_API_KEY
   NS_INITIATIVES_API_TOKEN = var.NS_INITIATIVES_API_TOKEN
-  JWT_PRIVATE_KEY= var.JWT_PRIVATE_KEY
+  JWT_PRIVATE_KEY_BASE64_ENCODED = var.JWT_PRIVATE_KEY_BASE64_ENCODED
   JWT_PUBLIC_KEY = var.JWT_PUBLIC_KEY
   JWT_EXPIRE_TIMESTAMP_DAYS = var.JWT_EXPIRE_TIMESTAMP_DAYS
 }

deploy/terraform/resources/helm-ifrcgo.tf

@@ -247,8 +247,8 @@ resource "helm_release" "ifrcgo" {
   }
 
   set {
-    name = "env.JWT_PRIVATE_KEY"
-    value = var.JWT_PRIVATE_KEY
+    name = "env.JWT_PRIVATE_KEY_BASE64_ENCODED"
+    value = var.JWT_PRIVATE_KEY_BASE64_ENCODED
   }
 
   set {

deploy/terraform/resources/variables.tf

@@ -286,7 +286,7 @@ variable "NS_DOCUMENT_API_TOKEN" {
   default = ""
 }
 
-variable "JWT_PRIVATE_KEY" {
+variable "JWT_PRIVATE_KEY_BASE64_ENCODED" {
   type = string
   default = ""
 }

deploy/terraform/variables.tf

@@ -291,7 +291,7 @@ variable "NS_INITIATIVES_API_TOKEN" {
   default = ""
 }
 
-variable "JWT_PRIVATE_KEY" {
+variable "JWT_PRIVATE_KEY_BASE64_ENCODED" {
   type = string
   default = ""
 }
@@ -304,4 +304,4 @@ variable "JWT_PUBLIC_KEY" {
 variable "JWT_EXPIRE_TIMESTAMP_DAYS" {
   type = string
   default = ""
-}
+}

main/settings.py

@@ -1,15 +1,19 @@
 import os
 import sys
 import pytz
-from datetime import datetime
+import logging
+import base64
 import environ
+from datetime import datetime
 
 from django.utils.translation import gettext_lazy as _
 from urllib3.util.retry import Retry
 from corsheaders.defaults import default_headers
 
 from main import sentry
 
+logger = logging.getLogger(__name__)
+
 BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
 DEFAULT_AUTO_FIELD = 'django.db.models.AutoField'
 
@@ -97,6 +101,7 @@
     # Misc
     DISABLE_API_CACHE=(bool, False),
     # jwt private and public key
+    JWT_PRIVATE_KEY_BASE64_ENCODED=(str, None),
     JWT_PRIVATE_KEY=(str, None),
     JWT_PUBLIC_KEY=(str, None),
     JWT_EXPIRE_TIMESTAMP_DAYS=(int, 365),
@@ -604,6 +609,13 @@
 SEP = '¤'
 
 JWT_PRIVATE_KEY = env('JWT_PRIVATE_KEY')
+if env('JWT_PRIVATE_KEY_BASE64_ENCODED'):
+    # TODO: Instead use docker/k8 secrets file mount?
+    try:
+        JWT_PRIVATE_KEY = base64.b64decode(env('JWT_PRIVATE_KEY_BASE64_ENCODED'))
+    except Exception:
+        logger.error('Failed to decode JWT_PRIVATE_KEY_BASE64_ENCODED', exc_info=True)
+
 JWT_PUBLIC_KEY = env('JWT_PUBLIC_KEY')
 JWT_EXPIRE_TIMESTAMP_DAYS = env('JWT_EXPIRE_TIMESTAMP_DAYS')