Add a generic services password for use with applications deployed wi…

…th workshops.
educates · Feb 7, 2023 · da7936c · da7936c
1 parent 6703241
commit da7936c
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 2 deletions.
diff --git a/session-manager/handlers/workshopsession.py b/session-manager/handlers/workshopsession.py
@@ -566,8 +566,7 @@ def resolve_security_policy(name):
             .get("policy", namespace_security_policy)
         )
 
-    # Calculate a random password for the image registry and git server
-    # applications if required.
+    # Generate a random password for the image registry if required.
 
     characters = string.ascii_letters + string.digits
 
@@ -582,6 +581,11 @@ def resolve_security_policy(name):
         applications.properties("registry")["password"] = registry_password
         applications.properties("registry")["secret"] = registry_secret
 
+    # Generate a random password to be used for any services or applications
+    # deployed for a workshop.
+
+    services_password = "".join(random.sample(characters, 32))
+
     # Validate that any secrets to be copied into the workshop environment
     # namespace exist. This is done before creating the session namespace so we
     # can fail with a transient error and try again later. Note that we don't
@@ -929,6 +933,7 @@ def resolve_security_policy(name):
         ssh_private_key=ssh_private_key,
         ssh_public_key=ssh_public_key,
         ssh_keys_secret=f"{session_namespace}-ssh-keys",
+        services_password=services_password,
     )
 
     application_variables_list = workshop_spec.get("session").get("variables", [])
@@ -1361,6 +1366,10 @@ def resolve_security_policy(name):
                                     "name": "POLICY_NAME",
                                     "value": namespace_security_policy,
                                 },
+                                {
+                                    "name": "SERVICES_PASSWORD",
+                                    "value": services_password,
+                                },
                             ],
                             "volumeMounts": [
                                 {

diff --git a/workshop-images/base-environment/opt/renderer/src/backend/modules/config.ts b/workshop-images/base-environment/opt/renderer/src/backend/modules/config.ts
@@ -55,6 +55,7 @@ export let config = {
     storage_class: process.env.STORAGE_CLASS || "",
     policy_engine: process.env.POLICY_ENGINE || "none",
     policy_name: process.env.POLICY_NAME || "restricted",
+    services_password: process.env.SERVICES_PASSWORD || "",
 
     // Google analytics tracking ID.
 
@@ -118,6 +119,7 @@ config.variables.push({ name: "ingress_class", content: config.ingress_class })
 config.variables.push({ name: "storage_class", content: config.storage_class })
 config.variables.push({ name: "policy_engine", content: config.policy_engine })
 config.variables.push({ name: "policy_name", content: config.policy_name })
+config.variables.push({ name: "services_password", content: config.services_password })
 
 if (fs.existsSync("/var/run/secrets/kubernetes.io/serviceaccount/token")) {
     let data = fs.readFileSync("/var/run/secrets/kubernetes.io/serviceaccount/token")