(backend) support _FILE environment variables for secrets

Allow configuration variables that handle secrets, such as
`DJANGO_SECRET_KEY`, to read their value from a file whose path is given
through an environment variable.

For example, if `DJANGO_SECRET_KEY_FILE` is set to
`/var/lib/docs/django-secret-key`, the value of `DJANGO_SECRET_KEY` will
be the content of `/var/lib/docs/django-secret-key`.
soyouzpanda
2025-04-28 18:18:39 +02:00
parent 7e63e9e460
commit 31e8ed3a00
2 changed files with 11 additions and 9 deletions


@@ -33,6 +33,7 @@ and this project adheres to
- 🐛(frontend) fix meta title #1017
- 🔧(git) set LF line endings for all text files #1032
- 📝(docs) minor fixes to docs/env.md
- ✨(backend) support `_FILE` environment variables for secrets #912
### Removed


@@ -19,6 +19,7 @@ from django.utils.translation import gettext_lazy as _
import sentry_sdk
from configurations import Configuration, values
from csp.constants import NONE
from lasuite.configuration.values import SecretFileValue
from sentry_sdk.integrations.django import DjangoIntegration
from sentry_sdk.integrations.logging import ignore_logger
@@ -68,7 +69,7 @@ class Base(Configuration):
# Security
ALLOWED_HOSTS = values.ListValue([])
SECRET_KEY = values.Value(None)
SECRET_KEY = SecretFileValue(None)
SERVER_TO_SERVER_API_TOKENS = values.ListValue([])
# Application definition
@@ -87,7 +88,7 @@ class Base(Configuration):
"impress", environ_name="DB_NAME", environ_prefix=None
),
"USER": values.Value("dinum", environ_name="DB_USER", environ_prefix=None),
"PASSWORD": values.Value(
"PASSWORD": SecretFileValue(
"pass", environ_name="DB_PASSWORD", environ_prefix=None
),
"HOST": values.Value(
@@ -125,10 +126,10 @@ class Base(Configuration):
AWS_S3_ENDPOINT_URL = values.Value(
environ_name="AWS_S3_ENDPOINT_URL", environ_prefix=None
)
AWS_S3_ACCESS_KEY_ID = values.Value(
AWS_S3_ACCESS_KEY_ID = SecretFileValue(
environ_name="AWS_S3_ACCESS_KEY_ID", environ_prefix=None
)
AWS_S3_SECRET_ACCESS_KEY = values.Value(
AWS_S3_SECRET_ACCESS_KEY = SecretFileValue(
environ_name="AWS_S3_SECRET_ACCESS_KEY", environ_prefix=None
)
AWS_S3_REGION_NAME = values.Value(
@@ -393,7 +394,7 @@ class Base(Configuration):
EMAIL_BRAND_NAME = values.Value(None)
EMAIL_HOST = values.Value(None)
EMAIL_HOST_USER = values.Value(None)
EMAIL_HOST_PASSWORD = values.Value(None)
EMAIL_HOST_PASSWORD = SecretFileValue(None)
EMAIL_LOGO_IMG = values.Value(None)
EMAIL_PORT = values.PositiveIntegerValue(None)
EMAIL_USE_TLS = values.BooleanValue(False)
@@ -416,7 +417,7 @@ class Base(Configuration):
COLLABORATION_API_URL = values.Value(
None, environ_name="COLLABORATION_API_URL", environ_prefix=None
)
COLLABORATION_SERVER_SECRET = values.Value(
COLLABORATION_SERVER_SECRET = SecretFileValue(
None, environ_name="COLLABORATION_SERVER_SECRET", environ_prefix=None
)
COLLABORATION_WS_URL = values.Value(
@@ -491,7 +492,7 @@ class Base(Configuration):
OIDC_RP_CLIENT_ID = values.Value(
"impress", environ_name="OIDC_RP_CLIENT_ID", environ_prefix=None
)
OIDC_RP_CLIENT_SECRET = values.Value(
OIDC_RP_CLIENT_SECRET = SecretFileValue(
None,
environ_name="OIDC_RP_CLIENT_SECRET",
environ_prefix=None,
@@ -606,7 +607,7 @@ class Base(Configuration):
AI_FEATURE_ENABLED = values.BooleanValue(
default=False, environ_name="AI_FEATURE_ENABLED", environ_prefix=None
)
AI_API_KEY = values.Value(None, environ_name="AI_API_KEY", environ_prefix=None)
AI_API_KEY = SecretFileValue(None, environ_name="AI_API_KEY", environ_prefix=None)
AI_BASE_URL = values.Value(None, environ_name="AI_BASE_URL", environ_prefix=None)
AI_MODEL = values.Value(None, environ_name="AI_MODEL", environ_prefix=None)
AI_ALLOW_REACH_FROM = values.Value(
@@ -627,7 +628,7 @@ class Base(Configuration):
}
# Y provider microservice
Y_PROVIDER_API_KEY = values.Value(
Y_PROVIDER_API_KEY = SecretFileValue(
environ_name="Y_PROVIDER_API_KEY",
environ_prefix=None,
)
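Review bot: The `"PASSWORD"` entry in the database settings keeps the literal default `"pass"` after the switch to `SecretFileValue`, so a deployment that leaves `DB_PASSWORD` unset and misspells the file variable (presumably `DB_PASSWORD_FILE`) may start with a well-known password instead of failing. I would say so at the entry, e.g. `# "pass" is a development default; production must set DB_PASSWORD or DB_PASSWORD_FILE`, and consider rejecting that default in the production configuration. In the same `# Security` block, `SERVER_TO_SERVER_API_TOKENS = values.ListValue([])` also holds credentials but stays environment-only, so a one-line comment on whether that is intentional would help. How `SecretFileValue` treats a trailing newline, an unreadable file, or both `X` and `X_FILE` being set is not visible on this page and should be confirmed against the `lasuite` implementation. `class Base` starts and ends outside these hunks, so other secret-bearing settings may exist that are not shown here.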