servala/servala-portal
3
0
Fork 0
Code Issues 23 Pull requests 1 Projects 1 Releases Packages 2 Activity Actions

Add and document reencrypt_fields command

Browse source
This commit is contained in:
Tobias Kunze 2025-03-21 15:58:52 +01:00
parent 899bffb974
commit 4e603246f7
5 changed files with 41 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

3
.env.example
View file

@ -5,10 +5,13 @@
SERVALA_ENVIRONMENT='development' SERVALA_ENVIRONMENT='development'
# Set SERVALA_PREVIOUS_SECRET_KEY when rotating to a new secret key in order to not expire all sessions and to remain able to read encrypted fields! # Set SERVALA_PREVIOUS_SECRET_KEY when rotating to a new secret key in order to not expire all sessions and to remain able to read encrypted fields!
# In order to retire the previous key, run the ``reencrypt_fields`` command. Once you drop the previous secret key from
# the rotation, all sessions that still rely on that key will be invalidated (i.e., users will have to log in again).
# SERVALA_PREVIOUS_SECRET_KEY='' # SERVALA_PREVIOUS_SECRET_KEY=''
SERVALA_SECRET_KEY='django-insecure-8sl^1&1f-$3%w7cf)q(rcvi4jo(#s3ug-@be0ooc2ioep*&%7@' SERVALA_SECRET_KEY='django-insecure-8sl^1&1f-$3%w7cf)q(rcvi4jo(#s3ug-@be0ooc2ioep*&%7@'
# Set SERVALA_PREVIOUS_SALT_KEY when rotating to a new salt in order to remain able to read encrypted fields! # Set SERVALA_PREVIOUS_SALT_KEY when rotating to a new salt in order to remain able to read encrypted fields!
# In order to retire the previous key, run the ``reencrypt_fields`` command.
# SERVALA_PREVIOUS_SALT_KEY='' # SERVALA_PREVIOUS_SALT_KEY=''
SERVALA_SALT_KEY='eed6UaCi3euZojai5Iequ8ochookun1o' SERVALA_SALT_KEY='eed6UaCi3euZojai5Iequ8ochookun1o'

17
README.md
View file

@ -91,3 +91,20 @@ See `.forgejo/workflows/build-deploy-staging.yaml` for the actual workflow.
Deployment files are in the `deployment/kustomize` folder and makes use of [Kustomize](https://kustomize.io/) to account for differences between the deployment stages. Deployment files are in the `deployment/kustomize` folder and makes use of [Kustomize](https://kustomize.io/) to account for differences between the deployment stages.
Stages are configured with overlays in `deployment/kustomize/overlays/$environment`. Stages are configured with overlays in `deployment/kustomize/overlays/$environment`.
## Maintenance and management commands
You can interface with the Django server and project by running commands like this:
```bash
uv run --env-file=.env src/manage.py COMMAND
```
Useful commands:
- ``migrate``: Make sure database migrations are applied.
- ``showmigrations``: Show current database migrations status. Good for debugging.
- ``runserver``: Run development server
- ``clearsessions``: Clear away expired user sessions. Recommended to run regularly, e.g. weekly or monthly (doesnt
need to be frequent, but otherwise, the database is going to bloat eventually)
- ``reencrypt_fields``: Run after you changed your ``SERVALA_SECRET_KEY`` or ``SERVALA_SALT_KEY`` in order to use the
new keys, and be able to retire the previous ones.

0
src/servala/core/management/__init__.py Normal file
View file

0
src/servala/core/management/commands/__init__.py Normal file
View file

21
src/servala/core/management/commands/reencrypt_fields.py Normal file
View file

@ -0,0 +1,21 @@
from django.core.management.base import BaseCommand
from django.db import transaction
from servala.core.models.service import ControlPlane
class Command(BaseCommand):
help = "Re-encrypts all encrypted fields. Use when rotating SECRET_KEY/SALT"
def handle(self, *args, **options):
self.stdout.write("Starting re-encryption of ControlPlane objects...")
count = 0
with transaction.atomic():
for control_plane in ControlPlane.objects.all():
control_plane.save()
count += 1
self.stdout.write(
self.style.SUCCESS(f"Re-encrypted {count} ControlPlane objects")
)