
wordpress-charmers team mailing list archive

[Merge] ~tcuthbert/charm-k8s-wordpress/+git/charm-k8s-wordpress:master into charm-k8s-wordpress:master

 

Thomas Cuthbert has proposed merging ~tcuthbert/charm-k8s-wordpress/+git/charm-k8s-wordpress:master into charm-k8s-wordpress:master.

Requested reviews:
  Wordpress Charmers (wordpress-charmers)

For more details, see:
https://code.launchpad.net/~tcuthbert/charm-k8s-wordpress/+git/charm-k8s-wordpress/+merge/385457
-- 
Your team Wordpress Charmers is requested to review the proposed merge of ~tcuthbert/charm-k8s-wordpress/+git/charm-k8s-wordpress:master into charm-k8s-wordpress:master.
diff --git a/src/charm.py b/src/charm.py
index a4cd679..e6af8ed 100755
--- a/src/charm.py
+++ b/src/charm.py
@@ -2,11 +2,13 @@
 
 import io
 import logging
+import subprocess
 import sys
 from pprint import pprint
+from typing import Dict
 from yaml import safe_load
 
-from wordpress import Wordpress
+from wordpress import Wordpress, password_generator, WORDPRESS_SECRETS
 
 sys.path.append("lib")
 
@@ -61,6 +63,29 @@ def generate_pod_config(config, secured=True):
     return pod_config
 
 
+def _leader_get(attribute: str):
+    cmd = ['leader-get', '--format=yaml', attribute]
+    return safe_load(subprocess.check_output(cmd).decode('UTF-8'))
+
+
+def _leader_set(settings: Dict[str, str]):
+    cmd = ['leader-set'] + ['{}={}'.format(k, v or '') for k, v in settings.items()]
+    subprocess.check_call(cmd)
+
+
+def create_wordpress_secrets():
+    for secret in WORDPRESS_SECRETS:
+        if not _leader_get(secret):
+            _leader_set({secret: password_generator(64)})
+
+
+def gather_wordpress_secrets():
+    rv = {}
+    for secret in WORDPRESS_SECRETS:
+        rv[secret] = _leader_get(secret)
+    return rv
+
+
 class WordpressInitialiseEvent(EventBase):
     """Custom event for signalling Wordpress initialisation.
 
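Review bot: `_leader_set` puts the generated secret into the `leader-set` argument list, and `subprocess.check_call` raises `CalledProcessError`, whose message includes the full command, so a failing call would put the key material into the traceback and any log that captures it. Catch the error and re-raise without the values, e.g. `except subprocess.CalledProcessError: raise RuntimeError('leader-set failed for {}'.format(sorted(settings))) from None`. The same argv is readable by anything that can list processes in the charm container while the call runs, which is worth confirming as acceptable. The four new functions also have no docstrings; one line each saying that the WordPress keys and salts are kept in leader settings, and that `create_wordpress_secrets` only fills in missing ones and never rotates them, would make the contract explicit.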
@@ -143,6 +168,7 @@ class WordpressK8sCharm(CharmBase):
     def configure_pod(self):
         # Only the leader can set_spec().
         if self.model.unit.is_leader():
+            create_wordpress_secrets()
             resources = self.make_pod_resources()
             spec = self.make_pod_spec()
             spec.update(resources)
@@ -184,7 +210,7 @@ class WordpressK8sCharm(CharmBase):
                         },
                     }
                 ]
-            }
+            },
         }
 
         out = io.StringIO()
@@ -196,6 +222,7 @@ class WordpressK8sCharm(CharmBase):
     def make_pod_spec(self):
         config = self.model.config
         full_pod_config = generate_pod_config(config, secured=False)
+        full_pod_config.update(gather_wordpress_secrets())
         secure_pod_config = generate_pod_config(config, secured=True)
 
         ports = [
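Review bot: `gather_wordpress_secrets()` passes through whatever `_leader_get` returns, so a key that is unset comes back falsy (presumably `None`) and is merged into `full_pod_config` without complaint. Bind the result first and fail loudly, e.g. `missing = [k for k, v in wp_secrets.items() if not v]` followed by `if missing: raise RuntimeError('missing WordPress secrets: {}'.format(missing))`. `update()` also silently overwrites any same-named key that `generate_pod_config` already produced, which deserves a short comment if intended. Since the unsecured dict now carries key material and `pprint` is imported in this file, confirm that nothing prints or logs `full_pod_config`. The body of `make_pod_spec` continues outside the hunk.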
diff --git a/src/wordpress.py b/src/wordpress.py
index 6da3e69..a3f586e 100644
--- a/src/wordpress.py
+++ b/src/wordpress.py
@@ -11,6 +11,18 @@ from yaml import safe_load
 logger = logging.getLogger()
 
 
+WORDPRESS_SECRETS = [
+    "AUTH_KEY",
+    "SECURE_AUTH_KEY",
+    "LOGGED_IN_KEY",
+    "NONCE_KEY",
+    "AUTH_SALT",
+    "SECURE_AUTH_SALT",
+    "LOGGED_IN_SALT",
+    "NONCE_SALT",
+]
+
+
 def import_requests():
     # Workaround until https://github.com/canonical/operator/issues/156 is fixed.
     try:
@@ -23,9 +35,9 @@ def import_requests():
     return requests
 
 
-def password_generator():
+def password_generator(length=24):
     alphabet = string.ascii_letters + string.digits
-    return ''.join(secrets.choice(alphabet) for i in range(24))
+    return ''.join(secrets.choice(alphabet) for i in range(length))
 
 
 class Wordpress:
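Review bot: `password_generator` accepts any `length`, and zero or a negative value makes `range(length)` empty, so the function returns `''` and a caller would store an empty secret. Add `if length < 1: raise ValueError('length must be a positive integer')` as the first statement. The function has no docstring; `"""Return a random alphanumeric string of `length` characters drawn with secrets.choice."""` would record that the CSPRNG is deliberate. The unused loop variable `i` could be `_`.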
