secrets.json > keypass for important tokens, passwords?

[hanneshapke]

Hi @patrickbeeson,

Thank you for setting up the initial repo for the portlandpython.org site. I have tried to test the repo, but it is asking for a secrets.json file. What variables/constants are stored in your secrets.json?

Would it be ok to a store an encrypted version of the json file somewhere (but not in this repo!) or store all tokens and passwords in a keypass (e.g. kbdx file) and we read all variables from the bash environment?

What do you think?
-Hannes

[patrickbeeson]

Hey Hannes!

You can get a sense of what's being stored in the secrets.json file by looking in the settings. I've not used a keypass before but I'm certainly open to anything.

I'm currently storing the secret key, db name (prod), db password (prod) and email host password (prod) in the json file.

Of course, those values don't mean much yet since we don't have a production environment configured. Also, we have yet to solve for email sending.

But you'll need the secret key to run locally. How would you like to share this value?

[hanneshapke]

Hey Patrick,

I am sorry for the late reply. I created a secrets.json with the required keys and random values and everything worked fine (the basic test suite ran fine). Have you used the secrets.json option with Heroku? Is it difficult to upload the file without adding it to the repo (for the automatic deployment)?

Heroku handles environment variables nicely and I used to keep all variables/passwords in a keypass file which could be shared between the contributors. However, the way with the secrets.json file seems very clean. I would suggest: If Heroku runs fine with the secrets.json file, let's go with that. Otherwise, I would create a file with the environment variables. What do you think?

[patrickbeeson]

Environment variables would work nicely. I'm open to whatever is easier for
contributors and the deployment environment.

Can you point me to docs outlining what's needed?

On Mon, Sep 21, 2015 at 3:15 PM, Hannes Hapke notifications@github.com
wrote:

Hey Patrick,

I am sorry for the late reply. I created a secrets.json with the required
keys and random values and everything worked fine (the basic test suite ran
fine). Have you used the secrets.json option with Heroku? Is it difficult
to upload the file without adding it to the repo (for the automatic
deployment)?

Heroku handles environment variables nicely and I used to keep all
variables/passwords in a keypass file which could be shared between the
contributors. However, the way with the secrets.json file seems very clean.
I would suggest: If Heroku runs fine with the secrets.json file, let's go
with that. Otherwise, I would create a file with the environment variables.
What do you think?

—
Reply to this email directly or view it on GitHub
#8 (comment)
.

Patrick Beeson
patrick@patrickbeeson.com

[hanneshapke]

Hi Patrick,

Nothing is needed at this stage. I rewrote the get_secret method so that it reads env variables and raises an error if the key isn't set. This could be better handled in the future with os.environ.get() and with a default value.

Based on the changes, I created the hook to travis-ci.org/portlandpython/portlandpython.org/. I had to drop the Python 2.6 support due to a strange Django error, but we shouldn't use 2.6 at this stage anymore.

Once we run actual tests (my current sample test isn't executed), the coverage results can be found here.

My next step is the setup for the automatic push to a Heroku staging environment. It will be based on the encryption keys settings. The setup is a bit weird and in the past I only used codeship which integrates very nicely with Heroku. Give me a few days and I can write up some documentation about the whole process.