From 175348eeb85b09f634e13aeb5be18a24cece0fa5 Mon Sep 17 00:00:00 2001
From: bhoff
Date: Sat, 16 Nov 2024 06:03:28 -0800
Subject: [PATCH 1/2] IT-4010: Add http/secret parameter, necessary for multiple servers behind an LB to work correctly
---
 README.md | 4 +++-
 docker_fargate/docker_fargate_stack.py | 14 +++++++++-----
 resources/dev/config.yml | 1 +
 resources/prod/config.yml | 1 +
 startup.sh | 5 +++++
 5 files changed, 19 insertions(+), 6 deletions(-)
diff --git a/README.md b/README.md
index 06ddf78..861fb83 100644
--- a/README.md
+++ b/README.md
@@ -10,8 +10,10 @@ We use the [AWS Secrets Manager](https://docs.aws.amazon.com/secretsmanager/late
 In dev the secret is named `registry-dev-DockerFargateStack/dev/ecs` and in the prod stack, `registry-prod-DockerFargateStack/prod/ecs`
-A secret is a collection of key-value pairs. For this application there is just one pair. The key should be `notification_auth` and the value is the
+A secret is a collection of key-value pairs. For this application there are two pairs. The key for the first should be `notification_auth` and the value is the
 Base64 encoded "Basic auth" credentials which are a shared-secret with Synapse as the event notification recipient.
+The key for the second should be 'http_secret' and the value is a cryptogrphically generated string for use by the
+server as described [here](https://distribution.github.io/distribution/about/configuration/).
 ### Registry container
 We use the open source Docker `registry`, available on DockerHub. This container requires several configuration files to be mounted.
diff --git a/docker_fargate/docker_fargate_stack.py b/docker_fargate/docker_fargate_stack.py
index 3fab588..eb553f6 100644
--- a/docker_fargate/docker_fargate_stack.py
+++ b/docker_fargate/docker_fargate_stack.py
@@ -31,11 +31,11 @@ BUCKET_NAME = "BUCKET_NAME"
-SECRET_JSON_KEY="notification_auth"
+NOTIFICATION_AUTH_SECRET_JSON_KEY="notification_auth"
+HTTP_SECRET_SECRET_JSON_KEY="http_secret"
-def get_secret(scope: Construct, id: str, name: str, secret_json_key) -> str:
- isecret = sm.Secret.from_secret_name_v2(scope, id, name)
- return ecs.Secret.from_secrets_manager(isecret, secret_json_key)
+def get_secret(scope: Construct, id: str, name: str) -> str:
+ return sm.Secret.from_secret_name_v2(scope, id, name)
 # see also: https://docs.aws.amazon.com/cdk/api/v1/python/aws_cdk.aws_ecs/Secret.html
 # see also: ecs.Secret.from_ssm_parameter(ssm.IParameter(parameter_name=name))
@@ -92,8 +92,12 @@ def __init__(self, scope: Construct, context: str, env: dict, vpc: ec2.Vpc, **kw
 container_insights=True)
 secret_name = f'{env.get(config.STACK_NAME_PREFIX_CONTEXT)}-DockerFargateStack/{context}/ecs'
+ sm_secret = get_secret(self, secret_name, secret_name)
 secrets = {
- SECRET_JSON_KEY: get_secret(self, secret_name, secret_name, SECRET_JSON_KEY),
+ NOTIFICATION_AUTH_SECRET_JSON_KEY:
+ ecs.Secret.from_secrets_manager(sm_secret, NOTIFICATION_AUTH_SECRET_JSON_KEY),
+ HTTP_SECRET_SECRET_JSON_KEY:
+ ecs.Secret.from_secrets_manager(sm_secret, HTTP_SECRET_SECRET_JSON_KEY),
 "AWS_SECRET_ACCESS_KEY": ecs.Secret.from_secrets_manager(secret_stored_access_key)
 }
diff --git a/resources/dev/config.yml b/resources/dev/config.yml
index 43ca5ea..b74b77e 100644
--- a/resources/dev/config.yml
+++ b/resources/dev/config.yml
@@ -15,6 +15,7 @@ http:
 tls:
 certificate: /etc/docker/registry/ssl/certificate.pem
 key: /etc/docker/registry/ssl/privatekey.pem
+ secret: http_secret
 storage:
 cache:
diff --git a/resources/prod/config.yml b/resources/prod/config.yml
index e06f24d..ee57895 100644
--- a/resources/prod/config.yml
+++ b/resources/prod/config.yml
@@ -15,6 +15,7 @@ http:
 tls:
 certificate: /etc/docker/registry/ssl/certificate.pem
 key: /etc/docker/registry/ssl/privatekey.pem
+ secret: http_secret
 storage:
 cache:
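Review bot: The rewritten `get_secret` keeps the `-> str` annotation although it now returns the construct produced by `sm.Secret.from_secret_name_v2`, which the second hunk then hands to `ecs.Secret.from_secrets_manager`; the annotation should become `-> sm.ISecret` (or be dropped) so readers and type checkers are not told a string comes back. A one-line docstring would also help now that the function does less than its name suggests, e.g. `"""Return the Secrets Manager secret *name* as a CDK ISecret; callers pick individual JSON keys with ecs.Secret.from_secrets_manager."""`. The two `# see also` comments that follow still describe the `ecs.Secret` wrapping this function no longer performs, so they belong next to the `from_secrets_manager` calls or need rewording. The `id` parameter shadows the builtin, but that predates this change.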
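Review bot: The keys of `secrets` double as the environment-variable names the container receives, and `startup.sh` reads the values back by exactly those names (`http_secret`, `notification_auth`), so this coupling should be recorded on the `secrets = {` line: `# dict keys become env-var names inside the container; startup.sh substitutes them into config.yml by those names`. Reusing one `sm_secret` for both JSON keys is fine since both live in the same Secrets Manager entry. The enclosing `__init__` starts and ends outside the hunk.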
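Review bot: `secret: http_secret` has to sit directly under `http:` as a sibling of `tls:`, since the registry setting is `http.secret`; the collapsed view does not preserve indentation, so confirm it is not nested under `tls:`, where the registry would not read it. The same applies to the identical hunk in resources/prod/config.yml. Note that the literal token `http_secret` is only a placeholder that `startup.sh` rewrites at container start; if that substitution were ever skipped, the registry would run with the well-known string `http_secret` as its HTTP secret, which is worth a comment on the line, e.g. `# placeholder, replaced from the http_secret env var by startup.sh`.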
diff --git a/startup.sh b/startup.sh
index dd1fd23..d784188 100755
--- a/startup.sh
+++ b/startup.sh
@@ -1,5 +1,10 @@
 #!/bin/sh
+# Inject http_secret into config.yml
+# The value is taken from the environment variable, `http_secret` which,
+# during ECS deployment comes from the AWS Secrets Manager.
+sed -i "s/http_secret/$http_secret/g" /etc/docker/registry/config.yml
+
 # Inject notification listener authorization credentials into config.yml
 # The value is taken from the environment variable, `notification_auth` which,
 # during ECS deployment comes from the AWS Secrets Manager.
From 385033f41e37d92da5d14090eab40d0edfb18f56 Mon Sep 17 00:00:00 2001
From: bhoff
Date: Sat, 16 Nov 2024 06:03:54 -0800
Subject: [PATCH 2/2] IT-4010: Add http/secret parameter, necessary for multiple servers behind an LB to work correctly
---
 docker_fargate/docker_fargate_stack.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/docker_fargate/docker_fargate_stack.py b/docker_fargate/docker_fargate_stack.py
index eb553f6..8b6852a 100644
--- a/docker_fargate/docker_fargate_stack.py
+++ b/docker_fargate/docker_fargate_stack.py
@@ -94,10 +94,10 @@ def __init__(self, scope: Construct, context: str, env: dict, vpc: ec2.Vpc, **kw
 secret_name = f'{env.get(config.STACK_NAME_PREFIX_CONTEXT)}-DockerFargateStack/{context}/ecs'
 sm_secret = get_secret(self, secret_name, secret_name)
 secrets = {
- NOTIFICATION_AUTH_SECRET_JSON_KEY:
+ NOTIFICATION_AUTH_SECRET_JSON_KEY:
 ecs.Secret.from_secrets_manager(sm_secret, NOTIFICATION_AUTH_SECRET_JSON_KEY),
- HTTP_SECRET_SECRET_JSON_KEY:
- ecs.Secret.from_secrets_manager(sm_secret, HTTP_SECRET_SECRET_JSON_KEY),
+ HTTP_SECRET_SECRET_JSON_KEY:
+ ecs.Secret.from_secrets_manager(sm_secret, HTTP_SECRET_SECRET_JSON_KEY),
 "AWS_SECRET_ACCESS_KEY": ecs.Secret.from_secrets_manager(secret_stored_access_key)
 }
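Review bot: The added `sed -i "s/http_secret/$http_secret/g"` mis-parses when the secret value contains `/`, `&` or `\` — characters a base64 or otherwise "cryptographically generated" string, which is what the README now asks operators to store, can easily contain — so either the documented value format must exclude them or the value needs escaping before it is spliced into the sed expression. When `$http_secret` is empty or unset the substitution silently leaves `secret:` blank and the registry starts anyway, falling back (as far as I recall) to a per-process random secret, which is exactly the multi-instance inconsistency this commit is meant to remove; a guard before the sed, `: "${http_secret:?http_secret must be set}"`, makes the container fail closed instead. The `/g` pass also rewrites every occurrence of the token anywhere in config.yml, comments included, so anchoring the match to the `secret:` line would limit the blast radius. The pre-existing `notification_auth` substitution just below the hunk has the same properties.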