
Use crypto/rand for Django SECRET_KEY generation#605

Merged: openshift-merge-bot[bot] merged 1 commit into openstack-k8s-operators:main from stuggi:fix-secret-key-prng on Jun 29, 2026
Conversation

@stuggi

@stuggi stuggi commented Jun 24, 2026

Contributor

Replace math/rand-based rand.String(10) (~47 bits entropy) with lib-common's util.GeneratePassword(50) which uses crypto/rand, matching Django's own default SECRET_KEY length.

The key is used to HMAC-sign CSRF tokens and session cookies.

Existing deployments are not affected — the secret is only generated when it does not already exist (ensureHorizonSecret checks for an existing secret before creating a new one).

Jira: OSPRH-31813

Replace math/rand-based rand.String(10) (~47 bits entropy) with
lib-common's util.GeneratePassword(50) which uses crypto/rand,
matching Django's own default SECRET_KEY length.

The key is used to HMAC-sign CSRF tokens and session cookies.

Existing deployments are not affected — the secret is only generated
when it does not already exist (ensureHorizonSecret checks for an
existing secret before creating a new one).

Jira: OSPRH-31813

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Martin Schuppert <mschuppert@redhat.com>
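An added example, not code from this PR or from lib-common, showing the two properties the change is about: a key built from crypto/rand with uniform character selection, and the check-before-create rule that leaves an existing secret untouched. It assumes rand.String drew from 26 lowercase letters (which yields the ~47 bits the PR cites), assumes Django's 50-symbol get_random_secret_key alphabet, and uses a plain map in place of the Kubernetes Secret.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math"
	"math/big"
)

// Alphabet Django's get_random_secret_key() draws from (50 symbols, assumed here).
const secretKeyCharset = "abcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*(-_=+)"

// GenerateSecretKey draws each index from crypto/rand via rand.Int (uniform, no modulo bias).
func GenerateSecretKey(n int) (string, error) {
	out := make([]byte, n)
	limit := big.NewInt(int64(len(secretKeyCharset)))
	for i := range out {
		idx, err := rand.Int(rand.Reader, limit)
		if err != nil {
			return "", fmt.Errorf("crypto/rand unavailable: %w", err)
		}
		out[i] = secretKeyCharset[idx.Int64()]
	}
	return string(out), nil
}

// EntropyBits is log2(alphabet^length): the work factor of brute-forcing the key.
func EntropyBits(alphabet, length int) float64 {
	return float64(length) * math.Log2(float64(alphabet))
}

// EnsureSecret keeps the PR's check-before-create rule: an existing value is
// returned untouched, so a new generator never rotates a key that live
// sessions were signed with. The map stands in for the Kubernetes Secret.
func EnsureSecret(store map[string]string, name string, n int) (key string, created bool, err error) {
	if v, ok := store[name]; ok && v != "" {
		return v, false, nil
	}
	if key, err = GenerateSecretKey(n); err != nil {
		return "", false, err
	}
	store[name] = key
	return key, true, nil
}

func main() {
	fmt.Printf("10 letters: %.1f bits, 50 from Django alphabet: %.1f bits\n",
		EntropyBits(26, 10), EntropyBits(len(secretKeyCharset), 50))
}
```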
@openshift-ci openshift-ci Bot requested review from abays and mcgonago June 24, 2026 07:25
@stuggi stuggi requested a review from deshipu June 26, 2026 08:35

@fmount fmount left a comment

Contributor


@openshift-ci

openshift-ci Bot commented Jun 29, 2026

Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: fmount, stuggi


@openshift-merge-bot openshift-merge-bot Bot merged commit 65d82f7 into openstack-k8s-operators:main Jun 29, 2026
7 checks passed