don't delete settings that are marked as read_only

awx/conf/views.py

@@ -148,6 +148,8 @@ class SettingSingletonDetail(RetrieveUpdateDestroyAPIView):
     def perform_destroy(self, instance):
         settings_change_list = []
         for setting in self.get_queryset().exclude(key='LICENSE'):
+            if settings_registry.get_setting_field(setting.key).read_only:
+                continue
             setting.delete()
             settings_change_list.append(setting.key)
         if settings_change_list and 'migrate_to_database_settings' not in sys.argv:

awx/main/tests/functional/api/test_settings.py

@@ -5,6 +5,8 @@
 import pytest
 import os
 
+from django.conf import settings
+
 # Mock
 import mock
 
@@ -259,3 +261,28 @@ def test_isolated_job_setting_validation(get, patch, admin, setting_name):
 
     data = get(url, user=admin).data
     assert data[setting_name] != -1
+
+
+@pytest.mark.django_db
+@pytest.mark.parametrize('key, expected', [
+    ['AWX_ISOLATED_PRIVATE_KEY', '$encrypted$'],
+    ['AWX_ISOLATED_PUBLIC_KEY', 'secret'],
+])
+def test_isolated_keys_readonly(get, patch, delete, admin, key, expected):
+    Setting.objects.create(
+        key=key,
+        value='secret'
+    ).save()
+    assert getattr(settings, key) == 'secret'
+
+    url = reverse('api:setting_singleton_detail', kwargs={'category_slug': 'jobs'})
+    resp = get(url, user=admin)
+    assert resp.data[key] == expected
+
+    patch(url, user=admin, data={
+        key: 'new-secret'
+    })
+    assert getattr(settings, key) == 'secret'
+
+    delete(url, user=admin)
+    assert getattr(settings, key) == 'secret'