[ 
https://issues.apache.org/jira/browse/FINERACT-881?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17082442#comment-17082442
 ] 

Michael Vorburger commented on FINERACT-881:
--------------------------------------------

While looking again at the docker-compose.yml for FINERACT-762, I've noticed 
that we can simplify something which will be useful here (because it makes it 
easier to use a Kubernetes Secret for fineract_tenants_pwd), see 
[https://github.com/apache/fineract/pull/759], and apply the same to the 
Kubernetes YAML as well as part of work for this issue.

> Remove all hard-coded default passwords from Kubernetes Deployment
> ------------------------------------------------------------------
>
>                 Key: FINERACT-881
>                 URL: https://issues.apache.org/jira/browse/FINERACT-881
>             Project: Apache Fineract
>          Issue Type: Bug
>            Reporter: Michael Vorburger
>            Priority: Major
>              Labels: kubernetes, security, technical
>
> The Kubernetes deployment contributed in FINERACT-783 by creates a Kubernetes 
> Deployment using 2 passwords hard-coded in YAML, for the tenants and demo DB 
> (based on Fineract's Docker Compose set-up).
> One of the passwords is in a Kubernetes Secret, so it shouldn't be able to 
> see it at runtime, but that is kind of pointless because unless someone 
> changes the default, its default can be seen in source.
> The other password is in a -D Java property in the YAML, and not even in a 
> secret.
> The goal of this issue is to:
> (a) replace the password in the -D Java property by a Kubernetes secret... 
> This may require some Java code changes to be able to pass it as an 
> Environment Variable instead of a Java System Property; I think since we've 
> done FINERACT-796, this should be relatively easy, now that we don't use 
> Tomcat XML for a JNDI DS anymore.
> (b) remove the hard-coded default value from the Secret YAML, and instead 
> during installation create the database passwords as secrets randomly. 
> Research on the web re. best practices how to do this (reach out to see if 
> Fineract CN may have already solved this?). At the simplest, you could imagine 
> just doing something like [https://stackoverflow.com/a/59678911/421602] in 
> our {{kubernetes/kubectl-startup.sh}}.
> FYI [~xurror], [~awasum], [~angeh]



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
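
Goal (b) of the issue above, sketched as an added example; it is not part of the message or of the Fineract repository. The Secret name `fineract-tenants-db-secret` is an assumed, hypothetical name, and reusing `fineract_tenants_pwd` as the key inside the Secret is also an assumption.

```shell
#!/bin/sh
# Added example, not Fineract's own kubectl-startup.sh.
# Assumed names: the Secret name is hypothetical; the key reuses the
# fineract_tenants_pwd variable name mentioned in the comment above.
SECRET_NAME="${SECRET_NAME:-fineract-tenants-db-secret}"
SECRET_KEY="${SECRET_KEY:-fineract_tenants_pwd}"

# Print a random alphanumeric password (default length 32) from the kernel CSPRNG.
gen_password() {
  head -c 256 /dev/urandom | base64 | tr -dc 'A-Za-z0-9' | cut -c1-"${1:-32}"
}

# Render a Secret manifest for name $1, key $2, value $3.
# The `data` field requires base64; this is encoding, not encryption.
render_secret() {
  encoded=$(printf '%s' "$3" | base64 | tr -d '\n')
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $1
type: Opaque
data:
  $2: $encoded
EOF
}

# Create the Secret only if it is absent, so re-running the installer does not
# replace a password the database was already initialised with. The manifest is
# piped to kubectl, so the password is never written to disk or put on argv.
ensure_secret() {
  if kubectl get secret "$1" >/dev/null 2>&1; then
    echo "secret $1 already exists, leaving it unchanged" >&2
    return 0
  fi
  render_secret "$1" "$2" "$(gen_password 32)" | kubectl create -f -
}

# Touch the cluster only when invoked as: ./script.sh apply
if [ "${1:-}" = "apply" ]; then
  ensure_secret "$SECRET_NAME" "$SECRET_KEY"
fi
```

For goal (a), the Deployment would then read the value through an `env` entry with `valueFrom.secretKeyRef` instead of a `-D` Java property, so no password remains in the YAML under version control.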
