Michael Vorburger created FINERACT-881:
------------------------------------------

Summary: Remove all hard-coded passwords from Kubernetes Deployment
Key: FINERACT-881
URL: https://issues.apache.org/jira/browse/FINERACT-881
Project: Apache Fineract
Issue Type: Bug
Reporter: Michael Vorburger

The Kubernetes deployment contributed in FINERACT-783 by creates a Kubernetes Deployment using 2 passwords hard-coded in YAML, for the tenants and demo DB (based on Fineract's Docker Compose set-up).

One of the passwords is in a Kubernetes Secret, so it shouldn't be able to see it at runtime, but that is kind of pointless because unless someone changes the default, its default can be seen in source. The other password is in a -D Java property in the YAML, and not even in a secret.

The goal of this issue is to:

(a) replace the password in the -D Java property by a Kubernetes secret... This may require some Java code changes to be able to pass it as an Environment Variable instead of a Java System Property; I think since we've done FINERACT-796, this should be relatively easy, now that we don't use Tomcat XML for a JNDI DS anymore.

(b) remove the hard-coded default value from the Secret YAML, and instead during installation create the database passwords as secrets randomly. Research on the web re. best practices how to do this (reach out to see if Fineract CN may have already solved this?). At the simplest, you could imagine just doing something like [https://stackoverflow.com/a/59678911/421602] in our {{kubernetes/kubectl-startup.sh}}.

FYI [~xurror], [~awasum], [~angeh]

--
This message was sent by Atlassian Jira (v8.3.4#803005)
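
One way goal (b) could look in an install script, as an added example that is not Fineract's `kubectl-startup.sh` and not code from the issue: the secret name `example-db-secret`, the key `password` and the function names are assumptions. It generates the password at install time and creates the Secret only if it does not exist yet, so re-running the installer does not replace a password the database was already initialised with.

```shell
#!/bin/sh
# Added example. Secret name, key name and function names are assumed,
# not taken from the Fineract repository.

# Print a random password: N bytes from the kernel CSPRNG, hex-encoded
# (2*N characters, only [0-9a-f], so it needs no YAML or shell escaping).
gen_password() {
  od -An -N"${1:-24}" -tx1 /dev/urandom | tr -d ' \n'
}

# Print a Secret manifest for name $1 carrying password $2.
# stringData lets the API server do the base64 encoding.
render_secret() {
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $1
type: Opaque
stringData:
  password: "$2"
EOF
}

# Create the Secret only when it is absent. The manifest is piped on stdin,
# so the password is never written to disk and never appears in the
# process list as a command-line argument.
ensure_db_secret() {
  name=$1
  if kubectl get secret "$name" >/dev/null 2>&1; then
    echo "secret $name already exists, leaving it unchanged"
    return 0
  fi
  render_secret "$name" "$(gen_password)" | kubectl create -f -
}

# Usage in an install script (assumed name):
#   ensure_db_secret example-db-secret
```

The Deployment would then reference the Secret through `secretKeyRef` instead of carrying a literal value, which is what goal (a) asks for on the `-D` property.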