Michael Vorburger created FINERACT-881:
------------------------------------------

             Summary: Remove all hard-coded passwords from Kubernetes Deployment
                 Key: FINERACT-881
                 URL: https://issues.apache.org/jira/browse/FINERACT-881
             Project: Apache Fineract
          Issue Type: Bug
            Reporter: Michael Vorburger


The Kubernetes deployment contributed in FINERACT-783 by creates a Kubernetes 
Deployment using 2 passwords hard-coded in YAML, for the tenants and demo DB 
(based on Fineract's Docker Compose set-up).

One of the passwords is in a Kubernetes Secret, so it shouldn't be able to see 
it at runtime, but that is kind of pointless because unless someone changes the 
default, its default can be seen in source.

The other password is in a -D Java property in the YAML, and not even in a 
secret.

The goal of this issue is to:

(a) replace the password in the -D Java property by a Kubernetes secret... This 
may require some Java code changes to be able to pass it as an Environment 
Variable instead of a Java System Property; I think since we've done 
FINERACT-796, this should be relatively easy, now that we don't use Tomcat XML 
for a JNDI DS anymore.

(b) remove the hard-coded default value from the Secret YAML, and instead 
during installation create the database passwords as secrets randomly. Research 
on the web re. best practices how to do this (reach out to see if Fineract CN 
may have already solved this?). At the simplest, you could imagine just doing 
something like [https://stackoverflow.com/a/59678911/421602] in our 
{{kubernetes/kubectl-startup.sh}}.

FYI [~xurror], [~awasum], [~angeh]



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
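
An added example for goal (b), not taken from the issue or from Fineract's kubernetes/kubectl-startup.sh: generating the database password at install time and storing it as a Kubernetes Secret, so no value sits in YAML or on a command line. The function names and the secret and key names in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example; not Fineract's kubectl-startup.sh.

# Print N random bytes from the kernel CSPRNG as 2*N hex characters.
# Hex needs no quoting in YAML, JDBC URLs or shell, and od/tr leave no
# trailing newline that would end up inside the Secret value.
gen_password() {
    nbytes="${1:-24}"
    head -c "$nbytes" /dev/urandom | od -An -tx1 | tr -d ' \t\n'
}

# Create Secret NAME with a random value under KEY unless it already exists.
# Re-running the install must not replace a password the database volume
# was already initialised with.
ensure_secret() {
    name="$1"
    key="$2"
    if kubectl get secret "$name" >/dev/null 2>&1; then
        echo "secret/$name already exists, keeping its value" >&2
        return 0
    fi
    # The value goes to kubectl on stdin, so it never appears in the
    # process list, in shell history or in a file in the repository.
    gen_password 24 | kubectl create secret generic "$name" \
        --from-file="$key=/dev/stdin"
}

# Usage (hypothetical secret and key names):
#   ensure_secret example-db-secret password
```

The Deployment can then reference the Secret through `secretKeyRef`, which also covers the environment-variable route described in (a).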
