[ https://issues.apache.org/jira/browse/FINERACT-881?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Michael Vorburger updated FINERACT-881:
---------------------------------------
    Summary: Remove all hard-coded default passwords from Kubernetes Deployment  (was: Remove all hard-coded passwords from Kubernetes Deployment)

> Remove all hard-coded default passwords from Kubernetes Deployment
> ------------------------------------------------------------------
>
>                 Key: FINERACT-881
>                 URL: https://issues.apache.org/jira/browse/FINERACT-881
>             Project: Apache Fineract
>          Issue Type: Bug
>            Reporter: Michael Vorburger
>            Priority: Major
>              Labels: kubernetes, security, technical
>
> The Kubernetes deployment contributed in FINERACT-783 by creates a Kubernetes
> Deployment using 2 passwords hard-coded in YAML, for the tenants and demo DB
> (based on Fineract's Docker Compose set-up).
> One of the passwords is in a Kubernetes Secret, so it shouldn't be able to
> see it at runtime, but that is kind of pointless because unless someone
> changes the default, its default can be seen in source.
> The other password is in a -D Java property in the YAML, and not even in a
> secret.
> The goal of this issue is to:
> (a) replace the password in the -D Java property by a Kubernetes secret...
> This may require some Java code changes to be able to pass it as an
> Environment Variable instead of a Java System Property; I think since we've
> done FINERACT-796, this should be relatively easy, now that we don't use
> Tomcat XML for a JNDI DS anymore.
> (b) remove the hard-coded default value from the Secret YAML, and instead
> during installation create the database passwords as secrets randomly.
> Research on the web re. best practices how to do this (reach out to see if
> Fineract CN may have already solved this?). At the simplest, you could imagine
> just doing something like [https://stackoverflow.com/a/59678911/421602] in
> our {{kubernetes/kubectl-startup.sh}}.
> FYI [~xurror], [~awasum], [~angeh]
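
A sketch of goal (b) for an install script, added here as an example and not taken from Fineract's `kubectl-startup.sh` or the linked answer: generate the database password at install time and create the Secret only if it is absent. The function names, the `KUBECTL` override, the key name `password` and the secret name in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: function names, KUBECTL override and the key "password" are assumptions.
KUBECTL="${KUBECTL:-kubectl}"

# Print a random password of $1 characters (default 32, max ~300) from [A-Za-z0-9].
# A fixed amount of kernel randomness is read, base64-encoded, and stripped of
# '+', '/', '=' and newlines, so every remaining character is uniformly distributed.
gen_password() {
  head -c 256 /dev/urandom | base64 | LC_ALL=C tr -dc 'A-Za-z0-9' | head -c "${1:-32}"
}

# Create Secret $1 (key "password") unless it already exists.
# Re-running the installer must not replace a password that the database
# was already initialised with, so an existing Secret is left untouched.
ensure_db_secret() {
  if $KUBECTL get secret "$1" >/dev/null 2>&1; then
    echo "secret/$1 exists, leaving it unchanged"
    return 0
  fi
  # The value travels over stdin, so it never appears in the YAML kept in
  # source control, in the process list, or in shell history.
  gen_password 32 | $KUBECTL create secret generic "$1" \
    --from-file=password=/dev/stdin
}

# Usage in an install script (secret name is a placeholder):
#   ensure_db_secret fineract-tenants-db-secret
```

The Deployment can then read the value through an `env` entry with `valueFrom.secretKeyRef`, which is the environment-variable route goal (a) describes.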