[ 
https://issues.apache.org/jira/browse/FINERACT-881?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Michael Vorburger updated FINERACT-881:
---------------------------------------
    Summary: Remove all hard-coded default passwords from Kubernetes Deployment 
 (was: Remove all hard-coded passwords from Kubernetes Deployment)

> Remove all hard-coded default passwords from Kubernetes Deployment
> ------------------------------------------------------------------
>
>                 Key: FINERACT-881
>                 URL: https://issues.apache.org/jira/browse/FINERACT-881
>             Project: Apache Fineract
>          Issue Type: Bug
>            Reporter: Michael Vorburger
>            Priority: Major
>              Labels: kubernetes, security, technical
>
> The Kubernetes deployment contributed in FINERACT-783 by creates a Kubernetes 
> Deployment using 2 passwords hard-coded in YAML, for the tenants and demo DB 
> (based on Fineract's Docker Compose set-up).
> One of the passwords is in a Kubernetes Secret, so it shouldn't be able to 
> see it at runtime, but that is kind of pointless because unless someone 
> changes the default, its default can be seen in source.
> The other password is in a -D Java property in the YAML, and not even in a 
> secret.
> The goal of this issue is to:
> (a) replace the password in the -D Java property by a Kubernetes secret... 
> This may require some Java code changes to be able to pass it as an 
> Environment Variable instead of a Java System Property; I think since we've 
> done FINERACT-796, this should be relatively easy, now that we don't use 
> Tomcat XML for a JNDI DS anymore.
> (b) remove the hard-coded default value from the Secret YAML, and instead 
> during installation create the database passwords as secrets randomly. 
> Research on the web re. best practices how to do this (reach out to see if 
> Fineract CN may have already solved this?). At the simplest, you could imagine 
> just doing something like [https://stackoverflow.com/a/59678911/421602] in 
> our {{kubernetes/kubectl-startup.sh}}.
> FYI [~xurror], [~awasum], [~angeh]



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
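
One way to approach goal (b) from the issue above, as an added example that is not part of the original message or of Fineract's own kubernetes/kubectl-startup.sh: generate the database password at install time and create the Secret only if it does not exist yet. The Secret name and key used here are hypothetical, and the script assumes kubectl is already pointed at the target cluster.

```shell
#!/bin/sh
# Added example. SECRET_NAME and SECRET_KEY are hypothetical, not Fineract's names.
SECRET_NAME="${SECRET_NAME:-fineract-db-secret}"
SECRET_KEY="${SECRET_KEY:-password}"

# Print 2*N hex characters built from N bytes of /dev/urandom (default 16 bytes).
# Hex output needs no escaping in YAML, shell or JDBC settings.
gen_password() {
    od -An -N"${1:-16}" -tx1 /dev/urandom | tr -d ' \n'
}

# Render a Secret manifest on stdout. stringData lets the API server do the
# base64 encoding, and no default value is ever committed to the repository.
render_secret() {
    cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $1
type: Opaque
stringData:
  $2: "$3"
EOF
}

# Create the Secret only when it is absent, so re-running the install script
# does not replace the password of a database that was already initialised.
# The manifest goes to kubectl on stdin, so the password never shows up in the
# process list the way a --from-literal argument would.
ensure_secret() {
    if kubectl get secret "$SECRET_NAME" >/dev/null 2>&1; then
        echo "secret $SECRET_NAME already exists, leaving it unchanged" >&2
        return 0
    fi
    render_secret "$SECRET_NAME" "$SECRET_KEY" "$(gen_password 16)" | kubectl create -f -
}

# For goal (a), the Deployment would read the value as an environment variable
# through valueFrom.secretKeyRef (name: $SECRET_NAME, key: $SECRET_KEY)
# instead of a -D Java property written into the YAML.
if [ "${1:-}" = "apply" ]; then
    ensure_secret
fi
```

Running the script with the argument apply creates the Secret; without it, only the functions are defined.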