Michael Vorburger created FINERACT-881:
------------------------------------------
Summary: Remove all hard-coded passwords from Kubernetes Deployment
Key: FINERACT-881
URL: https://issues.apache.org/jira/browse/FINERACT-881
Project: Apache Fineract
Issue Type: Bug
Reporter: Michael Vorburger
The Kubernetes deployment contributed in FINERACT-783 by creates a Kubernetes
Deployment using 2 passwords hard-coded in YAML, for the tenants and demo DB
(based on Fineract's Docker Compose set-up).
One of the passwords is in a Kubernetes Secret, so it shouldn't be able to see
it at runtime, but that is kind of pointless because unless someone changes the
default, its default can be seen in source.
The other password is in a -D Java property in the YAML, and not even in a
secret.
The goal of this issue is to:
(a) replace the password in the -D Java property by a Kubernetes secret... This
may require some Java code changes to be able to pass it as an Environment
Variable instead of a Java System Property; I think since we've done
FINERACT-796, this should be relatively easy, now that we don't use Tomcat XML
for a JNDI DS anymore.
(b) remove the hard-coded default value from the Secret YAML, and instead
during installation create the database passwords as secrets randomly. Research
on the web re. best practices how to do this (reach out to see if Fineract CN
may have already solved this?). At the simplest, you could imagine just doing
something like [https://stackoverflow.com/a/59678911/421602] in our
{{kubernetes/kubectl-startup.sh}}.
FYI [~xurror], [~awasum], [~angeh]
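One way to approach goal (b), as an added example that is not part of the original issue or of Fineract's own scripts: generate the database password at install time and create the Secret only if it does not already exist. The function names, the Secret name `fineract-db-secret` and the key `password` are hypothetical.

```shell
#!/bin/sh
# Added example: helpers that a startup script such as
# kubernetes/kubectl-startup.sh could source. All names are hypothetical.
set -e

# Print N random bytes from the kernel CSPRNG as lowercase hex.
# Hex avoids characters that need escaping in YAML, shells or JDBC URLs.
gen_password() {
  nbytes="${1:-24}"
  head -c "$nbytes" /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Print a Secret manifest. stringData lets the API server do the
# base64 encoding, so the value is written exactly once.
render_secret() {
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $1
type: Opaque
stringData:
  $2: "$3"
EOF
}

# Create the Secret only when it is absent, so re-running the installer
# does not rotate the password underneath an already initialised database.
# The manifest goes to kubectl on stdin, which keeps the password out of
# the process argument list and out of shell history.
ensure_secret() {
  if kubectl get secret "$1" >/dev/null 2>&1; then
    echo "secret/$1 already exists, leaving it unchanged"
    return 0
  fi
  render_secret "$1" "$2" "$(gen_password 24)" | kubectl apply -f -
}

# Usage from the installer (Secret name and key are hypothetical):
#   ensure_secret fineract-db-secret password
```

For goal (a), a Deployment can then read the value into an environment variable through `env[].valueFrom.secretKeyRef` instead of carrying it in a `-D` argument.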