Open jekader opened 1 month ago
OK, can these randomly generated values be retrieved by the user afterward?
Sure, all of them are stored in plaintext in the relevant secret objects.
Here's how this is handled in documentation for Grafana:
- How to set the Grafana admin password? If not explicitly set, a random password will be generated and saved in a Kubernetes Secret
https://github.com/apache/incubator-devlake-helm-chart/blob/main/HelmSetup.md?plain=1#L284
It's a best practice to follow the same pattern for all sensitive data. Then, in the quick start, have the passwords explicitly set to some demo values to make things easier to test out.
I see. Sounds reasonable to me. Would you like to work on it?
This Helm chart currently deploys a very insecure DevLake instance by default: authentication for the UI is disabled, DB passwords are hardcoded, and the user is asked to generate the cumbersome encryption key manually, which is then exported as an env var and lost immediately anyway.
This makes the setup quite vulnerable, so I propose populating all access credentials with random values if they are not explicitly set and having the user retrieve them from the created secret objects if needed. This is already the workflow for Grafana and works just fine.
- `lake.encryptionSecret.secret`
- `mysql.username`
- `mysql.password`
- `ui.basicAuth.enabled`
- `ui.basicAuth.password`
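One way to implement the proposed pattern as a Helm template (an added example, not code from the devlake chart): an explicitly set value wins, otherwise the value already stored by a previous release is reused, and a random value is generated only on first install, so `helm upgrade` never rotates credentials behind the user's back. The Secret name, the data key names, the random lengths and the `keep` resource policy are assumptions; the `.Values` keys are the ones listed in the issue.

```yaml
# Added example (not the chart's own template): credentials are generated once
# and preserved across upgrades. Secret name, key names and lengths are assumptions.
{{- $secretName := printf "%s-credentials" .Release.Name }}
{{- /* Look up the Secret from a previous release. Using randAlphaNum alone would
       regenerate the values on every upgrade and break DB access and decryption
       of already-stored data. lookup needs Helm >= 3.2 and is empty on --dry-run. */ -}}
{{- $prev := dict }}
{{- $existing := lookup "v1" "Secret" .Release.Namespace $secretName }}
{{- if $existing }}
{{-   $prev = $existing.data | default dict }}
{{- end }}
{{- /* Precedence: explicit value from values.yaml > value already in the Secret > fresh random value */ -}}
{{- $mysqlPassword := .Values.mysql.password | default (get $prev "MYSQL_PASSWORD" | b64dec) | default (randAlphaNum 32) }}
{{- $encryptionSecret := .Values.lake.encryptionSecret.secret | default (get $prev "ENCRYPTION_SECRET" | b64dec) | default (randAlphaNum 128) }}
{{- $uiPassword := .Values.ui.basicAuth.password | default (get $prev "UI_PASSWORD" | b64dec) | default (randAlphaNum 24) }}
apiVersion: v1
kind: Secret
metadata:
  name: {{ $secretName }}
  annotations:
    # Keep the Secret on uninstall so the key protecting stored data is not
    # silently destroyed together with the release (assumed operator preference).
    "helm.sh/resource-policy": keep
type: Opaque
data:
  MYSQL_PASSWORD: {{ $mysqlPassword | b64enc | quote }}
  ENCRYPTION_SECRET: {{ $encryptionSecret | b64enc | quote }}
  UI_PASSWORD: {{ $uiPassword | b64enc | quote }}
```

A user can then read a generated value back with `kubectl get secret <release>-credentials -o jsonpath='{.data.MYSQL_PASSWORD}' | base64 -d`, which answers the retrieval question raised in the thread.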