-
Notifications
You must be signed in to change notification settings - Fork 0
Removed hardcoded secrets #121
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Changes from all commits
47570f0
f847876
ed8a19e
d0b8c9f
d19c812
1fa2820
13c238c
d56dd74
ddb231d
14a1cc5
3a515d4
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -30,6 +30,44 @@ jobs: | |
| printf '%s\n' "${{ secrets.SSH_PRIVATE_KEY }}" > ~/.ssh/deploy_key | ||
| chmod 600 ~/.ssh/deploy_key | ||
|
|
||
| - name: Write compose .env file | ||
| env: | ||
| POSTGRES_PASSWORD: ${{ secrets.DB_ADMIN_PASSWORD }} | ||
| ORGANIZATION_DB_PASSWORD: ${{ secrets.DB_ORGANIZATION_PASSWORD }} | ||
| MEMBER_DB_PASSWORD: ${{ secrets.DB_MEMBER_PASSWORD }} | ||
| EVENT_DB_PASSWORD: ${{ secrets.DB_EVENT_PASSWORD }} | ||
| FEEDBACK_DB_PASSWORD: ${{ secrets.DB_FEEDBACK_PASSWORD }} | ||
| FINANCE_DB_PASSWORD: ${{ secrets.DB_FINANCE_PASSWORD }} | ||
| LETTER_DB_PASSWORD: ${{ secrets.DB_LETTER_PASSWORD }} | ||
| REPORTS_DB_PASSWORD: ${{ secrets.DB_REPORTS_PASSWORD }} | ||
| KEYCLOAK_ADMIN_PASSWORD: ${{ secrets.KEYCLOAK_ADMIN_PASSWORD }} | ||
| KEYCLOAK_DB_PASSWORD: ${{ secrets.KEYCLOAK_DB_PASSWORD }} | ||
| KEYCLOAK_REALM_ADMIN_PASSWORD: ${{ secrets.KEYCLOAK_REALM_ADMIN_PASSWORD }} | ||
| KEYCLOAK_REALM_USER_PASSWORD: ${{ secrets.KEYCLOAK_REALM_USER_PASSWORD }} | ||
| FORWARD_AUTH_COOKIE_SECRET: ${{ secrets.FORWARD_AUTH_COOKIE_SECRET }} | ||
| KEYCLOAK_ADMIN_CLIENT_SECRET: ${{ secrets.KEYCLOAK_ADMIN_CLIENT_SECRET }} | ||
| FORWARD_AUTH_CLIENT_SECRET: ${{ secrets.FORWARD_AUTH_CLIENT_SECRET }} | ||
| GRAFANA_OAUTH_CLIENT_SECRET: ${{ secrets.GRAFANA_OAUTH_CLIENT_SECRET }} | ||
| run: | | ||
| cat > /tmp/compose.env << ENVFILE | ||
| POSTGRES_PASSWORD=$POSTGRES_PASSWORD | ||
| ORGANIZATION_DB_PASSWORD=$ORGANIZATION_DB_PASSWORD | ||
| MEMBER_DB_PASSWORD=$MEMBER_DB_PASSWORD | ||
| EVENT_DB_PASSWORD=$EVENT_DB_PASSWORD | ||
| FEEDBACK_DB_PASSWORD=$FEEDBACK_DB_PASSWORD | ||
| FINANCE_DB_PASSWORD=$FINANCE_DB_PASSWORD | ||
| LETTER_DB_PASSWORD=$LETTER_DB_PASSWORD | ||
| REPORTS_DB_PASSWORD=$REPORTS_DB_PASSWORD | ||
| KEYCLOAK_ADMIN_PASSWORD=$KEYCLOAK_ADMIN_PASSWORD | ||
| KEYCLOAK_DB_PASSWORD=$KEYCLOAK_DB_PASSWORD | ||
| KEYCLOAK_REALM_ADMIN_PASSWORD=$KEYCLOAK_REALM_ADMIN_PASSWORD | ||
| KEYCLOAK_REALM_USER_PASSWORD=$KEYCLOAK_REALM_USER_PASSWORD | ||
| FORWARD_AUTH_COOKIE_SECRET=$FORWARD_AUTH_COOKIE_SECRET | ||
| KEYCLOAK_ADMIN_CLIENT_SECRET=$KEYCLOAK_ADMIN_CLIENT_SECRET | ||
| FORWARD_AUTH_CLIENT_SECRET=$FORWARD_AUTH_CLIENT_SECRET | ||
| GRAFANA_OAUTH_CLIENT_SECRET=$GRAFANA_OAUTH_CLIENT_SECRET | ||
| ENVFILE | ||
|
|
||
| - name: Write genai .env file | ||
| env: | ||
| GENAI_ENV_CONTENT: ${{ secrets.GENAI_ENV_CONTENT }} | ||
|
|
@@ -59,6 +97,7 @@ jobs: | |
| infra/ansible/playbook.yml \ | ||
| -e "repo_url=https://github.com/${{ github.repository }}.git" \ | ||
| -e "branch=${{ github.ref_name }}" \ | ||
| -e "compose_env_file=/tmp/compose.env" \ | ||
| -e "genai_env_file=/tmp/genai.env" \ | ||
| -e "letter_env_file=/tmp/letter.env" | ||
|
|
||
|
|
@@ -253,5 +292,21 @@ jobs: | |
| --namespace "$NAMESPACE" \ | ||
| --set global.image.tag=${{ github.sha }} \ | ||
| --set keycloak.hostname=https://ge83mom-devops26.stud.k8s.aet.cit.tum.de/auth \ | ||
| --set database.password="${{ secrets.DB_ADMIN_PASSWORD }}" \ | ||
| --set database.users.organization.password="${{ secrets.DB_ORGANIZATION_PASSWORD }}" \ | ||
| --set database.users.member.password="${{ secrets.DB_MEMBER_PASSWORD }}" \ | ||
| --set database.users.event.password="${{ secrets.DB_EVENT_PASSWORD }}" \ | ||
| --set database.users.feedback.password="${{ secrets.DB_FEEDBACK_PASSWORD }}" \ | ||
| --set database.users.finance.password="${{ secrets.DB_FINANCE_PASSWORD }}" \ | ||
| --set database.users.letter.password="${{ secrets.DB_LETTER_PASSWORD }}" \ | ||
| --set database.users.reports.password="${{ secrets.DB_REPORTS_PASSWORD }}" \ | ||
| --set keycloak.adminPassword="${{ secrets.KEYCLOAK_ADMIN_PASSWORD }}" \ | ||
| --set keycloak.db.password="${{ secrets.KEYCLOAK_DB_PASSWORD }}" \ | ||
| --set keycloak.users.admin.password="${{ secrets.KEYCLOAK_REALM_ADMIN_PASSWORD }}" \ | ||
| --set keycloak.users.user.password="${{ secrets.KEYCLOAK_REALM_USER_PASSWORD }}" \ | ||
|
Comment on lines
+295
to
+306
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 🎯 Functional Correctness | 🟠 Major | ⚡ Quick win 🧩 Analysis chain🏁 Script executed: #!/bin/bash
# Inspect Helm secret injection sites and template consumers before switching to --set-string or a values file.
rg -n -C 2 -- '--set .*secrets\.|database\.users\..*password|keycloak\..*password|forwardAuth\..*Secret' .github/workflows infra/helm/team-devoopsRepository: AET-DevOps26/team-devoops Length of output: 7434 🏁 Script executed: #!/bin/bash
set -euo pipefail
# Inspect the exact deploy command and the corresponding Helm value consumers.
sed -n '270,305p' .github/workflows/cd.yml
printf '\n---\n'
sed -n '1,120p' infra/helm/team-devoops/templates/secret-db.yaml
printf '\n---\n'
sed -n '1,80p' infra/helm/team-devoops/templates/keycloak-secret.yaml
printf '\n---\n'
sed -n '1,80p' infra/helm/team-devoops/templates/keycloak-realm-configmap.yaml
printf '\n---\n'
sed -n '1,90p' infra/helm/team-devoops/templates/forward-auth.yamlRepository: AET-DevOps26/team-devoops Length of output: 7746 🏁 Script executed: #!/bin/bash
set -euo pipefail
# Check whether these values are documented as plain strings or can be interpreted as numbers/bools.
sed -n '1,40p' infra/helm/team-devoops/values.yaml
printf '\n---\n'
sed -n '176,220p' infra/helm/team-devoops/values.yamlRepository: AET-DevOps26/team-devoops Length of output: 3444 🌐 Web query:
💡 Result: In Helm, the --set and --set-string flags serve different purposes regarding type coercion [1][2][3]. --set The --set flag attempts to automatically detect and coerce values into appropriate types (such as integers, floats, booleans, or strings) [4][5][6]. Because of this, it can sometimes behave unexpectedly when a value looks like a number or boolean but should be treated as a string (e.g., a password containing only digits or a Git commit hash) [5][6][7]. --set-string The --set-string flag is designed to force values to be treated as strings, bypassing the automatic type coercion performed by the --set parser [5][6]. It is the recommended approach for values like passwords, image tags, or any other data where you want to ensure the input is interpreted strictly as a string [6]. Important Notes: 1. Syntax Compatibility: Despite its name, --set-string still supports Helm's complex value syntax, allowing you to define arrays and dictionaries (e.g., --set-string list={1,2,3}) [5]. It simply forces the terminal leaf values to be strings rather than native types [5]. 2. Not a Literal Flag: It is important to note that --set-string is not a "literal" flag [5]. It does not prevent all interpretation; for example, it may still be subject to shell expansion or Helm's internal parsing of complex structures [4][5]. If you require a value to be treated absolutely literally, or if you encounter issues where --set-string does not produce the desired result (such as with certain boolean-looking strings), you may need to quote the value or ensure your Helm chart templates handle the input correctly [4][5]. 3. Precedence: When using these flags, the last (right-most) value specified takes precedence if the same key is set multiple times [1]. For security-sensitive data like passwords, using --set-string is a standard practice to prevent Helm from misinterpreting numeric strings as integers or floating-point numbers [6]. Citations:
Use 🤖 Prompt for AI Agents |
||
| --set forwardAuth.cookieSecret="${{ secrets.FORWARD_AUTH_COOKIE_SECRET }}" \ | ||
| --set forwardAuth.clientSecret="${{ secrets.FORWARD_AUTH_CLIENT_SECRET }}" \ | ||
| --set monitoring.grafana.oauthClientSecret="${{ secrets.GRAFANA_OAUTH_CLIENT_SECRET }}" \ | ||
| --set services.organization-service.env.KEYCLOAK_ADMIN_CLIENT_SECRET="${{ secrets.KEYCLOAK_ADMIN_CLIENT_SECRET }}" \ | ||
| --set services.member-service.env.KEYCLOAK_SERVICE_ACCOUNT_CLIENT_SECRET="${{ secrets.KEYCLOAK_ADMIN_CLIENT_SECRET }}" \ | ||
| --rollback-on-failure --timeout 15m | ||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,30 @@ | ||
| # Local secrets for `docker compose up` (run from infra/, see README "Running Locally"). | ||
| # Copy to `.env` (gitignored) and fill in real values. Never commit `.env`. | ||
| # | ||
| # Each value below has a matching GitHub secret that's the single source of truth across | ||
| # both deploy targets: CI assembles infra/.env on the Azure VM from these secrets, and | ||
| # passes the same secrets individually via --set to `helm upgrade` for Kubernetes. See | ||
| # README "Required GitHub secrets / variables" for the full mapping. | ||
|
|
||
| POSTGRES_PASSWORD=app_admin_password | ||
| ORGANIZATION_DB_PASSWORD=organization_password | ||
| MEMBER_DB_PASSWORD=member_password | ||
| EVENT_DB_PASSWORD=event_password | ||
| FEEDBACK_DB_PASSWORD=feedback_password | ||
| FINANCE_DB_PASSWORD=finance_password | ||
| LETTER_DB_PASSWORD=letter_password | ||
| REPORTS_DB_PASSWORD=reports_password | ||
| KEYCLOAK_ADMIN_PASSWORD=admin | ||
| KEYCLOAK_DB_PASSWORD=keycloak_password | ||
| KEYCLOAK_REALM_ADMIN_PASSWORD=admin123 | ||
| KEYCLOAK_REALM_USER_PASSWORD=user123 | ||
| FORWARD_AUTH_COOKIE_SECRET=VdpPltrnS+cc+1hswmya727K69iG7MpMZH/LOLlmox0= | ||
|
Comment on lines
+9
to
+21
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 🔒 Security & Privacy | 🟠 Major | ⚡ Quick win Replace the example credentials with placeholders. These are still real-looking secrets, not examples. In particular, the 🧰 Tools🪛 Betterleaks (1.6.0)[high] 21-21: Detected a Generic API Key, potentially exposing access to various services and sensitive operations. (generic-api-key) 🪛 dotenv-linter (4.0.0)[warning] 10-10: [UnorderedKey] The ORGANIZATION_DB_PASSWORD key should go before the POSTGRES_PASSWORD key (UnorderedKey) [warning] 11-11: [UnorderedKey] The MEMBER_DB_PASSWORD key should go before the ORGANIZATION_DB_PASSWORD key (UnorderedKey) [warning] 12-12: [UnorderedKey] The EVENT_DB_PASSWORD key should go before the MEMBER_DB_PASSWORD key (UnorderedKey) [warning] 13-13: [UnorderedKey] The FEEDBACK_DB_PASSWORD key should go before the MEMBER_DB_PASSWORD key (UnorderedKey) [warning] 14-14: [UnorderedKey] The FINANCE_DB_PASSWORD key should go before the MEMBER_DB_PASSWORD key (UnorderedKey) [warning] 15-15: [UnorderedKey] The LETTER_DB_PASSWORD key should go before the MEMBER_DB_PASSWORD key (UnorderedKey) [warning] 17-17: [UnorderedKey] The KEYCLOAK_ADMIN_PASSWORD key should go before the LETTER_DB_PASSWORD key (UnorderedKey) [warning] 18-18: [UnorderedKey] The KEYCLOAK_DB_PASSWORD key should go before the LETTER_DB_PASSWORD key (UnorderedKey) [warning] 19-19: [UnorderedKey] The KEYCLOAK_REALM_ADMIN_PASSWORD key should go before the LETTER_DB_PASSWORD key (UnorderedKey) [warning] 20-20: [UnorderedKey] The KEYCLOAK_REALM_USER_PASSWORD key should go before the LETTER_DB_PASSWORD key (UnorderedKey) [warning] 21-21: [UnorderedKey] The FORWARD_AUTH_COOKIE_SECRET key should go before the KEYCLOAK_ADMIN_PASSWORD key (UnorderedKey) 🤖 Prompt for AI AgentsSource: Linters/SAST tools |
||
|
|
||
| # OIDC/OAuth client secrets. Rendered into the matching client's "secret" field in | ||
| # infra/keycloak/realm-config.json at container start; must equal whatever the consuming | ||
| # service (grafana, traefik-forward-auth, organization-service/member-service) is | ||
| # configured with, or the OIDC handshake fails. Values below just mirror what used to be | ||
| # hardcoded directly in realm-config.json -- fine for local dev, not real secrets. | ||
| KEYCLOAK_ADMIN_CLIENT_SECRET=org-role-sync-secret | ||
| FORWARD_AUTH_CLIENT_SECRET=traefik-forward-auth-secret | ||
| GRAFANA_OAUTH_CLIENT_SECRET=grafana-oauth-secret | ||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
🔒 Security & Privacy | 🟠 Major | ⚡ Quick win
Write and validate all Compose secrets.
This file omits
GRAFANA_OAUTH_CLIENT_SECRETandFORWARD_AUTH_CLIENT_SECRET, so Compose falls back to the literal defaults ininfra/docker-compose.yml. Add those secrets and fail fast if any required value is empty.🤖 Prompt for AI Agents