Deployment spec leaks connection passwords

[jobo-prod]

Hello there,

there are some open issues with good ideas about how to specify secrets and connection strings. However, I believe this is still a slightly different topic. If I am mistaken, feel free to close this one.

In the web Deployment spec of the Helm chart, connection strings are directly set as environment variables. These URIs contain passwords, so they should only be defined in secrets and never directly visible in other resources.

If I get it right, moving these values from the container env into the Secret should be sufficient for now. The same holds for the worker deployments and the init job, since they all use envFrom the secret. I'd be happy to propose a PR for this, if you like.

Cheers

[lindhe]

You are right that this is an issue. While this should be fixed via the Issues you mention (e.g. via PR #152), a work around for the moment is to specify the connection strings via invenio.extra_env_from_secret. Since environment variables from invenio.extra_env_from_secret is specified later in the YAML, it will override the default values you linked. Very ugly, but it works.

The real fix is to get the improved Secrets management in place, as already mentioned. Since it's possible to work around this issue, I don't see any reason to implement anything else until we get the real fix sorted out. 🙂 Marking this as closed, please ping me if you disagree.

[jobo-prod]

Got it, thanks!