[FOLIO-759] Update how db credentials are passed to modules in CI builds Created: 03/Aug/17  Updated: 15/Jan/19

Status: Open
Project: FOLIO
Components: None
Affects versions: None
Fix versions: None

Type: Task Priority: P3
Reporter: Wayne Schneider Assignee: Wayne Schneider
Resolution: Unresolved Votes: 0
Labels: ci, for-next-sprint, sprint20
Remaining Estimate: Not Specified
Time Spent: 15 minutes
Original estimate: Not Specified

Issue links:
Blocks
blocks FOLIO-1134 Secure public AWS instances Open
Sprint:
Development Team: Core: Platform

 Description   

Up to now it's been convenient to use environment variables, but really, db credentials should not be exposed by the /_/discovery/modules endpoint.



 Comments   
Comment by Wayne Schneider [ 03/Aug/17 ]

We can use this issue to work out a rough model for more secure production deployment.

Comment by Jakub Skoczen [ 09/Aug/17 ]

Wayne Schneider what's this about?

Comment by Jakub Skoczen [ 09/Aug/17 ]

Note: how does it relate to the refactoring Okapi services as Internal Modules?

Comment by Wayne Schneider [ 15/Aug/17 ]

Jakub Skoczen – see for example http://folio-testing-backend01.aws.indexdata.com:9130/_/discovery/modules – we are using environment variables to pass the database credentials to the RMB-based modules, and those credentials are exposed on the Okapi discovery endpoint. This is not how we would want to do it in production (though it was very convenient to get things up and running). We had a discussion on Slack about it and agreed to open up an issue.

One way to address the issue is to put the credentials in a configuration file, possibly secured as documented here: https://github.com/folio-org/raml-module-builder#securing-db-configuration-file. This may require building a new Docker image for deployment based on the Jenkins artifact with the config file added and the entry point updated, or some other method of invoking the Docker image.
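
A check for the exposure described in the comment above, as an added example that is not part of the original issue or of FOLIO's code: it parses a saved discovery listing and reports which deployments still carry credential-like environment entries, so a CI step can fail until the credentials have moved into a configuration file. The response layout (`srvcId`, `instId`, `descriptor.env` as name/value pairs), the variable names and the name heuristic are assumptions, and the sample data is constructed.

```python
import json
import re

# Names that suggest a secret; an assumed heuristic, not an Okapi or RMB rule.
SECRET_NAME = re.compile(r"(PASSWORD|PASSWD|SECRET|TOKEN|USERNAME|CREDENTIAL)", re.I)

# Constructed sample of a discovery listing. The field layout (srvcId, instId,
# descriptor.env as name/value pairs) is an assumption about the response shape.
SAMPLE_DISCOVERY = json.dumps([
    {"srvcId": "mod-example-1.0.0", "instId": "inst-0001",
     "descriptor": {"dockerImage": "example/mod-example:1.0.0",
                    "env": [{"name": "DB_HOST", "value": "db.example.internal"},
                            {"name": "DB_USERNAME", "value": "example_user"},
                            {"name": "DB_PASSWORD", "value": "example-password"}]}},
    {"srvcId": "mod-other-2.0.0", "instId": "inst-0002",
     "descriptor": {"dockerImage": "example/mod-other:2.0.0"}},
    {"srvcId": "mod-third-3.0.0", "instId": "inst-0003",
     "descriptor": {"env": [{"name": "DB_PASSWORD", "value": ""},
                            {"name": "JAVA_OPTIONS", "value": "-Xmx256m"}]}},
])

def find_exposed_secrets(discovery_json):
    """Return (srvcId, instId, env name) for each secret-like env entry with a value."""
    findings = []
    for deployment in json.loads(discovery_json):
        descriptor = deployment.get("descriptor") or {}
        for entry in descriptor.get("env") or []:
            name = entry.get("name", "")
            # Empty values are not a leak; the value itself is never returned or logged.
            if SECRET_NAME.search(name) and entry.get("value"):
                findings.append((deployment.get("srvcId"), deployment.get("instId"), name))
    return findings

def ci_gate(discovery_json):
    """Exit status for a CI step: 1 if any credential is visible, else 0."""
    findings = find_exposed_secrets(discovery_json)
    for srvc, inst, name in findings:
        print(f"exposed: {name} on {srvc} ({inst})")
    return 1 if findings else 0

if __name__ == "__main__":
    raise SystemExit(ci_gate(SAMPLE_DISCOVERY))
```

The findings contain only identifiers and variable names, so the build log does not become a second place where the credentials leak.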

Comment by Wayne Schneider [ 16/Mar/18 ]

Updated issue name and description to make it more precise.
