feat(docker): add support for using external secrets for initialization phase
Prepare
- [x] Read PR guidelines
- [x] Read license information
Description
Target issue
closes #7547
Implementation Details
Test and Document the changes
- [ ] Static code analysis has been run locally and issues have been fixed
- [ ] Relevant unit and integration tests have been added/updated
- [ ] Relevant documentation has been updated if any (i.e. user guides, installation and configuration guides, technical design docs etc)
Codecov Report
Attention: Patch coverage is 63.79310% with 21 lines in your changes missing coverage. Please review.
Please upload report for BASE (main@8b125a4).
:exclamation: Current head 4e716c1 differs from pull request most recent head 059d30f
Please upload reports for the commit 059d30f to get more accurate results.
Additional details and impacted files
@@ Coverage Diff @@
## main #8197 +/- ##
=======================================
Coverage ? 59.93%
=======================================
Files ? 36
Lines ? 3190
Branches ? 0
=======================================
Hits ? 1912
Misses ? 1278
Partials ? 0
| Flag | Coverage Δ | |
|---|---|---|
| unittests | 59.93% <63.79%> (?) |
Quality Gate passed for 'agama parent'
Issues
0 New issues
0 Accepted issues
Measures
0 Security Hotspots
No data about Coverage
No data about Duplication
Quality Gate passed for 'orm'
Issues
0 New issues
0 Accepted issues
Measures
0 Security Hotspots
No data about Coverage
No data about Duplication
Quality Gate passed for 'jans-cli'
Issues
0 New issues
0 Accepted issues
Measures
0 Security Hotspots
No data about Coverage
No data about Duplication
Quality Gate passed for 'jans-pycloudlib'
Issues
0 New issues
0 Accepted issues
Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code
Quality Gate passed for 'Jans-Keycloak-Link'
Issues
0 New issues
0 Accepted issues
Measures
0 Security Hotspots
No data about Coverage
No data about Duplication
Quality Gate passed for 'Jans lock server parent'
Issues
0 New issues
0 Accepted issues
Measures
0 Security Hotspots
No data about Coverage
No data about Duplication
Quality Gate passed for 'jans-config-api-parent'
Issues
0 New issues
0 Accepted issues
Measures
0 Security Hotspots
No data about Coverage
No data about Duplication
Quality Gate passed for 'keycloak-integration-parent'
Issues
0 New issues
0 Accepted issues
Measures
0 Security Hotspots
No data about Coverage
No data about Duplication
Quality Gate passed for 'Fido2 API'
Issues
0 New issues
0 Accepted issues
Measures
0 Security Hotspots
No data about Coverage
No data about Duplication
Quality Gate passed for 'SCIM API'
Issues
0 New issues
0 Accepted issues
Measures
0 Security Hotspots
No data about Coverage
No data about Duplication
Quality Gate passed for 'jans-linux-setup'
Issues
0 New issues
0 Accepted issues
Measures
0 Security Hotspots
No data about Coverage
No data about Duplication
Quality Gate passed for 'jans-core'
Issues
0 New issues
0 Accepted issues
Measures
0 Security Hotspots
No data about Coverage
No data about Duplication
Hi there :wave:, @dryrunsecurity here, below is a summary of our analysis and findings.
| DryRun Security | Status | Findings |
|---|---|---|
| Server-Side Request Forgery Analyzer | :white_check_mark: | 0 findings |
| Configured Codepaths Analyzer | :white_check_mark: | 0 findings |
| Secrets Analyzer | :white_check_mark: | 0 findings |
| Authn/Authz Analyzer | :grey_exclamation: | 7 findings |
| SQL Injection Analyzer | :white_check_mark: | 0 findings |
| Sensitive Files Analyzer | :grey_exclamation: | 7 findings |
| IDOR Analyzer | :white_check_mark: | 0 findings |
[!Note] :green_circle: Risk threshold not exceeded.
Change Summary
The following is a summary of changes in this pull request made by me, your security buddy :robot:. Note that this summary is auto-generated and not meant to be a definitive list of security issues but rather a helpful summary from a security perspective.
Summary:
The code changes in this pull request cover a wide range of Janssen application components, focusing on improving the security and maintainability of the application's deployment and configuration. Key security-related changes include:
- Updating the default Couchbase user from "admin" to a more specific "jans" user, reducing the risk of unauthorized access.
- Enhancing the handling of sensitive information, such as passwords and certificates, by using Kubernetes Secrets and secure credential management practices.
- Introducing flexibility in persistence layer configuration, allowing the application to be deployed with different data storage options (Couchbase, LDAP, SQL) while maintaining secure practices.
- Improving logging and monitoring capabilities, including Prometheus integration, to enable better security monitoring and incident response.
- Implementing the principle of least privilege by running the application as a non-root user and adjusting file permissions accordingly.
Overall, the changes in this pull request demonstrate a strong focus on application security, with an emphasis on secure credential management, flexible persistence configuration, and improved monitoring and logging capabilities. These improvements help to reduce the attack surface and enhance the overall security posture of the Janssen application ecosystem.
Files Changed:
- charts/janssen-all-in-one/templates/secret.yaml: Updates the naming of sensitive fields, such as passwords, to improve clarity and consistency.
- charts/janssen/charts/auth-server-key-rotation/templates/cronjobs.yaml: Handles the configuration and execution of the authentication server's key rotation process, including the management of various secrets and credentials.
- charts/janssen/charts/auth-server/templates/deployment.yml: Manages the deployment configuration for the authentication server, including the handling of secrets and persistence types.
- charts/janssen-all-in-one/templates/cronjobs.yaml: Configures the cronjobs responsible for the authentication server's key rotation and Keycloak-related tasks, with a focus on secure credential management.
- charts/janssen/charts/casa/templates/deployment.yaml: Updates the deployment configuration for the Casa application, removing unnecessary persistence-related components.
- charts/janssen/charts/config-api/templates/deployment.yaml: Modifies the deployment configuration for the Config API application, handling different persistence types and cloud integrations securely.
- charts/janssen/charts/fido2/templates/deployment.yml: Updates the deployment configuration for the FIDO2 application, focusing on secure credential management and persistence layer changes.
- charts/janssen/charts/config/templates/secrets.yaml: Manages the generation and handling of various secrets used by the Janssen application, including passwords and authentication-related keys.
- charts/janssen/charts/kc-scheduler/templates/cronjobs.yaml: Updates the cronjob configuration for the Keycloak Scheduler, handling persistence-related changes.
- charts/janssen/charts/link/templates/deployment.yaml: Modifies the deployment configuration for the Link application, removing SQL-related persistence components.
- charts/janssen/charts/saml/templates/deployment.yaml: Updates the deployment configuration for the SAML application, handling changes to the persistence layer.
- charts/janssen/charts/persistence/templates/jobs.yml: Manages the persistence loader job, ensuring secure handling of sensitive credentials.
- docker-jans-all-in-one/Dockerfile: Updates the base image version and Couchbase user for the Janssen All-in-One Docker image.
- docker-jans-auth-server/README.md: Updates the default Couchbase user from "admin" to "jans".
- docker-jans-auth-server/Dockerfile: Updates the base image version and Couchbase user for the Janssen Auth Server Docker image.
- docker-jans-auth-server/scripts/wait.py: Removes the explicit wait for the persistence layer, which may have security implications and should be reviewed.
- docker-jans-casa/Dockerfile: Updates the base image version, Couchbase user, and Jetty configuration for the Janssen Casa Docker image.
- docker-jans-casa/README.md: Updates the default Couchbase user from "admin" to "jans".
- docker-jans-casa/scripts/wait.py: Removes the explicit wait for the persistence layer, which may have security implications an
Powered by DryRun Security
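The PR title describes using external secrets during the container initialization phase, and the DryRun summary above mentions moving passwords and certificates into Kubernetes Secrets. The block below is an added example written for this page; it is not code from this PR, from the Janssen Docker images or from jans-pycloudlib. It shows the loading pattern such a change relies on: prefer a secret mounted as a file (under an assumed `/run/secrets` directory, the Docker/Kubernetes convention) over a legacy `CN_<NAME>` environment variable (an assumed naming), fail closed when a required secret is missing, strip the trailing newline that file-based secrets commonly carry, and refuse a secret file that other local users can read. All paths, variable names and sample values are constructed for the example.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path
from typing import Mapping, Optional

# Hypothetical defaults, not taken from the Janssen images: Docker and
# Kubernetes both mount file-based secrets under /run/secrets by convention,
# and CN_<NAME> is an assumed env-var naming for the legacy fallback.
DEFAULT_SECRETS_DIR = "/run/secrets"
ENV_PREFIX = "CN_"


class SecretError(RuntimeError):
    """Raised when a required secret is missing or unsafely exposed."""


def load_secret(name: str,
                secrets_dir: str = DEFAULT_SECRETS_DIR,
                env: Optional[Mapping[str, str]] = None,
                required: bool = True,
                strict_perms: bool = True) -> Optional[str]:
    """Return the secret called `name`, preferring a mounted file over an env var.

    Lookup order: <secrets_dir>/<name>, then the env var CN_<NAME>. The file
    wins because it never shows up in `docker inspect`, /proc/<pid>/environ
    or the environment inherited by child processes, which is the reason for
    externalising secrets in the first place.
    """
    env = os.environ if env is None else env
    path = Path(secrets_dir) / name
    if path.is_file():
        if strict_perms:
            # Kubernetes mounts Secret files 0644 unless the volume sets
            # defaultMode; in that case any other local user can read them.
            mode = stat.S_IMODE(path.stat().st_mode)
            if mode & 0o077:
                raise SecretError(f"{path} has mode {mode:o}; expected 0400 or 0600")
        # A trailing newline left by `echo` or an editor is the classic
        # "wrong password" bug when a secret is supplied through a file.
        value = path.read_text(encoding="utf-8").rstrip("\r\n")
    else:
        value = env.get(ENV_PREFIX + name.upper())
    if not value:
        if required:
            raise SecretError(f"secret {name!r} not found as file or env var")
        return None
    return value


def fingerprint(value: str) -> str:
    """Short SHA-256 prefix that is safe to log, so startup logs can record
    which secret was loaded without ever writing the secret itself."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()[:12]


def demo() -> dict:
    """Constructed scenario: one secret mounted as a 0600 file with a trailing
    newline, one present only in a constructed environment, one missing."""
    with tempfile.TemporaryDirectory() as d:
        mounted = Path(d) / "db_password"
        mounted.write_text("s3cr3t-from-file\n", encoding="utf-8")
        mounted.chmod(0o600)
        fake_env = {"CN_DB_PASSWORD": "stale-env-value",
                    "CN_LDAP_PASSWORD": "ldap-from-env"}
        result = {
            # The mounted file beats the env var and the newline is stripped.
            "db": load_secret("db_password", d, fake_env),
            # No file for this one, so the env var fallback is used.
            "ldap": load_secret("ldap_password", d, fake_env),
            # An optional secret absent everywhere yields None, no exception.
            "optional": load_secret("smtp_password", d, fake_env, required=False),
        }
        result["db_fp"] = fingerprint(result["db"])
        # A group/world-readable mount is rejected rather than silently used.
        mounted.chmod(0o644)
        try:
            load_secret("db_password", d, fake_env)
            result["perm_rejected"] = False
        except SecretError:
            result["perm_rejected"] = True
        # A required secret missing everywhere raises, so startup fails closed.
        try:
            load_secret("missing", d, fake_env)
            result["missing_raises"] = False
        except SecretError:
            result["missing_raises"] = True
        return result


if __name__ == "__main__":
    print(demo())
```

When the secret is delivered through a Kubernetes Secret volume, set `defaultMode` on the volume (0400 with the container's `runAsUser`, or 0440 with a matching `fsGroup`) so the permission check above passes; leaving the default 0644 is exactly the exposure the check is meant to catch.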