fix: protect mongo and redis by password [run-int-tests]

Signed-off-by: Ilya Kheifets <[email protected]>

Author: ikheifets-splunk

charts/splunk-connect-for-snmp/templates/_helpers.tpl

@@ -1,10 +1,36 @@
 {{- define "splunk-connect-for-snmp.mongo_uri" -}}
+
+{{- if or (not (empty .Values.mongodb.auth.existingSecret)) (not (empty .Values.mongodb.auth.rootPassword)) }}
+    {{- $mongoPassword := "" }}
+
+    {{- if (not (empty .Values.mongodb.auth.existingSecret)) }}
+        {{- $mongoSecretName := .Values.mongodb.auth.existingSecret }}
+        {{- $mongoSecret := lookup "v1" "Secret" .Release.Namespace $mongoSecretName }}
+
+        {{- if not $mongoSecret }}
+            {{- fail (printf "Secret '%s' not found in namespace '%s'. Please create it before deploying." $mongoSecretName .Release.Namespace) }}
+        {{- end }}
+
+        {{- $mongoPassword = get $mongoSecret.data "mongodb-root-password" | b64dec }}
+    {{- else }}
+        {{- $mongoPassword = .Values.mongodb.auth.rootPassword }}
+    {{- end }}
+
+    {{- if eq .Values.mongodb.architecture "replicaset" }}
+        {{- printf "mongodb+srv://root:%s@%s-mongodb-headless.%s.svc.%s/?tls=false&ssl=false&replicaSet=rs0"  $mongoPassword .Release.Name .Release.Namespace .Values.mongodb.clusterDomain}}
+    {{- else }}
+        {{- printf "mongodb://root:%s@%s-mongodb:27017" $mongoPassword  .Release.Name }}
+    {{- end }}
+{{- else }}
+
 {{- if eq .Values.mongodb.architecture "replicaset" }}
 {{- printf "mongodb+srv://%s-mongodb-headless.%s.svc.%s/?tls=false&ssl=false&replicaSet=rs0" .Release.Name .Release.Namespace .Values.mongodb.clusterDomain}}
 {{- else }}
 {{- printf "mongodb://%s-mongodb:27017" .Release.Name }}
-{{- end }}  
-{{- end }}  
+{{- end }}
+
+{{- end }}
+{{- end }}
 
 {{- define "splunk-connect-for-snmp.mongodbHost" -}}
 {{- if .Values.mongodbHost }}
@@ -15,18 +41,73 @@
 {{- end }}
 
 {{- define "splunk-connect-for-snmp.celery_url" -}}
+
+{{- if or (not (empty .Values.redis.auth.existingSecret)) (not (empty .Values.redis.auth.password)) }}
+
+    {{- $redisPassword := "" }}
+
+    {{- if (not (empty .Values.redis.auth.existingSecret)) }}
+        {{- $redisSecretName := .Values.redis.auth.existingSecret }}
+        {{- $redisSecret := lookup "v1" "Secret" .Release.Namespace $redisSecretName }}
+
+        {{- if not $redisSecret }}
+            {{- fail (printf "Secret '%s' not found in namespace '%s'. Please create it before deploying." $redisSecretName .Release.Namespace) }}
+        {{- end }}
+
+        {{- $redisPassword = get $redisSecret.data "redis-password" | b64dec }}
+    {{- else }}
+        {{- $redisPassword = .Values.redis.auth.password }}
+    {{- end }}
+
+    {{- if and ( eq .Values.redis.architecture "replication" ) .Values.redis.sentinel.enabled  }}
+        {{- printf "redis://:%s@%s-redis:6379/0" $redisPassword .Release.Name }}
+    {{- else }}
+        {{- printf "redis://:%s@%s-redis-master:6379/0" $redisPassword .Release.Name }}
+    {{- end }}
+{{- else }}
+
+
 {{- if and ( eq .Values.redis.architecture "replication" ) .Values.redis.sentinel.enabled  }}
 {{- printf "redis://%s-redis:6379/0" .Release.Name }}
 {{- else }}
 {{- printf "redis://%s-redis-master:6379/0" .Release.Name }}
+{{- end }}
+
 {{- end }}
 {{- end }}
 
 {{- define "splunk-connect-for-snmp.redis_url" -}}
+
+{{- if or (not (empty .Values.redis.auth.existingSecret)) (not (empty .Values.redis.auth.password)) }}
+
+    {{- $redisPassword := "" }}
+
+    {{- if (not (empty .Values.redis.auth.existingSecret)) }}
+        {{- $redisSecretName := .Values.redis.auth.existingSecret }}
+        {{- $redisSecret := lookup "v1" "Secret" .Release.Namespace $redisSecretName }}
+
+        {{- if not $redisSecret }}
+            {{- fail (printf "Secret '%s' not found in namespace '%s'. Please create it before deploying." $redisSecretName .Release.Namespace) }}
+        {{- end }}
+
+        {{- $redisPassword = get $redisSecret.data "redis-password" | b64dec }}
+    {{- else }}
+        {{- $redisPassword = .Values.redis.auth.password }}
+    {{- end }}
+
+    {{- if and ( eq .Values.redis.architecture "replication" ) .Values.redis.sentinel.enabled  }}
+        {{- printf "redis://:%s@%s-redis:6379/1" $redisPassword .Release.Name }}
+    {{- else }}
+        {{- printf "redis://:%s@%s-redis-master:6379/1" $redisPassword .Release.Name }}
+    {{- end }}
+{{- else }}
+
 {{- if and ( eq .Values.redis.architecture "replication" ) .Values.redis.sentinel.enabled  }}
 {{- printf "redis://%s-redis:6379/1" .Release.Name }}
 {{- else }}
 {{- printf "redis://%s-redis-master:6379/1" .Release.Name }}
+{{- end }}
+
 {{- end }}
 {{- end }}
 

charts/splunk-connect-for-snmp/templates/mongodb-6.0-upgrade-job.yaml

@@ -20,17 +20,38 @@ spec:
                   {{- else }}
                     {{ .Values.mongodb.image.repository }}:{{ .Values.mongodb.image.tag }}
                   {{- end }}
+
+          {{- $mongoPass := lookup "v1" "Secret" .Release.Namespace "snmp-mongodb" }}
+          {{- $mongoSecret := lookup "v1" "Secret" .Release.Namespace .Values.mongodb.auth.existingSecret }}
+          
+          {{- if $mongoPass }}
+          env:
+            - name: MONGO_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: snmp-mongodb
+                  key: mongodb-root-password
+          {{- end }}
+
+          {{- if and $mongoSecret .Values.mongodb.auth.existingSecret}}
+          env:
+            - name: MONGO_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.mongodb.auth.existingSecret }}
+                  key: mongodb-root-password
+          {{- end }}
           command:
             - /bin/bash
             - -c
             - |
               echo "Checking current mongo FCV"
-              FCV=$(mongosh --host {{ include "splunk-connect-for-snmp.mongodbHost" . | quote }} --quiet --eval 'db.adminCommand({ getParameter: 1, featureCompatibilityVersion: 1 }).featureCompatibilityVersion.version')
+              FCV=$(mongosh --host {{ include "splunk-connect-for-snmp.mongodbHost" . | quote }} {{- if or $mongoPass .Values.mongodb.auth.existingSecret }} --username root --password $MONGO_PASSWORD {{- end }} --quiet --eval 'db.adminCommand({ getParameter: 1, featureCompatibilityVersion: 1 }).featureCompatibilityVersion.version')
               echo "Current Mongo Feature Compatibility Version: $FCV"
               
               if [[ "$FCV" < "6.0" ]]; then
                 echo "FCV < 6.0, setting to 6.0"
-                mongosh --host {{ include "splunk-connect-for-snmp.mongodbHost" . | quote }}  --eval 'db.adminCommand({ setFeatureCompatibilityVersion: "6.0" })'
+                mongosh --host {{ include "splunk-connect-for-snmp.mongodbHost" . | quote }} {{- if or $mongoPass .Values.mongodb.auth.existingSecret }}  --username root --password $MONGO_PASSWORD {{- end }} --eval 'db.adminCommand({ setFeatureCompatibilityVersion: "6.0" })'
               else
                 echo "FCV >= 6.0, nothing to be changed"
               fi

docs/dockercompose/11-protect-by-password.md

@@ -0,0 +1,31 @@
+## Protect Mongo and Redis by password
+
+In your `docker-compose.yaml` [specify](https://hub.docker.com/r/bitnami/redis) for Redis container `REDIS_PASSWORD` or `REDIS_PASSWORD_FILE`:
+
+```
+  redis:
+  ...
+    environment:
+      - REDIS_PASSWORD=...
+```
+
+The same thing you to [specify](https://hub.docker.com/r/bitnami/mongodb) for Mongo container using `MONGODB_ROOT_PASSWORD`:
+
+```
+  mongo:
+  ...
+    environment:
+      - MONGODB_ROOT_PASSWORD=...
+```
+
+After that just update connection string:
+
+```
+REDIS_URL: redis://:pass@redis:6379/1
+CELERY_BROKER_URL: redis://:pass@redis:6379/0
+MONGO_URI: mongodb://root:pass@mongo:27017/
+```
+
+!!! Warning
+    If you wanna update the password you need to make it manually using `mongo` and `redis` cli.
+    And only after that you need to update `REDIS_PASSWORD`/ `MONGODB_ROOT_PASSWORD` and connection strings.

docs/microk8s/configuration/protect-by-password.md

@@ -0,0 +1,55 @@
+# Protect Mongo and Redis by password
+
+## Using secrets
+
+Create secrets for Mongo and Redis:
+
+```
+microk8s kubectl create secret generic redis-auth-secret \
+  --from-literal=redis-password=your_password -n sc4snmp
+
+microk8s kubectl create secret generic mongodb-auth-secret \
+  --from-literal=mongodb-root-password=your_password -n sc4snmp
+```
+
+Reference on this secrets in  `values.yaml`:
+
+```
+redis:
+    auth:
+        enabled: true
+        existingSecret: "redis-auth-secret"
+
+mongodb:
+    auth:
+        enabled: true
+        existingSecret: "mongodb-auth-secret"
+```
+
+Redeploy SC4SNMP
+
+!!! Warning
+    In case of failing migration jobs, update password manually using `mongosh` CLI.
+
+
+## Using password
+
+
+Set passwords in  `values.yaml`:
+
+```
+redis:
+    auth:
+        enabled: true
+        password: "redis-auth-secret"
+
+mongodb:
+    auth:
+        enabled: true
+        rootPassword: "mongodb-auth-secret"
+```
+
+Redeploy SC4SNMP
+
+!!! Warning
+    In case of failing migration jobs, update password manually using `mongosh` CLI.

mkdocs.yml

@@ -55,6 +55,7 @@ nav:
       - Offline installation: "dockercompose/8-offline-installation.md"
       - Sending logs to Splunk: "dockercompose/9-splunk-logging.md"
       - Enable IPv6: "dockercompose/10-enable-ipv6.md"
+      - Protect redis and mongo by password: "dockercompose/11-protect-by-password.md"
   - Getting Started with Microk8s:
       - Installation:
         - Splunk Requirements: "microk8s/splunk-requirements.md"
@@ -80,6 +81,7 @@ nav:
           - SNMPv3 configuration: "microk8s/configuration/snmpv3-configuration.md"
           - Splunk Infrastructure Monitoring: "microk8s/configuration/sim-configuration.md"
           - CoreDNS: "microk8s/configuration/coredns-configuration.md"
+          - Protect redis and mongo by password: "microk8s/configuration/protect-by-password.md"
       - Offline Installation:
           - Install Microk8s: "microk8s/offlineinstallation/offline-microk8s.md"
           - Install Splunk OpenTelemetry Collector for Kubernetes: "microk8s/offlineinstallation/offline-sck.md"