security pass for secret access #325

New issue

Open

opened 2023-11-12 12:10:24 +00:00 by jessebot · 0 comments

jessebot commented 2023-11-12 12:10:24 +00:00 (Migrated from github.com)

Copy link

Description

Before we get into actual production, we need to do a security pass. We've already ensured secure database connections everywhere. The next step is taking a look at what prevents other connected users from viewing secrets such as:

• root credentials
• postgres certs

Not sure if RBAC makes the most sense here... like restricting access to a specific cluster role or service account?

Needs to be reviewed (and possibly updated for) the following apps.

nextcloud

• nextcloud config
• minio tenant secret config
• postgresql certs
  • server-certs
  • client-certs
  • keypair-server-certs
  • keypair-client-certs

zitadel

• minio tenant
• postgresql certs
  • server-certs
  • client-certs
  • keypair-server-certs
  • keypair-client-certs

mastodon

• minio tenant secret config
• mastodon secret config
• mastodon default config configmap while we're at it
• postgresql certs
  • server-certs
  • client-certs
  • keypair-server-certs
  • keypair-client-certs

matrix

• matrix secret config
• minio tenant secret config
• postgresql certs
  • server-certs
  • client-certs
  • keypair-server-certs
  • keypair-client-certs

bitwarden eso provider

• credentials secret

argocd

• oidc secret

# Description Before we get into actual production, we need to do a security pass. We've already ensured secure database connections everywhere. The next step is taking a look at what prevents other connected users from viewing secrets such as: - root credentials - postgres certs Not sure if RBAC makes the most sense here... like restricting access to a specific cluster role or service account? Needs to be reviewed (and possibly updated for) the following apps. ## nextcloud - [ ] nextcloud config - [ ] minio tenant secret config - postgresql certs - [ ] server-certs - [ ] client-certs - [ ] keypair-server-certs - [ ] keypair-client-certs ## zitadel - [ ] minio tenant - postgresql certs - [ ] server-certs - [ ] client-certs - [ ] keypair-server-certs - [ ] keypair-client-certs ## mastodon - [ ] minio tenant secret config - [ ] mastodon secret config - [ ] mastodon default config configmap while we're at it - postgresql certs - [ ] server-certs - [ ] client-certs - [ ] keypair-server-certs - [ ] keypair-client-certs ## matrix - [ ] matrix secret config - [ ] minio tenant secret config - postgresql certs - [ ] server-certs - [ ] client-certs - [ ] keypair-server-certs - [ ] keypair-client-certs ## bitwarden eso provider - [ ] credentials secret ## argocd - [ ] oidc secret

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

harbor-refresh

cloudymax-patch-1

forgejo-federation

renovate/tempo-distributed-1.x

renovate/postgresql-18.x

renovate/argo-cd-9.x

renovate/kubevirt-vm-0.x

renovate/hashicorp-vault-1.x

renovate/openbao-0.x

renovate/nextcloud-8.x

finish-juicefs

renovate/kubevirt-stack-0.x

temporary-storage-class-fix

swfs-kubevirt

no-smtp-env-vars

new-loki

forgejo-testing

renovate/https-github.com-metallb-metallb.git-0.x

environment-promotion-idea

valkey-nextcloud

renovate/registry-1.docker.io-bitnamicharts-valkey-2.x

simple

renovate/seaweedfs-4.x

grafana-login-enabled

no-smtp-zitadel

try-wrenix-pr-480

add-rss-bot

disable-modsecurity

testing-haproxy

routhinator-may-2-suggestion

bradley

feat/workflows

fix/home-assistant-proxy

feat/ingress-metrics-enabled

argo-multi-source-issue

max-testing

add-nvidia-apps

old-secrets-for-peertube

before-hookshot-removal

nextclouud-s3-as-primary-object-store

before-eso-helm-chart-test-merge

before-nextcloud-cron-removal

maxs-old-bweso

Labels

Clear labels   

WAF

something to do with our WAF

  

blocked

unable to move forward at this time

  

bug

Something isn't working

  

ci/cd

antyhing to do with continous integration/deployment including renovatebot

  

documentation

Improvements or additions to documentation

  

duplicate

This issue or pull request already exists

  

enhancement

New feature or request

  

good first issue

Good for newcomers

  

help wanted

Extra attention is needed

  

ingress

  

invalid

This doesn't seem right

  

monitoring

  

question

Further information is requested

  

security

  

wontfix

This will not be worked on

  

😭 email

anything to do with SMTP or email generally

No labels

WAF

blocked

bug

ci/cd

documentation

duplicate

enhancement

good first issue

help wanted

ingress

invalid

monitoring

question

security

wontfix

😭 email

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

small-hack/argocd-apps#325

No description provided.