will/rxminder
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
rxminder/SECURITY.md

196 lines
5.3 KiB
Markdown
Raw Permalink Blame History

# 🔐 Security Configuration Guide for RxMinder
This guide outlines the security configurations in RxMinder and how to properly secure your deployment.
> **📋 Related Documentation**: For application-level security practices (password requirements, authentication, etc.), see [`docs/development/APPLICATION_SECURITY.md`](docs/development/APPLICATION_SECURITY.md)
## ⚠️ Critical Security Updates
We use a template-based approach with environment variables for secure, user-friendly credential management.
## 🔑 Template-Based Configuration
### Kubernetes Deployment
**Files**: `k8s/*.yaml.template`
RxMinder uses Kubernetes template files that automatically substitute environment variables. No manual base64 encoding required!
**Template files:**
- `k8s/couchdb-secret.yaml.template` - Database credentials
- `k8s/ingress.yaml.template` - Ingress configuration
- `k8s/configmap.yaml.template` - Application configuration
- `k8s/frontend-deployment.yaml.template` - Frontend deployment
**Example secret template:**
```yaml
apiVersion: v1
kind: Secret
metadata:
name: couchdb-secret
labels:
app: ${APP_NAME:-rxminder}
type: Opaque
stringData:
username: ${COUCHDB_USER:-admin}
password: ${COUCHDB_PASSWORD:-change-this-secure-password}
```
### Environment Variables
**File**: `.env`
```env
# Application Name (used in Kubernetes labels)
APP_NAME=rxminder
# Database Credentials (automatically substituted in templates)
COUCHDB_USER=admin
COUCHDB_PASSWORD=your-very-secure-password
VITE_COUCHDB_USER=admin
VITE_COUCHDB_PASSWORD=your-very-secure-password
# Kubernetes Configuration
INGRESS_HOST=rxminder.yourdomain.com
```
## 🚀 Template-Based Deployment
### Quick Start
1. **Copy environment template:**
```bash
cp .env.example .env
```
2. **Update .env with your secure credentials:**
```bash
# Edit .env with your secure passwords and configuration
nano .env
```
3. **Deploy with templates:**
```bash
./scripts/k8s-deploy-template.sh deploy
```
The deployment script automatically:
- ✅ Loads environment variables from `.env`
- ✅ Substitutes variables in template files
- ✅ Applies resources in correct dependency order
- ✅ Runs database seeding
- ✅ Shows deployment status
## 🛡️ Security Best Practices
### 1. **Strong Passwords**
- Use passwords with at least 16 characters
- Include uppercase, lowercase, numbers, and symbols
- Use a password manager to generate unique passwords
### 2. **Environment-Specific Credentials**
- **Development**: Use different credentials than production
- **Staging**: Use different credentials than production
- **Production**: Use strong, unique credentials
### 3. **Credential Rotation**
- Rotate database credentials regularly
- Update Kubernetes secrets using `kubectl`
- Update Docker environment variables
### 4. **Secret Management**
- Never commit actual credentials to version control
- Use Kubernetes secrets for production deployments
- Consider external secret management (HashiCorp Vault, etc.)
## 🔄 Updating Credentials
### Kubernetes Environment
```bash
# Create new secret with secure credentials
kubectl create secret generic couchdb-secret \
--from-literal=username=your-secure-username \
--from-literal=password=your-very-secure-password \
--dry-run=client -o yaml | kubectl apply -f -
# Restart pods to pick up new credentials
kubectl rollout restart statefulset/couchdb
kubectl rollout restart deployment/frontend
```
### Docker Environment
````bash
### Docker Environment
```bash
# Update environment variables and restart containers
export COUCHDB_PASSWORD="your-very-secure-password"
export VITE_COUCHDB_PASSWORD="your-very-secure-password"
docker compose down && docker compose up -d
````
## 🔄 CI/CD Security
### GitHub Actions / Gitea Workflows
Set these secrets in your repository settings:
- `VITE_COUCHDB_PASSWORD`: Your production CouchDB password
- `GITEA_TOKEN` / `GITHUB_TOKEN`: For container registry authentication
**Important**: CI/CD workflows use secure fallback values but should use repository secrets for production builds.
### Test Environments
Test databases use secure passwords by default:
- CI containers: `test-secure-password`
- End-to-end tests: Use dedicated test credentials (acceptable for testing)
## ✅ Security Checklist
```
## ⚡ Quick Security Checklist
- [ ] Changed default admin password in `k8s/couchdb-secret.yaml`
- [ ] Updated `.env` file with secure credentials
- [ ] Used different passwords for each environment
- [ ] Credentials are not in version control (in `.gitignore`)
- [ ] Reviewed all scripts for hardcoded values
- [ ] Configured proper network policies (if using Kubernetes)
- [ ] Set up TLS/SSL for production deployments
## 🚨 Emergency Response
If credentials are compromised:
1. **Immediately** change passwords in all environments
2. Rotate Kubernetes secrets
3. Review access logs
4. Update any applications using the old credentials
5. Consider rotating container registry credentials if needed
## 📚 Additional Resources
- [CouchDB Security Best Practices](https://docs.couchdb.org/en/stable/intro/security.html)
- [Kubernetes Secrets Management](https://kubernetes.io/docs/concepts/configuration/secret/)
- [Docker Secrets](https://docs.docker.com/engine/swarm/secrets/)
---
**Remember**: Security is an ongoing process, not a one-time setup. Regularly review and update your security configurations.
```
Reference in New Issue View Git Blame Copy Permalink