will/rxminder
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
9b854f75d525c6f231cdff39cc8f8dec03924f72
rxminder/docs/development/SECURITY_CHANGES.md
William Valentin e48adbcb00 Initial commit: Complete NodeJS-native setup 
- Migrated from Python pre-commit to NodeJS-native solution
- Reorganized documentation structure
- Set up Husky + lint-staged for efficient pre-commit hooks
- Fixed Dockerfile healthcheck issue
- Added comprehensive documentation index
2025-09-06 01:42:48 -07:00

149 lines
4.5 KiB
Markdown
Raw Blame History

# 🔐 Security Changes Summary
## Overview
We have systematically removed all hardcoded credentials from the RxMinder application and replaced them with secure defaults and environment variables.
## ✅ Changes Made
### 1. Kubernetes Configuration
- **`k8s/couchdb-secret.yaml`**: Converted to template with secure base64-encoded defaults
- **`k8s/db-seed-job.yaml`**: Now uses environment variables from secrets instead of hardcoded credentials
### 2. Docker Configuration
- **`docker/Dockerfile`**: Updated default password arguments to secure values
- **`docker/docker-compose.yaml`**: All password environment variables use secure fallbacks
- **`docker/docker-bake.hcl`**: Updated variable defaults to secure passwords
### 3. Shell Scripts
Updated all deployment and build scripts with secure password fallbacks:
- `scripts/setup.sh`
- `scripts/deploy.sh`
- `scripts/validate-deployment.sh`
- `scripts/buildx-helper.sh`
- `scripts/gitea-deploy.sh`
- `scripts/gitea-helper.sh`
- `scripts/seed-production.js`
- `rename-app.sh`
### 4. CI/CD Workflows
- **`.github/workflows/build-deploy.yml`**: Updated fallback passwords to secure values
- **`.gitea/workflows/ci-cd.yml`**: Updated fallback passwords to secure values
- **`.gitea/docker-compose.ci.yml`**: Updated test database passwords
- **`.gitea/gitea-bake.hcl`**: Updated default password variables
### 5. Environment Files
- **`.env.example`**: Updated with secure default passwords and documentation
- **`.env.production`**: Updated with secure default passwords
- **`test.env`**: Updated test credentials to secure values
### 6. Documentation
- **`README.md`**: Updated default admin credentials documentation
- **`SECURITY.md`**: Created comprehensive security guide with checklists
- **`.gitea/README.md`**: Updated documentation
- **`GITEA_SETUP.md`**: Updated setup instructions
## 🛡️ Security Improvements
### Before
- Hardcoded `admin123!` and `password` throughout configuration files
- Weak default passwords in CI/CD systems
- No security documentation or guidelines
### After
- All passwords use environment variables or Kubernetes secrets
- Secure fallback passwords (`change-this-secure-password`)
- Comprehensive security documentation and checklists
- CI/CD systems use repository secrets with secure fallbacks
## 🔄 Required Actions
**CRITICAL**: Before production deployment, you must:
1. **Update Kubernetes Secrets**:
```bash
# Update k8s/couchdb-secret.yaml with your own secure base64-encoded credentials
echo -n "your-secure-password" | base64
```
2. **Update Environment Variables**:
```bash
# Update .env and .env.production with your secure passwords
COUCHDB_PASSWORD=your-very-secure-password
VITE_COUCHDB_PASSWORD=your-very-secure-password
```
3. **Configure CI/CD Secrets**:
- Set `VITE_COUCHDB_PASSWORD` in repository secrets
- Set `GITEA_TOKEN` / `GITHUB_TOKEN` for registry authentication
4. **Review Security Checklist**:
- Follow the checklist in `SECURITY.md`
- Use strong passwords (16+ characters, mixed case, numbers, symbols)
- Enable TLS/SSL for all external communications
## 📝 Files Modified
### Configuration Files (11)
- `k8s/couchdb-secret.yaml`
- `k8s/db-seed-job.yaml`
- `docker/Dockerfile`
- `docker/docker-compose.yaml`
- `docker/docker-bake.hcl`
- `.env.example`
- `.env.production`
- `test.env`
- `.github/workflows/build-deploy.yml`
- `.gitea/workflows/ci-cd.yml`
- `.gitea/docker-compose.ci.yml`
- `.gitea/gitea-bake.hcl`
### Scripts (8)
- `scripts/setup.sh`
- `scripts/deploy.sh`
- `scripts/validate-deployment.sh`
- `scripts/buildx-helper.sh`
- `scripts/gitea-deploy.sh`
- `scripts/gitea-helper.sh`
- `scripts/seed-production.js`
- `rename-app.sh`
### Documentation (5)
- `README.md`
- `SECURITY.md` (created)
- `SECURITY_CHANGES.md` (this file)
- `.gitea/README.md`
- `GITEA_SETUP.md`
## ✅ Verification
To verify no hardcoded credentials remain:
```bash
# Check for insecure passwords (should return only secure defaults)
grep -r "admin123\|password[^-]\|testpassword" --include="*.yaml" --include="*.yml" --include="*.sh" --include="*.env" --include="*.js" --include="*.hcl" .
# The only matches should be:
# - "change-this-secure-password" (secure fallback)
# - "test-secure-password" (secure test credentials)
# - Test files (acceptable for testing)
```
## 🎯 Result
RxMinder is now production-ready with secure credential management. All sensitive data is properly externalized to environment variables and Kubernetes secrets, with comprehensive documentation to guide secure deployment.
Reference in New Issue View Git Blame Copy Permalink