
feat(docker): add support for using external secrets for initialization phase #8197

Closed
wants to merge 25 commits into from

Conversation

iromli (Contributor) commented Apr 1, 2024

Prepare


Description

Target issue

closes #7547

Implementation Details


Test and Document the changes

  • Static code analysis has been run locally and issues have been fixed
  • Relevant unit and integration tests have been added/updated
  • Relevant documentation has been updated if any (i.e. user guides, installation and configuration guides, technical design docs etc)


codecov bot commented Apr 1, 2024

Codecov Report

Attention: Patch coverage is 63.79310% with 21 lines in your changes missing coverage. Please review.

Please upload report for BASE (main@8b125a4). Learn more about missing BASE report.

Current head 4e716c1 differs from pull request most recent head 059d30f

Please upload reports for the commit 059d30f to get more accurate results.

Files                                                    Patch %   Lines
...-pycloudlib/jans/pycloudlib/lock/couchbase_lock.py     0.00%    9 Missing ⚠️
...ycloudlib/jans/pycloudlib/persistence/couchbase.py    80.64%    6 Missing ⚠️
...ans-pycloudlib/jans/pycloudlib/persistence/ldap.py    25.00%    3 Missing ⚠️
jans-pycloudlib/jans/pycloudlib/lock/ldap_lock.py         0.00%    1 Missing ⚠️
jans-pycloudlib/jans/pycloudlib/lock/sql_lock.py          0.00%    1 Missing ⚠️
jans-pycloudlib/jans/pycloudlib/persistence/sql.py       90.90%    1 Missing ⚠️
Additional details and impacted files
@@           Coverage Diff           @@
##             main    #8197   +/-   ##
=======================================
  Coverage        ?   59.93%           
=======================================
  Files           ?       36           
  Lines           ?     3190           
  Branches        ?        0           
=======================================
  Hits            ?     1912           
  Misses          ?     1278           
  Partials        ?        0           
Flag Coverage Δ
unittests 59.93% <63.79%> (?)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.

@iromli iromli self-assigned this Apr 15, 2024
Quality Gate passed for 'agama parent'

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
No data about Duplication

See analysis details on SonarCloud

Quality Gate passed for 'orm'

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
No data about Duplication

See analysis details on SonarCloud

Quality Gate passed for 'jans-cli'

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
No data about Duplication

See analysis details on SonarCloud

Quality Gate passed for 'Jans-Keycloak-Link'

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
No data about Duplication

See analysis details on SonarCloud

Quality Gate passed for 'Jans lock server parent'

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
No data about Duplication

See analysis details on SonarCloud

Quality Gate passed for 'jans-config-api-parent'

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
No data about Duplication

See analysis details on SonarCloud

Quality Gate passed for 'keycloak-integration-parent'

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
No data about Duplication

See analysis details on SonarCloud

Quality Gate passed for 'Fido2 API'

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
No data about Duplication

See analysis details on SonarCloud

Quality Gate passed for 'SCIM API'

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
No data about Duplication

See analysis details on SonarCloud

Quality Gate passed for 'jans-core'

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
No data about Duplication

See analysis details on SonarCloud


sonarqubecloud bot commented Jun 3, 2024

Quality Gate passed for 'Jans-Keycloak-Link'

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
No data about Duplication

See analysis details on SonarCloud

sonarqubecloud bot commented Jun 3, 2024

Quality Gate passed for 'Fido2 API'

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
No data about Duplication

See analysis details on SonarCloud

sonarqubecloud bot commented Jun 3, 2024

Quality Gate passed for 'SCIM API'

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
No data about Duplication

See analysis details on SonarCloud


dryrunsecurity bot commented Jun 7, 2024

Hi there 👋, @DryRunSecurity here, below is a summary of our analysis and findings.

DryRun Security Status Findings
Server-Side Request Forgery Analyzer 0 findings
Configured Codepaths Analyzer 0 findings
Secrets Analyzer 0 findings
Authn/Authz Analyzer 7 findings
SQL Injection Analyzer 0 findings
Sensitive Files Analyzer 7 findings
IDOR Analyzer 0 findings

Note

🟢 Risk threshold not exceeded.

Change Summary

The following is a summary of changes in this pull request made by me, your security buddy 🤖. Note that this summary is auto-generated and not meant to be a definitive list of security issues but rather a helpful summary from a security perspective.

Summary:

The code changes in this pull request cover a wide range of Janssen application components, focusing on improving the security and maintainability of the application's deployment and configuration. Key security-related changes include:

  1. Updating the default Couchbase user from "admin" to a more specific "jans" user, reducing the risk of unauthorized access.
  2. Enhancing the handling of sensitive information, such as passwords and certificates, by using Kubernetes Secrets and secure credential management practices.
  3. Introducing flexibility in persistence layer configuration, allowing the application to be deployed with different data storage options (Couchbase, LDAP, SQL) while maintaining secure practices.
  4. Improving logging and monitoring capabilities, including Prometheus integration, to enable better security monitoring and incident response.
  5. Implementing the principle of least privilege by running the application as a non-root user and adjusting file permissions accordingly.

Overall, the changes in this pull request demonstrate a strong focus on application security, with an emphasis on secure credential management, flexible persistence configuration, and improved monitoring and logging capabilities. These improvements help to reduce the attack surface and enhance the overall security posture of the Janssen application ecosystem.

Files Changed:

  1. charts/janssen-all-in-one/templates/secret.yaml: Updates the naming of sensitive fields, such as passwords, to improve clarity and consistency.
  2. charts/janssen/charts/auth-server-key-rotation/templates/cronjobs.yaml: Handles the configuration and execution of the authentication server's key rotation process, including the management of various secrets and credentials.
  3. charts/janssen/charts/auth-server/templates/deployment.yml: Manages the deployment configuration for the authentication server, including the handling of secrets and persistence types.
  4. charts/janssen-all-in-one/templates/cronjobs.yaml: Configures the cronjobs responsible for the authentication server's key rotation and Keycloak-related tasks, with a focus on secure credential management.
  5. charts/janssen/charts/casa/templates/deployment.yaml: Updates the deployment configuration for the Casa application, removing unnecessary persistence-related components.
  6. charts/janssen/charts/config-api/templates/deployment.yaml: Modifies the deployment configuration for the Config API application, handling different persistence types and cloud integrations securely.
  7. charts/janssen/charts/fido2/templates/deployment.yml: Updates the deployment configuration for the FIDO2 application, focusing on secure credential management and persistence layer changes.
  8. charts/janssen/charts/config/templates/secrets.yaml: Manages the generation and handling of various secrets used by the Janssen application, including passwords and authentication-related keys.
  9. charts/janssen/charts/kc-scheduler/templates/cronjobs.yaml: Updates the cronjob configuration for the Keycloak Scheduler, handling persistence-related changes.
  10. charts/janssen/charts/link/templates/deployment.yaml: Modifies the deployment configuration for the Link application, removing SQL-related persistence components.
  11. charts/janssen/charts/saml/templates/deployment.yaml: Updates the deployment configuration for the SAML application, handling changes to the persistence layer.
  12. charts/janssen/charts/persistence/templates/jobs.yml: Manages the persistence loader job, ensuring secure handling of sensitive credentials.
  13. docker-jans-all-in-one/Dockerfile: Updates the base image version and Couchbase user for the Janssen All-in-One Docker image.
  14. docker-jans-auth-server/README.md: Updates the default Couchbase user from "admin" to "jans".
  15. docker-jans-auth-server/Dockerfile: Updates the base image version and Couchbase user for the Janssen Auth Server Docker image.
  16. docker-jans-auth-server/scripts/wait.py: Removes the explicit wait for the persistence layer, which may have security implications and should be reviewed.
  17. docker-jans-casa/Dockerfile: Updates the base image version, Couchbase user, and Jetty configuration for the Janssen Casa Docker image.
  18. docker-jans-casa/README.md: Updates the default Couchbase user from "admin" to "jans".
  19. docker-jans-casa/scripts/wait.py: Removes the explicit wait for the persistence layer, which may have security implications an


sonarqubecloud bot commented Jun 7, 2024

Quality Gate passed for 'agama parent'

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
No data about Duplication

See analysis details on SonarCloud

sonarqubecloud bot commented Jun 7, 2024

Quality Gate passed for 'jans-linux-setup'

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
No data about Duplication

See analysis details on SonarCloud

sonarqubecloud bot commented Jun 7, 2024

Quality Gate passed for 'jans-cli'

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
No data about Duplication

See analysis details on SonarCloud

sonarqubecloud bot commented Jun 7, 2024

Quality Gate passed for 'jans-core'

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
No data about Duplication

See analysis details on SonarCloud

sonarqubecloud bot commented Jun 7, 2024

Quality Gate passed for 'jans-config-api-parent'

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
No data about Duplication

See analysis details on SonarCloud


@iromli iromli closed this Sep 16, 2024
@iromli iromli deleted the cn-refactor-secret-config branch September 16, 2024 22:04
2 participants