GDB-10752 Add password hash for the security provisioner
Vladislav Nikolov committed Sep 9, 2024
1 parent f193bc8 commit eb757d1
Showing 4 changed files with 14 additions and 2 deletions.
3 changes: 2 additions & 1 deletion CHANGELOG.md
Expand Up @@ -10,8 +10,9 @@
- Local backups support saving the GraphDB backup archives in volume from an existing persistent volume claim, configured
with `backup.local`
- Cloud backups support uploading the GraphDB backup archives in one of the supported cloud object storage services, configured
with `backup.cloud`
- Added a new example under [examples/backup-local](examples/backup-local) showing how to use the local backup feature
with `backup.cloud`
- Added a new property - `security.provisioner.passwordHash`

### Fixed
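Review bot: The new changelog entry for `security.provisioner.passwordHash` only names the property and does not say what it does. Suggest describing it like the neighbouring entries, for example that it accepts a pre-computed `{bcrypt}` hash for the provisioner user, which is used instead of hashing `security.provisioner.password`. Also check the `backup.cloud` continuation line that now follows the `examples/backup-local` entry: that entry is about the local backup feature and the same line already closes the cloud backups entry above it, so it looks misplaced.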

2 changes: 1 addition & 1 deletion files/config/users.js
Expand Up @@ -16,7 +16,7 @@
{{- include "grahdb.security.extra-users.json" . | nindent 4 }}
"{{ .Values.security.provisioner.username }}" : {
"username" : "{{ .Values.security.provisioner.username }}",
"password" : "{bcrypt}{{ htpasswd .Values.security.provisioner.username .Values.security.provisioner.password | trimPrefix (printf "%s:" .Values.security.provisioner.username) }}",
"password" : {{ .Values.security.provisioner.passwordHash | default ( include "graphdb.security.provisioner.passwordHash" . ) | quote }},
"grantedAuthorities" : [ "ROLE_ADMIN" ],
"appSettings" : {
"DEFAULT_INFERENCE" : true,
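Review bot: The new `"password"` line writes `.Values.security.provisioner.passwordHash` into users.js as given, with no check that it has the `{bcrypt}<hash>` form that values.yaml documents. A plaintext or unprefixed value would be rendered into the password field without any error from the template. Consider failing the render when a non-empty value does not start with `{bcrypt}`, so a misconfigured value is caught at install time.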
7 changes: 7 additions & 0 deletions templates/_helpers.tpl
Expand Up @@ -97,3 +97,10 @@ Converts custom users YAML to a pretty JSON for insertion in users.js
{{- end -}}
{{- end -}}
{{- end -}}

{{/*
Calculate provisoner's bcrypt-hashed password
*/}}
{{- define "graphdb.security.provisioner.passwordHash" -}}
{{- printf "{bcrypt}%s" ( htpasswd .Values.security.provisioner.username .Values.security.provisioner.password | trimPrefix (printf "%s:" .Values.security.provisioner.username)) -}}
{{- end -}}
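Review bot: The comment on the new `graphdb.security.provisioner.passwordHash` helper misspells "provisioner" as "provisoner's" and does not say which values it reads. Suggest documenting that it hashes `.Values.security.provisioner.password` with `htpasswd` for `.Values.security.provisioner.username` and returns the result with the `{bcrypt}` prefix. It is also worth stating there that the bcrypt hash is salted, so the output differs on every render unless `passwordHash` is set explicitly.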
4 changes: 4 additions & 0 deletions values.yaml
Expand Up @@ -258,6 +258,10 @@ security:
# Note: The user is created regardless of if the existingSecret is provided or not.
username: provisioner
password: iHaveSuperpowers
# Define an initial password for the provisioner user as a bcrypt hash.
# If the password is not specified, it will use the default one specified in the provisioner.password.
# Important: This value must be a bcrypt encrypted hash, not a plaintext string. The format is "{bcrypt}<the-encrypted-hash>"
passwordHash: ""
# Reference to Secret with a basic authentication token of an existing user to use for provisioning tasks instead of the default user in the initial
# user.js that is created using the plaintext username and password configurations from above.
# Note that the user must already exist in GraphDB for this to work properly.
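Review bot: The comment above `passwordHash` says "If the password is not specified", but the fallback in users.js applies when `passwordHash` is empty, so it should read along the lines of "If passwordHash is not specified, the hash is computed from provisioner.password". The phrase "bcrypt encrypted hash" should be "bcrypt hash", since bcrypt is a hash function and not encryption. Because `password: iHaveSuperpowers` remains the default, the comment should also state that `password` is not used for the users.js entry once `passwordHash` is set.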
