Dapr Redis container and component definitions should have password configured

In what area(s)?

/area runtime /area test-and-release

What version of Dapr?

1.0.1

Expected Behavior

Actual Behavior

When I install the dapr and run the runtime for a long time. We got the security scan result for the host machine with related docker image such as redis-server .

[root@fnwk1 ~]# docker ps CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES 738c660bee97 daprio/dapr "./placement" 2 months ago Up 3 days 0.0.0.0:50005->50005/tcp dapr_placement cc0aa4b3f9b1 openzipkin/zipkin "start-zipkin" 2 months ago Up 3 days (healthy) 9410/tcp, 0.0.0.0:9411->9411/tcp dapr_zipkin c8f023598e97 redis "docker-entrypoint.s…" 2 months ago Up 3 days 0.0.0.0:6379->6379/tcp dapr_redis

Steps to Reproduce the Problem

wget -q https://raw.githubusercontent.com/dapr/cli/master/install/install.sh -O - | /bin/bash dapr init docker ps

Release Note

RELEASE NOTE:

@dapr/maintainers-dapr can we look into adding a password to the Redis config (article here) and then add it to the statestore.yaml and pubsub.yaml configs?

Would binding to localhost only instead of 0.0.0.0 be enough to pass the criteria for the scanner?

We should use https://github.com/dapr/cli/issues/741 to build this.

This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged (pinned, good first issue, help wanted or triaged/resolved) or other activity occurs. Thank you for your contributions.