
Kubernetes - Tomcat context.xml having DB password as plain text (inside the container)

Open · raj-kotha opened this issue 2 years ago · 1 comment

Describe the bug

Tomcat context.xml having DB password as a plain text

To Reproduce

NA

Expected behavior

Encrypted DB password

Chart version

Server (if applicable, please complete the following information):

  • OS: [e.g. Ubuntu 18.04]
  • Environment: [e.g. Amazon EKS, Open Source Kubernetes 1.11, etc.]
  • Database: [e.g. PostgreSQL]

Additional context

raj-kotha · Aug 03 '22 19:08

This is not a bug, this is a well-known Tomcat limitation. Tomcat does not offer a way to encrypt passwords. See https://cwiki.apache.org/confluence/display/TOMCAT/Password for details.

In the same way you should secure your context.xml against unauthorized (read) access in a bare-metal or VM environment, you should also secure your Kubernetes cluster against access to the context.xml file inside the container.

rbogendoerfer · Aug 08 '22 14:08

https://github.com/pegasystems/pega-helm-charts/blob/master/charts/pega/config/deploy/context.xml.tmpl: this context.xml.tmpl gets resolved to context.xml when we do the helm deploy. When it resolves, the password and other values are securely sent inside the pod. Once inside the Tomcat folder, Tomcat reads the file as it is, in plain text only. That's a Tomcat feature: it can only read it as plain text.

pega-sagas1 · Oct 27 '22 07:10
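The two replies above make the same point from different ends: Tomcat will only read the password in clear text, so the control is restricting who can read the rendered file inside the pod. The manifests below are an added illustration of that control and are not part of pega-helm-charts or the Pega chart's own templates; the Secret and Pod names, the uid 1000, the `/usr/local/tomcat/...` path, the image tag and the `jdbc/...` resource values are assumptions chosen for the example.

```yaml
# Added example (not from the pega-helm-charts project): a rendered, plaintext
# Tomcat context.xml delivered as a Secret and readable only by the Tomcat
# process. All names, paths and the uid are assumptions for illustration.
apiVersion: v1
kind: Secret
metadata:
  name: tomcat-context          # assumed name
type: Opaque
stringData:
  # Constructed sample of a rendered context.xml. Tomcat reads the password
  # as-is, so the file, not the value, is what the cluster must protect.
  context.xml: |
    <?xml version="1.0" encoding="UTF-8"?>
    <Context>
      <Resource name="jdbc/app" auth="Container"
                type="javax.sql.DataSource"
                driverClassName="org.postgresql.Driver"
                url="jdbc:postgresql://db.example.internal:5432/app"
                username="app" password="CHANGE_ME"/>
    </Context>
---
apiVersion: v1
kind: Pod
metadata:
  name: tomcat-app              # assumed name
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000             # assumed uid the Tomcat process runs as
    fsGroup: 1000               # secret files are group-owned by this gid
  containers:
    - name: tomcat
      image: tomcat:9-jre11     # assumed image
      securityContext:
        allowPrivilegeEscalation: false
      volumeMounts:
        - name: context
          # assumed location of the application context file
          mountPath: /usr/local/tomcat/conf/Catalina/localhost/ROOT.xml
          subPath: context.xml
          readOnly: true
  volumes:
    - name: context
      secret:
        secretName: tomcat-context
        # owner/group read only, no world-read bit: other uids in the
        # container (e.g. a sidecar running as a different user) cannot read it
        defaultMode: 0440
---
# RBAC for operators who need to look at the pod but must not be able to
# pull the plaintext out of it: no "secrets", no "pods/exec", no "pods/attach".
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-viewer              # assumed name
rules:
  - apiGroups: [""]
    resources: ["pods", "pods/log"]
    verbs: ["get", "list", "watch"]
```

Two caveats a practitioner should keep in mind: a `subPath` mount of a Secret is not refreshed when the Secret is rotated, so the pod has to be restarted after a password change; and the Role only helps if it is the sole path operators have into the namespace, since anyone with `pods/exec`, `secrets` read, or node access can still read the file exactly as Tomcat does.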