Adding Support for Infisical Password Vault #1609
Accidentally pushed with OED_PRODUCTION set to yes
Added: 1. Banners for the "make sure to change this value" notifications, also added a notification for the token secret. 2. Fixed spelling error. 3. Added spaces to comments. 4. A variable that checks what the installation type is at the start and is used for all checks.
Added comments in docker-compose.yml to alert users as to the fact passwords are only drawn from this file once. Added something to the .env file to show the code that the password has already been generated. Changed a redundant if statement to an else.
Changes to address feedback on 1/19, added/edited comments, changed changePass.js to changePostgresPass.js
@Zachary-Squires Thanks for working on this. I realize it is a work in progress but I had two thoughts from only looking at this a little:
Please let me know if anything is not clear or you have thoughts.
This reverts commit 24e2fb3.
I'm noting this PR contains code from PR #1554 as it is necessary. That PR should be merged first so all those changes go away before this PR is merged.
huss left a comment
Thanks to @Zachary-Squires for looking into this, adding the code and the documentation. Overall, this seems good. I have not yet tried it because it is a draft and I wanted to get my first thoughts back to you. I made a few comments to consider. I also put in a comment on the docs on your GitHub account. Please let me know if anything is not clear or you have any thoughts/questions.
- OED_MAIL_FROM=mydomain@example.com # The email address that the email will come from
- OED_MAIL_TO=someone@example.com # Set the destination address here for where to send emails
- OED_MAIL_ORG=My Organization Name # Org name for mail that is included in the subject
- PASSWORD_VAULT=no # Set to yes to load DB passwords from Infisical
When the design doc is in place for OED, it might be nice to put a link to it here so people can easily find the directions for enabling the vault.
huss left a comment
@Zachary-Squires Thank you for the update addressing most of the comments. The one step left is to put in a pull request to the OED dev docs and then add the link in the one file (per other comment). After that someone else can finalize the work for general usage in OED and test the system. Please let me know if you need anything.
Description
This PR adds optional support for Infisical, a free, open-source secrets manager that can be self-hosted. This PR allows the POSTGRES_PASSWORD and OED_DB_PASSWORD variables to be stored inside the Infisical password vault instead of the .env for increased security. I've created a tutorial on how to do this, which is here: https://gist.github.com/Zachary-Squires/b7d673922d251ec4d0edc5aa752ec06f
Fixes Security Issue 5
Limitations
Currently Infisical can only host the passwords for the database; in the future this could be expanded to also host user passwords.