make admin password configurable in Helm Chart #71
Conversation
|
Hey @derfabianpeter! 👋🏻 Thanks for the PR! Even though the password is bcrypt-hashed, it doesn't sit well with me to expose the admin password hash in the container args, where it can be examined by anyone with GET access to the pod. Could we rather have the helm chart insert the hash into a secret, and then expose that secret to the container as an env var to be called as For example, here's how it's done on the bitnami etcd chart:
With a little adjustment, we could enhance the portainer chart to:
Even better (but I've not tested this explicitly), it looks as helm has a built-in htpasswd function, so we could allow a user to specify an admin password in cleartext in their Cheers! |
|
Hey @funkypenguin, totally agree with you that my approach is not really well suited for today's understanding of security. I just wanted to get the ball rolling on that topic. I also agree that using a secret would be the way to go, but I'm currently not sure what options Portainer offers to make use of a Secret-File or EnvVar for the Admin Password. Maybe someone can shed a light on this so we can make improvements to the proposed solution. Using HELM's integrated htpasswd option would be a nice thing, but I'm totally fine with computing the hash outside of HELM. |
If we use I've created a branch in this repo named D |
|
hello, Some news on it ? |
|
Not really. We went with the solution @funkypenguin suggested in the end. No further changes to the chart required. |
Ok thanks. I also ok with this solution, but if I understand, that this PR is not apply (?), should I make local modification of portainer chart ? I would keep on official release. You confirm than official Chart do not support this feature ? I need to use @funkypenguin branch or make this change locally, exact ? Tk |
|
Hi @mysiki I just checked our code again - since the PR did not get merged (I tried pinging @funkypenguin on this topic in Slack but he never got back at me), we worked around the issue by installing Portainer through the official HELM chart and then use its API to create the initial user with a password we chose. Since we're wrapping the deployment process in Ansible, we didn't see the need to wait for feedback here but instead went with another solution that worked without altering the HELM chart. I'd still be open to contribute code for a better HELM chart, but I guess that would require involvement from the team. |
|
Rooooo ! I don't know than I can manage it with API ! Perfect (I'm on ansible too). Thanks ! https://app.swaggerhub.com/apis/portainer/portainer-ce/2.11.0#/users/UserAdminInit |
|
Hey @derfabianpeter, I will get back to you on this really shortly! |
Hi,
picking up on a discussion in the Ambassador Slack. My team is working on a Kubernetes Platform and tries to integrate Portainer as an application. For this we'd need to be able to bootstrap Portainer with a password (and ideally even more config revolving around auth and endpoints).
This MR deals with the necessary changes to accept a config value
admin.password(a HASH built according to your docs) that results in the--admin-passwordflag being added to theargssection of the container spec if not empty.This is a typical use case for us (and has been in the years before with Docker Swarm) so we thought to submit a PR for discussion instead of hacking a way around it or forking the chart.