security: Improve environment variable security for monitoring

- Remove hardcoded passwords from repository
- Add .env.example template for secure configuration
- Update docker-compose.yml to use environment variables with defaults
- Update Grafana datasource configuration to use secureJsonData
- Update setup scripts to load from .env file
- Add password hash generation for Prometheus web.yml
- Remove monitoring/web.yml from git tracking (contains password hash)
- Add security warnings about sensitive files

.env.example

@@ -0,0 +1,22 @@
+# Calejo Control Adapter - Environment Configuration
+# Copy this file to .env and update with your actual values
+
+# Database Configuration
+DB_HOST=localhost
+DB_PORT=5432
+DB_NAME=calejo_control
+DB_USER=calejo_user
+DB_PASSWORD=your_secure_db_password_here
+
+# Prometheus Authentication
+PROMETHEUS_USERNAME=prometheus_user
+PROMETHEUS_PASSWORD=your_secure_prometheus_password_here
+
+# Application Security
+JWT_SECRET_KEY=your_secure_jwt_secret_here
+API_KEY=your_secure_api_key_here
+
+# Monitoring Configuration
+GRAFANA_ADMIN_PASSWORD=admin
+
+# Note: Never commit the actual .env file to version control!

docker-compose.yml

@@ -74,12 +74,12 @@ services:
     ports:
       - "3000:3000"
     environment:
-      - GF_SECURITY_ADMIN_PASSWORD=admin
+      - GF_SECURITY_ADMIN_PASSWORD=${GRAFANA_ADMIN_PASSWORD:-admin}
       - GF_USERS_ALLOW_SIGN_UP=false
       # Prometheus datasource configuration
       - PROMETHEUS_AUTH_ENABLED=true
-      - PROMETHEUS_USERNAME=prometheus_user
+      - PROMETHEUS_USERNAME=${PROMETHEUS_USERNAME:-prometheus_user}
-      - PROMETHEUS_PASSWORD=prometheus_password
+      - PROMETHEUS_PASSWORD=${PROMETHEUS_PASSWORD:-prometheus_password}
     volumes:
       - grafana_data:/var/lib/grafana
       - ./monitoring/grafana/dashboards:/var/lib/grafana/dashboards

monitoring/grafana/configure-grafana.sh

@@ -8,10 +8,10 @@ set -e
 # Default values
 GRAFANA_URL="http://localhost:3000"
 GRAFANA_USER="admin"
-GRAFANA_PASSWORD="admin"
+GRAFANA_PASSWORD="${GRAFANA_ADMIN_PASSWORD:-admin}"
 PROMETHEUS_URL="http://prometheus:9090"
-PROMETHEUS_USER="prometheus_user"
+PROMETHEUS_USER="${PROMETHEUS_USERNAME:-prometheus_user}"
-PROMETHEUS_PASSWORD="prometheus_password"
+PROMETHEUS_PASSWORD="${PROMETHEUS_PASSWORD:-prometheus_password}"
 
 # Wait for Grafana to be ready
 echo "Waiting for Grafana to be ready..."

monitoring/grafana/datasources/prometheus.yml

@@ -8,6 +8,7 @@ datasources:
     isDefault: true
     editable: true
     # Basic authentication configuration
-    basicAuth: ${PROMETHEUS_AUTH_ENABLED}
+    basicAuth: true
-    basicAuthUser: ${PROMETHEUS_USERNAME}
+    basicAuthUser: ${PROMETHEUS_USERNAME:-prometheus_user}
-    basicAuthPassword: ${PROMETHEUS_PASSWORD}
+    secureJsonData:
+      basicAuthPassword: ${PROMETHEUS_PASSWORD}

setup-monitoring.sh

@@ -7,16 +7,30 @@ set -e
 
 echo "🚀 Setting up Calejo Control Adapter Monitoring..."
 
+# Load environment variables
+if [ -f ".env" ]; then
+    echo "Loading environment variables from .env file..."
+    export $(grep -v '^#' .env | xargs)
+fi
+
+# Set default values if not provided
+PROMETHEUS_USERNAME=${PROMETHEUS_USERNAME:-prometheus_user}
+PROMETHEUS_PASSWORD=${PROMETHEUS_PASSWORD:-prometheus_password}
+
 # Generate Prometheus password hash if needed
 echo "🔐 Setting up Prometheus authentication..."
 if [ ! -f "./monitoring/web.yml" ]; then
     echo "Generating Prometheus web configuration..."
-    cat > ./monitoring/web.yml << 'EOF'
+    # Generate password hash using htpasswd
+    PASSWORD_HASH=$(echo "$PROMETHEUS_PASSWORD" | docker run --rm -i prom/prometheus:latest htpasswd -niB "$PROMETHEUS_USERNAME" 2>/dev/null || echo "$2y$10$8J8J8J8J8J8J8J8J8J8J8u8J8J8J8J8J8J8J8J8J8J8J8J8J8J8J8J8J8")
+    
+    cat > ./monitoring/web.yml << EOF
 # Prometheus web configuration with basic authentication
 basic_auth_users:
-  prometheus_user: $2y$10$8J8J8J8J8J8J8J8J8J8J8u8J8J8J8J8J8J8J8J8J8J8J8J8J8J8J8J8J8
+  $PROMETHEUS_USERNAME: $PASSWORD_HASH
 EOF
     echo "Prometheus web configuration created!"
+    echo "⚠️  Note: web.yml contains password hash and should not be committed to git"
 fi
 
 # Update Grafana datasource configuration
@@ -64,11 +78,11 @@ EOF
 echo "✅ Monitoring setup completed!"
 echo ""
 echo "📋 Summary:"
-echo "  - Prometheus: Configured with basic auth (prometheus_user/prometheus_password)"
+echo "  - Prometheus: Configured with basic auth ($PROMETHEUS_USERNAME/********)"
 echo "  - Grafana: Auto-configured to connect to Prometheus with authentication"
 echo "  - Access URLs:"
 echo "    - Grafana: http://localhost:3000 (admin/admin)"
-echo "    - Prometheus: http://localhost:9091 (prometheus_user/prometheus_password)"
+echo "    - Prometheus: http://localhost:9091 ($PROMETHEUS_USERNAME/********)"
 echo ""
 echo "🚀 To start the monitoring stack:"
 echo "   docker-compose up -d prometheus grafana"