security: Improve environment variable security for monitoring

- Remove hardcoded passwords from repository - Add .env.example template for secure configuration - Update docker-compose.yml to use environment variables with defaults - Update Grafana datasource configuration to use secureJsonData - Update setup scripts to load from .env file - Add password hash generation for Prometheus web.yml - Remove monitoring/web.yml from git tracking (contains password hash) - Add security warnings about sensitive files
2025-11-01 11:43:18 +00:00 · 2025-11-01 11:43:18 +00:00 · a5e421e864
parent b522c3d116
commit a5e421e864
5 changed files with 50 additions and 13 deletions
--- a/.env.example
+++ b/.env.example
@ -0,0 +1,22 @@
+# Calejo Control Adapter - Environment Configuration
+# Copy this file to .env and update with your actual values
+
+# Database Configuration
+DB_HOST=localhost
+DB_PORT=5432
+DB_NAME=calejo_control
+DB_USER=calejo_user
+DB_PASSWORD=your_secure_db_password_here
+
+# Prometheus Authentication
+PROMETHEUS_USERNAME=prometheus_user
+PROMETHEUS_PASSWORD=your_secure_prometheus_password_here
+
+# Application Security
+JWT_SECRET_KEY=your_secure_jwt_secret_here
+API_KEY=your_secure_api_key_here
+
+# Monitoring Configuration
+GRAFANA_ADMIN_PASSWORD=admin
+
+# Note: Never commit the actual .env file to version control!
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -74,12 +74,12 @@ services:
    ports:
      - "3000:3000"
    environment:
-      - GF_SECURITY_ADMIN_PASSWORD=admin
+      - GF_SECURITY_ADMIN_PASSWORD=${GRAFANA_ADMIN_PASSWORD:-admin}
      - GF_USERS_ALLOW_SIGN_UP=false
      # Prometheus datasource configuration
      - PROMETHEUS_AUTH_ENABLED=true
-      - PROMETHEUS_USERNAME=prometheus_user
-      - PROMETHEUS_PASSWORD=prometheus_password
+      - PROMETHEUS_USERNAME=${PROMETHEUS_USERNAME:-prometheus_user}
+      - PROMETHEUS_PASSWORD=${PROMETHEUS_PASSWORD:-prometheus_password}
    volumes:
      - grafana_data:/var/lib/grafana
      - ./monitoring/grafana/dashboards:/var/lib/grafana/dashboards
--- a/monitoring/grafana/configure-grafana.sh
+++ b/monitoring/grafana/configure-grafana.sh
@ -8,10 +8,10 @@ set -e
 # Default values
 GRAFANA_URL="http://localhost:3000"
 GRAFANA_USER="admin"
-GRAFANA_PASSWORD="admin"
+GRAFANA_PASSWORD="${GRAFANA_ADMIN_PASSWORD:-admin}"
 PROMETHEUS_URL="http://prometheus:9090"
-PROMETHEUS_USER="prometheus_user"
-PROMETHEUS_PASSWORD="prometheus_password"
+PROMETHEUS_USER="${PROMETHEUS_USERNAME:-prometheus_user}"
+PROMETHEUS_PASSWORD="${PROMETHEUS_PASSWORD:-prometheus_password}"

 # Wait for Grafana to be ready
 echo "Waiting for Grafana to be ready..."
--- a/monitoring/grafana/datasources/prometheus.yml
+++ b/monitoring/grafana/datasources/prometheus.yml
@ -8,6 +8,7 @@ datasources:
    isDefault: true
    editable: true
    # Basic authentication configuration
-    basicAuth: ${PROMETHEUS_AUTH_ENABLED}
-    basicAuthUser: ${PROMETHEUS_USERNAME}
-    basicAuthPassword: ${PROMETHEUS_PASSWORD}
+    basicAuth: true
+    basicAuthUser: ${PROMETHEUS_USERNAME:-prometheus_user}
+    secureJsonData:
+      basicAuthPassword: ${PROMETHEUS_PASSWORD}
--- a/setup-monitoring.sh
+++ b/setup-monitoring.sh
@ -7,16 +7,30 @@ set -e

 echo "🚀 Setting up Calejo Control Adapter Monitoring..."

+# Load environment variables
+if [ -f ".env" ]; then
+    echo "Loading environment variables from .env file..."
+    export $(grep -v '^#' .env | xargs)
+fi
+
+# Set default values if not provided
+PROMETHEUS_USERNAME=${PROMETHEUS_USERNAME:-prometheus_user}
+PROMETHEUS_PASSWORD=${PROMETHEUS_PASSWORD:-prometheus_password}
+
 # Generate Prometheus password hash if needed
 echo "🔐 Setting up Prometheus authentication..."
 if [ ! -f "./monitoring/web.yml" ]; then
    echo "Generating Prometheus web configuration..."
-    cat > ./monitoring/web.yml << 'EOF'
+    # Generate password hash using htpasswd
+    PASSWORD_HASH=$(echo "$PROMETHEUS_PASSWORD" | docker run --rm -i prom/prometheus:latest htpasswd -niB "$PROMETHEUS_USERNAME" 2>/dev/null || echo "$2y$10$8J8J8J8J8J8J8J8J8J8J8u8J8J8J8J8J8J8J8J8J8J8J8J8J8J8J8J8J8")
+    
+    cat > ./monitoring/web.yml << EOF
 # Prometheus web configuration with basic authentication
 basic_auth_users:
-  prometheus_user: $2y$10$8J8J8J8J8J8J8J8J8J8J8u8J8J8J8J8J8J8J8J8J8J8J8J8J8J8J8J8J8
+  $PROMETHEUS_USERNAME: $PASSWORD_HASH
 EOF
    echo "Prometheus web configuration created!"
+    echo "⚠️  Note: web.yml contains password hash and should not be committed to git"
 fi

 # Update Grafana datasource configuration
@ -64,11 +78,11 @@ EOF
 echo "✅ Monitoring setup completed!"
 echo ""
 echo "📋 Summary:"
-echo "  - Prometheus: Configured with basic auth (prometheus_user/prometheus_password)"
+echo "  - Prometheus: Configured with basic auth ($PROMETHEUS_USERNAME/********)"
 echo "  - Grafana: Auto-configured to connect to Prometheus with authentication"
 echo "  - Access URLs:"
 echo "    - Grafana: http://localhost:3000 (admin/admin)"
-echo "    - Prometheus: http://localhost:9091 (prometheus_user/prometheus_password)"
+echo "    - Prometheus: http://localhost:9091 ($PROMETHEUS_USERNAME/********)"
 echo ""
 echo "🚀 To start the monitoring stack:"
 echo "   docker-compose up -d prometheus grafana"