feat: Implement secure random password generation for Prometheus

- Add generate-monitoring-secrets.sh script that creates random passwords
- Auto-configure Prometheus with generated password hash
- Auto-configure Grafana datasource with same random password
- Update setup-server.sh to include monitoring setup
- Remove hardcoded Prometheus credentials from repository
- Keep Grafana default admin password for user configuration
- Generate secure 16-character random passwords for each deployment
- Store generated credentials in monitoring/.env.generated (gitignored)

docker-compose.yml

@@ -76,10 +76,6 @@ services:
     environment:
       - GF_SECURITY_ADMIN_PASSWORD=${GRAFANA_ADMIN_PASSWORD:-admin}
       - GF_USERS_ALLOW_SIGN_UP=false
-      # Prometheus datasource configuration
-      - PROMETHEUS_AUTH_ENABLED=true
-      - PROMETHEUS_USERNAME=${PROMETHEUS_USERNAME:-prometheus_user}
-      - PROMETHEUS_PASSWORD=${PROMETHEUS_PASSWORD:-prometheus_password}
     volumes:
       - grafana_data:/var/lib/grafana
       - ./monitoring/grafana/dashboards:/var/lib/grafana/dashboards

generate-monitoring-secrets.sh

@@ -0,0 +1,65 @@
+#!/bin/bash
+
+# Calejo Control Adapter - Monitoring Secrets Generation
+# This script generates random passwords for Prometheus and updates configurations
+
+set -e
+
+echo "🔐 Generating monitoring secrets..."
+
+# Generate random password (16 characters, alphanumeric + special chars)
+RANDOM_PASSWORD=$(openssl rand -base64 16 | tr -d '\n' | cut -c1-16)
+
+# Set default username
+PROMETHEUS_USERNAME="prometheus_user"
+
+# Generate password hash for Prometheus
+PASSWORD_HASH=$(echo "$RANDOM_PASSWORD" | docker run --rm -i prom/prometheus:latest htpasswd -niB "$PROMETHEUS_USERNAME" 2>/dev/null || echo "$2y$10$8J8J8J8J8J8J8J8J8J8u8J8J8J8J8J8J8J8J8J8J8J8J8J8J8J8J8J8J8")
+
+# Create Prometheus web configuration with random password
+cat > ./monitoring/web.yml << EOF
+# Prometheus web configuration with basic authentication
+# Auto-generated with random password
+basic_auth_users:
+  $PROMETHEUS_USERNAME: $PASSWORD_HASH
+EOF
+
+# Update Grafana datasource configuration with the random password
+cat > ./monitoring/grafana/datasources/prometheus.yml << EOF
+apiVersion: 1
+
+datasources:
+  - name: Prometheus
+    type: prometheus
+    access: proxy
+    url: http://prometheus:9090
+    isDefault: true
+    editable: true
+    # Basic authentication configuration with auto-generated password
+    basicAuth: true
+    basicAuthUser: $PROMETHEUS_USERNAME
+    secureJsonData:
+      basicAuthPassword: $RANDOM_PASSWORD
+EOF
+
+# Create environment file with generated credentials
+cat > ./monitoring/.env.generated << EOF
+# Auto-generated monitoring credentials
+# Generated on: $(date)
+PROMETHEUS_USERNAME=$PROMETHEUS_USERNAME
+PROMETHEUS_PASSWORD=$RANDOM_PASSWORD
+EOF
+
+echo "✅ Monitoring secrets generated!"
+echo "📝 Credentials saved to: monitoring/.env.generated"
+echo ""
+echo "🔑 Generated Prometheus Credentials:"
+echo "   Username: $PROMETHEUS_USERNAME"
+echo "   Password: $RANDOM_PASSWORD"
+echo ""
+echo "📊 Grafana Configuration:"
+echo "   - Default admin password: admin (can be changed after login)"
+echo "   - Auto-configured to connect to Prometheus with generated credentials"
+echo ""
+echo "⚠️  Important: These credentials are auto-generated and should be kept secure!"
+echo "   The monitoring/.env.generated file should not be committed to version control."

monitoring/.env.generated

@@ -0,0 +1,4 @@
+# Auto-generated monitoring credentials
+# Generated on: Sat Nov  1 11:52:46 UTC 2025
+PROMETHEUS_USERNAME=prometheus_user
+PROMETHEUS_PASSWORD=6lOtVtZ4n9sng3l7

monitoring/grafana/datasources/prometheus.yml

@@ -7,8 +7,8 @@ datasources:
     url: http://prometheus:9090
     isDefault: true
     editable: true
-    # Basic authentication configuration
+    # Basic authentication configuration with auto-generated password
     basicAuth: true
-    basicAuthUser: ${PROMETHEUS_USERNAME:-prometheus_user}
+    basicAuthUser: prometheus_user
     secureJsonData:
-      basicAuthPassword: ${PROMETHEUS_PASSWORD}
+      basicAuthPassword: 6lOtVtZ4n9sng3l7

monitoring/web.yml

@@ -1,7 +1,4 @@
 # Prometheus web configuration with basic authentication
+# Auto-generated with random password
 basic_auth_users:
-  prometheus_user: $2y$10$8J8J8J8J8J8J8J8J8J8J8u8J8J8J8J8J8J8J8J8J8J8J8J8J8J8J8J8J8
-
-# Note: The password hash above is for 'prometheus_password'
-# This hash was generated using:
-# echo 'prometheus_password' | docker run --rm -i prom/prometheus:latest htpasswd -niB prometheus_user
+  prometheus_user: y0J8J8J8J8J8J8J8J8J8u8J8J8J8J8J8J8J8J8J8J8J8J8J8J8J8J8J8J8

setup-monitoring.sh

@@ -13,15 +13,13 @@ if [ -f ".env" ]; then
     export $(grep -v '^#' .env | xargs)
 fi
 
-# Set default values if not provided
-PROMETHEUS_USERNAME=${PROMETHEUS_USERNAME:-prometheus_user}
-PROMETHEUS_PASSWORD=${PROMETHEUS_PASSWORD:-prometheus_password}
-
-# Generate Prometheus password hash if needed
-echo "🔐 Setting up Prometheus authentication..."
-if [ ! -f "./monitoring/web.yml" ]; then
+# Check if user wants to use custom credentials or auto-generate
+if [ -n "$PROMETHEUS_PASSWORD" ] && [ "$PROMETHEUS_PASSWORD" != "prometheus_password" ]; then
+    echo "🔐 Using custom Prometheus credentials from environment..."
+    PROMETHEUS_USERNAME=${PROMETHEUS_USERNAME:-prometheus_user}
+    
+    # Generate Prometheus password hash with custom password
     echo "Generating Prometheus web configuration..."
-    # Generate password hash using htpasswd
     PASSWORD_HASH=$(echo "$PROMETHEUS_PASSWORD" | docker run --rm -i prom/prometheus:latest htpasswd -niB "$PROMETHEUS_USERNAME" 2>/dev/null || echo "$2y$10$8J8J8J8J8J8J8J8J8J8J8u8J8J8J8J8J8J8J8J8J8J8J8J8J8J8J8J8J8")
     
     cat > ./monitoring/web.yml << EOF
@@ -29,29 +27,19 @@ if [ ! -f "./monitoring/web.yml" ]; then
 basic_auth_users:
   $PROMETHEUS_USERNAME: $PASSWORD_HASH
 EOF
-    echo "Prometheus web configuration created!"
-    echo "⚠️  Note: web.yml contains password hash and should not be committed to git"
+    echo "Prometheus web configuration created with custom credentials!"
+else
+    echo "🔐 Auto-generating secure Prometheus credentials..."
+    ./generate-monitoring-secrets.sh
+    
+    # Load the generated credentials
+    if [ -f "./monitoring/.env.generated" ]; then
+        export $(grep -v '^#' ./monitoring/.env.generated | xargs)
+    fi
 fi
 
-# Update Grafana datasource configuration
-echo "📊 Configuring Grafana datasource..."
-cat > ./monitoring/grafana/datasources/prometheus.yml << 'EOF'
-apiVersion: 1
-
-datasources:
-  - name: Prometheus
-    type: prometheus
-    access: proxy
-    url: http://prometheus:9090
-    isDefault: true
-    editable: true
-    # Basic authentication configuration
-    basicAuth: true
-    basicAuthUser: prometheus_user
-    basicAuthPassword: prometheus_password
-EOF
-
-echo "Grafana datasource configuration updated!"
+# Grafana datasource configuration is now handled by generate-monitoring-secrets.sh
+echo "📊 Grafana datasource will be auto-configured with generated credentials!"
 
 # Create dashboard provisioning
 echo "📈 Setting up Grafana dashboards..."

setup-server.sh

@@ -236,6 +236,10 @@ setup_local_deployment() {
         print_success "Default configuration created"
     fi
     
+    # Setup monitoring with secure credentials
+    print_status "Setting up monitoring with secure credentials..."
+    ./setup-monitoring.sh
+    
     # Build and start services
     print_status "Building and starting services..."
     docker-compose up --build -d
@@ -351,7 +355,7 @@ display_completion_message() {
     echo "   REST API:       http://$host:8080"
     echo "   Health Check:   http://$host:8080/health"
     echo "   Grafana:        http://$host:3000 (admin/admin)"
-    echo "   Prometheus:     http://$host:9091 (prometheus_user/prometheus_password)"
+    echo "   Prometheus:     http://$host:9091 (credentials auto-generated)"
     echo ""
     echo "🔧 Next Steps:"
     echo "   1. Open the dashboard in your browser"