Remove hardcoded secrets and implement dynamic secret generation

.gitignore

@@ -49,3 +49,4 @@ package-lock.json
 .settings/*
 .env.bak
 cp.env.bak
+.generated.env

.local.env

@@ -1,6 +1,6 @@
 SENTRIUS_VERSION=1.1.110
 SENTRIUS_SSH_VERSION=1.1.19
-SENTRIUS_KEYCLOAK_VERSION=1.1.26
+SENTRIUS_KEYCLOAK_VERSION=1.1.31
 SENTRIUS_AGENT_VERSION=1.1.19
 SENTRIUS_AI_AGENT_VERSION=1.1.34
 LLMPROXY_VERSION=1.0.22

.local.env.bak

@@ -1,6 +1,6 @@
-SENTRIUS_VERSION=1.1.109
+SENTRIUS_VERSION=1.1.110
 SENTRIUS_SSH_VERSION=1.1.19
-SENTRIUS_KEYCLOAK_VERSION=1.1.26
+SENTRIUS_KEYCLOAK_VERSION=1.1.30
 SENTRIUS_AGENT_VERSION=1.1.19
 SENTRIUS_AI_AGENT_VERSION=1.1.34
 LLMPROXY_VERSION=1.0.22

agent-launcher/src/main/resources/application.properties

@@ -1,5 +1,5 @@
 keystore.file=sso.jceks
-keystore.password=keystorepassword
+keystore.password=${KEYSTORE_PASSWORD:keystorepassword}
 
 keystore.alias=KEYBOX-ENCRYPTION_KEY
 keystore.algorithm=AES

ai-agent/src/main/resources/assessor.properties

@@ -51,7 +51,7 @@ server.error.whitelabel.enabled=false
 keycloak.realm=sentrius
 keycloak.base-url=${KEYCLOAK_BASE_URL:http://localhost:8180}
 spring.security.oauth2.client.registration.keycloak.client-id=java-agents
-spring.security.oauth2.client.registration.keycloak.client-secret=e4WgJovH8MzcAvRnFg3rROAbeDIwiYmx
+spring.security.oauth2.client.registration.keycloak.client-secret=${KEYCLOAK_CLIENT_SECRET:}
 spring.security.oauth2.client.registration.keycloak.authorization-grant-type=client_credentials
 spring.security.oauth2.client.registration.keycloak.redirect-uri=http://192.168.1.162:8080/login/oauth2/code/keycloak
 spring.security.oauth2.client.registration.keycloak.scope=openid,profile,email

ai-agent/src/main/resources/challenger.properties

@@ -46,7 +46,7 @@ server.error.whitelabel.enabled=false
 keycloak.realm=sentrius
 keycloak.base-url=${KEYCLOAK_BASE_URL:http://localhost:8180}
 spring.security.oauth2.client.registration.keycloak.client-id=ai-agents-assessor
-spring.security.oauth2.client.registration.keycloak.client-secret=e4WgJovH8MzcAvRnFg3rROAbeDIwiYmy
+spring.security.oauth2.client.registration.keycloak.client-secret=${KEYCLOAK_CLIENT_SECRET:}
 spring.security.oauth2.client.registration.keycloak.authorization-grant-type=client_credentials
 spring.security.oauth2.client.registration.keycloak.redirect-uri=http://192.168.1.162:8080/login/oauth2/code/keycloak
 spring.security.oauth2.client.registration.keycloak.scope=openid,profile,email

ai-agent/src/main/resources/chat-helper.properties

@@ -52,7 +52,7 @@ keycloak.realm=sentrius
 keycloak.base-url=${KEYCLOAK_BASE_URL:http://localhost:8180}
 ## These are programmatically set.
 spring.security.oauth2.client.registration.keycloak.client-id=java-agents
-spring.security.oauth2.client.registration.keycloak.client-secret=e4WgJovH8MzcAvRnFg3rROAbeDIwiYmxsdgd
+spring.security.oauth2.client.registration.keycloak.client-secret=${KEYCLOAK_CLIENT_SECRET:}
 spring.security.oauth2.client.registration.keycloak.authorization-grant-type=client_credentials
 spring.security.oauth2.client.registration.keycloak.redirect-uri=http://192.168.1.162:8080/login/oauth2/code/keycloak
 spring.security.oauth2.client.registration.keycloak.scope=openid,profile,email

ai-agent/src/main/resources/terminal-helper.properties

@@ -51,7 +51,7 @@ server.error.whitelabel.enabled=false
 keycloak.realm=sentrius
 keycloak.base-url=${KEYCLOAK_BASE_URL:http://localhost:8180}
 spring.security.oauth2.client.registration.keycloak.client-id=java-agents
-spring.security.oauth2.client.registration.keycloak.client-secret=e4WgJovH8MzcAvRnFg3rROAbeDIwiYmx
+spring.security.oauth2.client.registration.keycloak.client-secret=${KEYCLOAK_CLIENT_SECRET:}
 spring.security.oauth2.client.registration.keycloak.authorization-grant-type=client_credentials
 spring.security.oauth2.client.registration.keycloak.redirect-uri=http://192.168.1.162:8080/login/oauth2/code/keycloak
 spring.security.oauth2.client.registration.keycloak.scope=openid,profile,email

analytics/src/main/resources/application.properties

@@ -1,5 +1,5 @@
 keystore.file=sso.jceks
-keystore.password=keystorepassword
+keystore.password=${KEYSTORE_PASSWORD:keystorepassword}
 
 keystore.alias=KEYBOX-ENCRYPTION_KEY
 keystore.algorithm=AES
@@ -16,7 +16,7 @@ spring.flyway.baseline-on-migrate=true
 
 spring.datasource.url=jdbc:postgresql://home.guard.local:5432/sentrius
 spring.datasource.username=postgres
-spring.datasource.password=password
+spring.datasource.password=${DATABASE_PASSWORD:password}
 spring.datasource.driver-class-name=org.postgresql.Driver
 
 # Connection pool settings
@@ -51,7 +51,7 @@ server.error.whitelabel.enabled=false
 keycloak.realm=sentrius
 keycloak.base-url=${KEYCLOAK_BASE_URL:http://localhost:8180}
 spring.security.oauth2.client.registration.keycloak.client-id=sentrius-api
-spring.security.oauth2.client.registration.keycloak.client-secret=nGkEukexSWTvDzYjSkDmeUlM0FJ5Jhh0
+spring.security.oauth2.client.registration.keycloak.client-secret=${KEYCLOAK_CLIENT_SECRET:}
 spring.security.oauth2.client.registration.keycloak.authorization-grant-type=authorization_code
 spring.security.oauth2.client.registration.keycloak.redirect-uri=http://192.168.1.162:8080/login/oauth2/code/keycloak
 spring.security.oauth2.client.registration.keycloak.scope=openid,profile,email

api/src/main/resources/application.properties

@@ -1,5 +1,5 @@
 keystore.file=sso.jceks
-keystore.password=keystorepassword
+keystore.password=${KEYSTORE_PASSWORD:keystorepassword}
 
 keystore.alias=KEYBOX-ENCRYPTION_KEY
 keystore.algorithm=AES
@@ -22,7 +22,7 @@ spring.thymeleaf.suffix=.html
 
 spring.datasource.url=jdbc:postgresql://home.guard.local:5432/sentrius
 spring.datasource.username=postgres
-spring.datasource.password=password
+spring.datasource.password=${DATABASE_PASSWORD:password}
 spring.datasource.driver-class-name=org.postgresql.Driver
 
 # Connection pool settings

docker/keycloak/Dockerfile

@@ -14,10 +14,18 @@ RUN /opt/keycloak/bin/kc.sh build
 FROM quay.io/keycloak/keycloak:24.0.1
 COPY --from=builder /opt/keycloak/ /opt/keycloak/
 
-COPY ./realms/sentrius-realm.json /opt/keycloak/data/import/sentrius-realm.json
+# Copy realm template and processing script
+COPY ./realms/sentrius-realm.json.template /opt/keycloak/data/import/sentrius-realm.json.template
+COPY ./process-realm-template.sh /opt/keycloak/bin/process-realm-template.sh
+COPY ./startup.sh /opt/keycloak/bin/startup.sh
 
-RUN ls -l /opt/keycloak/data/import/sentrius-realm.json
+# Make scripts executable and ensure data directory is writable
+USER root
+RUN chmod +x /opt/keycloak/bin/process-realm-template.sh && \
+    chmod +x /opt/keycloak/bin/startup.sh && \
+    chown -R keycloak:keycloak /opt/keycloak/data
+USER keycloak
 
-ENTRYPOINT ["/opt/keycloak/bin/kc.sh"]
-CMD ["start-dev", "--proxy=passthrough", "--import-realm", "--import-realm-overwrite=true", "--health-enabled=true"]
+RUN ls -l /opt/keycloak/data/import/sentrius-realm.json.template
 
+ENTRYPOINT ["/opt/keycloak/bin/startup.sh"]

docker/keycloak/README.md

@@ -0,0 +1,30 @@
+# Keycloak Realm Configuration
+
+This realm configuration file contains client definitions for Sentrius with dynamic secret injection.
+
+## 🔐 Dynamic Secret Management
+
+The Keycloak container now supports dynamic secret injection through environment variables:
+
+- **SENTRIUS_API_CLIENT_SECRET** - Secret for sentrius-api client
+- **SENTRIUS_LAUNCHER_CLIENT_SECRET** - Secret for sentrius-launcher-service client  
+- **JAVA_AGENTS_CLIENT_SECRET** - Secret for java-agents client
+- **AI_AGENT_ASSESSOR_CLIENT_SECRET** - Secret for ai-agent-assessor client
+
+## How It Works
+
+1. **Template Processing**: The `sentrius-realm.json.template` file contains environment variable placeholders
+2. **Runtime Substitution**: During container startup, the `process-realm-template.sh` script replaces placeholders with actual values
+3. **Helm Integration**: The Helm chart generates OAuth2 secrets and passes them as environment variables
+4. **Automatic Import**: Keycloak imports the processed realm with the dynamically generated secrets
+
+## Environment Variable Integration
+
+The Helm chart automatically:
+- Generates random 32-character secrets when none are provided
+- Passes these secrets as environment variables to the Keycloak container
+- Ensures consistency between Helm-managed OAuth2 secrets and Keycloak realm configuration
+
+## Fallback Behavior
+
+If environment variables are not provided, the startup script generates default random secrets to ensure the container can start successfully.

docker/keycloak/process-realm-template.sh

@@ -0,0 +1,87 @@
+#!/bin/bash
+
+# Process realm template with environment variable substitution
+# This script replaces environment variable placeholders in the realm template
+# with actual values before Keycloak imports the realm
+
+# Set paths - different for container vs local testing
+if [ -f "/opt/keycloak/data/import/sentrius-realm.json.template" ]; then
+    # Container environment
+    REALM_TEMPLATE="/opt/keycloak/data/import/sentrius-realm.json.template"
+    REALM_OUTPUT="/opt/keycloak/data/import/sentrius-realm.json"
+elif [ -f "./realms/sentrius-realm.json.template" ]; then
+    # Local testing environment
+    REALM_TEMPLATE="./realms/sentrius-realm.json.template"
+    REALM_OUTPUT="${REALM_OUTPUT:-./sentrius-realm.json}"
+else
+    echo "Error: Realm template not found"
+    echo "  Looked for: /opt/keycloak/data/import/sentrius-realm.json.template"
+    echo "  Looked for: ./realms/sentrius-realm.json.template"
+    exit 1
+fi
+
+echo "Processing Keycloak realm template..."
+echo "  Template: $REALM_TEMPLATE"
+echo "  Output: $REALM_OUTPUT"
+
+# Set default values for secrets if not provided
+if command -v openssl >/dev/null 2>&1; then
+    # Use openssl if available
+    export SENTRIUS_API_CLIENT_SECRET="${SENTRIUS_API_CLIENT_SECRET:-default-api-secret-$(openssl rand -hex 16)}"
+    export SENTRIUS_LAUNCHER_CLIENT_SECRET="${SENTRIUS_LAUNCHER_CLIENT_SECRET:-default-launcher-secret-$(openssl rand -hex 16)}"
+    export JAVA_AGENTS_CLIENT_SECRET="${JAVA_AGENTS_CLIENT_SECRET:-default-agents-secret-$(openssl rand -hex 16)}"
+    export AI_AGENT_ASSESSOR_CLIENT_SECRET="${AI_AGENT_ASSESSOR_CLIENT_SECRET:-default-assessor-secret-$(openssl rand -hex 16)}"
+else
+    # Fallback to simple random generation using date and process ID
+    RAND_SUFFIX=$(date +%s%N | cut -b1-13)$$
+    export SENTRIUS_API_CLIENT_SECRET="${SENTRIUS_API_CLIENT_SECRET:-default-api-secret-${RAND_SUFFIX}}"
+    export SENTRIUS_LAUNCHER_CLIENT_SECRET="${SENTRIUS_LAUNCHER_CLIENT_SECRET:-default-launcher-secret-${RAND_SUFFIX}a}"
+    export JAVA_AGENTS_CLIENT_SECRET="${JAVA_AGENTS_CLIENT_SECRET:-default-agents-secret-${RAND_SUFFIX}b}"
+    export AI_AGENT_ASSESSOR_CLIENT_SECRET="${AI_AGENT_ASSESSOR_CLIENT_SECRET:-default-assessor-secret-${RAND_SUFFIX}c}"
+fi
+
+# Set default values for other placeholders
+# set in helm chart
+#export ROOT_URL="${ROOT_URL:-http://localhost:8080}"
+# set in helm chart
+#export REDIRECT_URIS="${REDIRECT_URIS:-http://localhost:8080}"
+export GOOGLE_CLIENT_ID="${GOOGLE_CLIENT_ID:-}"
+export GOOGLE_CLIENT_SECRET="${GOOGLE_CLIENT_SECRET:-}"
+
+echo "Substituting environment variables in realm template..."
+echo "  SENTRIUS_API_CLIENT_SECRET: ${SENTRIUS_API_CLIENT_SECRET:0:8}..."
+echo "  SENTRIUS_LAUNCHER_CLIENT_SECRET: ${SENTRIUS_LAUNCHER_CLIENT_SECRET:0:8}..."
+echo "  JAVA_AGENTS_CLIENT_SECRET: ${JAVA_AGENTS_CLIENT_SECRET:0:8}..."
+echo "  AI_AGENT_ASSESSOR_CLIENT_SECRET: ${AI_AGENT_ASSESSOR_CLIENT_SECRET:0:8}..."
+
+# Use sed to replace environment variables (since envsubst may not be available)
+# Replace ${VAR} with actual values
+sed -e "s|\${SENTRIUS_API_CLIENT_SECRET}|${SENTRIUS_API_CLIENT_SECRET}|g" \
+    -e "s|\${SENTRIUS_LAUNCHER_CLIENT_SECRET}|${SENTRIUS_LAUNCHER_CLIENT_SECRET}|g" \
+    -e "s|\${JAVA_AGENTS_CLIENT_SECRET}|${JAVA_AGENTS_CLIENT_SECRET}|g" \
+    -e "s|\${AI_AGENT_ASSESSOR_CLIENT_SECRET}|${AI_AGENT_ASSESSOR_CLIENT_SECRET}|g" \
+    -e "s|\${GOOGLE_CLIENT_ID}|${GOOGLE_CLIENT_ID}|g" \
+    -e "s|\${GOOGLE_CLIENT_SECRET}|${GOOGLE_CLIENT_SECRET}|g" \
+    "$REALM_TEMPLATE" > "$REALM_OUTPUT"
+
+  # these two are set helm chart
+  #    -e "s|\${ROOT_URL}|${ROOT_URL}|g" \
+  #    -e "s|\${REDIRECT_URIS}|${REDIRECT_URIS}|g" \
+
+if [ $? -eq 0 ]; then
+    echo "Realm template processed successfully: $REALM_OUTPUT"
+else
+    echo "Error: Failed to process realm template"
+    exit 1
+fi
+
+# Validate the JSON is valid
+if command -v jq >/dev/null 2>&1; then
+    if ! jq empty < "$REALM_OUTPUT" >/dev/null 2>&1; then
+        echo "Error: Generated realm JSON is invalid"
+        exit 1
+    fi
+    echo "Generated realm JSON is valid"
+else
+    echo "Note: jq not available, skipping JSON validation"
+fi

docker/keycloak/realms/sentrius-realm.json → docker/keycloak/realms/sentrius-realm.json.template

@@ -6,7 +6,7 @@
       "clientId": "sentrius-api",
       "enabled": true,
       "clientAuthenticatorType": "client-secret",
-      "secret": "nGkEukexSWTvDzYjSkDmeUlM0FJ5Jhh0",
+      "secret": "${SENTRIUS_API_CLIENT_SECRET}",
       "rootUrl": "${ROOT_URL}",
       "baseUrl": "${ROOT_URL}",
       "serviceAccountsEnabled": true,
@@ -40,7 +40,7 @@
       "clientId": "sentrius-launcher-service",
       "enabled": true,
       "clientAuthenticatorType": "client-secret",
-      "secret": "nGkEukexSWTSjklj3sddgvDzYjSkDmeUlM0FJ5Jhh0",
+      "secret": "${SENTRIUS_LAUNCHER_CLIENT_SECRET}",
       "rootUrl": "${ROOT_URL}",
       "baseUrl": "${ROOT_URL}",
 
@@ -81,7 +81,7 @@
       "enabled": true,
       "alwaysDisplayInConsole": false,
       "clientAuthenticatorType": "client-secret",
-      "secret": "e4WgJovH8MzcAvRnFg3rROAbeDIwiYmx",
+      "secret": "${JAVA_AGENTS_CLIENT_SECRET}",
       "redirectUris": [
         "${REDIRECT_URIS}/*"
       ],
@@ -168,7 +168,7 @@
       "enabled": true,
       "alwaysDisplayInConsole": false,
       "clientAuthenticatorType": "client-secret",
-      "secret": "e4WgJovH8MzcAvRnFg3rROAbeDIwiYmy",
+      "secret": "${AI_AGENT_ASSESSOR_CLIENT_SECRET}",
       "redirectUris": [
         "${REDIRECT_URIS}/*"
       ],

docker/keycloak/startup.sh

@@ -0,0 +1,8 @@
+#!/bin/bash
+echo "Starting Keycloak with dynamic realm processing..."
+
+# Process the realm template
+/opt/keycloak/bin/process-realm-template.sh
+
+# Start Keycloak with the processed realm
+exec /opt/keycloak/bin/kc.sh start-dev --proxy=passthrough --import-realm --import-realm-overwrite=true --health-enabled=true

docs/secret-management.md

@@ -0,0 +1,92 @@
+# Sentrius Secret Management
+
+## Overview
+
+Hardcoded secrets have been removed from the Helm charts and application properties files. The system now supports both dynamic secret generation and external secret management.
+
+## Dynamic Secret Generation
+
+When no secrets are provided in values.yaml, the Helm charts will automatically generate random secrets for:
+
+- OAuth2 client secrets (32 characters)
+- Database passwords (32 characters) 
+- Keystore passwords (24 characters)
+- Keycloak admin passwords (24 characters)
+- Neo4j authentication strings (16 character passwords)
+
+## Providing Custom Secrets
+
+You can override the generated secrets by setting them in your values.yaml:
+
+```yaml
+# Example custom secrets
+secrets:
+  db:
+    username: "my-db-user"
+    password: "my-secure-password"
+    keystorePassword: "my-keystore-password"
+
+sentrius:
+  oauth2:
+    client_secret: "my-oauth2-secret"
+
+keycloak:
+  adminPassword: "my-keycloak-admin-password"
+  clientSecret: "my-keycloak-client-secret"
+  db:
+    password: "my-keycloak-db-password"
+
+neo4j:
+  env:
+    NEO4J_AUTH: "neo4j/my-neo4j-password"
+```
+
+## Environment Variables
+
+Application properties files now use environment variables with fallback defaults:
+
+- `KEYCLOAK_CLIENT_SECRET` - OAuth2 client secret for Keycloak
+- `DATABASE_PASSWORD` - Database password (defaults to "password")
+- `KEYSTORE_PASSWORD` - Keystore password (defaults to "keystorepassword")
+
+## Keycloak Realm Dynamic Configuration
+
+The Keycloak Docker container now supports dynamic realm configuration with automatic secret injection:
+
+### How It Works
+
+1. **Template Processing**: The Keycloak realm configuration uses a template file (`sentrius-realm.json.template`) with environment variable placeholders
+2. **Runtime Substitution**: During container startup, secrets are injected via environment variables:
+   - `SENTRIUS_API_CLIENT_SECRET` - Secret for sentrius-api client
+   - `SENTRIUS_LAUNCHER_CLIENT_SECRET` - Secret for sentrius-launcher-service client
+   - `JAVA_AGENTS_CLIENT_SECRET` - Secret for java-agents client
+   - `AI_AGENT_ASSESSOR_CLIENT_SECRET` - Secret for ai-agent-assessor client
+3. **Helm Integration**: The Helm chart automatically generates these secrets and passes them to the Keycloak container
+4. **Fallback Generation**: If no secrets are provided, the container generates secure random defaults
+
+### Build Integration
+
+When building the Keycloak container with `./build-images.sh --sentrius-keycloak`, the system:
+- Includes the realm template and processing script
+- Configures automatic secret substitution during startup
+- Ensures consistency between Helm-generated OAuth2 secrets and Keycloak realm configuration
+
+## Production Deployment
+
+For production environments, it is recommended to:
+
+1. Use an external secret management system (HashiCorp Vault, AWS Secrets Manager, etc.)
+2. Set all secrets explicitly in your values.yaml file
+3. Use Kubernetes secrets or external secret operators
+4. Never commit secrets to version control
+
+## Removed Hardcoded Secrets
+
+The following hardcoded secrets were removed:
+
+- `nGkEukexSWTvDzYjSkDmeUlM0FJ5Jhh0` (multiple OAuth2 client secrets)
+- `e4WgJovH8MzcAvRnFg3rROAbeDIwiYmx` (agent client secret)
+- `KLJMLKSDJGlkj23@#jasdlkjg@#dsagsagdsag` (AI agent client secret)
+- `neo4j/testingsecret` (Neo4j authentication)
+- Base64 encoded database credentials
+- Hardcoded keystore passwords