[Feature Request]: use random passwords by default

[jekader]

This helm chart currently deploys a very insecure devlake instance by default: authentication for the UI is disabled, DB passwords are hardcoded while the user is asked to generate the cumbersome encryption key manually which is exported as an env var and lost immediately anyways.

This makes the setup quite vulnerable by so I propose populating all access credentials with random values if they are not explicitly set and have the user retrieve them from the created secret objects if needed. This is already the workflow for Grafana and works just fine.

Specifically:

Value	Current default	Proposed default
lake.encryptionSecret.secret	manually provided by user	random
mysql.username	merico	random
mysql.password	merico	random
ui.basicAuth.enabled	false	true
ui.basicAuth.password	-	random

[klesh]

OK, can these randomly generated values be retrieved by the user afterward?

[jekader]

Sure, all of them are stored in plaintext in the relevant secret objects.

Here's how this is handled in documentation for Grafana:

4. How to set the Grafana admin password? If not explicitly set, a random password will be generated and saved in a Kubernetes Secret

https://github.com/apache/incubator-devlake-helm-chart/blob/main/HelmSetup.md?plain=1#L284

It's a best practice to follow the same pattern for all sensitive data. Then, in the quick start, have the passwords explicitly set to some demo values to make things easier to test out.

[klesh]

I see. Sounds reasonable to me. Would you like to work on it?

[jekader]

Sure, will try once I have time. Helm needs some workarounds so that it does not overwrite values on each update but here's a good example we can use:

helm/helm#3053 (comment)