fix: Replace hardcoded password with dynamic value

adskyiproger · adskyiproger · commit 7e876e528de4 · 2026-01-13T17:43:30.000+02:00
diff --git a/.github/TEMPLATES/secret-mapping-opencrvs.yml b/.github/TEMPLATES/secret-mapping-opencrvs.yml
@@ -54,4 +54,10 @@ smtp-config:
 # This string is supplied to the clients and nginx config and ensures that the format of your domain above can be configurable for CORS purposes.
 
 # NOTIFICATION_TRANSPORT
-# A prop which can be used to configure either Email or SMS for staff and beneficiary comms or potentially both.
+# A prop which can be used to configure either Email or SMS for staff and beneficiary comms or potentially both.
+
+# One time password while installation
+opencrvs-superuser:
+  type: Opaque
+  data:
+    - SUPER_USER_PASSWORD
diff --git a/.github/workflows/deploy-opencrvs.yml b/.github/workflows/deploy-opencrvs.yml
@@ -118,7 +118,7 @@ jobs:
       - name: Deploy with Helm
         id: deploy
         run: |
-          helm upgrade --install opencrvs oci://ghcr.io/opencrvs/opencrvs-services \
+          helm upgrade --install opencrvs oci://ghcr.io/opencrvs/opencrvs-services:0.1.26 \
             --timeout 15m \
             --namespace "opencrvs-${ENV}" \
             -f environments/${ENV}/opencrvs-services/values.yaml \
@@ -130,6 +130,7 @@ jobs:
             --set image.tag="$CORE_IMAGE_TAG" \
             --set countryconfig.image.tag="$COUNTRYCONFIG_IMAGE_TAG" \
             --set countryconfig.image.name="$COUNTRYCONFIG_IMAGE_NAME" \
+            --set data_seed.env.ACTIVATE_USERS="${{ vars.ACTIVATE_USERS || 'false' }}" \
             --set hostname=${{ vars.DOMAIN }} 2>&1 | sed '/USER-SUPPLIED VALUES:/,$d'; exit ${PIPESTATUS[0]};
       - name: Cleanup Helm Locks
         if: failure() || cancelled()
diff --git a/.github/workflows/k8s-reindex.yml b/.github/workflows/k8s-reindex.yml
@@ -46,7 +46,7 @@ jobs:
             helm template -f ${namespace}.json \
                 --namespace ${namespace} \
                 -s templates/elasticsearch-reindex-job.yaml \
-                oci://ghcr.io/opencrvs/opencrvs-services | kubectl apply --wait -n ${namespace} -f -
+                oci://ghcr.io/opencrvs/opencrvs-services:0.1.26 | kubectl apply --wait -n ${namespace} -f -
       - name: Checking elasticsearch-reindex job status
         run: |
           while true; do
diff --git a/.github/workflows/k8s-reset-data.yml b/.github/workflows/k8s-reset-data.yml
@@ -101,7 +101,7 @@ jobs:
                 --set data_seed.enabled=true \
                 --namespace ${namespace} \
                 -s templates/${{ matrix.job-name }}-job.yaml \
-                oci://ghcr.io/opencrvs/opencrvs-services | kubectl apply -n ${namespace} --wait=true -f -
+                oci://ghcr.io/opencrvs/opencrvs-services:0.1.26 | kubectl apply -n ${namespace} --wait=true -f -
         - name: Checking ${{ matrix.job-name }} job status
           run: |
             while true; do
diff --git a/.github/workflows/k8s-seed-data.yml b/.github/workflows/k8s-seed-data.yml
@@ -100,7 +100,7 @@ jobs:
                 --set data_seed.env.ACTIVATE_USERS=${{ vars.ACTIVATE_USERS || 'false' }} \
                 --namespace ${namespace} \
                 -s templates/${{ matrix.job-name }}-job.yaml \
-                oci://ghcr.io/opencrvs/opencrvs-services | kubectl apply -n ${namespace} --wait=true -f -
+                oci://ghcr.io/opencrvs/opencrvs-services:0.1.26 | kubectl apply -n ${namespace} --wait=true -f -
         - name: Checking ${{ matrix.job-name }} job status
           run: |
             while true; do
diff --git a/charts/opencrvs-services/Chart.yaml b/charts/opencrvs-services/Chart.yaml
@@ -2,5 +2,5 @@ apiVersion: v2
 name: opencrvs-services
 description: OpenCRVS Services
 type: application
-version: 0.1.23
-appVersion: 1.9.0
+version: 0.1.26
+appVersion: 1.9.6
diff --git a/charts/opencrvs-services/templates/data-migration-job.yaml b/charts/opencrvs-services/templates/data-migration-job.yaml
@@ -21,6 +21,11 @@ spec:
         - name: migration
           image: "ghcr.io/opencrvs/ocrvs-migration:{{ .Values.image.tag }}"
           env:
+            - name: SUPER_USER_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  key: SUPER_USER_PASSWORD
+                  name: opencrvs-superuser
           {{- if eq .Values.elasticsearch.auth_mode "disabled" }}
             - name: ES_HOST
               value: "{{ .Values.elasticsearch.host }}:{{ .Values.elasticsearch.port }}"
diff --git a/charts/opencrvs-services/templates/data-seed-job.yaml b/charts/opencrvs-services/templates/data-seed-job.yaml
@@ -25,6 +25,11 @@ spec:
               value: "http://gateway.{{ .Release.Namespace }}.svc.cluster.local:7070"
             - name: COUNTRY_CONFIG_HOST
               value: http://countryconfig.{{ .Release.Namespace }}.svc.cluster.local:3040
+            - name: SUPER_USER_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  key: SUPER_USER_PASSWORD
+                  name: opencrvs-superuser
           {{- if or (eq .Values.minio.auth_mode "auto") (eq .Values.minio.auth_mode "use_secret") }}
             - name: MINIO_ROOT_USER
               valueFrom:
diff --git a/charts/opencrvs-services/templates/opencrvs-superuser.yaml b/charts/opencrvs-services/templates/opencrvs-superuser.yaml
@@ -0,0 +1,15 @@
+{{- $secret_name := "opencrvs-superuser" }}
+{{- $secret := lookup "v1" "Secret" .Release.Namespace $secret_name }}
+{{- if not $secret }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secret_name }}
+  annotations:
+    "helm.sh/resource-policy": keep
+    "helm.sh/hook": pre-install
+    "helm.sh/hook-weight": "0"
+type: Opaque
+data:
+  SUPER_USER_PASSWORD: {{ randAlphaNum 32 | b64enc }}
+{{- end }}
diff --git a/charts/opencrvs-services/values.yaml b/charts/opencrvs-services/values.yaml
@@ -319,9 +319,7 @@ scheduler: {}
 # One time jobs:
 
 # data_migration: Job to migrate datastores while deployment
-data_migration:
-  env:
-    SUPER_USER_PASSWORD: "password"
+data_migration: {}
 
 
 # data_cleanup: Wipe all persistent data from datastores including users
@@ -335,8 +333,6 @@ data_cleanup:
 data_seed:
   enabled: true
   env:
-    # Default password for admin user for initial data seed
-    SUPER_USER_PASSWORD: "password"
     # When users are seeded, are they immediately active using a test password and
     # six zeros as a 2-Factor auth code. Always set to false in production and staging.
     ACTIVATE_USERS: "true"
