fix: protect mongo and redis by password [run-int-tests][run-ui-tests]

Signed-off-by: Ilya Kheifets <[email protected]>

Author: ikheifets-splunk

charts/splunk-connect-for-snmp/templates/_helpers.tpl

@@ -1,10 +1,30 @@
 {{- define "splunk-connect-for-snmp.mongo_uri" -}}
+
+{{- if and .Values.mongodb.auth.enabled .Values.mongodb.auth.existingSecret }}
+    {{- $mongoSecretName := .Values.mongodb.auth.existingSecret }}
+    {{- $mongoSecret := lookup "v1" "Secret" .Release.Namespace $mongoSecretName }}
+
+    {{- if not $mongoSecret }}
+        {{- fail (printf "Secret '%s' not found in namespace '%s'. Please create it before deploying." $mongoSecretName .Release.Namespace) }}
+    {{- end }}
+
+    {{- $mongoPassword := get $mongoSecret.data "mongodb-root-password" | b64dec }}
+
+    {{- if eq .Values.mongodb.architecture "replicaset" }}
+        {{- printf "mongodb+srv://root:%s@%s-mongodb-headless.%s.svc.%s/?tls=false&ssl=false&replicaSet=rs0"  $mongoPassword .Release.Name .Release.Namespace .Values.mongodb.clusterDomain}}
+    {{- else }}
+        {{- printf "mongodb://root:%s@%s-mongodb:27017" $mongoPassword  .Release.Name }}
+    {{- end }}
+{{- else }}
+
 {{- if eq .Values.mongodb.architecture "replicaset" }}
 {{- printf "mongodb+srv://%s-mongodb-headless.%s.svc.%s/?tls=false&ssl=false&replicaSet=rs0" .Release.Name .Release.Namespace .Values.mongodb.clusterDomain}}
 {{- else }}
 {{- printf "mongodb://%s-mongodb:27017" .Release.Name }}
-{{- end }}  
-{{- end }}  
+{{- end }}
+
+{{- end }}
+{{- end }}
 
 {{- define "splunk-connect-for-snmp.mongodbHost" -}}
 {{- if .Values.mongodbHost }}
@@ -15,18 +35,59 @@
 {{- end }}
 
 {{- define "splunk-connect-for-snmp.celery_url" -}}
+
+{{- if and .Values.redis.auth.enabled .Values.redis.auth.existingSecret }}
+    {{- $redisSecretName := .Values.redis.auth.existingSecret }}
+    {{- $redisSecret := lookup "v1" "Secret" .Release.Namespace $redisSecretName }}
+
+    {{- if not $redisSecret }}
+        {{- fail (printf "Secret '%s' not found in namespace '%s'. Please create it before deploying." $redisSecretName .Release.Namespace) }}
+    {{- end }}
+
+    {{- $redisPassword := get $redisSecret.data "redis-password" | b64dec }}
+
+    {{- if and ( eq .Values.redis.architecture "replication" ) .Values.redis.sentinel.enabled  }}
+        {{- printf "redis://:%s@%s-redis:6379/0" $redisPassword .Release.Name }}
+    {{- else }}
+        {{- printf "redis://:%s@%s-redis-master:6379/0" $redisPassword .Release.Name }}
+    {{- end }}
+{{- else }}
+
+
 {{- if and ( eq .Values.redis.architecture "replication" ) .Values.redis.sentinel.enabled  }}
 {{- printf "redis://%s-redis:6379/0" .Release.Name }}
 {{- else }}
 {{- printf "redis://%s-redis-master:6379/0" .Release.Name }}
+{{- end }}
+
 {{- end }}
 {{- end }}
 
 {{- define "splunk-connect-for-snmp.redis_url" -}}
+
+{{- if and .Values.redis.auth.enabled .Values.redis.auth.existingSecret }}
+    {{- $redisSecretName := .Values.redis.auth.existingSecret }}
+    {{- $redisSecret := lookup "v1" "Secret" .Release.Namespace $redisSecretName }}
+
+    {{- if not $redisSecret }}
+        {{- fail (printf "Secret '%s' not found in namespace '%s'. Please create it before deploying." $redisSecretName .Release.Namespace) }}
+    {{- end }}
+
+    {{- $redisPassword := get $redisSecret.data "redis-password" | b64dec }}
+
+    {{- if and ( eq .Values.redis.architecture "replication" ) .Values.redis.sentinel.enabled  }}
+        {{- printf "redis://:%s@%s-redis:6379/1" $redisPassword .Release.Name }}
+    {{- else }}
+        {{- printf "redis://:%s@%s-redis-master:6379/1" $redisPassword .Release.Name }}
+    {{- end }}
+{{- else }}
+
 {{- if and ( eq .Values.redis.architecture "replication" ) .Values.redis.sentinel.enabled  }}
 {{- printf "redis://%s-redis:6379/1" .Release.Name }}
 {{- else }}
 {{- printf "redis://%s-redis-master:6379/1" .Release.Name }}
+{{- end }}
+
 {{- end }}
 {{- end }}
 

charts/splunk-connect-for-snmp/templates/mongodb-6.0-upgrade-job.yaml

@@ -16,17 +16,27 @@ spec:
       containers:
         - name: mongo-fcv-check
           image: {{ .Values.mongodb.image.repository }}:{{ .Values.mongodb.image.tag }}
+
+          {{- $secret := lookup "v1" "Secret" .Release.Namespace .Values.mongodb.auth.existingSecret }}
+          {{- if $secret }}
+          env:
+            - name: MONGO_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{  .Values.mongodb.auth.existingSecret }}
+                  key: mongodb-root-password
+          {{- end }}
           command:
             - /bin/bash
             - -c
             - |
               echo "Checking current mongo FCV"
-              FCV=$(mongosh --host {{ include "splunk-connect-for-snmp.mongodbHost" . | quote }} --quiet --eval 'db.adminCommand({ getParameter: 1, featureCompatibilityVersion: 1 }).featureCompatibilityVersion.version')
+              FCV=$(mongosh --host {{ include "splunk-connect-for-snmp.mongodbHost" . | quote }} {{- if $secret }} --username root --password $MONGO_PASSWORD {{- end }} --quiet --eval 'db.adminCommand({ getParameter: 1, featureCompatibilityVersion: 1 }).featureCompatibilityVersion.version')
               echo "Current Mongo Feature Compatibility Version: $FCV"
               
               if [[ "$FCV" < "6.0" ]]; then
                 echo "FCV < 6.0, setting to 6.0"
-                mongosh --host {{ include "splunk-connect-for-snmp.mongodbHost" . | quote }}  --eval 'db.adminCommand({ setFeatureCompatibilityVersion: "6.0" })'
+                mongosh --host {{ include "splunk-connect-for-snmp.mongodbHost" . | quote }} {{- if $secret }}  --username root --password $MONGO_PASSWORD {{- end }} --eval 'db.adminCommand({ setFeatureCompatibilityVersion: "6.0" })'
               else
                 echo "FCV >= 6.0, nothing to be changed"
               fi

docs/dockercompose/2-download-package.md

@@ -8,6 +8,39 @@ To configure the deployment, follow the instructions in [Inventory configuration
 [Scheduler configuration](./4-scheduler-configuration.md), [Traps configuration](./5-traps-configuration.md),
 [.env file configuration](./6-env-file-configuration.md), [SNMPv3 secrets](./7-snmpv3-secrets.md).
 
+
+## Protect Mongo and Redis by password
+
+In your `docker-compose.yaml` [specify](https://hub.docker.com/r/bitnami/redis) for Redis container `REDIS_PASSWORD` or `REDIS_PASSWORD_FILE`:
+
+```
+  redis:
+  ...
+    environment:
+      - REDIS_PASSWORD=...
+```
+
+The same thing you to [specify](https://hub.docker.com/r/bitnami/mongodb) for Mongo container using `MONGODB_ROOT_PASSWORD`:
+
+```
+  mongo:
+  ...
+    environment:
+      - MONGODB_ROOT_PASSWORD=...
+```
+
+After that just update connection string:
+
+```
+REDIS_URL: redis://:pass@redis:6379/1
+CELERY_BROKER_URL: redis://:pass@redis:6379/0
+MONGO_URI: mongodb://root:pass@mongo:27017/
+```
+
+!!! Warning
+    If you wanna update the password you need to make it manually using `mongo` and `redis` cli.
+    And only after that you need to update `REDIS_PASSWORD`/ `MONGODB_ROOT_PASSWORD` and connection strings.
+
 ## Deploying the app
 After configuration, application can be deployed by running the
 following command inside the `docker_compose` directory:

docs/microk8s/sc4snmp-installation.md

@@ -67,6 +67,43 @@ rules:
 Configuration above can be found in the `examples` directory in SC4SNMP [GitHub repository](https://github.com/splunk/splunk-connect-for-snmp).
 Next run `yamllint -c <path to custom-config.yamllint> <path to values.yaml>` command. Warnings can be ignored.
 
+
+### Protect Mongo and Redis by password
+
+Create secrets for Mongo and Redis:
+
+```
+kubectl create secret generic redis-auth-secret \
+  --from-literal=redis-password=your_password -n sc4snmp
+
+microk8s kubectl create secret generic mongodb-auth-secret \
+  --from-literal=mongodb-root-password=your_password -n sc4snmp
+```
+
+Reference on this secrets in  `values.yaml`:
+
+```
+redis:
+   auth:
+     enabled: true
+     existingSecret: "redis-auth-secret"
+
+mongodb:
+   auth:
+     enabled: true
+     existingSecret: "mongodb-auth-secret"
+```
+
+And **only after that** you can deploy your SC4SNMP.
+
+!!! warning
+    If you wanna update the password, in case of mongo you need to use [passwordUpdateJob](https://artifacthub.io/packages/helm/bitnami/mongodb#automated-update-using-a-password-update-job) (for that just place it in `mongodb` section) and after that redeploy SC4SNMP.
+    
+    But in case of redis helm charm [it's not supporting that automatically](https://artifacthub.io/packages/helm/bitnami/mongodb#automated-update-using-a-password-update-job), you need upadte the password using `redis-cli` and after that update existing secret and redeploy SC4SNMP.
+
+    For that reason will be good to provide credentials during first deploy.
+    
+
 #### Install SC4SNMP
 
 After the `values.yaml` creation, you can proceed with the SC4SNMP installation:

integration_tests/test_poller_integration.py

@@ -1801,6 +1801,6 @@ def run_retried_single_search(setup_splunk, search_string, retries):
         result_count, metric_count = splunk_single_search(setup_splunk, search_string)
         if result_count or metric_count:
             return result_count, metric_count
-        logger.info("No results returned from search. Retrying in 2 seconds...")
-        time.sleep(2)
+        logger.info("No results returned from search. Retrying in 30 seconds...")
+        time.sleep(30)
     return 0, 0