ES_PASSWORD environmental variable and es.password flag removal

[alkistis500]

Hello,

There is a general security requirement to avoid provisioning a secret as container environment variable.
In jaeger collector and jaeger ingester, environmental variable ES_PASSWORD which is mapped to es.password flag is used to pass the needed elasticsearch password.
Could you please consider removing ES_PASSWORD env variable and es.password flag and pass the elasticsearch password via for example provisioning it with a secret file in a volume which is mounted in order to be compatible with the security requirement?

Thank you in advance!

[jkowall]

Docker doesn't really have this capability (without swarm which you likely don't want to use) are you running on k8s as that has a secret capability.

[yurishkuro]

general security requirement to avoid provisioning a secret as container environment variable

from which authority is this a "general security requirement"?

[alkistis500]

Hello,

we are running on K8s. There is the capability to provision secrets with a secret file in a volume which is mounted.
There are a lot of records defining that provisioning secrets via environmental variables may be insecure:
https://hub.datree.io/built-in-rules/prevent-secrets-as-env-variables
https://blog.arcjet.com/storing-secrets-in-env-vars-considered-harmful/
https://blog.nillsf.com/index.php/2020/02/24/dont-use-environment-variables-in-kubernetes-to-consume-secrets/
https://stackoverflow.com/questions/51365355/kubernetes-secrets-volumes-vs-environment-variables

As far as I know, not to provision secrets as environmental variables is now DfSec requirement and Pen Testcase as well .

[jkowall]

I mean you still have to store the password in the secret, so I'm not sure it's any "less safe" this way. This is how you'd have to do it.

apiVersion: v1
kind: Secret
metadata:
  name: elasticsearch-password
type: Opaque
data:
  password: <base64-encoded-password>

On Jaeger deployment:

volumes:
  - name: elasticsearch-password
    secret:
      secretName: elasticsearch-password
volumeMounts:
  - name: elasticsearch-password
    mountPath: /etc/secrets
    readOnly: true

You'd have to create a PR to change the code to read from that file instead. Something like this:

package main

import (
    "fmt"
    "os"
)

func main() {
    // ... other code ...

    passwordBytes, err := os.ReadFile("/etc/secrets/password")
    if err != nil {
        // Handle error appropriately (log, exit, etc.)
        fmt.Println("Error reading password:", err)
        return
    }
    esPassword := string(passwordBytes)

    // ... use 'esPassword' to connect to Elasticsearch ...
}