
TG-193: Security: Remove hardcoded passwords and resolve DB login issues

lanfr144 19 hours ago
parent
commit
bd75beb4c3
5 changed files with 24 additions and 22 deletions
  1. 3 3
      docker-compose.yml
  2. 2 2
      docker/zabbix/docker-compose.yml
  3. 0 16
      k8s/secret.yaml
  4. 16 0
      k8s/secret.yaml.example
  5. 3 1
      rotate_passwords.py

+ 3 - 3
docker-compose.yml

@@ -11,7 +11,7 @@ services:
       - ./init.sql:/docker-entrypoint-initdb.d/1-init.sql
       - ./init_zabbix_db.sh:/docker-entrypoint-initdb.d/2-init_zabbix.sh
     environment:
-      - MYSQL_ROOT_PASSWORD=root_pass
+      - MYSQL_ROOT_PASSWORD=${MYSQL_ROOT_PASSWORD}
     healthcheck:
       test: ["CMD", "mysqladmin", "ping", "-h", "localhost"]
       interval: 10s
@@ -75,7 +75,7 @@ services:
     environment:
       - DB_SERVER_HOST=mysql
       - MYSQL_USER=zabbix
-      - MYSQL_PASSWORD=zabbix_pwd
+      - MYSQL_PASSWORD=${MYSQL_ZABBIX_PASSWORD}
       - ZBX_SNMPTRAPPER=1
     depends_on:
       mysql:
@@ -90,7 +90,7 @@ services:
     environment:
       - DB_SERVER_HOST=mysql
       - MYSQL_USER=zabbix
-      - MYSQL_PASSWORD=zabbix_pwd
+      - MYSQL_PASSWORD=${MYSQL_ZABBIX_PASSWORD}
       - ZBX_SERVER_HOST=zabbix-server
       - PHP_TZ=Europe/Paris
     depends_on:
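Review bot: `${MYSQL_ROOT_PASSWORD}` and `${MYSQL_ZABBIX_PASSWORD}` expand to an empty string when the variable is not defined in the environment or `.env`, so a missing file produces only a Compose warning while the MySQL container is likely to refuse first initialisation without a root password and the two zabbix services attempt to log in with an empty one. Compose's required-variable form makes this fail at `up` time with a readable message: `- MYSQL_ROOT_PASSWORD=${MYSQL_ROOT_PASSWORD:?MYSQL_ROOT_PASSWORD must be set}` in the first hunk, and `- MYSQL_PASSWORD=${MYSQL_ZABBIX_PASSWORD:?MYSQL_ZABBIX_PASSWORD must be set}` in the second and third hunks here and in both hunks of docker/zabbix/docker-compose.yml. Since the removed values `root_pass` and `zabbix_pwd` stay in git history, the values placed in `.env` should be fresh credentials rather than the old ones moved out of the file.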

+ 2 - 2
docker/zabbix/docker-compose.yml

@@ -7,7 +7,7 @@ services:
     environment:
       - DB_SERVER_HOST=192.168.130.170 # Use the unified MySQL DB
       - MYSQL_USER=zabbix
-      - MYSQL_PASSWORD=zabbix_pwd
+      - MYSQL_PASSWORD=${MYSQL_ZABBIX_PASSWORD}
       - ZBX_SNMPTRAPPER=1
     restart: always
 
@@ -19,7 +19,7 @@ services:
     environment:
       - DB_SERVER_HOST=192.168.130.170
       - MYSQL_USER=zabbix
-      - MYSQL_PASSWORD=zabbix_pwd
+      - MYSQL_PASSWORD=${MYSQL_ZABBIX_PASSWORD}
       - ZBX_SERVER_HOST=zabbix-server
       - PHP_TZ=Europe/Paris
     depends_on:
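Review bot: This compose file sits in docker/zabbix/, and Compose reads `.env` from the project directory (by default the directory of the compose file, or whatever `--project-directory`/`--env-file` selects), so a single top-level `.env` will not satisfy `${MYSQL_ZABBIX_PASSWORD}` when this file is brought up from its own directory; whether a second `.env` exists there is not visible in this commit. A comment above `environment:` would spare the next operator the empty-password failure, e.g. `# MYSQL_ZABBIX_PASSWORD is read from .env in this directory (or --env-file) and must match the value used by the top-level docker-compose.yml`. The same value is used by both services in this file, so one definition serves both.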

+ 0 - 16
k8s/secret.yaml

@@ -1,16 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-  name: food-ai-secrets
-  namespace: food-ai
-type: Opaque
-stringData:
-  MYSQL_ROOT_PASSWORD: "BTSai123"
-  DB_OWNER_PASS: "BTSai123"
-  DB_READER_PASS: "BTSai123"
-  DB_LOADER_PASS: "BTSai123"
-  DB_AUTH_PASS: "BTSai123"
-
-  EMAIL_USER: "lanfr1904@outlook.com"
-
-  EMAIL_PASS: "BTSai123"

+ 16 - 0
k8s/secret.yaml.example

@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: food-ai-secrets
+  namespace: food-ai
+type: Opaque
+stringData:
+  MYSQL_ROOT_PASSWORD: "placeholder_root_pass"
+  DB_OWNER_PASS: "placeholder_owner_pass"
+  DB_READER_PASS: "placeholder_reader_pass"
+  DB_LOADER_PASS: "placeholder_loader_pass"
+  DB_AUTH_PASS: "placeholder_auth_pass"
+
+  EMAIL_USER: "your_email@example.com"
+
+  EMAIL_PASS: "placeholder_email_pass"
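Review bot: The example manifest carries no instruction for its use, and nothing in this commit shows that the real `k8s/secret.yaml` is now excluded from version control, so the usual copy-and-fill workflow can recreate exactly the file this commit deletes and commit it again. A header comment before `apiVersion:` would close that gap, along the lines of `# Template only: copy to k8s/secret.yaml (which must be git-ignored), fill the values from your secret store, then apply`. Confirm separately that `k8s/secret.yaml` is listed in .gitignore; that change is not part of this diff. Applying this file unchanged would also load the `placeholder_*` strings into the cluster, which the comment should make explicit.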

+ 3 - 1
rotate_passwords.py

@@ -3,6 +3,7 @@ import os
 import secrets
 import string
 import subprocess
+from dotenv import load_dotenv
 
 def generate_password(length=16):
     characters = string.ascii_letters + string.digits + "!@#$%^&*"
@@ -27,6 +28,7 @@ def update_env_file(passwords):
     print("✅ .env file updated with new synchronized passwords.")
 
 def main():
+    load_dotenv()
     print("🔄 Starting Password Synchronization Routine...")
     
     # 1. Connect to MySQL as root
@@ -35,7 +37,7 @@ def main():
             host='192.168.130.170',  # Assuming we run this from host to mapped port, or within a container network
             port=3307,
             user='root',
-            password='root_pass',
+            password=os.environ.get('MYSQL_ROOT_PASSWORD', 'root_pass'),
             database='food_db'
         )
     except Exception as e:
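Review bot: `os.environ.get('MYSQL_ROOT_PASSWORD', 'root_pass')` keeps the password this commit set out to remove as a silent fallback, so an unset variable still attempts a root login with the old default instead of surfacing the misconfiguration, and because the call sits inside the `try`, a missing-variable error raised there would be swallowed by the `except Exception` on the last line. Read the value once after `load_dotenv()` and stop early: `root_pw = os.environ.get('MYSQL_ROOT_PASSWORD')`, `if not root_pw: raise SystemExit('MYSQL_ROOT_PASSWORD is not set')`, then pass `password=root_pw,`. `from dotenv import load_dotenv` introduces a third-party package (python-dotenv); whether it is declared in the project's dependency file is not visible in this commit. main() continues past the end of the hunk.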