0

I have a mongo database and mongo-express running as Docker containers in Kubernetes Cluster. I have enabled mongo-express base authentication by assigning the username and the password to ME_CONFIG_BASICAUTH_USERNAME and ME_CONFIG_BASICAUTH_PASSWORD envs respectively, according to the documentation. https://github.com/mongo-express/mongo-express

After that the base authentication popup works and env credentials are validated correctly.

enter image description here

This approach - passing credentails as a plain text in mongo-express manifest file does not satisfy me. I would like to keep these sensitive credentials in secret Kubernetes object as base64 encoded strings.

The issue is that if I try to store mongo-express basic auth credentials in secret object this credentials are no longer valid so I cannot sign in to mongo-express UI.

I' am currently using secret values for example to storing mongodb credentials and there is no problem.

In mongo-express container the credentails are properly assigned to their envs. From the container point of view, the values ​​of the ME_CONFIG_BASICAUTH_USERNAME and ME_CONFIG_BASICAUTH_PASSWORD env variables are the same regardless of whether they were assigned from a secret or as a value in a mongo-express manifest.

enter image description here

I have reloaded secrets before the mongo-express deployment.

enter image description here

In short, if credentailes are passed as values ​​everything works fine, if as a secret, then sign in fails with no error.

Desired view for signed in users. enter image description here

mongo-express manifest file:

# SERVICE
apiVersion: v1
kind: Service
metadata:
  name: mongo-express-service
  labels:
    app: mongo-express-service
spec:
  selector:
    app: mongo-express
  type: LoadBalancer
  ports:
    - protocol: TCP
      port: 80
      targetPort: 8081
---
# DEPLOYMENT
apiVersion: apps/v1
kind: Deployment
metadata:
  name: mongo-express-deployment
  labels:
    app: mongo-express-deployment
spec:
  replicas: 1
  selector:
    matchLabels:
      app: mongo-express
  template:
    metadata:
      labels:
        app: mongo-express
    spec:
      containers:
        - name: mongo-express
          image: mongo-express
          ports:
            - containerPort: 8081
          env:
            - name: ME_CONFIG_MONGODB_ADMINUSERNAME
              valueFrom:
                secretKeyRef:
                  name: mongo-secret
                  key: mongo-root-username
            - name: ME_CONFIG_MONGODB_ADMINPASSWORD
              valueFrom:
                secretKeyRef:
                  name: mongo-secret
                  key: mongo-root-password
            - name: ME_CONFIG_BASICAUTH_USERNAME
              # value: admin
              valueFrom:
                secretKeyRef:
                  name: mongo-secret
                  key: mongo-basic-auth-username
            - name: ME_CONFIG_BASICAUTH_PASSWORD
              # value: admin
              valueFrom:
                secretKeyRef:
                  name: mongo-secret
                  key: mongo-basic-auth-password
            - name: ME_CONFIG_MONGODB_SERVER
              valueFrom:
                configMapKeyRef:
                  name: mongo-config
                  key: mongo-server

mongo secret mainfest file:

# SECRET
apiVersion: v1
kind: Secret
metadata:
  name: mongo-secret
type: Opaque
data:
  mongo-root-username: XXXXXXXXXXXXXXXXXX
  mongo-root-password: XXXXXXXXXXXXXXXXXX
  mongo-basic-auth-username: YWRtaW4K
  mongo-basic-auth-password: YWRtaW4K
Mikolaj
  • 1,231
  • 1
  • 16
  • 34
  • How did you create a secret? Values should be `base64` encrypted. For testing you can create a secret from command line like `kubectl create secret generic mongo-secret --from-literal=mongo-root-username=admin-mongo --from-literal=mongo-root-password=password` – moonkotte Aug 17 '21 at 13:25
  • @moonkotte I created a secret using manifest file. In the same manifest I typed mongo-root-username and password which works correctly, but mongo-basic-auth-username and password don't, although the are both base64 encoded. After created a secret object and recreated mongo-express deployment then inside mongo-express contianer all of the secret data are decoded properly, moreover, they look the same as if they were passed as plan value text in mongo-express manifest. So my question is why the basic-auth credentials don't work if they comes from secret object even if mongo-root creds works? – Mikolaj Aug 18 '21 at 08:11

1 Answers1

0

I guess the Stored Secret is only accessible during the Deployment Phase. ME Express does not seem to like these values base64 encoded. Try your config with auth files like in the docs. It makes not much sense to base64 encode these values as: a) they are not accessible by a webuser. b) they are easy to decode

ME_CONFIG_MONGODB_AUTH_USERNAME_FILE
ME_CONFIG_MONGODB_AUTH_PASSWORD_FILE
Rob
  • 31
  • 6