java-openliberty: use ENV variables for security credentials

incubator/java-openliberty/README.md

@@ -39,9 +39,9 @@ The `mpMetrics` feature enables MicroProfile Metrics support in Open Liberty. No
 
 Metrics endpoint: http://localhost:9080/metrics
 
-#### Metrics Password
-
-Log in as the `admin` user to see both the system and application metrics in a text format.   The password for this `admin` user will be generated by the container.  
+#### Metrics Credentials
+ 
+For local development, default credentials are provided. Log in as the `admin` user to see both the system and application metrics in a text format.   The password for this `admin` user will be generated by the container.  
 
 To get the generated password for project **my-project**, you can exec in the container like this, for example:
 
@@ -51,6 +51,7 @@ To get the generated password for project **my-project**, you can exec in the co
 
 So in the above example the password value would be: `2r1aquTO3VVUVON7kCDdzno`
 
+
 ### OpenAPI
 
 The `mpOpenAPI` feature provides a set of Java interfaces and programming models that allow Java developers to natively produce OpenAPI v3 documents from their JAX-RS applications. This provides a standard interface for documenting and exposing RESTful APIs.
@@ -115,6 +116,29 @@ The command `appsody test` launches the Open Liberty server, runs integration te
 * At the time of the release of this java-openliberty stack, this problem seems to be getting the active attention of the Docker Desktop for Windows developement team, (e.g. see [this issue](https://github.com/docker/for-win/issues/5530)). Naturally, updating your Docker Desktop for Windows installation might help, however, we can not simply point to a recommended version that is known to work for all users.   
 * **Workaround**: This may be worked around by making the changes from the host, and then doing a `touch` of the corresponding files from within the container.
 
+## Application Deployment 
+
+### Providing security credentials in deployment
+
+Default security credentials are provided for local development. These default values are removed from the official deployment image which simply exposes username and password credentials as environment variables.
+You can set these variables by adding the following to app-deploy.yaml where `mySecret` is the name of a pre-defined Secret in your namespace:
+
+   ```bash
+   env:
+     - name: STACK_USERNAME
+     valueFrom:
+       secretKeyRef:
+         key: username
+         name: mySecret
+     - name: STACK_PASSWORD
+     valueFrom:
+       secretKeyRef:
+         key: password
+         name: mySecret
+   ```
+
+   This will set environment variables in the deployment called `STACK_USERNAME` and `STACK_PASSWORD` which map to the username and password of `mySecret` respectively. 
+
 ## Other externals and usage notes
 
 The stack itself defines an externals worth noting here, which is not apparent from the default template:
@@ -123,10 +147,10 @@ The stack itself defines an externals worth noting here, which is not apparent f
 
 This can be used to abstract over the differences between the install location in each of the local development (`appsody run/debug/test`) vs. image build (`appsody build`) scenarios.
 
-### Config dropin: **quick-start-security.xml**
+### Config dropin: **default-credentials.xml**
 
-The metrics endpoint is secured with a userid and password enabled through the config dropin included in the default template at path:
-**src/main/liberty/config/configDropins/defaults/quick-start-security.xml**.
+The metrics endpoint is secured with a default userid and generated password enabled through the config dropin included in the default template at path:
+**src/main/liberty/config/configDropins/defaults/default-credentials.xml**.
 
 In order to lock down the production image built via `appsody build` this file is deleted during the Docker build of your application production image.  (The same file would be deleted if you happened to create your own file at this location as well).
 

incubator/java-openliberty/image/project/Dockerfile

@@ -43,10 +43,10 @@ COPY --chown=java_user:java_group ./user-app /project/user-app
 
 # Build (and run unit tests) 
 #  also liberty:create copies config from src->target
-#  also remove quick-start-security.xml since it's convenient for local dev mode but should not be in the production image.
+#  also remove default-credentials.xml since it's convenient for local dev mode but should not be in the production image.
 RUN cd /project/user-app && \
-    echo "QUICK START SECURITY IS NOT SECURE FOR PRODUCTION ENVIRONMENTS. IT IS BEING REMOVED" \
-    rm -f src/main/liberty/config/configDropins/defaults/quick-start-security.xml && \
+    echo "DEFAULT CREDENTIALS ARE NOT SECURE FOR PRODUCTION ENVIRONMENTS. THEY ARE BEING REMOVED" && \
+    rm -f src/main/liberty/config/configDropins/defaults/default-credentials.xml && \
     mvn -Pappsody-build -B liberty:create package
 
 # process any resources or shared libraries - if they are present in the dependencies block for this project (there may be none potentially)

incubator/java-openliberty/stack.yaml

@@ -1,5 +1,5 @@
 name: Open Liberty
-version: 0.2.8
+version: 0.2.9
 description: Eclipse MicroProfile & Jakarta EE on Open Liberty & OpenJ9 using Maven
 license: Apache-2.0
 language: java

incubator/java-openliberty/templates/default/src/main/liberty/config/configDropins/defaults/default-credentials.xml

@@ -0,0 +1,6 @@
+<server>
+    <!-- These are default credentials provided for local development.
+         This XML file is removed when the application is deployed. -->        
+    <variable name="stack.username" defaultValue="admin"/>
+    <variable name="stack.password" defaultValue="${keystore_password}"/>
+</server>

incubator/java-openliberty/templates/default/src/main/liberty/config/configDropins/defaults/server.xml

@@ -0,0 +1,5 @@
+<server description="Default security configuration">
+
+    <quickStartSecurity userName="${stack.username}" userPassword="${stack.password}" />
+
+</server>

incubator/java-openliberty/templates/default/src/main/liberty/config/server.xml

@@ -2,7 +2,7 @@
     <featureManager>
         <feature>microProfile-3.2</feature>
     </featureManager>
-
+    
     <httpEndpoint host="*" httpPort="${default.http.port}" 
         httpsPort="${default.https.port}" id="defaultHttpEndpoint"/>