feat: add existing secret functionality to Falcon Integration Gateway #294
Conversation
helm-charts/falcon-integration-gateway/templates/deployment.yaml
apiVersion: v1 | ||
kind: ConfigMap | ||
metadata: | ||
name: {{ include "falcon-integration-gateway.fullname" . }}-env | ||
namespace: {{ .Release.Namespace }} | ||
labels: | ||
{{- include "falcon-integration-gateway.labels" . | nindent 4 }} | ||
data: | ||
FALCON_CLOUD_REGION: {{ .Values.falcon.cloud_region | quote }} | ||
{{- if .Values.push.aws_security_hub.enabled }} | ||
AWS_REGION: {{ .Values.push.aws_security_hub.region | quote }} | ||
{{- end }} | ||
{{- if .Values.push.azure_log_analytics.enabled }} | ||
WORKSPACE_ID: {{ .Values.push.azure_log_analytics.workspace_id | quote }} | ||
PRIMARY_KEY: {{ .Values.push.azure_log_analytics.primary_key | quote }} | ||
ARC_AUTODISCOVERY: {{ .Values.push.azure_log_analytics.arc_autodiscovery | toString | quote }} | ||
{{- end }} | ||
{{- if .Values.push.chronicle.enabled }} | ||
CHRONICLE_REGION: {{ .Values.push.chronicle.region | quote }} | ||
GOOGLE_SECURITY_KEY: {{ .Values.push.chronicle.security_key | quote }} | ||
{{- end }} | ||
{{- if .Values.push.cloudtrail_lake.enabled }} | ||
CLOUDTRAIL_LAKE_CHANNEL_ARN: {{ .Values.push.cloudtrail_lake.channel_arn | quote }} | ||
CLOUDTRAIL_LAKE_REGION: {{ .Values.push.cloudtrail_lake.region | quote }} | ||
{{- end }} | ||
{{- if .Values.push.vmware_workspace_one.enabled }} | ||
SYSLOG_HOST: {{ .Values.push.vmware_workspace_one.syslog_host | quote }} | ||
SYSLOG_PORT: {{ .Values.push.vmware_workspace_one.syslog_port }} | ||
WORKSPACEONE_TOKEN: {{ .Values.push.vmware_workspace_one.token | quote }} | ||
{{- end }} |
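Review bot: PRIMARY_KEY, GOOGLE_SECURITY_KEY and WORKSPACEONE_TOKEN (and WORKSPACE_ID, which the maintainer also flags as sensitive) are credentials, and this ConfigMap renders them in plaintext where anyone with get on configmaps in the namespace can read them; keep those keys in the Secret and move only FALCON_CLOUD_REGION, AWS_REGION, ARC_AUTODISCOVERY, CHRONICLE_REGION, CLOUDTRAIL_LAKE_CHANNEL_ARN, CLOUDTRAIL_LAKE_REGION, SYSLOG_HOST and SYSLOG_PORT here. Separately, the line "SYSLOG_PORT: {{ .Values.push.vmware_workspace_one.syslog_port }}" is the only value without "| quote"; ConfigMap data values must be strings, so an integer port in values.yaml renders as a bare number and the API server rejects the object. Add "| quote" as every other key in this block does.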
This should stay where it originally was in a secret since it still contains sensitive data. So please drop this configmap addition as well as the configmap file rename.
The intent is to move the non-sensitive data out of the secret and into a config map where it belongs. If I set up an existing secret I don't want to be managing SYSLOG_HOST there, for example. It should only contain sensitive data so I can keep the config managed in helm.
To be clear, my specific situation is for managing the values with a gitops workflow. I need to manage all configuration except secrets within the repo. Simply replacing the secret with an existingSecret does not work for this pattern since I won't be able to manage AWS_REGION in the repo. Looking at the secret, almost none of it is actually sensitive, so I attempted to be more consistent with every other chart in this repository. However, there is already a configmap that is directly mounted to a config file.
Another option is to use an env: key in the values to add additional needed vars that aren't configurable, like confirm_instance, instead of explicitly listing them out in the template. This might be the most minimal change that would allow the existing logic to remain.
It looks like the only sensitive fields here are GOOGLE_SECURITY_KEY and WORKSPACEONE_TOKEN, however. Can you clarify if anything else is sensitive? Maybe the cloudtrail lake ARN?
You'd want to update the config.ini and not create a new configmap. Technically, secrets are not secrets in k8s, and the use of secretRef should be avoided due to secrets as env var exposure, credential dumping, and exporting plaintext via logs. There are other sensitive values like WORKSPACE_ID and PRIMARY_KEY.
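One way to realise the split the thread is arguing about, as an added example and not the chart's own templates: credentials stay in a Secret that an operator can replace with their own, every non-sensitive setting goes in a chart-managed ConfigMap that a GitOps repo can own, and the Deployment consumes the credentials as files instead of through secretRef, which is the exposure the maintainer is pointing at. The values keys existingSecret and extraEnv, the file names, the mount path, the fsGroup id and the application's ability to read credentials from files are assumptions; the fullname and labels helpers and the values paths are the ones visible in the PR.

```yaml
# templates/secret.yaml (assumed file name). Rendered only when the operator
# has not supplied their own Secret via .Values.existingSecret (assumed key).
{{- if not .Values.existingSecret }}
apiVersion: v1
kind: Secret
metadata:
  name: {{ include "falcon-integration-gateway.fullname" . }}
  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "falcon-integration-gateway.labels" . | nindent 4 }}
type: Opaque
stringData:
  # Credentials only; nothing here needs to live in a GitOps repo.
  {{- if .Values.push.azure_log_analytics.enabled }}
  WORKSPACE_ID: {{ .Values.push.azure_log_analytics.workspace_id | quote }}
  PRIMARY_KEY: {{ .Values.push.azure_log_analytics.primary_key | quote }}
  {{- end }}
  {{- if .Values.push.chronicle.enabled }}
  GOOGLE_SECURITY_KEY: {{ .Values.push.chronicle.security_key | quote }}
  {{- end }}
  {{- if .Values.push.vmware_workspace_one.enabled }}
  WORKSPACEONE_TOKEN: {{ .Values.push.vmware_workspace_one.token | quote }}
  {{- end }}
{{- end }}
---
# templates/configmap-env.yaml (assumed file name). Non-sensitive settings,
# always chart-managed, so they stay in the repo even with an existing Secret.
apiVersion: v1
kind: ConfigMap
metadata:
  name: {{ include "falcon-integration-gateway.fullname" . }}-env
  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "falcon-integration-gateway.labels" . | nindent 4 }}
data:
  FALCON_CLOUD_REGION: {{ .Values.falcon.cloud_region | quote }}
  {{- if .Values.push.aws_security_hub.enabled }}
  AWS_REGION: {{ .Values.push.aws_security_hub.region | quote }}
  {{- end }}
  {{- if .Values.push.cloudtrail_lake.enabled }}
  CLOUDTRAIL_LAKE_CHANNEL_ARN: {{ .Values.push.cloudtrail_lake.channel_arn | quote }}
  CLOUDTRAIL_LAKE_REGION: {{ .Values.push.cloudtrail_lake.region | quote }}
  {{- end }}
  {{- if .Values.push.vmware_workspace_one.enabled }}
  SYSLOG_HOST: {{ .Values.push.vmware_workspace_one.syslog_host | quote }}
  # ConfigMap data values must be strings; an unquoted integer port is rejected.
  SYSLOG_PORT: {{ .Values.push.vmware_workspace_one.syslog_port | quote }}
  {{- end }}
---
# templates/deployment.yaml, pod template only (assumed excerpt). The ConfigMap
# is injected with envFrom; the credentials are mounted as files so they never
# enter the process environment (env dumps, child processes, logged environ).
# Assumes the application reads its credentials from /run/secrets/fig.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ include "falcon-integration-gateway.fullname" . }}
spec:
  template:
    spec:
      securityContext:
        fsGroup: 1000          # assumed gid; lets a non-root process read the 0440 files
      containers:
        - name: falcon-integration-gateway
          envFrom:
            - configMapRef:
                name: {{ include "falcon-integration-gateway.fullname" . }}-env
          env:
            # Arbitrary extra variables (the thread's confirm_instance case)
            # from .Values.extraEnv (assumed key), in plain env list syntax.
            {{- with .Values.extraEnv }}
            {{- toYaml . | nindent 12 }}
            {{- end }}
          volumeMounts:
            - name: credentials
              mountPath: /run/secrets/fig
              readOnly: true
      volumes:
        - name: credentials
          secret:
            secretName: {{ .Values.existingSecret | default (include "falcon-integration-gateway.fullname" .) }}
            defaultMode: 0440
```

An operator-supplied Secret must use the same key names the chart would have rendered (WORKSPACE_ID, PRIMARY_KEY, GOOGLE_SECURITY_KEY, WORKSPACEONE_TOKEN) because the application sees only the mounted file names. A quick check after a render is that `helm template` with existingSecret set emits no Secret at all and that the `-env` ConfigMap contains none of those four keys.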
See changes
The existing chart uses secretRef; I just made the name here configurable.
In order to reduce the scope of changes I moved to use env instead of attempting to figure out what was correctly a secret or not. This allows me to set AWS_REGION in the vars as well as the other missing env vars. I wasn't sure whether to place it at the global level or under falcon.
@mkeats-clumio see if #297 fits your needs. Turns out there was a good amount of updating that needed to happen for the config. I have also added your existing secret code there.
@redhatrises that looks perfect. I'll test it out shortly. I'll close this PR after I confirm.
#297 looks good, closing this one.
Fixes #283
This adds an existingSecret value in the same style as the other charts in this repo.
It also adds the option to pass in arbitrary environment variables in order to manage the configurations that are embedded in the secret.