
Commit 1d062f1

aroberts87gi-erre
andauthored
feat(shield): convert alf config to secret (#2303)
Co-authored-by: Giovanni Recupero <[email protected]>
1 parent de561e8 commit 1d062f1

12 files changed

+139
-70
lines changed

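--- a/charts/shield/Chart.yaml
+++ b/charts/shield/Chart.yaml
@@ -13,5 +13,5 @@ maintainers:
 - name: mavimo
 
 type: application
-version: 1.19.3
+version: 1.19.4
 appVersion: "1.0.0"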

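--- a/charts/shield/README.md
+++ b/charts/shield/README.md
@@ -111,6 +111,7 @@ The following table lists the configurable parameters of the `shield` chart and
 | features.investigations.event_forwarder.enabled | | <code>false</code> |
 | features.investigations.event_forwarder.integrations | | <code>[]</code> |
 | features.investigations.event_forwarder.transmit_message_types | | <code>[]</code> |
+| features.investigations.event_forwarder.existing_secret | If existing_secret is set to anything different than an empty string the local forwarder secret generation is skipped and the existing secret name is used to mount the secret volume instead of the one defined in the secrets template | <code>""</code> |
 | features.respond.rapid_response.enabled | | <code>false</code> |
 | features.respond.rapid_response.password | | <code></code> |
 | features.respond.rapid_response.password_existing_secret | The name of the existing Rapid Response password secret | <code></code> |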

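--- a/charts/shield/templates/host/_helpers.tpl
+++ b/charts/shield/templates/host/_helpers.tpl
@@ -288,3 +288,8 @@ true
 true
 {{- end }}
 {{- end }}
+
+{{/* Return the name of the local forwarder secret */}}
+{{- define "host.local_forwarder_secret_name" }}
+{{- include "host.fullname" . | trunc 46 | trimSuffix "-" | printf "%s-local-forwarder" }}
+{{- end }}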
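Review bot: The `trunc 46` in the new `host.local_forwarder_secret_name` helper is an unexplained constant, and a reader has to re-derive why 46 rather than the usual 63. The suffix `-local-forwarder` is 16 characters, so 46 + 16 keeps the generated name at 62 characters — presumably chosen to stay within the 63-character limit that applies to DNS-label-style names, though the chart does not say so. Replacing the one-line comment with `{{/* Return the name of the local forwarder secret. host.fullname is truncated to 46 chars so that, with the 16-char "-local-forwarder" suffix, the result stays within 63 characters. */}}` records the derivation where the constant lives.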

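--- a/charts/shield/templates/host/configmap.yaml
+++ b/charts/shield/templates/host/configmap.yaml
@@ -10,11 +10,6 @@ data:
 {{- include "host.host_shield_config" . | nindent 4 }}
 dragent.yaml: |
 {{- include "host.configmap" . | nindent 4 }}
-{{- if .Values.features.investigations.event_forwarder.enabled }}
-local_forwarder_config.yaml: |
-integrations:
-{{- toYaml .Values.features.investigations.event_forwarder.integrations | nindent 6 }}
-{{- end }}
 {{- if (include "host.prometheus_enabled" .Values.features) }}
 prometheus.yaml: |
 {{- with .Values.features }}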

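--- a/charts/shield/templates/host/daemonset.yaml
+++ b/charts/shield/templates/host/daemonset.yaml
@@ -332,8 +332,11 @@ spec:
 {{- end }}
 {{- if .Values.features.investigations.event_forwarder.enabled }}
 - name: local-forwarder-config
-configMap:
-name: {{ include "host.fullname" . }}
-optional: true
+secret:
+{{- if eq .Values.features.investigations.event_forwarder.existing_secret "" }}
+secretName: {{ include "host.local_forwarder_secret_name" . }}
+{{- else }}
+secretName: {{ .Values.features.investigations.event_forwarder.existing_secret }}
+{{- end }}
 {{- end }}
 {{- include "host.volumes" . | nindent 8 }}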
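Review bot: The new `secret:` volume drops the `optional: true` that the replaced `configMap:` volume carried, so when `existing_secret` names a Secret that is missing from the release namespace the pod stays in ContainerCreating instead of starting without a forwarder config. That fail-closed behaviour is the right default for a config that may carry forwarding credentials, but it is a change in failure mode that neither the commit message nor the README entry mentions; a template comment such as `{{/* not optional: a missing existing_secret must block startup rather than run without forwarder config */}}` above the `secret:` line would record the intent. Separately, the `eq ... existing_secret ""` test on the `{{- if` line (and the same expression in the guard added to host/secrets.yaml) only matches an empty string, so a user who sets the value to `null` does not get the generated secret; `{{- if not .Values.features.investigations.event_forwarder.existing_secret }}` treats both as unset. The `{{- else }}` branch also interpolates a user-supplied scalar unquoted; `secretName: {{ .Values.features.investigations.event_forwarder.existing_secret | quote }}` is the safer form. The enclosing volumes list starts outside the hunk.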

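--- a/charts/shield/templates/host/secrets.yaml
+++ b/charts/shield/templates/host/secrets.yaml
@@ -11,3 +11,17 @@ type: Opaque
 data:
 password: {{ (include "host.rapid_response_password" .) | b64enc | quote }}
 {{- end }}
+
+{{- if and .Values.features.investigations.event_forwarder.enabled (eq .Values.features.investigations.event_forwarder.existing_secret "") }}
+---
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+name: {{ include "host.local_forwarder_secret_name" . }}
+namespace: {{ .Release.Namespace }}
+labels:
+{{- include "host.labels" . | nindent 4 }}
+data:
+local_forwarder_config.yaml: {{ pick .Values.features.investigations.event_forwarder "integrations" | toYaml | b64enc | quote }}
+{{- end }}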
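Review bot: The data key `local_forwarder_config.yaml` on the last added line is an undocumented contract with host/daemonset.yaml, whose mount uses that key as `subPath` (visible in the new daemonset_test.yaml assertions), so a user-supplied `existing_secret` must expose exactly that key or the mount fails at pod start; neither the template nor the README row says so. A comment above `data:`, `{{/* key must match the subPath mounted by host/daemonset.yaml; an existing_secret has to provide the same key */}}`, plus a matching sentence in the README entry, would make the requirement explicit. The `toYaml | b64enc` pipeline embeds the whole `integrations` block, which is presumably why it moves out of the ConfigMap; I cannot see from this page whether the DaemonSet carries a checksum annotation for this Secret, so edits to `integrations` may not roll the pods — worth confirming.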

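--- a/charts/shield/tests/host/configmap-host-shield-config_test.yaml
+++ b/charts/shield/tests/host/configmap-host-shield-config_test.yaml
@@ -473,3 +473,29 @@ tests:
 in_use:
 enabled: false
 integration_enabled: false
+
+- it: Ensure Local Forwarder
+set:
+features:
+investigations:
+event_forwarder:
+enabled: true
+integrations:
+- channels:
+- SECURE_EVENTS_POLICIES
+- ACTIVITY_AUDIT
+configuration:
+output: stdout
+type: LOCAL
+transmit_message_types:
+- POLICY_EVENTS
+- SECURE_AUDIT
+asserts:
+- matchRegex:
+path: data['dragent.yaml']
+pattern: |
+local_forwarder:
+enabled: true
+transmit_message_types:
+- POLICY_EVENTS
+- SECURE_AUDIT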
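Review bot: The new `Ensure Local Forwarder` case enables the forwarder with an integrations block but never asserts that `local_forwarder_config.yaml` has left the ConfigMap, so it would still pass if a later change put the integrations back into `data`. Adding `- notExists:` / `path: data['local_forwarder_config.yaml']` to its `asserts` pins the point of this commit, since the deleted configmap-local-forwarder_test.yaml presumably held the only coverage of that key. The `tests:` list starts outside the hunk.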

charts/shield/tests/host/configmap-local-forwarder_test.yaml

Lines changed: 0 additions & 61 deletions
This file was deleted.

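--- a/charts/shield/tests/host/daemonset_test.yaml
+++ b/charts/shield/tests/host/daemonset_test.yaml
@@ -847,3 +847,44 @@ tests:
 value:
 - company.public
 - company.internal
+
+- it: No Local Forwarder items if not enabled
+asserts:
+- notExists:
+path: spec.template.spec.volumes[?(@.name == "local-forwarder-config")]
+template: host/daemonset.yaml
+- notExists:
+path: spec.template.spec.containers[0].volumeMounts[?(@.name == "local-forwarder-config")]
+template: host/daemonset.yaml
+
+- it: Local Forwarder Configured as needed
+set:
+features:
+investigations:
+event_forwarder:
+enabled: true
+transmit_message_types:
+- POLICY_EVENTS
+- SECURE_AUDIT
+integrations:
+- channels:
+- SECURE_EVENTS_POLICIES
+- ACTIVITY_AUDIT
+configuration:
+output: stdout
+type: LOCAL
+asserts:
+- contains:
+path: spec.template.spec.volumes
+content:
+name: local-forwarder-config
+secret:
+secretName: release-name-shield-host-local-forwarder
+template: host/daemonset.yaml
+- contains:
+path: spec.template.spec.containers[0].volumeMounts
+content:
+name: local-forwarder-config
+mountPath: /opt/draios/etc/local_forwarder_config.yaml
+subPath: local_forwarder_config.yaml
+template: host/daemonset.yaml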
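Review bot: Both new cases exercise only the chart-generated secret name; the `existing_secret` branch added to host/daemonset.yaml in this commit has no test, so a regression in its `{{- else }}` path would go unnoticed. A third case that sets `existing_secret` and asserts the volume's `secretName` equals it covers that branch; the secret name used below is a constructed sample. The `tests:` list starts outside the hunk.
```yaml
# … unchanged: existing Local Forwarder cases …
  - it: Local Forwarder uses existing secret when set
    set:
      features:
        investigations:
          event_forwarder:
            enabled: true
            existing_secret: my-forwarder-secret  # constructed sample name
    asserts:
      - contains:
          path: spec.template.spec.volumes
          content:
            name: local-forwarder-config
            secret:
              secretName: my-forwarder-secret
        template: host/daemonset.yaml
```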

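--- a/charts/shield/tests/host/secrets_test.yaml
+++ b/charts/shield/tests/host/secrets_test.yaml
@@ -117,3 +117,39 @@ tests:
 name: existing-secret
 key: custom-key
 template: templates/host/daemonset.yaml
+
+- it: Test Local Forwarder secret is not created when disabled
+asserts:
+- containsDocument:
+kind: Secret
+apiVersion: v1
+name: release-name-shield-host-local-forwarder
+namespace: shield-namespace
+not: true
+template: host/secrets.yaml
+
+- it: Test Local Forwarder secret is created when enabled
+set:
+features:
+investigations:
+event_forwarder:
+enabled: true
+integrations:
+- channels:
+- SECURE_EVENTS_POLICIES
+- ACTIVITY_AUDIT
+configuration:
+output: stdout
+type: LOCAL
+asserts:
+- containsDocument:
+kind: Secret
+apiVersion: v1
+name: release-name-shield-host-local-forwarder
+namespace: shield-namespace
+- exists:
+path: data["local_forwarder_config.yaml"]
+- matchRegex:
+path: data["local_forwarder_config.yaml"]
+pattern: aW50ZWdyYXRpb25zOgotIGNoYW5uZWxzOgogIC0gU0VDVVJFX0VWRU5UU19QT0xJQ0lFUwogIC0gQUNUSVZJVFlfQVVESVQKICBjb25maWd1cmF0aW9uOgogICAgb3V0cHV0OiBzdGRvdXQKICB0eXBlOiBMT0NBTA==
+template: host/secrets.yaml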
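Review bot: The `matchRegex` pattern in the last assertion is an opaque base64 string that pins not only the content but toYaml's key ordering and indentation, and a reader cannot tell what it asserts or why it breaks. At minimum put the decoded plaintext in a comment above `pattern:` — it appears to decode to `integrations:` with a single item carrying `channels`, `configuration.output: stdout` and `type: LOCAL` — and, if the project's helm-unittest version supports it, prefer `decodeBase64: true` with a plaintext pattern so the assertion reads as the rendered config. A case asserting the Secret is not rendered when `existing_secret` is set would also cover the other half of the new `{{- if and ...}}` guard in host/secrets.yaml, which the two added cases leave untested. The `tests:` list starts outside the hunk.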
