
Commit 29d1f1a

feat(shield): add support for rapid-response password_existing_secret (#2386)
1 parent 29c5da7 commit 29d1f1a


8 files changed

+103
-7
lines changed


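--- a/charts/shield/Chart.yaml
+++ b/charts/shield/Chart.yaml
@@ -13,5 +13,5 @@ maintainers:
 - name: mavimo
 
 type: application
-version: 1.19.2
+version: 1.19.3
 appVersion: "1.0.0"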

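--- a/charts/shield/README.md
+++ b/charts/shield/README.md
@@ -113,6 +113,8 @@ The following table lists the configurable parameters of the `shield` chart and
 | features.investigations.event_forwarder.transmit_message_types | | <code>[]</code> |
 | features.respond.rapid_response.enabled | | <code>false</code> |
 | features.respond.rapid_response.password | | <code></code> |
+| features.respond.rapid_response.password_existing_secret | The name of the existing Rapid Response password secret | <code></code> |
+| features.respond.rapid_response.password_existing_secret_key | The key used in the existing Rapid Response secret for the password (default: password) | <code></code> |
 | features.respond.response_actions.enabled | | <code>false</code> |
 | features.monitor.app_checks.enabled | | <code>false</code> |
 | features.monitor.java_management_extensions.enabled | | <code>false</code> |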

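--- a/charts/shield/templates/host/_configmap_helpers.tpl
+++ b/charts/shield/templates/host/_configmap_helpers.tpl
@@ -142,7 +142,7 @@ true
 {{- define "host.dragent_yaml.rapid_response" }}
 {{- $config := dict }}
 {{- $respond := get .Values.features (include "host.respond_key" .Values.features) }}
-{{- $rapid_response := omit (get $respond "rapid_response") "password" }}
+{{- $rapid_response := omit (get $respond "rapid_response") "password" "password_existing_secret" "password_existing_secret_key" }}
 {{- if and (include "common.semver.is_valid" .Values.host.image.tag) (semverCompare "< 13.10.0" .Values.host.image.tag) (not .Values.ssl.verify) }}
 {{- $rapid_response = merge $rapid_response (dict "tls_skip_check" true) }}
 {{- end }}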
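Review bot: The widened `omit` list at line 145 is the only thing keeping the password-related values out of the dragent configmap, and nothing in the hunk says so; a future `password_*` option added to values.yaml would silently land in the configmap unless this list is also updated. Add a comment directly above it, `{{- /* password* keys are consumed by secrets.yaml / daemonset.yaml and must never be rendered into dragent.yaml */ -}}`, so the invariant is visible where it is maintained. The define opens at line 142 inside the hunk but closes outside it.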
Lines changed: 19 additions & 1 deletion
@@ -1,3 +1,21 @@
1-
{{- define "host.rapid_response_secret" }}
1+
{{- define "host.rapid_response_password_existing_secret" }}
2+
{{- if and (hasKey .Values.features.respond.rapid_response "password_existing_secret") (not (empty .Values.features.respond.rapid_response.password_existing_secret)) }}
3+
{{- .Values.features.respond.rapid_response.password_existing_secret }}
4+
{{- end }}
5+
{{- end }}
6+
7+
{{- define "host.rapid_response_password_secret" }}
8+
{{- if (include "host.rapid_response_password_existing_secret" .) }}
9+
{{- (include "host.rapid_response_password_existing_secret" .) }}
10+
{{- else }}
211
{{- printf "%s-host-rapid-response" (include "shield.fullname" . | trunc 43 | trimSuffix "-") }}
312
{{- end }}
13+
{{- end }}
14+
15+
{{- define "host.rapid_response_password_secret_key" }}
16+
{{- if and (hasKey .Values.features.respond.rapid_response "password_existing_secret_key") (not (empty .Values.features.respond.rapid_response.password_existing_secret_key)) }}
17+
{{- .Values.features.respond.rapid_response.password_existing_secret_key }}
18+
{{- else }}
19+
{{- "password" }}
20+
{{- end }}
21+
{{- end }}
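Review bot: `host.rapid_response_password_secret_key` (new lines 15–21) applies `password_existing_secret_key` whether or not an existing secret is in use, so a values file that sets only the key makes the DaemonSet's `secretKeyRef.key` diverge from the `password` key the chart-generated Secret is asserted to carry in secrets_test.yaml, and the pod would fail at start with a missing-key error. Gate the override on the existing-secret helper, `{{- if and (include "host.rapid_response_password_existing_secret" .) (hasKey .Values.features.respond.rapid_response "password_existing_secret_key") (not (empty .Values.features.respond.rapid_response.password_existing_secret_key)) }}`, so the chart-managed Secret always keeps the default `password` key. These helpers also read `.Values.features.respond` directly, whereas `host.dragent_yaml.rapid_response` in _configmap_helpers.tpl resolves the key via `include "host.respond_key"`; if that indirection exists to accept an alternate key, `hasKey` here would receive a nil map and error, so aligning the lookup seems safer. This section's file path is not shown on the page.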

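--- a/charts/shield/templates/host/daemonset.yaml
+++ b/charts/shield/templates/host/daemonset.yaml
@@ -140,8 +140,8 @@ spec:
 - name: PASSWORD
 valueFrom:
 secretKeyRef:
-name: {{ include "host.rapid_response_secret" . }}
-key: password
+name: {{ include "host.rapid_response_password_secret" . }}
+key: {{ include "host.rapid_response_password_secret_key" . }}
 {{- end }}
 {{- include "host.env" . | nindent 12 }}
 {{ if or .Values.features.posture.host_posture.enabled (dig "kspm_analyzer" "enabled" false .Values.host.additional_settings) }}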
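Review bot: The `name:` and `key:` values at new lines 143–144 are interpolated unquoted, so a user-supplied existing-secret key such as `1.0` or `true` would be retyped by the YAML parser and the reference would silently miss. Pipe both through `quote`: `name: {{ include "host.rapid_response_password_secret" . | quote }}` and `key: {{ include "host.rapid_response_password_secret_key" . | quote }}`. In existing-secret mode the chart no longer owns the Secret, so a missing or mis-keyed reference only surfaces as a container start failure rather than at install time; that is worth stating in the README row for `password_existing_secret`. The env list this entry belongs to starts outside the hunk.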

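--- a/charts/shield/templates/host/secrets.yaml
+++ b/charts/shield/templates/host/secrets.yaml
@@ -1,9 +1,9 @@
-{{- if (include "host.rapid_response_enabled" .) }}
+{{- if and (include "host.rapid_response_enabled" .) (not (include "host.rapid_response_password_existing_secret" .)) }}
 ---
 apiVersion: v1
 kind: Secret
 metadata:
-name: {{ include "host.rapid_response_secret" . }}
+name: {{ include "host.rapid_response_password_secret" . }}
 namespace: {{ .Release.Namespace }}
 labels:
 {{- include "host.labels" . | nindent 4 }}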
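Review bot: With `password_existing_secret` set, the whole document at line 1 is skipped, so a `password` that is also set in values is silently ignored rather than reported, which can leave an operator believing the inline password is in effect. A template-time guard would make the conflict explicit: `{{- if and .Values.features.respond.rapid_response.password (include "host.rapid_response_password_existing_secret" .) }}{{- fail "rapid_response.password and rapid_response.password_existing_secret are mutually exclusive" }}{{- end }}`. The `{{- if ... }}` opened on line 1 closes outside the hunk.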

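--- a/charts/shield/tests/host/secrets_test.yaml
+++ b/charts/shield/tests/host/secrets_test.yaml
@@ -1,6 +1,7 @@
 suite: Host - Secrets
 templates:
 - templates/host/secrets.yaml
+- templates/host/daemonset.yaml
 release:
 name: release-name
 namespace: shield-namespace
@@ -23,10 +24,21 @@ tests:
 apiVersion: v1
 name: release-name-shield-host-rapid-response
 namespace: shield-namespace
+template: templates/host/secrets.yaml
 - equal:
 path: data.password
 decodeBase64: true
 value: "abc123"
+template: templates/host/secrets.yaml
+- equal:
+path: spec.template.spec.containers[?(@.name == "sysdig-host-shield")].env[?(@.name == "PASSWORD")]
+value:
+name: PASSWORD
+valueFrom:
+secretKeyRef:
+name: release-name-shield-host-rapid-response
+key: password
+template: templates/host/daemonset.yaml
 
 - it: Test Rapid Response secret is created with correct password
 set:
@@ -41,7 +53,67 @@ tests:
 apiVersion: v1
 name: release-name-shield-host-rapid-response
 namespace: shield-namespace
+template: templates/host/secrets.yaml
 - equal:
 path: data.password
 decodeBase64: true
 value: "abc123"
+template: templates/host/secrets.yaml
+- equal:
+path: spec.template.spec.containers[?(@.name == "sysdig-host-shield")].env[?(@.name == "PASSWORD")]
+value:
+name: PASSWORD
+valueFrom:
+secretKeyRef:
+name: release-name-shield-host-rapid-response
+key: password
+template: templates/host/daemonset.yaml
+
+- it: Test Rapid Response using existing secret for password
+set:
+features:
+respond:
+rapid_response:
+enabled: true
+password_existing_secret: existing-secret
+asserts:
+- notExists:
+kind: Secret
+apiVersion: v1
+name: release-name-shield-host-rapid-response
+namespace: shield-namespace
+template: templates/host/secrets.yaml
+- equal:
+path: spec.template.spec.containers[?(@.name == "sysdig-host-shield")].env[?(@.name == "PASSWORD")]
+value:
+name: PASSWORD
+valueFrom:
+secretKeyRef:
+name: existing-secret
+key: password
+template: templates/host/daemonset.yaml
+
+- it: Test Rapid Response using existing secret for password with custom key
+set:
+features:
+respond:
+rapid_response:
+enabled: true
+password_existing_secret: existing-secret
+password_existing_secret_key: custom-key
+asserts:
+- notExists:
+kind: Secret
+apiVersion: v1
+name: release-name-shield-host-rapid-response
+namespace: shield-namespace
+template: templates/host/secrets.yaml
+- equal:
+path: spec.template.spec.containers[?(@.name == "sysdig-host-shield")].env[?(@.name == "PASSWORD")]
+value:
+name: PASSWORD
+valueFrom:
+secretKeyRef:
+name: existing-secret
+key: custom-key
+template: templates/host/daemonset.yaml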
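--- a/charts/shield/values.yaml
+++ b/charts/shield/values.yaml
@@ -144,6 +144,10 @@ features:
 rapid_response:
 enabled: false
 password:
+# The name of the existing Rapid Response password secret
+password_existing_secret:
+# The key used in the existing Rapid Response secret for the password (default: password)
+password_existing_secret_key:
 response_actions:
 enabled: false
 monitor: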
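Review bot: The new comments at lines 147 and 149 do not say that `password_existing_secret` takes precedence over `password` (the chart then creates no Secret of its own), nor whether `password_existing_secret_key` is meaningful without it; suggest `# Name of an existing Secret holding the Rapid Response password. When set, the chart creates no Secret and password is ignored.` and `# Key inside that existing Secret holding the password (default: password). Only meaningful together with password_existing_secret.`. Both values are left bare, which a YAML parser reads as null; that matches the existing `password:` line above, so it is consistent, but a quoted empty string would make the "unset" default explicit and survive tooling that rewrites nulls. The `features:` mapping starts outside the hunk.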
