
Commit e2eb985

chore(shield): add support for rapid-response existing_secret
1 parent bd84e2d commit e2eb985


6 files changed

+113
-2
lines changed


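--- a/charts/shield/README.md
+++ b/charts/shield/README.md
@@ -113,6 +113,8 @@ The following table lists the configurable parameters of the `shield` chart and
 | features.investigations.event_forwarder.transmit_message_types | | <code>[]</code> |
 | features.respond.rapid_response.enabled | | <code>false</code> |
 | features.respond.rapid_response.password | | <code></code> |
+| features.respond.rapid_response.existing_secret | The name of the existing Rapid Response secret | <code></code> |
+| features.respond.rapid_response.existing_secret_password_key | The key used in the existing Rapid Response secret for the password | <code></code> |
 | features.respond.response_actions.enabled | | <code>false</code> |
 | features.monitor.app_checks.enabled | | <code>false</code> |
 | features.monitor.java_management_extensions.enabled | | <code>false</code> |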
Lines changed: 18 additions & 0 deletions
@@ -1,3 +1,21 @@
1+
{{- define "host.existing_rapid_response_secret" }}
2+
{{- if and (hasKey .Values.features.respond.rapid_response "existing_secret") (not (empty .Values.features.respond.rapid_response.existing_secret)) }}
3+
{{- .Values.features.respond.rapid_response.existing_secret }}
4+
{{- end }}
5+
{{- end }}
6+
17
{{- define "host.rapid_response_secret" }}
8+
{{- if (include "host.existing_rapid_response_secret" .) }}
9+
{{- (include "host.existing_rapid_response_secret" .) }}
10+
{{- else }}
211
{{- printf "%s-host-rapid-response" (include "shield.fullname" . | trunc 43 | trimSuffix "-") }}
312
{{- end }}
13+
{{- end }}
14+
15+
{{- define "host.rapid_response_secret_password_key" }}
16+
{{- if and (hasKey .Values.features.respond.rapid_response "existing_secret_password_key") (not (empty .Values.features.respond.rapid_response.existing_secret_password_key)) }}
17+
{{- .Values.features.respond.rapid_response.existing_secret_password_key }}
18+
{{- else }}
19+
{{- "password" }}
20+
{{- end }}
21+
{{- end }}
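Review bot: `host.rapid_response_secret` silently prefers `existing_secret` over `password` when both are set, so a user who sets both ends up with a Secret that is never rendered and a password that is never used, with nothing in the render output to say so. A render-time guard at the top of that helper would surface the misconfiguration: `{{- if and (include "host.existing_rapid_response_secret" .) (not (empty .Values.features.respond.rapid_response.password)) }}{{- fail "features.respond.rapid_response: set either password or existing_secret, not both" }}{{- end }}`. The three new helpers also carry no `{{/* ... */}}` header; a one-line comment on each stating what it resolves (the user-supplied Secret name or empty; the Secret name the daemonset references; the key within that Secret, defaulting to `password`) would match the usual Helm helper style. This section's file header is not shown, so I cannot confirm which helpers file these definitions live in.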

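--- a/charts/shield/templates/host/daemonset.yaml
+++ b/charts/shield/templates/host/daemonset.yaml
@@ -141,7 +141,7 @@ spec:
 valueFrom:
 secretKeyRef:
 name: {{ include "host.rapid_response_secret" . }}
-key: password
+key: {{ include "host.rapid_response_secret_password_key" . }}
 {{- end }}
 {{- include "host.env" . | nindent 12 }}
 {{ if or .Values.features.posture.host_posture.enabled (dig "kspm_analyzer" "enabled" false .Values.host.additional_settings) }}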
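Review bot: The new `key:` value is interpolated as a plain scalar, so a user-supplied `existing_secret_password_key` that happens to look like a number or boolean would be typed as such by the YAML parser and rejected by the API server, where the previous literal `password` could not be. Quoting the include avoids that class of surprise: `key: {{ include "host.rapid_response_secret_password_key" . | quote }}`. The enclosing container spec starts before and ends after this hunk.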

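--- a/charts/shield/templates/host/secrets.yaml
+++ b/charts/shield/templates/host/secrets.yaml
@@ -1,4 +1,4 @@
-{{- if (include "host.rapid_response_enabled" .) }}
+{{- if and (include "host.rapid_response_enabled" .) (not (include "host.existing_rapid_response_secret" .)) }}
 ---
 apiVersion: v1
 kind: Secret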

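--- a/charts/shield/tests/host/secrets_test.yaml
+++ b/charts/shield/tests/host/secrets_test.yaml
@@ -1,11 +1,27 @@
 suite: Host - Secrets
 templates:
 - templates/host/secrets.yaml
+- templates/host/daemonset.yaml
 release:
 name: release-name
 namespace: shield-namespace
 values:
 - ../values/base.yaml
+kubernetesProvider:
+scheme:
+"v1/Secret":
+gvr:
+version: "v1"
+resource: "secrets"
+namespaced: true
+objects:
+- apiVersion: v1
+kind: Secret
+metadata:
+name: existing-secret
+namespace: shield-namespace
+data:
+password: YWJjMTIzCg== # abc123
 tests:
 - it: Test Rapid Response secret is created when needed
 set:
@@ -23,10 +39,21 @@ tests:
 apiVersion: v1
 name: release-name-shield-host-rapid-response
 namespace: shield-namespace
+template: templates/host/secrets.yaml
 - equal:
 path: data.password
 decodeBase64: true
 value: "abc123"
+template: templates/host/secrets.yaml
+- equal:
+path: spec.template.spec.containers[?(@.name == "sysdig-host-shield")].env[?(@.name == "PASSWORD")]
+value:
+name: PASSWORD
+valueFrom:
+secretKeyRef:
+name: release-name-shield-host-rapid-response
+key: password
+template: templates/host/daemonset.yaml
 
 - it: Test Rapid Response secret is created with correct password
 set:
@@ -41,7 +68,67 @@ tests:
 apiVersion: v1
 name: release-name-shield-host-rapid-response
 namespace: shield-namespace
+template: templates/host/secrets.yaml
 - equal:
 path: data.password
 decodeBase64: true
 value: "abc123"
+template: templates/host/secrets.yaml
+- equal:
+path: spec.template.spec.containers[?(@.name == "sysdig-host-shield")].env[?(@.name == "PASSWORD")]
+value:
+name: PASSWORD
+valueFrom:
+secretKeyRef:
+name: release-name-shield-host-rapid-response
+key: password
+template: templates/host/daemonset.yaml
+
+- it: Test Rapid Response using existing secret for password
+set:
+features:
+respond:
+rapid_response:
+enabled: true
+existing_secret: existing-secret
+asserts:
+- notExists:
+kind: Secret
+apiVersion: v1
+name: release-name-shield-host-rapid-response
+namespace: shield-namespace
+template: templates/host/secrets.yaml
+- equal:
+path: spec.template.spec.containers[?(@.name == "sysdig-host-shield")].env[?(@.name == "PASSWORD")]
+value:
+name: PASSWORD
+valueFrom:
+secretKeyRef:
+name: existing-secret
+key: password
+template: templates/host/daemonset.yaml
+
+- it: Test Rapid Response using existing secret for password with custom key
+set:
+features:
+respond:
+rapid_response:
+enabled: true
+existing_secret: existing-secret
+existing_secret_password_key: custom-key
+asserts:
+- notExists:
+kind: Secret
+apiVersion: v1
+name: release-name-shield-host-rapid-response
+namespace: shield-namespace
+template: templates/host/secrets.yaml
+- equal:
+path: spec.template.spec.containers[?(@.name == "sysdig-host-shield")].env[?(@.name == "PASSWORD")]
+value:
+name: PASSWORD
+valueFrom:
+secretKeyRef:
+name: existing-secret
+key: custom-key
+template: templates/host/daemonset.yaml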
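Review bot: The fixture value `password: YWJjMTIzCg==` in the new `kubernetesProvider` object decodes to `abc123` followed by a newline, not the bare `abc123` its trailing comment claims; `YWJjMTIz` is the exact encoding, and any future assertion that decodes this object would otherwise see a trailing `\n`. As far as the hunks in this commit show, neither template under test calls `lookup`, so the provider object appears to serve only as documentation of the expected shape of the external Secret; if that is intentional, a one-line comment above `kubernetesProvider:` saying so would save the next reader a search.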

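--- a/charts/shield/values.yaml
+++ b/charts/shield/values.yaml
@@ -144,6 +144,10 @@ features:
 rapid_response:
 enabled: false
 password:
+# The name of the existing Rapid Response secret
+existing_secret:
+# The key used in the existing Rapid Response secret for the password
+existing_secret_password_key:
 response_actions:
 enabled: false
 monitor: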
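Review bot: The comment on `existing_secret` does not say what setting it changes for the chart: that no Secret is rendered by the chart and `password` is ignored, and that the referenced Secret must already exist in the release namespace. Suggest `# Name of a pre-existing Secret holding the Rapid Response password. When set, the chart creates no Secret and password is ignored.` and, on the key, `# Key inside existing_secret that holds the password (defaults to "password")`; the default is the one the new `host.rapid_response_secret_password_key` helper falls back to. The bare `existing_secret:` values parse as null, which the `empty` check in the helper handles and which matches the existing `password:` line, so no change is needed there.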
