diff --git a/charts/shield/Chart.yaml b/charts/shield/Chart.yaml
index fe28bc1c2..f2cd48181 100644
--- a/charts/shield/Chart.yaml
+++ b/charts/shield/Chart.yaml
@@ -13,5 +13,5 @@ maintainers:
- name: mavimo
email: marcovito.moscaritolo@sysdig.com
type: application
-version: 1.19.2
+version: 1.19.3
appVersion: "1.0.0"
diff --git a/charts/shield/README.md b/charts/shield/README.md
index f9ac7c946..600224c40 100644
--- a/charts/shield/README.md
+++ b/charts/shield/README.md
@@ -113,6 +113,8 @@ The following table lists the configurable parameters of the `shield` chart and
| features.investigations.event_forwarder.transmit_message_types | | []
|
| features.respond.rapid_response.enabled | | false
|
| features.respond.rapid_response.password | |
|
+| features.respond.rapid_response.password_existing_secret | The name of the existing Rapid Response password secret |
|
+| features.respond.rapid_response.password_existing_secret_key | The key used in the existing Rapid Response secret for the password (default: password) |
|
| features.respond.response_actions.enabled | | false
|
| features.monitor.app_checks.enabled | | false
|
| features.monitor.java_management_extensions.enabled | | false
|
diff --git a/charts/shield/templates/host/_configmap_helpers.tpl b/charts/shield/templates/host/_configmap_helpers.tpl
index 79b988b62..0efeeb99e 100644
--- a/charts/shield/templates/host/_configmap_helpers.tpl
+++ b/charts/shield/templates/host/_configmap_helpers.tpl
@@ -142,7 +142,7 @@ true
{{- define "host.dragent_yaml.rapid_response" }}
{{- $config := dict }}
{{- $respond := get .Values.features (include "host.respond_key" .Values.features) }}
- {{- $rapid_response := omit (get $respond "rapid_response") "password" }}
+ {{- $rapid_response := omit (get $respond "rapid_response") "password" "password_existing_secret" "password_existing_secret_key" }}
{{- if and (include "common.semver.is_valid" .Values.host.image.tag) (semverCompare "< 13.10.0" .Values.host.image.tag) (not .Values.ssl.verify) }}
{{- $rapid_response = merge $rapid_response (dict "tls_skip_check" true) }}
{{- end }}
diff --git a/charts/shield/templates/host/_secrets.tpl b/charts/shield/templates/host/_secrets.tpl
index a8542928f..e53451353 100644
--- a/charts/shield/templates/host/_secrets.tpl
+++ b/charts/shield/templates/host/_secrets.tpl
@@ -1,3 +1,21 @@
-{{- define "host.rapid_response_secret" }}
+{{- define "host.rapid_response_password_existing_secret" }}
+{{- if and (hasKey .Values.features.respond.rapid_response "password_existing_secret") (not (empty .Values.features.respond.rapid_response.password_existing_secret)) }}
+{{- .Values.features.respond.rapid_response.password_existing_secret }}
+{{- end }}
+{{- end }}
+
+{{- define "host.rapid_response_password_secret" }}
+{{- if (include "host.rapid_response_password_existing_secret" .) }}
+{{- (include "host.rapid_response_password_existing_secret" .) }}
+{{- else }}
{{- printf "%s-host-rapid-response" (include "shield.fullname" . | trunc 43 | trimSuffix "-") }}
{{- end }}
+{{- end }}
+
+{{- define "host.rapid_response_password_secret_key" }}
+{{- if and (hasKey .Values.features.respond.rapid_response "password_existing_secret_key") (not (empty .Values.features.respond.rapid_response.password_existing_secret_key)) }}
+{{- .Values.features.respond.rapid_response.password_existing_secret_key }}
+{{- else }}
+{{- "password" }}
+{{- end }}
+{{- end }}
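Review bot: `host.rapid_response_password_secret_key` honours `password_existing_secret_key` even when `password_existing_secret` is empty, so a user who sets only the key makes daemonset.yaml reference that key in the chart-generated Secret, which secrets.yaml still writes under `password` (the tests assert `data.password`), and the container fails at start on a missing key. Gate the key on the secret name: `{{- if and (include "host.rapid_response_password_existing_secret" .) (not (empty .Values.features.respond.rapid_response.password_existing_secret_key)) }}`. The new helpers also read `.Values.features.respond.rapid_response` directly while `host.dragent_yaml.rapid_response` resolves the respond section through `host.respond_key`; if that key can be something other than `respond`, these helpers would dereference a nil value and should use the same lookup. The `hasKey` guards are redundant with `not (empty …)`, which is already true for a missing or null key.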
diff --git a/charts/shield/templates/host/daemonset.yaml b/charts/shield/templates/host/daemonset.yaml
index d030ccf63..d352fe1b2 100644
--- a/charts/shield/templates/host/daemonset.yaml
+++ b/charts/shield/templates/host/daemonset.yaml
@@ -140,8 +140,8 @@ spec:
- name: PASSWORD
valueFrom:
secretKeyRef:
- name: {{ include "host.rapid_response_secret" . }}
- key: password
+ name: {{ include "host.rapid_response_password_secret" . }}
+ key: {{ include "host.rapid_response_password_secret_key" . }}
{{- end }}
{{- include "host.env" . | nindent 12 }}
{{ if or .Values.features.posture.host_posture.enabled (dig "kspm_analyzer" "enabled" false .Values.host.additional_settings) }}
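Review bot: The `key:` value on the new `secretKeyRef` line is user-supplied and emitted unquoted, so a key such as `0644` or `123` renders as a number and is rejected by the API server; emit it as a string with `key: {{ include "host.rapid_response_password_secret_key" . | quote }}` (the same `| quote` on `name:` is harmless). The container spec this belongs to starts and ends outside the hunk. Because the referenced Secret may now be one the chart does not manage, a missing or misnamed secret surfaces only as a container config error on the pod rather than at install time, which is worth stating in the values comment since the chart cannot check it at render time.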
diff --git a/charts/shield/templates/host/secrets.yaml b/charts/shield/templates/host/secrets.yaml
index c34edf423..20d368767 100644
--- a/charts/shield/templates/host/secrets.yaml
+++ b/charts/shield/templates/host/secrets.yaml
@@ -1,9 +1,9 @@
-{{- if (include "host.rapid_response_enabled" .) }}
+{{- if and (include "host.rapid_response_enabled" .) (not (include "host.rapid_response_password_existing_secret" .)) }}
---
apiVersion: v1
kind: Secret
metadata:
- name: {{ include "host.rapid_response_secret" . }}
+ name: {{ include "host.rapid_response_password_secret" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "host.labels" . | nindent 4 }}
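Review bot: When both `password` and `password_existing_secret` are set, the new condition silently drops the chart-managed Secret and the plaintext `password` value is ignored with no signal to the operator. Consider failing the render for the conflicting combination, e.g. `{{- if and .Values.features.respond.rapid_response.password (include "host.rapid_response_password_existing_secret" .) }}{{- fail "rapid_response.password and password_existing_secret are mutually exclusive" }}{{- end }}` placed before the `if`. The rest of the Secret body is outside the hunk.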
diff --git a/charts/shield/tests/host/secrets_test.yaml b/charts/shield/tests/host/secrets_test.yaml
index be50cc49c..8afa128de 100644
--- a/charts/shield/tests/host/secrets_test.yaml
+++ b/charts/shield/tests/host/secrets_test.yaml
@@ -1,6 +1,7 @@
suite: Host - Secrets
templates:
- templates/host/secrets.yaml
+ - templates/host/daemonset.yaml
release:
name: release-name
namespace: shield-namespace
@@ -23,10 +24,21 @@ tests:
apiVersion: v1
name: release-name-shield-host-rapid-response
namespace: shield-namespace
+ template: templates/host/secrets.yaml
- equal:
path: data.password
decodeBase64: true
value: "abc123"
+ template: templates/host/secrets.yaml
+ - equal:
+ path: spec.template.spec.containers[?(@.name == "sysdig-host-shield")].env[?(@.name == "PASSWORD")]
+ value:
+ name: PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: release-name-shield-host-rapid-response
+ key: password
+ template: templates/host/daemonset.yaml
- it: Test Rapid Response secret is created with correct password
set:
@@ -41,7 +53,67 @@ tests:
apiVersion: v1
name: release-name-shield-host-rapid-response
namespace: shield-namespace
+ template: templates/host/secrets.yaml
- equal:
path: data.password
decodeBase64: true
value: "abc123"
+ template: templates/host/secrets.yaml
+ - equal:
+ path: spec.template.spec.containers[?(@.name == "sysdig-host-shield")].env[?(@.name == "PASSWORD")]
+ value:
+ name: PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: release-name-shield-host-rapid-response
+ key: password
+ template: templates/host/daemonset.yaml
+
+ - it: Test Rapid Response using existing secret for password
+ set:
+ features:
+ respond:
+ rapid_response:
+ enabled: true
+ password_existing_secret: existing-secret
+ asserts:
+ - notExists:
+ kind: Secret
+ apiVersion: v1
+ name: release-name-shield-host-rapid-response
+ namespace: shield-namespace
+ template: templates/host/secrets.yaml
+ - equal:
+ path: spec.template.spec.containers[?(@.name == "sysdig-host-shield")].env[?(@.name == "PASSWORD")]
+ value:
+ name: PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: existing-secret
+ key: password
+ template: templates/host/daemonset.yaml
+
+ - it: Test Rapid Response using existing secret for password with custom key
+ set:
+ features:
+ respond:
+ rapid_response:
+ enabled: true
+ password_existing_secret: existing-secret
+ password_existing_secret_key: custom-key
+ asserts:
+ - notExists:
+ kind: Secret
+ apiVersion: v1
+ name: release-name-shield-host-rapid-response
+ namespace: shield-namespace
+ template: templates/host/secrets.yaml
+ - equal:
+ path: spec.template.spec.containers[?(@.name == "sysdig-host-shield")].env[?(@.name == "PASSWORD")]
+ value:
+ name: PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: existing-secret
+ key: custom-key
+ template: templates/host/daemonset.yaml
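Review bot: The new cases cover the existing-secret paths but not `password_existing_secret_key` set without `password_existing_secret`, which is the combination where the daemonset and the chart-generated Secret can disagree on the key name; add a case that sets only `password_existing_secret_key: custom-key` and asserts which key the `PASSWORD` env references on `release-name-shield-host-rapid-response`, so the intended behaviour is pinned rather than left to the helper's current fall-through. A case that sets `password_existing_secret` together with `password` would likewise pin whether the plaintext value is ignored or rejected.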
diff --git a/charts/shield/values.yaml b/charts/shield/values.yaml
index 9b2dca390..e06f468b3 100644
--- a/charts/shield/values.yaml
+++ b/charts/shield/values.yaml
@@ -144,6 +144,10 @@ features:
rapid_response:
enabled: false
password:
+ # The name of the existing Rapid Response password secret
+ password_existing_secret:
+ # The key used in the existing Rapid Response secret for the password (default: password)
+ password_existing_secret_key:
response_actions:
enabled: false
monitor:
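Review bot: The comment on `password_existing_secret` says what the value is but not what it changes: when it is set, secrets.yaml no longer renders the chart-managed Secret and `password` is ignored, which is what an operator needs to know before switching. Suggest `# Name of an existing Secret holding the Rapid Response password. When set, the chart does not create its own Secret and 'password' is ignored.` and, on the key comment, that it only makes sense together with `password_existing_secret`. The `rapid_response` block continues above the hunk.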