From e782f694972605e2b928b12753ff0ba5656d91a8 Mon Sep 17 00:00:00 2001
From: Francesco Furlan
Date: Fri, 19 Sep 2025 09:26:23 +0200
Subject: [PATCH 1/8] chore(shield): add support for rapid-response existing_secret
---
 charts/shield/README.md | 2 +
 charts/shield/templates/host/_secrets.tpl | 18 +++++
 charts/shield/templates/host/daemonset.yaml | 2 +-
 charts/shield/templates/host/secrets.yaml | 2 +-
 charts/shield/tests/host/secrets_test.yaml | 87 +++++++++++++++++++++
 charts/shield/values.yaml | 4 +
 6 files changed, 113 insertions(+), 2 deletions(-)
diff --git a/charts/shield/README.md b/charts/shield/README.md
index f9ac7c946..fd50abc13 100644
--- a/charts/shield/README.md
+++ b/charts/shield/README.md
@@ -113,6 +113,8 @@ The following table lists the configurable parameters of the `shield` chart and
 | features.investigations.event_forwarder.transmit_message_types | | [] |
 | features.respond.rapid_response.enabled | | false |
 | features.respond.rapid_response.password | | |
+| features.respond.rapid_response.existing_secret | The name of the existing Rapid Response secret | |
+| features.respond.rapid_response.existing_secret_password_key | The key used in the existing Rapid Response secret for the password | |
 | features.respond.response_actions.enabled | | false |
 | features.monitor.app_checks.enabled | | false |
 | features.monitor.java_management_extensions.enabled | | false |
diff --git a/charts/shield/templates/host/_secrets.tpl b/charts/shield/templates/host/_secrets.tpl
index a8542928f..9d0643b9c 100644
--- a/charts/shield/templates/host/_secrets.tpl
+++ b/charts/shield/templates/host/_secrets.tpl
@@ -1,3 +1,21 @@
+{{- define "host.existing_rapid_response_secret" }}
+{{- if and (hasKey .Values.features.respond.rapid_response "existing_secret") (not (empty .Values.features.respond.rapid_response.existing_secret)) }}
+{{- .Values.features.respond.rapid_response.existing_secret }}
+{{- end }}
+{{- end }}
+
 {{- define "host.rapid_response_secret" }}
+{{- if (include "host.existing_rapid_response_secret" .) }}
+{{- (include "host.existing_rapid_response_secret" .) }}
+{{- else }}
 {{- printf "%s-host-rapid-response" (include "shield.fullname" . | trunc 43 | trimSuffix "-") }}
 {{- end }}
+{{- end }}
+
+{{- define "host.rapid_response_secret_password_key" }}
+{{- if and (hasKey .Values.features.respond.rapid_response "existing_secret_password_key") (not (empty .Values.features.respond.rapid_response.existing_secret_password_key)) }}
+{{- .Values.features.respond.rapid_response.existing_secret_password_key }}
+{{- else }}
+{{- "password" }}
+{{- end }}
+{{- end }}
diff --git a/charts/shield/templates/host/daemonset.yaml b/charts/shield/templates/host/daemonset.yaml
index d030ccf63..9c9f25500 100644
--- a/charts/shield/templates/host/daemonset.yaml
+++ b/charts/shield/templates/host/daemonset.yaml
@@ -141,7 +141,7 @@ spec:
 valueFrom:
 secretKeyRef:
 name: {{ include "host.rapid_response_secret" . }}
- key: password
+ key: {{ include "host.rapid_response_secret_password_key" . }}
 {{- end }}
 {{- include "host.env" . | nindent 12 }}
 {{ if or .Values.features.posture.host_posture.enabled (dig "kspm_analyzer" "enabled" false .Values.host.additional_settings) }}
diff --git a/charts/shield/templates/host/secrets.yaml b/charts/shield/templates/host/secrets.yaml
index c34edf423..0218173b6 100644
--- a/charts/shield/templates/host/secrets.yaml
+++ b/charts/shield/templates/host/secrets.yaml
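Review bot: `host.rapid_response_secret_password_key` honours `existing_secret_password_key` even when `existing_secret` is unset, so a release that sets only the key keeps the chart-generated Secret (which, per `secrets_test.yaml`, carries only `data.password`) while the DaemonSet's `secretKeyRef` points at the custom key, and the kubelet will refuse to start the container. Tie the custom key to the existing secret in the helper's condition, e.g. `{{- if and (include "host.existing_rapid_response_secret" .) (hasKey .Values.features.respond.rapid_response "existing_secret_password_key") (not (empty .Values.features.respond.rapid_response.existing_secret_password_key)) }}`, and add a key-without-secret case next to the two new cases in `secrets_test.yaml`. The same shape survives the rename in PATCH 7's `_secrets.tpl` hunk, so the fix belongs there too. Separately, `host.dragent_yaml.rapid_response` in `_configmap_helpers.tpl` reaches the respond section through `host.respond_key`, while these helpers hard-code `.Values.features.respond`; if that indirection exists because the section can live under another key, the new lookups presumably need to go through it as well — worth confirming against that helper.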
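Review bot: The rendered `key:` on the added line (and the `name:` above it) is emitted as a plain scalar, so a user-supplied key such as `1234` or `on` would be retyped by the YAML parser and rejected by the Pod schema, and one containing `: ` or ` #` would break the manifest; pipe the includes through `quote`: `key: {{ include "host.rapid_response_secret_password_key" . | quote }}`. The env entry's container spec starts before the hunk.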
@@ -1,4 +1,4 @@
-{{- if (include "host.rapid_response_enabled" .) }}
+{{- if and (include "host.rapid_response_enabled" .) (not (include "host.existing_rapid_response_secret" .)) }}
 ---
 apiVersion: v1
 kind: Secret
diff --git a/charts/shield/tests/host/secrets_test.yaml b/charts/shield/tests/host/secrets_test.yaml
index be50cc49c..2ed8f48b2 100644
--- a/charts/shield/tests/host/secrets_test.yaml
+++ b/charts/shield/tests/host/secrets_test.yaml
@@ -1,11 +1,27 @@
 suite: Host - Secrets
 templates:
 - templates/host/secrets.yaml
+ - templates/host/daemonset.yaml
 release:
 name: release-name
 namespace: shield-namespace
 values:
 - ../values/base.yaml
+kubernetesProvider:
+ scheme:
+ "v1/Secret":
+ gvr:
+ version: "v1"
+ resource: "secrets"
+ namespaced: true
+ objects:
+ - apiVersion: v1
+ kind: Secret
+ metadata:
+ name: existing-secret
+ namespace: shield-namespace
+ data:
+ password: YWJjMTIzCg== # abc123
 tests:
 - it: Test Rapid Response secret is created when needed
 set:
@@ -23,10 +39,21 @@ tests:
 apiVersion: v1
 name: release-name-shield-host-rapid-response
 namespace: shield-namespace
+ template: templates/host/secrets.yaml
 - equal:
 path: data.password
 decodeBase64: true
 value: "abc123"
+ template: templates/host/secrets.yaml
+ - equal:
+ path: spec.template.spec.containers[?(@.name == "sysdig-host-shield")].env[?(@.name == "PASSWORD")]
+ value:
+ name: PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: release-name-shield-host-rapid-response
+ key: password
+ template: templates/host/daemonset.yaml
 
 - it: Test Rapid Response secret is created with correct password
 set:
@@ -41,7 +68,67 @@ tests:
 apiVersion: v1
 name: release-name-shield-host-rapid-response
 namespace: shield-namespace
+ template: templates/host/secrets.yaml
 - equal:
 path: data.password
 decodeBase64: true
 value: "abc123"
+ template: templates/host/secrets.yaml
+ - equal:
+ path: spec.template.spec.containers[?(@.name == "sysdig-host-shield")].env[?(@.name == "PASSWORD")]
+ value:
+ name: PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: release-name-shield-host-rapid-response
+ key: password
+ template: templates/host/daemonset.yaml
+
+ - it: Test Rapid Response using existing secret for password
+ set:
+ features:
+ respond:
+ rapid_response:
+ enabled: true
+ existing_secret: existing-secret
+ asserts:
+ - notExists:
+ kind: Secret
+ apiVersion: v1
+ name: release-name-shield-host-rapid-response
+ namespace: shield-namespace
+ template: templates/host/secrets.yaml
+ - equal:
+ path: spec.template.spec.containers[?(@.name == "sysdig-host-shield")].env[?(@.name == "PASSWORD")]
+ value:
+ name: PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: existing-secret
+ key: password
+ template: templates/host/daemonset.yaml
+
+ - it: Test Rapid Response using existing secret for password with custom key
+ set:
+ features:
+ respond:
+ rapid_response:
+ enabled: true
+ existing_secret: existing-secret
+ existing_secret_password_key: custom-key
+ asserts:
+ - notExists:
+ kind: Secret
+ apiVersion: v1
+ name: release-name-shield-host-rapid-response
+ namespace: shield-namespace
+ template: templates/host/secrets.yaml
+ - equal:
+ path: spec.template.spec.containers[?(@.name == "sysdig-host-shield")].env[?(@.name == "PASSWORD")]
+ value:
+ name: PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: existing-secret
+ key: custom-key
+ template: templates/host/daemonset.yaml
diff --git a/charts/shield/values.yaml b/charts/shield/values.yaml
index 9b2dca390..d47b5b8e1 100644
--- a/charts/shield/values.yaml
+++ b/charts/shield/values.yaml
@@ -144,6 +144,10 @@ features:
 rapid_response:
 enabled: false
 password:
+ # The name of the existing Rapid Response secret
+ existing_secret:
+ # The key used in the existing Rapid Response secret for the password
+ existing_secret_password_key:
 response_actions:
 enabled: false
 monitor:
From 988a36134f642ba57ccefbeef210c9cc61b70725 Mon Sep 17 00:00:00 2001
From: Francesco Furlan
Date: Fri, 19 Sep 2025 09:30:24 +0200
Subject: [PATCH 2/8] chore: omit rapid_response secrets on configmap
---
 charts/shield/templates/host/_configmap_helpers.tpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/charts/shield/templates/host/_configmap_helpers.tpl b/charts/shield/templates/host/_configmap_helpers.tpl
index 79b988b62..84ceff1ec 100644
--- a/charts/shield/templates/host/_configmap_helpers.tpl
+++ b/charts/shield/templates/host/_configmap_helpers.tpl
@@ -142,7 +142,7 @@ true
 {{- define "host.dragent_yaml.rapid_response" }}
 {{- $config := dict }}
 {{- $respond := get .Values.features (include "host.respond_key" .Values.features) }}
- {{- $rapid_response := omit (get $respond "rapid_response") "password" }}
+ {{- $rapid_response := omit (get $respond "rapid_response") "password" "existing_secret" "existing_secret_password_key" }}
 {{- if and (include "common.semver.is_valid" .Values.host.image.tag) (semverCompare "< 13.10.0" .Values.host.image.tag) (not .Values.ssl.verify) }}
 {{- $rapid_response = merge $rapid_response (dict "tls_skip_check" true) }}
 {{- end }}
From 9ad5effc09cd39bcf9bfd756de6e4799119cffc3 Mon Sep 17 00:00:00 2001
From: Francesco Furlan
Date: Fri, 19 Sep 2025 09:41:36 +0200
Subject: [PATCH 3/8] test: remove useless secret map
---
 charts/shield/tests/host/secrets_test.yaml | 15 ---------------
 1 file changed, 15 deletions(-)
diff --git a/charts/shield/tests/host/secrets_test.yaml b/charts/shield/tests/host/secrets_test.yaml
index 2ed8f48b2..4774c1f40 100644
--- a/charts/shield/tests/host/secrets_test.yaml
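Review bot: The comments added above `existing_secret` and `existing_secret_password_key` do not say how these values interact with `password` or what the chart expects of the referenced Secret: a reader of values.yaml cannot tell that `password` is ignored once `existing_secret` is set (secrets.yaml then skips the chart-managed Secret), that the Secret must already exist in the release namespace — the chart never checks for it, so a missing one only shows up as a container start failure — or that the lookup is by name. Suggest `# Name of an existing Secret in the release namespace that holds the Rapid Response password; when set, the chart does not create its own Secret and 'password' is ignored` and `# Key inside that existing Secret that holds the password`.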
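Review bot: The `omit` list on the changed line is the only thing keeping the secret-reference values out of the rendered dragent.yaml ConfigMap, and nothing ties it to the key names declared in values.yaml: PATCH 7 renames them to `password_existing_secret` and `password_existing_secret_key` without touching this line, and only PATCH 8 repairs it, so between those two commits the renamed keys presumably render into the ConfigMap. A test on `host.dragent_yaml.rapid_response` asserting that the rendered block contains neither `password` nor the existing-secret name or key when all three values are set would make that kind of drift fail in CI instead of in a review. A comment above the line, `{{- /* keep in sync with the secret-reference keys under features.respond.rapid_response in values.yaml */ -}}`, would also help the next rename. The define continues past the end of the hunk.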
+++ b/charts/shield/tests/host/secrets_test.yaml
@@ -7,21 +7,6 @@ release:
 namespace: shield-namespace
 values:
 - ../values/base.yaml
-kubernetesProvider:
- scheme:
- "v1/Secret":
- gvr:
- version: "v1"
- resource: "secrets"
- namespaced: true
- objects:
- - apiVersion: v1
- kind: Secret
- metadata:
- name: existing-secret
- namespace: shield-namespace
- data:
- password: YWJjMTIzCg== # abc123
 tests:
 - it: Test Rapid Response secret is created when needed
 set:
From df0a4c9791b3ed75ec392b5e1ed64fb317fedad3 Mon Sep 17 00:00:00 2001
From: Francesco Furlan
Date: Fri, 19 Sep 2025 09:43:50 +0200
Subject: [PATCH 4/8] chore: rename existing_rapid_response_secret to rapid_response_existing_secret
---
 charts/shield/templates/host/_secrets.tpl | 6 +++---
 charts/shield/templates/host/secrets.yaml | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/charts/shield/templates/host/_secrets.tpl b/charts/shield/templates/host/_secrets.tpl
index 9d0643b9c..d1cf2f625 100644
--- a/charts/shield/templates/host/_secrets.tpl
+++ b/charts/shield/templates/host/_secrets.tpl
@@ -1,12 +1,12 @@
-{{- define "host.existing_rapid_response_secret" }}
+{{- define "host.rapid_response_existing_secret" }}
 {{- if and (hasKey .Values.features.respond.rapid_response "existing_secret") (not (empty .Values.features.respond.rapid_response.existing_secret)) }}
 {{- .Values.features.respond.rapid_response.existing_secret }}
 {{- end }}
 {{- end }}
 
 {{- define "host.rapid_response_secret" }}
-{{- if (include "host.existing_rapid_response_secret" .) }}
-{{- (include "host.existing_rapid_response_secret" .) }}
+{{- if (include "host.rapid_response_existing_secret" .) }}
+{{- (include "host.rapid_response_existing_secret" .) }}
 {{- else }}
 {{- printf "%s-host-rapid-response" (include "shield.fullname" . | trunc 43 | trimSuffix "-") }}
 {{- end }}
diff --git a/charts/shield/templates/host/secrets.yaml b/charts/shield/templates/host/secrets.yaml
index 0218173b6..7cedb5d1f 100644
--- a/charts/shield/templates/host/secrets.yaml
+++ b/charts/shield/templates/host/secrets.yaml
@@ -1,4 +1,4 @@
-{{- if and (include "host.rapid_response_enabled" .) (not (include "host.existing_rapid_response_secret" .)) }}
+{{- if and (include "host.rapid_response_enabled" .) (not (include "host.rapid_response_existing_secret" .)) }}
 ---
 apiVersion: v1
 kind: Secret
From b9ec23237889408a24fb987abfb51da41d34f6f6 Mon Sep 17 00:00:00 2001
From: Francesco Furlan
Date: Fri, 19 Sep 2025 09:45:26 +0200
Subject: [PATCH 5/8] chore: add default to existing_secret_password_key
---
 charts/shield/README.md | 2 +-
 charts/shield/values.yaml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/charts/shield/README.md b/charts/shield/README.md
index fd50abc13..7612b7909 100644
--- a/charts/shield/README.md
+++ b/charts/shield/README.md
@@ -114,7 +114,7 @@ The following table lists the configurable parameters of the `shield` chart and
 | features.respond.rapid_response.enabled | | false |
 | features.respond.rapid_response.password | | |
 | features.respond.rapid_response.existing_secret | The name of the existing Rapid Response secret | |
-| features.respond.rapid_response.existing_secret_password_key | The key used in the existing Rapid Response secret for the password | |
+| features.respond.rapid_response.existing_secret_password_key | The key used in the existing Rapid Response secret for the password (default: password) | |
 | features.respond.response_actions.enabled | | false |
 | features.monitor.app_checks.enabled | | false |
 | features.monitor.java_management_extensions.enabled | | false |
diff --git a/charts/shield/values.yaml b/charts/shield/values.yaml
index d47b5b8e1..7be1cfba9 100644
--- a/charts/shield/values.yaml
+++ b/charts/shield/values.yaml
@@ -146,7 +146,7 @@ features:
 password:
 # The name of the existing Rapid Response secret
 existing_secret:
- # The key used in the existing Rapid Response secret for the password
+ # The key used in the existing Rapid Response secret for the password (default: password)
 existing_secret_password_key:
 response_actions:
 enabled: false
From 3ec75fcd538ced80628e24746a51427349e0829d Mon Sep 17 00:00:00 2001
From: Francesco Furlan
Date: Wed, 24 Sep 2025 15:27:19 +0200
Subject: [PATCH 6/8] chore: bump
---
 charts/shield/Chart.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/charts/shield/Chart.yaml b/charts/shield/Chart.yaml
index fe28bc1c2..f2cd48181 100644
--- a/charts/shield/Chart.yaml
+++ b/charts/shield/Chart.yaml
@@ -13,5 +13,5 @@ maintainers:
 - name: mavimo
 email: marcovito.moscaritolo@sysdig.com
 type: application
-version: 1.19.2
+version: 1.19.3
 appVersion: "1.0.0"
From 881e6fbe208f84f5572d63331dbdea6e8f4dd79b Mon Sep 17 00:00:00 2001
From: Francesco Furlan
Date: Thu, 25 Sep 2025 12:46:07 +0200
Subject: [PATCH 7/8] chore: add password prefix
---
 charts/shield/README.md | 4 ++--
 charts/shield/templates/host/_secrets.tpl | 18 +++++++++---------
 charts/shield/templates/host/daemonset.yaml | 4 ++--
 charts/shield/templates/host/secrets.yaml | 4 ++--
 charts/shield/tests/host/secrets_test.yaml | 6 +++---
 charts/shield/values.yaml | 6 +++---
 6 files changed, 21 insertions(+), 21 deletions(-)
diff --git a/charts/shield/README.md b/charts/shield/README.md
index 7612b7909..600224c40 100644
--- a/charts/shield/README.md
+++ b/charts/shield/README.md
@@ -113,8 +113,8 @@ The following table lists the configurable parameters of the `shield` chart and
 | features.investigations.event_forwarder.transmit_message_types | | [] |
 | features.respond.rapid_response.enabled | | false |
 | features.respond.rapid_response.password | | |
-| features.respond.rapid_response.existing_secret | The name of the existing Rapid Response secret | |
-| features.respond.rapid_response.existing_secret_password_key | The key used in the existing Rapid Response secret for the password (default: password) | |
+| features.respond.rapid_response.password_existing_secret | The name of the existing Rapid Response password secret | |
+| features.respond.rapid_response.password_existing_secret_key | The key used in the existing Rapid Response secret for the password (default: password) | |
 | features.respond.response_actions.enabled | | false |
 | features.monitor.app_checks.enabled | | false |
 | features.monitor.java_management_extensions.enabled | | false |
diff --git a/charts/shield/templates/host/_secrets.tpl b/charts/shield/templates/host/_secrets.tpl
index d1cf2f625..e53451353 100644
--- a/charts/shield/templates/host/_secrets.tpl
+++ b/charts/shield/templates/host/_secrets.tpl
@@ -1,20 +1,20 @@
-{{- define "host.rapid_response_existing_secret" }}
-{{- if and (hasKey .Values.features.respond.rapid_response "existing_secret") (not (empty .Values.features.respond.rapid_response.existing_secret)) }}
-{{- .Values.features.respond.rapid_response.existing_secret }}
+{{- define "host.rapid_response_password_existing_secret" }}
+{{- if and (hasKey .Values.features.respond.rapid_response "password_existing_secret") (not (empty .Values.features.respond.rapid_response.password_existing_secret)) }}
+{{- .Values.features.respond.rapid_response.password_existing_secret }}
 {{- end }}
 {{- end }}
 
-{{- define "host.rapid_response_secret" }}
-{{- if (include "host.rapid_response_existing_secret" .) }}
-{{- (include "host.rapid_response_existing_secret" .) }}
+{{- define "host.rapid_response_password_secret" }}
+{{- if (include "host.rapid_response_password_existing_secret" .) }}
+{{- (include "host.rapid_response_password_existing_secret" .) }}
 {{- else }}
 {{- printf "%s-host-rapid-response" (include "shield.fullname" . | trunc 43 | trimSuffix "-") }}
 {{- end }}
 {{- end }}
 
-{{- define "host.rapid_response_secret_password_key" }}
-{{- if and (hasKey .Values.features.respond.rapid_response "existing_secret_password_key") (not (empty .Values.features.respond.rapid_response.existing_secret_password_key)) }}
-{{- .Values.features.respond.rapid_response.existing_secret_password_key }}
+{{- define "host.rapid_response_password_secret_key" }}
+{{- if and (hasKey .Values.features.respond.rapid_response "password_existing_secret_key") (not (empty .Values.features.respond.rapid_response.password_existing_secret_key)) }}
+{{- .Values.features.respond.rapid_response.password_existing_secret_key }}
 {{- else }}
 {{- "password" }}
 {{- end }}
diff --git a/charts/shield/templates/host/daemonset.yaml b/charts/shield/templates/host/daemonset.yaml
index 9c9f25500..d352fe1b2 100644
--- a/charts/shield/templates/host/daemonset.yaml
+++ b/charts/shield/templates/host/daemonset.yaml
@@ -140,8 +140,8 @@ spec:
 - name: PASSWORD
 valueFrom:
 secretKeyRef:
- name: {{ include "host.rapid_response_secret" . }}
- key: {{ include "host.rapid_response_secret_password_key" . }}
+ name: {{ include "host.rapid_response_password_secret" . }}
+ key: {{ include "host.rapid_response_password_secret_key" . }}
 {{- end }}
 {{- include "host.env" . | nindent 12 }}
 {{ if or .Values.features.posture.host_posture.enabled (dig "kspm_analyzer" "enabled" false .Values.host.additional_settings) }}
diff --git a/charts/shield/templates/host/secrets.yaml b/charts/shield/templates/host/secrets.yaml
index 7cedb5d1f..20d368767 100644
--- a/charts/shield/templates/host/secrets.yaml
+++ b/charts/shield/templates/host/secrets.yaml
@@ -1,9 +1,9 @@
-{{- if and (include "host.rapid_response_enabled" .) (not (include "host.rapid_response_existing_secret" .)) }}
+{{- if and (include "host.rapid_response_enabled" .) (not (include "host.rapid_response_password_existing_secret" .)) }}
 ---
 apiVersion: v1
 kind: Secret
 metadata:
- name: {{ include "host.rapid_response_secret" . }}
+ name: {{ include "host.rapid_response_password_secret" . }}
 namespace: {{ .Release.Namespace }}
 labels:
 {{- include "host.labels" . | nindent 4 }}
diff --git a/charts/shield/tests/host/secrets_test.yaml b/charts/shield/tests/host/secrets_test.yaml
index 4774c1f40..8afa128de 100644
--- a/charts/shield/tests/host/secrets_test.yaml
+++ b/charts/shield/tests/host/secrets_test.yaml
@@ -75,7 +75,7 @@ tests:
 respond:
 rapid_response:
 enabled: true
- existing_secret: existing-secret
+ password_existing_secret: existing-secret
 asserts:
 - notExists:
 kind: Secret
@@ -99,8 +99,8 @@ tests:
 respond:
 rapid_response:
 enabled: true
- existing_secret: existing-secret
- existing_secret_password_key: custom-key
+ password_existing_secret: existing-secret
+ password_existing_secret_key: custom-key
 asserts:
 - notExists:
 kind: Secret
diff --git a/charts/shield/values.yaml b/charts/shield/values.yaml
index 7be1cfba9..e06f468b3 100644
--- a/charts/shield/values.yaml
+++ b/charts/shield/values.yaml
@@ -144,10 +144,10 @@ features:
 rapid_response:
 enabled: false
 password:
- # The name of the existing Rapid Response secret
- existing_secret:
+ # The name of the existing Rapid Response password secret
+ password_existing_secret:
 # The key used in the existing Rapid Response secret for the password (default: password)
- existing_secret_password_key:
+ password_existing_secret_key:
 response_actions:
 enabled: false
 monitor:
From b56fcfe1a0fd62a2e29d31a0cd3046176951a5b5 Mon Sep 17 00:00:00 2001
From: Francesco Furlan
Date: Thu, 25 Sep 2025 12:47:46 +0200
Subject: [PATCH 8/8] chore: fix omit
---
 charts/shield/templates/host/_configmap_helpers.tpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/charts/shield/templates/host/_configmap_helpers.tpl b/charts/shield/templates/host/_configmap_helpers.tpl
index 84ceff1ec..0efeeb99e 100644
--- a/charts/shield/templates/host/_configmap_helpers.tpl
+++ b/charts/shield/templates/host/_configmap_helpers.tpl
@@ -142,7 +142,7 @@ true
 {{- define "host.dragent_yaml.rapid_response" }}
 {{- $config := dict }}
 {{- $respond := get .Values.features (include "host.respond_key" .Values.features) }}
- {{- $rapid_response := omit (get $respond "rapid_response") "password" "existing_secret" "existing_secret_password_key" }}
+ {{- $rapid_response := omit (get $respond "rapid_response") "password" "password_existing_secret" "password_existing_secret_key" }}
 {{- if and (include "common.semver.is_valid" .Values.host.image.tag) (semverCompare "< 13.10.0" .Values.host.image.tag) (not .Values.ssl.verify) }}
 {{- $rapid_response = merge $rapid_response (dict "tls_skip_check" true) }}
 {{- end }}