2 changes: 1 addition & 1 deletion charts/shield/Chart.yaml
Expand Up @@ -13,5 +13,5 @@ maintainers:
- name: mavimo
email: [email protected]
type: application
version: 1.19.2
version: 1.19.3
appVersion: "1.0.0"
2 changes: 2 additions & 0 deletions charts/shield/README.md
Expand Up @@ -113,6 +113,8 @@ The following table lists the configurable parameters of the `shield` chart and
| features.investigations.event_forwarder.transmit_message_types | | <code>[]</code> |
| features.respond.rapid_response.enabled | | <code>false</code> |
| features.respond.rapid_response.password | | <code></code> |
| features.respond.rapid_response.password_existing_secret | The name of the existing Rapid Response password secret | <code></code> |
| features.respond.rapid_response.password_existing_secret_key | The key used in the existing Rapid Response secret for the password (default: password) | <code></code> |
| features.respond.response_actions.enabled | | <code>false</code> |
| features.monitor.app_checks.enabled | | <code>false</code> |
| features.monitor.java_management_extensions.enabled | | <code>false</code> |
2 changes: 1 addition & 1 deletion charts/shield/templates/host/_configmap_helpers.tpl
Expand Up @@ -142,7 +142,7 @@ true
{{- define "host.dragent_yaml.rapid_response" }}
{{- $config := dict }}
{{- $respond := get .Values.features (include "host.respond_key" .Values.features) }}
{{- $rapid_response := omit (get $respond "rapid_response") "password" }}
{{- $rapid_response := omit (get $respond "rapid_response") "password" "password_existing_secret" "password_existing_secret_key" }}
{{- if and (include "common.semver.is_valid" .Values.host.image.tag) (semverCompare "< 13.10.0" .Values.host.image.tag) (not .Values.ssl.verify) }}
{{- $rapid_response = merge $rapid_response (dict "tls_skip_check" true) }}
{{- end }}
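Review bot: The three keys dropped by `omit` on the `$rapid_response` line are chart-level wiring that must never reach the agent's rendered configuration, but nothing in the template says so, and the list has to be kept in sync by hand with `values.yaml` and the helpers in `_secrets.tpl`. A comment such as `{{- /* password, password_existing_secret and password_existing_secret_key are consumed by secrets.yaml/daemonset.yaml, never by the agent config */ -}}` above the `omit` would record that intent for the next person adding a key. `host.dragent_yaml.rapid_response` continues past the end of the hunk.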
20 changes: 19 additions & 1 deletion charts/shield/templates/host/_secrets.tpl
@@ -1,3 +1,21 @@
{{- define "host.rapid_response_secret" }}
{{- define "host.rapid_response_password_existing_secret" }}
{{- if and (hasKey .Values.features.respond.rapid_response "password_existing_secret") (not (empty .Values.features.respond.rapid_response.password_existing_secret)) }}
{{- .Values.features.respond.rapid_response.password_existing_secret }}
{{- end }}
{{- end }}

{{- define "host.rapid_response_password_secret" }}
{{- if (include "host.rapid_response_password_existing_secret" .) }}
{{- (include "host.rapid_response_password_existing_secret" .) }}
{{- else }}
{{- printf "%s-host-rapid-response" (include "shield.fullname" . | trunc 43 | trimSuffix "-") }}
{{- end }}
{{- end }}

{{- define "host.rapid_response_password_secret_key" }}
{{- if and (hasKey .Values.features.respond.rapid_response "password_existing_secret_key") (not (empty .Values.features.respond.rapid_response.password_existing_secret_key)) }}
{{- .Values.features.respond.rapid_response.password_existing_secret_key }}
{{- else }}
{{- "password" }}
{{- end }}
{{- end }}
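Review bot: `host.rapid_response_password_existing_secret` and `host.rapid_response_password_secret_key` read `.Values.features.respond.rapid_response` directly, whereas `host.dragent_yaml.rapid_response` in `_configmap_helpers.tpl` resolves the respond section through `include "host.respond_key"`; if that indirection exists because the section can live under another key, the new helpers will not see `password_existing_secret` there, and with `.Values.features.respond` absent the `hasKey` call on a nil value would likely abort the render. Resolving it the same way, `{{- $respond := get .Values.features (include "host.respond_key" .Values.features) }}` followed by `{{- $rapid_response := get $respond "rapid_response" }}` and reading both keys from `$rapid_response`, keeps the two templates consistent. Separately, when `password` and `password_existing_secret` are both set the inline password is silently ignored and `secrets.yaml` (same commit) no longer renders a Secret, so an operator may believe a password is in effect that is not; a `fail` on that combination, or at least a comment on this helper stating that the existing secret takes precedence, would make the behaviour explicit.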
4 changes: 2 additions & 2 deletions charts/shield/templates/host/daemonset.yaml
Expand Up @@ -140,8 +140,8 @@ spec:
- name: PASSWORD
valueFrom:
secretKeyRef:
name: {{ include "host.rapid_response_secret" . }}
key: password
name: {{ include "host.rapid_response_password_secret" . }}
key: {{ include "host.rapid_response_password_secret_key" . }}
{{- end }}
{{- include "host.env" . | nindent 12 }}
{{ if or .Values.features.posture.host_posture.enabled (dig "kspm_analyzer" "enabled" false .Values.host.additional_settings) }}
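Review bot: The `name:` and `key:` under `secretKeyRef` are now user-supplied values rendered as plain scalars, so a value that YAML types implicitly — an all-digit secret name or key such as `1234`, or a key that looks like a boolean — would render as an int or bool and be rejected by the API server, since both fields are typed string. Piping the includes through `quote` avoids this: `name: {{ include "host.rapid_response_password_secret" . | quote }}` and `key: {{ include "host.rapid_response_password_secret_key" . | quote }}`. The env entry and the `{{- if ... }}` closed at `{{- end }}` start above the hunk.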
4 changes: 2 additions & 2 deletions charts/shield/templates/host/secrets.yaml
@@ -1,9 +1,9 @@
{{- if (include "host.rapid_response_enabled" .) }}
{{- if and (include "host.rapid_response_enabled" .) (not (include "host.rapid_response_password_existing_secret" .)) }}
---
apiVersion: v1
kind: Secret
metadata:
name: {{ include "host.rapid_response_secret" . }}
name: {{ include "host.rapid_response_password_secret" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "host.labels" . | nindent 4 }}
72 changes: 72 additions & 0 deletions charts/shield/tests/host/secrets_test.yaml
@@ -1,6 +1,7 @@
suite: Host - Secrets
templates:
- templates/host/secrets.yaml
- templates/host/daemonset.yaml
release:
name: release-name
namespace: shield-namespace
Expand All @@ -23,10 +24,21 @@ tests:
apiVersion: v1
name: release-name-shield-host-rapid-response
namespace: shield-namespace
template: templates/host/secrets.yaml
- equal:
path: data.password
decodeBase64: true
value: "abc123"
template: templates/host/secrets.yaml
- equal:
path: spec.template.spec.containers[?(@.name == "sysdig-host-shield")].env[?(@.name == "PASSWORD")]
value:
name: PASSWORD
valueFrom:
secretKeyRef:
name: release-name-shield-host-rapid-response
key: password
template: templates/host/daemonset.yaml

- it: Test Rapid Response secret is created with correct password
set:
Expand All @@ -41,7 +53,67 @@ tests:
apiVersion: v1
name: release-name-shield-host-rapid-response
namespace: shield-namespace
template: templates/host/secrets.yaml
- equal:
path: data.password
decodeBase64: true
value: "abc123"
template: templates/host/secrets.yaml
- equal:
path: spec.template.spec.containers[?(@.name == "sysdig-host-shield")].env[?(@.name == "PASSWORD")]
value:
name: PASSWORD
valueFrom:
secretKeyRef:
name: release-name-shield-host-rapid-response
key: password
template: templates/host/daemonset.yaml

- it: Test Rapid Response using existing secret for password
set:
features:
respond:
rapid_response:
enabled: true
password_existing_secret: existing-secret
asserts:
- notExists:
kind: Secret
apiVersion: v1
name: release-name-shield-host-rapid-response
namespace: shield-namespace
template: templates/host/secrets.yaml
- equal:
path: spec.template.spec.containers[?(@.name == "sysdig-host-shield")].env[?(@.name == "PASSWORD")]
value:
name: PASSWORD
valueFrom:
secretKeyRef:
name: existing-secret
key: password
template: templates/host/daemonset.yaml

- it: Test Rapid Response using existing secret for password with custom key
set:
features:
respond:
rapid_response:
enabled: true
password_existing_secret: existing-secret
password_existing_secret_key: custom-key
asserts:
- notExists:
kind: Secret
apiVersion: v1
name: release-name-shield-host-rapid-response
namespace: shield-namespace
template: templates/host/secrets.yaml
- equal:
path: spec.template.spec.containers[?(@.name == "sysdig-host-shield")].env[?(@.name == "PASSWORD")]
value:
name: PASSWORD
valueFrom:
secretKeyRef:
name: existing-secret
key: custom-key
template: templates/host/daemonset.yaml
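Review bot: The new cases cover the Secret and the daemonset env, but nothing exercises the `omit` change in `_configmap_helpers.tpl`, so a regression that lets `password_existing_secret` or `password_existing_secret_key` leak into the rendered agent configuration would pass this suite; since `templates:` here lists only `secrets.yaml` and `daemonset.yaml`, that assertion belongs in the configmap test file if one exists. A case where both `password` and `password_existing_secret` are set is also missing, and it is the combination most likely to surprise an operator; asserting either that the Secret is absent and the env points at `existing-secret`, or that rendering fails, would pin whichever precedence is intended. The `notExists` assertions check only the chart-named Secret, so a stray Secret rendered under another name would go unnoticed; a stricter check on `templates/host/secrets.yaml` is `- hasDocuments:` with `count: 0`.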
4 changes: 4 additions & 0 deletions charts/shield/values.yaml
Expand Up @@ -144,6 +144,10 @@ features:
rapid_response:
enabled: false
password:
# The name of the existing Rapid Response password secret
password_existing_secret:
# The key used in the existing Rapid Response secret for the password (default: password)
password_existing_secret_key:
response_actions:
enabled: false
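Review bot: The comment above `password_existing_secret` does not say what happens to `password` and to the chart-managed Secret when it is set, which is exactly what a user choosing between the two options needs to know; as far as the other hunks in this commit show, the inline `password` is then unused and no Secret is rendered. Suggest replacing it with `# When set, the chart does not create its own Secret and password is ignored; the password is read from this existing Secret instead.`, and keeping the `(default: password)` remark on the key comment since that fallback lives in the template rather than here. The `rapid_response` mapping starts above the hunk.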
monitor: