robusta-dev / robusta

Kubernetes observability and automation, with an awesome Prometheus integration
https://home.robusta.dev/
MIT License
2.5k stars 247 forks

slack bot api key with secret or external secret #1489

Open yuvals41 opened 2 days ago

yuvals41 commented 2 days ago

I'm always frustrated when I have to explicitly type the Slack token in the values.yaml file to integrate Slack with Robusta. This practice poses a security risk as it involves hardcoding sensitive information in a configuration file.

Describe the solution you'd like

I would like to see an implementation where the Slack token is managed securely without hardcoding it in the values.yaml file. One possible approach could be to utilize Kubernetes secrets or external secrets to handle the Slack token. This would ensure that the sensitive information is stored securely and is not exposed in plain text within the configuration files.

Describe alternatives you've considered

An alternative solution could be to provide a mechanism for users to pass the Slack token through environment variables or a dedicated secrets management tool integrated with Robusta.

Additional context

Enhancing the security of handling the Slack token will not only mitigate potential security risks but also align with best practices for managing sensitive information. Below is a screenshot of the current configuration requirement:

[Include a screenshot if available]

Thank you for considering this feature request.

github-actions[bot] commented 2 days ago

Hi 👋, thanks for opening an issue! Please note, it may take some time for us to respond, but we'll get back to you as soon as we can!

arikalon1 commented 2 days ago

thanks for reporting it @yuvals41

We do have a guide for handling values using secrets. https://docs.robusta.dev/master/setup-robusta/configuration-secrets.html#pulling-values-from-kubernetes-secrets

Does this help?

yuvals41 commented 2 days ago

but not when using the slack integration

  sinksConfig:
  - slack_sink:
      name: main_slack_sink
      slack_channel: events
      api_key: *******

I don't see an option here to use a secret

https://docs.robusta.dev/master/configuration/sinks/slack.html

arikalon1 commented 2 days ago

We need to improve the docs there. You can use the same approach on the Sink parameters.

First, specify the key is taken from an env variable:

  sinksConfig:
  - slack_sink:
      name: main_slack_sink
      slack_channel: events
      api_key: "{{ env.SLACK_API_KEY }}"

Then, add this env variable from a secret:

runner:
  additional_env_vars:
  - name: SLACK_API_KEY
    valueFrom:
      secretKeyRef:
        name: my-robusta-secrets
        key: slack_api_key

Can you try this?

yuvals41 commented 2 days ago

is the runner and the robusta the same?

thanks for the fast response

arikalon1 commented 2 days ago

yeah, Robusta has 2 pods. The runner and forwarder. The forwarder is responsible for watching api server events, and the runner for doing the enrichments and sending the notifications.

Happy to help
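
Added example (not part of the thread and not Robusta code): a pre-deploy check for the configuration arikalon1 describes, flagging any sink `api_key` that is a literal instead of an `{{ env.NAME }}` placeholder, and any placeholder whose variable is not supplied to the runner through a `secretKeyRef`. The function name `audit_sink_secrets`, the `secret_fields` parameter and the sample values are assumptions; the input is values.yaml already parsed into Python dicts.

```python
import re

# Matches the "{{ env.NAME }}" placeholder form shown in the thread.
ENV_REF = re.compile(r"^\{\{\s*env\.([A-Za-z_][A-Za-z0-9_]*)\s*\}\}$")

def audit_sink_secrets(values, secret_fields=("api_key",)):
    """Return a list of findings for sink credentials in parsed Helm values."""
    findings = []
    # Index the runner's extra env vars by name for lookup below.
    env_vars = {
        e.get("name"): e
        for e in (values.get("runner") or {}).get("additional_env_vars") or []
    }
    for sink in values.get("sinksConfig") or []:
        for sink_type, params in sink.items():
            params = params or {}
            label = f"{sink_type}/{params.get('name', '?')}"
            for field in secret_fields:
                if field not in params:
                    continue
                m = ENV_REF.match(str(params[field]).strip())
                if not m:
                    findings.append(f"{label}: {field} is a literal value")
                    continue
                var = m.group(1)
                env = env_vars.get(var)
                if env is None:
                    findings.append(f"{label}: {var} not in runner.additional_env_vars")
                elif "secretKeyRef" not in (env.get("valueFrom") or {}):
                    findings.append(f"{label}: {var} is not sourced from a secretKeyRef")
    return findings

# Constructed sample inputs, shaped as a YAML parser would return them.
HARDCODED = {"sinksConfig": [{"slack_sink": {
    "name": "main_slack_sink", "slack_channel": "events",
    "api_key": "CONSTRUCTED-NOT-A-REAL-TOKEN"}}]}

FROM_SECRET = {
    "sinksConfig": [{"slack_sink": {
        "name": "main_slack_sink", "slack_channel": "events",
        "api_key": "{{ env.SLACK_API_KEY }}"}}],
    "runner": {"additional_env_vars": [{
        "name": "SLACK_API_KEY",
        "valueFrom": {"secretKeyRef": {
            "name": "my-robusta-secrets", "key": "slack_api_key"}}}]},
}

if __name__ == "__main__":
    for name, vals in (("hardcoded", HARDCODED), ("from_secret", FROM_SECRET)):
        print(name, audit_sink_secrets(vals) or "ok")
```

An empty result means every checked sink credential resolves through a Kubernetes secret reference on the runner; it does not verify that the referenced secret exists in the cluster.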