sensu / sensu-go

Simple. Scalable. Multi-cloud monitoring.
https://sensu.io
MIT License

Allow secrets/env vars to be used in assets #3619

Open asachs01 opened 4 years ago

asachs01 commented 4 years ago

As a user who has security restrictions around using external repositories to provide assets, I'd like to have the ability to provide an asset configuration which specifies header information (like tokens or user/password auth) in the form of a secret or an environment variable. Ideally, this would look something like:

type: Asset
api_version: core/v2
metadata:
  name: check_cpu_linux_amd64
  namespace: default
  labels:
    origin: bitbucket
spec:
  url: https://bitbucket.corp.com/981307deb10ebf1f1433a80da5504c3c53d5c44f/sensu-go-cpu-check_0.0.3_linux_amd64.tar.gz
  sha512: 487ab34b37da8ce76d2657b62d37b35fbbb240c3546dd463fa0c37dc58a72b786ef0ca396a0a12c8d006ac7fa21923e0e9ae63419a4d56aec41fccb574c1a5d3
  filters:
  - entity.system.os == 'linux'
  - entity.system.arch == 'amd64'
  headers:
    Authorization: Bearer $BITBUCKET_TOKEN
  secrets:
  - name: BITBUCKET_TOKEN
    secret: bitbucket-token-vault

palourde commented 4 years ago

@nikkixdev here's another one for the assets discussion

nikkictl commented 4 years ago

Feature spec:

Requires https://github.com/sensu/sensu-go/issues/3639
Requires https://github.com/sensu/sensu-go/issues/3492

echlebek commented 4 years ago

I believe the spec on this issue is incorrect. Perhaps it was posted to the wrong issue?

The user story described in this issue can be satisfied by the following feature:

Environment variables don't come into play, as these headers are used outside any shell execution context.

palourde commented 4 years ago

@echlebek Thanks for the clarification, that's super useful!

That being said, I'm still not sure how the secret would be transmitted from the backend to the agent, in case the asset is executed on the agent.

Right now, whenever a check requires a secret, the backend (schedulerd) will substitute the secret tokens with the secret value. It means the backend would also need to be aware of the assets required by the agent and somehow provide those secrets too?

echlebek commented 4 years ago

I suppose that we would need to modify the system to also send secrets for the asset to the agent.

nikkictl commented 4 years ago

Sorry for the confusion! I originally filed https://github.com/sensu/sensu-go/issues/3697 based on the technical specifications we swarmed on as a team. At the time I believed that spec would satisfy the user story described in this issue, so I closed it out in favor of this one. If that is not the case, should we re-open https://github.com/sensu/sensu-go/issues/3697 if the spec is still relevant to a desired use case?

stale[bot] commented 3 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

jspaleta commented 3 years ago

This discussion seems to have gone stale without coming to a conclusion.

Re-opening.

Should #3697 be re-opened as well? From the previous comments it seems the secret template function is part of the necessary implementation, so that secrets can be injected via token substitution.
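As an added example (not sensu-go code, and not from anyone in this thread), a Go sketch of the substitution step palourde describes above, applied to the asset headers in the proposed spec. It assumes a plain map standing in for the secrets provider, treats `$NAME` as a token placeholder rather than a shell environment variable (as echlebek notes, no shell is involved), refuses undeclared tokens so a literal placeholder is never sent, and shows the redaction an agent or backend would apply before logging the resolved headers.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

// ResolveHeaders expands $NAME tokens in asset headers. secrets maps token name to
// provider secret id; store is a constructed stand-in for the secrets provider,
// keyed by that id. Undeclared or unresolvable tokens are errors, never "" or literals.
func ResolveHeaders(headers, secrets, store map[string]string) (map[string]string, error) {
	vals := map[string]string{}
	for name, id := range secrets {
		if _, ok := store[id]; !ok {
			return nil, fmt.Errorf("secret %q for token %s not found", id, name)
		}
		vals[name] = store[id]
	}
	out := make(map[string]string, len(headers))
	for k, h := range headers {
		var missing []string
		out[k] = os.Expand(h, func(name string) string {
			v, ok := vals[name]
			if !ok {
				missing = append(missing, name)
			}
			return v
		})
		if len(missing) > 0 {
			return nil, fmt.Errorf("header %s references undeclared secrets %v", k, missing)
		}
	}
	return out, nil
}

// RedactHeaders returns a log-safe copy with every non-empty secret value masked.
func RedactHeaders(h map[string]string, secretValues []string) map[string]string {
	out := make(map[string]string, len(h))
	for k, v := range h {
		for _, s := range secretValues {
			if s != "" {
				v = strings.ReplaceAll(v, s, "[REDACTED]")
			}
		}
		out[k] = v
	}
	return out
}
```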