terraform-ibm-modules / terraform-ibm-mas

Deploys Maximo Application Suite on an IBM Cloud openshift cluster.
Apache License 2.0

Checkov: CKV_K8S_35: "Prefer using secrets as files over secrets as environment variables" #98

Open padmankosalaram opened 5 months ago

padmankosalaram commented 5 months ago

Check: CKV_K8S_35: "Prefer using secrets as files over secrets as environment variables"

FAILED for resource: Job.mas-inst1-pipelines.mas-deploy-job
File: /chart/deploy-mas/mas-deploy/templates/01-deploy-mas.yaml:95-327

Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-33

padmankosalaram commented 5 months ago

This issue cannot be fixed. Please find below the reason.

The helm chart accepts 2 secret variables (entitlement_key & authorized_entitlement) from terraform, found in this line: https://github.com/terraform-ibm-modules/terraform-ibm-mas/blob/6ed2eda03f34bd579c33b1318aa1b935877dbe50/chart/deploy-mas/templates/01-deploy-mas.yaml#L24

These secrets are important for installing MAS. Also, their values are already base64 encoded in terraform and passed to the helm chart. The helm chart will store them as a k8s secret and further inject them into the POD.

Hence it is important to have the secrets as environment variables in these lines:

https://github.com/terraform-ibm-modules/terraform-ibm-mas/blob/6ed2eda03f34bd579c33b1318aa1b935877dbe50/chart/deploy-mas/templates/01-deploy-mas.yaml#L24

https://github.com/terraform-ibm-modules/terraform-ibm-mas/blob/6ed2eda03f34bd579c33b1318aa1b935877dbe50/chart/deploy-mas/templates/01-deploy-mas.yaml#L257

https://github.com/terraform-ibm-modules/terraform-ibm-mas/blob/6ed2eda03f34bd579c33b1318aa1b935877dbe50/chart/deploy-mas/templates/01-deploy-mas.yaml#L263
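For readers weighing the finding, the two shapes CKV_K8S_35 distinguishes, side by side: the environment-variable injection it flags, and the file projection it prefers. This is an added illustration, not the chart's own template; the image, secret name and mount path are assumed placeholders, only the Job name and namespace come from the Checkov output above.

```yaml
# Added example (not from the terraform-ibm-mas chart). Secret name, image and
# mount path are assumed placeholders; the Job name/namespace match the finding.
---
# Flagged form: the secret value becomes part of the container environment,
# so it is visible to every child process and in any environment dump.
apiVersion: batch/v1
kind: Job
metadata:
  name: mas-deploy-job
  namespace: mas-inst1-pipelines
spec:
  template:
    spec:
      restartPolicy: Never
      containers:
        - name: deploy
          image: registry.example.com/mas-deploy:placeholder   # assumed image
          env:
            - name: ENTITLEMENT_KEY
              valueFrom:
                secretKeyRef:
                  name: mas-entitlement       # assumed secret name
                  key: entitlement_key
---
# Preferred form: the same Secret projected as read-only files; the process
# reads /run/secrets/mas/entitlement_key instead of $ENTITLEMENT_KEY, and the
# value never appears in the pod's environment block.
apiVersion: batch/v1
kind: Job
metadata:
  name: mas-deploy-job
  namespace: mas-inst1-pipelines
spec:
  template:
    spec:
      restartPolicy: Never
      containers:
        - name: deploy
          image: registry.example.com/mas-deploy:placeholder   # assumed image
          volumeMounts:
            - name: entitlement
              mountPath: /run/secrets/mas   # assumed path
              readOnly: true
      volumes:
        - name: entitlement
          secret:
            secretName: mas-entitlement     # assumed secret name
            defaultMode: 0400               # owner-read only inside the pod
```

Moving to the second form requires the deploy script inside the Job to read the file rather than the variable, which is the change the comment above says the chart's current script does not accommodate.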