trendmicro / cloudone-container-security-helm

Helm chart for Trend Micro Cloud One Container Security

Deploying helm chart with existing secrets for API key #1

Closed surj-bains closed 2 years ago

surj-bains commented 2 years ago

Hi, I wish to deploy the cloud container scanner without including the API_KEY in the clear within the yaml of the values file or override.

holyspectral commented 2 years ago

Hi @surj-bains , if you want to deploy container security using the existing api key, you can use --reuse-values as mentioned in https://github.com/trendmicro/cloudone-container-security-helm#upgrade-a-trend-micro-cloud-one-container-security-deployment

surj-bains commented 2 years ago

Hi @holyspectral , this doesn't resolve my issue.

This entry in the values.yaml

  ## Default value: (none)
  apiKey: <apikeyhere>

is in the clear. I want to be able to save the yaml file in a git repository, but I can't as it currently stands, as the apiKey will be visible.

ronchittaro commented 2 years ago

@surj-bains This is a valid point. We have noted this request.

holyspectral commented 2 years ago

Hi @surj-bains , you can do this by supplying secrets from another file using the --set-file flag. For example, create a secrets.txt containing the apiKey at deployment time using any secret manager. Note that the file should not include an eol character.

After that, you can deploy using the command below without having the apiKey in your overrides.yaml.

helm upgrade --install trendmicro -n trendmicro-system --values overrides.yaml --set-file cloudOne.apiKey=secrets.txt .

surj-bains commented 2 years ago

Hi @holyspectral, what I'm after is an option in your helm chart to be able to use an existing Kubernetes secret. I'm not running helm manually but applying using ArgoCD.

holyspectral commented 2 years ago

@surj-bains To confirm, is this something you'd like? https://github.com/holyspectral/cloudone-container-security-helm/commit/5b0503075041215e5f1be01a16ac0679123762c8 :-)

Note this is experimental and not ready for production yet.

holyspectral commented 2 years ago

overrides.yaml:

cloudOne:
    endpoint: https://container.trend-us-1.cloudone.trendmicro.com
    runtimeSecurity:
        enabled: true
    exclusion:
        namespaces: [ kube-system ]
useExistingSecrets: true

secrets.yaml:

apiVersion: v1
kind: Secret
metadata:
  name: trendmicro-container-security-auth
  namespace: trendmicro-system
type: Opaque
data:
  api.key: <base64-encoded secret>
---
apiVersion: v1
kind: Secret
metadata:
  name: trendmicro-container-security-outbound-proxy-credentials
  namespace: trendmicro-system
type: Opaque
data:
  allProxy: ""
  password: ""
  username: ""
---
apiVersion: v1
kind: Secret
metadata:
  name: trendmicro-container-security-telemetry
  namespace: trendmicro-system
type: Opaque
data:
  apiKey: ""
  publicKey: ""
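
Both deployment paths in this thread (the --set-file route in the earlier comment and the useExistingSecrets route with the secrets.yaml above) depend on the key file being written without a trailing newline and on the key never appearing in overrides.yaml. The following shell script is an added example, not part of the chart or of anyone's reply here; it assumes the key arrives in an environment variable named CS_API_KEY (a name chosen for the example), writes the secrets.txt that --set-file reads, verifies its last byte, renders the auth Secret manifest from the thread with the value base64-encoded on one line, and checks an overrides file for a stray apiKey value. It runs offline, so it prints the kubectl and helm commands instead of executing them.

```shell
#!/bin/sh
# Added example (not the chart's own tooling). Assumes CS_API_KEY holds the
# Container Security API key and WORKDIR is where generated files go.
set -eu

# Write the key to a file with no end-of-line byte: --set-file reads the file
# verbatim, so a trailing newline would become part of the API key.
write_key_file() {
  key="$1"; out="$2"
  ( umask 077; printf '%s' "$key" > "$out" )   # owner-readable only
}

# Return 0 when the file is non-empty and its last byte is not a newline (0x0a).
file_has_no_eol() {
  [ -s "$1" ] || return 1
  [ "$(tail -c 1 "$1" | od -An -tx1 | tr -d ' \n')" != "0a" ]
}

# Render the auth Secret from secrets.yaml above, with api.key base64-encoded
# from the key file as a single line (tr strips the wrapping some base64 add).
render_auth_secret() {
  keyfile="$1"; ns="$2"
  b64="$(base64 < "$keyfile" | tr -d '\n')"
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: trendmicro-container-security-auth\n  namespace: %s\ntype: Opaque\ndata:\n  api.key: %s\n' "$ns" "$b64"
}

# Return 0 when no line of the overrides file sets a non-empty apiKey value,
# i.e. the key is supplied only via --set-file or an existing Secret.
overrides_has_no_api_key() {
  ! grep -Eq '^[[:space:]]*apiKey:[[:space:]]*[^[:space:]#]' "$1"
}

main() {
  WORKDIR="${WORKDIR:-$(mktemp -d)}"
  write_key_file "${CS_API_KEY:?set CS_API_KEY}" "$WORKDIR/secrets.txt"
  file_has_no_eol "$WORKDIR/secrets.txt" || { echo "secrets.txt ends with a newline" >&2; exit 1; }
  render_auth_secret "$WORKDIR/secrets.txt" trendmicro-system > "$WORKDIR/auth-secret.yaml"
  [ -f overrides.yaml ] && { overrides_has_no_api_key overrides.yaml || { echo "overrides.yaml contains an apiKey value" >&2; exit 1; }; }
  # Commands to run against the cluster (printed, not executed, so this stays offline):
  echo "kubectl apply -f $WORKDIR/auth-secret.yaml"
  echo "helm upgrade --install trendmicro -n trendmicro-system --values overrides.yaml --set useExistingSecrets=true ."
}

if [ -n "${CS_API_KEY:-}" ]; then main; fi
```

Run it as `CS_API_KEY="$(your-secret-manager get cs-api-key)" sh prepare-key.sh`; the generated secrets.txt and auth-secret.yaml live in WORKDIR and should not be committed.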

surj-bains commented 2 years ago

@holyspectral yes looks good !

surj-bains commented 2 years ago

All looking good now with the following...

---
apiVersion: external-secrets.io/v1alpha1
kind: ExternalSecret
metadata:
  name: trendmicro-container-security-auth
  namespace: security
spec:
  refreshInterval: 1m
  secretStoreRef:
    name: cluster-secrets-store
    kind: ClusterSecretStore
  target:
    name: trendmicro-container-security-auth
    template:
      metadata:

  data:
    - secretKey: api.key
      remoteRef:
        key: <secrets manager entry>

---
apiVersion: v1
kind: ConfigMap
metadata:
  name: trendmicro-container-security-outbound-tpl
  namespace: security
data:
  allProxy: ""
  password: ""
  username: ""

---
apiVersion: external-secrets.io/v1alpha1
kind: ExternalSecret
metadata:
  name: trendmicro-container-security-outbound-proxy-credentials
  namespace: security
spec:
  refreshInterval: 1m
  secretStoreRef:
    name: cluster-secrets-store
    kind: ClusterSecretStore
  target:
    name: trendmicro-container-security-outbound-proxy-credentials
    template:
      metadata:
      templateFrom:
      - configMap:
          # name of the configmap to pull in
          name: trendmicro-container-security-outbound-tpl
          # here you define the keys that should be used as template
          items:
          - key: allProxy
          - key: password
          - key: username

---
apiVersion: v1
kind: ConfigMap
metadata:
  name: trendmicro-container-security-telemetry-tpl
  namespace: security
data:
  apiKey: ""
  publicKey: ""

---
apiVersion: external-secrets.io/v1alpha1
kind: ExternalSecret
metadata:
  name: trendmicro-container-security-telemetry
  namespace: security
spec:
  refreshInterval: 1m
  secretStoreRef:
    name: cluster-secrets-store
    kind: ClusterSecretStore
  target:
    name: trendmicro-container-security-telemetry
    template:
      metadata:
      templateFrom:
      - configMap:
          # name of the configmap to pull in
          name: trendmicro-container-security-telemetry-tpl
          # here you define the keys that should be used as template
          items:
          - key: apiKey
          - key: publicKey