Closed surj-bains closed 2 years ago
Hi @surj-bains, if you want to deploy container security using the existing api key, you can use --reuse-values
as mentioned in https://github.com/trendmicro/cloudone-container-security-helm#upgrade-a-trend-micro-cloud-one-container-security-deployment
Hi @holyspectral, this doesn't resolve my issue.
This entry in the values.yaml

    ## Default value: (none)
    apiKey: <apikeyhere>

is in the clear. I want to be able to save the yaml file in a git repository, but I can't as it currently stands, as the apiKey will be visible.
@surj-bains This is a valid point. We have noted this request.
Hi @surj-bains, you can do this by supplying secrets from another file using the --set-file
flag. For example, create a secrets.txt
containing the apiKey at deployment time using any secret manager. Note that the file should not include an EOL character.
After that, you can deploy using the command below without having the apiKey in your overrides.yaml.

    helm upgrade --install trendmicro -n trendmicro-system --values overrides.yaml --set-file cloudOne.apiKey=secrets.txt .
Hi @holyspectral, what I'm after is an option in your helm chart to be able to use an existing kubernetes secret. I'm not manually running helm but applying using argocd
@surj-bains To confirm, is this something you'd like? https://github.com/holyspectral/cloudone-container-security-helm/commit/5b0503075041215e5f1be01a16ac0679123762c8 :-)
Note this is experimental and not ready for production yet.
overrides.yaml:

    cloudOne:
      endpoint: https://container.trend-us-1.cloudone.trendmicro.com
      runtimeSecurity:
        enabled: true
      exclusion:
        namespaces: [ kube-system ]
      useExistingSecrets: true

secrets.yaml:

    apiVersion: v1
    kind: Secret
    metadata:
      name: trendmicro-container-security-auth
      namespace: trendmicro-system
    type: Opaque
    data:
      api.key: <base64-encoded secret>
    ---
    apiVersion: v1
    kind: Secret
    metadata:
      name: trendmicro-container-security-outbound-proxy-credentials
      namespace: trendmicro-system
    type: Opaque
    data:
      allProxy: ""
      password: ""
      username: ""
    ---
    apiVersion: v1
    kind: Secret
    metadata:
      name: trendmicro-container-security-telemetry
      namespace: trendmicro-system
    type: Opaque
    data:
      apiKey: ""
      publicKey: ""
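Tying the two suggestions above together (the --set-file route and the useExistingSecrets route), here is an added shell example; it is not part of the thread or of the chart. It renders the trendmicro-container-security-auth Secret (name and key taken from the manifest above) from a key held in a shell variable, base64-encodes it without the trailing newline the thread warns about, and checks the result by decoding it before anything is applied. The key value is constructed for the example; the aws secretsmanager call in the comments and its secret id are placeholders for whatever secret manager you use.

```shell
#!/bin/sh
# Added example, not the chart's own tooling. Builds the Secret that the
# chart's useExistingSecrets option consumes without ever writing the
# plaintext key to a file that could end up in git.
# Requires only POSIX sh, base64, sed and tr.
set -eu

# Encode without a trailing newline. `echo "$1" | base64` would encode the
# newline too, and the agent would then present "key\n" as the API key.
b64() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# For the --set-file route: write the key with no EOL character, so
# `--set-file cloudOne.apiKey=secrets.txt` passes exactly the key.
write_key_file() {
  printf '%s' "$1" > "$2"
}

# For the useExistingSecrets route: emit the auth Secret manifest on stdout.
# $1 = API key, $2 = namespace.
render_auth_secret() {
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: trendmicro-container-security-auth
  namespace: $2
type: Opaque
data:
  api.key: $(b64 "$1")
EOF
}

# Check: pull api.key out of a manifest on stdin and decode it, so the
# operator can confirm the value (and its byte length) before applying.
decoded_api_key() {
  sed -n 's/^  api\.key: //p' | base64 -d
}

# Constructed sample value. A real deployment fetches it from a secret
# manager instead, e.g. (placeholder secret id):
#   KEY=$(aws secretsmanager get-secret-value --secret-id c1cs/api-key \
#           --query SecretString --output text)
SAMPLE_KEY='constructed-sample-key'

# Usage: render, verify, apply, then install with useExistingSecrets.
#   render_auth_secret "$KEY" trendmicro-system | kubectl apply -f -
#   helm upgrade --install trendmicro -n trendmicro-system \
#     --values overrides.yaml --set cloudOne.useExistingSecrets=true .
render_auth_secret "$SAMPLE_KEY" trendmicro-system | decoded_api_key
```

The decode step is the check worth keeping in a pipeline: if `wc -c` on the decoded value is one byte longer than the key you pasted, a newline crept in during encoding and the agent will fail to authenticate with nothing in the logs pointing at whitespace.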
@holyspectral yes looks good !
All looking good now with the following...

    ---
    apiVersion: external-secrets.io/v1alpha1
    kind: ExternalSecret
    metadata:
      name: trendmicro-container-security-auth
      namespace: security
    spec:
      refreshInterval: 1m
      secretStoreRef:
        name: cluster-secrets-store
        kind: ClusterSecretStore
      target:
        name: trendmicro-container-security-auth
        template:
          metadata:
      data:
        - secretKey: api.key
          remoteRef:
            key: <secrets manager entry>
    ---
    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: trendmicro-container-security-outbound-tpl
      namespace: security
    data:
      allProxy: ""
      password: ""
      username: ""
    ---
    apiVersion: external-secrets.io/v1alpha1
    kind: ExternalSecret
    metadata:
      name: trendmicro-container-security-outbound-proxy-credentials
      namespace: security
    spec:
      refreshInterval: 1m
      secretStoreRef:
        name: cluster-secrets-store
        kind: ClusterSecretStore
      target:
        name: trendmicro-container-security-outbound-proxy-credentials
        template:
          metadata:
          templateFrom:
            - configMap:
                # name of the configmap to pull in
                name: trendmicro-container-security-outbound-tpl
                # here you define the keys that should be used as template
                items:
                  - key: allProxy
                  - key: password
                  - key: username
    ---
    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: trendmicro-container-security-telemetry-tpl
      namespace: security
    data:
      apiKey: ""
      publicKey: ""
    ---
    apiVersion: external-secrets.io/v1alpha1
    kind: ExternalSecret
    metadata:
      name: trendmicro-container-security-telemetry
      namespace: security
    spec:
      refreshInterval: 1m
      secretStoreRef:
        name: cluster-secrets-store
        kind: ClusterSecretStore
      target:
        name: trendmicro-container-security-telemetry
        template:
          metadata:
          templateFrom:
            - configMap:
                # name of the configmap to pull in
                name: trendmicro-container-security-telemetry-tpl
                # here you define the keys that should be used as template
                items:
                  - key: apiKey
                  - key: publicKey
Hi, I wish to deploy the cloud container scanner without including the API_KEY in the clear within the yaml of the values file or override.