Allow for not rendering a Kubernetes Secret #454
Comments
|
AFAICT this could be used as a reference as to what is considered a secret: policy-reporter/pkg/config/target_factory.go Lines 803 to 906 in a21564a So only those fields should be rendered as kubernetes secrets (allowed to be provided from the outside instead of rendering it) and the rest should land in a configmap. |
reegnz
added a commit
to reegnz/policy-reporter
that referenced
this issue
Jun 14, 2024
Currently all config is in a kubernetes secret because some of the config keys the helm chart renders might be secrets. This is a problem, as a lot of people don't want to, or don't have the option to manage secrets with helm (eg. secret management is fully decoupled from helm deployments). To fix this, utilize go viper's solution that allows deep-merging multiple config file contents. This allows for splitting out the potentially sensitive keys into a separate config file, and then having viper merge them back together. The helm chart was modified so it retains backward compatibility with the `existingTargetConfig` config option. If that key exists then it is assumed that it is a kubernetes secret (as before), and the separation of config values and secrets is not performed by the chart. This PR should be able fixes kyverno#454
reegnz
added a commit
to reegnz/policy-reporter
that referenced
this issue
Jun 14, 2024
Currently all config is in a kubernetes secret because some of the config keys the helm chart renders might be secrets. This is a problem, as a lot of people don't want to, or don't have the option to manage secrets with helm (eg. secret management is fully decoupled from helm deployments). To fix this, utilize go viper's solution that allows deep-merging multiple config file contents. This allows for splitting out the potentially sensitive keys into a separate config file, and then having viper merge them back together. The helm chart was modified so it retains backward compatibility with the `existingTargetConfig` config option. If that key exists then it is assumed that it is a kubernetes secret (as before), and the separation of config values and secrets is not performed by the chart. This PR should be able fixes kyverno#454 Signed-off-by: Zoltán Reegn <zoltan.reegn@gmail.com>
|
Hey, very sorry for the late response, so would it be an simple solution for you to use the existing secretRef or mounttSecret functionality and decide if the config is applied as ConfigMap instead of secret? Your approach which multiple config filtes can have impact of users who using it without helm, and I would like to avoid breaking changes. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
At our company (and I believe other companies as well) we don't allow deploying raw Kubernetes Secrets in our CD systems with helm.
Looking at the helm chart I believe it could be restructured by splitting out the actual secrets (username and password) into kubernetes secrets, and refer to them as a mounted secret.
That way configs can be transparent, and it's also compatible with enterprise secret management practices where a separate secret handling mechanism is used to deploy secrets (be it sealedsecrets, external-secrets, vault CSI, or whatever else corporate policy dictates).
Either way I believe the rendering of Secrets should be made optional, but some configs could still be rendered.
So distinction of what's a secret and what isn't is essential in how the config is loaded.
The text was updated successfully, but these errors were encountered: