feat: use vals for secret decryption #2408
Conversation
There was a problem hiding this comment.
Thank you for this contribution :)
Leaving a couple of comments. One of our main concerns here is having all Helm values sent to an external library, perhaps we could filter values to only pre-process those bearing the known vals pattern.
We are currently assessing possible security implications of this feature.
| @@ -370,6 +373,13 @@ func preprocessHelmValues(opts *fleet.BundleDeploymentOptions, cluster *fleet.Cl | |||
| if err != nil { | |||
| return err | |||
| } | |||
| logrus.Debugf("templating completed for %v", opts.Helm.ReleaseName) | |||
| opts.Helm.Values.Data, err = processSecretValues(opts.Helm.Values.Data) | |||
There was a problem hiding this comment.
Should all Helm values be forwarded to vals? Or would we rather want to filter values based on a known pattern (eg. ref+<provider>://) and send only those to the library?
| t.Fatalf("key %s not found", testCase.Key) | ||
| } else { | ||
| if field != testCase.ExpectedValue { | ||
| t.Fatalf("key %s was not the expected value. Expected: '%s' Actual: '%s'", testCase.Key, field, testCase.ExpectedValue) |
There was a problem hiding this comment.
nit: this would also work:
| t.Fatalf("key %s was not the expected value. Expected: '%s' Actual: '%s'", testCase.Key, field, testCase.ExpectedValue) | |
| t.Fatalf("key %s does not have the expected value. Expected: %q Actual: %q", testCase.Key, field, testCase.ExpectedValue) |
| @@ -81,3 +80,6 @@ propagateDebugSettingsToAgents: true | |||
|
|
|||
| migrations: | |||
| clusterRegistrationCleanup: true | |||
|
|
|||
| ## Additional environment variables to be injected to the fleet-controller container | |||
| additionalEnvs: {} | |||
There was a problem hiding this comment.
I think I would prefer an approach similiar to how nginx handles env vars from secrets:
## @param extraEnvVarsSecret Secret with extra environment variables
##
extraEnvVarsSecret: ""
However, the secret would have to be created manually in this case. Which is not as automatic/user friendly?
Additionally we're adding extraEnvs, like Rancher, to allow users to specify non-secret env vars as helm values.
|
@weyfonk I think you raise a valid concern. I could imagine we introduce a new gotpl helper that wraps the secret ref as an argument?
|
|
@rajiteh Please feel free to reopen this PR to further discuss this. |
That's the first part, to have the credentials used to access the vals provider in a secret, which the original PR did. Second part is to keep the response from vals out of the bundledeployment options and in a secret instead. We want to avoid storing sensitive material in our CRDs. secrets. We are still discussing a possible solution in #2375. That involves creating a secret in the bundledeployment's namespace (see "cluster namespace" in docs) and allowing the downstream agent to fetch it:
We could do the same for sensitive helm values? |
Refers to #2407
Introduces the ability for the
fleet.yamlto specify vals secret strings, which then will be decrypted at bundle processing time by the fleet operator.Fleet operator deployment is responsible for configuring the appropriate environment variables for
valsto decrypt secrets using the correct backend.See #2407 for more context.