Merge pull request #34 from DelusionalOptimist/chore/auth-token-secret

chore(all-jobs): move auth token to K8s secret
accuknox · Sep 11, 2024 · c34e93c · c34e93c
2 parents aaa8ee9 + 8fb5584
commit c34e93c
Show file tree

Hide file tree

Showing 12 changed files with 87 additions and 12 deletions.
diff --git a/cis-k8s-job/templates/cis-corn-job.yaml → cis-k8s-job/templates/cis-cron-job.yaml b/cis-k8s-job/templates/cis-corn-job.yaml → cis-k8s-job/templates/cis-cron-job.yaml
@@ -18,7 +18,14 @@ spec:
             resources: {}
             env:
               - name: AUTH_TOKEN
-                value: {{ .Values.accuknox.authToken }}
+                valueFrom:
+                  secretKeyRef:
+                    key: AUTH_TOKEN
+                    {{- if (.Values.accuknox.secretName | empty) }}
+                    name: cis-k8s-job-auth-token
+                    {{- else }}
+                    name: {{ .Values.accuknox.secretName }}
+                    {{- end }}
               - name: CLUSTER_NAME
                 value: {{ .Values.accuknox.clusterName }}
               - name: LABEL_NAME

diff --git a/cis-k8s-job/templates/cis-job.yaml b/cis-k8s-job/templates/cis-job.yaml
@@ -18,7 +18,14 @@ spec:
         resources: {}
         env:
           - name: AUTH_TOKEN
-            value: {{ .Values.accuknox.authToken }}
+            valueFrom:
+              secretKeyRef:
+                key: AUTH_TOKEN
+                {{- if (.Values.accuknox.secretName | empty) }}
+                name: cis-k8s-job-auth-token
+                {{- else }}
+                name: {{ .Values.accuknox.secretName }}
+                {{- end }}
           - name: CLUSTER_NAME
             value: {{ .Values.accuknox.clusterName }}
           - name: LABEL_NAME
@@ -110,4 +117,4 @@ spec:
           name: etc-cni-netd
         - hostPath:
             path: /opt/cni/bin/
-          name: opt-cni-bin
+          name: opt-cni-bin
diff --git a/cis-k8s-job/templates/secret.yaml b/cis-k8s-job/templates/secret.yaml
@@ -0,0 +1,10 @@
+{{- if (.Values.accuknox.secretName | empty) }}
+# if user didn't specify a secretName, use the default
+apiVersion: v1
+kind: Secret
+metadata:
+  name: cis-k8s-job-auth-token
+  namespace: {{ .Release.Namespace }}
+data:
+  AUTH_TOKEN: {{ .Values.accuknox.authToken | b64enc }}
+{{- end }}
diff --git a/cis-k8s-job/values.yaml b/cis-k8s-job/values.yaml
@@ -10,3 +10,4 @@ accuknox:
   clusterId: ""
   tenantId: ""
   url: "cspm.demo.accuknox.com"
+  secretName: ""
diff --git a/k8tls-job/templates/k8tls-cronjob.yaml b/k8tls-job/templates/k8tls-cronjob.yaml
@@ -46,12 +46,19 @@ spec:
             name: k8tls-job
             resources: {}
             env:
+              - name: AUTH_TOKEN
+                valueFrom:
+                  secretKeyRef:
+                    key: AUTH_TOKEN
+                    {{- if (.Values.accuknox.secretName | empty) }}
+                    name: k8tls-job-auth-token
+                    {{- else }}
+                    name: {{ .Values.accuknox.secretName }}
+                    {{- end }}
               - name: URL
                 value: {{ .Values.accuknox.URL }}
               - name: TENANT_ID
                 value: {{ .Values.accuknox.tenantID | quote }}
-              - name: AUTH_TOKEN
-                value: {{ .Values.accuknox.authToken }}
               - name: CLUSTER_NAME
                 value: {{ if ne .Values.accuknox.clusterName "" }}{{ .Values.accuknox.clusterName }}{{ else }}{{ "default" }}{{ end }}
               - name: LABEL_NAME

diff --git a/k8tls-job/templates/k8tls-job.yaml b/k8tls-job/templates/k8tls-job.yaml
@@ -16,12 +16,19 @@ spec:
         name: k8tls-job
         resources: {}
         env:
+          - name: AUTH_TOKEN
+            valueFrom:
+              secretKeyRef:
+                key: AUTH_TOKEN
+                {{- if (.Values.accuknox.secretName | empty) }}
+                name: k8tls-job-auth-token
+                {{- else }}
+                name: {{ .Values.accuknox.secretName }}
+                {{- end }}
           - name: URL
             value: {{ .Values.accuknox.URL }}
           - name: TENANT_ID
             value: {{ .Values.accuknox.tenantID | quote }}
-          - name: AUTH_TOKEN
-            value: {{ .Values.accuknox.authToken }}
           - name: CLUSTER_NAME
             value: {{ if ne .Values.accuknox.clusterName "" }}{{ .Values.accuknox.clusterName }}{{ else }}{{ "default" }}{{ end }}
           - name: LABEL_NAME

diff --git a/k8tls-job/templates/secret.yaml b/k8tls-job/templates/secret.yaml
@@ -0,0 +1,10 @@
+{{- if (.Values.accuknox.secretName | empty) }}
+# if user didn't specify a secretName, use the default
+apiVersion: v1
+kind: Secret
+metadata:
+  name: k8tls-job-auth-token
+  namespace: {{ .Release.Namespace }}
+data:
+  AUTH_TOKEN: {{ .Values.accuknox.authToken | b64enc }}
+{{- end }}
diff --git a/k8tls-job/values.yaml b/k8tls-job/values.yaml
@@ -9,3 +9,4 @@ accuknox:
   clusterName: ""
   label: ""
   URL: "cspm.demo.accuknox.com"
+  secretName: ""
diff --git a/kiem-job/templates/deployment.yaml b/kiem-job/templates/deployment.yaml
@@ -30,12 +30,19 @@ spec:
               name: accuknox-kiem-cronjob
               resources: {}
               env:
+                - name: AUTH_TOKEN
+                  valueFrom:
+                    secretKeyRef:
+                      key: AUTH_TOKEN
+                      {{- if (.Values.accuknox.secretName | empty) }}
+                      name: kiem-job-auth-token
+                      {{- else }}
+                      name: {{ .Values.accuknox.secretName }}
+                      {{- end }}
                 - name: URL
                   value: {{ .Values.accuknox.URL }}
                 - name: TENANT_ID
                   value: {{ .Values.accuknox.tenantID | quote }}
-                - name: AUTH_TOKEN
-                  value: {{ .Values.accuknox.authToken }}
                 - name: CLUSTER_NAME
                   value: {{ .Values.accuknox.clusterName }}
                 - name: LABEL_NAME

diff --git a/kiem-job/templates/job.yaml b/kiem-job/templates/job.yaml
@@ -25,12 +25,19 @@ spec:
           name: accuknox-kiem-job
           resources: {}
           env:
+            - name: AUTH_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  key: AUTH_TOKEN
+                  {{- if (.Values.accuknox.secretName | empty) }}
+                  name: kiem-job-auth-token
+                  {{- else }}
+                  name: {{ .Values.accuknox.secretName }}
+                  {{- end }}
             - name: URL
               value: {{ .Values.accuknox.URL }}
             - name: TENANT_ID
               value: {{ .Values.accuknox.tenantID | quote }}
-            - name: AUTH_TOKEN
-              value: {{ .Values.accuknox.authToken }}
             - name: CLUSTER_NAME
               value: {{ .Values.accuknox.clusterName }}
             - name: LABEL_NAME
@@ -42,4 +49,4 @@ spec:
         - name: datapath
           emptyDir: {}
       restartPolicy: OnFailure
-      serviceAccount: kiem-service-account
+      serviceAccount: kiem-service-account
diff --git a/kiem-job/templates/secret.yaml b/kiem-job/templates/secret.yaml
@@ -0,0 +1,10 @@
+{{- if (.Values.accuknox.secretName | empty) }}
+# if user didn't specify a secretName, use the default
+apiVersion: v1
+kind: Secret
+metadata:
+  name: kiem-job-auth-token
+  namespace: {{ .Release.Namespace }}
+data:
+  AUTH_TOKEN: {{ .Values.accuknox.authToken | b64enc }}
+{{- end }}
diff --git a/kiem-job/values.yaml b/kiem-job/values.yaml
@@ -11,3 +11,4 @@ accuknox:
   cronTab: "30 9 * * *"
   clusterName: ""
   label: ""
+  secretName: ""