From 23ce559ba9d6da1e1bfa322737f59d9b1c03a9c2 Mon Sep 17 00:00:00 2001 From: Rudraksh Pareek Date: Tue, 27 Aug 2024 10:31:47 +0530 Subject: [PATCH 1/3] chore(CIS): move auth token to K8s secret Signed-off-by: Rudraksh Pareek --- .../{cis-corn-job.yaml => cis-cron-job.yaml} | 9 ++++++++- cis-k8s-job/templates/cis-job.yaml | 11 +++++++++-- cis-k8s-job/templates/secret.yaml | 10 ++++++++++ cis-k8s-job/values.yaml | 1 + 4 files changed, 28 insertions(+), 3 deletions(-) rename cis-k8s-job/templates/{cis-corn-job.yaml => cis-cron-job.yaml} (92%) create mode 100644 cis-k8s-job/templates/secret.yaml diff --git a/cis-k8s-job/templates/cis-corn-job.yaml b/cis-k8s-job/templates/cis-cron-job.yaml similarity index 92% rename from cis-k8s-job/templates/cis-corn-job.yaml rename to cis-k8s-job/templates/cis-cron-job.yaml index 7faa87d..559ed67 100644 --- a/cis-k8s-job/templates/cis-corn-job.yaml +++ b/cis-k8s-job/templates/cis-cron-job.yaml @@ -18,7 +18,14 @@ spec: resources: {} env: - name: AUTH_TOKEN - value: {{ .Values.accuknox.authToken }} + valueFrom: + secretKeyRef: + key: AUTH_TOKEN + {{- if (.Values.accuknox.secretName | empty) }} + name: cis-k8s-job-auth-token + {{- else }} + name: {{ .Values.accuknox.secretName }} + {{- end }} - name: CLUSTER_NAME value: {{ .Values.accuknox.clusterName }} - name: LABEL_NAME diff --git a/cis-k8s-job/templates/cis-job.yaml b/cis-k8s-job/templates/cis-job.yaml index 54edf0d..e2a4a27 100644 --- a/cis-k8s-job/templates/cis-job.yaml +++ b/cis-k8s-job/templates/cis-job.yaml @@ -18,7 +18,14 @@ spec: resources: {} env: - name: AUTH_TOKEN - value: {{ .Values.accuknox.authToken }} + valueFrom: + secretKeyRef: + key: AUTH_TOKEN + {{- if (.Values.accuknox.secretName | empty) }} + name: cis-k8s-job-auth-token + {{- else }} + name: {{ .Values.accuknox.secretName }} + {{- end }} - name: CLUSTER_NAME value: {{ .Values.accuknox.clusterName }} - name: LABEL_NAME 
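Review bot: The `name:` under `secretKeyRef` in cis-cron-job.yaml is rendered unquoted in the user-supplied branch (`name: {{ .Values.accuknox.secretName }}`), and the default is chosen by a five-line if/else that is copied verbatim into cis-job.yaml and into the k8tls-job and kiem-job templates later in this series. A single line gives the same result and protects against a value that YAML would retype: `name: {{ .Values.accuknox.secretName | default "cis-k8s-job-auth-token" | quote }}`. The literal default has to stay in step with `metadata.name` in templates/secret.yaml, so a shared named template would be safer still if the chart has a helpers file (not visible here). The `env:` list continues outside the hunk.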
@@ -110,4 +117,4 @@ spec: name: etc-cni-netd - hostPath: path: /opt/cni/bin/ - name: opt-cni-bin \ No newline at end of file + name: opt-cni-bin diff --git a/cis-k8s-job/templates/secret.yaml b/cis-k8s-job/templates/secret.yaml new file mode 100644 index 0000000..93e9bb5 --- /dev/null +++ b/cis-k8s-job/templates/secret.yaml @@ -0,0 +1,10 @@ +{{- if (.Values.accuknox.secretName | empty) }} +# if user didn't specify a secretName, use the default +apiVersion: v1 +kind: Secret +metadata: + name: cis-k8s-job-auth-token + namespace: {{ .Release.Namespace }} +data: + AUTH_TOKEN: {{ .Values.accuknox.authToken | b64enc }} +{{- end }} diff --git a/cis-k8s-job/values.yaml b/cis-k8s-job/values.yaml index 032aa18..b23112d 100644 --- a/cis-k8s-job/values.yaml +++ b/cis-k8s-job/values.yaml @@ -10,3 +10,4 @@ accuknox: clusterId: "" tenantId: "" url: "cspm.demo.accuknox.com" + secretName: "" From 19edd102445f658628207d7378525a0a27086447 Mon Sep 17 00:00:00 2001 From: Rudraksh Pareek Date: Tue, 27 Aug 2024 10:36:44 +0530 Subject: [PATCH 2/3] chore(K8TLS): move auth token to K8s secret Signed-off-by: Rudraksh Pareek --- k8tls-job/templates/k8tls-cronjob.yaml | 11 +++++++++-- k8tls-job/templates/k8tls-job.yaml | 11 +++++++++-- k8tls-job/templates/secret.yaml | 10 ++++++++++ k8tls-job/values.yaml | 1 + 4 files changed, 29 insertions(+), 4 deletions(-) create mode 100644 k8tls-job/templates/secret.yaml diff --git a/k8tls-job/templates/k8tls-cronjob.yaml b/k8tls-job/templates/k8tls-cronjob.yaml index 951c54d..24546a5 100644 --- a/k8tls-job/templates/k8tls-cronjob.yaml +++ b/k8tls-job/templates/k8tls-cronjob.yaml 
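Review bot: In cis-k8s-job/templates/secret.yaml, `AUTH_TOKEN: {{ .Values.accuknox.authToken | b64enc }}` accepts an empty token, so when both `secretName` and `authToken` are left empty the chart installs a Secret with an empty value and the problem presumably only surfaces when the job tries to authenticate. Failing at render time is clearer: `AUTH_TOKEN: {{ required "set accuknox.authToken or accuknox.secretName" .Values.accuknox.authToken | b64enc | quote }}`. The same line is added in k8tls-job/templates/secret.yaml and kiem-job/templates/secret.yaml. A token supplied through values is also still kept in Helm's stored release data, so only the `secretName` path with a pre-created Secret keeps it out of Helm-managed state; that is worth stating in the chart documentation. The Secret name is fixed rather than derived from the release name, so a second release of the chart in the same namespace would target the same object.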
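Review bot: The new `secretName: ""` key in cis-k8s-job/values.yaml carries no comment, although the templates only work if the referenced Secret exists in the same namespace as the job and holds the key `AUTH_TOKEN`. I would add a comment above it such as `# Name of an existing Secret (same namespace) with key AUTH_TOKEN; leave empty to have the chart create one from authToken`. The same undocumented key is added to k8tls-job/values.yaml and kiem-job/values.yaml.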
@@ -46,12 +46,19 @@ spec: name: k8tls-job resources: {} env: + - name: AUTH_TOKEN + valueFrom: + secretKeyRef: + key: AUTH_TOKEN + {{- if (.Values.accuknox.secretName | empty) }} + name: k8tls-job-auth-token + {{- else }} + name: {{ .Values.accuknox.secretName }} + {{- end }} - name: URL value: {{ .Values.accuknox.URL }} - name: TENANT_ID value: {{ .Values.accuknox.tenantID | quote }} - - name: AUTH_TOKEN - value: {{ .Values.accuknox.authToken }} - name: CLUSTER_NAME value: {{ if ne .Values.accuknox.clusterName "" }}{{ .Values.accuknox.clusterName }}{{ else }}{{ "default" }}{{ end }} - name: LABEL_NAME diff --git a/k8tls-job/templates/k8tls-job.yaml b/k8tls-job/templates/k8tls-job.yaml index 3018a0a..ca52785 100644 --- a/k8tls-job/templates/k8tls-job.yaml +++ b/k8tls-job/templates/k8tls-job.yaml @@ -16,12 +16,19 @@ spec: name: k8tls-job resources: {} env: + - name: AUTH_TOKEN + valueFrom: + secretKeyRef: + key: AUTH_TOKEN + {{- if (.Values.accuknox.secretName | empty) }} + name: k8tls-job-auth-token + {{- else }} + name: {{ .Values.accuknox.secretName }} + {{- end }} - name: URL value: {{ .Values.accuknox.URL }} - name: TENANT_ID value: {{ .Values.accuknox.tenantID | quote }} - - name: AUTH_TOKEN - value: {{ .Values.accuknox.authToken }} - name: CLUSTER_NAME value: {{ if ne .Values.accuknox.clusterName "" }}{{ .Values.accuknox.clusterName }}{{ else }}{{ "default" }}{{ end }} - name: LABEL_NAME diff --git a/k8tls-job/templates/secret.yaml b/k8tls-job/templates/secret.yaml new file mode 100644 index 0000000..4dc3645 --- /dev/null +++ b/k8tls-job/templates/secret.yaml @@ -0,0 +1,10 @@ +{{- if (.Values.accuknox.secretName | empty) }} +# if user didn't specify a secretName, use the default +apiVersion: v1 +kind: Secret +metadata: + name: k8tls-job-auth-token + namespace: {{ .Release.Namespace }} +data: + AUTH_TOKEN: {{ .Values.accuknox.authToken | b64enc }} +{{- end }} diff --git a/k8tls-job/values.yaml b/k8tls-job/values.yaml index 720722e..508e9d5 100644 
--- a/k8tls-job/values.yaml +++ b/k8tls-job/values.yaml @@ -9,3 +9,4 @@ accuknox: clusterName: "" label: "" URL: "cspm.demo.accuknox.com" + secretName: "" From 8fb5584fca0a7f7218b1786481c590d7ab7e968e Mon Sep 17 00:00:00 2001 From: Rudraksh Pareek Date: Tue, 27 Aug 2024 10:41:38 +0530 Subject: [PATCH 3/3] chore(KIEM): move auth token to K8s secret Signed-off-by: Rudraksh Pareek --- kiem-job/templates/deployment.yaml | 11 +++++++++-- kiem-job/templates/job.yaml | 13 ++++++++++--- kiem-job/templates/secret.yaml | 10 ++++++++++ kiem-job/values.yaml | 1 + 4 files changed, 30 insertions(+), 5 deletions(-) create mode 100644 kiem-job/templates/secret.yaml diff --git a/kiem-job/templates/deployment.yaml b/kiem-job/templates/deployment.yaml index 0737708..c54fa50 100644 --- a/kiem-job/templates/deployment.yaml +++ b/kiem-job/templates/deployment.yaml @@ -30,12 +30,19 @@ spec: name: accuknox-kiem-cronjob resources: {} env: + - name: AUTH_TOKEN + valueFrom: + secretKeyRef: + key: AUTH_TOKEN + {{- if (.Values.accuknox.secretName | empty) }} + name: kiem-job-auth-token + {{- else }} + name: {{ .Values.accuknox.secretName }} + {{- end }} - name: URL value: {{ .Values.accuknox.URL }} - name: TENANT_ID value: {{ .Values.accuknox.tenantID | quote }} - - name: AUTH_TOKEN - value: {{ .Values.accuknox.authToken }} - name: CLUSTER_NAME value: {{ .Values.accuknox.clusterName }} - name: LABEL_NAME diff --git a/kiem-job/templates/job.yaml b/kiem-job/templates/job.yaml index 19906ac..99407ff 100644 --- a/kiem-job/templates/job.yaml +++ b/kiem-job/templates/job.yaml 
@@ -25,12 +25,19 @@ spec: name: accuknox-kiem-job resources: {} env: + - name: AUTH_TOKEN + valueFrom: + secretKeyRef: + key: AUTH_TOKEN + {{- if (.Values.accuknox.secretName | empty) }} + name: kiem-job-auth-token + {{- else }} + name: {{ .Values.accuknox.secretName }} + {{- end }} - name: URL value: {{ .Values.accuknox.URL }} - name: TENANT_ID value: {{ .Values.accuknox.tenantID | quote }} - - name: AUTH_TOKEN - value: {{ .Values.accuknox.authToken }} - name: CLUSTER_NAME value: {{ .Values.accuknox.clusterName }} - name: LABEL_NAME @@ -42,4 +49,4 @@ spec: - name: datapath emptyDir: {} restartPolicy: OnFailure - serviceAccount: kiem-service-account \ No newline at end of file + serviceAccount: kiem-service-account diff --git a/kiem-job/templates/secret.yaml b/kiem-job/templates/secret.yaml new file mode 100644 index 0000000..9ab9681 --- /dev/null +++ b/kiem-job/templates/secret.yaml @@ -0,0 +1,10 @@ +{{- if (.Values.accuknox.secretName | empty) }} +# if user didn't specify a secretName, use the default +apiVersion: v1 +kind: Secret +metadata: + name: kiem-job-auth-token + namespace: {{ .Release.Namespace }} +data: + AUTH_TOKEN: {{ .Values.accuknox.authToken | b64enc }} +{{- end }} diff --git a/kiem-job/values.yaml b/kiem-job/values.yaml index e979326..72bf6d1 100644 --- a/kiem-job/values.yaml +++ b/kiem-job/values.yaml @@ -11,3 +11,4 @@ accuknox: cronTab: "30 9 * * *" clusterName: "" label: "" + secretName: ""