chore: revert secret management doc
adityathebe committed Oct 2, 2024
1 parent b7d98bb commit ac7aee7
Showing 1 changed file with 91 additions and 10 deletions.
101 changes: 91 additions & 10 deletions canary-checker/docs/concepts/secret-management.md
Expand Up @@ -21,8 +21,20 @@ Avoid inlining secrets, use `valueFrom` and <CommonLink to="authentication">EnvV

Using a HTTP health check as an example for static values:

```yaml title="http-basic-auth.yaml" file=../../../modules/canary-checker/fixtures/minimal/http_auth_static_pass.yaml

```yaml title="http-basic-auth-static.yaml"
apiVersion: canaries.flanksource.com/v1
kind: Canary
metadata:
name: http-basic-auth
spec:
http:
- url: https://httpbin.org/basic-auth/hello/world
responseCodes: [200]
authentication:
username:
value: hello
password:
value: world
```
## Configmaps
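Review bot: The inlined static example carries the password in the manifest as `password:` / `value: world`, directly below the context line that tells readers to avoid inlining secrets and use `valueFrom`. Add a sentence beside this block saying that static `value` is for demonstration only. Replacing the `file=.../http_auth_static_pass.yaml` reference with a pasted copy also means the doc can drift from the fixture, and the commit message gives no reason for the revert; please state it there.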
Expand All @@ -33,8 +45,26 @@ To use a configmap, we first need to create the configmap:
kubectl create configmap basic-auth --from-literal=user=hello --from-literal=pass=world -n default
```

```yaml title="http-basic-auth.yaml" file=../../../modules/canary-checker/fixtures/minimal/http_auth_from_config_map.yaml

```yaml title="http-basic-auth-configmap.yaml"
apiVersion: canaries.flanksource.com/v1
kind: Canary
metadata:
name: http-basic-auth-configmap
spec:
http:
- url: https://httpbin.org/basic-auth/hello/world
responseCodes: [200]
authentication:
username:
valueFrom:
configMapKeyRef:
name: basic-auth
key: user
password:
valueFrom:
configMapKeyRef:
name: basic-auth
key: pass
```
## Secrets
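Review bot: `password.valueFrom.configMapKeyRef` reads the password from a ConfigMap, and the `kubectl create configmap basic-auth ... --from-literal=pass=world` context line stores it there; ConfigMaps are not intended for confidential data. Suggest keeping the ConfigMap reference for the non-sensitive `user` key only and pointing readers to the Secrets section for the password, or adding a line under this block that says so.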
Expand All @@ -45,8 +75,24 @@ To use a secret, first we create the secret:
kubectl create secret generic basic-auth --from-literal=user=hello --from-literal=pass=world -n default
```

```yaml title="http-basic-auth.yaml" file=../../../modules/canary-checker/fixtures/minimal/http_auth_from_secret.yaml

```yaml title="http-basic-auth-secret.yaml"
apiVersion: canaries.flanksource.com/v1
kind: Canary
metadata:
name: http-basic-auth-configmap
spec:
http:
- url: https://httpbin.demo.aws.flanksource.com/basic-auth/hello/world
username:
valueFrom:
secretKeyRef:
name: basic-auth
key: user
password:
valueFrom:
secretKeyRef:
name: basic-auth
key: pass
```
## Helm Values
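Review bot: The Secrets example places `username` and `password` directly under the `http` entry with no `authentication:` key, unlike the static and ConfigMap examples in this same file, and its `metadata.name` is `http-basic-auth-configmap`, which looks copied from the ConfigMap example. Suggest nesting both fields under `authentication:`, renaming the resource (for example `http-basic-auth-secret`, matching the block title), and adding `responseCodes: [200]` so the three examples stay parallel. The URL host also differs from the other two (`httpbin.demo.aws.flanksource.com` versus `httpbin.org`); worth confirming that is intended.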
Expand All @@ -57,15 +103,50 @@ To use a secret, first we deploy a helm chart
helm install podinfo podinfo/podinfo -n podinfo --set ingress.enabled=true
```

```yaml title="http-from-helm.yaml" file=../../../modules/canary-checker/fixtures/minimal/http_auth_from_helm_ref.yaml

```yaml title="http-from-helm.yaml"
apiVersion: canaries.flanksource.com/v1
kind: Canary
metadata:
name: http-from-helm
spec:
http:
- env:
- name: url
valueFrom:
helmRef:
name: podinfo
key: .ingress.hosts[0].host

url: $(url)
```
## Service Accounts
Checks can use service accounts for authentication with external services that have existing trust established
```yaml title="http-service-accounts.yaml" file=../../../modules/canary-checker/fixtures/minimal/http_auth_from_service_account.yaml
```yaml title="http-service-accounts.yaml"
apiVersion: canaries.flanksource.com/v1
kind: Canary
metadata:
name: http-basic-auth-configmap
spec:
http:

interval: 30
http:
- name: vault-example-sre
description: "HashiCorp Vault functionality check."
url: https://vault.example/v1/auth/kubernetes/login
env:
- name: TOKEN
valueFrom:
serviceAccount: default-account
templateBody: true
body: |
{
"jwt": "$(TOKEN)",
"role": "example-role"
}
```
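Review bot: In the service account example `http:` appears twice under `spec`, once empty before `interval: 30` and again before the `vault-example-sre` check; duplicate mapping keys are rejected by strict YAML parsers and silently resolved by others, so drop the first one. `metadata.name` is again `http-basic-auth-configmap`, which is misleading for a Vault login check and collides with the earlier examples if a reader applies them in the same namespace; something like `http-service-account` would be clearer. The section header context for Helm Values still reads "To use a secret, first we deploy a helm chart", which should say helm value rather than secret.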
Expand Down Expand Up @@ -113,4 +194,4 @@ You may consider the following for your encryption and security needs:
- [Bitnami Sealed Secrets](https://www.youtube.com/watch?v=xd2QoV6GJlc&ab_channel=DevOpsToolkit)
- [KSOPS](https://blog.oddbit.com/post/2021-03-09-getting-started-with-ksops/)
- [Enable Encryption at Rest](https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/)
- [Enable or configure RBAC rules](https://kubernetes.io/docs/reference/access-authn-authz/authorization/)
- [Enable or configure RBAC rules](https://kubernetes.io/docs/reference/access-authn-authz/authorization/)
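Review bot: The removed and added final lines are textually identical as shown, so this hunk appears to be an end-of-file newline change only; fine to keep, but it is unrelated to the revert and is worth a mention in the commit message. While this list is being touched, the "Enable or configure RBAC rules" link targets the general authorization overview (`/authorization/`) rather than the RBAC reference page; consider linking to the RBAC page directly.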
