diff --git a/charts/shield/Chart.yaml b/charts/shield/Chart.yaml
index 49221b8d9..b5609f866 100644
--- a/charts/shield/Chart.yaml
+++ b/charts/shield/Chart.yaml
@@ -13,5 +13,5 @@ maintainers:
 - name: mavimo
 email: marcovito.moscaritolo@sysdig.com
 type: application
-version: 1.37.1
+version: 1.37.2
 appVersion: "1.0.0"
diff --git a/charts/shield/README.md b/charts/shield/README.md
index e157a66d0..f74ce36ed 100644
--- a/charts/shield/README.md
+++ b/charts/shield/README.md
@@ -73,10 +73,10 @@ The following table lists the configurable parameters of the `shield` chart and
 | sysdig_endpoint.api_url | The URL of the Sysdig Secure API (required only when region is custom) | |
 | sysdig_endpoint.collector.host | The hostname of the Sysdig Secure collector (required only when region is custom) | |
 | sysdig_endpoint.collector.port | The port of the Sysdig Secure collector (required only when region is custom) | |
-| sysdig_endpoint.access_key | The access key for the Sysdig Secure instance | |
-| sysdig_endpoint.access_key_existing_secret | The access key for the Sysdig Secure instance (existing secret) | |
-| sysdig_endpoint.secure_api_token | The API token for the Sysdig Secure instance | |
-| sysdig_endpoint.secure_api_token_existing_secret | The API token for the Sysdig Secure instance (existing secret) | |
+| sysdig_endpoint.access_key | The access key for the Sysdig Secure instance. ⚠️ Inline credentials persist in Helm release metadata as base64 plaintext; prefer `access_key_existing_secret` for production deployments. | |
+| sysdig_endpoint.access_key_existing_secret | Name of a pre-existing Secret with the `access-key` key. When set, the chart skips generating its own Secret and the inline access_key value is ignored. RECOMMENDED for production deployments. | |
+| sysdig_endpoint.secure_api_token | The API token for the Sysdig Secure instance. ⚠️ Same trade-off as `access_key` — prefer `secure_api_token_existing_secret` for production deployments. | |
+| sysdig_endpoint.secure_api_token_existing_secret | Name of a pre-existing Secret with the `SECURE_API_TOKEN` key. When set, the chart skips generating its own Secret and the inline secure_api_token value is ignored. RECOMMENDED for production deployments. | |
 | features.admission_control.enabled | Enable the admission control feature | false |
 | features.admission_control.failure_policy | The policy to apply when a request is denied | Ignore |
 | features.admission_control.dry_run | Enable the dry run mode | true |
diff --git a/charts/shield/templates/NOTES.txt b/charts/shield/templates/NOTES.txt
index 0082f0a2d..1a89de544 100644
--- a/charts/shield/templates/NOTES.txt
+++ b/charts/shield/templates/NOTES.txt
@@ -13,3 +13,30 @@ Host Labels
 
 Host Selector Labels
 {{ include "host.selector_labels" . }}
+
+{{- if or (and .Values.sysdig_endpoint.access_key (not .Values.sysdig_endpoint.access_key_existing_secret)) (and .Values.sysdig_endpoint.secure_api_token (not .Values.sysdig_endpoint.secure_api_token_existing_secret)) }}
+
+⚠️ SECURITY NOTICE: Sysdig credentials were supplied inline via values.
+
+{{- if and .Values.sysdig_endpoint.access_key (not .Values.sysdig_endpoint.access_key_existing_secret) }}
+ - sysdig_endpoint.access_key
+{{- end }}
+{{- if and .Values.sysdig_endpoint.secure_api_token (not .Values.sysdig_endpoint.secure_api_token_existing_secret) }}
+ - sysdig_endpoint.secure_api_token
+{{- end }}
+
+These values are persisted by Helm in its release storage
+(`sh.helm.release.v1.{{ .Release.Name }}.v` Secret in `{{ .Release.Namespace }}`)
+as base64-encoded plaintext. Anyone with get/list access to that Secret
+— or to the output of `helm get values`, `helm get manifest`, or any
+GitOps tool that snapshots rendered manifests — can recover them.
+
+For sensitive environments, pre-create a Secret (e.g. via Vault, External
+Secrets, SOPS, or sealed-secrets) and reference it instead:
+
+ sysdig_endpoint:
+ access_key_existing_secret: my-access-key-secret
+ secure_api_token_existing_secret: my-api-token-secret
+
+See https://github.com/sysdiglabs/charts/issues/2622 for context.
+{{- end }}
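Review bot: The Secret name the notice prints, `sh.helm.release.v1.{{ .Release.Name }}.v`, stops short of the revision suffix that Helm actually appends to its release records, so a reader copying it will not find the object; `.v{{ .Release.Revision }}` prints the real name (unless the source had an angle-bracket placeholder after `.v` that this view dropped — then a literal such as `<revision>` is what readers see and the point still stands). One sentence is also missing from the remediation paragraph: Helm retains earlier revisions, so switching to the `*_existing_secret` keys later does not remove the inline values from the older per-revision release Secrets until the history is pruned (`helm history`, `--history-max`). As a point of style, each inline-credential condition is spelled out twice (once inside the outer `or`, once in the inner `if`); binding them once, e.g. `{{- $inlineAccessKey := and .Values.sysdig_endpoint.access_key (not .Values.sysdig_endpoint.access_key_existing_secret) }}` and likewise for the token, keeps the three tests from drifting apart. The notice correctly names only the value keys and never echoes the credential itself, which is the right behaviour to preserve.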
diff --git a/charts/shield/tests/common/notes_credentials_warning_test.yaml b/charts/shield/tests/common/notes_credentials_warning_test.yaml
new file mode 100644
index 000000000..e0ad00b07
--- /dev/null
+++ b/charts/shield/tests/common/notes_credentials_warning_test.yaml
@@ -0,0 +1,97 @@
+suite: Common - NOTES.txt credentials warning
+templates:
+ - templates/NOTES.txt
+release:
+ name: release-name
+ namespace: shield-namespace
+tests:
+ - it: Emits the security notice when access_key is supplied inline
+ set:
+ cluster_config:
+ name: test-cluster
+ sysdig_endpoint:
+ region: custom
+ api_url: https://www.example.com
+ collector:
+ host: example.com
+ port: 6443
+ access_key: "fake-access-key"
+ asserts:
+ - matchRegexRaw:
+ pattern: "SECURITY NOTICE"
+ - matchRegexRaw:
+ pattern: "sysdig_endpoint\\.access_key"
+
+ - it: Emits the security notice when secure_api_token is supplied inline (with access_key via existing secret)
+ set:
+ cluster_config:
+ name: test-cluster
+ sysdig_endpoint:
+ region: custom
+ api_url: https://www.example.com
+ collector:
+ host: example.com
+ port: 6443
+ access_key_existing_secret: external-access-key
+ secure_api_token: "fake-token"
+ asserts:
+ - matchRegexRaw:
+ pattern: "SECURITY NOTICE"
+ - matchRegexRaw:
+ pattern: "sysdig_endpoint\\.secure_api_token"
+ - notMatchRegexRaw:
+ pattern: "- sysdig_endpoint\\.access_key"
+
+ - it: Lists both keys when both are supplied inline
+ set:
+ cluster_config:
+ name: test-cluster
+ sysdig_endpoint:
+ region: custom
+ api_url: https://www.example.com
+ collector:
+ host: example.com
+ port: 6443
+ access_key: "fake-access-key"
+ secure_api_token: "fake-token"
+ asserts:
+ - matchRegexRaw:
+ pattern: "sysdig_endpoint\\.access_key"
+ - matchRegexRaw:
+ pattern: "sysdig_endpoint\\.secure_api_token"
+
+ - it: Suppresses the notice when access_key uses existing_secret reference
+ set:
+ cluster_config:
+ name: test-cluster
+ sysdig_endpoint:
+ region: custom
+ api_url: https://www.example.com
+ collector:
+ host: example.com
+ port: 6443
+ access_key_existing_secret: external-access-key
+ secure_api_token_existing_secret: external-api-token
+ asserts:
+ - notMatchRegexRaw:
+ pattern: "SECURITY NOTICE"
+
+ - it: Mentions only access_key bullet when access_key is inline and secure_api_token is existing_secret
+ set:
+ cluster_config:
+ name: test-cluster
+ sysdig_endpoint:
+ region: custom
+ api_url: https://www.example.com
+ collector:
+ host: example.com
+ port: 6443
+ access_key: "fake-access-key"
+ secure_api_token_existing_secret: external-api-token
+ asserts:
+ - matchRegexRaw:
+ pattern: "SECURITY NOTICE"
+ - matchRegexRaw:
+ pattern: "- sysdig_endpoint\\.access_key"
+ - notMatchRegexRaw:
+ pattern: "- sysdig_endpoint\\.secure_api_token"
diff --git a/charts/shield/values.yaml b/charts/shield/values.yaml
index b51203d0b..26923e423 100644
--- a/charts/shield/values.yaml
+++ b/charts/shield/values.yaml
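Review bot: No test sets an inline credential and its `*_existing_secret` counterpart for the same key, so the `not …_existing_secret` half of the template condition is never the deciding factor: in the "Suppresses the notice" case neither inline value is present, and in the second case `access_key_existing_secret` is set while `access_key` is empty, so the bullet would be absent even if the `not` clause were dropped. The precedence the README and values.yaml now promise ("the inline value is ignored") deserves its own case, as below. Separately, the "Lists both keys" case matches `sysdig_endpoint\.access_key` without the `- ` bullet prefix the last case uses; anchoring all bullet assertions the same way (`"- sysdig_endpoint\\.access_key"`) keeps them from matching incidental mentions of the key name elsewhere in the notice.

```yaml
  # … unchanged: existing test cases …

  - it: Suppresses the notice when an inline access_key is shadowed by access_key_existing_secret
    set:
      cluster_config:
        name: test-cluster
      sysdig_endpoint:
        region: custom
        api_url: https://www.example.com
        collector:
          host: example.com
          port: 6443
        access_key: "fake-access-key"
        access_key_existing_secret: external-access-key
        secure_api_token_existing_secret: external-api-token
    asserts:
      - notMatchRegexRaw:
          pattern: "SECURITY NOTICE"
```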
@@ -20,13 +20,25 @@ sysdig_endpoint:
 host:
 # The port of the Sysdig Secure collector (required only when region is custom)
 port:
-# The access key for the Sysdig Secure instance
+# The access key for the Sysdig Secure instance.
+# ⚠️ Supplying credentials inline here persists them in Helm release
+# metadata (sh.helm.release.v1..v Secret) as base64
+# plaintext, and exposes them through `helm get values` / GitOps
+# snapshots. For sensitive environments, prefer pre-creating a Secret
+# out-of-band and using `access_key_existing_secret` below.
 access_key:
-# The access key for the Sysdig Secure instance (existing secret)
+# Name of a pre-existing Secret with the `access-key` key. When set,
+# the chart skips generating its own Secret and the inline access_key
+# value above is ignored. RECOMMENDED for production deployments.
 access_key_existing_secret:
-# The API token for the Sysdig Secure instance
+# The API token for the Sysdig Secure instance.
+# ⚠️ Same trade-off as access_key above — prefer
+# secure_api_token_existing_secret for sensitive environments.
 secure_api_token:
-# The API token for the Sysdig Secure instance (existing secret)
+# Name of a pre-existing Secret with the `SECURE_API_TOKEN` key. When
+# set, the chart skips generating its own Secret and the inline
+# secure_api_token value above is ignored. RECOMMENDED for production
+# deployments.
 secure_api_token_existing_secret:
 
 # Features
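Review bot: The new comment names the release record as `sh.helm.release.v1..v Secret`, which reads as an empty release name and revision; if the source had placeholders there that this view dropped, prefer a form that survives rendering, e.g. `# metadata (sh.helm.release.v1.RELEASE_NAME.vREVISION Secret) as base64`, and if it did not, the tokens are simply missing. The comments on `access_key_existing_secret` and `secure_api_token_existing_secret` also state that the chart "skips generating its own Secret and the inline … value above is ignored"; that precedence lives in the Secret template, which this commit does not touch, so it is worth confirming the template really gates on the `*_existing_secret` keys before documenting it as a guarantee in two places (the README rows carry the same wording). The same `..v` wording does not appear in NOTES.txt, where the release name is templated, so only this file needs the comment fix.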