2 changes: 1 addition & 1 deletion charts/shield/Chart.yaml
@@ -13,5 +13,5 @@ maintainers:
- name: mavimo
email: marcovito.moscaritolo@sysdig.com
type: application
version: 1.37.1
version: 1.37.2
appVersion: "1.0.0"
8 changes: 4 additions & 4 deletions charts/shield/README.md
@@ -73,10 +73,10 @@ The following table lists the configurable parameters of the `shield` chart and
| sysdig_endpoint.api_url | The URL of the Sysdig Secure API (required only when region is custom) | <code></code> |
| sysdig_endpoint.collector.host | The hostname of the Sysdig Secure collector (required only when region is custom) | <code></code> |
| sysdig_endpoint.collector.port | The port of the Sysdig Secure collector (required only when region is custom) | <code></code> |
| sysdig_endpoint.access_key | The access key for the Sysdig Secure instance | <code></code> |
| sysdig_endpoint.access_key_existing_secret | The access key for the Sysdig Secure instance (existing secret) | <code></code> |
| sysdig_endpoint.secure_api_token | The API token for the Sysdig Secure instance | <code></code> |
| sysdig_endpoint.secure_api_token_existing_secret | The API token for the Sysdig Secure instance (existing secret) | <code></code> |
| sysdig_endpoint.access_key | The access key for the Sysdig Secure instance. ⚠️ Inline credentials persist in Helm release metadata as base64 plaintext; prefer `access_key_existing_secret` for production deployments. | <code></code> |
| sysdig_endpoint.access_key_existing_secret | Name of a pre-existing Secret with the `access-key` key. When set, the chart skips generating its own Secret and the inline access_key value is ignored. RECOMMENDED for production deployments. | <code></code> |
| sysdig_endpoint.secure_api_token | The API token for the Sysdig Secure instance. ⚠️ Same trade-off as `access_key` — prefer `secure_api_token_existing_secret` for production deployments. | <code></code> |
| sysdig_endpoint.secure_api_token_existing_secret | Name of a pre-existing Secret with the `SECURE_API_TOKEN` key. When set, the chart skips generating its own Secret and the inline secure_api_token value is ignored. RECOMMENDED for production deployments. | <code></code> |
| features.admission_control.enabled | Enable the admission control feature | <code>false</code> |
| features.admission_control.failure_policy | The policy to apply when a request is denied | <code>Ignore</code> |
| features.admission_control.dry_run | Enable the dry run mode | <code>true</code> |
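Review bot: the new descriptions for `sysdig_endpoint.access_key_existing_secret` and `sysdig_endpoint.secure_api_token_existing_secret` promise that "the inline access_key value is ignored" once the existing-secret name is set, but nothing in this PR backs that claim: the new unittest suite only inspects NOTES.txt output and the Secret template is not touched here. Add a test that sets both `access_key` and `access_key_existing_secret` and asserts the chart's own Secret is not rendered, so the documented precedence is verified rather than assumed. Also check whether this README table is generated from the `values.yaml` comments (helm-docs style); if it is, the hand edit will be overwritten on the next regeneration and the wording should live in one place.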
27 changes: 27 additions & 0 deletions charts/shield/templates/NOTES.txt
@@ -13,3 +13,30 @@ Host Labels
Host Selector Labels

{{ include "host.selector_labels" . }}

{{- if or (and .Values.sysdig_endpoint.access_key (not .Values.sysdig_endpoint.access_key_existing_secret)) (and .Values.sysdig_endpoint.secure_api_token (not .Values.sysdig_endpoint.secure_api_token_existing_secret)) }}

⚠️ SECURITY NOTICE: Sysdig credentials were supplied inline via values.

{{- if and .Values.sysdig_endpoint.access_key (not .Values.sysdig_endpoint.access_key_existing_secret) }}
- sysdig_endpoint.access_key
{{- end }}
{{- if and .Values.sysdig_endpoint.secure_api_token (not .Values.sysdig_endpoint.secure_api_token_existing_secret) }}
- sysdig_endpoint.secure_api_token
{{- end }}

These values are persisted by Helm in its release storage
(`sh.helm.release.v1.{{ .Release.Name }}.v<rev>` Secret in `{{ .Release.Namespace }}`)
as base64-encoded plaintext. Anyone with get/list access to that Secret
— or to the output of `helm get values`, `helm get manifest`, or any
GitOps tool that snapshots rendered manifests — can recover them.

For sensitive environments, pre-create a Secret (e.g. via Vault, External
Secrets, SOPS, or sealed-secrets) and reference it instead:

sysdig_endpoint:
access_key_existing_secret: my-access-key-secret
secure_api_token_existing_secret: my-api-token-secret

See https://github.com/sysdiglabs/charts/issues/2622 for context.
{{- end }}
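Review bot: the notice is only seen by whoever reads `helm install` / `helm upgrade` output; GitOps controllers that render the chart (the very tools the text names as a leak path) never surface NOTES.txt, so the README and values.yaml comments have to carry the warning for that audience and this block should not be relied on as the only signal. Two smaller points: the outer `{{- if or (and .Values.sysdig_endpoint.access_key (not .Values.sysdig_endpoint.access_key_existing_secret)) (and ...) }}` repeats the two inner bullet conditions verbatim, so consider assigning each once to a template variable and reusing it in all three places to keep them from drifting; and the left-trim on `{{- if and .Values.sysdig_endpoint.access_key ... }}` swallows the blank line that follows the SECURITY NOTICE line, so the bullet list renders directly beneath it with no separating line, which is acceptable but should be intentional.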
97 changes: 97 additions & 0 deletions charts/shield/tests/common/notes_credentials_warning_test.yaml
@@ -0,0 +1,97 @@
suite: Common - NOTES.txt credentials warning
templates:
- templates/NOTES.txt
release:
name: release-name
namespace: shield-namespace
tests:
- it: Emits the security notice when access_key is supplied inline
set:
cluster_config:
name: test-cluster
sysdig_endpoint:
region: custom
api_url: https://www.example.com
collector:
host: example.com
port: 6443
access_key: "fake-access-key"
asserts:
- matchRegexRaw:
pattern: "SECURITY NOTICE"
- matchRegexRaw:
pattern: "sysdig_endpoint\\.access_key"

- it: Emits the security notice when secure_api_token is supplied inline (with access_key via existing secret)
set:
cluster_config:
name: test-cluster
sysdig_endpoint:
region: custom
api_url: https://www.example.com
collector:
host: example.com
port: 6443
access_key_existing_secret: external-access-key
secure_api_token: "fake-token"
asserts:
- matchRegexRaw:
pattern: "SECURITY NOTICE"
- matchRegexRaw:
pattern: "sysdig_endpoint\\.secure_api_token"
- notMatchRegexRaw:
pattern: "- sysdig_endpoint\\.access_key"

- it: Lists both keys when both are supplied inline
set:
cluster_config:
name: test-cluster
sysdig_endpoint:
region: custom
api_url: https://www.example.com
collector:
host: example.com
port: 6443
access_key: "fake-access-key"
secure_api_token: "fake-token"
asserts:
- matchRegexRaw:
pattern: "sysdig_endpoint\\.access_key"
- matchRegexRaw:
pattern: "sysdig_endpoint\\.secure_api_token"

- it: Suppresses the notice when access_key uses existing_secret reference
set:
cluster_config:
name: test-cluster
sysdig_endpoint:
region: custom
api_url: https://www.example.com
collector:
host: example.com
port: 6443
access_key_existing_secret: external-access-key
secure_api_token_existing_secret: external-api-token
asserts:
- notMatchRegexRaw:
pattern: "SECURITY NOTICE"

- it: Mentions only access_key bullet when access_key is inline and secure_api_token is existing_secret
set:
cluster_config:
name: test-cluster
sysdig_endpoint:
region: custom
api_url: https://www.example.com
collector:
host: example.com
port: 6443
access_key: "fake-access-key"
secure_api_token_existing_secret: external-api-token
asserts:
- matchRegexRaw:
pattern: "SECURITY NOTICE"
- matchRegexRaw:
pattern: "- sysdig_endpoint\\.access_key"
- notMatchRegexRaw:
pattern: "- sysdig_endpoint\\.secure_api_token"
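Review bot: the patterns in the first and third cases (`pattern: "sysdig_endpoint\\.access_key"` and `pattern: "sysdig_endpoint\\.secure_api_token"`) omit the `- ` bullet prefix that the second and fifth cases use, so they would also be satisfied by any future mention of `sysdig_endpoint.access_key_existing_secret` in the rendered notes; anchor all of them on the bullet form for consistency. The suite also lacks the case the README and values.yaml now document: `access_key` and `access_key_existing_secret` both set, expecting `notMatchRegexRaw` on `SECURITY NOTICE`, which is what demonstrates that the existing-secret reference takes precedence over an inline value in the notice logic. Finally, the suppression case (fourth test) never supplies an inline value at all, so it passes trivially; a stronger variant sets `secure_api_token` inline alongside `secure_api_token_existing_secret` and still expects no notice.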
20 changes: 16 additions & 4 deletions charts/shield/values.yaml
@@ -20,13 +20,25 @@ sysdig_endpoint:
host:
# The port of the Sysdig Secure collector (required only when region is custom)
port:
# The access key for the Sysdig Secure instance
# The access key for the Sysdig Secure instance.
# ⚠️ Supplying credentials inline here persists them in Helm release
# metadata (sh.helm.release.v1.<release>.v<rev> Secret) as base64
# plaintext, and exposes them through `helm get values` / GitOps
# snapshots. For sensitive environments, prefer pre-creating a Secret
# out-of-band and using `access_key_existing_secret` below.
access_key:
# The access key for the Sysdig Secure instance (existing secret)
# Name of a pre-existing Secret with the `access-key` key. When set,
# the chart skips generating its own Secret and the inline access_key
# value above is ignored. RECOMMENDED for production deployments.
access_key_existing_secret:
# The API token for the Sysdig Secure instance
# The API token for the Sysdig Secure instance.
# ⚠️ Same trade-off as access_key above — prefer
# secure_api_token_existing_secret for sensitive environments.
secure_api_token:
# The API token for the Sysdig Secure instance (existing secret)
# Name of a pre-existing Secret with the `SECURE_API_TOKEN` key. When
# set, the chart skips generating its own Secret and the inline
# secure_api_token value above is ignored. RECOMMENDED for production
# deployments.
secure_api_token_existing_secret:
# Features

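Review bot: the comment on `access_key` pins the leak location to the `sh.helm.release.v1.<release>.v<rev>` Secret, which is only true under Helm's default `secret` storage driver; with `HELM_DRIVER=configmap` or `HELM_DRIVER=sql` the release record lives elsewhere but the inline values are stored just the same, so phrase it as "Helm release storage (by default a Secret named sh.helm.release.v1.<release>.v<rev>)" to avoid readers concluding another driver makes them safe. The paired comments correctly spell out that the two pre-created Secrets use different key names (`access-key` versus `SECURE_API_TOKEN`); since a wrong key name is only caught when the workload references the Secret rather than at `helm install`, consider a one-line `kubectl create secret generic ... --from-literal=access-key=...` example in the comment so the expected key is copy-paste obvious.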