From be31ed1a614fc4dd6572a726d433e95f8faf9d1d Mon Sep 17 00:00:00 2001 From: constanca-m Date: Thu, 21 Dec 2023 11:28:38 +0100 Subject: [PATCH 1/5] Update documentation for kubernetes secret provider. --- .../kubernetes_secrets-provider.asciidoc | 31 +++++++++++++------ 1 file changed, 22 insertions(+), 9 deletions(-) diff --git a/docs/en/ingest-management/elastic-agent/configuration/providers/kubernetes_secrets-provider.asciidoc b/docs/en/ingest-management/elastic-agent/configuration/providers/kubernetes_secrets-provider.asciidoc index 62d7579da..273306ea7 100644 --- a/docs/en/ingest-management/elastic-agent/configuration/providers/kubernetes_secrets-provider.asciidoc +++ b/docs/en/ingest-management/elastic-agent/configuration/providers/kubernetes_secrets-provider.asciidoc 
@@ -3,18 +3,34 @@ Provides access to the Kubernetes Secrets API. -The provider needs a `kubeconfig` file to establish connection to the Kubernetes API. -It can automatically reach the API if it's run in an InCluster environment ({agent} runs as pod). +Use the format `${kubernetes_secrets.default.somesecret.value}` to reference a Kubernetes Secrets variable, where `default` is the namespace of the Secret, `somesecret` is the name of the Secret and `value` is the field of the Secret to access. + +To obtain the values for the secrets, a request to the API Server is made. To avoid multiple requests for the same secret and to not overwhelm the API Server, a cache to store the values can be used. This configuration can be set by using the variables `cache_*` (see below). + +The provider needs a `kubeconfig` file to establish connection to the Kubernetes API. It can automatically reach the API if it's run in an InCluster environment ({agent} runs as pod). [source,yaml] ---- providers.kubernetes_secrets: #kube_config: /Users/elastic-agent/.kube/config + #kube_client_options: + # qps: 5 + # burst: 10 + #cache_disable: false + #cache_refresh_interval: 60s + #cache_ttl: 1h + #cache_request_timeout: 5s ---- -Reference the Kubernetes Secrets variable as `${kubernetes_secrets.default.somesecret.value}`, -where `default` is the namespace of the Secret, `somesecret` is the name of the Secret and `value` the field -of the Secret to access. + +`kube_config`:: (Optional) Use the given config file as configuration for the Kubernetes client. If `kube_config` is not set, `KUBECONFIG` environment variable will be checked and will fall back to InCluster if it's not present. +`kube_client_options`:: (Optional) Configure additional options for the Kubernetes client. Supported options are `qps` and `burst`. If not set, the Kubernetes client's default QPS and burst settings are used. 
+`cache_disable`:: (Optional) To disable the cache for the secrets, and make a request to the API Server every time to obtain the value, set this variable to `true`. To continue using the cache, set the variable to `false`. `false` is the default. +`cache_refresh_interval`:: (Optional) Defines the period to update all secret values kept on cache. Defaults to `60s`. +`cache_ttl`:: (Optional) Defines for how long a secret should be kept on cache if not being requested. The default is `1h`. +`cache_request_timeout`:: (Optional) Defines how long the API Server can take to provide the value for a given secret. Defaults to `5s`. + + If you run agent on Kubernetes, the proper rule in the `ClusterRole` is required to provide access to the {agent} pod in the Secrets API: @@ -26,7 +42,4 @@ If you run agent on Kubernetes, the proper rule in the `ClusterRole` is required verbs: ["get"] ---- -CAUTION: The above rule will give permission to {agent} pod to access Kubernetes Secrets API. -Anyone who has access to the {agent} pod (`kubectl exec` for example) will also have -access to the Kubernetes Secrets API. This allows access to a specific secret, regardless of the namespace that it belongs to. -This option should be carefully considered. \ No newline at end of file +CAUTION: The above rule will give permission to {agent} pod to access Kubernetes Secrets API. Anyone who has access to the {agent} pod (`kubectl exec` for example) will also have access to the Kubernetes Secrets API. This allows access to a specific secret, regardless of the namespace that it belongs to. This option should be carefully considered. \ No newline at end of file From 33962cd8569e99b8f1ee795c21982f941d9dd103 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Constan=C3=A7a=20Manteigas?= <113898685+constanca-m@users.noreply.github.com> Date: Mon, 8 Jan 2024 08:44:58 +0100 Subject: [PATCH 2/5] Update docs/en/ingest-management/elastic-agent/configuration/providers/kubernetes_secrets-provider.asciidoc Co-authored-by: Andrew Wilkins --- .../providers/kubernetes_secrets-provider.asciidoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/en/ingest-management/elastic-agent/configuration/providers/kubernetes_secrets-provider.asciidoc b/docs/en/ingest-management/elastic-agent/configuration/providers/kubernetes_secrets-provider.asciidoc index 273306ea7..f483c9328 100644 --- a/docs/en/ingest-management/elastic-agent/configuration/providers/kubernetes_secrets-provider.asciidoc +++ b/docs/en/ingest-management/elastic-agent/configuration/providers/kubernetes_secrets-provider.asciidoc 
@@ -26,8 +26,8 @@ providers.kubernetes_secrets: `kube_config`:: (Optional) Use the given config file as configuration for the Kubernetes client. If `kube_config` is not set, `KUBECONFIG` environment variable will be checked and will fall back to InCluster if it's not present. `kube_client_options`:: (Optional) Configure additional options for the Kubernetes client. Supported options are `qps` and `burst`. If not set, the Kubernetes client's default QPS and burst settings are used. `cache_disable`:: (Optional) To disable the cache for the secrets, and make a request to the API Server every time to obtain the value, set this variable to `true`. To continue using the cache, set the variable to `false`. `false` is the default. -`cache_refresh_interval`:: (Optional) Defines the period to update all secret values kept on cache. Defaults to `60s`. -`cache_ttl`:: (Optional) Defines for how long a secret should be kept on cache if not being requested. The default is `1h`. +`cache_refresh_interval`:: (Optional) Defines the period to update all secret values kept in the cache. Defaults to `60s`. +`cache_ttl`:: (Optional) Defines for how long a secret should be kept in the cache if not being requested. The default is `1h`. `cache_request_timeout`:: (Optional) Defines how long the API Server can take to provide the value for a given secret. Defaults to `5s`. From e0e30e5a27a465a2beebb819096159ad8165c05d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Constan=C3=A7a=20Manteigas?= <113898685+constanca-m@users.noreply.github.com> Date: Mon, 8 Jan 2024 14:58:18 +0100 Subject: [PATCH 3/5] Update docs/en/ingest-management/elastic-agent/configuration/providers/kubernetes_secrets-provider.asciidoc Co-authored-by: Andrew Gizas --- .../providers/kubernetes_secrets-provider.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/docs/en/ingest-management/elastic-agent/configuration/providers/kubernetes_secrets-provider.asciidoc b/docs/en/ingest-management/elastic-agent/configuration/providers/kubernetes_secrets-provider.asciidoc index f483c9328..71b0b68b7 100644 --- a/docs/en/ingest-management/elastic-agent/configuration/providers/kubernetes_secrets-provider.asciidoc +++ b/docs/en/ingest-management/elastic-agent/configuration/providers/kubernetes_secrets-provider.asciidoc @@ -25,7 +25,7 @@ providers.kubernetes_secrets: `kube_config`:: (Optional) Use the given config file as configuration for the Kubernetes client. If `kube_config` is not set, `KUBECONFIG` environment variable will be checked and will fall back to InCluster if it's not present. `kube_client_options`:: (Optional) Configure additional options for the Kubernetes client. Supported options are `qps` and `burst`. If not set, the Kubernetes client's default QPS and burst settings are used. -`cache_disable`:: (Optional) To disable the cache for the secrets, and make a request to the API Server every time to obtain the value, set this variable to `true`. To continue using the cache, set the variable to `false`. `false` is the default. +`cache_disable`:: (Optional) Disables the cache for the secrets. When disabled, thus is set to `true`, code makes a request to the API Server to obtain the value. To continue using the cache, set the variable to `false`. Default is `false`. `cache_refresh_interval`:: (Optional) Defines the period to update all secret values kept in the cache. Defaults to `60s`. `cache_ttl`:: (Optional) Defines for how long a secret should be kept in the cache if not being requested. The default is `1h`. `cache_request_timeout`:: (Optional) Defines how long the API Server can take to provide the value for a given secret. Defaults to `5s`. From 9ba81100ddafc7ac93003e0d8d812453984bb430 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Constan=C3=A7a=20Manteigas?= <113898685+constanca-m@users.noreply.github.com> Date: Mon, 8 Jan 2024 14:58:37 +0100 Subject: [PATCH 4/5] Update docs/en/ingest-management/elastic-agent/configuration/providers/kubernetes_secrets-provider.asciidoc Co-authored-by: Andrew Gizas --- .../providers/kubernetes_secrets-provider.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/en/ingest-management/elastic-agent/configuration/providers/kubernetes_secrets-provider.asciidoc b/docs/en/ingest-management/elastic-agent/configuration/providers/kubernetes_secrets-provider.asciidoc index 71b0b68b7..a731daef1 100644 --- a/docs/en/ingest-management/elastic-agent/configuration/providers/kubernetes_secrets-provider.asciidoc +++ b/docs/en/ingest-management/elastic-agent/configuration/providers/kubernetes_secrets-provider.asciidoc @@ -5,7 +5,7 @@ Provides access to the Kubernetes Secrets API. Use the format `${kubernetes_secrets.default.somesecret.value}` to reference a Kubernetes Secrets variable, where `default` is the namespace of the Secret, `somesecret` is the name of the Secret and `value` is the field of the Secret to access. -To obtain the values for the secrets, a request to the API Server is made. To avoid multiple requests for the same secret and to not overwhelm the API Server, a cache to store the values can be used. This configuration can be set by using the variables `cache_*` (see below). +To obtain the values for the secrets, a request to the API Server is made. To avoid multiple requests for the same secret and to not overwhelm the API Server, a cache to store the values is used by default. This configuration can be set by using the variables `cache_*` (see below). The provider needs a `kubeconfig` file to establish connection to the Kubernetes API. It can automatically reach the API if it's run in an InCluster environment ({agent} runs as pod). From f2e77000deb8a08e0e2cdd3e6e46a7bc6b4d61b0 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Constan=C3=A7a=20Manteigas?= <113898685+constanca-m@users.noreply.github.com> Date: Mon, 8 Jan 2024 15:15:14 +0100 Subject: [PATCH 5/5] Update docs/en/ingest-management/elastic-agent/configuration/providers/kubernetes_secrets-provider.asciidoc Co-authored-by: Tetiana Kravchenko --- .../providers/kubernetes_secrets-provider.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/en/ingest-management/elastic-agent/configuration/providers/kubernetes_secrets-provider.asciidoc b/docs/en/ingest-management/elastic-agent/configuration/providers/kubernetes_secrets-provider.asciidoc index a731daef1..c5180a727 100644 --- a/docs/en/ingest-management/elastic-agent/configuration/providers/kubernetes_secrets-provider.asciidoc +++ b/docs/en/ingest-management/elastic-agent/configuration/providers/kubernetes_secrets-provider.asciidoc @@ -3,7 +3,7 @@ Provides access to the Kubernetes Secrets API. -Use the format `${kubernetes_secrets.default.somesecret.value}` to reference a Kubernetes Secrets variable, where `default` is the namespace of the Secret, `somesecret` is the name of the Secret and `value` is the field of the Secret to access. +Use the format `${kubernetes_secrets...}` to reference a Kubernetes Secrets variable, where `default` is the namespace of the Secret, `somesecret` is the name of the Secret and `value` is the field of the Secret to access. To obtain the values for the secrets, a request to the API Server is made. To avoid multiple requests for the same secret and to not overwhelm the API Server, a cache to store the values is used by default. This configuration can be set by using the variables `cache_*` (see below).
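
Review bot: In PATCH 1/5, first hunk (`@@ -3,18 +3,34 @@`), the new `cache_refresh_interval` and `cache_ttl` entries do not say what happens after a Secret is changed in the cluster. As written, cached values are updated once per `cache_refresh_interval` (default `60s`), so a rotated Secret can be served with its old value for up to that interval. Suggest stating that explicitly and pointing to `cache_disable: true` for cases where the current value is always required. Two smaller points in the same hunk: `kube_client_options` lists `qps` and `burst` without saying what they limit, and two empty lines are added after the `cache_request_timeout` entry where one is enough.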
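
Review bot: In PATCH 1/5, second hunk (`@@ -26,7 +42,4 @@`), the CAUTION paragraph is reflowed onto one line but its wording is kept, and "This allows access to a specific secret, regardless of the namespace that it belongs to" still reads as if access were limited to one Secret. The rule above it grants `verbs: ["get"]`, so the sentence could say that any Secret can be read once its namespace and name are known. The new version of the file also still ends with "\ No newline at end of file"; please add the trailing newline while this line is being touched.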
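
Review bot: In PATCH 2/5, the reworded `cache_ttl` line ("kept in the cache if not being requested") still leaves it unclear whether the `1h` is counted from the last request for that Secret or from when it was first cached. Suggest wording along the lines of "how long a secret stays in the cache after it was last requested", if that is the behaviour, and one sentence on how this relates to `cache_refresh_interval`, since the two defaults (`60s` and `1h`) are otherwise easy to confuse.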
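
Review bot: In PATCH 3/5, the new `cache_disable` text "When disabled, thus is set to `true`, code makes a request to the API Server to obtain the value" is ungrammatical and drops the "every time" that the removed line had, which was the point of the setting. Suggest something like: "Disables the cache for the secrets. When set to `true`, a request is made to the API Server every time a value is needed. Default is `false`." The following sentence ("To continue using the cache, set the variable to `false`") then becomes redundant with the stated default and could be dropped.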
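
Review bot: In PATCH 5/5, the added line gives the format as `${kubernetes_secrets...}`, but the rest of the sentence still explains `default`, `somesecret` and `value`, none of which appear in the format any more. If placeholders were intended between the dots, they are not visible in the added line and may need escaping so they survive AsciiDoc rendering. Either way, the explanation should describe the parts of the format actually shown (namespace, Secret name, field), and keeping the concrete `${kubernetes_secrets.default.somesecret.value}` as an example next to the generic form would help readers.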