[Kubernetes secret provider] Update documentation regarding the configuration #782

Merged
merged 5 commits into from
Jan 8, 2024
Expand Up @@ -3,18 +3,34 @@

Provides access to the Kubernetes Secrets API.

The provider needs a `kubeconfig` file to establish connection to the Kubernetes API.
It can automatically reach the API if it's run in an InCluster environment ({agent} runs as pod).
Use the format `${kubernetes_secrets.<default>.<somesecret>.<value>}` to reference a Kubernetes Secrets variable, where `default` is the namespace of the Secret, `somesecret` is the name of the Secret and `value` is the field of the Secret to access.

To obtain the values for the secrets, a request to the API Server is made. To avoid multiple requests for the same secret and to not overwhelm the API Server, a cache to store the values is used by default. This configuration can be set by using the variables `cache_*` (see below).

The provider needs a `kubeconfig` file to establish connection to the Kubernetes API. It can automatically reach the API if it's run in an InCluster environment ({agent} runs as pod).

[source,yaml]
----
providers.kubernetes_secrets:
#kube_config: /Users/elastic-agent/.kube/config
#kube_client_options:
# qps: 5
# burst: 10
#cache_disable: false
#cache_refresh_interval: 60s
#cache_ttl: 1h
#cache_request_timeout: 5s
----

Reference the Kubernetes Secrets variable as `${kubernetes_secrets.default.somesecret.value}`,
where `default` is the namespace of the Secret, `somesecret` is the name of the Secret and `value` the field
of the Secret to access.

`kube_config`:: (Optional) Use the given config file as configuration for the Kubernetes client. If `kube_config` is not set, `KUBECONFIG` environment variable will be checked and will fall back to InCluster if it's not present.
`kube_client_options`:: (Optional) Configure additional options for the Kubernetes client. Supported options are `qps` and `burst`. If not set, the Kubernetes client's default QPS and burst settings are used.
`cache_disable`:: (Optional) Disables the cache for the secrets. When disabled, thus is set to `true`, code makes a request to the API Server to obtain the value. To continue using the cache, set the variable to `false`. Default is `false`.
`cache_refresh_interval`:: (Optional) Defines the period to update all secret values kept in the cache. Defaults to `60s`.
`cache_ttl`:: (Optional) Defines for how long a secret should be kept in the cache if not being requested. The default is `1h`.
`cache_request_timeout`:: (Optional) Defines how long the API Server can take to provide the value for a given secret. Defaults to `5s`.



If you run agent on Kubernetes, the proper rule in the `ClusterRole` is required to provide access to the {agent} pod in the Secrets API:

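Review bot: the `cache_disable` entry reads awkwardly at "When disabled, thus is set to `true`, code makes a request to the API Server to obtain the value" and is easy to misread as describing the cache being enabled; suggest "(Optional) Disables the cache. When set to `true`, every lookup makes a request to the API Server for the secret value. Default is `false`." Two smaller points in the same hunk: the sample `kube_config: /Users/elastic-agent/.kube/config` is a user-specific macOS home path and a neutral placeholder such as `/path/to/kubeconfig` would avoid implying a default location; and since `cache_refresh_interval` and `cache_ttl` are documented separately, it would help readers to state how they interact, in particular that with the cache enabled a rotated secret can be served stale until the next refresh pass (up to `cache_refresh_interval`) and whether a refresh counts as a request for the purpose of `cache_ttl` eviction.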
Expand All @@ -26,7 +42,4 @@ If you run agent on Kubernetes, the proper rule in the `ClusterRole` is required
verbs: ["get"]
----

CAUTION: The above rule will give permission to {agent} pod to access Kubernetes Secrets API.
Anyone who has access to the {agent} pod (`kubectl exec` for example) will also have
access to the Kubernetes Secrets API. This allows access to a specific secret, regardless of the namespace that it belongs to.
This option should be carefully considered.
CAUTION: The above rule will give permission to {agent} pod to access Kubernetes Secrets API. Anyone who has access to the {agent} pod (`kubectl exec` for example) will also have access to the Kubernetes Secrets API. This allows access to a specific secret, regardless of the namespace that it belongs to. This option should be carefully considered.
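Review bot: the CAUTION explains the consequence of the rule but not how to narrow it; since the `ClusterRole` with `verbs: ["get"]` on secrets applies cluster-wide (hence "regardless of the namespace that it belongs to"), suggest adding one sentence that deployments which only reference secrets from a single namespace can use a namespaced `Role` and `RoleBinding` with the same `get` verb instead, so that the access exposed via `kubectl exec` into the {agent} pod is limited to that namespace. Minor wording: "give permission to {agent} pod to access" reads better as "give the {agent} pod permission to access", and "Anyone who has access to the {agent} pod" could name the practical scope, i.e. anyone able to exec into or read the pod's service account token.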