Merge branch 'main' into FIX-2
Rutam21 authored Oct 25, 2024
2 parents 164dd34 + f2c46d2 commit 892f2f3
Showing 3 changed files with 86 additions and 3 deletions.
3 changes: 3 additions & 0 deletions docs/deployment/kubernetes/installation.mdx
Expand Up @@ -46,8 +46,11 @@ To read about more installation options, see [ingress-nginx installation docs](h
</Info>
```bash
# simplest way to install
# we set snippet-annotations to true to allow rewrites
# see https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#allow-snippet-annotations
helm upgrade --install ingress-nginx ingress-nginx \
--repo https://kubernetes.github.io/ingress-nginx \
--set controller.config.allow-snippet-annotations=true \
--namespace ingress-nginx --create-namespace
```
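Review bot: The comment above `--set controller.config.allow-snippet-annotations=true` gives the reason ("to allow rewrites") but not the cost: with this setting on, anyone who can create or edit an Ingress in the cluster can add raw nginx configuration through snippet annotations, which is why the linked ingress-nginx page treats it as an opt-in. Because this block is labelled "simplest way to install" and will be copied as-is, add a sentence saying the option should be enabled only where Ingress write access is limited to trusted users, and name the Keep Ingress annotation that actually needs it so readers on shared clusters can judge whether to turn it on.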

1 change: 1 addition & 0 deletions docs/deployment/kubernetes/overview.mdx
Expand Up @@ -14,5 +14,6 @@ We maintain an opinionated, batteries-included Helm chart, but you can customize
## Next steps
- Install Keep on [Kubernetes](/deployment/kubernetes/installation).
- Keep's [Helm Chart](https://github.com/keephq/helm-charts).
- Keep with [Kubernetes Secret Manager](/deployment/secret-manager#kubernetes-secret-manager)
- Deep dive to Keep's kubernetes [Architecture](/deployment/kubernetes/architecture).
- Install Keep on [OpenShift](/deployment/kubernetes/openshift).
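Review bot: The added bullet `- Keep with [Kubernetes Secret Manager](/deployment/secret-manager#kubernetes-secret-manager)` has no trailing period, while the other four items in the "Next steps" list end with one; add it for consistency. The `#kubernetes-secret-manager` fragment also depends on the `## Kubernetes Secret Manager` heading in `docs/deployment/secret-manager.mdx` keeping its exact text, so a later rename of that heading would break this link without any build error.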
85 changes: 82 additions & 3 deletions docs/deployment/secret-manager.mdx
Expand Up @@ -59,18 +59,97 @@ Usage:

## Kubernetes Secret Manager

The `KubernetesSecretManager` interfaces with Kubernetes' native secrets system. It manages secrets within a specified Kubernetes namespace and is designed to operate within a Kubernetes cluster.
### Overview

Configuration:
The `KubernetesSecretManager` interfaces with Kubernetes' native secrets system.

It manages secrets within a specified Kubernetes namespace and is designed to operate within a Kubernetes cluster.

### Configuration

Set `K8S_NAMESPACE` environment variable to specify the Kubernetes namespace. Defaults to default if not set. Assumes Kubernetes configurations (like service account tokens) are properly set up when running within a cluster.
- `SECRET_MANAGER_TYPE=k8s`
- `K8S_NAMESPACE=keep` - environment variable to specify the Kubernetes namespace. Defaults to `.metadata.namespace` if not set. Assumes Kubernetes configurations (like service account tokens) are properly set up when running within a cluster.

Usage:

- Secrets are stored as Kubernetes Secret objects.
- Provides functionalities to create, retrieve, and delete Kubernetes secrets.
- Handles base64 encoding and decoding as required by Kubernetes.

### Environment Variables From Secrets
The Kubernetes Secret Manager integration allows Keep to fetch environment variables from Kubernetes Secrets.

For sensitive environment variables, such as `DATABASE_CONNECTION_STRING`, it is recommended to store as a secret:

#### Creating Database Connection Secret
```bash
# Create the base64 encoded string without newline
CONNECTION_STRING_B64=$(echo -n "mysql+pymysql://user:password@host:3306/dbname" | base64)

# Create the Kubernetes secret
kubectl create secret generic keep-db-secret \
--namespace=keep \
--from-literal=connection_string=$(echo -n "mysql+pymysql://user:password@host:3306/dbname" | base64)

# Or using a YAML file:
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Secret
metadata:
name: keep-db-secret
namespace: keep
type: Opaque
data:
connection_string: $(echo -n "mysql+pymysql://user:password@host:3306/dbname" | base64)
EOF
```

#### Update the helm Values.yaml

After creating the secret, update the `values.yaml` so the helm chart will inject the secret as env var:
```bash
backend:
enabled: true
waitForDatabase: true
databaseConnectionStringFromSecret:
enabled: true # Enable using secret for database connection
secretName: "keep-db-secret" # Name of the secret we created
secretKey: "connection_string" # Key in the secret containing our connection string
```

#### Apply with Helm

```bash
# If installing for the first time
helm install keep keephq/keep \
-f values.yaml \
--namespace keep

# If updating existing installation
helm upgrade keep keephq/keep \
-f values.yaml \
--namespace keep
```

#### Verify the installation

Check if the secret is properly created:
```bash
kubectl get secret keep-db-secret -n keep
```

Verify the content of the secret is correct:
```bash
kubectl get secret keep-db-secret -n keep -o jsonpath='{.data.connection_string}' | base64 -d
```

Verify the pod using the secret:
```bash
kubectl get pod -n keep -l app.kubernetes.io/component=backend -o yaml | grep DATABASE_CONNECTION_STRING -A 5
```



## GCP Secret Manager

The `GcpSecretManager` utilizes Google Cloud's Secret Manager service for secret management. It requires setting up with Google Cloud credentials and a project ID.
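Review bot: In "Creating Database Connection Secret", the `kubectl create secret generic` command passes `--from-literal=connection_string=$(echo -n "..." | base64)`, but `--from-literal` takes the plain value and kubectl base64-encodes it when it writes the Secret, so the value is stored encoded twice and the backend would receive a base64 string as `DATABASE_CONNECTION_STRING` instead of a connection URL. Pass the raw, quoted connection string to `--from-literal` and keep the `| base64` form only in the YAML `data:` variant, where pre-encoded input is correct; using `stringData:` there would remove the encoding step altogether and avoid GNU `base64` wrapping its output at 76 characters for longer strings. The `CONNECTION_STRING_B64` variable is assigned and never used, so either reference it in the YAML variant or drop it. Under "Update the helm Values.yaml" the block is fenced as `bash` although its content is YAML. The "Verify the content of the secret is correct" command decodes and prints the full connection string, password included, to the terminal; the docs should say so, or suggest a check that does not echo the credential.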
