From 9ecfed707ee7b68ba5f81ed4954ebed692810bd7 Mon Sep 17 00:00:00 2001
From: yaraskm <62650344+yaraskm@users.noreply.github.com>
Date: Wed, 1 Mar 2023 17:10:31 -0500
Subject: [PATCH] Use a Secret to store S3 keys in K8S deployment

- Passing the access and secret keys directly as environment variables can inadvertently leak them in a multitenant system, as anyone with the `view` ClusterRole or higher on the namespace will have the ability to read the spec of the `Job`.
- Instead, create a secret with the keys and mount them as environment variables from there.
---
 k8s/helm/templates/job.yaml | 10 ++++++++--
 k8s/helm/templates/secret.yaml | 9 +++++++++
 2 files changed, 17 insertions(+), 2 deletions(-)
 create mode 100644 k8s/helm/templates/secret.yaml

diff --git a/k8s/helm/templates/job.yaml b/k8s/helm/templates/job.yaml
index d8c00c59..fa98818d 100644
--- a/k8s/helm/templates/job.yaml
+++ b/k8s/helm/templates/job.yaml
@@ -28,9 +28,15 @@ spec:
 - name: WARP_REGION
 value: {{ .Values.warpConfiguration.s3ServerRegion | quote }}
 - name: WARP_ACCESS_KEY
- value: {{ .Values.warpConfiguration.s3AccessKey | quote }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "warp.fullname" . }}-credentials
+ key: access_key
 - name: WARP_SECRET_KEY
- value: {{ .Values.warpConfiguration.s3SecretKey | quote }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "warp.fullname" . }}-credentials
+ key: secret_key
 {{- if .Values.serverResources }}
 resources: {{- toYaml .Values.serverResources | nindent 12 }}
 {{- end }}
diff --git a/k8s/helm/templates/secret.yaml b/k8s/helm/templates/secret.yaml
new file mode 100644
index 00000000..db9dedbb
--- /dev/null
+++ b/k8s/helm/templates/secret.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ include "warp.fullname" . }}-credentials
+ labels:
+ {{- include "warp.labels" . | nindent 4 }}
+data:
+ access_key: {{ .Values.warpConfiguration.s3AccessKey | b64enc }}
+ secret_key: {{ .Values.warpConfiguration.s3SecretKey | b64enc }}
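Review bot: The Secret name `{{ include "warp.fullname" . }}-credentials` is spelled out in both new `secretKeyRef` entries (and a third time in secret.yaml), so the copies can silently drift apart and a typo in one of them only surfaces as a `CreateContainerConfigError` at runtime; a named template, e.g. `{{- define "warp.credentialsSecretName" -}}{{ include "warp.fullname" . }}-credentials{{- end }}` in `_helpers.tpl`, referenced as `name: {{ include "warp.credentialsSecretName" . }}`, keeps them in sync. That helper is also the natural place to honour an `existingSecret` value (`{{ .Values.warpConfiguration.existingSecret | default (printf "%s-credentials" (include "warp.fullname" .)) }}`), so operators can keep the keys out of values files entirely and point at a Secret managed by sealed-secrets or an external secrets operator. Worth stating in a comment next to the `env` entries that the keys still land in the container's environment (`kubectl exec … env`, `/proc/<pid>/environ`, crash dumps), so anyone who can exec into or debug the Job's pod can still read them; the Secret indirection only closes the `get job` path the commit message describes. The `env` list and the enclosing container spec start outside the hunk.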
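Review bot: `access_key: {{ .Values.warpConfiguration.s3AccessKey | b64enc }}` and the `secret_key` line below it render an unquoted scalar and do not fail when the value is unset, so a release installed without the keys still produces a Secret (what `b64enc` does with a nil value depends on the template engine version) and the Job only fails later with an opaque S3 authentication error. Use `required` so `helm install`/`helm template` aborts with a clear message, and quote the base64 output as chart templates conventionally do: `access_key: {{ required "warpConfiguration.s3AccessKey is required" .Values.warpConfiguration.s3AccessKey | b64enc | quote }}` and likewise for `secret_key`. Adding `type: Opaque` under `kind: Secret` makes the Secret type explicit rather than relying on the API default. Note for values.yaml that the keys still pass through `--set`/values files and are retained in the Helm release record stored in the namespace, so this change narrows who can read the plaintext to those with Secret read access rather than removing it from the cluster's API surface.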