diff --git a/.gitignore b/.gitignore index 791bd40..5a9365e 100644 --- a/.gitignore +++ b/.gitignore @@ -33,10 +33,8 @@ bin/* Session.vim .netrwhist - - +# Snyk stuff .history - temp accept.json diff --git a/charts/snyk-broker/templates/_helpers.tpl b/charts/snyk-broker/templates/_helpers.tpl index 6b877a0..28662bd 100644 --- a/charts/snyk-broker/templates/_helpers.tpl +++ b/charts/snyk-broker/templates/_helpers.tpl @@ -113,7 +113,7 @@ Create the name of the broker service to use {{- $serviceLength := len $service -}} {{- $releaseNameLength := len .Release.Name -}} {{- $truncatedLength := int (sub 63 (add $serviceLength $releaseNameLength)) -}} -{{- .Values.scmType | trunc $truncatedLength }}{{ $service }}{{ .Release.Name }} +{{- .Values.scmType | trunc $truncatedLength }}{{ $service }}{{ .Release.Name }} {{- else }} {{- .Values.scmType | trunc 47 }}-broker-service {{- end -}} 
@@ -178,3 +178,55 @@ Validate against RFC 1123
 {{- end }}
 {{- $sanitisedProxyUrls | trimPrefix "," -}}
 {{- end }}
+
+{{/*
+ Secret Handling Configuration
+*/}}
+
+{{- define "brokerTokenSecret" -}}
+{{- if .Values.brokerToken }}
+{{- printf "%s-%s-%s" .Values.scmType "broker-token" .Release.Name }}
+{{- else if .Values.brokerTokenSecret }}
+{{- .Values.brokerTokenSecret }}
+{{- end}}
+{{- end}}
+
+{{- define "brokerTokenSecretKey" -}}
+{{- if .Values.brokerToken }}
+{{- printf "%s-%s" .Values.scmType "broker-token-key" }}
+{{- else if .Values.brokerTokenSecret }}
+{{- .Values.brokerTokenSecretKey }}
+{{- end}}
+{{- end}}
+
+{{- define "targetTokenSecret" -}}
+{{- if .Values.scmToken }}
+{{- printf "%s-%s-%s" .Values.scmType "token" .Release.Name }}
+{{- else if .Values.targetTokenSecret }}
+{{- .Values.targetTokenSecret }}
+{{- end}}
+{{- end}}
+
+{{- define "targetTokenSecretKey" -}}
+{{- if .Values.scmToken }}
+{{- printf "%s-%s" .Values.scmType "token-key" }}
+{{- else if .Values.targetTokenSecretKey }}
+{{- .Values.targetTokenSecretKey }}
+{{- end}}
+{{- end}}
+
+{{- define "snykTokenSecret" -}}
+{{- if .Values.snykToken }}
+{{- printf "%s-%s" "snyk-token" ".Release.Name" }}
+{{- else if .Values.snykTokenSecret }}
+{{- .Values.snykTokenSecret }}
+{{- end}}
+{{- end}}
+
+{{- define "snykTokenSecretKey" -}}
+{{- if .Values.snykToken }}
+{{- "snyk-token-key" }}
+{{- else if .Values.snykTokenSecretKey }}
+{{- .Values.snykTokenSecretKey }}
+{{- end}}
+{{- end}}
diff --git a/charts/snyk-broker/templates/broker_deployment.yaml b/charts/snyk-broker/templates/broker_deployment.yaml
index 4e627b1..19bc59f 100644
--- a/charts/snyk-broker/templates/broker_deployment.yaml
+++ b/charts/snyk-broker/templates/broker_deployment.yaml
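Review bot: In `snykTokenSecret`, `.Release.Name` sits inside the quotes, so `printf "%s-%s" "snyk-token" ".Release.Name"` renders the literal Secret name `snyk-token-.Release.Name` rather than the release-suffixed one; it should read `{{- printf "%s-%s" "snyk-token" .Release.Name }}`. The three `*Secret` helpers also drop the `{{if not .Values.disableSuffixes }}-{{ .Release.Name }}{{ end }}` logic that the replaced deployment lines carried, which is why the `disablesuffixes` snapshots now expect `github-com-broker-token-RELEASE-NAME`; unless the Secret templates (not in this diff) changed the same way, the Deployment will reference a Secret that is never created, so something like `{{- printf "%s-%s" .Values.scmType "broker-token" }}{{ if not .Values.disableSuffixes }}-{{ .Release.Name }}{{ end }}` is needed in each. `targetTokenSecretKey` gates its fallback on `.Values.targetTokenSecretKey` while the broker and snyk counterparts gate on the `*Secret` value, so the target key can be emitted without a Secret name; gating on `.Values.targetTokenSecret` keeps name and key in step. Named templates are global across a chart and its subcharts, so prefixing the new names (e.g. `snyk-broker.brokerTokenSecret`) would avoid collisions if the chart's existing helpers follow that convention. The helper whose closing `{{- end }}` lines open this hunk starts outside it.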
@@ -112,14 +112,14 @@ spec: - name: BROKER_TOKEN valueFrom: secretKeyRef: - name: {{ .Values.scmType}}-broker-token{{if not .Values.disableSuffixes }}-{{ .Release.Name }}{{ end }} - key: "{{ .Values.scmType}}-broker-token-key" + name: {{ include "brokerTokenSecret" . }} + key: {{ include "brokerTokenSecretKey" . }} {{- if not .Values.useExternalSecretScmTokenPool }} - name: GITHUB_TOKEN valueFrom: secretKeyRef: - name: {{ .Values.scmType}}-token{{if not .Values.disableSuffixes }}-{{ .Release.Name }}{{ end }} - key: "{{ .Values.scmType}}-token-key" + name: {{ include "targetTokenSecret" . }} + key: {{ include "targetTokenSecretKey" . }} {{- end }} {{- if or (.Values.scmTokenPool) (.Values.useExternalSecretScmTokenPool) }} - name: GITHUB_TOKEN_POOL @@ -138,14 +138,14 @@ spec: - name: BROKER_TOKEN valueFrom: secretKeyRef: - name: {{ .Values.scmType}}-broker-token{{if not .Values.disableSuffixes }}-{{ .Release.Name }}{{ end }} - key: "{{ .Values.scmType}}-broker-token-key" + name: {{ include "brokerTokenSecret" . }} + key: {{ include "brokerTokenSecretKey" . }} {{- if not .Values.useExternalSecretScmTokenPool }} - name: GITHUB_TOKEN valueFrom: secretKeyRef: - name: {{ .Values.scmType}}-token{{if not .Values.disableSuffixes }}-{{ .Release.Name }}{{ end }} - key: "{{ .Values.scmType}}-token-key" + name: {{ include "targetTokenSecret" . }} + key: {{ include "targetTokenSecretKey" . }} {{- end }} {{- if or (.Values.scmTokenPool) (.Values.useExternalSecretScmTokenPool) }} - name: GITHUB_TOKEN_POOL 
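Review bot: `name: {{ include "targetTokenSecret" . }}` renders an empty value whenever neither `scmToken` nor `targetTokenSecret` is set, which YAML reads as `null`; the updated snapshots show exactly that for the default fixtures (`name: null` with `key: token-key` under GITHUB_TOKEN), so the default render now points `secretKeyRef` at no Secret and the Deployment is presumably rejected or the pod cannot start. The include results are also no longer quoted, unlike the `"{{ .Values.scmType}}-token-key"` they replace, so a user-supplied key or name that looks like a number or boolean would be retyped by the YAML parser. I would fail the render early and quote the output, `name: {{ include "targetTokenSecret" . | required "set scmToken or targetTokenSecret" | quote }}` and `key: {{ include "targetTokenSecretKey" . | quote }}`, and likewise for the `brokerTokenSecret` pair; if an empty GITHUB_TOKEN entry is intended for the default values, gate the whole env entry instead. The same applies to the @@ -138, -171, -194, -215, -243, -264, -288, -313, -334, -353 and -369 hunks in this file and to the SNYK_TOKEN hunk in code_agent_deployment.yaml.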
@@ -171,15 +171,15 @@ spec: - name: BROKER_TOKEN valueFrom: secretKeyRef: - name: {{ .Values.scmType}}-broker-token{{if not .Values.disableSuffixes }}-{{ .Release.Name }}{{ end }} - key: "{{ .Values.scmType}}-broker-token-key" + name: {{ include "brokerTokenSecret" . }} + key: {{ include "brokerTokenSecretKey" . }} - name: BITBUCKET_USERNAME value: {{ .Values.bitbucketUsername }} - name: BITBUCKET_PASSWORD valueFrom: secretKeyRef: - name: {{ .Values.scmType}}-token{{if not .Values.disableSuffixes }}-{{ .Release.Name }}{{ end }} - key: "{{ .Values.scmType}}-token-key" + name: {{ include "targetTokenSecret" . }} + key: {{ include "targetTokenSecretKey" . }} - name: BITBUCKET value: {{ .Values.bitbucket }} - name: BITBUCKET_API @@ -194,13 +194,13 @@ spec: - name: BROKER_TOKEN valueFrom: secretKeyRef: - name: {{ .Values.scmType}}-broker-token{{if not .Values.disableSuffixes }}-{{ .Release.Name }}{{ end }} - key: "{{ .Values.scmType}}-broker-token-key" + name: {{ include "brokerTokenSecret" . }} + key: {{ include "brokerTokenSecretKey" . }} - name: BITBUCKET_PAT valueFrom: secretKeyRef: - name: {{ .Values.scmType}}-token{{if not .Values.disableSuffixes }}-{{ .Release.Name }}{{ end }} - key: "{{ .Values.scmType}}-token-key" + name: {{ include "targetTokenSecret" . }} + key: {{ include "targetTokenSecretKey" . }} - name: BITBUCKET value: {{ .Values.bitbucket }} - name: BITBUCKET_API 
@@ -215,14 +215,14 @@ spec: - name: BROKER_TOKEN valueFrom: secretKeyRef: - name: {{ .Values.scmType}}-broker-token{{if not .Values.disableSuffixes }}-{{ .Release.Name }}{{ end }} - key: "{{ .Values.scmType}}-broker-token-key" + name: {{ include "brokerTokenSecret" . }} + key: {{ include "brokerTokenSecretKey" . }} {{- if not .Values.useExternalSecretScmTokenPool }} - name: GITLAB_TOKEN valueFrom: secretKeyRef: - name: {{ .Values.scmType}}-token{{if not .Values.disableSuffixes }}-{{ .Release.Name }}{{ end }} - key: "{{ .Values.scmType}}-token-key" + name: {{ include "targetTokenSecret" . }} + key: {{ include "targetTokenSecretKey" . }} {{- end }} {{- if or (.Values.scmTokenPool) (.Values.useExternalSecretScmTokenPool) }} - name: GITLAB_TOKEN_POOL @@ -243,13 +243,13 @@ spec: - name: BROKER_TOKEN valueFrom: secretKeyRef: - name: {{ .Values.scmType}}-broker-token{{if not .Values.disableSuffixes }}-{{ .Release.Name }}{{ end }} - key: "{{ .Values.scmType}}-broker-token-key" + name: {{ include "brokerTokenSecret" . }} + key: {{ include "brokerTokenSecretKey" . }} - name: AZURE_REPOS_TOKEN valueFrom: secretKeyRef: - name: {{ .Values.scmType}}-token{{if not .Values.disableSuffixes }}-{{ .Release.Name }}{{ end }} - key: "{{ .Values.scmType}}-token-key" + name: {{ include "targetTokenSecret" . }} + key: {{ include "targetTokenSecretKey" . }} - name: AZURE_REPOS_ORG value: {{ .Values.azureReposOrg }} - name: AZURE_REPOS_HOST @@ -264,8 +264,8 @@ spec: - name: BROKER_TOKEN valueFrom: secretKeyRef: - name: {{ .Values.scmType}}-broker-token{{if not .Values.disableSuffixes }}-{{ .Release.Name }}{{ end }} - key: "{{ .Values.scmType}}-broker-token-key" + name: {{ include "brokerTokenSecret" . }} + key: {{ include "brokerTokenSecretKey" . }} - name: ARTIFACTORY_URL valueFrom: secretKeyRef: 
@@ -288,8 +288,8 @@ spec: - name: BROKER_TOKEN valueFrom: secretKeyRef: - name: {{ .Values.scmType }}-broker-token{{if not .Values.disableSuffixes }}-{{ .Release.Name }}{{ end }} - key: "{{ .Values.scmType}}-broker-token-key" + name: {{ include "brokerTokenSecret" . }} + key: {{ include "brokerTokenSecretKey" . }} - name: BASE_NEXUS_URL valueFrom: secretKeyRef: @@ -313,15 +313,15 @@ spec: - name: BROKER_TOKEN valueFrom: secretKeyRef: - name: {{ .Values.scmType}}-broker-token{{if not .Values.disableSuffixes }}-{{ .Release.Name }}{{ end }} - key: "{{ .Values.scmType}}-broker-token-key" + name: {{ include "brokerTokenSecret" . }} + key: {{ include "brokerTokenSecretKey" . }} - name: JIRA_USERNAME value: {{ .Values.jiraUsername }} - name: JIRA_PASSWORD valueFrom: secretKeyRef: - name: {{ .Values.scmType}}-token{{if not .Values.disableSuffixes }}-{{ .Release.Name }}{{ end }} - key: "{{ .Values.scmType}}-token-key" + name: {{ include "targetTokenSecret" . }} + key: {{ include "targetTokenSecretKey" . }} - name: JIRA_HOSTNAME value: {{ .Values.jiraHostname }} - name: PORT @@ -334,13 +334,13 @@ spec: - name: BROKER_TOKEN valueFrom: secretKeyRef: - name: {{ .Values.scmType}}-broker-token{{if not .Values.disableSuffixes }}-{{ .Release.Name }}{{ end }} - key: "{{ .Values.scmType}}-broker-token-key" + name: {{ include "brokerTokenSecret" . }} + key: {{ include "brokerTokenSecretKey" . }} - name: JIRA_PAT valueFrom: secretKeyRef: - name: {{ .Values.scmType}}-token{{if not .Values.disableSuffixes }}-{{ .Release.Name }}{{ end }} - key: "{{ .Values.scmType}}-token-key" + name: {{ include "targetTokenSecret" . }} + key: {{ include "targetTokenSecretKey" . }} - name: JIRA_HOSTNAME value: {{ .Values.jiraHostname }} - name: PORT 
@@ -353,8 +353,8 @@ spec: - name: BROKER_TOKEN valueFrom: secretKeyRef: - name: {{ .Values.scmType}}-broker-token{{if not .Values.disableSuffixes }}-{{ .Release.Name }}{{ end }} - key: "{{ .Values.scmType}}-broker-token-key" + name: {{ include "brokerTokenSecret" . }} + key: {{ include "brokerTokenSecretKey" . }} - name: CR_AGENT_URL value: http://cra-service{{if not .Values.disableSuffixes }}-{{ .Release.Name }}{{ end }}:{{ .Values.deployment.container.crSnykPort | toString }} - name: CR_TYPE @@ -369,15 +369,15 @@ spec: - name: CR_PASSWORD valueFrom: secretKeyRef: - name: {{ .Values.scmType}}-token{{if not .Values.disableSuffixes }}-{{ .Release.Name }}{{ end }} - key: "{{ .Values.scmType}}-token-key" + name: {{ include "targetTokenSecret" . }} + key: {{ include "targetTokenSecretKey" . }} {{- end }} {{- if has .Values.crType (list "digitalocean-cr") }} - name: CR_TOKEN valueFrom: secretKeyRef: - name: {{ .Values.scmType}}-token{{if not .Values.disableSuffixes }}-{{ .Release.Name }}{{ end }} - key: "{{ .Values.scmType}}-token-key" + name: {{ include "targetTokenSecret" . }} + key: {{ include "targetTokenSecretKey" . }} {{- end }} {{- if has .Values.crType (list "ecr") }} - name: CR_ROLE_ARN diff --git a/charts/snyk-broker/templates/code_agent_deployment.yaml b/charts/snyk-broker/templates/code_agent_deployment.yaml index 5b50819..9f0d61a 100644 --- a/charts/snyk-broker/templates/code_agent_deployment.yaml +++ b/charts/snyk-broker/templates/code_agent_deployment.yaml @@ -57,8 +57,8 @@ spec: - name: SNYK_TOKEN valueFrom: secretKeyRef: - name: snyk-token{{if not .Values.disableSuffixes }}-{{ .Release.Name }}{{ end }} - key: snyk-token-key + name: {{ include "snykTokenSecret" . }} + key: {{ include "snykTokenSecretKey" . }} {{- if $setTlsRejectUnauthorized }} # Troubleshooting - Set to 0 for SSL inspection testing - name: NODE_TLS_REJECT_UNAUTHORIZED 
diff --git a/charts/snyk-broker/tests/__snapshot__/broker_deployment_apprisk_test.yaml.snap b/charts/snyk-broker/tests/__snapshot__/broker_deployment_apprisk_test.yaml.snap index 253a846..1a913e0 100644 --- a/charts/snyk-broker/tests/__snapshot__/broker_deployment_apprisk_test.yaml.snap +++ b/charts/snyk-broker/tests/__snapshot__/broker_deployment_apprisk_test.yaml.snap @@ -38,8 +38,8 @@ apprisk enabled: - name: GITHUB_TOKEN valueFrom: secretKeyRef: - key: github-com-token-key - name: github-com-token-RELEASE-NAME + key: token-key + name: null - name: PORT value: "8000" - name: BROKER_CLIENT_URL diff --git a/charts/snyk-broker/tests/__snapshot__/broker_deployment_customaccept_disablesuffixes_test.yaml.snap b/charts/snyk-broker/tests/__snapshot__/broker_deployment_customaccept_disablesuffixes_test.yaml.snap index 37b18af..9940f02 100644 --- a/charts/snyk-broker/tests/__snapshot__/broker_deployment_customaccept_disablesuffixes_test.yaml.snap +++ b/charts/snyk-broker/tests/__snapshot__/broker_deployment_customaccept_disablesuffixes_test.yaml.snap @@ -47,12 +47,12 @@ customaccept values: valueFrom: secretKeyRef: key: github-com-broker-token-key - name: github-com-broker-token + name: github-com-broker-token-RELEASE-NAME - name: GITHUB_TOKEN valueFrom: secretKeyRef: - key: github-com-token-key - name: github-com-token + key: token-key + name: null - name: PORT value: "8000" - name: BROKER_CLIENT_URL diff --git a/charts/snyk-broker/tests/__snapshot__/broker_deployment_customaccept_test.yaml.snap b/charts/snyk-broker/tests/__snapshot__/broker_deployment_customaccept_test.yaml.snap index af515d2..3f4a303 100644 --- a/charts/snyk-broker/tests/__snapshot__/broker_deployment_customaccept_test.yaml.snap +++ b/charts/snyk-broker/tests/__snapshot__/broker_deployment_customaccept_test.yaml.snap 
@@ -51,8 +51,8 @@ customaccept values: - name: GITHUB_TOKEN valueFrom: secretKeyRef: - key: github-com-token-key - name: github-com-token-RELEASE-NAME + key: token-key + name: null - name: PORT value: "8000" - name: BROKER_CLIENT_URL diff --git a/charts/snyk-broker/tests/__snapshot__/broker_deployment_disablesuffixes_test.yaml.snap b/charts/snyk-broker/tests/__snapshot__/broker_deployment_disablesuffixes_test.yaml.snap index d07b1cd..fd1a4b4 100644 --- a/charts/snyk-broker/tests/__snapshot__/broker_deployment_disablesuffixes_test.yaml.snap +++ b/charts/snyk-broker/tests/__snapshot__/broker_deployment_disablesuffixes_test.yaml.snap @@ -34,12 +34,12 @@ HA mode on: valueFrom: secretKeyRef: key: github-com-broker-token-key - name: github-com-broker-token + name: github-com-broker-token-RELEASE-NAME - name: GITHUB_TOKEN valueFrom: secretKeyRef: - key: github-com-token-key - name: github-com-token + key: token-key + name: null - name: PORT value: "8000" - name: BROKER_CLIENT_URL @@ -181,12 +181,12 @@ HA mode on with 4 replicas: valueFrom: secretKeyRef: key: github-com-broker-token-key - name: github-com-broker-token + name: github-com-broker-token-RELEASE-NAME - name: GITHUB_TOKEN valueFrom: secretKeyRef: - key: github-com-token-key - name: github-com-token + key: token-key + name: null - name: PORT value: "8000" - name: BROKER_CLIENT_URL @@ -328,12 +328,12 @@ default values: valueFrom: secretKeyRef: key: github-com-broker-token-key - name: github-com-broker-token + name: github-com-broker-token-RELEASE-NAME - name: GITHUB_TOKEN valueFrom: secretKeyRef: - key: github-com-token-key - name: github-com-token + key: token-key + name: null - name: PORT value: "8000" - name: BROKER_CLIENT_URL 
@@ -473,12 +473,12 @@ preflight checks off: valueFrom: secretKeyRef: key: github-com-broker-token-key - name: github-com-broker-token + name: github-com-broker-token-RELEASE-NAME - name: GITHUB_TOKEN valueFrom: secretKeyRef: - key: github-com-token-key - name: github-com-token + key: token-key + name: null - name: PORT value: "8000" - name: BROKER_CLIENT_URL diff --git a/charts/snyk-broker/tests/__snapshot__/broker_deployment_external_secret_test.yaml.snap b/charts/snyk-broker/tests/__snapshot__/broker_deployment_external_secret_test.yaml.snap new file mode 100644 index 0000000..0967ef4 --- /dev/null +++ b/charts/snyk-broker/tests/__snapshot__/broker_deployment_external_secret_test.yaml.snap @@ -0,0 +1 @@ +{} diff --git a/charts/snyk-broker/tests/__snapshot__/broker_deployment_ingress_disablesuffixes_test.yaml.snap b/charts/snyk-broker/tests/__snapshot__/broker_deployment_ingress_disablesuffixes_test.yaml.snap index 7ba21ce..7d073ab 100644 --- a/charts/snyk-broker/tests/__snapshot__/broker_deployment_ingress_disablesuffixes_test.yaml.snap +++ b/charts/snyk-broker/tests/__snapshot__/broker_deployment_ingress_disablesuffixes_test.yaml.snap @@ -34,12 +34,12 @@ ingress: valueFrom: secretKeyRef: key: github-com-broker-token-key - name: github-com-broker-token + name: github-com-broker-token-RELEASE-NAME - name: GITHUB_TOKEN valueFrom: secretKeyRef: - key: github-com-token-key - name: github-com-token + key: token-key + name: null - name: PORT value: "8000" - name: BROKER_CLIENT_URL diff --git a/charts/snyk-broker/tests/__snapshot__/broker_deployment_ingress_test.yaml.snap b/charts/snyk-broker/tests/__snapshot__/broker_deployment_ingress_test.yaml.snap index a71a172..993dcfe 100644 --- a/charts/snyk-broker/tests/__snapshot__/broker_deployment_ingress_test.yaml.snap +++ b/charts/snyk-broker/tests/__snapshot__/broker_deployment_ingress_test.yaml.snap 
@@ -38,8 +38,8 @@ ingress: - name: GITHUB_TOKEN valueFrom: secretKeyRef: - key: github-com-token-key - name: github-com-token-RELEASE-NAME + key: token-key + name: null - name: PORT value: "8000" - name: BROKER_CLIENT_URL diff --git a/charts/snyk-broker/tests/__snapshot__/broker_deployment_scm_token_pool_test.yaml.snap b/charts/snyk-broker/tests/__snapshot__/broker_deployment_scm_token_pool_test.yaml.snap index 217ec69..0f042a6 100644 --- a/charts/snyk-broker/tests/__snapshot__/broker_deployment_scm_token_pool_test.yaml.snap +++ b/charts/snyk-broker/tests/__snapshot__/broker_deployment_scm_token_pool_test.yaml.snap @@ -38,8 +38,8 @@ github token pool configured: - name: GITHUB_TOKEN valueFrom: secretKeyRef: - key: github-com-token-key - name: github-com-token-RELEASE-NAME + key: token-key + name: null - name: GITHUB_TOKEN_POOL valueFrom: secretKeyRef: @@ -341,8 +341,8 @@ gitlab token pool configured: - name: GITLAB_TOKEN valueFrom: secretKeyRef: - key: gitlab-token-key - name: gitlab-token-RELEASE-NAME + key: token-key + name: null - name: GITLAB_TOKEN_POOL valueFrom: secretKeyRef: diff --git a/charts/snyk-broker/tests/__snapshot__/broker_deployment_test.yaml.snap b/charts/snyk-broker/tests/__snapshot__/broker_deployment_test.yaml.snap index c36da32..a9a97b2 100644 --- a/charts/snyk-broker/tests/__snapshot__/broker_deployment_test.yaml.snap +++ b/charts/snyk-broker/tests/__snapshot__/broker_deployment_test.yaml.snap @@ -38,8 +38,8 @@ HA mode on: - name: GITHUB_TOKEN valueFrom: secretKeyRef: - key: github-com-token-key - name: github-com-token-RELEASE-NAME + key: token-key + name: null - name: PORT value: "8000" - name: BROKER_CLIENT_URL @@ -185,8 +185,8 @@ HA mode on with 4 replicas: - name: GITHUB_TOKEN valueFrom: secretKeyRef: - key: github-com-token-key - name: github-com-token-RELEASE-NAME + key: token-key + name: null - name: PORT value: "8000" - name: BROKER_CLIENT_URL 
@@ -332,8 +332,8 @@ HTTPS enabled: - name: GITHUB_TOKEN valueFrom: secretKeyRef: - key: github-com-token-key - name: github-com-token-RELEASE-NAME + key: token-key + name: null - name: PORT value: "8000" - name: BROKER_CLIENT_URL @@ -496,8 +496,8 @@ default values: - name: GITHUB_TOKEN valueFrom: secretKeyRef: - key: github-com-token-key - name: github-com-token-RELEASE-NAME + key: token-key + name: null - name: PORT value: "8000" - name: BROKER_CLIENT_URL @@ -641,8 +641,8 @@ preflight checks off: - name: GITHUB_TOKEN valueFrom: secretKeyRef: - key: github-com-token-key - name: github-com-token-RELEASE-NAME + key: token-key + name: null - name: PORT value: "8000" - name: BROKER_CLIENT_URL diff --git a/charts/snyk-broker/tests/__snapshot__/cra_deployment_digitalocean_test.yaml.snap b/charts/snyk-broker/tests/__snapshot__/cra_deployment_digitalocean_test.yaml.snap index 7abee19..ba19333 100644 --- a/charts/snyk-broker/tests/__snapshot__/cra_deployment_digitalocean_test.yaml.snap +++ b/charts/snyk-broker/tests/__snapshot__/cra_deployment_digitalocean_test.yaml.snap @@ -44,8 +44,8 @@ default values: - name: CR_TOKEN valueFrom: secretKeyRef: - key: container-registry-agent-token-key - name: container-registry-agent-token-RELEASE-NAME + key: token-key + name: null - name: PORT value: "8000" - name: BROKER_CLIENT_URL diff --git a/charts/snyk-broker/tests/__snapshot__/cra_deployment_disablesuffixes_test.yaml.snap b/charts/snyk-broker/tests/__snapshot__/cra_deployment_disablesuffixes_test.yaml.snap index fc8f6c9..fbca410 100644 --- a/charts/snyk-broker/tests/__snapshot__/cra_deployment_disablesuffixes_test.yaml.snap +++ b/charts/snyk-broker/tests/__snapshot__/cra_deployment_disablesuffixes_test.yaml.snap 
@@ -34,7 +34,7 @@ default values: valueFrom: secretKeyRef: key: container-registry-agent-broker-token-key - name: container-registry-agent-broker-token + name: container-registry-agent-broker-token-RELEASE-NAME - name: CR_AGENT_URL value: http://cra-service:8081 - name: CR_TYPE diff --git a/charts/snyk-broker/tests/__snapshot__/cra_deployment_harbor_test.yaml.snap b/charts/snyk-broker/tests/__snapshot__/cra_deployment_harbor_test.yaml.snap index 6fb3b05..355bb37 100644 --- a/charts/snyk-broker/tests/__snapshot__/cra_deployment_harbor_test.yaml.snap +++ b/charts/snyk-broker/tests/__snapshot__/cra_deployment_harbor_test.yaml.snap @@ -46,8 +46,8 @@ default values: - name: CR_PASSWORD valueFrom: secretKeyRef: - key: container-registry-agent-token-key - name: container-registry-agent-token-RELEASE-NAME + key: token-key + name: null - name: PORT value: "8000" - name: BROKER_CLIENT_URL diff --git a/charts/snyk-broker/tests/broker_deployment_external_secret_test.yaml b/charts/snyk-broker/tests/broker_deployment_external_secret_test.yaml new file mode 100644 index 0000000..9ec9487 --- /dev/null +++ b/charts/snyk-broker/tests/broker_deployment_external_secret_test.yaml 
@@ -0,0 +1,32 @@ +suite: test broker deployment with external secrets +chart: + version: 0.0.0 +templates: + - broker_deployment.yaml +values: + - ./fixtures/default_values.yaml + - ./fixtures/default_values_external_secret.yaml + +tests: + - it: should set an external GITHUB_TOKEN secret + set: + scmType: github-com + asserts: + - equal: + path: spec.template.spec.containers[0].env[3].name + value: BROKER_TOKEN + - equal: + path: spec.template.spec.containers[0].env[4].name + value: GITHUB_TOKEN + - equal: + path: spec.template.spec.containers[0].env[3].valueFrom.secretKeyRef.name + value: my-broker-token-secret + - equal: + path: spec.template.spec.containers[0].env[3].valueFrom.secretKeyRef.key + value: my-token + - equal: + path: spec.template.spec.containers[0].env[4].valueFrom.secretKeyRef.name + value: my-target-token-secret + - equal: + path: spec.template.spec.containers[0].env[4].valueFrom.secretKeyRef.key + value: my-token diff --git a/charts/snyk-broker/tests/fixtures/default_values_external_secret.yaml b/charts/snyk-broker/tests/fixtures/default_values_external_secret.yaml new file mode 100644 index 0000000..1b23afb --- /dev/null +++ b/charts/snyk-broker/tests/fixtures/default_values_external_secret.yaml @@ -0,0 +1,11 @@ +brokerToken: "" +brokerTokenSecret: my-broker-token-secret +brokerTokenSecretKey: my-token + +scmToken: "" +targetTokenSecret: my-target-token-secret +targetTokenSecretKey: my-token + +snykToken: "" +snykTokenSecret: my-snyk-token-secret +snykTokenSecretKey: my-token diff --git a/charts/snyk-broker/values.schema.json b/charts/snyk-broker/values.schema.json index d50e963..564c7ff 100644 --- a/charts/snyk-broker/values.schema.json +++ b/charts/snyk-broker/values.schema.json 
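Review bot: Because the fixture in this diff sets both `brokerTokenSecretKey` and `targetTokenSecretKey` to the same value `my-token`, the two `secretKeyRef.key` assertions in this test cannot detect the broker and target helpers being swapped; give the fixture distinct values, e.g. `brokerTokenSecretKey: my-broker-key`. There is no case for the chart-managed path (`brokerToken`/`scmToken` set) with `disableSuffixes: true`, nor any case over code_agent_deployment.yaml, which is the only place the `snykTokenSecret` helper output would be checked; an additional `it:` asserting the suffixed names would pin the previous naming behaviour that the snapshot changes elsewhere in this diff show is no longer produced. Addressing env entries by position (`env[3]`, `env[4]`) is also fragile against any reordering of the env list; a `contains` assertion on `spec.template.spec.containers[0].env` with the full entry as `content` is order-independent.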
@@ -7,16 +7,30 @@ "pattern": "^http(s?):\/\/.*" } }, - "urlWithSchema":{ - "type":"string", + "urlWithSchema": { + "type": "string", "pattern": "^$|^http(s?):\/\/.*" } }, "type": "object", "properties": { + "brokerTokenSecret": { + "type": "string" + }, + "brokerTokenSecretKey": { + "type": "string" + }, "brokerToken": { - "type": "string", - "format": "uuid" + "anyOf": [ + { + "type": "string", + "format": "uuid" + }, + { + "type": "string", + "format": "" + } + ] }, "brokerClientUrl": { "type": "string", @@ -80,16 +94,22 @@ "container-registry-agent" ] }, - "scmToken":{ + "scmToken": { + "type": "string" + }, + "scmTokenSecret": { + "type": "string" + }, + "scmTokenSecretKey": { "type": "string" }, - "scmTokenPool":{ - "type":"string" + "scmTokenPool": { + "type": "string" }, - "useExternalSecretScmTokenPool":{ + "useExternalSecretScmTokenPool": { "type": "boolean" }, - "github":{ + "github": { "$ref": "#/$defs/urlNoSchema" }, "githubApi": { @@ -113,25 +133,25 @@ "bitbucketApi": { "$ref": "#/$defs/urlNoSchema" }, - "gitlab":{ + "gitlab": { "$ref": "#/$defs/urlNoSchema" }, "azureReposOrg": { "type": "string" }, - "azureReposHost":{ + "azureReposHost": { "$ref": "#/$defs/urlNoSchema" }, - "azureReposToken":{ + "azureReposToken": { "type": "string" }, - "artifactoryUrl":{ + "artifactoryUrl": { "$ref": "#/$defs/urlNoSchema" }, - "baseNexusUrl":{ + "baseNexusUrl": { "$ref": "#/$defs/urlWithSchema" }, - "nexusUrl":{ + "nexusUrl": { "$ref": "#/$defs/urlWithSchema" }, "brokerClientValidationUrl": { @@ -151,7 +171,7 @@ }, "crType": { "type": "string", - "enum":[ + "enum": [ "", "artifactory-cr", "harbor-cr", @@ -204,7 +224,7 @@ "" ] }, - "enableCodeAgent":{ + "enableCodeAgent": { "type": [ "boolean", "string" @@ -217,9 +237,14 @@ ] }, "upstreamUrlCodeAgent": { - }, - "snykToken":{ + "snykTokenSecret": { + "type": "string" + }, + "snykTokenSecretKey": { + "type": "string" + }, + "snykToken": { "anyOf": [ { "type": "string", 
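Review bot: The second `anyOf` branch for `brokerToken`, `{ "type": "string", "format": "" }`, accepts every string, since validators ignore an unknown or empty `format`, so the `uuid` constraint in the first branch no longer restricts anything. If the intent is to allow an empty value when `brokerTokenSecret` is used instead, constrain that branch to the empty string: `{ "type": "string", "maxLength": 0 }`.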
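Review bot: The schema declares `scmTokenSecret` and `scmTokenSecretKey`, but the helpers and values.yaml in this diff read `targetTokenSecret` and `targetTokenSecretKey`, so the properties the chart actually consumes are undeclared; if the top-level object sets `additionalProperties: false` (not visible here), the shipped defaults would fail schema validation on install. Rename the two entries to `"targetTokenSecret": { "type": "string" }` and `"targetTokenSecretKey": { "type": "string" }`, or add them alongside if `scmTokenSecret` is meant for something else.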
@@ -238,24 +263,24 @@ "gitClientUrl": { "type": "string" }, - "logLevel":{ + "logLevel": { "type": "string", - "enum":[ + "enum": [ "info", "debug" ] }, - "logEnableBody":{ + "logEnableBody": { "type": "string", - "enum":[ + "enum": [ "false", "true" ] }, - "enableBrokerLocalWebserverOverHttps":{ + "enableBrokerLocalWebserverOverHttps": { "type": "boolean" }, - "httpsCert":{ + "httpsCert": { "type": "string" }, "httpsKey": { @@ -271,13 +296,13 @@ "disableCaCertTrust": { "type": "boolean" }, - "tlsRejectUnauthorized":{ + "tlsRejectUnauthorized": { "type": [ "string", "boolean", "integer" ], - "enum":[ + "enum": [ "", 0, "0", @@ -286,32 +311,32 @@ "disable" ] }, - "httpProxy":{ + "httpProxy": { "$ref": "#/$defs/urlWithSchema" }, - "httpsProxy":{ + "httpsProxy": { "$ref": "#/$defs/urlWithSchema" }, "noProxy": { "type": "string" }, - "acceptJson":{ + "acceptJson": { "type": "string" }, "image": { "type": "object", "additionalProperties": false, - "properties":{ - "repository":{ + "properties": { + "repository": { "type": "string" }, - "crRepository":{ + "crRepository": { "type": "string" }, - "caRepository":{ + "caRepository": { "type": "string" }, - "pullPolicy":{ + "pullPolicy": { "type": "string", "enum": [ "Always", @@ -327,7 +352,7 @@ "imagePullSecrets": { "type": "array" }, - "healthCheckPath":{ + "healthCheckPath": { "type": "string" }, "systemCheckPath": { @@ -375,7 +400,7 @@ "deployment": { "type": "object" }, - "serviceAccount":{ + "serviceAccount": { "type": "object", "additionalProperties": false, "properties": { @@ -405,10 +430,10 @@ "securityContextCa": { "type": "object" }, - "service":{ + "service": { "type": "object", "additionalProperties": false, - "properties":{ + "properties": { "brokerType": { "type": "string" }, @@ -422,7 +447,7 @@ "type": "integer" }, "tls": { - "type" :"array" + "type": "array" } } }, @@ -432,7 +457,7 @@ "enabled": { "type": "boolean" }, - "ingressClassName":{ + "ingressClassName": { "type": "string" }, "annotations": { 
@@ -447,18 +472,18 @@ "pathType": { "type": "string" }, - "hosts":{ + "hosts": { "type": "array" }, - "extraPaths":{ + "extraPaths": { "type": "array" }, - "tls":{ + "tls": { "type": "array" } } }, - "extraObjects":{ + "extraObjects": { "type": "array" }, "extraVolumes": { @@ -473,7 +498,7 @@ "extraPodSpecs": { "nullable": true }, - "extraPodSpecsCr":{ + "extraPodSpecsCr": { "nullable": true } }, diff --git a/charts/snyk-broker/values.yaml b/charts/snyk-broker/values.yaml index de9a420..ddb429a 100644 --- a/charts/snyk-broker/values.yaml +++ b/charts/snyk-broker/values.yaml @@ -6,6 +6,8 @@ # Broker Token is a value from Snyk. Get this from the integration settings page or your Snyk Representative brokerToken: "" +brokerTokenSecret: "" +brokerTokenSecretKey: "" # brokerClientUrl is the address of the broker. This needs to be the address of itself. In the case of Kubernetes, you need to ensure that you are pointing to the cluster ingress you have setup. # Ex: http://kubernetes-ingress.domain.com:8000 @@ -58,6 +60,10 @@ scmType: "github-com" # scmToken is used for SCMs that require a personal Access Token: GitHub & Gitlab scmToken: "" +# targetTokenSecret is used for: GitHub, GitLab, BitBucket, Azure Repos +targetTokenSecret: "" +targetTokenSecretKey: "token-key" + # scmTokenPool is used by credential pooling for SCMs that require a personal Access Token: GitHub & Gitlab scmTokenPool: "" @@ -82,9 +88,11 @@ githubGraphQl: "" bitbucketUsername: "" # Bitbucket Password (Bitbucket-server type only) +# can also be set via targetTokenSecret + targetTokenSecretKey bitbucketPassword: "" # Bitbucket Pat (Bitbucket-server-bearer-auth type only) +# can also be set via targetTokenSecret + targetTokenSecretKey bitbucketPat: "" # Bitbucket URL - do not prepend HTTPS 
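Review bot: `targetTokenSecretKey: "token-key"` defaults to a non-empty key while `targetTokenSecret` defaults to empty, and because the helper's `else if .Values.targetTokenSecretKey` branch fires on the key alone, a default render emits `key: token-key` next to `name: null` (visible in the updated snapshots); defaulting it to `""` like `brokerTokenSecretKey` and `snykTokenSecretKey` keeps the three pairs consistent. The comment `# targetTokenSecret is used for: GitHub, GitLab, BitBucket, Azure Repos` understates its scope, since the later hunks also point the Jira and container-registry credentials at it. `brokerTokenSecret`/`brokerTokenSecretKey` (@@ -6) and `snykTokenSecret`/`snykTokenSecretKey` (@@ -188) are added without any comment, unlike every neighbouring value; a line such as `# brokerTokenSecret / brokerTokenSecretKey: name and key of an existing Secret holding the broker token, used instead of brokerToken` would document the alternative.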
@@ -109,9 +117,9 @@ azureReposOrg: "" azureReposHost: "" # Azure Repos Token +# can also be set via targetTokenSecret + targetTokenSecretKey azureReposToken: "" - ##### Artifactory ##### # Artifactory URL - do not prepend HTTPS @@ -136,9 +144,11 @@ brokerClientValidationUrl: "" jiraUsername: "" # Jira Password +# can also be set via targetTokenSecret + targetTokenSecretKey jiraPassword: "" #Jira PAT (for Bearer auth): +# can also be set via targetTokenSecret + targetTokenSecretKey jiraPat: "" # Jira Hostname - do not prepend HTTPS @@ -157,6 +167,7 @@ crBase: "" crUsername: "" # Container Registry Password +# can also be set via targetTokenSecret + targetTokenSecretKey crPassword: "" # Container Role ARN (Only for ECR) @@ -169,6 +180,7 @@ crRegion: "" crExternalId: "" # Container Authentication Token (Only for DigitalOcean) +# can also be set via targetTokenSecret + targetTokenSecretKey crToken: "" # CRA Image tag. Do not adjust unless instructed by Snyk Representative @@ -188,6 +200,8 @@ upstreamUrlCodeAgent: "" # Snyk API token. Allows Code Agent to upload source code. Group > Settings > Service Accounts snykToken: "" +snykTokenSecret: "" +snykTokenSecretKey: "" #CA Image Tag. Do not touch unless instructed by Snyk Representative caImage: "latest"