diff --git a/canary-checker/docs/concepts/secret-management.md b/canary-checker/docs/concepts/secret-management.md
index 203d7dbd..81bca51f 100644
--- a/canary-checker/docs/concepts/secret-management.md
+++ b/canary-checker/docs/concepts/secret-management.md
@@ -21,8 +21,20 @@ Avoid inlining secrets, use `valueFrom` and EnvV
 Using a HTTP health check as an example for static values:
-```yaml title="http-basic-auth.yaml" file=../../../modules/canary-checker/fixtures/minimal/http_auth_static_pass.yaml
-
+```yaml title="http-basic-auth-static.yaml"
+apiVersion: canaries.flanksource.com/v1
+kind: Canary
+metadata:
+ name: http-basic-auth
+spec:
+ http:
+ - url: https://httpbin.org/basic-auth/hello/world
+ responseCodes: [200]
+ authentication:
+ username:
+ value: hello
+ password:
+ value: world
 ```
 ## Configmaps
@@ -33,8 +45,26 @@ To use a configmap, we first need to create the configmap:
 kubectl create configmap basic-auth --from-literal=user=hello --from-literal=pass=world -n default
 ```
-```yaml title="http-basic-auth.yaml" file=../../../modules/canary-checker/fixtures/minimal/http_auth_from_config_map.yaml
-
+```yaml title="http-basic-auth-configmap.yaml"
+apiVersion: canaries.flanksource.com/v1
+kind: Canary
+metadata:
+ name: http-basic-auth-configmap
+spec:
+ http:
+ - url: https://httpbin.org/basic-auth/hello/world
+ responseCodes: [200]
+ authentication:
+ username:
+ valueFrom:
+ configMapKeyRef:
+ name: basic-auth
+ key: user
+ password:
+ valueFrom:
+ configMapKeyRef:
+ name: basic-auth
+ key: pass
 ```
 ## Secrets
@@ -45,8 +75,24 @@ To use a secret, first we create the secret:
 kubectl create secret generic basic-auth --from-literal=user=hello --from-literal=pass=world -n default
 ```
-```yaml title="http-basic-auth.yaml" file=../../../modules/canary-checker/fixtures/minimal/http_auth_from_secret.yaml
-
+```yaml title="http-basic-auth-secret.yaml"
+apiVersion: canaries.flanksource.com/v1
+kind: Canary
+metadata:
+ name: http-basic-auth-configmap
+spec:
+ http:
+ - url: https://httpbin.demo.aws.flanksource.com/basic-auth/hello/world
+ username:
+ valueFrom:
+ secretKeyRef:
+ name: basic-auth
+ key: user
+ password:
+ valueFrom:
+ secretKeyRef:
+ name: basic-auth
+ key: pass
 ```
 ## Helm Values
@@ -57,15 +103,50 @@ To use a secret, first we deploy a helm chart
 helm install podinfo podinfo/podinfo -n podinfo --set ingress.enabled=true
 ```
-```yaml title="http-from-helm.yaml" file=../../../modules/canary-checker/fixtures/minimal/http_auth_from_helm_ref.yaml
-
+```yaml title="http-from-helm.yaml"
+apiVersion: canaries.flanksource.com/v1
+kind: Canary
+metadata:
+ name: http-from-helm
+spec:
+ http:
+ - env:
+ - name: url
+ valueFrom:
+ helmRef:
+ name: podinfo
+ key: .ingress.hosts[0].host
+
+ url: $(url)
 ```
 ## Service Accounts
 Checks can use service accounts for authentication with external services that have existing trust established
-```yaml title="http-service-accounts.yaml" file=../../../modules/canary-checker/fixtures/minimal/http_auth_from_service_account.yaml
+```yaml title="http-service-accounts.yaml"
+apiVersion: canaries.flanksource.com/v1
+kind: Canary
+metadata:
+ name: http-basic-auth-configmap
+spec:
+ http:
+
+ interval: 30
+ http:
+ - name: vault-example-sre
+ description: "HashiCorp Vault functionality check."
+ url: https://vault.example/v1/auth/kubernetes/login
+ env:
+ - name: TOKEN
+ valueFrom:
+ serviceAccount: default-account
+ templateBody: true
+ body: |
+ {
+ "jwt": "$(TOKEN)",
+ "role": "example-role"
+ }
 ```
diff --git a/mission-control/docs/config-db/concepts/index.mdx b/mission-control/docs/config-db/concepts/index.mdx
index 4b23d5b5..5e8c3db4 100644
--- a/mission-control/docs/config-db/concepts/index.mdx
+++ b/mission-control/docs/config-db/concepts/index.mdx
@@ -3,7 +3,6 @@ sidebar_position: 3
 title: Concepts
 ---
-
 import DocCardList from '@theme/DocCardList';
diff --git a/mission-control/docs/config-db/scrapers/azure-devops.mdx b/mission-control/docs/config-db/scrapers/azure-devops.mdx
index 5d3e7dcb..450aa257 100644
--- a/mission-control/docs/config-db/scrapers/azure-devops.mdx
+++ b/mission-control/docs/config-db/scrapers/azure-devops.mdx
@@ -25,16 +25,17 @@ Each time the pipeline is run it will create a change for that configuration ite
 ### AzureDevops
-| Field | Description | Scheme | Required |
-| --------------------- | --------------------------------------------------------------------- | ------------------------------------------------ | -------- |
-| `connection` | Connection to use for azure devops credential | `string` | |
-| `organization` | Specifies the name of the Azure DevOps organization to scrape | `string` | |
-| `personalAccessToken` | Specifies the personal access token to authenticate with Azure DevOps | []_EnvVar_ | |
-| `projects` | Specifies the Azure DevOps projects to scrape | `[]string` | `true` |
-| `pipelines` | Specifies the Azure DevOps pipelines to scrape | `[]string` | `true` |
-| `properties` | Custom templatable properties for the scraped config items. | [`[]ConfigProperty`](/reference/config-db/properties) | |
-| `transform` | Field to transform result | [`Transform`](/config-db/concepts/transform) | |
-| `tags` | Set custom tags on the scraped config items | `map[string]string` | |
+| Field | Description | Scheme | Required |
+| --------------------- | --------------------------------------------------------------------- | ----------------------------------------------------- | -------- |
+| `connection` | Connection to use for Azure DevOps credential | `string` | |
+| `organization` | Specifies the name of the Azure DevOps organization to scrape | `string` | |
+| `personalAccessToken` | Specifies the personal access token to authenticate with Azure DevOps | []_EnvVar_ | |
+| `projects` | Specifies the Azure DevOps projects to scrape | `[]string` | `true` |
+| `pipelines` | Specifies the Azure DevOps pipelines to scrape | `[]string` | `true` |
+| `properties` | Custom templatable properties for the scraped config items.
| [`[]ConfigProperty`](/reference/config-db/properties) | | +| `transform` | Field to transform result | [`Transform`](/config-db/concepts/transform) | | +| `tags` | Set custom tags on the scraped config items | `map[string]string` | | + :::note Either the connection name or the credentials (organization & personalAccessToken) are required