Skip to main content

Env Vars

Mission Control uses the Kubernetes ValuesFrom pattern to retrieve sensitive values like usernames, password and access keys.

Whenever a field uses the EnvVar object type you have the option of specifying the value in multiple ways.

  1. Statically in the value
  2. From a Kubernetes Config Map via configMapKeyRef
  3. From a Kubernetes Secret via secretKeyRef
  4. From a Helm chart computed values.yaml via helmRef
  5. From a Kubernetes service account using serviceAccount

Static Values

warning

Avoid in-lining secrets, use valueFrom and EnvVar

Using a HTTP health check as an example for static values:

http-basic-auth-static.yaml
apiVersion: canaries.flanksource.com/v1
kind: Canary
metadata:
name: http-basic-auth-static
annotations:
trace2: "true"
log.level: trace6
spec:
http:
- name: "basic auth fail"
url: https://httpbin.flanksource.com/basic-auth/hello/world
responseCodes: [401]
- name: "basic auth pass"
url: https://httpbin.flanksource.com/basic-auth/hello/world
responseCodes: [200]
username:
value: hello
password:
value: world

Kubernetes Config Maps

To use a configmap, we first need to create the configmap:

kubectl create configmap basic-auth --from-literal=user=hello --from-literal=pass=world -n default
http-basic-auth-configmap.yaml
apiVersion: canaries.flanksource.com/v1
kind: Canary
metadata:
name: http-basic-auth
spec:
schedule: "@every 1m"
http:
- name: "basic auth fail"
url: https://httpbin.flanksource.com/basic-auth/hello/world
responseCodes: [401]
- name: "basic auth pass"
url: https://httpbin.flanksource.com/basic-auth/hello/world
responseCodes: [200]
username:
valueFrom:
configMapKeyRef:
name: basic-auth
key: username
password:
valueFrom:
configMapKeyRef:
name: basic-auth
key: password

Kubernetes Secrets

To use a secret, first we create the secret:

kubectl create secret generic basic-auth --from-literal=user=hello --from-literal=pass=world -n default
http-basic-auth-secret.yaml
apiVersion: canaries.flanksource.com/v1
kind: Canary
metadata:
name: http-basic-auth
spec:
schedule: "@every 1m"
http:
- name: "basic auth fail"
url: https://httpbin.flanksource.com/basic-auth/hello/world
responseCodes: [401]
- name: "basic auth pass"
url: https://httpbin.flanksource.com/basic-auth/hello/world
responseCodes: [200]
username:
valueFrom:
secretKeyRef:
name: httpbin-secret
key: username
password:
valueFrom:
secretKeyRef:
name: httpbin-secret
key: password

Helm Values

To use a secret, first we deploy a helm chart

helm install podinfo podinfo/podinfo -n podinfo --set ingress.enabled=true
http-from-helm.yaml
apiVersion: canaries.flanksource.com/v1
kind: Canary
metadata:
name: http-from-helm
spec:
schedule: "@every 1m"
http:
- name: HTTP check
url: $(url)
env:
- name: url
valueFrom:
helmRef:
name: podinfo
key: .ingress.hosts[0].host

Kubernetes Service Accounts

Checks can use service accounts for authentication with external services that have existing trust established

http-service-accounts.yaml
apiVersion: canaries.flanksource.com/v1
kind: Canary
metadata:
name: http-basic-auth-service-account
spec:
schedule: "@every 1m"
http:
- name: vault-example-sre
description: "HashiCorp Vault functionality check."
url: https://vault.example/v1/auth/kubernetes/login
env:
- name: TOKEN
valueFrom:
serviceAccount: default-account
templateBody: true
body: |
{
"jwt": "$(TOKEN)",
"role": "example-role"
}
note

To issue service account tokens, grant the canary-checker-sa service account access to serviceaccounts/token:

kubectl create clusterrole canary-checker-sa-issuing \
--verb=create,get \
--resource=serviceaccounts,serviceaccounts/token

kubectl create clusterrolebinding canary-checker-sa-issuing-rolebinding \
--clusterrole=canary-checker-sa-issuing \
--serviceaccount=canary-checker:canary-checker-sa