Env Vars
Mission Control uses the Kubernetes ValuesFrom pattern to retrieve sensitive values like usernames, password and access keys.
Whenever a field uses the EnvVar object type you have the option of specifying the value in multiple ways.
- Statically in the
value - From a Kubernetes Config Map via
configMapKeyRef - From a Kubernetes Secret via
secretKeyRef - From a Helm chart computed
values.yamlviahelmRef - From a Kubernetes service account using
serviceAccount
Static Values
warning
Avoid in-lining secrets, use valueFrom and EnvVar
Using a HTTP health check as an example for static values:
http-basic-auth-static.yamlapiVersion: canaries.flanksource.com/v1
kind: Canary
metadata:
name: http-basic-auth-static
annotations:
trace2: "true"
log.level: trace6
spec:
http:
- name: "basic auth fail"
url: https://httpbin.flanksource.com/basic-auth/hello/world
responseCodes: [401]
- name: "basic auth pass"
url: https://httpbin.flanksource.com/basic-auth/hello/world
responseCodes: [200]
username:
value: hello
password:
value: world
Kubernetes Config Maps
To use a configmap, we first need to create the configmap:
kubectl create configmap basic-auth --from-literal=user=hello --from-literal=pass=world -n default
http-basic-auth-configmap.yamlapiVersion: canaries.flanksource.com/v1
kind: Canary
metadata:
name: http-basic-auth
spec:
schedule: "@every 1m"
http:
- name: "basic auth fail"
url: https://httpbin.flanksource.com/basic-auth/hello/world
responseCodes: [401]
- name: "basic auth pass"
url: https://httpbin.flanksource.com/basic-auth/hello/world
responseCodes: [200]
username:
valueFrom:
configMapKeyRef:
name: basic-auth
key: username
password:
valueFrom:
configMapKeyRef:
name: basic-auth
key: password
Kubernetes Secrets
To use a secret, first we create the secret:
kubectl create secret generic basic-auth --from-literal=user=hello --from-literal=pass=world -n default
http-basic-auth-secret.yamlapiVersion: canaries.flanksource.com/v1
kind: Canary
metadata:
name: http-basic-auth
spec:
schedule: "@every 1m"
http:
- name: "basic auth fail"
url: https://httpbin.flanksource.com/basic-auth/hello/world
responseCodes: [401]
- name: "basic auth pass"
url: https://httpbin.flanksource.com/basic-auth/hello/world
responseCodes: [200]
username:
valueFrom:
secretKeyRef:
name: httpbin-secret
key: username
password:
valueFrom:
secretKeyRef:
name: httpbin-secret
key: password
Helm Values
To use a secret, first we deploy a helm chart
helm install podinfo podinfo/podinfo -n podinfo --set ingress.enabled=true
http-from-helm.yamlapiVersion: canaries.flanksource.com/v1
kind: Canary
metadata:
name: http-from-helm
spec:
schedule: "@every 1m"
http:
- name: HTTP check
url: $(url)
env:
- name: url
valueFrom:
helmRef:
name: podinfo
key: .ingress.hosts[0].host
Kubernetes Service Accounts
Checks can use service accounts for authentication with external services that have existing trust established
http-service-accounts.yamlapiVersion: canaries.flanksource.com/v1
kind: Canary
metadata:
name: http-basic-auth-service-account
spec:
schedule: "@every 1m"
http:
- name: vault-example-sre
description: "HashiCorp Vault functionality check."
url: https://vault.example/v1/auth/kubernetes/login
env:
- name: TOKEN
valueFrom:
serviceAccount: default-account
templateBody: true
body: |
{
"jwt": "$(TOKEN)",
"role": "example-role"
}
note
To issue service account tokens, grant the canary-checker-sa service account access to serviceaccounts/token:
kubectl create clusterrole canary-checker-sa-issuing \
--verb=create,get \
--resource=serviceaccounts,serviceaccounts/token
kubectl create clusterrolebinding canary-checker-sa-issuing-rolebinding \
--clusterrole=canary-checker-sa-issuing \
--serviceaccount=canary-checker:canary-checker-sa