23 changes: 22 additions & 1 deletion wiz-kubernetes-connector/templates/_helpers.tpl
Expand Up @@ -214,7 +214,7 @@ delete-kubernetes-connector

{{- define "wiz-kubernetes-connector.argsListDeleteConnector" -}}
{{- $args := include "wiz-kubernetes-connector.generate-args-list-delete" . | splitList "\n" -}}
{{- $output := "kuku" }}
{{- $output := "" }}
{{- if .Values.autoCreateConnector.istio.enabled -}}
{{- $first := include "wiz-kubernetes.pre-istio-sidecar" . -}}
{{- $last := include "wiz-kubernetes.post-istio-sidecar" . -}}
Expand All @@ -226,6 +226,27 @@ delete-kubernetes-connector
{{- printf "%s" $output | nindent 2 }}
{{- end }}

{{- define "wiz-kubernetes-connector.generate-args-rotation" -}}
rotate
--service-account-name
{{ .Values.clusterReader.serviceAccount.name }}
{{- end }}

{{- define "wiz-kubernetes-connector.generateArgsRotation" -}}
{{- $args := include "wiz-kubernetes-connector.generate-args-rotation" . | splitList "\n" -}}
{{- if .Values.autoCreateConnector.istio.enabled -}}
{{- $first := include "wiz-kubernetes.pre-istio-sidecar" . -}}
{{- $last := include "wiz-kubernetes.post-istio-sidecar" . -}}
{{- $argsWithIstio := printf "%s &&\nwiz-broker %s &&\n%s" $first (join " \n" $args) $last -}}
- >
{{- printf "%s" $argsWithIstio | nindent 2 }}
{{- else -}}
{{- range $arg := $args }}
- {{ $arg }}
{{- end }}
{{- end -}}
{{- end }}

{{- define "wiz-broker.image" -}}
{{ coalesce .Values.global.image.registry .Values.image.registry }}/{{ coalesce .Values.global.image.repository .Values.image.repository }}:{{ coalesce .Values.global.image.tag .Values.image.tag | default .Chart.AppVersion }}
{{- end -}}
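Review bot: The new `generateArgsRotation` helper breaks the naming pattern of its sibling `argsListDeleteConnector`/`generate-args-list-delete` (camelCase instead of the `argsList*` prefix), and it re-implements the same istio pre/post sidecar wrapping instead of sharing it, so a change to the istio handling now has to be made in two places; a shared helper that takes the args list would keep both in lockstep. The `generate-args-rotation` define also carries no comment saying what consumes it; a header such as `{{/* Args for the short-lived token rotation CronJob (templates/job-rotation.yaml). */}}` would help. `.Values.clusterReader.serviceAccount.name` is emitted unquoted into a list item, which is safe for a plain DNS-1123 name but is not validated here. The body of `argsListDeleteConnector` between the two hunks is outside this view.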
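--- a/wiz-kubernetes-connector/templates/job-rotation.yaml
+++ b/wiz-kubernetes-connector/templates/job-rotation.yaml
@@ -0,0 +1,146 @@
+{{- if .Values.shortLivedTokens.enabled }}
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+name: {{ include "wiz-kubernetes-connector.name" . }}-rotation
+namespace: {{ .Release.Namespace | quote }}
+labels:
+{{- include "wiz-kubernetes-connector.labels" . | nindent 4 }}
+annotations:
+rollme.wizApiTokenHash: {{ include "wiz-kubernetes-connector.wizApiTokenHash" . }}
+rollme.proxyHash: {{ include "wiz-kubernetes-connector.proxyHash" . }}
+rollme.brokerHash: {{ include "wiz-kubernetes-connector.brokerHash" . }}
+{{- with (.Values.autoCreateConnector.createJobAnnotations) }}
+{{- toYaml . | nindent 4 }}
+{{- end }}
+
+spec:
+schedule: "{{ .Values.shortLivedTokens.schedule }}"
+concurrencyPolicy: Forbid # Ensures only one job instance runs at a time
+jobTemplate:
+spec:
+activeDeadlineSeconds: {{ .Values.shortLivedTokens.timeoutSeconds }}
+ttlSecondsAfterFinished: {{ .Values.shortLivedTokens.cleanupJobSeconds }}
+template:
+metadata:
+{{- with (coalesce .Values.global.podAnnotations .Values.podAnnotations) }}
+annotations:
+{{- toYaml . | nindent 12 }}
+{{- end }}
+labels:
+{{/*
+`labels` includes `selectorLabels`
+*/}}
+{{- include "wiz-kubernetes-connector.labels" . | nindent 12 }}
+spec:
+{{- with .Values.global.imagePullSecrets }}
+imagePullSecrets:
+{{- toYaml . | nindent 12 }}
+{{- end }}
+serviceAccountName: {{ .Values.clusterReader.serviceAccount.name }}
+restartPolicy: "Never"
+securityContext:
+{{- if hasKey .Values.global "lowPrivilegePodSecurityPolicy" }}
+{{- toYaml .Values.global.lowPrivilegePodSecurityPolicy | nindent 12 }}
+{{- else }}
+{{- toYaml .Values.global.podSecurityContext | nindent 12 }}
+{{- end }}
+{{- if or .Values.autoCreateConnector.customVolumes .Values.global.customVolumes}}
+volumes:
+{{ with .Values.global.customVolumes }}
+{{- toYaml . | nindent 6 }}
+{{- end }}
+{{ with .Values.autoCreateConnector.customVolumes }}
+{{- toYaml . | nindent 6 }}
+{{- end }}
+{{- end }}
+containers:
+- name: wiz-rotator
+securityContext:
+{{- if hasKey .Values.global "lowPrivilegeSecurityPolicy" }}
+{{- toYaml .Values.global.lowPrivilegeSecurityPolicy | nindent 16 }}
+{{- else }}
+{{- toYaml .Values.global.securityContext | nindent 16 }}
+{{- end }}
+image: {{ include "wiz-broker.image" . }}
+imagePullPolicy: {{ coalesce .Values.global.image.pullPolicy .Values.image.pullPolicy }}
+command:
+{{- include "wiz-kubernetes-connector.entrypoint" . | nindent 16 }}
+args: {{- include "wiz-kubernetes-connector.generateArgsRotation" . | nindent 16 }}
+env:
+{{- if .Values.global.logLevel }}
+- name: LOG_LEVEL
+value: {{ .Values.global.logLevel }}
+{{- end }}
+{{- with .Values.global.podCustomEnvironmentVariables }}
+{{- toYaml . | nindent 16 }}
+{{- end }}
+{{- with .Values.autoCreateConnector.podCustomEnvironmentVariables }}
+{{- toYaml . | nindent 16 }}
+{{- end }}
+{{- if .Values.autoCreateConnector.podCustomEnvironmentVariablesFile }}
+- name: CLI_ENV_FILE
+value: {{ .Values.autoCreateConnector.podCustomEnvironmentVariablesFile }}
+- name: USE_CLI_ENV_FILE
+value: "true"
+{{- end }}
+{{- if not .Values.wizApiToken.usePodCustomEnvironmentVariablesFile }}
+- name: WIZ_CLIENT_ID
+valueFrom:
+secretKeyRef:
+name: {{ include "wiz-kubernetes-connector.apiTokenSecretName" . | trim }}
+key: clientId
+optional: false
+- name: WIZ_CLIENT_TOKEN
+valueFrom:
+secretKeyRef:
+name: {{ include "wiz-kubernetes-connector.apiTokenSecretName" . | trim }}
+key: clientToken
+optional: false
+{{- end }}
+- name: WIZ_ENV
+value: {{ coalesce .Values.global.wizApiToken.clientEndpoint .Values.wizApiToken.clientEndpoint | quote }}
+{{- if (or .Values.global.httpProxyConfiguration.enabled .Values.httpProxyConfiguration.enabled) }}
+- name: HTTP_PROXY
+valueFrom:
+secretKeyRef:
+name: {{ include "wiz-kubernetes-connector.proxySecretName" . | trim }}
+key: httpProxy
+optional: false
+- name: HTTPS_PROXY
+valueFrom:
+secretKeyRef:
+name: {{ include "wiz-kubernetes-connector.proxySecretName" . | trim }}
+key: httpsProxy
+optional: false
+- name: NO_PROXY
+valueFrom:
+secretKeyRef:
+name: {{ include "wiz-kubernetes-connector.proxySecretName" . | trim }}
+key: noProxyAddress
+optional: false
+{{- end }}
+resources:
+{{- toYaml .Values.resources | nindent 16 }}
+{{- if or .Values.autoCreateConnector.customVolumeMounts .Values.global.customVolumeMounts }}
+volumeMounts:
+{{- with .Values.autoCreateConnector.customVolumeMounts }}
+{{- toYaml . | nindent 16 }}
+{{- end -}}
+{{- with .Values.global.customVolumeMounts }}
+{{- toYaml . | nindent 16 }}
+{{- end }}
+{{- end }}
+{{- with (coalesce .Values.global.nodeSelector .Values.nodeSelector) }}
+nodeSelector:
+{{- toYaml . | nindent 12 }}
+{{- end }}
+{{- with (coalesce .Values.global.affinity .Values.affinity) }}
+affinity:
+{{- toYaml . | nindent 12 }}
+{{- end }}
+{{- with (coalesce .Values.global.tolerations .Values.tolerations) }}
+tolerations:
+{{- toYaml . | nindent 12 }}
+{{- end }}
+{{- end }}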
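Review bot: The custom-volume blocks render at the wrong depth: the `imagePullSecrets` items in the same pod spec use `nindent 12`, but both `volumes` lists use `nindent 6`, which in a CronJob (pod spec under `spec.jobTemplate.spec.template.spec`) places the list outside the pod spec and either breaks the manifest or leaves `volumes` empty. This looks carried over from a template whose pod spec sits shallower; both lines should read `{{- toYaml . | nindent 12 }}`, and the two `{{ with` openers in front of them should be `{{- with` so no stray whitespace lines are emitted. Separately, the `LOG_LEVEL` `value:` is unquoted while `WIZ_ENV` uses `| quote`; a numeric level would be typed as an int and rejected by the API server, so `value: {{ .Values.global.logLevel | quote }}` keeps the two consistent. The job runs as `clusterReader.serviceAccount.name` and passes that same name to `rotate`; whichever RBAC the rotation needs is not part of this change, so presumably it already exists — worth confirming.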
6 changes: 6 additions & 0 deletions wiz-kubernetes-connector/values.yaml
Expand Up @@ -245,3 +245,9 @@ global:
enabled: false # Should the components use a proxy.
create: false # Secret created by wiz-kubernetes-connector.
secretName: "" # The name of the proxy Secret.

shortLivedTokens:
enabled: false
schedule: "0 * * * *" # Every 1 hour
timeoutSeconds: 300 # The timeout for the manager job in seconds.
cleanupJobSeconds: 300 # The time in seconds after which the job should be deleted.
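Review bot: The hunk context (`@@ -245,3 +245,9 @@ global:`) shows the nearest column-0 key before these lines is `global:`, and the rendered view drops indentation, so confirm `shortLivedTokens:` is placed at the top level rather than nested under `global:`; the CronJob template reads `.Values.shortLivedTokens.enabled` and `.Values.shortLivedTokens.schedule`, which would not resolve if the block sits under `global`. The comment on `timeoutSeconds` says `manager job`, but this value feeds the rotation CronJob's `activeDeadlineSeconds`; `timeoutSeconds: 300 # The timeout for the rotation job in seconds.` describes what it controls. `enabled: false` has no comment at all; `enabled: false # Render the token-rotation CronJob (templates/job-rotation.yaml).` tells the reader what turning it on does.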