Kubernetes secrets and Helm Chart installation
Beginning with version 2.8.0 of the Snyk Broker Helm Chart, external secrets are supported. To enable this functionality, set useExternalSecrets to true in values.yaml, or pass --set externalSecrets=true on the command line.
To obtain a list of required secrets, perform a dry run of a Helm installation. This will not make any changes to your Kubernetes environment, but does require the following:
A list of secrets with their expected names and values will be generated. The following example uses scmType=nexus:
In this example, four secrets must exist within the same namespace into which the Broker will be installed, each containing one key-value pair. Any values shown in <> characters are placeholders for your own secret data.
Renaming secrets and keys
Each of the following Helm values supports name and key, allowing the Snyk Broker Helm Chart to reference a specific secret name and a key within that secret:

- externalCredentialSecret (used for any Broker type that is not artifactory, nexus or nexus2, for the required password or PAT associated with the Broker type)
- brokerTokenSecret (used for your Broker token)
- scmTokenPoolSecret (used if Credential Pooling is enabled)
- artifactoryUrlSecret (required for artifactory only)
- baseNexusUrlSecret (required for nexus and nexus2 only)
- nexusUrlSecret (required for nexus and nexus2 only)
- brokerClientValidationUrlSecret (required for nexus and nexus2 only; optionally set for artifactory)
For example, if your Kubernetes cluster has a secret with a Broker token in the following form:
Set the following:
The Helm Chart will then read the Broker token from the org-x-broker-token key in the Secret snyk-broker-secrets.
Partial external secrets
When useExternalSecrets is true, the Broker Helm Chart checks whether a value is provided for each secret (for example, brokerToken=<your-broker-token>):

- If a value exists, a secret is created as usual.
- If no value exists, an external secret is looked up.

By this means, some secrets may be controlled by the Broker Helm Chart and others controlled externally:
This set of values will:

- Create a secret for the provided Broker token
- Reference an external secret for the required GitHub token
Performing a dry run of a Helm installation will provide the required secret names and keys:
Note the Broker token secret is excluded from this list as a value is directly provided to the Broker Helm Chart.
Using a single external secret with multiple keys
A single Kubernetes secret may contain all credentials required for the Snyk Broker to operate. Using a Broker of type nexus as an example, assume this secret is present in Kubernetes:
To use this secret for all required values for scmType=nexus, set:
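A pre-flight check that mirrors the partial-external-secrets rule and the single-secret layout described above (an added example, not code from the Snyk docs or the Broker chart): given the Helm values and the Secret manifests from the Broker's namespace, it reports every referenced secret name or key that does not exist, which is the same information the dry run surfaces. The plain-value names other than brokerToken, and the key names inside the sample Secret other than org-x-broker-token, are assumptions.

```python
import base64

def decode_secret(manifest):
    """Return {key: plaintext} for a Kubernetes Secret manifest (data is base64)."""
    plain = {k: base64.b64decode(v).decode() for k, v in manifest.get("data", {}).items()}
    plain.update(manifest.get("stringData", {}))  # stringData is already plaintext
    return plain

def missing_external_secrets(values, secrets, required):
    """For each (plain value, *Secret reference) pair in `required`: a directly
    provided plain value wins; otherwise the referenced name/key must exist in
    `secrets` (Secret name -> manifest). Returns a list of problems (empty = ok)."""
    problems = []
    if not values.get("useExternalSecrets"):
        return problems  # chart creates every secret from plain values itself
    for plain_key, ref_key in required:
        if values.get(plain_key):
            continue  # chart creates this secret from the provided value
        ref = values.get(ref_key) or {}
        name, key = ref.get("name"), ref.get("key")
        if not name or not key:
            problems.append(f"{ref_key}: no name/key set and no {plain_key} provided")
        elif name not in secrets:
            problems.append(f"{ref_key}: Secret {name!r} not found in namespace")
        elif key not in decode_secret(secrets[name]):
            problems.append(f"{ref_key}: Secret {name!r} has no key {key!r}")
    return problems

# Constructed sample: a single Secret meant to hold every nexus credential.
# Key names other than org-x-broker-token are placeholders for this example.
SAMPLE_SECRET = {
    "apiVersion": "v1", "kind": "Secret", "metadata": {"name": "snyk-broker-secrets"},
    "data": {
        "org-x-broker-token": base64.b64encode(b"<your-broker-token>").decode(),
        "base-nexus-url": base64.b64encode(b"https://nexus.example.internal").decode(),
    },
}
# Values with one key missing from the Secret and one *Secret reference unset.
SAMPLE_VALUES = {
    "useExternalSecrets": True,
    "brokerTokenSecret": {"name": "snyk-broker-secrets", "key": "org-x-broker-token"},
    "baseNexusUrlSecret": {"name": "snyk-broker-secrets", "key": "base-nexus-url"},
    "nexusUrlSecret": {"name": "snyk-broker-secrets", "key": "nexus-url"},
}
# Plain-value names other than brokerToken are assumed, not taken from the docs.
REQUIRED_FOR_NEXUS = [
    ("brokerToken", "brokerTokenSecret"), ("baseNexusUrl", "baseNexusUrlSecret"),
    ("nexusUrl", "nexusUrlSecret"), ("brokerClientValidationUrl", "brokerClientValidationUrlSecret"),
]
```

Run missing_external_secrets(SAMPLE_VALUES, {"snyk-broker-secrets": SAMPLE_SECRET}, REQUIRED_FOR_NEXUS) to see the two gaps the sample contains; an empty list means every required credential is either supplied directly or resolvable from the namespace.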