idaholab#189; kubernetes - use Secrets for some environment variables…

… instead of ConfigMaps
mmguero-dev · Apr 27, 2023 · 15d9365 · 15d9365
1 parent 2abc485
commit 15d9365
Show file tree

Hide file tree

Showing 40 changed files with 342 additions and 297 deletions.
diff --git a/config/arkime-secret.env.example b/config/arkime-secret.env.example
@@ -0,0 +1,4 @@
+# MaxMind GeoIP database update API key (see
+#   https://support.maxmind.com/hc/en-us/articles/4407116112539-Using-License-Keys)
+MAXMIND_GEOIP_DB_LICENSE_KEY=0
+K8S_SECRET=True
diff --git a/config/arkime.env.example b/config/arkime.env.example
@@ -3,8 +3,5 @@
 MANAGE_PCAP_FILES=false
 # The number of Arkime capture processes allowed to run concurrently
 ARKIME_ANALYZE_PCAP_THREADS=1
-# MaxMind GeoIP database update API key (see
-#   https://support.maxmind.com/hc/en-us/articles/4407116112539-Using-License-Keys)
-MAXMIND_GEOIP_DB_LICENSE_KEY=0
 
 OPENSEARCH_MAX_SHARDS_PER_NODE=2500
diff --git a/config/auth.env.example b/config/auth.env.example
@@ -1,3 +1,4 @@
 # Malcolm Administrator username and encrypted password for nginx reverse proxy (and upload server's SFTP access)
 MALCOLM_USERNAME=admin
 MALCOLM_PASSWORD=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX==
+K8S_SECRET=True
diff --git a/config/netbox-postgres.env.example b/config/netbox-postgres.env.example
@@ -1,3 +1,4 @@
 POSTGRES_DB=netbox
 POSTGRES_PASSWORD=XXXXXXXXXXXXXXXXXXXXXXXX
 POSTGRES_USER=netbox
+K8S_SECRET=True
diff --git a/config/netbox-redis-cache.env.example b/config/netbox-redis-cache.env.example
@@ -1 +1,2 @@
 REDIS_PASSWORD=XXXXXXXXXXXXXXXXXXXXXXXX
+K8S_SECRET=True
diff --git a/config/netbox-redis.env.example b/config/netbox-redis.env.example
@@ -1 +1,2 @@
 REDIS_PASSWORD=XXXXXXXXXXXXXXXXXXXXXXXX
+K8S_SECRET=True
diff --git a/config/netbox-secret.env.example b/config/netbox-secret.env.example
@@ -0,0 +1,14 @@
+DB_PASSWORD=xxxxxxxxxxxxxxxx
+DB_USER=netbox
+EMAIL_PASSWORD=
+EMAIL_USERNAME=netbox
+NAPALM_PASSWORD=
+NAPALM_USERNAME=
+REDIS_CACHE_PASSWORD=xxxxxxxxxxxxxxxx
+REDIS_PASSWORD=xxxxxxxxxxxxxxxx
+SECRET_KEY=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+SUPERUSER_API_TOKEN=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+SUPERUSER_NAME=admin
+SUPERUSER_PASSWORD=admin
+
+K8S_SECRET=True
diff --git a/config/netbox.env.example b/config/netbox.env.example
@@ -14,16 +14,12 @@ REMOTE_AUTH_SUPERUSERS=
 EXEMPT_VIEW_PERMISSIONS=*
 DB_HOST=netbox-postgres
 DB_NAME=netbox
-DB_PASSWORD=xxxxxxxxxxxxxxxx
-DB_USER=netbox
 [email protected]
-EMAIL_PASSWORD=
 EMAIL_PORT=25
 EMAIL_SERVER=localhost
 EMAIL_SSL_CERTFILE=
 EMAIL_SSL_KEYFILE=
 EMAIL_TIMEOUT=5
-EMAIL_USERNAME=netbox
 # EMAIL_USE_SSL and EMAIL_USE_TLS are mutually exclusive, i.e. they can't both be `true`!
 EMAIL_USE_SSL=false
 EMAIL_USE_TLS=false
@@ -32,25 +28,17 @@ HOUSEKEEPING_INTERVAL=86400
 MAX_PAGE_SIZE=1000
 MEDIA_ROOT=/opt/netbox/netbox/media
 METRICS_ENABLED=false
-NAPALM_PASSWORD=
 NAPALM_TIMEOUT=10
-NAPALM_USERNAME=
 REDIS_CACHE_DATABASE=1
 REDIS_CACHE_HOST=netbox-redis-cache
 REDIS_CACHE_INSECURE_SKIP_TLS_VERIFY=false
-REDIS_CACHE_PASSWORD=xxxxxxxxxxxxxxxx
 REDIS_CACHE_SSL=false
 REDIS_DATABASE=0
 REDIS_HOST=netbox-redis
 REDIS_INSECURE_SKIP_TLS_VERIFY=false
-REDIS_PASSWORD=xxxxxxxxxxxxxxxx
 REDIS_SSL=false
 RELEASE_CHECK_URL=https://api.github.com/repos/netbox-community/netbox/releases
-SECRET_KEY=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
 SKIP_STARTUP_SCRIPTS=true
 SKIP_SUPERUSER=false
-SUPERUSER_API_TOKEN=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
 [email protected]
-SUPERUSER_NAME=admin
-SUPERUSER_PASSWORD=admin
-WEBHOOKS_ENABLED=true
+WEBHOOKS_ENABLED=true
diff --git a/config/process.env.example b/config/process.env.example
@@ -3,5 +3,5 @@ PUID=1000
 PGID=1000
 # for debugging container init via tini (https://github.com/krallin/tini)
 TINI_VERBOSITY=1
-# for handling configmap files/directories
-CONFIG_MAP_DIR=configmap
+# for handling configmap/secrets files/directories
+CONFIG_MAP_DIR=configmap;secretmap
diff --git a/config/zeek-secret.env.example b/config/zeek-secret.env.example
@@ -0,0 +1,5 @@
+# A VirusTotal Public API v.20 used to submit hashes of Zeek-extracted files
+VTOT_API2_KEY=0
+# Specifies the AES-256-CBC decryption password for encrypted Zeek-extracted files served over HTTP
+EXTRACTED_FILE_HTTP_SERVER_KEY=quarantined
+K8S_SECRET=True
diff --git a/config/zeek.env.example b/config/zeek.env.example
@@ -21,8 +21,6 @@ EXTRACTED_FILE_PRESERVATION=quarantined
 EXTRACTED_FILE_MIN_BYTES=64
 # The maximum size (in bytes) for files to be extracted by Zeek
 EXTRACTED_FILE_MAX_BYTES=134217728
-# A VirusTotal Public API v.20 used to submit hashes of Zeek-extracted files
-VTOT_API2_KEY=0
 # Rate limiting for VirusTotal, ClamAV, YARA and capa with Zeek-extracted files
 VTOT_REQUESTS_PER_MINUTE=4
 CLAMD_MAX_REQUESTS=8
@@ -46,8 +44,6 @@ EXTRACTED_FILE_PIPELINE_VERBOSITY=
 EXTRACTED_FILE_HTTP_SERVER_ENABLE=false
 # Whether or not Zeek-extracted files served over HTTP will be AES-256-CBC-encrypted
 EXTRACTED_FILE_HTTP_SERVER_ENCRYPT=true
-# Specifies the AES-256-CBC decryption password for encrypted Zeek-extracted files served over HTTP
-EXTRACTED_FILE_HTTP_SERVER_KEY=quarantined
 # Environment variables for tweaking Zeek at runtime (see local.zeek)
 #   Set to any non-blank value to disable the corresponding feature
 ZEEK_DISABLE_HASH_ALL_FILES=

diff --git a/docker-compose-standalone.yml b/docker-compose-standalone.yml
@@ -109,6 +109,7 @@ services:
       - ./config/opensearch.env
       - ./config/netbox-common.env
       - ./config/netbox.env
+      - ./config/netbox-secret.env
       - ./config/beats-common.env
       - ./config/lookup-common.env
       - ./config/logstash.env
@@ -180,6 +181,7 @@ services:
       - ./config/upload-common.env
       - ./config/auth.env
       - ./config/arkime.env
+      - ./config/arkime-secret.env
     environment:
       VIRTUAL_HOST : 'arkime.malcolm.local'
     ulimits:
@@ -222,6 +224,7 @@ services:
       - ./config/ssl.env
       - ./config/upload-common.env
       - ./config/zeek.env
+      - ./config/zeek-secret.env
       - ./config/zeek-offline.env
     depends_on:
       - opensearch
@@ -258,6 +261,7 @@ services:
       - ./config/upload-common.env
       - ./config/pcap-capture.env
       - ./config/zeek.env
+      - ./config/zeek-secret.env
       - ./config/zeek-live.env
     volumes:
       - ./nginx/ca-trust:/var/local/ca-trust:ro
@@ -338,6 +342,7 @@ services:
       - ./config/process.env
       - ./config/ssl.env
       - ./config/zeek.env
+      - ./config/zeek-secret.env
     environment:
       VIRTUAL_HOST : 'file-monitor.malcolm.local'
     volumes:
@@ -487,6 +492,7 @@ services:
       - ./config/ssl.env
       - ./config/netbox-common.env
       - ./config/netbox.env
+      - ./config/netbox-secret.env
     environment:
       VIRTUAL_HOST : 'netbox.malcolm.local'
     depends_on:

diff --git a/docker-compose.yml b/docker-compose.yml
@@ -121,6 +121,7 @@ services:
       - ./config/opensearch.env
       - ./config/netbox-common.env
       - ./config/netbox.env
+      - ./config/netbox-secret.env
       - ./config/beats-common.env
       - ./config/lookup-common.env
       - ./config/logstash.env
@@ -202,6 +203,7 @@ services:
       - ./config/upload-common.env
       - ./config/auth.env
       - ./config/arkime.env
+      - ./config/arkime-secret.env
     environment:
       VIRTUAL_HOST : 'arkime.malcolm.local'
     ulimits:
@@ -250,6 +252,7 @@ services:
       - ./config/ssl.env
       - ./config/upload-common.env
       - ./config/zeek.env
+      - ./config/zeek-secret.env
       - ./config/zeek-offline.env
     depends_on:
       - opensearch
@@ -290,6 +293,7 @@ services:
       - ./config/upload-common.env
       - ./config/pcap-capture.env
       - ./config/zeek.env
+      - ./config/zeek-secret.env
       - ./config/zeek-live.env
     volumes:
       - ./nginx/ca-trust:/var/local/ca-trust:ro
@@ -380,6 +384,7 @@ services:
       - ./config/process.env
       - ./config/ssl.env
       - ./config/zeek.env
+      - ./config/zeek-secret.env
     environment:
       VIRTUAL_HOST : 'file-monitor.malcolm.local'
     volumes:
@@ -547,6 +552,7 @@ services:
       - ./config/ssl.env
       - ./config/netbox-common.env
       - ./config/netbox.env
+      - ./config/netbox-secret.env
     environment:
       VIRTUAL_HOST : 'netbox.malcolm.local'
     depends_on:

diff --git a/docs/asset-interaction-analysis.md b/docs/asset-interaction-analysis.md
@@ -97,4 +97,4 @@ To clear the existing NetBox database and restore a previous backup, run the fol
 
 ```
 
-Note that some of the data in the NetBox database is cryptographically signed with the value of the `SECRET_KEY` environment variable in the `./netbox/env/netbox.env` environment file. A restored NetBox backup **will not work** if this value is different from when it was created.
+Note that some of the data in the NetBox database is cryptographically signed with the value of the `SECRET_KEY` environment variable in the `./netbox/env/netbox-secret.env` environment file. A restored NetBox backup **will not work** if this value is different from when it was created.
Original file line number	Diff line number	Diff line change
		@@ -1 +1,2 @@
		REDIS_PASSWORD=XXXXXXXXXXXXXXXXXXXXXXXX
		K8S_SECRET=True
Original file line number	Diff line number	Diff line change
Expand Up		@@ -97,4 +97,4 @@ To clear the existing NetBox database and restore a previous backup, run the fol

		```

		Note that some of the data in the NetBox database is cryptographically signed with the value of the `SECRET_KEY` environment variable in the `./netbox/env/netbox.env` environment file. A restored NetBox backup will not work if this value is different from when it was created.
		Note that some of the data in the NetBox database is cryptographically signed with the value of the `SECRET_KEY` environment variable in the `./netbox/env/netbox-secret.env` environment file. A restored NetBox backup will not work if this value is different from when it was created.