From 749afaebf749bab58f042b86238dd0ee5acc7e08 Mon Sep 17 00:00:00 2001 From: ada Date: Mon, 20 Apr 2026 21:09:45 -0600 Subject: [PATCH] putting s3 secrets in one object --- README.md | 2 +- helm/templates/_scan-pulumi-crossguard.yaml | 14 ++--------- helm/templates/_upload-defectdojo.yaml | 15 +++--------- helm/templates/_upload-storage.yaml | 27 +++++---------------- helm/templates/infisical-secret.yaml | 14 +++-------- 5 files changed, 17 insertions(+), 55 deletions(-) diff --git a/README.md b/README.md index 6379f96..cc1d480 100644 --- a/README.md +++ b/README.md @@ -84,7 +84,7 @@ defectdojo: Keep `storage.enabled` and `defectdojo.enabled` disabled until those services are actually installed and reachable. Keep `infisical.enabled` disabled until the operator is installed and your project identifiers are ready. -If you do not use Infisical, create the `amp-security-pipeline-secrets` secret yourself before running the workflow. +If you do not use Infisical, create the `amp-security-pipeline-secrets` secret yourself before running the workflow. For storage uploads, the secret should contain `S3_ACCESS_KEY_ID` and `S3_SECRET_ACCESS_KEY`. ### 3. Deploy the chart diff --git a/helm/templates/_scan-pulumi-crossguard.yaml b/helm/templates/_scan-pulumi-crossguard.yaml index 35fa511..a566c2e 100644 --- a/helm/templates/_scan-pulumi-crossguard.yaml +++ b/helm/templates/_scan-pulumi-crossguard.yaml @@ -4,23 +4,13 @@ parameters: - name: working-dir container: - image: {{ .Values.images.pulumiCrossguard | quote }} + image: {{ .Values.images.pulumiCrossguard }} env: - name: PULUMI_ACCESS_TOKEN valueFrom: secretKeyRef: name: amp-security-pipeline-secrets key: PULUMI_ACCESS_TOKEN - - name: AWS_ACCESS_KEY_ID - valueFrom: - secretKeyRef: - name: amp-security-pipeline-secrets - key: AWS_ACCESS_KEY_ID - - name: AWS_SECRET_ACCESS_KEY - valueFrom: - secretKeyRef: - name: amp-security-pipeline-secrets - key: AWS_SECRET_ACCESS_KEY command: - sh - -c 
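Review bot: The image line now renders `{{ .Values.images.pulumiCrossguard }}` unquoted while the _upload-defectdojo hunk in this same commit keeps `| quote` on its image, and an empty or indicator-leading value would render as null or a flow construct rather than a string; keep `image: {{ .Values.images.pulumiCrossguard | quote }}` here and in the _upload-storage hunk. Separately, the hunk drops both AWS_* `secretKeyRef` entries from this container without wiring in any replacement, so the crossguard step now runs with no cloud credentials at all; if `pulumi preview` needs provider credentials that is presumably a regression, and the `|| true` on the preview line in the next hunk would hide the resulting failure. If the preview is intended to run credential-free, a one-line comment above `env:` saying so (`# preview runs with the Pulumi token only; no cloud credentials are needed`) would save the next reader the same question.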
@@ -29,7 +19,7 @@ set -eu mkdir -p /workspace/reports cd "/workspace/{{ `{{inputs.parameters.working-dir}}` }}" - pulumi preview --policy-pack "{{ .Values.pulumi.policyPackPath }}" > /workspace/reports/pulumi-crossguard.json 2>&1 || true + pulumi preview --policy-pack {{ .Values.pulumi.policyPackPath | quote }} > /workspace/reports/pulumi-crossguard.json 2>&1 || true volumeMounts: - name: workspace mountPath: /workspace diff --git a/helm/templates/_upload-defectdojo.yaml b/helm/templates/_upload-defectdojo.yaml index f3f93d8..1957d6e 100644 --- a/helm/templates/_upload-defectdojo.yaml +++ b/helm/templates/_upload-defectdojo.yaml @@ -1,19 +1,12 @@ {{- define "template.upload-defectdojo" -}} - name: upload-defectdojo container: - image: "{{ .Values.pipeline.toolsImage.repository }}:{{ .Values.pipeline.toolsImage.tag }}" + image: {{ include "template.tools-image" . | quote }} imagePullPolicy: {{ .Values.pipeline.toolsImage.pullPolicy }} + envFrom: + - secretRef: + name: amp-security-pipeline-secrets env: - - name: DEFECTDOJO_URL - valueFrom: - secretKeyRef: - name: amp-security-pipeline-secrets - key: DEFECTDOJO_URL - - name: DEFECTDOJO_API_TOKEN - valueFrom: - secretKeyRef: - name: amp-security-pipeline-secrets - key: DEFECTDOJO_API_TOKEN - name: DEFECTDOJO_PRODUCT_TYPE_NAME value: {{ .Values.defectdojo.productTypeName | quote }} - name: DEFECTDOJO_PRODUCT_NAME diff --git a/helm/templates/_upload-storage.yaml b/helm/templates/_upload-storage.yaml index fa9bb6e..4c62585 100644 --- a/helm/templates/_upload-storage.yaml +++ b/helm/templates/_upload-storage.yaml 
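Review bot: The rewritten preview line still redirects stderr into pulumi-crossguard.json and ends in `|| true`, so a bad policy-pack path or a missing-credential failure produces a "report" containing an error message and a green step. Consider keeping stderr out of the report and surfacing the exit status, e.g. `pulumi preview --policy-pack {{ .Values.pulumi.policyPackPath | quote }} > /workspace/reports/pulumi-crossguard.json 2> /workspace/reports/pulumi-crossguard.err || echo "pulumi preview exited $?" >&2`, so a downstream step can tell a failed scan from a clean one. Note that Helm's `quote` emits Go-style double quotes, which sh still expands for `$` and backticks, so the change is a rendering fix rather than shell escaping. The `args: - |` script this line belongs to starts outside the hunk.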
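Review bot: Replacing the two `secretKeyRef` entries with `envFrom: - secretRef: name: amp-security-pipeline-secrets` injects every key of the secret into this container, so the DefectDojo upload step now also receives PULUMI_ACCESS_TOKEN and the S3 credentials it has no use for; the _upload-storage hunk makes the same change and in turn hands DEFECTDOJO_API_TOKEN and the Pulumi token to the aws-cli container. The per-key `secretKeyRef` form being removed already scoped each container to its own credentials, so for DefectDojo keep the two removed entries, and for upload-storage map `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` via `secretKeyRef` to the new `S3_ACCESS_KEY_ID` / `S3_SECRET_ACCESS_KEY` keys, which also makes the `export` lines added to its script unnecessary. `include "template.tools-image"` is referenced here but not defined in this patch; presumably it lives in a helpers template, and it is worth confirming its rendered value matches the old `repository:tag` form.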
@@ -1,28 +1,11 @@ {{- define "template.upload-storage" -}} - name: upload-storage container: - image: {{ .Values.images.awsCli | quote }} + image: {{ .Values.images.awsCli }} + envFrom: + - secretRef: + name: amp-security-pipeline-secrets env: - - name: AWS_ACCESS_KEY_ID - valueFrom: - secretKeyRef: - name: amp-security-pipeline-secrets - key: AWS_ACCESS_KEY_ID - - name: AWS_SECRET_ACCESS_KEY - valueFrom: - secretKeyRef: - name: amp-security-pipeline-secrets - key: AWS_SECRET_ACCESS_KEY - - name: MINIO_ROOT_USER - valueFrom: - secretKeyRef: - name: amp-security-pipeline-secrets - key: MINIO_ROOT_USER - - name: MINIO_ROOT_PASSWORD - valueFrom: - secretKeyRef: - name: amp-security-pipeline-secrets - key: MINIO_ROOT_PASSWORD - name: REPORTS_BUCKET value: {{ .Values.storage.reportsBucket | quote }} - name: REPO_NAME @@ -35,6 +18,8 @@ args: - | set -eu + export AWS_ACCESS_KEY_ID="${S3_ACCESS_KEY_ID:-}" + export AWS_SECRET_ACCESS_KEY="${S3_SECRET_ACCESS_KEY:-}" commit_sha="${GIT_COMMIT_SHA:-unknown}" report_date="$(date -u +%F)" sync_target="s3://${REPORTS_BUCKET}/${REPO_NAME}/${report_date}/${commit_sha}/" diff --git a/helm/templates/infisical-secret.yaml b/helm/templates/infisical-secret.yaml index 2601a87..d9a0bff 100644 --- a/helm/templates/infisical-secret.yaml +++ b/helm/templates/infisical-secret.yaml @@ -16,18 +16,12 @@ spec: - secretKey: PULUMI_ACCESS_TOKEN remoteRef: key: PULUMI_ACCESS_TOKEN - - secretKey: AWS_ACCESS_KEY_ID + - secretKey: S3_ACCESS_KEY_ID remoteRef: - key: AWS_ACCESS_KEY_ID - - secretKey: AWS_SECRET_ACCESS_KEY + key: S3_ACCESS_KEY_ID + - secretKey: S3_SECRET_ACCESS_KEY remoteRef: - key: AWS_SECRET_ACCESS_KEY - - secretKey: MINIO_ROOT_USER - remoteRef: - key: MINIO_ROOT_USER - - secretKey: MINIO_ROOT_PASSWORD - remoteRef: - key: MINIO_ROOT_PASSWORD + key: S3_SECRET_ACCESS_KEY - secretKey: DEFECTDOJO_URL remoteRef: key: DEFECTDOJO_URL
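Review bot: `export AWS_ACCESS_KEY_ID="${S3_ACCESS_KEY_ID:-}"` and the line below it default a missing secret key to an empty string, so when the secret lacks the new S3_* keys (the README now tells manual users to add them) the step proceeds with blank credentials and only fails later, with a less obvious error, when the cli tries to use them. Since the script already runs under `set -eu`, fail fast with the `:?` form instead: `export AWS_ACCESS_KEY_ID="${S3_ACCESS_KEY_ID:?S3_ACCESS_KEY_ID missing from amp-security-pipeline-secrets}"` and likewise for `AWS_SECRET_ACCESS_KEY`. The `args: - |` script these lines belong to starts before the hunk and continues after it.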