putting s3 secrets in one object

README.md

@@ -84,7 +84,7 @@ defectdojo:
 
 Keep `storage.enabled` and `defectdojo.enabled` disabled until those services are actually installed and reachable. Keep `infisical.enabled` disabled until the operator is installed and your project identifiers are ready.
 
-If you do not use Infisical, create the `amp-security-pipeline-secrets` secret yourself before running the workflow.
+If you do not use Infisical, create the `amp-security-pipeline-secrets` secret yourself before running the workflow. For storage uploads, the secret should contain `S3_ACCESS_KEY_ID` and `S3_SECRET_ACCESS_KEY`.
 
 ### 3. Deploy the chart
 

helm/templates/_scan-pulumi-crossguard.yaml

@@ -4,23 +4,13 @@
     parameters:
       - name: working-dir
   container:
-    image: {{ .Values.images.pulumiCrossguard | quote }}
+    image: {{ .Values.images.pulumiCrossguard }}
     env:
       - name: PULUMI_ACCESS_TOKEN
         valueFrom:
           secretKeyRef:
             name: amp-security-pipeline-secrets
             key: PULUMI_ACCESS_TOKEN
-      - name: AWS_ACCESS_KEY_ID
-        valueFrom:
-          secretKeyRef:
-            name: amp-security-pipeline-secrets
-            key: AWS_ACCESS_KEY_ID
-      - name: AWS_SECRET_ACCESS_KEY
-        valueFrom:
-          secretKeyRef:
-            name: amp-security-pipeline-secrets
-            key: AWS_SECRET_ACCESS_KEY
     command:
       - sh
       - -c
@@ -29,7 +19,7 @@
         set -eu
         mkdir -p /workspace/reports
         cd "/workspace/{{ `{{inputs.parameters.working-dir}}` }}"
-        pulumi preview --policy-pack "{{ .Values.pulumi.policyPackPath }}" > /workspace/reports/pulumi-crossguard.json 2>&1 || true
+        pulumi preview --policy-pack {{ .Values.pulumi.policyPackPath | quote }} > /workspace/reports/pulumi-crossguard.json 2>&1 || true
     volumeMounts:
       - name: workspace
         mountPath: /workspace

helm/templates/_upload-defectdojo.yaml

@@ -1,19 +1,12 @@
 {{- define "template.upload-defectdojo" -}}
 - name: upload-defectdojo
   container:
-    image: "{{ .Values.pipeline.toolsImage.repository }}:{{ .Values.pipeline.toolsImage.tag }}"
+    image: {{ include "template.tools-image" . | quote }}
     imagePullPolicy: {{ .Values.pipeline.toolsImage.pullPolicy }}
+    envFrom:
+      - secretRef:
+          name: amp-security-pipeline-secrets
     env:
-      - name: DEFECTDOJO_URL
-        valueFrom:
-          secretKeyRef:
-            name: amp-security-pipeline-secrets
-            key: DEFECTDOJO_URL
-      - name: DEFECTDOJO_API_TOKEN
-        valueFrom:
-          secretKeyRef:
-            name: amp-security-pipeline-secrets
-            key: DEFECTDOJO_API_TOKEN
       - name: DEFECTDOJO_PRODUCT_TYPE_NAME
         value: {{ .Values.defectdojo.productTypeName | quote }}
       - name: DEFECTDOJO_PRODUCT_NAME

helm/templates/_upload-storage.yaml

@@ -1,28 +1,11 @@
 {{- define "template.upload-storage" -}}
 - name: upload-storage
   container:
-    image: {{ .Values.images.awsCli | quote }}
+    image: {{ .Values.images.awsCli }}
+    envFrom:
+      - secretRef:
+          name: amp-security-pipeline-secrets
     env:
-      - name: AWS_ACCESS_KEY_ID
-        valueFrom:
-          secretKeyRef:
-            name: amp-security-pipeline-secrets
-            key: AWS_ACCESS_KEY_ID
-      - name: AWS_SECRET_ACCESS_KEY
-        valueFrom:
-          secretKeyRef:
-            name: amp-security-pipeline-secrets
-            key: AWS_SECRET_ACCESS_KEY
-      - name: MINIO_ROOT_USER
-        valueFrom:
-          secretKeyRef:
-            name: amp-security-pipeline-secrets
-            key: MINIO_ROOT_USER
-      - name: MINIO_ROOT_PASSWORD
-        valueFrom:
-          secretKeyRef:
-            name: amp-security-pipeline-secrets
-            key: MINIO_ROOT_PASSWORD
       - name: REPORTS_BUCKET
         value: {{ .Values.storage.reportsBucket | quote }}
       - name: REPO_NAME
@@ -35,6 +18,8 @@
     args:
       - |
         set -eu
+        export AWS_ACCESS_KEY_ID="${S3_ACCESS_KEY_ID:-}"
+        export AWS_SECRET_ACCESS_KEY="${S3_SECRET_ACCESS_KEY:-}"
         commit_sha="${GIT_COMMIT_SHA:-unknown}"
         report_date="$(date -u +%F)"
         sync_target="s3://${REPORTS_BUCKET}/${REPO_NAME}/${report_date}/${commit_sha}/"

helm/templates/infisical-secret.yaml

@@ -16,18 +16,12 @@ spec:
     - secretKey: PULUMI_ACCESS_TOKEN
       remoteRef:
         key: PULUMI_ACCESS_TOKEN
-    - secretKey: AWS_ACCESS_KEY_ID
+    - secretKey: S3_ACCESS_KEY_ID
       remoteRef:
-        key: AWS_ACCESS_KEY_ID
+        key: S3_ACCESS_KEY_ID
-    - secretKey: AWS_SECRET_ACCESS_KEY
+    - secretKey: S3_SECRET_ACCESS_KEY
       remoteRef:
-        key: AWS_SECRET_ACCESS_KEY
+        key: S3_SECRET_ACCESS_KEY
-    - secretKey: MINIO_ROOT_USER
-      remoteRef:
-        key: MINIO_ROOT_USER
-    - secretKey: MINIO_ROOT_PASSWORD
-      remoteRef:
-        key: MINIO_ROOT_PASSWORD
     - secretKey: DEFECTDOJO_URL
       remoteRef:
         key: DEFECTDOJO_URL