Latest chart does not support apiKey with parameter store

Question

Latest chart does not support apiKey with parameter store

cpetestewart opened this issue 2 years ago · 8 comments

I recently set about upgrading our old scalyr chart which we had manually downloaded and modified because at the time serviceAccount annotations were not supported.

While serviceAccount annotations are now working, obtaining the apiKey from parameter store is not. We are used to our old manual deployment having this environment variable value:

    - name: SCALYR_API_KEY
      value: arn:aws:ssm:us-east-1:<account-id-redacted>:parameter/<path-to-key-redacted>

Then a mutating webhook for kube-secrets-init changes this to the actual parameter store value. However, there appears to be no way to do this in practice. The templates are hardcoded to use a secret, even though the README talks about using parameter store instead of a secret. I don't see a way to do this with the current chart.

Answer 1 · 2023-08-10T18:25:30.000Z

@Kami Could you help look at this? This should be supported per instruction on README.

It looks like the serviceAccount was added here from v0.2.13, but the exact syntax to apply the apiKey from the parameter store isn't documented.

Answer 2 · 2023-08-15T07:50:30.000Z

@cpetestewart Is there a specific reason why you can't utilize existingSecretRef parameter (https://github.com/scalyr/helm-scalyr/blob/main/charts/scalyr-agent/templates/daemonset.yaml#L94) in combination with defining a custom Secret resource?

That seems to be a preferred (and more secure) approach in situations like that.

To be able to support a very specific use case and scenario you mentioned, we would need to make additional changes to the chart. Something along the lines of adding useRawApiKeyEnvValue or similar which would tell chart to use the environment variable value as is, instead of referencing a secret.

So this is possible, but I'm also trying to understand your use case better.

Answer 3 · 2023-08-15T08:26:21.000Z

@cpetestewart Here is a quick prototype which should likely satisfy this specific use case - #64.

When you get a chance, can you please test it and verify it indeed satisfies your use case?

Also keep in mind that it's just a quick prototype without the corresponding tests and documentation.

Answer 4 · 2023-08-21T12:54:31.000Z

@cpetestewart Did you happen to have a chance yet to test the changes in #64?

Answer 5 · 2023-08-21T15:07:01.000Z

I will be looking into this shortly. Apologies, I got pulled onto other projects.

Answer 6 · 2023-08-21T15:40:28.000Z

This worked perfectly and is exactly what I needed. I was able to get it up and running in my test cluster. Great work.

Please let me know what release this will be in so I can plan our upgrade appropriately. Thanks for the help!

Answer 7 · 2023-08-21T19:05:10.000Z

@cpetestewart Great, thanks for confirming.

In the mean time I already had a chance to add some basic tests and docs to that PR so hopefully it doesn't need much more work besides a review to get it merged.

Answer 8 · 2023-08-23T12:03:44.000Z

@cpetestewart #64 has been merged and a new chart version with those change (v0.2.34) is now available - https://scalyr.github.io/helm-scalyr/.