-
Notifications
You must be signed in to change notification settings - Fork 292
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add support for cfg via env vars and define external volumes #601
##### ISSUE TYPE
- Feature Pull Request
##### SUMMARY
- Allows providing communicator configuration via env variables
- Env variables have higher priority that config from file
- Helm chart has:
- `extraEnv`
- `extraVolumeMounts`
- `extraVolumes`
Fixes #480
Related documentation: kubeshop/botkube-docs#82
##### TESTING
Unit test proves that the reading configuration works as expected. However, below you will find an e2e tutorial.
**BotKube with Vault via CSI driver**
1. Create K8s cluster, e.g. k3s via `lima-vm`: `limactl start template://k3s`
> **NOTE:** The CSI needs to be supported, on k3d is problematic: k3d-io/k3d#206. Alternative is to just not play with the CSI driver and create your own volume that will be mounted, e.g. with predefined secret.
2. Install Vault:
```bash
helm repo add hashicorp https://helm.releases.hashicorp.com
helm repo update
helm install vault hashicorp/vault \
--set "server.dev.enabled=true" \
--set "injector.enabled=false" \
--set "csi.enabled=true"
```
3. Set Slack token:
```bash
kubectl exec -it vault-0 -- /bin/sh
```
```bash
vault kv put secret/slack token={token}
```
4. Configure Kubernetes authentication:
```bash
vault auth enable kubernetes
vault write auth/kubernetes/config \
kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443"
```
```bash
vault policy write internal-app - <<EOF
path "secret/data/slack" {
capabilities = ["read"]
}
EOF
```
```bash
vault write auth/kubernetes/role/database \
bound_service_account_names=botkube-sa \
bound_service_account_namespaces=default \
policies=internal-app \
ttl=20m
```
5. Install the secrets store CSI driver:
```bash
helm repo add secrets-store-csi-driver https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts
helm install csi secrets-store-csi-driver/secrets-store-csi-driver --set syncSecret.enabled=true
```
6. Create install parameters:
```bash
cat > /tmp/values.yaml << ENDOFFILE
extraObjects:
- apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
name: vault-database
spec:
provider: vault
secretObjects:
- data:
- key: token
objectName: "slack-token"
secretName: communication-slack
type: Opaque
parameters:
vaultAddress: "http://vault.default:8200"
roleName: "database"
objects: |
- objectName: "slack-token"
secretPath: "secret/data/slack"
secretKey: "token"
communications:
# Settings for Slack
slack:
enabled: true
channel: 'random'
notiftype: short
# token - specified via env
extraEnv:
- name: COMMUNICATION_SLACK_TOKEN
valueFrom:
secretKeyRef:
name: communication-slack
key: token
extraVolumeMounts:
- name: secrets-store-inline
mountPath: "/mnt/secrets-store"
readOnly: true
extraVolumes:
- name: secrets-store-inline
csi:
driver: secrets-store.csi.k8s.io
readOnly: true
volumeAttributes:
secretProviderClass: "vault-database"
image:
registry: mszostok
repository: botkube
tag: env-test-v2
ENDOFFILE
```
7. Checkout this PR: `gh pr checkout 601`
8. Install BotKube:
```bash
helm install botkube -f /tmp/values.yaml ./helm/botkube
```- Loading branch information
Showing
8 changed files
with
259 additions
and
20 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,62 @@ | ||
| package config | ||
|
|
||
| import ( | ||
| "fmt" | ||
| "os" | ||
| "path/filepath" | ||
| "testing" | ||
| "time" | ||
|
|
||
| "github.com/stretchr/testify/assert" | ||
| "github.com/stretchr/testify/require" | ||
| "gopkg.in/yaml.v3" | ||
| ) | ||
|
|
||
| const sampleCommunicationConfig = "testdata/comm_config.yaml" | ||
|
|
||
| func TestCommunicationConfigSuccess(t *testing.T) { | ||
| t.Run("Load from file", func(t *testing.T) { | ||
| // given | ||
| t.Setenv("CONFIG_PATH", "testdata") | ||
|
|
||
| var expConfig Communications | ||
| loadYAMLFile(t, sampleCommunicationConfig, &expConfig) | ||
|
|
||
| // when | ||
| gotCfg, err := NewCommunicationsConfig() | ||
|
|
||
| //then | ||
| require.NoError(t, err) | ||
| require.NotNil(t, gotCfg) | ||
| assert.Equal(t, expConfig, *gotCfg) | ||
| }) | ||
|
|
||
| t.Run("Load from file and override with environment variables", func(t *testing.T) { | ||
| // given | ||
| t.Setenv("CONFIG_PATH", "testdata") | ||
|
|
||
| fixToken := fmt.Sprintf("TOKEN_FROM_ENV_%d", time.Now().Unix()) | ||
| t.Setenv("COMMUNICATIONS_SLACK_TOKEN", fixToken) | ||
| var expConfig Communications | ||
| loadYAMLFile(t, sampleCommunicationConfig, &expConfig) | ||
| expConfig.Communications.Slack.Token = fixToken | ||
|
|
||
| // when | ||
| gotCfg, err := NewCommunicationsConfig() | ||
|
|
||
| //then | ||
| require.NoError(t, err) | ||
| require.NotNil(t, gotCfg) | ||
| assert.Equal(t, expConfig, *gotCfg) | ||
| }) | ||
| } | ||
|
|
||
| func loadYAMLFile(t *testing.T, path string, out interface{}) { | ||
| t.Helper() | ||
|
|
||
| raw, err := os.ReadFile(filepath.Clean(path)) | ||
| require.NoError(t, err) | ||
|
|
||
| err = yaml.Unmarshal(raw, out) | ||
| require.NoError(t, err) | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,57 @@ | ||
| # Channels configuration | ||
| communications: | ||
| # Settings for Slack | ||
| slack: | ||
| enabled: false | ||
| channel: 'SLACK_CHANNEL' | ||
| token: 'SLACK_API_TOKEN' | ||
| notiftype: short # Change notification type short/long you want to receive. notiftype is optional and Default notification type is short (if not specified) | ||
|
|
||
| # Settings for Mattermost | ||
| mattermost: | ||
| enabled: false | ||
| url: 'MATTERMOST_SERVER_URL' # URL where Mattermost is running. e.g https://example.com:9243 | ||
| token: 'MATTERMOST_TOKEN' # Personal Access token generated by BotKube user | ||
| team: 'MATTERMOST_TEAM' # Mattermost Team to configure with BotKube | ||
| channel: 'MATTERMOST_CHANNEL' # Mattermost Channel for receiving BotKube alerts | ||
| notiftype: short # Change notification type short/long you want to receive. notiftype is optional and Default notification type is short (if not specified) | ||
|
|
||
| # Settings for MS Teams | ||
| teams: | ||
| enabled: false | ||
| appID: 'APPLICATION_ID' | ||
| appPassword: 'APPLICATION_PASSWORD' | ||
| notiftype: short | ||
| port: 3978 | ||
|
|
||
| # Settings for Discord | ||
| discord: | ||
| enabled: false | ||
| token: 'DISCORD_TOKEN' # BotKube Bot Token | ||
| botid: 'DISCORD_BOT_ID' # BotKube Application Client ID | ||
| channel: 'DISCORD_CHANNEL_ID' # Discord Channel id for receiving BotKube alerts | ||
| notiftype: short # Change notification type short/long you want to receive. notiftype is optional and Default notification type is short (if not specified) | ||
|
|
||
|
|
||
| # Settings for ELS | ||
| elasticsearch: | ||
| enabled: false | ||
| awsSigning: | ||
| enabled: false # enable awsSigning using IAM for Elastisearch hosted on AWS, if true make sure AWS environment variables are set. Refer https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html | ||
| awsRegion: 'us-east-1' # AWS region where Elasticsearch is deployed | ||
| roleArn: '' # AWS IAM Role arn to assume for credentials, use this only if you dont want to use the EC2 instance role or not running on AWS instance | ||
| server: 'ELASTICSEARCH_ADDRESS' # e.g https://example.com:9243 | ||
| username: 'ELASTICSEARCH_USERNAME' # Basic Auth | ||
| password: 'ELASTICSEARCH_PASSWORD' | ||
| skipTLSVerify: false # toggle verification of TLS certificate of the Elastic nodes. Verification is skipped when option is true. Enable to connect to clusters with self-signed certs | ||
| # ELS index settings | ||
| index: | ||
| name: botkube | ||
| type: botkube-event | ||
| shards: 1 | ||
| replicas: 0 | ||
|
|
||
| # Settings for Webhook | ||
| webhook: | ||
| enabled: false | ||
| url: 'WEBHOOK_URL' # e.g https://example.com:80 |