Add support for agent token in helm chart

gamingrobot · gamingrobot · commit ff4d02c36ab1 · 2025-02-20T11:58:09.000-06:00
diff --git a/manifests/helm/templates/NOTES.txt b/manifests/helm/templates/NOTES.txt
@@ -30,7 +30,15 @@
 
 {{ if .Values.clusterDefaults.enabled }}
 ✅ Cluster agent defaults deployed
-{{- if .Values.clusterDefaults.existingSecret }}
+{{- if .Values.clusterDefaults.existingTokenSecret }}
+🔐 Agent token will be retrieved from a secret named {{ .Values.namespace }}/{{ .Values.clusterDefaults.existingTokenSecret }}
+  The secret can be created with a command like the following:
+    ⎈ kubectl create secret generic {{ .Values.clusterDefaults.existingTokenSecret }} --namespace {{ .Values.namespace }} \
+       --from-literal=token=YOUR_AGENT_TOKEN
+  ⚠️  Injection will not work until this secret is created.
+
+  Refer to documentation on how to find the agent token: https://docs.contrastsecurity.com/en/find-the-agent-keys.html
+{{- else if .Values.clusterDefaults.existingSecret }}
 🔐 Agent credentials will be retrieved from a secret named {{ .Values.namespace }}/{{ .Values.clusterDefaults.existingSecret }}
   The secret can be created with a command like the following:
     ⎈ kubectl create secret generic {{ .Values.clusterDefaults.existingSecret }} --namespace {{ .Values.namespace }} \
@@ -51,4 +59,4 @@
 
 📄 More documentation: https://docs.contrastsecurity.com/en/agent-operator.html
 
-🙋 Get support: https://support.contrastsecurity.com / support@contrastsecurity.com
+🙋 Get support: https://support.contrastsecurity.com / support@contrastsecurity.com
diff --git a/manifests/helm/templates/cluster-defaults.yaml.tpl b/manifests/helm/templates/cluster-defaults.yaml.tpl
@@ -23,6 +23,11 @@ metadata:
 spec:
   template:
     spec:
+{{if or .Values.clusterDefaults.existingTokenSecret .Values.clusterDefaults.tokenValue }}
+      token:
+        secretName: {{ .Values.clusterDefaults.existingTokenSecret | default "default-agent-connection-token-secret" }}
+        secretKey: token
+{{ else }}
       url: >-
         {{ required "The key clusterDefaults.clusterDefaults must be set if clusterDefaults.enabled is true" .Values.clusterDefaults.url }}
       apiKey:
@@ -34,8 +39,20 @@ spec:
       userName:
         secretName: {{ .Values.clusterDefaults.existingSecret | default "default-agent-connection-secret" }}
         secretKey: userName
+{{ end }}
 ---
-{{if not .Values.clusterDefaults.existingSecret }}
+{{if and (not .Values.clusterDefaults.existingTokenSecret) .Values.clusterDefaults.tokenValue  }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: default-agent-connection-token-secret
+  namespace: >-
+    {{ .Values.namespace }}
+type: Opaque
+stringData:
+  token: >-
+    {{ required "The key clusterDefaults.tokenValue must be set if clusterDefaults.enabled is true and clusterDefaults.existingTokenSecret is not set" .Values.clusterDefaults.tokenValue }}
+{{else if not .Values.clusterDefaults.existingSecret }}
 apiVersion: v1
 kind: Secret
 metadata:
diff --git a/manifests/helm/values.yaml b/manifests/helm/values.yaml
@@ -57,18 +57,6 @@ operator:
 clusterDefaults:
   # If enabled, configure cluster-wide defaults.
   enabled: false
-  # Required. The Contrast UI instance to use. Defaults at the general SAAS instance.
-  url: https://app.contrastsecurity.com/Contrast
-  # Name of a secret to retrieve the cluster-wide connection details from.
-  # The secret should contain keys named apiKey, serviceKey and userName.
-  # Leave blank if you want the chart to create a secret using the subsequent apiKeyValue, serviceKeyValue and userNameValue values.
-  existingSecret: 
-  # Required if existingSecret is not set. The API Key from the Contrast UI.
-  apiKeyValue:
-  # Required if existingSecret is not set. The Service Key from the Contrast UI.
-  serviceKeyValue:
-  # Required if existingSecret is not set. The User Name from the Contrast UI.
-  userNameValue:
   #If true, parse and replace %variables% in the yaml.
   enableYamlVariableReplacement: false
   #If false, automatically set the Contrast application name on injected workloads (the workload name), rather than use the default (generated by the agent).
@@ -78,6 +66,26 @@ clusterDefaults:
   # Optional. Any custom configuration to use. Must be in the format of the standard YAML file.
   yaml: |-
     enable: true
+  ### Token Authentication ##
+  # Name of a secret to retrieve the cluster-wide connection token from.
+  # The secret should contain a key named 'token' (the agent token from the Contrast UI).
+  # Leave blank if you want the chart to create a secret using the subsequent tokenValue.
+  existingTokenSecret:
+  # Required if existingTokenSecret is not set. The Agent Token from the Contrast UI.
+  tokenValue:
+  ### Legacy Authentication ###
+  # Name of a secret to retrieve the cluster-wide connection details from.
+  # The secret should contain keys named 'apiKey', 'serviceKey' and 'userName'.
+  # Leave blank if you want the chart to create a secret using the subsequent apiKeyValue, serviceKeyValue and userNameValue values.
+  existingSecret:
+  # Required. The Contrast UI instance to use. Defaults at the general SAAS instance.
+  url: https://app-agents.contrastsecurity.com/Contrast
+  # Required if existingSecret is not set. The API Key from the Contrast UI.
+  apiKeyValue:
+  # Required if existingSecret is not set. The Service Key from the Contrast UI.
+  serviceKeyValue:
+  # Required if existingSecret  is not set. The User Name from the Contrast UI.
+  userNameValue:
 
 agentInjectors:
   enabled: true
