Commit f4ba799

Merge pull request #36 from GitGuardian/ctourriere/NHI-605/add_rancher_fleet_notice
docs: add notice about rancher fleet templates
2 parents 29f7cd1 + ea33a5e commit f4ba799

1 file changed: +103 -2 lines changed

README.md

Lines changed: 103 additions & 2 deletions
@@ -80,14 +80,115 @@ stringData:
8080
8181
To apply the secrets to your cluster/namespace, run the following command: `kubectl apply -f secrets.yaml`
8282
83-
If you want to only fetch the identities without sending them, please see this [example](charts/ggscout/examples/fetch_only)
84-
8583
Other examples can be found in [charts/ggscout/examples](charts/ggscout/examples).
8684
85+
> [!IMPORTANT]
86+
> If you want to only fetch the identities without sending them, please see this [example](charts/ggscout/examples/fetch_only)
87+
88+
89+
> [!CAUTION]
90+
> If you are using Rancher fleet to deploy ggscout, please refer to this [section](#rancher-fleet)
91+
92+
8793
## Development
8894
8995
Install [mise](https://mise.jdx.dev/), then run the following command to run tests:
9096
9197
```shell
9298
$ mise run test
9399
```
100+
101+
## Rancher fleet
102+
103+
Rancher fleet uses its own [templating language](https://fleet.rancher.io/ref-fleet-yaml#templating).
104+
If you have created a bundle from this charts repository, make sure to properly escape environment variables.
105+
106+
For example in your values.yml:
107+
```
108+
api_token: ${GG_API_TOKEN}
109+
```
110+
111+
must be declared instead as:
112+
```
113+
api_token: ${` ${GG_API_TOKEN} `}
114+
```
115+
116+
### Full example with Rancher fleet
117+
118+
The previous values example must be changed to:
119+
120+
```yaml
121+
inventory:
122+
config:
123+
sources:
124+
vault-secrets:
125+
type: hashicorpvault
126+
vault_address: "https://your-vault-address-here"
127+
# If auth is not set, the env variable `VAULT_TOKEN` is used with a `token` auth_mode
128+
auth:
129+
auth_mode: "token"
130+
# Token configuration can be read from environment variables like so:
131+
token: "${`${HASHICORP_VAULT_TOKEN}`}"
132+
fetch_all_versions: true
133+
path: "secret/"
134+
gitlabci:
135+
type: gitlabci
136+
token: "${`${GITLAB_TOKEN}`}"
137+
url: "https://gitlab.gitguardian.ovh"
138+
# To upload, set the gitguardian URL and tokens. Ensure the endpoint path ends with /v1
139+
# This is optional: omit this to prevent uploading and to only test collection.
140+
gitguardian:
141+
endpoint: "https://my-gg-instance/v1"
142+
api_token: "${`${GITGUARDIAN_API_KEY}`}"
143+
jobs:
144+
# Job to fetch defined sources
145+
fetch:
146+
# Set to `false` to disable the job
147+
enabled: true
148+
# Run every 15 minutes
149+
schedule: '*/15 * * * *'
150+
# If set to `false`, see the fetch-only configuration example in charts/ggscout/examples/fetch_only
151+
send: true
152+
# Job to be able to sync/write secrets from GitGuardian into you vault
153+
sync:
154+
# Set to `false` to disable the job
155+
enabled: true
156+
# Run every minute
157+
schedule: '* * * * *'
158+
159+
# This needs to be created separately (read instructions below), and contain the following keys:
160+
# - `HASHICORP_VAULT_TOKEN` - the hashicorp vault token to use
161+
# - `GITLAB_TOKEN` - the GitLab access token to use
162+
# - `GITGUARDIAN_API_KEY` - the GitGuardian token to send results with
163+
envFrom:
164+
- secretRef:
165+
name: gitguardian-ggscout-secrets
166+
```
167+
168+
If you save this config as `values.yaml` and you declare the following `fleet.yaml` config file:
169+
170+
```yaml
171+
name: ggscout
172+
helm:
173+
releaseName: ggscout
174+
repo: https://gitguardian.github.io/ggscout-helm-charts
175+
branch: main
176+
chart: ggscout
177+
valuesFiles:
178+
- values.yaml
179+
```
180+
181+
You can create a bundle with the following [rancher cli](https://formulae.brew.sh/formula/fleet-cli) command:
182+
183+
```
184+
fleet apply fleet.yaml -o - > ggscout.bdl
185+
```
186+
187+
Then test that the created bundle is correctly parsed by fleet:
188+
189+
```
190+
fleet target --bundle-file ggscout.bdl
191+
```
192+
193+
If you have any error, it probably means you have some variables that are not properly escaped in you `values.yaml` file
194+
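Review bot: the two escape forms shown in the new "Rancher fleet" section are inconsistent, and the text never says why the escape is needed. The short example writes `api_token: ${` ${GG_API_TOKEN} `}` with spaces inside the backticks and no quotes, while the full example writes `token: "${`${HASHICORP_VAULT_TOKEN}`}"` quoted and without spaces; use one form in both places (the quoted, space-free one from the full example) so a reader does not copy a value with stray whitespace into a credential field. One sentence stating that Fleet would otherwise try to evaluate `${GG_API_TOKEN}` as a template expression when the bundle is built, and that this is what the `fleet target --bundle-file ggscout.bdl` check surfaces, would make the closing line ("If you have any error, it probably means...") actionable rather than a guess. Smaller points: the three untagged fences around the escape snippets and the two `fleet` commands should carry `yaml` and `shell` like the existing `shell` and `yaml` fences in this README; "in you `values.yaml`" should read "in your", "into you vault" in the `sync` job comment should read "into your", and the link text "rancher cli" points at the `fleet-cli` Homebrew formula, so name it the fleet CLI.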