@@ -80,14 +80,115 @@ stringData:
80
80
81
81
To apply the secrets to your cluster/namespace, run the following command: `kubectl apply -f secrets.yaml`
82
82
83
- If you want to only fetch the identities without sending them, please see this [example](charts/ggscout/examples/fetch_only)
84
-
85
83
Other examples can be found in [charts/ggscout/examples](charts/ggscout/examples).
86
84
85
+ > [!IMPORTANT]
86
+ > If you want to only fetch the identities without sending them, please see this [example](charts/ggscout/examples/fetch_only)
87
+
88
+
89
+ > [!CAUTION]
90
+ > If you are using Rancher fleet to deploy ggscout, please refer to this [section](#rancher-fleet)
91
+
92
+
87
93
## Development
88
94
89
95
Install [mise](https://mise.jdx.dev/), then run the following command to run tests:
90
96
91
97
```shell
92
98
$ mise run test
93
99
```
100
+
101
+ ## Rancher fleet
102
+
103
+ Rancher fleet uses its own [ templating language] ( https://fleet.rancher.io/ref-fleet-yaml#templating ) .
104
+ If you have created a bundle from this charts repository, make sure to properly escape environment variables.
105
+
106
+ For example in your values.yml:
107
+ ```
108
+ api_token: ${GG_API_TOKEN}
109
+ ```
110
+
111
+ must be declared instead as:
112
+ ```
113
+ api_token: ${` ${GG_API_TOKEN} `}
114
+ ```
115
+
116
+ ### Full example with Rancher fleet
117
+
118
+ The previous values example must be changed to:
119
+
120
+ ``` yaml
121
+ inventory :
122
+ config :
123
+ sources :
124
+ vault-secrets :
125
+ type : hashicorpvault
126
+ vault_address : " https://your-vault-address-here"
127
+ # If auth is not set, the env variable `VAULT_TOKEN` is used with a `token` auth_mode
128
+ auth :
129
+ auth_mode : " token"
130
+ # Token configuration can be read from environment variables like so:
131
+ token : " ${`${HASHICORP_VAULT_TOKEN}`}"
132
+ fetch_all_versions : true
133
+ path : " secret/"
134
+ gitlabci :
135
+ type : gitlabci
136
+ token : " ${`${GITLAB_TOKEN}`}"
137
+ url : " https://gitlab.gitguardian.ovh"
138
+ # To upload, set the gitguardian URL and tokens. Ensure the endpoint path ends with /v1
139
+ # This is optional: omit this to prevent uploading and to only test collection.
140
+ gitguardian :
141
+ endpoint : " https://my-gg-instance/v1"
142
+ api_token : " ${`${GITGUARDIAN_API_KEY}`}"
143
+ jobs :
144
+ # Job to fetch defined sources
145
+ fetch :
146
+ # Set to `false` to disable the job
147
+ enabled : true
148
+ # Run every 15 minutes
149
+ schedule : ' */15 * * * *'
150
+ # If set to `false`, see the fetch-only configuration example in charts/ggscout/examples/fetch_only
151
+ send : true
152
+ # Job to be able to sync/write secrets from GitGuardian into you vault
153
+ sync :
154
+ # Set to `false` to disable the job
155
+ enabled : true
156
+ # Run every minute
157
+ schedule : ' * * * * *'
158
+
159
+ # This needs to be created separately (read instructions below), and contain the following keys:
160
+ # - `HASHICORP_VAULT_TOKEN` - the hashicorp vault token to use
161
+ # - `GITLAB_TOKEN` - the GitLab access token to use
162
+ # - `GITGUARDIAN_API_KEY` - the GitGuardian token to send results with
163
+ envFrom :
164
+ - secretRef :
165
+ name : gitguardian-ggscout-secrets
166
+ ` ` `
167
+
168
+ If you save this config as ` values.yaml` and you declare the following `fleet.yaml` config file:
169
+
170
+ ` ` ` yaml
171
+ name: ggscout
172
+ helm:
173
+ releaseName: ggscout
174
+ repo: https://gitguardian.github.io/ggscout-helm-charts
175
+ branch: main
176
+ chart: ggscout
177
+ valuesFiles:
178
+ - values.yaml
179
+ ` ` `
180
+
181
+ You can create a bundle with the following [rancher cli](https://formulae.brew.sh/formula/fleet-cli) command :
182
+
183
+ ` ` `
184
+ fleet apply fleet.yaml -o - > ggscout.bdl
185
+ ` ` `
186
+
187
+ Then test that the created bundle is correctly parsed by fleet :
188
+
189
+ ` ` `
190
+ fleet target --bundle-file ggscout.bdl
191
+ ` ` `
192
+
193
+ If you have any error, it probably means you have some variables that are not properly escaped in you `values.yaml` file
194
+
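Review bot: The escaping example under "## Rancher fleet" does not match the full example below it, which will mislead anyone who copies the short form: the short form shows `api_token: ${` ${GG_API_TOKEN} `}` (spaces inside the backticks, no quotes) while every value in the full example uses `"${`${HASHICORP_VAULT_TOKEN}`}"` (no inner spaces, quoted); make the short form `api_token: "${`${GG_API_TOKEN}`}"` so the two agree, since this escape is the only thing keeping fleet from expanding the token placeholder at bundle time and a wrong form silently produces a bad token. Several markdown details in the same region also need fixing before merge: the link `[ templating language] ( https://fleet.rancher.io/ref-fleet-yaml#templating )` has spaces that break the link, the closing fences written as `` ` ` ` `` (with spaces) will not close the code blocks, so the values example, the `fleet.yaml` block and both `fleet` commands will render as raw text, and the quoted values in the full example carry a leading space (`" https://your-vault-address-here"`, `" token"`, `" secret/"`) that would be copied into the config. Minor wording: "this charts repository" should be "this chart repository", "values.yml" in the intro should be "values.yaml" to match the later reference, "into you vault" and "in you `values.yaml`" should read "your", and the link text "rancher cli" points at the fleet-cli formula, so call it the fleet CLI.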