Support proxy URL via Kubernetes Secret #253
Description
Problem:
Currently, in the SentinelOne Helm chart's values.yaml, proxy settings are configured using the configuration.proxy and configuration.dv_proxy fields, which accept plaintext URL strings. In secure environments (especially when using GitOps tools like ArgoCD), this will lead to a security concern. Proxies often require credentials, such as: http://username:[email protected]:8080. Storing such sensitive data in plaintext (e.g., in Git) violates best practices for secrets management.
Proposed Solution:
Please add support for reading the proxy URL from a Kubernetes Secret. For example, extend the values.yaml structure as follows:
configuration:
proxy: "" # URL in plaintext
dv_proxy: "" # URL in plaintext
proxyFromSecret:
name: "" # Name of the secret
key: "proxy" # Key in the secret
dv_proxyFromSecret:
name: "" # Name of the secret
key: "proxy" # Key in the secretThe Helper Template could look like this:
{{- if .Values.configuration.proxyFromSecret.name }}
- name: S1_MANAGEMENT_PROXY
valueFrom:
secretKeyRef:
name: {{ .Values.configuration.proxyFromSecret.name }}
key: {{ default "proxy" .Values.configuration.proxyFromSecret.key }}
{{- else if .Values.configuration.proxy }}
- name: S1_MANAGEMENT_PROXY
value: {{ default "" .Values.configuration.proxy }}
{{- end }}
{{- if .Values.configuration.dv_proxyFromSecret.name }}
- name: S1_DV_PROXY
valueFrom:
secretKeyRef:
name: {{ .Values.configuration.dv_proxyFromSecret.name }}
key: {{ default "proxy" .Values.configuration.dv_proxyFromSecret.key }}
{{- else if .Values.configuration.dv_proxy }}
- name: S1_DV_PROXY
value: {{ default "" .Values.configuration.dv_proxy }}
{{- end }}With this approach it could keep proxy credentials out of Git and makes it more secure for GitOps workflows.