diff --git a/docs/configuration/sinks/DataDog.rst b/docs/configuration/sinks/DataDog.rst index eafb712b7..8e8ca60d7 100644 --- a/docs/configuration/sinks/DataDog.rst +++ b/docs/configuration/sinks/DataDog.rst @@ -29,3 +29,23 @@ Save the file and run :name: cb-add-discord-sink helm upgrade robusta robusta/robusta --values=generated_values.yaml + +Using Environment Variables for API Keys +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +.. code-block:: yaml + + runner: + additional_env_vars: + - name: DATADOG_API_KEY + valueFrom: + secretKeyRef: + name: robusta-secrets + key: datadog_key + + sinksConfig: + - datadog_sink: + name: datadog_sink + api_key: "{{ env.DATADOG_API_KEY }}" + +For more information, see :ref:`Managing Secrets`. diff --git a/docs/configuration/sinks/Opsgenie.rst b/docs/configuration/sinks/Opsgenie.rst index 170e01ed3..f853302d4 100644 --- a/docs/configuration/sinks/Opsgenie.rst +++ b/docs/configuration/sinks/Opsgenie.rst @@ -59,6 +59,29 @@ Save the file and apply the configuration: helm upgrade robusta robusta/robusta --values=generated_values.yaml +Using Environment Variables for API Keys +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +To secure your Opsgenie API key, load it from a Kubernetes Secret: + +.. code-block:: yaml + + runner: + additional_env_vars: + - name: OPSGENIE_API_KEY + valueFrom: + secretKeyRef: + name: robusta-secrets + key: opsgenie_key + + sinksConfig: + - opsgenie_sink: + name: ops_genie_sink + api_key: "{{ env.OPSGENIE_API_KEY }}" + teams: ["noc"] + +See :ref:`Managing Secrets` for more information. + **Example Output:** .. admonition:: Typically you'll send alerts from Robusta to OpsGenie and not deployment changes. We're showing a non-typical example with deployment changes because it helps compare the format with other sinks. diff --git a/docs/configuration/sinks/PagerDuty.rst b/docs/configuration/sinks/PagerDuty.rst index 6b3bd991b..e31643441 100644 --- a/docs/configuration/sinks/PagerDuty.rst +++ b/docs/configuration/sinks/PagerDuty.rst @@ -59,6 +59,28 @@ Save the file and run helm upgrade robusta robusta/robusta --values=generated_values.yaml +Securing API Keys with Environment Variables +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +To keep your PagerDuty integration key secure: + +.. code-block:: yaml + + runner: + additional_env_vars: + - name: PAGERDUTY_KEY + valueFrom: + secretKeyRef: + name: robusta-secrets + key: pagerduty_key + + sinksConfig: + - pagerduty_sink: + name: main_pagerduty_sink + api_key: "{{ env.PAGERDUTY_KEY }}" + +See :ref:`Managing Secrets` for complete documentation. + Example Output: .. admonition:: To view the Alerts, on PagerDuty's dashboard navigate to `Incidents` > `Alerts` diff --git a/docs/configuration/sinks/RobustaUI.rst b/docs/configuration/sinks/RobustaUI.rst index 440840712..13dbc4138 100644 --- a/docs/configuration/sinks/RobustaUI.rst +++ b/docs/configuration/sinks/RobustaUI.rst @@ -42,6 +42,10 @@ Add a new sink to your Helm values (``generated_values.yaml``), under ``sinksCon Perform a :ref:`Helm Upgrade `. +.. note:: + + To secure your token using Kubernetes Secrets, see :ref:`Managing Secrets`. + Handling Short-Lived Clusters in the UI ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ diff --git a/docs/configuration/sinks/ServiceNow.rst b/docs/configuration/sinks/ServiceNow.rst index e70d8f557..c1e956d99 100644 --- a/docs/configuration/sinks/ServiceNow.rst +++ b/docs/configuration/sinks/ServiceNow.rst @@ -28,3 +28,7 @@ Configuring the ServiceNow Sink Then perform a :ref:`Helm Upgrade `. + +.. note:: + + To secure your username and password using Kubernetes Secrets, see :ref:`Managing Secrets`. diff --git a/docs/configuration/sinks/VictorOps.rst b/docs/configuration/sinks/VictorOps.rst index 3ea05c902..aa8683bd9 100644 --- a/docs/configuration/sinks/VictorOps.rst +++ b/docs/configuration/sinks/VictorOps.rst @@ -25,6 +25,10 @@ Save the file and run helm upgrade robusta robusta/robusta --values=generated_values.yaml +.. note:: + + To secure your REST endpoint URL using Kubernetes Secrets, see :ref:`Managing Secrets`. + **Example Output:** .. admonition:: Typically you'll send alerts from Robusta to VictorOps and not deployment changes. We're showing a non-typical example with deployment changes because it helps compare the format with other sinks. diff --git a/docs/configuration/sinks/YandexMessenger.rst b/docs/configuration/sinks/YandexMessenger.rst index b99f346f2..cf1bf7747 100644 --- a/docs/configuration/sinks/YandexMessenger.rst +++ b/docs/configuration/sinks/YandexMessenger.rst @@ -59,4 +59,8 @@ After you have configured the sink in your ``generated_values.yaml`` save the fi helm upgrade robusta robusta/robusta --values=generated_values.yaml +.. note:: + + To secure your bot token using Kubernetes Secrets, see :ref:`Managing Secrets`. + You should now get playbooks results in Yandex Messenger! diff --git a/docs/configuration/sinks/discord.rst b/docs/configuration/sinks/discord.rst index b28b3ed7f..32d70ecc1 100644 --- a/docs/configuration/sinks/discord.rst +++ b/docs/configuration/sinks/discord.rst @@ -58,6 +58,10 @@ Save the file and run helm upgrade robusta robusta/robusta --values=generated_values.yaml +.. note:: + + To secure your webhook URL using Kubernetes Secrets, see :ref:`Managing Secrets`. + You should now get playbooks results in Discord! diff --git a/docs/configuration/sinks/google_chat.rst b/docs/configuration/sinks/google_chat.rst index 1344a2f24..ae7484605 100644 --- a/docs/configuration/sinks/google_chat.rst +++ b/docs/configuration/sinks/google_chat.rst @@ -27,3 +27,7 @@ Configuring the Google Chat sink in Robusta Then do a :ref:`Helm Upgrade `. + +.. note:: + + To secure your webhook URL using Kubernetes Secrets, see :ref:`Managing Secrets`. diff --git a/docs/configuration/sinks/index.rst b/docs/configuration/sinks/index.rst index 388da2f63..7c6106ce7 100644 --- a/docs/configuration/sinks/index.rst +++ b/docs/configuration/sinks/index.rst @@ -13,6 +13,11 @@ Robusta can send notifications to various destinations, known as sinks. * :ref:`sinks-overview` * :ref:`sink-scope-matching` +.. tip:: + + To secure API keys and tokens in sink configurations, use Kubernetes Secrets with the + ``{{ env.VARIABLE_NAME }}`` syntax. See :ref:`Managing Secrets` for details and examples. + Available sinks ^^^^^^^^^^^^^^^^^^^^^ Click a sink for setup instructions. diff --git a/docs/configuration/sinks/jira.rst b/docs/configuration/sinks/jira.rst index 77c9f9679..b43297694 100644 --- a/docs/configuration/sinks/jira.rst +++ b/docs/configuration/sinks/jira.rst @@ -82,6 +82,10 @@ Save the file and run helm upgrade robusta robusta/robusta --values=generated_values.yaml +.. note:: + + To secure your API key and credentials using Kubernetes Secrets, see :ref:`Managing Secrets`. + Try the example below to recieve an alert notification in Jira. diff --git a/docs/configuration/sinks/kafka.rst b/docs/configuration/sinks/kafka.rst index 634378b70..054a5aaf7 100644 --- a/docs/configuration/sinks/kafka.rst +++ b/docs/configuration/sinks/kafka.rst @@ -40,6 +40,9 @@ Save the file and run helm upgrade robusta robusta/robusta --values=generated_values.yaml +.. note:: + + To secure your Kafka credentials using Kubernetes Secrets, see :ref:`Managing Secrets`. **Example Output:** diff --git a/docs/configuration/sinks/mail.rst b/docs/configuration/sinks/mail.rst index 046796699..8aaa4b8fd 100644 --- a/docs/configuration/sinks/mail.rst +++ b/docs/configuration/sinks/mail.rst @@ -192,4 +192,8 @@ Troubleshooting We highly recommend using quotes around "mailto" to ensure special characters are handled correctly. -Then do a :ref:`Helm Upgrade `. \ No newline at end of file +Then do a :ref:`Helm Upgrade `. + +.. note:: + + To secure your email credentials and AWS credentials using Kubernetes Secrets, see :ref:`Managing Secrets`. \ No newline at end of file diff --git a/docs/configuration/sinks/mattermost.rst b/docs/configuration/sinks/mattermost.rst index 5bd3866e6..35d35b06f 100644 --- a/docs/configuration/sinks/mattermost.rst +++ b/docs/configuration/sinks/mattermost.rst @@ -83,6 +83,10 @@ Save the file and run helm upgrade robusta robusta/robusta --values=generated_values.yaml +.. note:: + + To secure your bot token using Kubernetes Secrets, see :ref:`Managing Secrets`. + You should now get playbooks results in Mattermost! diff --git a/docs/configuration/sinks/ms-teams.rst b/docs/configuration/sinks/ms-teams.rst index 8e5747ed3..70be3e608 100644 --- a/docs/configuration/sinks/ms-teams.rst +++ b/docs/configuration/sinks/ms-teams.rst @@ -24,6 +24,28 @@ Configuring the MS Teams sink Then do a :ref:`Helm Upgrade `. +Securing Webhook URLs with Environment Variables +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Webhook URLs can contain sensitive information. Store them securely using Kubernetes Secrets: + +.. code-block:: yaml + + runner: + additional_env_vars: + - name: MSTEAMS_WEBHOOK + valueFrom: + secretKeyRef: + name: robusta-secrets + key: msteams_webhook + + sinksConfig: + - ms_teams_sink: + name: main_ms_teams_sink + webhook_url: "{{ env.MSTEAMS_WEBHOOK }}" + +For more details, see :ref:`Managing Secrets`. + Obtaining a webhook URL ----------------------------------- diff --git a/docs/configuration/sinks/pushover.rst b/docs/configuration/sinks/pushover.rst index 4496c2e3e..1698d8d50 100644 --- a/docs/configuration/sinks/pushover.rst +++ b/docs/configuration/sinks/pushover.rst @@ -46,4 +46,8 @@ Save the file and run helm upgrade robusta robusta/robusta --values=generated_values.yaml +.. note:: + + To secure your API token and user key using Kubernetes Secrets, see :ref:`Managing Secrets`. + You should now get playbook results in Pushover! diff --git a/docs/configuration/sinks/rocketchat.rst b/docs/configuration/sinks/rocketchat.rst index 4c5feb78e..4a5af9c0a 100644 --- a/docs/configuration/sinks/rocketchat.rst +++ b/docs/configuration/sinks/rocketchat.rst @@ -66,3 +66,7 @@ Save the file and run helm upgrade robusta robusta/robusta --values=generated_values.yaml +.. note:: + + To secure your personal access token using Kubernetes Secrets, see :ref:`Managing Secrets`. + diff --git a/docs/configuration/sinks/slack.rst b/docs/configuration/sinks/slack.rst index 60a231e02..3b3c44b01 100644 --- a/docs/configuration/sinks/slack.rst +++ b/docs/configuration/sinks/slack.rst @@ -41,9 +41,29 @@ Generate a Slack API key by running ``robusta integrations slack``, then add to channel_override: DYNAMIC SLACK CHANNEL OVERRIDE (Optional) investigate_link: true/false # optional, if false no investigate links/buttons will be included in Slack messages -.. warning:: +.. tip:: + + **Recommended: Load API keys from Kubernetes Secrets** + + Instead of hardcoding your Slack API key, load it from a Kubernetes Secret: + + .. code-block:: yaml + + runner: + additional_env_vars: + - name: SLACK_API_KEY + valueFrom: + secretKeyRef: + name: robusta-slack-secrets + key: api_key + + sinksConfig: + - slack_sink: + name: main_slack_sink + api_key: "{{ env.SLACK_API_KEY }}" + slack_channel: alerts - If you don't want to put your Slack key in Helm values, you can use a secret. See the :ref:`Managing Secrets ` section for more information. + For complete details, see :ref:`Managing Secrets`. Then do a :ref:`Helm Upgrade ` to apply the new configuration. diff --git a/docs/configuration/sinks/telegram.rst b/docs/configuration/sinks/telegram.rst index a759e85a4..bfcdde1c5 100644 --- a/docs/configuration/sinks/telegram.rst +++ b/docs/configuration/sinks/telegram.rst @@ -53,4 +53,8 @@ Save the file and run helm upgrade robusta robusta/robusta --values=generated_values.yaml +.. note:: + + To secure your bot token using Kubernetes Secrets, see :ref:`Managing Secrets`. + You should now get playbooks results in Telegram! diff --git a/docs/configuration/sinks/webex.rst b/docs/configuration/sinks/webex.rst index fb9a0a21f..4be4eb0ad 100644 --- a/docs/configuration/sinks/webex.rst +++ b/docs/configuration/sinks/webex.rst @@ -63,4 +63,8 @@ Now we're ready to configure the webex sink. bot_access_token: room_id: +.. note:: + + To secure your bot access token using Kubernetes Secrets, see :ref:`Managing Secrets`. + You should now get playbooks results in Webex! diff --git a/docs/configuration/sinks/webhook.rst b/docs/configuration/sinks/webhook.rst index 1c796d6f4..85ac8f535 100644 --- a/docs/configuration/sinks/webhook.rst +++ b/docs/configuration/sinks/webhook.rst @@ -19,6 +19,10 @@ Save the file and run helm upgrade robusta robusta/robusta --values=generated_values.yaml +.. note:: + + To secure your webhook URL using Kubernetes Secrets, see :ref:`Managing Secrets`. + **Example Output:** .. admonition:: This example is sending Robusta notifications to ntfy.sh, push notification service diff --git a/docs/configuration/sinks/zulip.rst b/docs/configuration/sinks/zulip.rst index 478931106..70cfea4f2 100644 --- a/docs/configuration/sinks/zulip.rst +++ b/docs/configuration/sinks/zulip.rst @@ -54,4 +54,8 @@ Save the file and run helm upgrade robusta robusta/robusta -f generated_values.yaml +.. note:: + + To secure your bot API key using Kubernetes Secrets, see :ref:`Managing Secrets`. + You should now get alerts in Zulip!