ROB-2395: docs for secrets sinks config

docs/configuration/sinks/DataDog.rst

@@ -29,3 +29,23 @@ Save the file and run
    :name: cb-add-discord-sink
 
     helm upgrade robusta robusta/robusta --values=generated_values.yaml
+
+Using Environment Variables for API Keys
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+.. code-block:: yaml
+
+   runner:
+     additional_env_vars:
+       - name: DATADOG_API_KEY
+         valueFrom:
+           secretKeyRef:
+             name: robusta-secrets
+             key: datadog_key
+
+   sinksConfig:
+     - datadog_sink:
+         name: datadog_sink
+         api_key: "{{ env.DATADOG_API_KEY }}"
+
+For more information, see :ref:`Managing Secrets`.

docs/configuration/sinks/Opsgenie.rst

@@ -59,6 +59,29 @@ Save the file and apply the configuration:
 
     helm upgrade robusta robusta/robusta --values=generated_values.yaml
 
+Using Environment Variables for API Keys
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+To secure your Opsgenie API key, load it from a Kubernetes Secret:
+
+.. code-block:: yaml
+
+   runner:
+     additional_env_vars:
+       - name: OPSGENIE_API_KEY
+         valueFrom:
+           secretKeyRef:
+             name: robusta-secrets
+             key: opsgenie_key
+
+   sinksConfig:
+     - opsgenie_sink:
+         name: ops_genie_sink
+         api_key: "{{ env.OPSGENIE_API_KEY }}"
+         teams: ["noc"]
+
+See :ref:`Managing Secrets` for more information.
+
 **Example Output:**
 
 .. admonition:: Typically you'll send alerts from Robusta to OpsGenie and not deployment changes. We're showing a non-typical example with deployment changes because it helps compare the format with other sinks.

docs/configuration/sinks/PagerDuty.rst

@@ -59,6 +59,28 @@ Save the file and run
 
     helm upgrade robusta robusta/robusta --values=generated_values.yaml
 
+Securing API Keys with Environment Variables
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+To keep your PagerDuty integration key secure:
+
+.. code-block:: yaml
+
+   runner:
+     additional_env_vars:
+       - name: PAGERDUTY_KEY
+         valueFrom:
+           secretKeyRef:
+             name: robusta-secrets
+             key: pagerduty_key
+
+   sinksConfig:
+     - pagerduty_sink:
+         name: main_pagerduty_sink
+         api_key: "{{ env.PAGERDUTY_KEY }}"
+
+See :ref:`Managing Secrets` for complete documentation.
+
 Example Output:
 
 .. admonition:: To view the Alerts, on PagerDuty's dashboard navigate to `Incidents` > `Alerts`

docs/configuration/sinks/RobustaUI.rst

@@ -42,6 +42,10 @@ Add a new sink to your Helm values (``generated_values.yaml``), under ``sinksCon
 
 Perform a :ref:`Helm Upgrade <Simple Upgrade>`.
 
+.. note::
+
+   To secure your token using Kubernetes Secrets, see :ref:`Managing Secrets`.
+
 Handling Short-Lived Clusters in the UI
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 

docs/configuration/sinks/ServiceNow.rst

@@ -28,3 +28,7 @@ Configuring the ServiceNow Sink
 
 
 Then perform a :ref:`Helm Upgrade <Simple Upgrade>`.
+
+.. note::
+
+   To secure your username and password using Kubernetes Secrets, see :ref:`Managing Secrets`.

docs/configuration/sinks/VictorOps.rst

@@ -25,6 +25,10 @@ Save the file and run
 
     helm upgrade robusta robusta/robusta --values=generated_values.yaml
 
+.. note::
+
+   To secure your REST endpoint URL using Kubernetes Secrets, see :ref:`Managing Secrets`.
+
 **Example Output:**
 
 .. admonition:: Typically you'll send alerts from Robusta to VictorOps and not deployment changes. We're showing a non-typical example with deployment changes because it helps compare the format with other sinks.

docs/configuration/sinks/YandexMessenger.rst

@@ -59,4 +59,8 @@ After you have configured the sink in your ``generated_values.yaml`` save the fi
 
     helm upgrade robusta robusta/robusta --values=generated_values.yaml
 
+.. note::
+
+   To secure your bot token using Kubernetes Secrets, see :ref:`Managing Secrets`.
+
 You should now get playbooks results in Yandex Messenger!

docs/configuration/sinks/discord.rst

@@ -58,6 +58,10 @@ Save the file and run
 
     helm upgrade robusta robusta/robusta --values=generated_values.yaml
 
+.. note::
+
+   To secure your webhook URL using Kubernetes Secrets, see :ref:`Managing Secrets`.
+
 You should now get playbooks results in Discord!
 
 

docs/configuration/sinks/google_chat.rst

@@ -27,3 +27,7 @@ Configuring the Google Chat sink in Robusta
 
 
 Then do a :ref:`Helm Upgrade <Simple Upgrade>`.
+
+.. note::
+
+   To secure your webhook URL using Kubernetes Secrets, see :ref:`Managing Secrets`.

docs/configuration/sinks/index.rst

@@ -13,6 +13,11 @@ Robusta can send notifications to various destinations, known as sinks.
 * :ref:`sinks-overview`
 * :ref:`sink-scope-matching`
 
+.. tip::
+
+   To secure API keys and tokens in sink configurations, use Kubernetes Secrets with the
+   ``{{ env.VARIABLE_NAME }}`` syntax. See :ref:`Managing Secrets` for details and examples.
+
 Available sinks
 ^^^^^^^^^^^^^^^^^^^^^
 Click a sink for setup instructions.

docs/configuration/sinks/jira.rst

@@ -82,6 +82,10 @@ Save the file and run
 
     helm upgrade robusta robusta/robusta --values=generated_values.yaml
 
+.. note::
+
+   To secure your API key and credentials using Kubernetes Secrets, see :ref:`Managing Secrets`.
+
 Try the example below to recieve an alert notification in Jira.
 
 

docs/configuration/sinks/kafka.rst

@@ -40,6 +40,9 @@ Save the file and run
 
     helm upgrade robusta robusta/robusta --values=generated_values.yaml
 
+.. note::
+
+   To secure your Kafka credentials using Kubernetes Secrets, see :ref:`Managing Secrets`.
 
 **Example Output:**
 

docs/configuration/sinks/mail.rst

@@ -192,4 +192,8 @@ Troubleshooting
 
     We highly recommend using quotes around "mailto" to ensure special characters are handled correctly.
 
-Then do a :ref:`Helm Upgrade <Simple Upgrade>`.
+Then do a :ref:`Helm Upgrade <Simple Upgrade>`.
+
+.. note::
+
+   To secure your email credentials and AWS credentials using Kubernetes Secrets, see :ref:`Managing Secrets`.

docs/configuration/sinks/mattermost.rst

@@ -83,6 +83,10 @@ Save the file and run
 
     helm upgrade robusta robusta/robusta --values=generated_values.yaml
 
+.. note::
+
+   To secure your bot token using Kubernetes Secrets, see :ref:`Managing Secrets`.
+
 You should now get playbooks results in Mattermost!
 
 

docs/configuration/sinks/ms-teams.rst

@@ -24,6 +24,28 @@ Configuring the MS Teams sink
 
 Then do a :ref:`Helm Upgrade <Simple Upgrade>`.
 
+Securing Webhook URLs with Environment Variables
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Webhook URLs can contain sensitive information. Store them securely using Kubernetes Secrets:
+
+.. code-block:: yaml
+
+   runner:
+     additional_env_vars:
+       - name: MSTEAMS_WEBHOOK
+         valueFrom:
+           secretKeyRef:
+             name: robusta-secrets
+             key: msteams_webhook
+
+   sinksConfig:
+     - ms_teams_sink:
+         name: main_ms_teams_sink
+         webhook_url: "{{ env.MSTEAMS_WEBHOOK }}"
+
+For more details, see :ref:`Managing Secrets`.
+
 Obtaining a webhook URL
 -----------------------------------
 

docs/configuration/sinks/pushover.rst

@@ -46,4 +46,8 @@ Save the file and run
 
     helm upgrade robusta robusta/robusta --values=generated_values.yaml
 
+.. note::
+
+   To secure your API token and user key using Kubernetes Secrets, see :ref:`Managing Secrets`.
+
 You should now get playbook results in Pushover!

docs/configuration/sinks/rocketchat.rst

@@ -66,3 +66,7 @@ Save the file and run
 
     helm upgrade robusta robusta/robusta --values=generated_values.yaml
 
+.. note::
+
+   To secure your personal access token using Kubernetes Secrets, see :ref:`Managing Secrets`.
+

docs/configuration/sinks/slack.rst

@@ -41,9 +41,29 @@ Generate a Slack API key by running ``robusta integrations slack``, then add to
          channel_override: DYNAMIC SLACK CHANNEL OVERRIDE (Optional)
          investigate_link: true/false # optional, if false no investigate links/buttons will be included in Slack messages
 
-.. warning::
+.. tip::
+
+    **Recommended: Load API keys from Kubernetes Secrets**
+
+    Instead of hardcoding your Slack API key, load it from a Kubernetes Secret:
+
+    .. code-block:: yaml
+
+       runner:
+         additional_env_vars:
+           - name: SLACK_API_KEY
+             valueFrom:
+               secretKeyRef:
+                 name: robusta-slack-secrets
+                 key: api_key
+
+       sinksConfig:
+         - slack_sink:
+             name: main_slack_sink
+             api_key: "{{ env.SLACK_API_KEY }}"
+             slack_channel: alerts
 
-    If you don't want to put your Slack key in Helm values, you can use a secret. See the :ref:`Managing Secrets <Managing Secrets>` section for more information.
+    For complete details, see :ref:`Managing Secrets`.
 
 Then do a :ref:`Helm Upgrade <Simple Upgrade>` to apply the new configuration.
 

docs/configuration/sinks/telegram.rst

@@ -53,4 +53,8 @@ Save the file and run
 
     helm upgrade robusta robusta/robusta --values=generated_values.yaml
 
+.. note::
+
+   To secure your bot token using Kubernetes Secrets, see :ref:`Managing Secrets`.
+
 You should now get playbooks results in Telegram!

docs/configuration/sinks/webex.rst

@@ -63,4 +63,8 @@ Now we're ready to configure the webex sink.
             bot_access_token: <YOUR BOT ACCESS TOKEN>
             room_id: <YOUR ROOM ID>
 
+.. note::
+
+   To secure your bot access token using Kubernetes Secrets, see :ref:`Managing Secrets`.
+
 You should now get playbooks results in Webex!

docs/configuration/sinks/webhook.rst

@@ -19,6 +19,10 @@ Save the file and run
 
     helm upgrade robusta robusta/robusta --values=generated_values.yaml
 
+.. note::
+
+   To secure your webhook URL using Kubernetes Secrets, see :ref:`Managing Secrets`.
+
 **Example Output:**
 
 .. admonition:: This example is sending Robusta notifications to ntfy.sh, push notification service

docs/configuration/sinks/zulip.rst

@@ -54,4 +54,8 @@ Save the file and run
 
    helm upgrade robusta robusta/robusta -f generated_values.yaml
 
+.. note::
+
+   To secure your bot API key using Kubernetes Secrets, see :ref:`Managing Secrets`.
+
 You should now get alerts in Zulip!