diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index b51c4296..e53f815d 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -36,22 +36,7 @@ jobs: npm run build - name: Check for broken file references - run: | - cd "${{ matrix.repo }}/build" - echo "Checking for broken files in $(pwd)" - - echo "Total files: $(ls -alh . | wc -l)" - echo "Total HTML files: $(find . -type f -name "*.html" | wc -l)" - - echo "Ripgrep" - if rg 'file=../../../modules' -g '*.html' | grep -q .; then - echo "Matches found. Exiting with code 0." - rg 'file=../../../modules' -g '*.html' - exit 1 - else - echo "No matches found" - exit 0 - fi + run: make file-ref-check prettier: name: prettier diff --git a/Makefile b/Makefile index d2caf459..cf1a6ec9 100644 --- a/Makefile +++ b/Makefile @@ -46,6 +46,26 @@ fmt: fmt-check: npx prettier --check --log-level=debug "**/*.md" +.PHONY: build +build: + @echo "Building mission-control documentation..." + @cd modules && make all + @cd mission-control && npm ci && npm run build + +.PHONY: file-ref-check +file-ref-check: ## Check for broken file references in build output + @echo "Checking for broken files in mission-control/build" + @cd mission-control/build && \ + echo "Total files: $$(ls -alh . | wc -l)" && \ + echo "Total HTML files: $$(find . -type f -name "*.html" | wc -l)" && \ + if rg 'file=../../../modules' -g '*.html' | grep -q .; then \ + echo "ERROR: Found broken file references:" && \ + rg 'file=../../../modules' -g '*.html' && \ + exit 1; \ + else \ + echo "No broken file references found"; \ + fi + .PHONY: sync: git submodule update --init --recursive diff --git a/common/src/components/Fields.jsx b/common/src/components/Fields.jsx index 0606e698..103c18e1 100644 --- a/common/src/components/Fields.jsx +++ b/common/src/components/Fields.jsx 
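Review bot: The new `file-ref-check` target reports success when `rg` is not installed, because a failed `rg` invocation piped into `grep -q .` simply yields no match and the `else` branch prints "No broken file references found"; the lint.yml hunk that now calls `make file-ref-check` would therefore go green without having checked anything. Guard the pipeline first, `command -v rg >/dev/null || { echo "rg is required for file-ref-check"; exit 1; }`, or use `grep -rlF 'file=../../../modules' --include='*.html' .`, which is present on every runner. The removed workflow step ran against `${{ matrix.repo }}/build` while the target hard-codes `mission-control/build`; if the job still iterates over a matrix of repos, only mission-control is checked now — worth confirming against the matrix definition, which lies outside this hunk. Note also that `rg` treats the pattern as a regex, so the dots match any character; `-F` would make the literal intent explicit.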
@@ -118,6 +118,89 @@ export default function Fields({ common = [], rows = [], oneOf, anyOf, connectio return a.field.localeCompare(b.field) } + // Common AWS connection fields + const awsFields = [ + { + field: oss ? null : "connection", + description: "The connection url to use, mutually exclusive with `accessKey` and `secretKey`", + scheme: "Connection", + }, + { + field: "accessKey", + description: "Access Key ID", + scheme: "EnvVar" + }, + { + field: "secretKey", + description: "Secret Access Key", + scheme: "EnvVar" + }, + { + field: "region", + description: "The AWS region", + scheme: "string" + }, + { + field: "endpoint", + scheme: "string", + description: "Custom AWS Endpoint to use", + }, + { + field: "skipTLSVerify", + description: "Skip TLS verify when connecting to AWS", + scheme: 'bool' + } + ] + + // Common GCP connection fields + const gcpFields = [ + { + field: oss ? null : 'connection', + description: + 'The connection url to use, mutually exclusive with `credentials`', + scheme: 'Connection' + }, + { + field: 'credentials', + description: 'The credentials to use for authentication', + scheme: 'EnvVar' + }, + { + field: 'endpoint', + description: 'Custom GCP Endpoint to use', + scheme: 'string' + }, + { + field: 'skipTLSVerify', + description: 'Skip TLS verification when connecting to GCP', + scheme: 'bool' + } + ] + + // Common Azure connection fields + const azureFields = [ + { + field: oss ? null : "connection", + description: "The connection url to use, mutually exclusive with `tenantId`, `clientId`, and `clientSecret`", + scheme: "Connection", + }, + { + field: "tenantId", + description: "The Azure Active Directory tenant ID", + required: true + }, + { + field: "clientId", + description: "The Azure client/application ID", + scheme: "EnvVar" + }, + { + field: "clientSecret", + description: "The Azure client/application secret", + scheme: "EnvVar" + } + ] + if (connection == "url") { rows = rows.concat([ { 
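Review bot: The hoisted `azureFields` list drops the `subscriptionId` entry (required, `EnvVar`) that the inline Azure block removed in the hunk at `@@ -347,34 +377,7 @@` used to carry, and the `connection` description no longer mentions it, so the Azure connection page silently loses a documented required field while the `aws` and `gcp` lists are moved verbatim. If the drop is intentional it deserves a mention in the commit message; otherwise add `{ field: "subscriptionId", description: "The Azure subscription ID", required: true, scheme: "EnvVar" }` back into `azureFields` between `tenantId` and `clientId`. Separately, `tenantId` is the only entry in these three lists without a `scheme`, which was already the case before the move. The enclosing `Fields` function starts and ends outside this hunk.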
@@ -200,62 +283,9 @@ export default function Fields({ common = [], rows = [], oneOf, anyOf, connectio } ]) } else if (connection == "aws") { - rows = rows.concat([ - { - field: oss ? null : "connection", - description: "The connection url to use, mutually exclusive with `accessKey` and `secretKey`", - scheme: "Connection", - }, - { - field: "accessKey", - description: "Access Key ID", - scheme: "EnvVar" - }, - { - field: "secretKey", - description: "Secret Access Key", - scheme: "EnvVar" - }, - { - field: "region", - description: "The AWS region", - scheme: "string" - }, - { - field: "endpoint", - scheme: "string", - description: "Custom AWS Endpoint to use", - }, - { - field: "skipTLSVerify", - description: "Skip TLS verify when connecting to AWS", - scheme: 'bool' - } - ]) + rows = rows.concat(awsFields) } else if (connection == "gcp") { - rows = rows.concat([ - { - field: oss ? null : 'connection', - description: - 'The connection url to use, mutually exclusive with `credentials`', - scheme: 'Connection' - }, - { - field: 'credentials', - description: 'The credentials to use for authentication', - scheme: 'EnvVar' - }, - { - field: 'endpoint', - description: 'Custom GCP Endpoint to use', - scheme: 'string' - }, - { - field: 'skipTLSVerify', - description: 'Skip TLS verification when connecting to GCP', - scheme: 'bool' - } - ]) + rows = rows.concat(gcpFields) } else if (connection == "sftp") { rows = rows.concat([ { 
@@ -347,34 +377,7 @@ export default function Fields({ common = [], rows = [], oneOf, anyOf, connectio scheme: "[CNRM](/reference/connections/kubernetes/#cnrm-connection)", }]) } else if (connection == "azure") { - rows = rows.concat([ - { - field: oss ? null : "connection", - description: "The connection url to use, mutually exclusive with `tenantId`, `subscriptionId`, `clientId`, and `clientSecret`", - scheme: "Connection", - }, - { - field: "tenantId", - description: "The Azure Active Directory tenant ID", - required: true - }, - { - field: "subscriptionId", - description: "The Azure subscription ID", - required: true, - scheme: "EnvVar" - }, - { - field: "clientId", - description: "The Azure client/application ID", - scheme: "EnvVar" - }, - { - field: "clientSecret", - description: "The Azure client/application secret", - scheme: "EnvVar" - } - ]) + rows = rows.concat(azureFields) } else if (connection == "openai") { rows = rows.concat([ { 
@@ -618,6 +621,33 @@ export default function Fields({ common = [], rows = [], oneOf, anyOf, connectio } else if (connection == "prometheus") { // Prometheus extends HTTP connection, so HTTP fields will be included rows = rows.concat([]) + } else if (connection == "aws_kms") { + rows = rows.concat(awsFields.concat([ + { + field: "keyID", + description: "KMS key ID, alias, or ARN. Can include region specification for aliases (e.g., alias/ExampleAlias?region=us-east-1)", + scheme: "string", + required: true + } + ])) + } else if (connection == "gcp_kms") { + rows = rows.concat(gcpFields.concat([ + { + field: "keyID", + description: "KMS key resource path in the format: projects/PROJECT/locations/LOCATION/keyRings/KEY_RING/cryptoKeys/KEY", + scheme: "string", + required: true + } + ])) + } else if (connection == "azure_key_vault") { + rows = rows.concat(azureFields.concat([ + { + field: "keyID", + description: "Key Vault key URL in the format: https://vault-name.vault.azure.net/keys/key-name", + scheme: "string", + required: true + } + ])) } rows = rows.concat(common.filter(row => row.required)).filter(i => i.field != null) diff --git a/mission-control-chart b/mission-control-chart index 3710fad5..482220c7 160000 --- a/mission-control-chart +++ b/mission-control-chart @@ -1 +1 @@ -Subproject commit 3710fad5bb8408aaf37129f0272d7aa4da1f3c77 +Subproject commit 482220c75fb5e3ddbd52c9820c10159577b8030f diff --git a/mission-control/docs/guide/playbooks/concepts/sensitive-data.mdx b/mission-control/docs/guide/playbooks/concepts/sensitive-data.mdx new file mode 100644 index 00000000..7fde7caa --- /dev/null +++ b/mission-control/docs/guide/playbooks/concepts/sensitive-data.mdx 
@@ -0,0 +1,43 @@ +--- +title: Sensitive Data +sidebar_custom_props: + icon: material-symbols-light:security +--- + +Sensitive data includes passwords, API keys, tokens, and other confidential information that requires protection from unauthorized access or exposure. Mission Control provides comprehensive protection for sensitive data throughout the entire playbook lifecycle. + +## Secret Parameters + +Use `secret` type parameters to handle sensitive data in playbooks: + +```yaml +parameters: + - name: database_password + type: secret + label: "Database Password" + description: "Password for database connection" + required: true +``` + +## KMS Connection + +:::info +Your Mission Control instance **must** have a KMS connection configured to use secret parameters. +::: + +Configure this using the `--secret-keeper-connection` flag: + +```bash +mission-control serve --secret-keeper-connection "connection://default/my-kms-key" +``` + +or in the helm chart: + +```yaml +kmsConnection: "connection://default/my-kms-key" +``` + +Supported connection types: +- AWS KMS +- Azure Key Vault +- GCP KMS diff --git a/mission-control/docs/installation/_aws_iam.mdx b/mission-control/docs/installation/_aws_iam.mdx index 23ef277b..2eaf0803 100644 --- a/mission-control/docs/installation/_aws_iam.mdx +++ b/mission-control/docs/installation/_aws_iam.mdx @@ -8,6 +8,7 @@ Depending on how you want to use Mission Control you need to create an IAM role | -------------------------------------------- | ----------------------------------------- | | Read Only Scraping | `arn:aws:iam::aws:policy/ReadOnlyAccess` | | Playbooks to create and update AWS Resources | `arn:aws:iam::aws:policy/PowerUserAccess` | +| Secret Management (optional) | Custom KMS policy (see below) |
@@ -107,6 +108,9 @@ You can also create a new policy with only the permissions required by Mission C roleName: MissionControlRole roleOnly: true attachPolicyARNs: + # Add additional policies as needed: + # - "arn:aws:iam::aws:policy/PowerUserAccess" + # - Custom KMS policy ARN for secret management - "arn:aws:iam::aws:policy/ReadOnlyAccess" - metadata: name: canary-checker-sa @@ -114,6 +118,9 @@ You can also create a new policy with only the permissions required by Mission C roleName: CanaryCheckerRole roleOnly: true attachPolicyARNs: + # Add additional policies as needed: + # - "arn:aws:iam::aws:policy/PowerUserAccess" + # - Custom KMS policy ARN for secret management - "arn:aws:iam::aws:policy/ReadOnlyAccess" - metadata: name: config-db-sa @@ -121,6 +128,9 @@ You can also create a new policy with only the permissions required by Mission C roleName: ConfigDBRole roleOnly: true attachPolicyARNs: + # Add additional policies as needed: + # - "arn:aws:iam::aws:policy/PowerUserAccess" + # - Custom KMS policy ARN for secret management - "arn:aws:iam::aws:policy/ReadOnlyAccess" ``` 
@@ -168,15 +178,27 @@ You can also create a new policy with only the permissions required by Mission C podIdentityAssociations: - namespace: mission-control serviceAccountName: mission-control-sa - permissionPolicyARNs: arn:aws:iam::aws:policy/ReadOnlyAccess + permissionPolicyARNs: + # Add additional policies as needed: + # - arn:aws:iam::aws:policy/PowerUserAccess + # - Custom KMS policy ARN for secret management + - arn:aws:iam::aws:policy/ReadOnlyAccess - namespace: mission-control serviceAccountName: config-db-sa - permissionPolicyARNs: arn:aws:iam::aws:policy/ReadOnlyAccess + permissionPolicyARNs: + # Add additional policies as needed: + # - arn:aws:iam::aws:policy/PowerUserAccess + # - Custom KMS policy ARN for secret management + - arn:aws:iam::aws:policy/ReadOnlyAccess - namespace: mission-control serviceAccountName: canary-checker-sa - permissionPolicyARNs: arn:aws:iam::aws:policy/ReadOnlyAccess + permissionPolicyARNs: + # Add additional policies as needed: + # - arn:aws:iam::aws:policy/PowerUserAccess + # - Custom KMS policy ARN for secret management + - arn:aws:iam::aws:policy/ReadOnlyAccess iam: # note withOIDC is not required for Pod Identity serviceAccounts: 
@@ -185,18 +207,27 @@ You can also create a new policy with only the permissions required by Mission C name: mission-control-sa namespace: mission-control attachPolicyARNs: + # Add additional policies as needed: + # - "arn:aws:iam::aws:policy/PowerUserAccess" + # - Custom KMS policy ARN for secret management - "arn:aws:iam::aws:policy/ReadOnlyAccess" # used for cloudwatch, S3 and other AWS health checks - metadata: name: canary-checker-sa namespace: mission-control attachPolicyARNs: + # Add additional policies as needed: + # - "arn:aws:iam::aws:policy/PowerUserAccess" + # - Custom KMS policy ARN for secret management - "arn:aws:iam::aws:policy/ReadOnlyAccess" # used to scrape resources, AWS CloudTrail and AWS Cost & Usage Reports - metadata: name: config-db-sa namespace: mission-control attachPolicyARNs: + # Add additional policies as needed: + # - "arn:aws:iam::aws:policy/PowerUserAccess" + # - Custom KMS policy ARN for secret management - "arn:aws:iam::aws:policy/ReadOnlyAccess" ```

@@ -312,9 +343,20 @@ First we create a secret called `aws` containing the access key and secret. USER_NAME="mission-control-sa" aws iam create-user --user-name $USER_NAME + + # Add policies based on your use case (see table above) aws iam attach-user-policy \ --user-name $USER_NAME \ --policy-arn arn:aws:iam::aws:policy/ReadOnlyAccess + + # Add additional policies as needed: + # aws iam attach-user-policy \ + # --user-name $USER_NAME \ + # --policy-arn arn:aws:iam::aws:policy/PowerUserAccess + # aws iam attach-user-policy \ + # --user-name $USER_NAME \ + # --policy-arn arn:aws:iam:::policy/MissionControlKMSPolicy + key=$(aws iam create-access-key --user-name $USER_NAME) ```

@@ -356,3 +398,117 @@ First we create a secret called `aws` containing the access key and secret. +## Optional: KMS Setup for Secret Management + +If you plan to use secret parameters in playbooks, create a KMS key and IAM policy to encrypt and manage sensitive data: + +### Create a KMS Key + +```bash +# Set your AWS region and account ID +export AWS_REGION=us-west-2 +export ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text) + +# Create a KMS key for Mission Control +aws kms create-key \ + --description "Mission Control Secret Management Key" \ + --region $AWS_REGION \ + --query 'KeyMetadata.KeyId' \ + --output text > mission-control-key-id.txt + +export KEY_ID=$(cat mission-control-key-id.txt) + +# Create an alias for easier reference +aws kms create-alias \ + --alias-name alias/mission-control-secrets \ + --target-key-id $KEY_ID \ + --region $AWS_REGION +``` + +### Create KMS IAM Policy + +```bash +# Create a custom KMS policy +cat > mission-control-kms-policy.json << EOF +{ + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "MissionControlKMSAccess", + "Effect": "Allow", + "Action": [ + "kms:Encrypt", + "kms:Decrypt", + "kms:ReEncrypt*", + "kms:GenerateDataKey*", + "kms:DescribeKey" + ], + "Resource": "arn:aws:kms:${AWS_REGION}:${ACCOUNT_ID}:key/${KEY_ID}" + } + ] +} +EOF + +# Create the IAM policy +aws iam create-policy \ + --policy-name MissionControlKMSPolicy \ + --policy-document file://mission-control-kms-policy.json \ + --query 'Policy.Arn' \ + --output text > mission-control-kms-policy-arn.txt + +export KMS_POLICY_ARN=$(cat mission-control-kms-policy-arn.txt) +``` + +After creating the key and policy, make sure to include the KMS policy ARN in your service account configurations above. 
+ +### Create a Mission Control Connection + +```yaml title="aws-kms-connection.yaml" +apiVersion: mission-control.flanksource.com/v1 +kind: Connection +metadata: + name: aws-kms + namespace: mission-control +spec: + aws: + region: us-west-2 + # Use the same authentication method as your main AWS connection + awsKms: + keyID: alias/mission-control-secrets +``` + +### Update Mission Control Helm Chart + + + + ```bash + helm upgrade mission-control flanksource/mission-control \ + --set kmsConnection='connection://mission-control/aws-kms' \ + -n mission-control \ + --wait + ``` + + + + ```yaml + --- + apiVersion: helm.toolkit.fluxcd.io/v2 + kind: HelmRelease + metadata: + name: mission-control + namespace: mission-control + spec: + chart: + spec: + chart: mission-control + sourceRef: + kind: HelmRepository + name: flanksource + namespace: mission-control + interval: 5m + values: + kmsConnection: 'connection://mission-control/aws-kms' + ``` + + + diff --git a/mission-control/docs/installation/_gke_iam.mdx b/mission-control/docs/installation/_gke_iam.mdx index b9fab654..12c20a39 100644 --- a/mission-control/docs/installation/_gke_iam.mdx +++ b/mission-control/docs/installation/_gke_iam.mdx @@ -4,10 +4,11 @@ import Domain from '@site/docs/partials/_domain.mdx' Depending on usecase, Mission Control can be associated with the following GCP IAM roles: -| Use Case | Role Name | -| -------------------------------------------- | ---------------| -| Read Only Scraping | `roles/viewer` | -| Playbooks to create and update GCP Resources | `roles/editor` | +| Use Case | Role Name | +| -------------------------------------------- | -----------------------------| +| Read Only Scraping | `roles/viewer` | +| Playbooks to create and update GCP Resources | `roles/editor` | +| Secret Management (optional) | `roles/cloudkms.cryptoKeyEncrypterDecrypter` | ## Configure IAM Roles for Mission Control 
@@ -21,14 +22,18 @@ Depending on usecase, Mission Control can be associated with the following GCP I 1. Enable workload identity ```bash - # The name of the GKE cluster mission control is being deployed to - export CLUSTER= + # The name of your existing GKE cluster where mission control is to be deployed to + export CLUSTER=cluster-name + # GCP Project ID export PROJECT_ID=gcp-project-id + # GCP Project Number export PROJECT_NUMBER=gcp-project-number + # Location of GKE Cluster - LOCATION=us-east1 + export LOCATION=us-east1 + # the default namespace the mission-control helm chart uses export NAMESPACE=mission-control @@ -44,6 +49,8 @@ Depending on usecase, Mission Control can be associated with the following GCP I `$KSA_NAME` refers to the Kubernetes service account name. In our case, we need to bind to 3 service accounts: `mission-control-sa`, `canary-checker-sa` and `config-db-sa` ```bash + export ROLE_NAME=roles/viewer + for KSA_NAME in "mission-control-sa" "canary-checker-sa" "config-db-sa"; do gcloud projects add-iam-policy-binding projects/$PROJECT_ID \ --role=$ROLE_NAME \ @@ -68,13 +75,17 @@ You can also refer the official docs: https://cloud.google.com/kubernetes-engine 1. Enable workload identity in the host cluster ```bash # The name of the GKE cluster mission control is being deployed to - export CLUSTER= + export CLUSTER=cluster-name + # GCP Project ID export PROJECT_ID=gcp-project-id + # Location of GKE Cluster - LOCATION=us-east1 + export LOCATION=us-east1 + # the default namespace the mission-control helm chart uses export NAMESPACE=mission-control + # IAM service account name export IAM_SA_NAME=mission-control 
@@ -137,3 +148,92 @@ You can also refer the official docs: https://cloud.google.com/kubernetes-engine + +## KMS Setup for Secret Management + +If you plan to use secret parameters in playbooks, create a KMS key to encrypt and manage sensitive data. +This requires creating a new mission control connection and updating the helm chart to point mission control to the KMS connection. + +### Create a KMS Key + +```bash +# Set your project ID (if not already set) +export PROJECT_ID=gcp-project-id + +# Create a key ring +gcloud kms keyrings create mission-control-keyring \ + --location=global \ + --project=$PROJECT_ID + +# Create a KMS key for Mission Control +gcloud kms keys create mission-control-key \ + --keyring=mission-control-keyring \ + --location=global \ + --purpose=encryption \ + --project=$PROJECT_ID +``` + +### Bind GCP Service Account to IAM Role + +```bash +gcloud projects add-iam-policy-binding projects/$PROJECT_ID \ + --role=roles/cloudkms.cryptoKeyEncrypterDecrypter \ + --member=principal://iam.googleapis.com/projects/$PROJECT_NUMBER/locations/global/workloadIdentityPools/$PROJECT_ID.svc.id.goog/subject/ns/$NAMESPACE/sa/$KSA_NAME \ + --condition=None +``` + +### Create a Mission Control connection + + +```yaml title="gcpkms.yaml" +apiVersion: mission-control.flanksource.com/v1 +kind: Connection +metadata: + name: flanksource-gcpkms +spec: + gcpkms: + keyID: projects//locations/global/keyRings/mission-control-keyring/cryptoKeys/mission-control-key +``` + +### Update Mission Control helm chart + + + + ```bash + helm upgrade mission-control-agent flanksource/mission-control-agent \ + --set upstream.agent= \ + --set upstream.username='token' \ + --set upstream.password= \ + --set upstream.host= \ + --set kmsConnection='connection://mission-control/flanksource-gcpkms' \ + -n mission-control \ + --wait + ``` + + + + ```yaml + --- + apiVersion: helm.toolkit.fluxcd.io/v2 + kind: HelmRelease + metadata: + name: mission-control-agent + namespace: mission-control + 
spec: + chart: + spec: + chart: mission-control-agent + sourceRef: + kind: HelmRepository + name: flanksource + namespace: mission-control + interval: 5m + values: + upstream.agent: YOUR_LOCAL_NAME + upstream.username: token + upstream.password: + upstream.host: + kmsConnection: 'connection://mission-control/flanksource-gcpkms' + ``` + + \ No newline at end of file diff --git a/mission-control/docs/installation/_properties_mission_control.mdx b/mission-control/docs/installation/_properties_mission_control.mdx index c15c0330..efd80cf5 100644 --- a/mission-control/docs/installation/_properties_mission_control.mdx +++ b/mission-control/docs/installation/_properties_mission_control.mdx @@ -12,6 +12,7 @@ import Container from './_properties_container.mdx' | otel.serviceName | Defaults to `mission-control` | | properties.incidents.disable | Defaults to `{}` | | properties.logs.disable | Defaults to `true` | +| kmsConnection | Provide the KMS connection string to use for secret parameters. See [KMS connection documentation](/reference/connections/KMS/) for details. | | | replicas | Defaults to `1` | | resources.limits.cpu | Defaults to `500m` | | resources.limits.memory | Defaults to `1024Mi` | diff --git a/mission-control/docs/reference/connections/KMS/aws-kms.mdx b/mission-control/docs/reference/connections/KMS/aws-kms.mdx new file mode 100644 index 00000000..227fc2f6 --- /dev/null +++ b/mission-control/docs/reference/connections/KMS/aws-kms.mdx @@ -0,0 +1,15 @@ +--- +title: AWS KMS +sidebar_custom_props: + icon: aws +--- + + + + + +## Example + +```yaml title="awskms.yaml" file=/modules/mission-control/fixtures/connections/awskms.yaml + +``` \ No newline at end of file diff --git a/mission-control/docs/reference/connections/KMS/azure-key-vault.mdx b/mission-control/docs/reference/connections/KMS/azure-key-vault.mdx new file mode 100644 index 00000000..baa14145 --- /dev/null +++ b/mission-control/docs/reference/connections/KMS/azure-key-vault.mdx 
@@ -0,0 +1,33 @@ +--- +title: Azure Key Vault +sidebar_custom_props: + icon: azure +--- + + + + + +## Example + +```yaml title="azure-key-vault-connection.yaml" +apiVersion: v1 +kind: Connection +metadata: + name: azure-key-vault-connection +spec: + type: azure_key_vault + clientID: + valueFrom: + secretKeyRef: + name: azure-credentials + key: AZURE_CLIENT_ID + clientSecret: + valueFrom: + secretKeyRef: + name: azure-credentials + key: AZURE_CLIENT_SECRET + tenantID: your-tenant-id + properties: + keyID: https://your-vault.vault.azure.net/keys/mission-control-key +``` \ No newline at end of file diff --git a/mission-control/docs/reference/connections/KMS/gcp-kms.mdx b/mission-control/docs/reference/connections/KMS/gcp-kms.mdx new file mode 100644 index 00000000..0ff6f9db --- /dev/null +++ b/mission-control/docs/reference/connections/KMS/gcp-kms.mdx @@ -0,0 +1,15 @@ +--- +title: GCP KMS +sidebar_custom_props: + icon: gcp +--- + + + + + +## Example + +```yaml title="gcpkms.yaml" file=/modules/mission-control/fixtures/connections/gcpkms.yaml + +``` \ No newline at end of file diff --git a/mission-control/docs/reference/connections/KMS/index.mdx b/mission-control/docs/reference/connections/KMS/index.mdx new file mode 100644 index 00000000..1bc8838a --- /dev/null +++ b/mission-control/docs/reference/connections/KMS/index.mdx @@ -0,0 +1,9 @@ +--- +title: KMS +sidebar_custom_props: + icon: material-symbols-light:security +--- + +import DocCardList from '@theme/DocCardList'; + + \ No newline at end of file diff --git a/mission-control/docs/reference/connections/Notifications/index.mdx b/mission-control/docs/reference/connections/Notifications/index.mdx new file mode 100644 index 00000000..e663455f --- /dev/null +++ b/mission-control/docs/reference/connections/Notifications/index.mdx 
@@ -0,0 +1,11 @@ +--- +title: Notifications +sidebar_position: 2 + +sidebar_custom_props: + icon: ix:alarm-bell +--- + +import DocCardList from '@theme/DocCardList'; + + \ No newline at end of file diff --git a/mission-control/docs/reference/playbooks/parameters.mdx b/mission-control/docs/reference/playbooks/parameters.mdx index ff7e599e..b708907e 100644 --- a/mission-control/docs/reference/playbooks/parameters.mdx +++ b/mission-control/docs/reference/playbooks/parameters.mdx @@ -88,6 +88,7 @@ When running the playbook on a `Deployment` named `mysql` the following is pre-p | `text` | Text input | Text Input | `string` | [`Text`](#text) | | `millicores` | CPU resource | Number | `string` | - | | `bytes` | Memory resource | Number | `string` | - | +| `secret` | Encrypted sensitive data | Password | `string` | - | ```yaml title='params-sink.yaml' file=/modules/mission-control/fixtures/playbooks/params.yaml {20,24,27,32,39,46,51,56,61,72} showLineNumbers 
@@ -135,3 +136,36 @@ When running the playbook on a `Deployment` named `mysql` the following is pre-p | ----------------- | -------------------------------- | -------- | | `options[].label` | Specify label of the list option | `string` | | `options[].value` | Specify value of the list option | `string` | + +### secret + +Secret parameters handle sensitive data like passwords, API keys, and tokens. Values are encrypted at rest using the configured KMS connection and are automatically redacted in logs, UI displays, and database queries. + +:::info Requirements +Your Mission Control instance must have a [KMS connection configured](/installation/saas/authentication#kms) to use secret parameters. +::: + +Secret parameters are rendered as password input fields in the UI and their values are: +- **Encrypted** using the configured KMS (AWS KMS, Azure Key Vault, or GCP KMS) +- **Redacted** in all logs and audit trails +- **Hidden** in the UI after initial input +- **Protected** in database storage + +```yaml +parameters: + - name: api_key + type: secret + label: "API Key" + description: "Your service API key" + required: true +``` + +When referencing secret parameters in playbook actions, use them like any other parameter: + +```yaml +actions: + - name: "Call external API" + exec: + script: | + curl -H "Authorization: Bearer {{.params.api_key}}" https://api.example.com/data +``` diff --git a/modules/canary-checker b/modules/canary-checker index bff5cca8..eb73ef65 160000 --- a/modules/canary-checker +++ b/modules/canary-checker @@ -1 +1 @@ -Subproject commit bff5cca8f2fec464eed099c01f0b15f3602c802f +Subproject commit eb73ef6518c38f2d2e7a7fb1be532a97ace41995 diff --git a/modules/config-db b/modules/config-db index 81e26eb1..18c43eb9 160000 --- a/modules/config-db +++ b/modules/config-db @@ -1 +1 @@ -Subproject commit 81e26eb1be71ea84a5b22261980eae58e82d9080 +Subproject commit 18c43eb9ab0eabd51365160626ffffbf257aa44e 
diff --git a/modules/duty b/modules/duty
index 4a1e4765..4f2fbf21 160000
--- a/modules/duty
+++ b/modules/duty
@@ -1 +1 @@
-Subproject commit 4a1e4765072ce2ea1bea21298d85571fd3d91224
+Subproject commit 4f2fbf2114c943578bd45a6a63a7694b7afd61d1
diff --git a/modules/mission-control b/modules/mission-control
index 60cfeb20..2d68719c 160000
--- a/modules/mission-control
+++ b/modules/mission-control
@@ -1 +1 @@
-Subproject commit 60cfeb200bec5b6d3be4e6598654f79c326d966e
+Subproject commit 2d68719c0276912a80a9e191a455e7b2209e2d0e
diff --git a/modules/mission-control-chart b/modules/mission-control-chart
index 6ed80b8a..482220c7 160000
--- a/modules/mission-control-chart
+++ b/modules/mission-control-chart
@@ -1 +1 @@
-Subproject commit 6ed80b8a9bf48cec7bb7bf720186cfa94cffaa89
+Subproject commit 482220c75fb5e3ddbd52c9820c10159577b8030f
diff --git a/modules/mission-control-registry b/modules/mission-control-registry
index 9586d3b9..5cbc5bf2 160000
--- a/modules/mission-control-registry
+++ b/modules/mission-control-registry
@@ -1 +1 @@
-Subproject commit 9586d3b94e8e6ea38e8dc11fa245cf339d113fb4
+Subproject commit 5cbc5bf25223f7ec9a5c417c41996cdaa5a26301
diff --git a/styles/ignore/words-with-suggestions.txt b/styles/ignore/words-with-suggestions.txt
index e7ab9d95..5d746903 100644
--- a/styles/ignore/words-with-suggestions.txt
+++ b/styles/ignore/words-with-suggestions.txt
@@ -242,6 +242,7 @@ Junit
 JUnit
 keypair
 keypairs
+kmsConnection
 knowledgebase
 knowledgebases
 Kratos