Commit
update latest changes
Signed-off-by: Frank Jogeleit <[email protected]>
fjogeleit committed Sep 20, 2024
1 parent 9f94f18 commit 3dff5fc
Showing 2 changed files with 31 additions and 19 deletions.
32 changes: 16 additions & 16 deletions docs/policy-reporter/integrations.md
Expand Up @@ -211,7 +211,7 @@ target:

Instead of defining your credentials or webhooks directly, you can also use the `secretRef` configuration to reference an already existing **Secret** by name. If the secret does not exist, the target is skipped.

The **Secret** should contain the related configuration as key. Supported keys are `host`, `webhook`, `channel`, `apiKey`, `accountID`, `typelessApi`, `kmsKeyId`, `username`, `password`, `token`, `credentials`, `accessKeyID` and `secretAccessKey` - depending on the related target. Only exception is token, which is dedicated for webhook targets and is added as Authorization header.
The **Secret** should contain the related configuration as key. Supported keys are `host`, `webhook`, `channel`, `apiKey`, `accountId`, `typelessApi`, `kmsKeyId`, `username`, `password`, `token`, `credentials`, `accessKeyId` and `secretAccessKey` - depending on the related target. Only exception is token, which is dedicated for webhook targets and is added as Authorization header.

The secretRef is also supported for channels, so you can use different secrets for different channels.

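Review bot: `kmsKeyId` is listed here as a supported Secret key, but the S3 option table later in this same file still documents the option as `kmsKeyID`, so after this rename the two forms coexist; align one with the other (and say in the upgrade guide which spelling Secrets must use). Minor wording on the same line: "Only exception is token" reads better as "The only exception is `token`, which is dedicated to webhook targets and is sent as the Authorization header."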
Expand Down Expand Up @@ -687,7 +687,7 @@ The S3 integration supports `WebIdentidy`, `PodIdentity` and `Credentials` as au
| ---------------------- | ----------------------------------------- | ----------------- |
| `bucket` | S3 Bucket | _(required)_ |
| `endpoint` | S3 API Endpoint | _(optional)_ |
| `accessKeyID` | For Credentials authentication | _(optional)_ |
| `accessKeyId` | For Credentials authentication | _(optional)_ |
| `secretAccessKey` | For Credentials authentication | _(optional)_ |
| `kmsKeyID` | Used for Bucket Encryption | _(optional)_ |
| `bucketKeyEnabled` | Should use Bucket Key for Encryption | `false` |
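Review bot: `kmsKeyID` on the row after `secretAccessKey` keeps the upper-case `ID` suffix while `accessKeyID` in the same table becomes `accessKeyId`, so the table now mixes both conventions; rename it to `kmsKeyId` as well (and list it in the upgrade guide), or state explicitly that it is intentionally unchanged. The context line `The S3 integration supports `WebIdentidy`` has a typo for `WebIdentity`; the same misspelling appears in the Kinesis and SecurityHub section headers below.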
Expand All @@ -707,7 +707,7 @@ target:
region: 'ru-central1'
bucket: 'dev-cluster'
secretAccessKey: 'secretAccessKey'
accessKeyID: 'accessKeyID'
accessKeyId: 'accessKeyId'
skipExistingOnStartup: true
```
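Review bot: the renamed example still places `secretAccessKey` and `accessKeyId` as inline literals in values.yaml even though this file documents `secretRef` for exactly this case; consider pointing the example at a Secret, or adding a one-line comment that inline values are stored in the Helm release and that `secretRef` or `mountedSecret` is the intended way to supply them. The same applies to the config.yaml variant and to the Kinesis and SecurityHub examples further down.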
Expand All @@ -719,7 +719,7 @@ target:
region: 'ru-central1'
bucket: 'dev-cluster'
secretAccessKey: 'secretAccessKey'
accessKeyID: 'accessKeyID'
accessKeyId: 'accessKeyId'
skipExistingOnStartup: true
```
Expand All @@ -739,7 +739,7 @@ The AWS integration supports `WebIdentidy`, `PodIdentity` and `Credentials` as a
| ---------------------- | ----------------------------------------- | ----------------- |
| `streamName` | Kinesis Streamname | _(required)_ |
| `endpoint` | Kinesis API Endpoint | _(optional)_ |
| `accessKeyID` | For Credentials authentication | _(optional)_ |
| `accessKeyId` | For Credentials authentication | _(optional)_ |
| `secretAccessKey` | For Credentials authentication | _(optional)_ |
| `region` | Region | `AWS_REGION` ENV |

Expand All @@ -754,7 +754,7 @@ target:
region: 'eu-central-1'
streamName: 'dev-cluster'
secretAccessKey: 'secretAccessKey'
accessKeyID: 'accessKeyID'
accessKeyId: 'accessKeyId'
skipExistingOnStartup: true
```

Expand All @@ -766,7 +766,7 @@ target:
region: 'eu-central-1'
streamName: 'dev-cluster'
secretAccessKey: 'secretAccessKey'
accessKeyID: 'accessKeyID'
accessKeyId: 'accessKeyId'
skipExistingOnStartup: true
```

Expand All @@ -784,9 +784,9 @@ AWS SecurityHub supports `WebIdentidy`, `PodIdentity` and `Credentials` as authe

| Option | Description | Default |
| ---------------------- | ----------------------------------------- | ----------------- |
| `accountID` | AWS AccoundID | _(required)_ |
| `accountId` | AWS Accound ID | _(required)_ |
| `endpoint` | API Endpoint | _(optional)_ |
| `accessKeyID` | For Credentials authentication | _(optional)_ |
| `accessKeyId` | For Credentials authentication | _(optional)_ |
| `secretAccessKey` | For Credentials authentication | _(optional)_ |
| `productName` | Used product name in SH Findings | `Policy Reporter` |
| `companyName` | Used company name in SH Findings | `Kyverno` |
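Review bot: the new `accountId` row's description reads `AWS Accound ID`; it should be `AWS Account ID`.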
Expand All @@ -802,19 +802,19 @@ AWS SecurityHub supports `WebIdentidy`, `PodIdentity` and `Credentials` as authe
target:
securityHub:
region: 'eu-central-1'
accountID: 'accountID'
accountId: 'accountId'
secretAccessKey: 'secretAccessKey'
accessKeyID: 'accessKeyID'
accessKeyId: 'accessKeyId'
```

```yaml [config.yaml]
target:
securityHub:
config:
region: 'eu-central-1'
accountID: 'accountID'
accountId: 'accountId'
secretAccessKey: 'secretAccessKey'
accessKeyID: 'accessKeyID'
accessKeyId: 'accessKeyId'
```

:::
Expand Down Expand Up @@ -865,7 +865,7 @@ Sends notifications about new violations with all available information over the
| ------------- | -------------------------------- | ------------ |
| `webhook` | Webhook Endpoint | _(optional)_ |
| `token` | Telegram Token | _(required)_ |
| `chatID` | Telegram ChatID | _(required)_ |
| `chatId` | Telegram ChatID | _(required)_ |
| `skipTLS` | skip server cert verification | `false` |
| `certificate` | path to a root CA in PEM format | _(optional)_ |
| `headers` | map of additional static headers | _(optional)_ |
Expand All @@ -879,7 +879,7 @@ The minimal configuration for Discord requires a valid and accessible webhook ap
```yaml [values.yaml]
target:
telegram:
chatID: "XXX"
chatId: "XXX"
token: "XXXX"
skipExistingOnStartup: true
```
Expand All @@ -888,7 +888,7 @@ target:
target:
telegram:
config:
chatID: "XXX"
chatId: "XXX"
token: "XXXX"
skipExistingOnStartup: true
```
18 changes: 15 additions & 3 deletions docs/upgrade-guide/helm.md
Expand Up @@ -68,21 +68,34 @@ target:

In the new Policy Reporter UI v2, the Log page function has been removed as it was of little use, so the related `ui` push target was also dropped.

### Telegram Target

To unify naming conventions the `chatID` option was renamed to `chatId`.

### AWS Targets

To unify naming conventions the `accessKeyID` option for all AWS targets (S3, Kinesis, SecurityHub) was renamed to `accessKeyId`.

Same applies for the `accessKeyID` key in Secrets used via `secretRef` or `mountedSecret`.

### SecurityHub Target

The **SecurityHub** integration has been completely redesigned. Instead of only pushing new violations without synchronizing removed resources or resolved policies, the new integration synchronizes all existing violations with SecurityHub and automatically resolves them once the associated resource or policy has been removed or the violation has been resolved.

```yaml
securityHub:
accessKeyID: ""
accessKeyID: "" # [!code --]
accessKeyId: "" # [!code ++]
secretAccessKey: ""
secretRef: ""
mountedSecret: ""
region: ""
endpoint: ""
accountID: ""
accountId: "" # [!code --]
accountId: "" # [!code ++]
productName: ""
minimumPriority: "" # [!code --]
minimumSeverity: "" # [!code ++]
sources: []
skipExistingOnStartup: true # [!code --]
# Takes only effect when `cleanup` is disabled.
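Review bot: the `[!code --]` line for the account field reads `accountId: ""`, but the key being removed was `accountID` (see the unchanged `accountID: ""` line directly above it and the old SecurityHub table in integrations.md), so the before/after highlight shows the same name on both sides; change that line to `accountID: "" # [!code --]`. The prose in this hunk also only mentions `accessKeyID` as a renamed Secret key, while integrations.md in this same commit renames the Secret key `accountID` to `accountId` too, and the `minimumPriority` to `minimumSeverity` rename shown in the block is not described in the text; add both to the upgrade notes.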
Expand All @@ -92,7 +105,6 @@ The **SecurityHub** integration has been completely redesigned. Instead of only
synchronize: true # [!code ++]
# Delay between AWS GetFindings API calls, to avoid hitting the API RequestLimit
delayInSeconds: 2 # [!code ++]
minimumSeverity: "" # [!code ++]
```
### Loki Target
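Review bot: `### Loki Target` follows the closing code fence with no blank line in between; add one so the section is separated like the other headings in this file.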

0 comments on commit 3dff5fc
