securely store S3 credentials for S3Boto3Storage

[gclawes]

Proposed functionality

Currently STORAGE_CONFIG is stored in the config ConfigMap, which prevents it from being encrypted with cluster secret encyrption:

netbox-chart/charts/netbox/templates/configmap.yaml

Line 83 in 0ab927e

STORAGE_CONFIG: {{ toJson .Values.storageConfig }}

In particular, this can contain the AWS_SECRET_ACCESS_KEY value when using STORAGE_BACKEND: storages.backends.s3boto3.S3Boto3Storage.

The S3Boto3Storage backend supports reading S3 credentials from environment variables instead of the config file, it would be useful to store these in a secret that can be exposed as environment variables

Use case

Securely storing S3 credentials would prevent unauthorized leaking of these secrets.

[LeoColomb]

Thanks for filing this issue, @gclawes.
If the S3 package can read environment variables, have you tried to define these environment variables using extraEnvVarsSecret value?

[gclawes]

That's the approach that I'm currently taking (though I haven't gotten my instance to the point of using the S3 storage yet, so I haven't validate it).

I'm currently creating the secret with with extraDeploy, it might be good to have a dedicated secret for this, to guide users to securely storing these secrets, instead of the current example with storageConfig

[LeoColomb]

Thanks for your reply.
If this approach works, may I ask you to clarify the request?
I'm not sure documenting how to use Kubernetes in general (storing secrets in Secrets is fairly generic) would be relevant within the chart, to be honest.

[gclawes]

At a minimum for documentation, putting a note here in the recommendation for S3 configs that secrets here are stored insecurely I think would guide users away from it:

netbox-chart/charts/netbox/values.yaml

Lines 318 to 323 in 0ab927e

	# storageConfig:
	# AWS_ACCESS_KEY_ID: 'Key ID'
	# AWS_SECRET_ACCESS_KEY: 'Secret'
	# AWS_STORAGE_BUCKET_NAME: 'netbox'
	# AWS_S3_ENDPOINT_URL: 'endpoint URL of S3 provider'
	# AWS_S3_REGION_NAME: 'eu-west-1'

As for functional changes, I think having a dedicated Secret configured under.Values.storageBackend (with .Values.storageBackend.existingSecret as an alternative) for S3 credentials would be an improvement:

https://github.com/netbox-community/netbox-chart/blob/main/charts/netbox/templates/secret.yaml

Would you like me to edit the original post in this issue with this request?

[LeoColomb]

putting a note here in the recommendation for S3 configs that secrets here are stored insecurely I think would guide users away from it

Alright, this sounds good, it's a good idea. 👍
Would you like to open a pull request for this edit?

I think having a dedicated Secret configured under.Values.storageBackend

This addition would match a too specific use case to be included.
Keep in mind that additional values, secrets, or any resources complicate the chart.
As of now, unless it does not work, the suggested approach is perfectly good enough, and pretty generic.
I'd stick to it 😊

Would you like me to edit the original post in this issue with this request?

As you wish, but this is not necessary 😊