diff --git a/common/src/components/Fields.jsx b/common/src/components/Fields.jsx
index b26a18fb..0bdf1bb7 100644
--- a/common/src/components/Fields.jsx
+++ b/common/src/components/Fields.jsx
@@ -118,6 +118,90 @@ export default function Fields({ common = [], rows = [], oneOf, anyOf, connectio return a.field.localeCompare(b.field) } + // Common AWS connection fields + const awsFields = [ + { + field: oss ? null : "connection", + description: "The connection url to use, mutually exclusive with `accessKey` and `secretKey`", + scheme: "Connection", + }, + { + field: "accessKey", + description: "Access Key ID", + scheme: "EnvVar" + }, + { + field: "secretKey", + description: "Secret Access Key", + scheme: "EnvVar" + }, + { + field: "region", + description: "The AWS region", + scheme: "string" + }, + { + field: "endpoint", + scheme: "string", + description: "Custom AWS Endpoint to use", + }, + { + field: "skipTLSVerify", + description: "Skip TLS verify when connecting to AWS", + scheme: 'bool' + } + ] + + // Common GCP connection fields + const gcpFields = [ + { + field: oss ? null : 'connection', + description: + 'The connection url to use, mutually exclusive with `credentials`', + scheme: 'Connection' + }, + { + field: 'credentials', + description: 'The credentials to use for authentication', + scheme: 'EnvVar' + }, + { + field: 'endpoint', + description: 'Custom GCP Endpoint to use', + scheme: 'string' + }, + { + field: 'skipTLSVerify', + description: 'Skip TLS verification when connecting to GCP', + scheme: 'bool' + } + ] + + // Common Azure connection fields + const azureFields = [ + { + field: oss ? null : "connection", + description: "The connection url to use, mutually exclusive with `tenantId`, `clientId`, and `clientSecret`", + scheme: "Connection", + }, + { + field: "tenantId", + description: "The Azure Active Directory tenant ID", + scheme: "EnvVar", + required: true + }, + { + field: "clientId", + description: "The Azure client/application ID", + scheme: "EnvVar" + }, + { + field: "clientSecret", + description: "The Azure client/application secret", + scheme: "EnvVar" + } + ] + if (connection == "url") { rows = rows.concat([ { 
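Review bot: `azureFields` drops the `subscriptionId` entry that the replaced azure branch (hunk `@@ -347,34 +378,7 @@`) listed with `required: true`, so the Azure connection page loses a documented required field and the `connection` description no longer names it among the mutually exclusive fields. If the Azure connection still takes a subscription, add the entry back to the shared list, or keep it on the azure branch only: `rows = rows.concat(azureFields, [{ field: "subscriptionId", description: "The Azure subscription ID", required: true, scheme: "EnvVar" }])`. If the omission is deliberate because the Key Vault connection does not need it, a one-line comment above `azureFields` saying so would stop the next reader from re-adding it. `Fields` continues beyond this hunk.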
@@ -200,62 +284,9 @@ export default function Fields({ common = [], rows = [], oneOf, anyOf, connectio
 }
 ])
 } else if (connection == "aws") {
- rows = rows.concat([
- {
- field: oss ? null : "connection",
- description: "The connection url to use, mutually exclusive with `accessKey` and `secretKey`",
- scheme: "Connection",
- },
- {
- field: "accessKey",
- description: "Access Key ID",
- scheme: "EnvVar"
- },
- {
- field: "secretKey",
- description: "Secret Access Key",
- scheme: "EnvVar"
- },
- {
- field: "region",
- description: "The AWS region",
- scheme: "string"
- },
- {
- field: "endpoint",
- scheme: "string",
- description: "Custom AWS Endpoint to use",
- },
- {
- field: "skipTLSVerify",
- description: "Skip TLS verify when connecting to AWS",
- scheme: 'bool'
- }
- ])
+ rows = rows.concat(awsFields)
 } else if (connection == "gcp") {
- rows = rows.concat([
- {
- field: oss ? null : 'connection',
- description:
- 'The connection url to use, mutually exclusive with `credentials`',
- scheme: 'Connection'
- },
- {
- field: 'credentials',
- description: 'The credentials to use for authentication',
- scheme: 'EnvVar'
- },
- {
- field: 'endpoint',
- description: 'Custom GCP Endpoint to use',
- scheme: 'string'
- },
- {
- field: 'skipTLSVerify',
- description: 'Skip TLS verification when connecting to GCP',
- scheme: 'bool'
- }
- ])
+ rows = rows.concat(gcpFields)
 } else if (connection == "sftp") {
 rows = rows.concat([
 {
@@ -347,34 +378,7 @@ export default function Fields({ common = [], rows = [], oneOf, anyOf, connectio
 scheme: "[CNRM](/docs/reference/connections/kubernetes/#cnrm-connection)",
 }])
 } else if (connection == "azure") {
- rows = rows.concat([
- {
- field: oss ? null : "connection",
- description: "The connection url to use, mutually exclusive with `tenantId`, `subscriptionId`, `clientId`, and `clientSecret`",
- scheme: "Connection",
- },
- {
- field: "tenantId",
- description: "The Azure Active Directory tenant ID",
- required: true
- },
- {
- field: "subscriptionId",
- description: "The Azure subscription ID",
- required: true,
- scheme: "EnvVar"
- },
- {
- field: "clientId",
- description: "The Azure client/application ID",
- scheme: "EnvVar"
- },
- {
- field: "clientSecret",
- description: "The Azure client/application secret",
- scheme: "EnvVar"
- }
- ])
+ rows = rows.concat(azureFields)
 } else if (connection == "openai") {
 rows = rows.concat([
 {
@@ -618,6 +622,33 @@ export default function Fields({ common = [], rows = [], oneOf, anyOf, connectio } else if (connection == "prometheus") { // Prometheus extends HTTP connection, so HTTP fields will be included rows = rows.concat([]) + } else if (connection == "aws_kms") { + rows = rows.concat(awsFields.concat([ + { + field: "keyID", + description: "KMS key ID, alias, or ARN. Can include region specification for aliases (e.g., alias/ExampleAlias?region=us-east-1)", + scheme: "string", + required: true + } + ])) + } else if (connection == "gcp_kms") { + rows = rows.concat(gcpFields.concat([ + { + field: "keyID", + description: "KMS key resource path in the format: projects/PROJECT/locations/LOCATION/keyRings/KEY_RING/cryptoKeys/KEY", + scheme: "string", + required: true + } + ])) + } else if (connection == "azure_key_vault") { + rows = rows.concat(azureFields.concat([ + { + field: "keyID", + description: "Key Vault key URL in the format: https://vault-name.vault.azure.net/keys/key-name", + scheme: "string", + required: true + } + ])) } rows = rows.concat(common.filter(row => row.required)).filter(i => i.field != null) diff --git a/mission-control-chart b/mission-control-chart index 8f4628d1..201b29dc 160000 --- a/mission-control-chart +++ b/mission-control-chart @@ -1 +1 @@ -Subproject commit 8f4628d124d7e6f3a3e190167d19589f521ce514 +Subproject commit 201b29dce9be9f145bc4c3c24317c4d723ccd2ee diff --git a/mission-control/docs/guide/playbooks/concepts/sensitive-data.mdx b/mission-control/docs/guide/playbooks/concepts/sensitive-data.mdx new file mode 100644 index 00000000..8ce8cfab --- /dev/null +++ b/mission-control/docs/guide/playbooks/concepts/sensitive-data.mdx 
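Review bot: The `aws_kms` and `gcp_kms` branches inherit every entry of the shared lists, so the KMS reference pages will advertise `skipTLSVerify` and a custom `endpoint` for the very connection that encrypts each secret parameter, with nothing saying that disabling certificate verification on that path exposes plaintext secrets in transit (`azureFields` carries no such entry). If the secret-keeper backend honours those fields, either omit them for the KMS variants, `rows = rows.concat(awsFields.filter(f => f.field !== "skipTLSVerify"), [ … ])`, or extend the `keyID` description with a caveat that TLS verification must stay on for a secret-keeper connection. The nested `awsFields.concat([...])` can also be flattened, since `concat` accepts several arguments: `rows = rows.concat(awsFields, [{ … }])`, and likewise for the other two branches. The if/else chain this extends starts outside the hunk.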
@@ -0,0 +1,37 @@ +--- +title: Sensitive Data +sidebar_custom_props: + icon: material-symbols-light:security +--- + +Sensitive data includes passwords, API keys, tokens, and other confidential information that requires protection from unauthorized access or exposure. Mission Control provides comprehensive protection for sensitive data throughout the entire playbook lifecycle. + +## Secret Parameters + +Use `secret` type parameters to handle sensitive data in playbooks: + +```yaml title="http-secret-parameter.yaml" file=/modules/mission-control/fixtures/playbooks/http-secret-parameter.yaml + +``` + +## KMS Connection + +:::info +Your Mission Control instance **must** have a KMS connection configured to use secret parameters. +::: + +Configure this using the `--secret-keeper-connection` flag: + +```bash +mission-control serve --secret-keeper-connection "connection://default/my-kms-key" +``` + +Or set `kmsConnection` in your Helm values file. + +Supported connection types: + +- AWS KMS +- Azure Key Vault +- GCP KMS + +For field-level schema details, see [KMS connection reference](/docs/reference/connections/KMS/). diff --git a/mission-control/docs/installation/_aws_iam.mdx b/mission-control/docs/installation/_aws_iam.mdx index acc7060f..6a47b696 100644 --- a/mission-control/docs/installation/_aws_iam.mdx +++ b/mission-control/docs/installation/_aws_iam.mdx @@ -8,6 +8,7 @@ Depending on how you want to use Mission Control you need to create an IAM role | -------------------------------------------- | ----------------------------------------- | | Read Only Scraping | `arn:aws:iam::aws:policy/ReadOnlyAccess` | | Playbooks to create and update AWS Resources | `arn:aws:iam::aws:policy/PowerUserAccess` | +| Secret Management (optional) | Custom KMS policy (see below) |
@@ -107,6 +108,9 @@ You can also create a new policy with only the permissions required by Mission C roleName: MissionControlRole roleOnly: true attachPolicyARNs: + # Add additional policies as needed: + # - "arn:aws:iam::aws:policy/PowerUserAccess" + # - Custom KMS policy ARN for secret management - "arn:aws:iam::aws:policy/ReadOnlyAccess" - metadata: name: canary-checker-sa @@ -114,6 +118,9 @@ You can also create a new policy with only the permissions required by Mission C roleName: CanaryCheckerRole roleOnly: true attachPolicyARNs: + # Add additional policies as needed: + # - "arn:aws:iam::aws:policy/PowerUserAccess" + # - Custom KMS policy ARN for secret management - "arn:aws:iam::aws:policy/ReadOnlyAccess" - metadata: name: config-db-sa @@ -121,6 +128,9 @@ You can also create a new policy with only the permissions required by Mission C roleName: ConfigDBRole roleOnly: true attachPolicyARNs: + # Add additional policies as needed: + # - "arn:aws:iam::aws:policy/PowerUserAccess" + # - Custom KMS policy ARN for secret management - "arn:aws:iam::aws:policy/ReadOnlyAccess" ``` 
@@ -168,15 +178,27 @@ You can also create a new policy with only the permissions required by Mission C podIdentityAssociations: - namespace: mission-control serviceAccountName: mission-control-sa - permissionPolicyARNs: arn:aws:iam::aws:policy/ReadOnlyAccess + permissionPolicyARNs: + # Add additional policies as needed: + # - arn:aws:iam::aws:policy/PowerUserAccess + # - Custom KMS policy ARN for secret management + - arn:aws:iam::aws:policy/ReadOnlyAccess - namespace: mission-control serviceAccountName: config-db-sa - permissionPolicyARNs: arn:aws:iam::aws:policy/ReadOnlyAccess + permissionPolicyARNs: + # Add additional policies as needed: + # - arn:aws:iam::aws:policy/PowerUserAccess + # - Custom KMS policy ARN for secret management + - arn:aws:iam::aws:policy/ReadOnlyAccess - namespace: mission-control serviceAccountName: canary-checker-sa - permissionPolicyARNs: arn:aws:iam::aws:policy/ReadOnlyAccess + permissionPolicyARNs: + # Add additional policies as needed: + # - arn:aws:iam::aws:policy/PowerUserAccess + # - Custom KMS policy ARN for secret management + - arn:aws:iam::aws:policy/ReadOnlyAccess iam: # note withOIDC is not required for Pod Identity serviceAccounts: 
@@ -185,18 +207,27 @@ You can also create a new policy with only the permissions required by Mission C name: mission-control-sa namespace: mission-control attachPolicyARNs: + # Add additional policies as needed: + # - "arn:aws:iam::aws:policy/PowerUserAccess" + # - Custom KMS policy ARN for secret management - "arn:aws:iam::aws:policy/ReadOnlyAccess" # used for cloudwatch, S3 and other AWS health checks - metadata: name: canary-checker-sa namespace: mission-control attachPolicyARNs: + # Add additional policies as needed: + # - "arn:aws:iam::aws:policy/PowerUserAccess" + # - Custom KMS policy ARN for secret management - "arn:aws:iam::aws:policy/ReadOnlyAccess" # used to scrape resources, AWS CloudTrail and AWS Cost & Usage Reports - metadata: name: config-db-sa namespace: mission-control attachPolicyARNs: + # Add additional policies as needed: + # - "arn:aws:iam::aws:policy/PowerUserAccess" + # - Custom KMS policy ARN for secret management - "arn:aws:iam::aws:policy/ReadOnlyAccess" ```

@@ -258,7 +289,7 @@ You can also create a new policy with only the permissions required by Mission C - + 1. Setup variables ```bash @@ -269,7 +300,7 @@ You can also create a new policy with only the permissions required by Mission C ```

-1. Create a cloudformation template +1. Create a CloudFormation template ```yaml title="mission-control-iam-cloudformation.yaml" file=/docs/partials/_pod_identity.yaml ``` @@ -312,9 +343,20 @@ First we create a secret called `aws` containing the access key and secret. USER_NAME="mission-control-sa" aws iam create-user --user-name $USER_NAME + + # Add policies based on your use case (see table above) aws iam attach-user-policy \ --user-name $USER_NAME \ --policy-arn arn:aws:iam::aws:policy/ReadOnlyAccess + + # Add additional policies as needed: + # aws iam attach-user-policy \ + # --user-name $USER_NAME \ + # --policy-arn arn:aws:iam::aws:policy/PowerUserAccess + # aws iam attach-user-policy \ + # --user-name $USER_NAME \ + # --policy-arn arn:aws:iam:::policy/MissionControlKMSPolicy + key=$(aws iam create-access-key --user-name $USER_NAME) ```
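Review bot: The commented example `--policy-arn arn:aws:iam:::policy/MissionControlKMSPolicy` has an empty account-ID segment; unlike the `aws`-owned managed policies above it, a customer-managed policy ARN carries the account id, so copying this line as written fails to attach anything. Since the KMS section later in this file exports the created ARN, reference it instead, `#   --policy-arn $KMS_POLICY_ARN`, or spell it out as `arn:aws:iam::${ACCOUNT_ID}:policy/MissionControlKMSPolicy` using the `ACCOUNT_ID` that section sets. The fenced shell block this hunk edits begins outside the hunk.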

@@ -356,3 +398,80 @@ First we create a secret called `aws` containing the access key and secret. +## Optional: KMS Setup for Secret Management + +If you plan to use secret parameters in playbooks, create a KMS key and IAM policy to encrypt and manage sensitive data: + +### Create a KMS Key + +```bash +# Set your AWS region and account ID +export AWS_REGION=us-west-2 +export ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text) + +# Create a KMS key for Mission Control +aws kms create-key \ + --description "Mission Control Secret Management Key" \ + --region $AWS_REGION \ + --query 'KeyMetadata.KeyId' \ + --output text > mission-control-key-id.txt + +export KEY_ID=$(cat mission-control-key-id.txt) + +# Create an alias for easier reference +aws kms create-alias \ + --alias-name alias/mission-control-secrets \ + --target-key-id $KEY_ID \ + --region $AWS_REGION +``` + +### Create KMS IAM Policy + +```bash +# Create a custom KMS policy +cat > mission-control-kms-policy.json << EOF +{ + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "MissionControlKMSAccess", + "Effect": "Allow", + "Action": [ + "kms:Encrypt", + "kms:Decrypt", + "kms:ReEncrypt*", + "kms:GenerateDataKey*", + "kms:DescribeKey" + ], + "Resource": "arn:aws:kms:${AWS_REGION}:${ACCOUNT_ID}:key/${KEY_ID}" + } + ] +} +EOF + +# Create the IAM policy +aws iam create-policy \ + --policy-name MissionControlKMSPolicy \ + --policy-document file://mission-control-kms-policy.json \ + --query 'Policy.Arn' \ + --output text > mission-control-kms-policy-arn.txt + +export KMS_POLICY_ARN=$(cat mission-control-kms-policy-arn.txt) +``` + +After creating the key and policy, make sure to include the KMS policy ARN in your service account configurations above. 
+ +### Create a Mission Control Connection + +```yaml title="awskms.yaml" file=/modules/mission-control/fixtures/connections/awskms.yaml + +``` + +### Update Mission Control Helm Values + +Set `kmsConnection` to the KMS connection reference used by your installation: + +/" +`}/> + diff --git a/mission-control/docs/installation/_gke_iam.mdx b/mission-control/docs/installation/_gke_iam.mdx index b9fab654..5d6e502b 100644 --- a/mission-control/docs/installation/_gke_iam.mdx +++ b/mission-control/docs/installation/_gke_iam.mdx @@ -2,12 +2,13 @@ import Domain from '@site/docs/partials/_domain.mdx' ## Choosing an IAM Role -Depending on usecase, Mission Control can be associated with the following GCP IAM roles: +Depending on use case, Mission Control can be associated with the following GCP IAM roles: -| Use Case | Role Name | -| -------------------------------------------- | ---------------| -| Read Only Scraping | `roles/viewer` | -| Playbooks to create and update GCP Resources | `roles/editor` | +| Use Case | Role Name | +| -------------------------------------------- | -----------------------------| +| Read Only Scraping | `roles/viewer` | +| Playbooks to create and update GCP Resources | `roles/editor` | +| Secret Management (optional) | `roles/cloudkms.cryptoKeyEncrypterDecrypter` | ## Configure IAM Roles for Mission Control @@ -21,14 +22,18 @@ Depending on usecase, Mission Control can be associated with the following GCP I 1. Enable workload identity ```bash - # The name of the GKE cluster mission control is being deployed to - export CLUSTER= + # The name of your existing GKE cluster where mission control is to be deployed to + export CLUSTER=cluster-name + # GCP Project ID export PROJECT_ID=gcp-project-id + # GCP Project Number export PROJECT_NUMBER=gcp-project-number + # Location of GKE Cluster - LOCATION=us-east1 + export LOCATION=us-east1 + # the default namespace the mission-control helm chart uses export NAMESPACE=mission-control 
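Review bot: The key created by `aws kms create-key` is left without automatic rotation, and the policy grants `kms:ReEncrypt*` and `kms:GenerateDataKey*` alongside Encrypt/Decrypt; for a key whose only consumer is the secret keeper the minimum is presumably `kms:Encrypt`, `kms:Decrypt` and `kms:DescribeKey` — confirm against what the backend actually calls before trimming. Add `aws kms enable-key-rotation --key-id $KEY_ID --region $AWS_REGION` after the `create-alias` step so the key is rotated without operator action. Scoping `Resource` to the single key ARN rather than `*` is the right call; a one-line comment above `cat > mission-control-kms-policy.json << EOF` noting that the delimiter is deliberately unquoted so `${AWS_REGION}`, `${ACCOUNT_ID}` and `${KEY_ID}` expand would keep readers from "fixing" it to `'EOF'`.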
@@ -44,6 +49,8 @@ Depending on usecase, Mission Control can be associated with the following GCP I `$KSA_NAME` refers to the Kubernetes service account name. In our case, we need to bind to 3 service accounts: `mission-control-sa`, `canary-checker-sa` and `config-db-sa` ```bash + export ROLE_NAME=roles/viewer + for KSA_NAME in "mission-control-sa" "canary-checker-sa" "config-db-sa"; do gcloud projects add-iam-policy-binding projects/$PROJECT_ID \ --role=$ROLE_NAME \ @@ -68,13 +75,17 @@ You can also refer the official docs: https://cloud.google.com/kubernetes-engine 1. Enable workload identity in the host cluster ```bash # The name of the GKE cluster mission control is being deployed to - export CLUSTER= + export CLUSTER=cluster-name + # GCP Project ID export PROJECT_ID=gcp-project-id + # Location of GKE Cluster - LOCATION=us-east1 + export LOCATION=us-east1 + # the default namespace the mission-control helm chart uses export NAMESPACE=mission-control + # IAM service account name export IAM_SA_NAME=mission-control 
@@ -137,3 +148,50 @@ You can also refer the official docs: https://cloud.google.com/kubernetes-engine + +## KMS Setup for Secret Management + +If you plan to use secret parameters in playbooks, create a KMS key to encrypt and manage sensitive data. +This requires creating a new Mission Control connection and updating the Helm chart to point Mission Control to the KMS connection. + +### Create a KMS Key + +```bash +# Set your project ID (if not already set) +export PROJECT_ID=gcp-project-id + +# Create a key ring +gcloud kms keyrings create mission-control-keyring \ + --location=global \ + --project=$PROJECT_ID + +# Create a KMS key for Mission Control +gcloud kms keys create mission-control-key \ + --keyring=mission-control-keyring \ + --location=global \ + --purpose=encryption \ + --project=$PROJECT_ID +``` + +### Bind GCP Service Account to IAM Role + +```bash +gcloud projects add-iam-policy-binding projects/$PROJECT_ID \ + --role=roles/cloudkms.cryptoKeyEncrypterDecrypter \ + --member=principal://iam.googleapis.com/projects/$PROJECT_NUMBER/locations/global/workloadIdentityPools/$PROJECT_ID.svc.id.goog/subject/ns/$NAMESPACE/sa/$KSA_NAME \ + --condition=None +``` + +### Create a Mission Control connection + +```yaml title="gcpkms.yaml" file=/modules/mission-control/fixtures/connections/gcpkms.yaml + +``` + +### Update Mission Control Helm Values + +Set `kmsConnection` to the KMS connection reference used by your installation: + +/" +`}/> diff --git a/mission-control/docs/installation/_properties_mission_control.mdx b/mission-control/docs/installation/_properties_mission_control.mdx index c15c0330..361e0cfb 100644 --- a/mission-control/docs/installation/_properties_mission_control.mdx +++ b/mission-control/docs/installation/_properties_mission_control.mdx 
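Review bot: The KMS binding grants `roles/cloudkms.cryptoKeyEncrypterDecrypter` at the project level, which covers every key in the project rather than only the `mission-control-key` created just above; bind on the key instead, `gcloud kms keys add-iam-policy-binding mission-control-key --keyring=mission-control-keyring --location=global --project=$PROJECT_ID --role=roles/cloudkms.cryptoKeyEncrypterDecrypter --member=<same principal as above>`, so a compromised workload identity cannot decrypt with other keys. The `--member` also expands `$KSA_NAME` and `$PROJECT_NUMBER`; in the snippets shown, `KSA_NAME` is only a `for` loop variable in the earlier binding step and `PROJECT_NUMBER` does not appear to be set in the host-cluster flow, so readers following that flow will get an empty principal. State which service account needs the binding (presumably `mission-control-sa`) and export both variables explicitly before this command.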
@@ -1,5 +1,4 @@ -import Container from './_properties_container.mdx' - +import Container from './_properties_container.mdx' | Value | Description | | -------------------------------------------- | -------------------------------------------------- | @@ -12,6 +11,7 @@ import Container from './_properties_container.mdx' | otel.serviceName | Defaults to `mission-control` | | properties.incidents.disable | Defaults to `{}` | | properties.logs.disable | Defaults to `true` | +| kmsConnection | Provide the KMS connection string to use for secret parameters. See [KMS connection documentation](/docs/reference/connections/KMS/) for details. | | replicas | Defaults to `1` | | resources.limits.cpu | Defaults to `500m` | | resources.limits.memory | Defaults to `1024Mi` | @@ -19,9 +19,10 @@ import Container from './_properties_container.mdx' | resources.requests.memory | Defaults to `768Mi` | +### Canary Checker -### Canary Checker ### Config DB + diff --git a/mission-control/docs/reference/connections/KMS/aws-kms.mdx b/mission-control/docs/reference/connections/KMS/aws-kms.mdx new file mode 100644 index 00000000..a2dcce03 --- /dev/null +++ b/mission-control/docs/reference/connections/KMS/aws-kms.mdx @@ -0,0 +1,15 @@ +--- +title: AWS KMS +sidebar_custom_props: + icon: aws +--- + + + + + +## Example + +```yaml title="awskms.yaml" file=/modules/mission-control/fixtures/connections/awskms.yaml + +``` diff --git a/mission-control/docs/reference/connections/KMS/azure-key-vault.mdx b/mission-control/docs/reference/connections/KMS/azure-key-vault.mdx new file mode 100644 index 00000000..3401cd2f --- /dev/null +++ b/mission-control/docs/reference/connections/KMS/azure-key-vault.mdx @@ -0,0 +1,15 @@ +--- +title: Azure Key Vault +sidebar_custom_props: + icon: azure +--- + + + + + +## Example + +```yaml title="azurekeyvault.yaml" file=/modules/mission-control/fixtures/connections/azurekeyvault.yaml + +``` 
diff --git a/mission-control/docs/reference/connections/KMS/gcp-kms.mdx b/mission-control/docs/reference/connections/KMS/gcp-kms.mdx new file mode 100644 index 00000000..7c8fe0b1 --- /dev/null +++ b/mission-control/docs/reference/connections/KMS/gcp-kms.mdx @@ -0,0 +1,15 @@ +--- +title: GCP KMS +sidebar_custom_props: + icon: gcp +--- + + + + + +## Example + +```yaml title="gcpkms.yaml" file=/modules/mission-control/fixtures/connections/gcpkms.yaml + +``` diff --git a/mission-control/docs/reference/connections/KMS/index.mdx b/mission-control/docs/reference/connections/KMS/index.mdx new file mode 100644 index 00000000..1d75269b --- /dev/null +++ b/mission-control/docs/reference/connections/KMS/index.mdx @@ -0,0 +1,9 @@ +--- +title: KMS +sidebar_custom_props: + icon: material-symbols-light:security +--- + +import DocCardList from '@theme/DocCardList'; + + diff --git a/mission-control/docs/reference/connections/Notifications/index.mdx b/mission-control/docs/reference/connections/Notifications/index.mdx new file mode 100644 index 00000000..c0127195 --- /dev/null +++ b/mission-control/docs/reference/connections/Notifications/index.mdx @@ -0,0 +1,17 @@ +--- +title: Notifications +sidebar_position: 2 + +sidebar_custom_props: + icon: ix:alarm-bell +--- + +Notification connection docs are available under the main Connections section: + +- [Slack](/docs/reference/connections/slack) +- [Discord](/docs/reference/connections/discord) +- [Telegram](/docs/reference/connections/telegram) +- [SMTP](/docs/reference/connections/smtp) +- [Ntfy](/docs/reference/connections/ntfy) +- [Pushbullet](/docs/reference/connections/pushbullet) +- [Pushover](/docs/reference/connections/pushover) diff --git a/mission-control/docs/reference/connections/index.mdx b/mission-control/docs/reference/connections/index.mdx index e852f44f..4041742d 100644 --- a/mission-control/docs/reference/connections/index.mdx +++ b/mission-control/docs/reference/connections/index.mdx 
@@ -11,22 +11,23 @@ Connections provide a secure, reusable way to authenticate against external syst ## Benefits - **Security**: Credentials are stored securely in Kubernetes secrets, not in plain text -- **Reusability**: Define once, use across multiple resources +- **Reuse**: Define once, use across multiple resources - **Maintainability**: Update credentials in one place when they change - **Auditability**: Track which resources use which connections ## Connection Types -| Category | Connections | -|----------|-------------| -| **Cloud Providers** | [AWS](./aws), [Azure](./azure), [GCP](./gcp) | -| **Kubernetes** | [Kubernetes](./kubernetes) | -| **Source Control** | [Git](./git), [GitHub](./github), [GitLab](./gitlab), [Azure DevOps](./azure-devops) | -| **Databases** | [Postgres](./postgres), [OpenSearch](./opensearch) | -| **File Storage** | [SFTP](./sftp), [SMB](./smb) | -| **AI Providers** | [OpenAI](./openai), [Anthropic](./anthropic), [Ollama](./ollama) | -| **Notifications** | [Slack](./slack), [Discord](./discord), [Telegram](./telegram), [SMTP](./smtp), [ntfy](./ntfy), [Pushbullet](./pushbullet), [Pushover](./pushover) | -| **Generic** | [HTTP](./http) | +| Category | Connections | +| --------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------- | +| **Cloud Providers** | [AWS](./aws), [Azure](./azure), [GCP](./gcp) | +| **Key Management** | [KMS](./KMS), [AWS KMS](./KMS/aws-kms), [Azure Key Vault](./KMS/azure-key-vault), [GCP KMS](./KMS/gcp-kms) | +| **Kubernetes** | [Kubernetes](./kubernetes) | +| **Source Control** | [Git](./git), [GitHub](./github), [GitLab](./gitlab), [Azure DevOps](./azure-devops) | +| **Databases** | [Postgres](./postgres), [OpenSearch](./opensearch) | +| **File Storage** | [SFTP](./sftp), [SMB](./smb) | +| **AI Providers** | [OpenAI](./openai), [Anthropic](./anthropic), [Ollama](./ollama) | +| **Notifications** | 
[Slack](./slack), [Discord](./discord), [Telegram](./telegram), [SMTP](./smtp), [Ntfy](./ntfy), [Pushbullet](./pushbullet), [Pushover](./pushover) | +| **Generic** | [HTTP](./http) | ## Creating Connections diff --git a/mission-control/docs/reference/playbooks/parameters.mdx b/mission-control/docs/reference/playbooks/parameters.mdx index ba571c66..eeece252 100644 --- a/mission-control/docs/reference/playbooks/parameters.mdx +++ b/mission-control/docs/reference/playbooks/parameters.mdx @@ -87,6 +87,7 @@ When running the playbook on a `Deployment` named `mysql` the following is pre-p | `text` | Text input | Text Input | `string` | [`Text`](#text) | | `millicores` | CPU resource | Number | `string` | - | | `bytes` | Memory resource | Number | `string` | - | +| `secret` | Encrypted sensitive data | Password | `string` | - | ```yaml title='params-sink.yaml' file=/modules/mission-control/fixtures/playbooks/params.yaml {20,24,27,32,39,46,51,56,61,72} showLineNumbers 
@@ -128,3 +129,24 @@ When running the playbook on a `Deployment` named `mysql` the following is pre-p | ----------------- | -------------------------------- | -------- | | `options[].label` | Specify label of the list option | `string` | | `options[].value` | Specify value of the list option | `string` | + +### secret + +Secret parameters handle sensitive data like passwords, API keys, and tokens. Values are encrypted at rest using the configured KMS connection and are automatically redacted in logs, UI displays, and database queries. + +:::info Requirements +Your Mission Control instance must have a [KMS connection configured](/docs/reference/connections/KMS/) to use secret parameters. +::: + +Secret parameters are rendered as password input fields in the UI and their values are: + +- **Encrypted** using the configured KMS (AWS KMS, Azure Key Vault, or GCP KMS) +- **Redacted** in all logs and audit trails +- **Hidden** in the UI after initial input +- **Protected** in database storage + +Use the following fixture as a reference implementation: + +```yaml title="http-secret-parameter.yaml" file=/modules/mission-control/fixtures/playbooks/http-secret-parameter.yaml + +``` diff --git a/modules/config-db b/modules/config-db index 8754d68a..f0d0fb82 160000 --- a/modules/config-db +++ b/modules/config-db @@ -1 +1 @@ -Subproject commit 8754d68a74bfdf2c7bf32d522dc14ca4b597ae53 +Subproject commit f0d0fb8228cfc73145bdc3909e311c78f8e0d9a8 diff --git a/modules/mission-control b/modules/mission-control index 007756b5..6a1dc093 160000 --- a/modules/mission-control +++ b/modules/mission-control @@ -1 +1 @@ -Subproject commit 007756b56daed4e22dd4aa8394741248a3ceae56 +Subproject commit 6a1dc093cbf96b7a18895f92d986a533b91a6b1a diff --git a/modules/mission-control-chart b/modules/mission-control-chart index 8f4628d1..201b29dc 160000 --- a/modules/mission-control-chart +++ b/modules/mission-control-chart 
@@ -1 +1 @@
-Subproject commit 8f4628d124d7e6f3a3e190167d19589f521ce514
+Subproject commit 201b29dce9be9f145bc4c3c24317c4d723ccd2ee
diff --git a/styles/ignore/words-with-suggestions.txt b/styles/ignore/words-with-suggestions.txt
index 7dce03cc..b269cf78 100644
--- a/styles/ignore/words-with-suggestions.txt
+++ b/styles/ignore/words-with-suggestions.txt
@@ -262,6 +262,7 @@ JUnit
 kafka
 keypair
 keypairs
+kmsConnection
 knowledgebase
 knowledgebases
 Kratos
@@ -389,6 +390,7 @@ searchPath
 securityContext
 Semver
 serviceMonitor
+serviceAccount
 SFTPConnection
 shoutrrr
 Shoutrrr
@@ -484,5 +486,6 @@ Helm
 LLM
 MCP
 OpenAI
+Ollama
 Slack
 WebSocket