From 204204a97fc2da2b0f23e71ddaba366ee6a845d5 Mon Sep 17 00:00:00 2001 From: Aditya Thebe Date: Tue, 26 Aug 2025 19:21:58 +0545 Subject: [PATCH 1/7] feat(Playbook): Secret parameter * KMS connections --- common/src/components/Fields.jsx | 196 ++++++++++-------- .../playbooks/concepts/sensitive-data.mdx | 43 ++++ .../_properties_mission_control.mdx | 1 + .../reference/connections/KMS/aws-kms.mdx | 15 ++ .../connections/KMS/azure-key-vault.mdx | 33 +++ .../reference/connections/KMS/gcp-kms.mdx | 15 ++ .../docs/reference/connections/KMS/index.mdx | 9 + .../connections/Notifications/index.mdx | 11 + .../docs/reference/playbooks/parameters.mdx | 34 +++ 9 files changed, 274 insertions(+), 83 deletions(-) create mode 100644 mission-control/docs/guide/playbooks/concepts/sensitive-data.mdx create mode 100644 mission-control/docs/reference/connections/KMS/aws-kms.mdx create mode 100644 mission-control/docs/reference/connections/KMS/azure-key-vault.mdx create mode 100644 mission-control/docs/reference/connections/KMS/gcp-kms.mdx create mode 100644 mission-control/docs/reference/connections/KMS/index.mdx create mode 100644 mission-control/docs/reference/connections/Notifications/index.mdx diff --git a/common/src/components/Fields.jsx b/common/src/components/Fields.jsx index b26a18fb..25a299b4 100644 --- a/common/src/components/Fields.jsx +++ b/common/src/components/Fields.jsx 
@@ -118,6 +118,89 @@ export default function Fields({ common = [], rows = [], oneOf, anyOf, connectio return a.field.localeCompare(b.field) } + // Common AWS connection fields + const awsFields = [ + { + field: oss ? null : "connection", + description: "The connection url to use, mutually exclusive with `accessKey` and `secretKey`", + scheme: "Connection", + }, + { + field: "accessKey", + description: "Access Key ID", + scheme: "EnvVar" + }, + { + field: "secretKey", + description: "Secret Access Key", + scheme: "EnvVar" + }, + { + field: "region", + description: "The AWS region", + scheme: "string" + }, + { + field: "endpoint", + scheme: "string", + description: "Custom AWS Endpoint to use", + }, + { + field: "skipTLSVerify", + description: "Skip TLS verify when connecting to AWS", + scheme: 'bool' + } + ] + + // Common GCP connection fields + const gcpFields = [ + { + field: oss ? null : 'connection', + description: + 'The connection url to use, mutually exclusive with `credentials`', + scheme: 'Connection' + }, + { + field: 'credentials', + description: 'The credentials to use for authentication', + scheme: 'EnvVar' + }, + { + field: 'endpoint', + description: 'Custom GCP Endpoint to use', + scheme: 'string' + }, + { + field: 'skipTLSVerify', + description: 'Skip TLS verification when connecting to GCP', + scheme: 'bool' + } + ] + + // Common Azure connection fields + const azureFields = [ + { + field: oss ? null : "connection", + description: "The connection url to use, mutually exclusive with `tenantId`, `clientId`, and `clientSecret`", + scheme: "Connection", + }, + { + field: "tenantId", + description: "The Azure Active Directory tenant ID", + required: true + }, + { + field: "clientId", + description: "The Azure client/application ID", + scheme: "EnvVar" + }, + { + field: "clientSecret", + description: "The Azure client/application secret", + scheme: "EnvVar" + } + ] + if (connection == "url") { rows = rows.concat([ { 
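Review bot: `azureFields` omits the `subscriptionId` row that the old inline `azure` list carried, and the later hunk at `-347,34 +377,7` switches the `azure` branch to `rows.concat(azureFields)`. The plain Azure connection reference therefore appears to lose that field as a side effect of sharing the array with `azure_key_vault`. If only Key Vault should omit it, add it back in the `azure` branch, e.g. `rows = rows.concat(azureFields.concat([{ field: "subscriptionId", description: "The Azure subscription ID", required: true, scheme: "EnvVar" }]))`. Separately, `tenantId` is marked `required: true` with no `scheme`, while the `connection` row describes it as mutually exclusive with `connection`; dropping `required` or rewording the description would remove the contradiction. The enclosing `Fields` function starts and ends outside this hunk.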
@@ -200,62 +283,9 @@ export default function Fields({ common = [], rows = [], oneOf, anyOf, connectio } ]) } else if (connection == "aws") { - rows = rows.concat([ - { - field: oss ? null : "connection", - description: "The connection url to use, mutually exclusive with `accessKey` and `secretKey`", - scheme: "Connection", - }, - { - field: "accessKey", - description: "Access Key ID", - scheme: "EnvVar" - }, - { - field: "secretKey", - description: "Secret Access Key", - scheme: "EnvVar" - }, - { - field: "region", - description: "The AWS region", - scheme: "string" - }, - { - field: "endpoint", - scheme: "string", - description: "Custom AWS Endpoint to use", - }, - { - field: "skipTLSVerify", - description: "Skip TLS verify when connecting to AWS", - scheme: 'bool' - } - ]) + rows = rows.concat(awsFields) } else if (connection == "gcp") { - rows = rows.concat([ - { - field: oss ? null : 'connection', - description: - 'The connection url to use, mutually exclusive with `credentials`', - scheme: 'Connection' - }, - { - field: 'credentials', - description: 'The credentials to use for authentication', - scheme: 'EnvVar' - }, - { - field: 'endpoint', - description: 'Custom GCP Endpoint to use', - scheme: 'string' - }, - { - field: 'skipTLSVerify', - description: 'Skip TLS verification when connecting to GCP', - scheme: 'bool' - } - ]) + rows = rows.concat(gcpFields) } else if (connection == "sftp") { rows = rows.concat([ { 
@@ -347,34 +377,7 @@ export default function Fields({ common = [], rows = [], oneOf, anyOf, connectio scheme: "[CNRM](/docs/reference/connections/kubernetes/#cnrm-connection)", }]) } else if (connection == "azure") { - rows = rows.concat([ - { - field: oss ? null : "connection", - description: "The connection url to use, mutually exclusive with `tenantId`, `subscriptionId`, `clientId`, and `clientSecret`", - scheme: "Connection", - }, - { - field: "tenantId", - description: "The Azure Active Directory tenant ID", - required: true - }, - { - field: "subscriptionId", - description: "The Azure subscription ID", - required: true, - scheme: "EnvVar" - }, - { - field: "clientId", - description: "The Azure client/application ID", - scheme: "EnvVar" - }, - { - field: "clientSecret", - description: "The Azure client/application secret", - scheme: "EnvVar" - } - ]) + rows = rows.concat(azureFields) } else if (connection == "openai") { rows = rows.concat([ { 
@@ -618,6 +621,33 @@ export default function Fields({ common = [], rows = [], oneOf, anyOf, connectio } else if (connection == "prometheus") { // Prometheus extends HTTP connection, so HTTP fields will be included rows = rows.concat([]) + } else if (connection == "aws_kms") { + rows = rows.concat(awsFields.concat([ + { + field: "keyID", + description: "KMS key ID, alias, or ARN. Can include region specification for aliases (e.g., alias/ExampleAlias?region=us-east-1)", + scheme: "string", + required: true + } + ])) + } else if (connection == "gcp_kms") { + rows = rows.concat(gcpFields.concat([ + { + field: "keyID", + description: "KMS key resource path in the format: projects/PROJECT/locations/LOCATION/keyRings/KEY_RING/cryptoKeys/KEY", + scheme: "string", + required: true + } + ])) + } else if (connection == "azure_key_vault") { + rows = rows.concat(azureFields.concat([ + { + field: "keyID", + description: "Key Vault key URL in the format: https://vault-name.vault.azure.net/keys/key-name", + scheme: "string", + required: true + } + ])) } rows = rows.concat(common.filter(row => row.required)).filter(i => i.field != null) diff --git a/mission-control/docs/guide/playbooks/concepts/sensitive-data.mdx b/mission-control/docs/guide/playbooks/concepts/sensitive-data.mdx new file mode 100644 index 00000000..7fde7caa --- /dev/null +++ b/mission-control/docs/guide/playbooks/concepts/sensitive-data.mdx 
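Review bot: The `aws_kms` and `gcp_kms` branches build on `awsFields`/`gcpFields`, so the KMS reference tables inherit `skipTLSVerify` and `endpoint` with no caveat. On the connection that encrypts playbook secret parameters, turning off certificate verification or pointing at an unintended endpoint weakens the protection the feature exists to provide. Either drop the row for KMS, e.g. `awsFields.filter(f => f.field !== "skipTLSVerify")`, or extend its description with something like `"Not recommended for KMS connections; use only against trusted test endpoints"`. Whether the backend honours these fields for KMS is not visible here, so confirm before documenting them. The `azureFields` rows use `tenantId`/`clientId`, while the example added in `azure-key-vault.mdx` writes `tenantID`/`clientID`; one of the two spellings presumably does not match the schema.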
@@ -0,0 +1,43 @@ +--- +title: Sensitive Data +sidebar_custom_props: + icon: material-symbols-light:security +--- + +Sensitive data includes passwords, API keys, tokens, and other confidential information that requires protection from unauthorized access or exposure. Mission Control provides comprehensive protection for sensitive data throughout the entire playbook lifecycle. + +## Secret Parameters + +Use `secret` type parameters to handle sensitive data in playbooks: + +```yaml +parameters: + - name: database_password + type: secret + label: "Database Password" + description: "Password for database connection" + required: true +``` + +## KMS Connection + +:::info +Your Mission Control instance **must** have a KMS connection configured to use secret parameters. +::: + +Configure this using the `--secret-keeper-connection` flag: + +```bash +mission-control serve --secret-keeper-connection "connection://default/my-kms-key" +``` + +or in the helm chart: + +```yaml +kmsConnection: "connection://default/my-kms-key" +``` + +Supported connection types: +- AWS KMS +- Azure Key Vault +- GCP KMS diff --git a/mission-control/docs/installation/_properties_mission_control.mdx b/mission-control/docs/installation/_properties_mission_control.mdx index c15c0330..efd80cf5 100644 --- a/mission-control/docs/installation/_properties_mission_control.mdx +++ b/mission-control/docs/installation/_properties_mission_control.mdx @@ -12,6 +12,7 @@ import Container from './_properties_container.mdx' | otel.serviceName | Defaults to `mission-control` | | properties.incidents.disable | Defaults to `{}` | | properties.logs.disable | Defaults to `true` | +| kmsConnection | Provide the KMS connection string to use for secret parameters. See [KMS connection documentation](/reference/connections/KMS/) for details. | | | replicas | Defaults to `1` | | resources.limits.cpu | Defaults to `500m` | | resources.limits.memory | Defaults to `1024Mi` | 
diff --git a/mission-control/docs/reference/connections/KMS/aws-kms.mdx b/mission-control/docs/reference/connections/KMS/aws-kms.mdx new file mode 100644 index 00000000..227fc2f6 --- /dev/null +++ b/mission-control/docs/reference/connections/KMS/aws-kms.mdx @@ -0,0 +1,15 @@ +--- +title: AWS KMS +sidebar_custom_props: + icon: aws +--- + + + + + +## Example + +```yaml title="awskms.yaml" file=/modules/mission-control/fixtures/connections/awskms.yaml + +``` \ No newline at end of file diff --git a/mission-control/docs/reference/connections/KMS/azure-key-vault.mdx b/mission-control/docs/reference/connections/KMS/azure-key-vault.mdx new file mode 100644 index 00000000..baa14145 --- /dev/null +++ b/mission-control/docs/reference/connections/KMS/azure-key-vault.mdx @@ -0,0 +1,33 @@ +--- +title: Azure Key Vault +sidebar_custom_props: + icon: azure +--- + + + + + +## Example + +```yaml title="azure-key-vault-connection.yaml" +apiVersion: v1 +kind: Connection +metadata: + name: azure-key-vault-connection +spec: + type: azure_key_vault + clientID: + valueFrom: + secretKeyRef: + name: azure-credentials + key: AZURE_CLIENT_ID + clientSecret: + valueFrom: + secretKeyRef: + name: azure-credentials + key: AZURE_CLIENT_SECRET + tenantID: your-tenant-id + properties: + keyID: https://your-vault.vault.azure.net/keys/mission-control-key +``` \ No newline at end of file diff --git a/mission-control/docs/reference/connections/KMS/gcp-kms.mdx b/mission-control/docs/reference/connections/KMS/gcp-kms.mdx new file mode 100644 index 00000000..0ff6f9db --- /dev/null +++ b/mission-control/docs/reference/connections/KMS/gcp-kms.mdx @@ -0,0 +1,15 @@ +--- +title: GCP KMS +sidebar_custom_props: + icon: gcp +--- + + + + + +## Example + +```yaml title="gcpkms.yaml" file=/modules/mission-control/fixtures/connections/gcpkms.yaml + +``` \ No newline at end of file 
diff --git a/mission-control/docs/reference/connections/KMS/index.mdx b/mission-control/docs/reference/connections/KMS/index.mdx new file mode 100644 index 00000000..1bc8838a --- /dev/null +++ b/mission-control/docs/reference/connections/KMS/index.mdx @@ -0,0 +1,9 @@ +--- +title: KMS +sidebar_custom_props: + icon: material-symbols-light:security +--- + +import DocCardList from '@theme/DocCardList'; + + \ No newline at end of file diff --git a/mission-control/docs/reference/connections/Notifications/index.mdx b/mission-control/docs/reference/connections/Notifications/index.mdx new file mode 100644 index 00000000..e663455f --- /dev/null +++ b/mission-control/docs/reference/connections/Notifications/index.mdx @@ -0,0 +1,11 @@ +--- +title: Notifications +sidebar_position: 2 + +sidebar_custom_props: + icon: ix:alarm-bell +--- + +import DocCardList from '@theme/DocCardList'; + + \ No newline at end of file diff --git a/mission-control/docs/reference/playbooks/parameters.mdx b/mission-control/docs/reference/playbooks/parameters.mdx index ba571c66..dfe880e2 100644 --- a/mission-control/docs/reference/playbooks/parameters.mdx +++ b/mission-control/docs/reference/playbooks/parameters.mdx @@ -87,6 +87,7 @@ When running the playbook on a `Deployment` named `mysql` the following is pre-p | `text` | Text input | Text Input | `string` | [`Text`](#text) | | `millicores` | CPU resource | Number | `string` | - | | `bytes` | Memory resource | Number | `string` | - | +| `secret` | Encrypted sensitive data | Password | `string` | - | ```yaml title='params-sink.yaml' file=/modules/mission-control/fixtures/playbooks/params.yaml {20,24,27,32,39,46,51,56,61,72} showLineNumbers 
@@ -128,3 +129,36 @@ When running the playbook on a `Deployment` named `mysql` the following is pre-p | ----------------- | -------------------------------- | -------- | | `options[].label` | Specify label of the list option | `string` | | `options[].value` | Specify value of the list option | `string` | + +### secret + +Secret parameters handle sensitive data like passwords, API keys, and tokens. Values are encrypted at rest using the configured KMS connection and are automatically redacted in logs, UI displays, and database queries. + +:::info Requirements +Your Mission Control instance must have a [KMS connection configured](/installation/saas/authentication#kms) to use secret parameters. +::: + +Secret parameters are rendered as password input fields in the UI and their values are: +- **Encrypted** using the configured KMS (AWS KMS, Azure Key Vault, or GCP KMS) +- **Redacted** in all logs and audit trails +- **Hidden** in the UI after initial input +- **Protected** in database storage + +```yaml +parameters: + - name: api_key + type: secret + label: "API Key" + description: "Your service API key" + required: true +``` + +When referencing secret parameters in playbook actions, use them like any other parameter: + +```yaml +actions: + - name: "Call external API" + exec: + script: | + curl -H "Authorization: Bearer {{.params.api_key}}" https://api.example.com/data +``` From 08a09ef3c9ed0ee6f539c7bb8f4368d54f7fb764 Mon Sep 17 00:00:00 2001 From: Aditya Thebe Date: Tue, 26 Aug 2025 19:41:50 +0545 Subject: [PATCH 2/7] feat: make file-ref-check --- Makefile | 20 ++++++++++++++++++++ styles/ignore/words-with-suggestions.txt | 1 + 2 files changed, 21 insertions(+) diff --git a/Makefile b/Makefile index 180d8660..8f56d27b 100644 --- a/Makefile +++ b/Makefile 
@@ -30,6 +30,26 @@ fmt-check: ## Check markdown formatting without making changes check: ## Run all checks (lint + formatting + file references) task check +.PHONY: build +build: + @echo "Building mission-control documentation..." + @cd modules && make all + @cd mission-control && npm ci && npm run build + +.PHONY: file-ref-check +file-ref-check: ## Check for broken file references in build output + @echo "Checking for broken files in mission-control/build" + @cd mission-control/build && \ + echo "Total files: $$(ls -alh . | wc -l)" && \ + echo "Total HTML files: $$(find . -type f -name "*.html" | wc -l)" && \ + if rg 'file=../../../modules' -g '*.html' | grep -q .; then \ + echo "ERROR: Found broken file references:" && \ + rg 'file=../../../modules' -g '*.html' && \ + exit 1; \ + else \ + echo "No broken file references found"; \ + fi + .PHONY: sync: git submodule update --init --recursive diff --git a/styles/ignore/words-with-suggestions.txt b/styles/ignore/words-with-suggestions.txt index 7dce03cc..46772964 100644 --- a/styles/ignore/words-with-suggestions.txt +++ b/styles/ignore/words-with-suggestions.txt @@ -262,6 +262,7 @@ JUnit kafka keypair keypairs +kmsConnection knowledgebase knowledgebases Kratos From c4d2065e92d931436ac85cfe1237957229d8825a Mon Sep 17 00:00:00 2001 From: Aditya Thebe Date: Wed, 27 Aug 2025 22:02:37 +0545 Subject: [PATCH 3/7] feat: GCP KMS setup tutorial --- .../docs/installation/_gke_iam.mdx | 118 ++++++++++++++++-- 1 file changed, 109 insertions(+), 9 deletions(-) diff --git a/mission-control/docs/installation/_gke_iam.mdx b/mission-control/docs/installation/_gke_iam.mdx index b9fab654..12c20a39 100644 --- a/mission-control/docs/installation/_gke_iam.mdx +++ b/mission-control/docs/installation/_gke_iam.mdx 
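Review bot: `file-ref-check` reports success when `rg` is not installed: the `if` tests the exit status of `grep -q .`, which is non-zero on empty input, so the `else` branch prints "No broken file references found". Fail early before the `if`, e.g. `command -v rg >/dev/null || { echo "ERROR: rg is required"; exit 1; }`. The pattern `'file=../../../modules'` is a regex whose dots match any character; `rg -F 'file=../../../modules'` would match the literal path only. `ls -alh . | wc -l` also counts the `total` line and the `.`/`..` entries, so the "Total files" figure is off, and the `build` target lacks the `##` help text that the neighbouring targets carry.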
@@ -4,10 +4,11 @@ import Domain from '@site/docs/partials/_domain.mdx' Depending on usecase, Mission Control can be associated with the following GCP IAM roles: -| Use Case | Role Name | -| -------------------------------------------- | ---------------| -| Read Only Scraping | `roles/viewer` | -| Playbooks to create and update GCP Resources | `roles/editor` | +| Use Case | Role Name | +| -------------------------------------------- | -----------------------------| +| Read Only Scraping | `roles/viewer` | +| Playbooks to create and update GCP Resources | `roles/editor` | +| Secret Management (optional) | `roles/cloudkms.cryptoKeyEncrypterDecrypter` | ## Configure IAM Roles for Mission Control @@ -21,14 +22,18 @@ Depending on usecase, Mission Control can be associated with the following GCP I 1. Enable workload identity ```bash - # The name of the GKE cluster mission control is being deployed to - export CLUSTER= + # The name of your existing GKE cluster where mission control is to be deployed to + export CLUSTER=cluster-name + # GCP Project ID export PROJECT_ID=gcp-project-id + # GCP Project Number export PROJECT_NUMBER=gcp-project-number + # Location of GKE Cluster - LOCATION=us-east1 + export LOCATION=us-east1 + # the default namespace the mission-control helm chart uses export NAMESPACE=mission-control @@ -44,6 +49,8 @@ Depending on usecase, Mission Control can be associated with the following GCP I `$KSA_NAME` refers to the Kubernetes service account name. In our case, we need to bind to 3 service accounts: `mission-control-sa`, `canary-checker-sa` and `config-db-sa` ```bash + export ROLE_NAME=roles/viewer + for KSA_NAME in "mission-control-sa" "canary-checker-sa" "config-db-sa"; do gcloud projects add-iam-policy-binding projects/$PROJECT_ID \ --role=$ROLE_NAME \ 
@@ -68,13 +75,17 @@ You can also refer the official docs: https://cloud.google.com/kubernetes-engine 1. Enable workload identity in the host cluster ```bash # The name of the GKE cluster mission control is being deployed to - export CLUSTER= + export CLUSTER=cluster-name + # GCP Project ID export PROJECT_ID=gcp-project-id + # Location of GKE Cluster - LOCATION=us-east1 + export LOCATION=us-east1 + # the default namespace the mission-control helm chart uses export NAMESPACE=mission-control + # IAM service account name export IAM_SA_NAME=mission-control 
@@ -137,3 +148,92 @@ You can also refer the official docs: https://cloud.google.com/kubernetes-engine + +## KMS Setup for Secret Management + +If you plan to use secret parameters in playbooks, create a KMS key to encrypt and manage sensitive data. +This requires creating a new mission control connection and updating the helm chart to point mission control to the KMS connection. + +### Create a KMS Key + +```bash +# Set your project ID (if not already set) +export PROJECT_ID=gcp-project-id + +# Create a key ring +gcloud kms keyrings create mission-control-keyring \ + --location=global \ + --project=$PROJECT_ID + +# Create a KMS key for Mission Control +gcloud kms keys create mission-control-key \ + --keyring=mission-control-keyring \ + --location=global \ + --purpose=encryption \ + --project=$PROJECT_ID +``` + +### Bind GCP Service Account to IAM Role + +```bash +gcloud projects add-iam-policy-binding projects/$PROJECT_ID \ + --role=roles/cloudkms.cryptoKeyEncrypterDecrypter \ + --member=principal://iam.googleapis.com/projects/$PROJECT_NUMBER/locations/global/workloadIdentityPools/$PROJECT_ID.svc.id.goog/subject/ns/$NAMESPACE/sa/$KSA_NAME \ + --condition=None +``` + +### Create a Mission Control connection + + +```yaml title="gcpkms.yaml" +apiVersion: mission-control.flanksource.com/v1 +kind: Connection +metadata: + name: flanksource-gcpkms +spec: + gcpkms: + keyID: projects//locations/global/keyRings/mission-control-keyring/cryptoKeys/mission-control-key +``` + +### Update Mission Control helm chart + + + + ```bash + helm upgrade mission-control-agent flanksource/mission-control-agent \ + --set upstream.agent= \ + --set upstream.username='token' \ + --set upstream.password= \ + --set upstream.host= \ + --set kmsConnection='connection://mission-control/flanksource-gcpkms' \ + -n mission-control \ + --wait + ``` + + + + ```yaml + --- + apiVersion: helm.toolkit.fluxcd.io/v2 + kind: HelmRelease + metadata: + name: mission-control-agent + namespace: mission-control + 
spec: + chart: + spec: + chart: mission-control-agent + sourceRef: + kind: HelmRepository + name: flanksource + namespace: mission-control + interval: 5m + values: + upstream.agent: YOUR_LOCAL_NAME + upstream.username: token + upstream.password: + upstream.host: + kmsConnection: 'connection://mission-control/flanksource-gcpkms' + ``` + + \ No newline at end of file From 687aad6461ef15f8f9556f463b8d8f7964c5daf6 Mon Sep 17 00:00:00 2001 From: Aditya Thebe Date: Mon, 15 Sep 2025 11:04:59 +0545 Subject: [PATCH 4/7] aws iam for KMS --- Makefile | 20 --- .../docs/installation/_aws_iam.mdx | 162 +++++++++++++++++- 2 files changed, 159 insertions(+), 23 deletions(-) diff --git a/Makefile b/Makefile index 8f56d27b..180d8660 100644 --- a/Makefile +++ b/Makefile @@ -30,26 +30,6 @@ fmt-check: ## Check markdown formatting without making changes check: ## Run all checks (lint + formatting + file references) task check -.PHONY: build -build: - @echo "Building mission-control documentation..." - @cd modules && make all - @cd mission-control && npm ci && npm run build - -.PHONY: file-ref-check -file-ref-check: ## Check for broken file references in build output - @echo "Checking for broken files in mission-control/build" - @cd mission-control/build && \ - echo "Total files: $$(ls -alh . | wc -l)" && \ - echo "Total HTML files: $$(find . -type f -name "*.html" | wc -l)" && \ - if rg 'file=../../../modules' -g '*.html' | grep -q .; then \ - echo "ERROR: Found broken file references:" && \ - rg 'file=../../../modules' -g '*.html' && \ - exit 1; \ - else \ - echo "No broken file references found"; \ - fi - .PHONY: sync: git submodule update --init --recursive diff --git a/mission-control/docs/installation/_aws_iam.mdx b/mission-control/docs/installation/_aws_iam.mdx index acc7060f..e765b490 100644 --- a/mission-control/docs/installation/_aws_iam.mdx +++ b/mission-control/docs/installation/_aws_iam.mdx 
@@ -8,6 +8,7 @@ Depending on how you want to use Mission Control you need to create an IAM role | -------------------------------------------- | ----------------------------------------- | | Read Only Scraping | `arn:aws:iam::aws:policy/ReadOnlyAccess` | | Playbooks to create and update AWS Resources | `arn:aws:iam::aws:policy/PowerUserAccess` | +| Secret Management (optional) | Custom KMS policy (see below) |
@@ -107,6 +108,9 @@ You can also create a new policy with only the permissions required by Mission C roleName: MissionControlRole roleOnly: true attachPolicyARNs: + # Add additional policies as needed: + # - "arn:aws:iam::aws:policy/PowerUserAccess" + # - Custom KMS policy ARN for secret management - "arn:aws:iam::aws:policy/ReadOnlyAccess" - metadata: name: canary-checker-sa @@ -114,6 +118,9 @@ You can also create a new policy with only the permissions required by Mission C roleName: CanaryCheckerRole roleOnly: true attachPolicyARNs: + # Add additional policies as needed: + # - "arn:aws:iam::aws:policy/PowerUserAccess" + # - Custom KMS policy ARN for secret management - "arn:aws:iam::aws:policy/ReadOnlyAccess" - metadata: name: config-db-sa @@ -121,6 +128,9 @@ You can also create a new policy with only the permissions required by Mission C roleName: ConfigDBRole roleOnly: true attachPolicyARNs: + # Add additional policies as needed: + # - "arn:aws:iam::aws:policy/PowerUserAccess" + # - Custom KMS policy ARN for secret management - "arn:aws:iam::aws:policy/ReadOnlyAccess" ``` 
@@ -168,15 +178,27 @@ You can also create a new policy with only the permissions required by Mission C podIdentityAssociations: - namespace: mission-control serviceAccountName: mission-control-sa - permissionPolicyARNs: arn:aws:iam::aws:policy/ReadOnlyAccess + permissionPolicyARNs: + # Add additional policies as needed: + # - arn:aws:iam::aws:policy/PowerUserAccess + # - Custom KMS policy ARN for secret management + - arn:aws:iam::aws:policy/ReadOnlyAccess - namespace: mission-control serviceAccountName: config-db-sa - permissionPolicyARNs: arn:aws:iam::aws:policy/ReadOnlyAccess + permissionPolicyARNs: + # Add additional policies as needed: + # - arn:aws:iam::aws:policy/PowerUserAccess + # - Custom KMS policy ARN for secret management + - arn:aws:iam::aws:policy/ReadOnlyAccess - namespace: mission-control serviceAccountName: canary-checker-sa - permissionPolicyARNs: arn:aws:iam::aws:policy/ReadOnlyAccess + permissionPolicyARNs: + # Add additional policies as needed: + # - arn:aws:iam::aws:policy/PowerUserAccess + # - Custom KMS policy ARN for secret management + - arn:aws:iam::aws:policy/ReadOnlyAccess iam: # note withOIDC is not required for Pod Identity serviceAccounts: 
@@ -185,18 +207,27 @@ You can also create a new policy with only the permissions required by Mission C name: mission-control-sa namespace: mission-control attachPolicyARNs: + # Add additional policies as needed: + # - "arn:aws:iam::aws:policy/PowerUserAccess" + # - Custom KMS policy ARN for secret management - "arn:aws:iam::aws:policy/ReadOnlyAccess" # used for cloudwatch, S3 and other AWS health checks - metadata: name: canary-checker-sa namespace: mission-control attachPolicyARNs: + # Add additional policies as needed: + # - "arn:aws:iam::aws:policy/PowerUserAccess" + # - Custom KMS policy ARN for secret management - "arn:aws:iam::aws:policy/ReadOnlyAccess" # used to scrape resources, AWS CloudTrail and AWS Cost & Usage Reports - metadata: name: config-db-sa namespace: mission-control attachPolicyARNs: + # Add additional policies as needed: + # - "arn:aws:iam::aws:policy/PowerUserAccess" + # - Custom KMS policy ARN for secret management - "arn:aws:iam::aws:policy/ReadOnlyAccess" ```

@@ -312,9 +343,20 @@ First we create a secret called `aws` containing the access key and secret. USER_NAME="mission-control-sa" aws iam create-user --user-name $USER_NAME + + # Add policies based on your use case (see table above) aws iam attach-user-policy \ --user-name $USER_NAME \ --policy-arn arn:aws:iam::aws:policy/ReadOnlyAccess + + # Add additional policies as needed: + # aws iam attach-user-policy \ + # --user-name $USER_NAME \ + # --policy-arn arn:aws:iam::aws:policy/PowerUserAccess + # aws iam attach-user-policy \ + # --user-name $USER_NAME \ + # --policy-arn arn:aws:iam:::policy/MissionControlKMSPolicy + key=$(aws iam create-access-key --user-name $USER_NAME) ```

@@ -356,3 +398,117 @@ First we create a secret called `aws` containing the access key and secret. +## Optional: KMS Setup for Secret Management + +If you plan to use secret parameters in playbooks, create a KMS key and IAM policy to encrypt and manage sensitive data: + +### Create a KMS Key + +```bash +# Set your AWS region and account ID +export AWS_REGION=us-west-2 +export ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text) + +# Create a KMS key for Mission Control +aws kms create-key \ + --description "Mission Control Secret Management Key" \ + --region $AWS_REGION \ + --query 'KeyMetadata.KeyId' \ + --output text > mission-control-key-id.txt + +export KEY_ID=$(cat mission-control-key-id.txt) + +# Create an alias for easier reference +aws kms create-alias \ + --alias-name alias/mission-control-secrets \ + --target-key-id $KEY_ID \ + --region $AWS_REGION +``` + +### Create KMS IAM Policy + +```bash +# Create a custom KMS policy +cat > mission-control-kms-policy.json << EOF +{ + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "MissionControlKMSAccess", + "Effect": "Allow", + "Action": [ + "kms:Encrypt", + "kms:Decrypt", + "kms:ReEncrypt*", + "kms:GenerateDataKey*", + "kms:DescribeKey" + ], + "Resource": "arn:aws:kms:${AWS_REGION}:${ACCOUNT_ID}:key/${KEY_ID}" + } + ] +} +EOF + +# Create the IAM policy +aws iam create-policy \ + --policy-name MissionControlKMSPolicy \ + --policy-document file://mission-control-kms-policy.json \ + --query 'Policy.Arn' \ + --output text > mission-control-kms-policy-arn.txt + +export KMS_POLICY_ARN=$(cat mission-control-kms-policy-arn.txt) +``` + +After creating the key and policy, make sure to include the KMS policy ARN in your service account configurations above. 
+ +### Create a Mission Control Connection + +```yaml title="aws-kms-connection.yaml" +apiVersion: mission-control.flanksource.com/v1 +kind: Connection +metadata: + name: aws-kms + namespace: mission-control +spec: + aws: + region: us-west-2 + # Use the same authentication method as your main AWS connection + awsKms: + keyID: alias/mission-control-secrets +``` + +### Update Mission Control Helm Chart + + + + ```bash + helm upgrade mission-control flanksource/mission-control \ + --set kmsConnection='connection://mission-control/aws-kms' \ + -n mission-control \ + --wait + ``` + + + + ```yaml + --- + apiVersion: helm.toolkit.fluxcd.io/v2 + kind: HelmRelease + metadata: + name: mission-control + namespace: mission-control + spec: + chart: + spec: + chart: mission-control + sourceRef: + kind: HelmRepository + name: flanksource + namespace: mission-control + interval: 5m + values: + kmsConnection: 'connection://mission-control/aws-kms' + ``` + + + From 820b6da9329b2a49c25a8cf5ad898a20c808a7f3 Mon Sep 17 00:00:00 2001 From: Aditya Thebe Date: Tue, 17 Feb 2026 23:21:09 +0545 Subject: [PATCH 5/7] docs(mission-control): improve secret parameter and KMS docs --- .../playbooks/concepts/sensitive-data.mdx | 22 +++---- .../docs/installation/_aws_iam.mdx | 57 ++++-------------- .../docs/installation/_gke_iam.mdx | 60 +++---------------- .../_properties_mission_control.mdx | 8 +-- .../reference/connections/KMS/aws-kms.mdx | 2 +- .../connections/KMS/azure-key-vault.mdx | 24 +------- .../reference/connections/KMS/gcp-kms.mdx | 2 +- .../docs/reference/connections/KMS/index.mdx | 2 +- .../connections/Notifications/index.mdx | 10 +++- .../docs/reference/connections/index.mdx | 23 +++---- .../docs/reference/playbooks/parameters.mdx | 20 ++----- styles/ignore/words-with-suggestions.txt | 2 + 12 files changed, 63 insertions(+), 169 deletions(-) 
diff --git a/mission-control/docs/guide/playbooks/concepts/sensitive-data.mdx b/mission-control/docs/guide/playbooks/concepts/sensitive-data.mdx index 7fde7caa..8ce8cfab 100644 --- a/mission-control/docs/guide/playbooks/concepts/sensitive-data.mdx +++ b/mission-control/docs/guide/playbooks/concepts/sensitive-data.mdx @@ -10,19 +10,14 @@ Sensitive data includes passwords, API keys, tokens, and other confidential info Use `secret` type parameters to handle sensitive data in playbooks: -```yaml -parameters: - - name: database_password - type: secret - label: "Database Password" - description: "Password for database connection" - required: true +```yaml title="http-secret-parameter.yaml" file=/modules/mission-control/fixtures/playbooks/http-secret-parameter.yaml + ``` ## KMS Connection :::info -Your Mission Control instance **must** have a KMS connection configured to use secret parameters. +Your Mission Control instance **must** have a KMS connection configured to use secret parameters. ::: Configure this using the `--secret-keeper-connection` flag: @@ -31,13 +26,12 @@ Configure this using the `--secret-keeper-connection` flag: mission-control serve --secret-keeper-connection "connection://default/my-kms-key" ``` -or in the helm chart: - -```yaml -kmsConnection: "connection://default/my-kms-key" -``` +Or set `kmsConnection` in your Helm values file. Supported connection types: + - AWS KMS -- Azure Key Vault +- Azure Key Vault - GCP KMS + +For field-level schema details, see [KMS connection reference](/docs/reference/connections/KMS/). diff --git a/mission-control/docs/installation/_aws_iam.mdx b/mission-control/docs/installation/_aws_iam.mdx index e765b490..6a47b696 100644 --- a/mission-control/docs/installation/_aws_iam.mdx +++ b/mission-control/docs/installation/_aws_iam.mdx @@ -289,7 +289,7 @@ You can also create a new policy with only the permissions required by Mission C - + 1. Setup variables ```bash 
@@ -300,7 +300,7 @@ You can also create a new policy with only the permissions required by Mission C ```

-1. Create a cloudformation template +1. Create a CloudFormation template ```yaml title="mission-control-iam-cloudformation.yaml" file=/docs/partials/_pod_identity.yaml ``` @@ -463,52 +463,15 @@ After creating the key and policy, make sure to include the KMS policy ARN in yo ### Create a Mission Control Connection -```yaml title="aws-kms-connection.yaml" -apiVersion: mission-control.flanksource.com/v1 -kind: Connection -metadata: - name: aws-kms - namespace: mission-control -spec: - aws: - region: us-west-2 - # Use the same authentication method as your main AWS connection - awsKms: - keyID: alias/mission-control-secrets +```yaml title="awskms.yaml" file=/modules/mission-control/fixtures/connections/awskms.yaml + ``` -### Update Mission Control Helm Chart +### Update Mission Control Helm Values - - - ```bash - helm upgrade mission-control flanksource/mission-control \ - --set kmsConnection='connection://mission-control/aws-kms' \ - -n mission-control \ - --wait - ``` - - - - ```yaml - --- - apiVersion: helm.toolkit.fluxcd.io/v2 - kind: HelmRelease - metadata: - name: mission-control - namespace: mission-control - spec: - chart: - spec: - chart: mission-control - sourceRef: - kind: HelmRepository - name: flanksource - namespace: mission-control - interval: 5m - values: - kmsConnection: 'connection://mission-control/aws-kms' - ``` - - +Set `kmsConnection` to the KMS connection reference used by your installation: + +/" +`}/> diff --git a/mission-control/docs/installation/_gke_iam.mdx b/mission-control/docs/installation/_gke_iam.mdx index 12c20a39..5d6e502b 100644 --- a/mission-control/docs/installation/_gke_iam.mdx +++ b/mission-control/docs/installation/_gke_iam.mdx 
@@ -2,7 +2,7 @@ import Domain from '@site/docs/partials/_domain.mdx' ## Choosing an IAM Role -Depending on usecase, Mission Control can be associated with the following GCP IAM roles: +Depending on use case, Mission Control can be associated with the following GCP IAM roles: | Use Case | Role Name | | -------------------------------------------- | -----------------------------| @@ -152,7 +152,7 @@ You can also refer the official docs: https://cloud.google.com/kubernetes-engine ## KMS Setup for Secret Management If you plan to use secret parameters in playbooks, create a KMS key to encrypt and manage sensitive data. -This requires creating a new mission control connection and updating the helm chart to point mission control to the KMS connection. +This requires creating a new Mission Control connection and updating the Helm chart to point Mission Control to the KMS connection. ### Create a KMS Key 
@@ -184,56 +184,14 @@ gcloud projects add-iam-policy-binding projects/$PROJECT_ID \ ### Create a Mission Control connection +```yaml title="gcpkms.yaml" file=/modules/mission-control/fixtures/connections/gcpkms.yaml -```yaml title="gcpkms.yaml" -apiVersion: mission-control.flanksource.com/v1 -kind: Connection -metadata: - name: flanksource-gcpkms -spec: - gcpkms: - keyID: projects//locations/global/keyRings/mission-control-keyring/cryptoKeys/mission-control-key ``` -### Update Mission Control helm chart +### Update Mission Control Helm Values - - - ```bash - helm upgrade mission-control-agent flanksource/mission-control-agent \ - --set upstream.agent= \ - --set upstream.username='token' \ - --set upstream.password= \ - --set upstream.host= \ - --set kmsConnection='connection://mission-control/flanksource-gcpkms' \ - -n mission-control \ - --wait - ``` - - - - ```yaml - --- - apiVersion: helm.toolkit.fluxcd.io/v2 - kind: HelmRelease - metadata: - name: mission-control-agent - namespace: mission-control - spec: - chart: - spec: - chart: mission-control-agent - sourceRef: - kind: HelmRepository - name: flanksource - namespace: mission-control - interval: 5m - values: - upstream.agent: YOUR_LOCAL_NAME - upstream.username: token - upstream.password: - upstream.host: - kmsConnection: 'connection://mission-control/flanksource-gcpkms' - ``` - - \ No newline at end of file +Set `kmsConnection` to the KMS connection reference used by your installation: + +/" +`}/> diff --git a/mission-control/docs/installation/_properties_mission_control.mdx b/mission-control/docs/installation/_properties_mission_control.mdx index efd80cf5..361e0cfb 100644 --- a/mission-control/docs/installation/_properties_mission_control.mdx +++ b/mission-control/docs/installation/_properties_mission_control.mdx 
@@ -1,5 +1,4 @@ -import Container from './_properties_container.mdx' - +import Container from './_properties_container.mdx' | Value | Description | | -------------------------------------------- | -------------------------------------------------- | @@ -12,7 +11,7 @@ import Container from './_properties_container.mdx' | otel.serviceName | Defaults to `mission-control` | | properties.incidents.disable | Defaults to `{}` | | properties.logs.disable | Defaults to `true` | -| kmsConnection | Provide the KMS connection string to use for secret parameters. See [KMS connection documentation](/reference/connections/KMS/) for details. | | +| kmsConnection | Provide the KMS connection string to use for secret parameters. See [KMS connection documentation](/docs/reference/connections/KMS/) for details. | | replicas | Defaults to `1` | | resources.limits.cpu | Defaults to `500m` | | resources.limits.memory | Defaults to `1024Mi` | @@ -20,9 +19,10 @@ import Container from './_properties_container.mdx' | resources.requests.memory | Defaults to `768Mi` | +### Canary Checker -### Canary Checker ### Config DB + diff --git a/mission-control/docs/reference/connections/KMS/aws-kms.mdx b/mission-control/docs/reference/connections/KMS/aws-kms.mdx index 227fc2f6..a2dcce03 100644 --- a/mission-control/docs/reference/connections/KMS/aws-kms.mdx +++ b/mission-control/docs/reference/connections/KMS/aws-kms.mdx @@ -12,4 +12,4 @@ sidebar_custom_props: ```yaml title="awskms.yaml" file=/modules/mission-control/fixtures/connections/awskms.yaml -``` \ No newline at end of file +``` diff --git a/mission-control/docs/reference/connections/KMS/azure-key-vault.mdx b/mission-control/docs/reference/connections/KMS/azure-key-vault.mdx index baa14145..3401cd2f 100644 --- a/mission-control/docs/reference/connections/KMS/azure-key-vault.mdx +++ b/mission-control/docs/reference/connections/KMS/azure-key-vault.mdx 
@@ -10,24 +10,6 @@ sidebar_custom_props: ## Example -```yaml title="azure-key-vault-connection.yaml" -apiVersion: v1 -kind: Connection -metadata: - name: azure-key-vault-connection -spec: - type: azure_key_vault - clientID: - valueFrom: - secretKeyRef: - name: azure-credentials - key: AZURE_CLIENT_ID - clientSecret: - valueFrom: - secretKeyRef: - name: azure-credentials - key: AZURE_CLIENT_SECRET - tenantID: your-tenant-id - properties: - keyID: https://your-vault.vault.azure.net/keys/mission-control-key -``` \ No newline at end of file +```yaml title="azurekeyvault.yaml" file=/modules/mission-control/fixtures/connections/azurekeyvault.yaml + +``` diff --git a/mission-control/docs/reference/connections/KMS/gcp-kms.mdx b/mission-control/docs/reference/connections/KMS/gcp-kms.mdx index 0ff6f9db..7c8fe0b1 100644 --- a/mission-control/docs/reference/connections/KMS/gcp-kms.mdx +++ b/mission-control/docs/reference/connections/KMS/gcp-kms.mdx @@ -12,4 +12,4 @@ sidebar_custom_props: ```yaml title="gcpkms.yaml" file=/modules/mission-control/fixtures/connections/gcpkms.yaml -``` \ No newline at end of file +``` diff --git a/mission-control/docs/reference/connections/KMS/index.mdx b/mission-control/docs/reference/connections/KMS/index.mdx index 1bc8838a..1d75269b 100644 --- a/mission-control/docs/reference/connections/KMS/index.mdx +++ b/mission-control/docs/reference/connections/KMS/index.mdx @@ -6,4 +6,4 @@ sidebar_custom_props: import DocCardList from '@theme/DocCardList'; - \ No newline at end of file + diff --git a/mission-control/docs/reference/connections/Notifications/index.mdx b/mission-control/docs/reference/connections/Notifications/index.mdx index e663455f..c0127195 100644 --- a/mission-control/docs/reference/connections/Notifications/index.mdx +++ b/mission-control/docs/reference/connections/Notifications/index.mdx 
@@ -6,6 +6,12 @@ sidebar_custom_props: icon: ix:alarm-bell --- -import DocCardList from '@theme/DocCardList'; +Notification connection docs are available under the main Connections section: - \ No newline at end of file +- [Slack](/docs/reference/connections/slack) +- [Discord](/docs/reference/connections/discord) +- [Telegram](/docs/reference/connections/telegram) +- [SMTP](/docs/reference/connections/smtp) +- [Ntfy](/docs/reference/connections/ntfy) +- [Pushbullet](/docs/reference/connections/pushbullet) +- [Pushover](/docs/reference/connections/pushover) diff --git a/mission-control/docs/reference/connections/index.mdx b/mission-control/docs/reference/connections/index.mdx index e852f44f..4041742d 100644 --- a/mission-control/docs/reference/connections/index.mdx +++ b/mission-control/docs/reference/connections/index.mdx 
@@ -11,22 +11,23 @@ Connections provide a secure, reusable way to authenticate against external syst ## Benefits - **Security**: Credentials are stored securely in Kubernetes secrets, not in plain text -- **Reusability**: Define once, use across multiple resources +- **Reuse**: Define once, use across multiple resources - **Maintainability**: Update credentials in one place when they change - **Auditability**: Track which resources use which connections ## Connection Types -| Category | Connections | -|----------|-------------| -| **Cloud Providers** | [AWS](./aws), [Azure](./azure), [GCP](./gcp) | -| **Kubernetes** | [Kubernetes](./kubernetes) | -| **Source Control** | [Git](./git), [GitHub](./github), [GitLab](./gitlab), [Azure DevOps](./azure-devops) | -| **Databases** | [Postgres](./postgres), [OpenSearch](./opensearch) | -| **File Storage** | [SFTP](./sftp), [SMB](./smb) | -| **AI Providers** | [OpenAI](./openai), [Anthropic](./anthropic), [Ollama](./ollama) | -| **Notifications** | [Slack](./slack), [Discord](./discord), [Telegram](./telegram), [SMTP](./smtp), [ntfy](./ntfy), [Pushbullet](./pushbullet), [Pushover](./pushover) | -| **Generic** | [HTTP](./http) | +| Category | Connections | +| --------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------- | +| **Cloud Providers** | [AWS](./aws), [Azure](./azure), [GCP](./gcp) | +| **Key Management** | [KMS](./KMS), [AWS KMS](./KMS/aws-kms), [Azure Key Vault](./KMS/azure-key-vault), [GCP KMS](./KMS/gcp-kms) | +| **Kubernetes** | [Kubernetes](./kubernetes) | +| **Source Control** | [Git](./git), [GitHub](./github), [GitLab](./gitlab), [Azure DevOps](./azure-devops) | +| **Databases** | [Postgres](./postgres), [OpenSearch](./opensearch) | +| **File Storage** | [SFTP](./sftp), [SMB](./smb) | +| **AI Providers** | [OpenAI](./openai), [Anthropic](./anthropic), [Ollama](./ollama) | +| **Notifications** | 
[Slack](./slack), [Discord](./discord), [Telegram](./telegram), [SMTP](./smtp), [Ntfy](./ntfy), [Pushbullet](./pushbullet), [Pushover](./pushover) | +| **Generic** | [HTTP](./http) | ## Creating Connections diff --git a/mission-control/docs/reference/playbooks/parameters.mdx b/mission-control/docs/reference/playbooks/parameters.mdx index dfe880e2..eeece252 100644 --- a/mission-control/docs/reference/playbooks/parameters.mdx +++ b/mission-control/docs/reference/playbooks/parameters.mdx @@ -135,30 +135,18 @@ When running the playbook on a `Deployment` named `mysql` the following is pre-p Secret parameters handle sensitive data like passwords, API keys, and tokens. Values are encrypted at rest using the configured KMS connection and are automatically redacted in logs, UI displays, and database queries. :::info Requirements -Your Mission Control instance must have a [KMS connection configured](/installation/saas/authentication#kms) to use secret parameters. +Your Mission Control instance must have a [KMS connection configured](/docs/reference/connections/KMS/) to use secret parameters. ::: Secret parameters are rendered as password input fields in the UI and their values are: + - **Encrypted** using the configured KMS (AWS KMS, Azure Key Vault, or GCP KMS) - **Redacted** in all logs and audit trails - **Hidden** in the UI after initial input - **Protected** in database storage -```yaml -parameters: - - name: api_key - type: secret - label: "API Key" - description: "Your service API key" - required: true -``` +Use the following fixture as a reference implementation: -When referencing secret parameters in playbook actions, use them like any other parameter: +```yaml title="http-secret-parameter.yaml" file=/modules/mission-control/fixtures/playbooks/http-secret-parameter.yaml -```yaml -actions: - - name: "Call external API" - exec: - script: | - curl -H "Authorization: Bearer {{.params.api_key}}" https://api.example.com/data ``` 
diff --git a/styles/ignore/words-with-suggestions.txt b/styles/ignore/words-with-suggestions.txt
index 46772964..b269cf78 100644
--- a/styles/ignore/words-with-suggestions.txt
+++ b/styles/ignore/words-with-suggestions.txt
@@ -390,6 +390,7 @@ searchPath
 securityContext
 Semver
 serviceMonitor
+serviceAccount
 SFTPConnection
 shoutrrr
 Shoutrrr
@@ -485,5 +486,6 @@ Helm
 LLM
 MCP
 OpenAI
+Ollama
 Slack
 WebSocket
From 8d2480c53aa2fcb451e9d927b792ed839b7387e6 Mon Sep 17 00:00:00 2001
From: Aditya Thebe
Date: Wed, 18 Feb 2026 13:34:28 +0545
Subject: [PATCH 6/7] fix
---
 common/src/components/Fields.jsx | 1 +
 1 file changed, 1 insertion(+)
diff --git a/common/src/components/Fields.jsx b/common/src/components/Fields.jsx
index 25a299b4..0bdf1bb7 100644
--- a/common/src/components/Fields.jsx
+++ b/common/src/components/Fields.jsx
@@ -187,6 +187,7 @@ export default function Fields({ common = [], rows = [], oneOf, anyOf, connectio
 {
 field: "tenantId",
 description: "The Azure Active Directory tenant ID",
+ scheme: "EnvVar",
 required: true
 },
 {
From bdfb2973855f97c686a36543fa3b8f84f2979cec Mon Sep 17 00:00:00 2001
From: Aditya Thebe
Date: Thu, 19 Feb 2026 13:14:19 +0545
Subject: [PATCH 7/7] make sync
---
 mission-control-chart | 2 +-
 modules/config-db | 2 +-
 modules/mission-control | 2 +-
 modules/mission-control-chart | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/mission-control-chart b/mission-control-chart
index 8f4628d1..201b29dc 160000
--- a/mission-control-chart
+++ b/mission-control-chart
@@ -1 +1 @@
-Subproject commit 8f4628d124d7e6f3a3e190167d19589f521ce514
+Subproject commit 201b29dce9be9f145bc4c3c24317c4d723ccd2ee
diff --git a/modules/config-db b/modules/config-db
index 8754d68a..f0d0fb82 160000
--- a/modules/config-db
+++ b/modules/config-db
@@ -1 +1 @@
-Subproject commit 8754d68a74bfdf2c7bf32d522dc14ca4b597ae53
+Subproject commit f0d0fb8228cfc73145bdc3909e311c78f8e0d9a8
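Review bot: In the Fields.jsx hunk of PATCH 6/7, the `tenantId` entry keeps `required: true` even though the `connection` entry of the same `azureFields` list (added earlier in the series, outside this hunk) is described as mutually exclusive with `tenantId`, `clientId` and `clientSecret`. The rendered field table therefore marks the tenant ID as mandatory even when a connection reference supplies it, which may lead readers to set inline credentials alongside a connection. Since the commit already touches this entry, I would qualify the text, for example `description: "The Azure Active Directory tenant ID, required when connection is not set",`, or drop the flag if the renderer cannot express a conditional requirement. The `azureFields` array starts and ends outside the hunk, so how `required` is rendered is inferred from the field name only.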
diff --git a/modules/mission-control b/modules/mission-control
index 007756b5..6a1dc093 160000
--- a/modules/mission-control
+++ b/modules/mission-control
@@ -1 +1 @@
-Subproject commit 007756b56daed4e22dd4aa8394741248a3ceae56
+Subproject commit 6a1dc093cbf96b7a18895f92d986a533b91a6b1a
diff --git a/modules/mission-control-chart b/modules/mission-control-chart
index 8f4628d1..201b29dc 160000
--- a/modules/mission-control-chart
+++ b/modules/mission-control-chart
@@ -1 +1 @@
-Subproject commit 8f4628d124d7e6f3a3e190167d19589f521ce514
+Subproject commit 201b29dce9be9f145bc4c3c24317c4d723ccd2ee