snyk
diff --git a/‎.circleci/config.yml‎
Lines changed: 3 additions & 1 deletion b/‎.circleci/config.yml‎
Lines changed: 3 additions & 1 deletion
diff --git a/‎README.md‎
Lines changed: 78 additions & 5 deletions b/‎README.md‎
Lines changed: 78 additions & 5 deletions
diff --git a/‎snyk-universal-broker/templates/_helpers.tpl‎
Lines changed: 34 additions & 1 deletion b/‎snyk-universal-broker/templates/_helpers.tpl‎
Lines changed: 34 additions & 1 deletion
diff --git a/‎snyk-universal-broker/templates/secret.yaml‎
Lines changed: 17 additions & 6 deletions b/‎snyk-universal-broker/templates/secret.yaml‎
Lines changed: 17 additions & 6 deletions
diff --git a/‎snyk-universal-broker/templates/statefulset.yaml‎
Lines changed: 8 additions & 1 deletion b/‎snyk-universal-broker/templates/statefulset.yaml‎
Lines changed: 8 additions & 1 deletion
diff --git a/‎snyk-universal-broker/tests/__snapshot__/secret_test.yaml.snap‎
Lines changed: 0 additions & 6 deletions b/‎snyk-universal-broker/tests/__snapshot__/secret_test.yaml.snap‎
Lines changed: 0 additions & 6 deletions
diff --git a/‎snyk-universal-broker/tests/credential_test.yaml‎
Lines changed: 0 additions & 35 deletions b/‎snyk-universal-broker/tests/credential_test.yaml‎
Lines changed: 0 additions & 35 deletions
diff --git a/‎snyk-universal-broker/tests/fixtures/default_values.yaml‎
Lines changed: 5 additions & 5 deletions b/‎snyk-universal-broker/tests/fixtures/default_values.yaml‎
Lines changed: 5 additions & 5 deletions
@@ -173,12 +173,14 @@ workflows:
       # - deploy_and_test:
       #     context:
       #       - snyk-universal-broker-helm-chart
+      #     requires:
+      #       - validate_charts
       - publish:
           context:
             - team-broker-docker-hub
           requires:
-            - validate_charts
             - validate_documentation
+            # - deploy_and_test
           filters:
             branches:
               only:
 
@@ -31,6 +31,71 @@ If required, specify your [Snyk Region](https://docs.snyk.io/working-with-snyk/r
 region: "eu"
 ```
 
+### Credential References
+
+Any Credential References (refer to the example provided on [docs.snyk.io](https://docs.snyk.io/enterprise-setup/snyk-broker/universal-broker/set-up-a-github-connection-using-the-api#id-3-create-your-credentials-references)) must be provided to the Universal Broker. This can be achieved directly through Helm, or via an external Kubernetes Secret.
+
+For the following example, assume three credential references are created of the following `deployment_credential` types:
+- `github`
+- `gitlab`
+- `azure-repos`
+
+An example data object is shown for the `github` type.
+```json
+{
+  ...
+  "data":{
+    "id": "uuidv4",
+    "type": "deployment_credential",
+    "attributes": {
+      "comment": "",
+      "deployment_id": "uuidv4",
+      "environment_variable_name": "MY_GITHUB_TOKEN",
+      "type": "github"
+    }
+  }
+}
+```
+The number of credential references will depend on the `type` of the `deployment_credential`; `github` holds just one (the GitHub PAT), whilst `azure-repos` holds three (the Azure Repos Org, Username and Password)
+
+#### Via Helm
+
+Provide the environment variable used when creating the credential reference, and the actual value of your credential.
+
+For example, providing the Universal Broker with a GitHub, GitLab and Azure Repos credential:
+
+```yaml
+credentialReferences:
+  MY_GITHUB_TOKEN: <your-github-token>
+  MY_GITLAB_TOKEN: <your-gitlab-token>
+  AZURE_REPOS_PRODSEC_ORG: prodsec
+  AZURE_REPOS_PRODSEC_USERNAME: <your-azure-repos-username>
+  AZURE_REPOS_PRODSEC_PASSWORD: <your-azure-repos-password>
+```
+
+The Universal Broker Helm Chart creates this secret for you.
+
+#### Via External Secret
+
+First create or otherwise ensure the secret exists:
+
+```yaml
+kind: Secret
+apiVersion: v1
+metadata:
+  name: my-universal-broker-secrets
+data:
+  MY_GITHUB_TOKEN: <your-github-token>
+  ...
+```
+
+Then set values within `.Values.credentialReferencesSecret` that match your external Secret:
+
+```yaml
+credentialReferencesSecret:
+  name: my-universal-broker-secrets
+```
+
 ## Advanced Configuration
 
 ### Certificate Trust
@@ -102,16 +167,24 @@ image:
 
 ### Snyk Broker parameters
 
+Refer to documentation via [docs.snyk.io](https://docs.snyk.io/enterprise-setup/snyk-broker/universal-broker/initial-configuration-of-the-universal-broker) to obtain `deploymentId`, `clientId`, `clientSecret` values.
+
+Credential References should contain one or more key/value pairs where each key matches the `environment_variable_name` of a `deployment_credential`, and the value provides the secret. For example:
+```bash
+helm install ... --set credentialReferences.MY_GITHUB_TOKEN=<gh-pat>
+```
+
 | Name                                        | Description                                                                                                                                                                      | Value                 |
 | ------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------- |
 | `brokerClientUrl`                           | is the address of the broker. This needs to be the address of itself. In the case of Kubernetes, you need to ensure that you are pointing to the cluster ingress you have setup. | `""`                  |
 | `region`                                    | Optionally specify a Snyk Region - e.g. "eu" for "SNYK-EU-01". Defaults to "SNYK-US-01", app.snyk.io                                                                             | `""`                  |
 | `preflightChecks.enabled`                   | broker client preflight checks                                                                                                                                                   | `true`                |
-| `deploymentId`                              | is obtained by installing the Broker App at the Organization level                                                                                                               | `""`                  |
-| `clientId`                                  | is obtained by installing the Broker App at the Organization level                                                                                                               | `""`                  |
-| `clientSecret`                              | is obtained by installing the Broker App at the Organization level                                                                                                               | `""`                  |
-| `existingAuthSecret`                        | Name of existing secret with Snyk platform auth and scm credential reference data                                                                                                | `""`                  |
-| `credentialReferences`                      | SCM token credential reference                                                                                                                                                   | `{}`                  |
+| `deploymentId`                              | Obtained by installing the Broker App                                                                                                                                            | `""`                  |
+| `clientId`                                  | Obtained by installing the Broker App                                                                                                                                            | `""`                  |
+| `clientSecret`                              | Obtained by installing the Broker App                                                                                                                                            | `""`                  |
+| `platformAuthSecret.name`                   | Optionally provide an external secret containing three keys: `DEPLOYMENT_ID`, `CLIENT_ID` and `CLIENT_SECRET`                                                                    | `""`                  |
+| `credentialReferences`                      | Credential References to pass to Broker                                                                                                                                          | `{}`                  |
+| `credentialReferencesSecret.name`           | Optionally provide a pre-existing secret with SCM credential reference data                                                                                                      | `""`                  |
 | `acceptCode`                                | Set to false to block Broker rules relating to Snyk Code analysis                                                                                                                | `true`                |
 | `acceptAppRisk`                             | Set to false to block Broker rules relating to AppRisk                                                                                                                           | `true`                |
 | `acceptIaC`                                 | Defaults to "tf,yaml,yml,json,tpl". Optionally remove any extensions not required. Must be comma separated. Set to "" to block Broker rules relating to Snyk IaC analysis        | `""`                  |
 
@@ -67,7 +67,40 @@ Create a name for the CA Cert secret, using a provided override if present
 {{- .Values.caCertSecret.name | default ( include "snyk-broker.genericSecretName" (dict "Context" . "secretName" "cacert-secret" ) ) -}}
 {{- end }}
 
-{{/*}}
+{{/*
+Create a name for the Credentials Reference secret, using a provided override if present
+*/}}
+{{- define "snyk-broker.credentialReferencesSecretName" -}}
+{{- .Values.credentialReferencesSecret.name | default ( include "snyk-broker.genericSecretName" (dict "Context" . "secretName" "creds-secret" ) ) -}}
+{{- end }}
+
+{{/*
+Create a name for the Platform Auth secret, using a provided override if present
+*/}}
+{{- define "snyk-broker.snykPlatformSecretName" -}}
+{{- .Values.platformAuthSecret.name | default ( include "snyk-broker.genericSecretName" (dict "Context" . "secretName" "platform-secret" ) ) -}}
+{{- end }}
+
+{{/*
+Credential References
+
+Each credential must be a valid env var, with associated string value
+*/}}
+{{- define "snyk-broker.credentialReferences" -}}
+{{- $failedKeys := list -}}
+{{- with .Values.credentialReferences -}}
+{{- range ( . | keys ) }}
+{{- if not (regexMatch "^[a-zA-Z_]{1,}[a-zA-Z0-9_]{0,}$" .) -}}
+{{- $failedKeys = append $failedKeys . -}}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- if gt ($failedKeys | len) 0 -}}
+{{- fail (printf "Key(s) \"%s\" in .Values.credentialReferences are unsupported. All keys must be valid environment variable names." ($failedKeys | sortAlpha | join ", ") ) -}}
+{{- end }}
+{{- end }}
+
+{{/*
 Snyk Broker ACCEPT_ vars
 */}}
 {{- define "snyk-broker.accepts" -}}
 
@@ -1,17 +1,28 @@
-{{- if not .Values.existingAuthSecret }}
+{{- if not .Values.credentialReferencesSecret.name }}
+{{- include "snyk-broker.credentialReferences" . }}
 apiVersion: v1
 kind: Secret
 metadata:
-  name: {{ printf "%s-platform-auth" (include "common.names.fullname" .) }}
+  name: {{ include "snyk-broker.credentialReferencesSecretName" . }}
   namespace: {{ .Release.Namespace }}
   labels: {{- include "common.labels.standard" (dict "customLabels" .Values.commonLabels "context" $) | nindent 4 }}
 type: Opaque
 stringData:
-  deploymentId: {{ .Values.deploymentId | quote }}
-  clientId: {{ .Values.clientId | quote }}
-  clientSecret: {{ .Values.clientSecret | quote }}
   {{- range $key, $value := .Values.credentialReferences }}
   {{ $key }}: {{ $value | quote }}
 {{- end }}
 {{- end }}
----
+---
+{{- if not .Values.platformAuthSecret.name }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "snyk-broker.snykPlatformSecretName" . }}
+  namespace: {{ .Release.Namespace }}
+  labels: {{- include "common.labels.standard" (dict "customLabels" .Values.commonLabels "context" $) | nindent 4 }}
+type: Opaque
+stringData:
+  DEPLOYMENT_ID: {{ .Values.deploymentId | quote }}
+  CLIENT_ID: {{ .Values.clientId | quote }}
+  CLIENT_SECRET: {{ .Values.clientSecret | quote }}
+{{- end }}
@@ -82,8 +82,15 @@ spec:
             {{- toYaml .Values.readinessProbe.config | nindent 12 }}
           {{- end }}
           envFrom:
+          {{- if eq (include "snyk-broker.snykPlatformSecretName" . ) (include "snyk-broker.credentialReferencesSecretName" . ) }}
             - secretRef:
-                name: {{ ternary .Values.existingAuthSecret (printf "%s-platform-auth" (include "common.names.fullname" .)) (not (empty .Values.existingAuthSecret)) }}
+                name: {{ include "snyk-broker.snykPlatformSecretName" . }}
+          {{- else }}
+            - secretRef:
+                name: {{ include "snyk-broker.snykPlatformSecretName" . }}
+            - secretRef:
+                name: {{ include "snyk-broker.credentialReferencesSecretName" . }}
+          {{- end }}
           volumeMounts:
               {{- if or .Values.caCert .Values.caCertSecret.name }}
               - name: {{ .Release.Name }}-cacert-volume
 
@@ -9,10 +9,10 @@ highAvailabilityMode:
   enabled: false
 
 ##### Snyk Platform Server Auth #####
-deploymentId: 8B338A3B-424A-497E-836E-5E0F9486605A
-clientId: 8B338A3B-424A-497E-836E-5E0F9486605A
-clientSecret: 8B338A3B-424A-497E-836E-5E0F9486605A
+deploymentId: 8b338a3b-424a-497e-836e-5e0f9486605a
+clientId: 8b338a3b-424a-497e-836e-5e0f9486605a
+clientSecret: super-secret-secret
 
 ##### SCM Tokens #####
-credentialReferences: 
-  mygithubtoken: "8B338A3B-424A-497E-836E-5E0F9486605A"
+credentialReferences:
+  MY_GITHUB_TOKEN: "not_a_real_token"