From 2ce7ad1e22811315db2800b974cc4ba31c1be9da Mon Sep 17 00:00:00 2001
From: Aditya Thebe
Date: Tue, 26 Aug 2025 19:21:58 +0545
Subject: [PATCH 1/9] feat(Playbook): Secret parameter * KMS connections
---
common/src/components/Fields.jsx | 196 ++++++++++--------
.../playbooks/concepts/sensitive-data.mdx | 43 ++++
.../_properties_mission_control.mdx | 1 +
.../reference/connections/KMS/aws-kms.mdx | 15 ++
.../connections/KMS/azure-key-vault.mdx | 33 +++
.../reference/connections/KMS/gcp-kms.mdx | 15 ++
.../docs/reference/connections/KMS/index.mdx | 9 +
.../connections/Notifications/index.mdx | 11 +
.../docs/reference/playbooks/parameters.mdx | 34 +++
9 files changed, 274 insertions(+), 83 deletions(-)
create mode 100644 mission-control/docs/guide/playbooks/concepts/sensitive-data.mdx
create mode 100644 mission-control/docs/reference/connections/KMS/aws-kms.mdx
create mode 100644 mission-control/docs/reference/connections/KMS/azure-key-vault.mdx
create mode 100644 mission-control/docs/reference/connections/KMS/gcp-kms.mdx
create mode 100644 mission-control/docs/reference/connections/KMS/index.mdx
create mode 100644 mission-control/docs/reference/connections/Notifications/index.mdx
diff --git a/common/src/components/Fields.jsx b/common/src/components/Fields.jsx
index b26a18fb..25a299b4 100644
--- a/common/src/components/Fields.jsx
+++ b/common/src/components/Fields.jsx
@@ -118,6 +118,89 @@ export default function Fields({ common = [], rows = [], oneOf, anyOf, connectio return a.field.localeCompare(b.field) } + // Common AWS connection fields + const awsFields = [ + { + field: oss ? null : "connection", + description: "The connection url to use, mutually exclusive with `accessKey` and `secretKey`", + scheme: "Connection", + }, + { + field: "accessKey", + description: "Access Key ID", + scheme: "EnvVar" + }, + { + field: "secretKey", + description: "Secret Access Key", + scheme: "EnvVar" + }, + { + field: "region", + description: "The AWS region", + scheme: "string" + }, + { + field: "endpoint", + scheme: "string", + description: "Custom AWS Endpoint to use", + }, + { + field: "skipTLSVerify", + description: "Skip TLS verify when connecting to AWS", + scheme: 'bool' + } + ] + + // Common GCP connection fields + const gcpFields = [ + { + field: oss ? null : 'connection', + description: + 'The connection url to use, mutually exclusive with `credentials`', + scheme: 'Connection' + }, + { + field: 'credentials', + description: 'The credentials to use for authentication', + scheme: 'EnvVar' + }, + { + field: 'endpoint', + description: 'Custom GCP Endpoint to use', + scheme: 'string' + }, + { + field: 'skipTLSVerify', + description: 'Skip TLS verification when connecting to GCP', + scheme: 'bool' + } + ] + + // Common Azure connection fields + const azureFields = [ + { + field: oss ? null : "connection", + description: "The connection url to use, mutually exclusive with `tenantId`, `clientId`, and `clientSecret`", + scheme: "Connection", + }, + { + field: "tenantId", + description: "The Azure Active Directory tenant ID", + required: true + }, + { + field: "clientId", + description: "The Azure client/application ID", + scheme: "EnvVar" + }, + { + field: "clientSecret", + description: "The Azure client/application secret", + scheme: "EnvVar" + } + ] + if (connection == "url") { rows = rows.concat([ { 
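Review bot: The shared `azureFields` array added here omits the `subscriptionId` row that the inline `azure` list carried until this commit (the list removed in the `@@ -347,34 +377,7` hunk), so the plain `azure` connection reference stops documenting a field that was marked `required: true`. If the drop is only meant for `azure_key_vault`, keep the row on the `azure` branch, e.g. `rows = rows.concat(azureFields.concat([{ field: "subscriptionId", description: "The Azure subscription ID", required: true, scheme: "EnvVar" }]))`. The `tenantId` row also has no `scheme` and stays `required: true` although the `connection` row calls the two mutually exclusive; that predates the move, but it now appears on the Key Vault page as well. The enclosing `Fields` function starts and ends outside this hunk.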
@@ -200,62 +283,9 @@ export default function Fields({ common = [], rows = [], oneOf, anyOf, connectio } ]) } else if (connection == "aws") { - rows = rows.concat([ - { - field: oss ? null : "connection", - description: "The connection url to use, mutually exclusive with `accessKey` and `secretKey`", - scheme: "Connection", - }, - { - field: "accessKey", - description: "Access Key ID", - scheme: "EnvVar" - }, - { - field: "secretKey", - description: "Secret Access Key", - scheme: "EnvVar" - }, - { - field: "region", - description: "The AWS region", - scheme: "string" - }, - { - field: "endpoint", - scheme: "string", - description: "Custom AWS Endpoint to use", - }, - { - field: "skipTLSVerify", - description: "Skip TLS verify when connecting to AWS", - scheme: 'bool' - } - ]) + rows = rows.concat(awsFields) } else if (connection == "gcp") { - rows = rows.concat([ - { - field: oss ? null : 'connection', - description: - 'The connection url to use, mutually exclusive with `credentials`', - scheme: 'Connection' - }, - { - field: 'credentials', - description: 'The credentials to use for authentication', - scheme: 'EnvVar' - }, - { - field: 'endpoint', - description: 'Custom GCP Endpoint to use', - scheme: 'string' - }, - { - field: 'skipTLSVerify', - description: 'Skip TLS verification when connecting to GCP', - scheme: 'bool' - } - ]) + rows = rows.concat(gcpFields) } else if (connection == "sftp") { rows = rows.concat([ { 
@@ -347,34 +377,7 @@ export default function Fields({ common = [], rows = [], oneOf, anyOf, connectio scheme: "[CNRM](/docs/reference/connections/kubernetes/#cnrm-connection)", }]) } else if (connection == "azure") { - rows = rows.concat([ - { - field: oss ? null : "connection", - description: "The connection url to use, mutually exclusive with `tenantId`, `subscriptionId`, `clientId`, and `clientSecret`", - scheme: "Connection", - }, - { - field: "tenantId", - description: "The Azure Active Directory tenant ID", - required: true - }, - { - field: "subscriptionId", - description: "The Azure subscription ID", - required: true, - scheme: "EnvVar" - }, - { - field: "clientId", - description: "The Azure client/application ID", - scheme: "EnvVar" - }, - { - field: "clientSecret", - description: "The Azure client/application secret", - scheme: "EnvVar" - } - ]) + rows = rows.concat(azureFields) } else if (connection == "openai") { rows = rows.concat([ { 
@@ -618,6 +621,33 @@ export default function Fields({ common = [], rows = [], oneOf, anyOf, connectio } else if (connection == "prometheus") { // Prometheus extends HTTP connection, so HTTP fields will be included rows = rows.concat([]) + } else if (connection == "aws_kms") { + rows = rows.concat(awsFields.concat([ + { + field: "keyID", + description: "KMS key ID, alias, or ARN. Can include region specification for aliases (e.g., alias/ExampleAlias?region=us-east-1)", + scheme: "string", + required: true + } + ])) + } else if (connection == "gcp_kms") { + rows = rows.concat(gcpFields.concat([ + { + field: "keyID", + description: "KMS key resource path in the format: projects/PROJECT/locations/LOCATION/keyRings/KEY_RING/cryptoKeys/KEY", + scheme: "string", + required: true + } + ])) + } else if (connection == "azure_key_vault") { + rows = rows.concat(azureFields.concat([ + { + field: "keyID", + description: "Key Vault key URL in the format: https://vault-name.vault.azure.net/keys/key-name", + scheme: "string", + required: true + } + ])) } rows = rows.concat(common.filter(row => row.required)).filter(i => i.field != null) diff --git a/mission-control/docs/guide/playbooks/concepts/sensitive-data.mdx b/mission-control/docs/guide/playbooks/concepts/sensitive-data.mdx new file mode 100644 index 00000000..7fde7caa --- /dev/null +++ b/mission-control/docs/guide/playbooks/concepts/sensitive-data.mdx 
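Review bot: The `aws_kms` and `gcp_kms` branches take `skipTLSVerify` and `endpoint` unchanged from `awsFields`/`gcpFields`, so the reference for the connection that encrypts playbook secret parameters documents turning off certificate verification without any caveat. Whether the backend honours these fields for the KMS types is not visible here, but if it does, an unverified KMS endpoint sees the plaintext sent for encryption. I would either drop the row for the KMS types, `awsFields.filter(f => f.field !== "skipTLSVerify").concat([...])`, or override its description with something like `"Skip TLS verification (test endpoints only; leave unset for a production KMS connection)"`. The `if`/`else if` chain these branches extend starts outside this hunk.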
@@ -0,0 +1,43 @@ +--- +title: Sensitive Data +sidebar_custom_props: + icon: material-symbols-light:security +--- + +Sensitive data includes passwords, API keys, tokens, and other confidential information that requires protection from unauthorized access or exposure. Mission Control provides comprehensive protection for sensitive data throughout the entire playbook lifecycle. + +## Secret Parameters + +Use `secret` type parameters to handle sensitive data in playbooks: + +```yaml +parameters: + - name: database_password + type: secret + label: "Database Password" + description: "Password for database connection" + required: true +``` + +## KMS Connection + +:::info +Your Mission Control instance **must** have a KMS connection configured to use secret parameters. +::: + +Configure this using the `--secret-keeper-connection` flag: + +```bash +mission-control serve --secret-keeper-connection "connection://default/my-kms-key" +``` + +or in the helm chart: + +```yaml +kmsConnection: "connection://default/my-kms-key" +``` + +Supported connection types: +- AWS KMS +- Azure Key Vault +- GCP KMS diff --git a/mission-control/docs/installation/_properties_mission_control.mdx b/mission-control/docs/installation/_properties_mission_control.mdx index c15c0330..efd80cf5 100644 --- a/mission-control/docs/installation/_properties_mission_control.mdx +++ b/mission-control/docs/installation/_properties_mission_control.mdx @@ -12,6 +12,7 @@ import Container from './_properties_container.mdx' | otel.serviceName | Defaults to `mission-control` | | properties.incidents.disable | Defaults to `{}` | | properties.logs.disable | Defaults to `true` | +| kmsConnection | Provide the KMS connection string to use for secret parameters. See [KMS connection documentation](/reference/connections/KMS/) for details. | | | replicas | Defaults to `1` | | resources.limits.cpu | Defaults to `500m` | | resources.limits.memory | Defaults to `1024Mi` | 
diff --git a/mission-control/docs/reference/connections/KMS/aws-kms.mdx b/mission-control/docs/reference/connections/KMS/aws-kms.mdx new file mode 100644 index 00000000..227fc2f6 --- /dev/null +++ b/mission-control/docs/reference/connections/KMS/aws-kms.mdx @@ -0,0 +1,15 @@ +--- +title: AWS KMS +sidebar_custom_props: + icon: aws +--- + + + + + +## Example + +```yaml title="awskms.yaml" file=/modules/mission-control/fixtures/connections/awskms.yaml + +``` \ No newline at end of file diff --git a/mission-control/docs/reference/connections/KMS/azure-key-vault.mdx b/mission-control/docs/reference/connections/KMS/azure-key-vault.mdx new file mode 100644 index 00000000..baa14145 --- /dev/null +++ b/mission-control/docs/reference/connections/KMS/azure-key-vault.mdx @@ -0,0 +1,33 @@ +--- +title: Azure Key Vault +sidebar_custom_props: + icon: azure +--- + + + + + +## Example + +```yaml title="azure-key-vault-connection.yaml" +apiVersion: v1 +kind: Connection +metadata: + name: azure-key-vault-connection +spec: + type: azure_key_vault + clientID: + valueFrom: + secretKeyRef: + name: azure-credentials + key: AZURE_CLIENT_ID + clientSecret: + valueFrom: + secretKeyRef: + name: azure-credentials + key: AZURE_CLIENT_SECRET + tenantID: your-tenant-id + properties: + keyID: https://your-vault.vault.azure.net/keys/mission-control-key +``` \ No newline at end of file diff --git a/mission-control/docs/reference/connections/KMS/gcp-kms.mdx b/mission-control/docs/reference/connections/KMS/gcp-kms.mdx new file mode 100644 index 00000000..0ff6f9db --- /dev/null +++ b/mission-control/docs/reference/connections/KMS/gcp-kms.mdx @@ -0,0 +1,15 @@ +--- +title: GCP KMS +sidebar_custom_props: + icon: gcp +--- + + + + + +## Example + +```yaml title="gcpkms.yaml" file=/modules/mission-control/fixtures/connections/gcpkms.yaml + +``` \ No newline at end of file 
diff --git a/mission-control/docs/reference/connections/KMS/index.mdx b/mission-control/docs/reference/connections/KMS/index.mdx new file mode 100644 index 00000000..1bc8838a --- /dev/null +++ b/mission-control/docs/reference/connections/KMS/index.mdx @@ -0,0 +1,9 @@ +--- +title: KMS +sidebar_custom_props: + icon: material-symbols-light:security +--- + +import DocCardList from '@theme/DocCardList'; + + \ No newline at end of file diff --git a/mission-control/docs/reference/connections/Notifications/index.mdx b/mission-control/docs/reference/connections/Notifications/index.mdx new file mode 100644 index 00000000..e663455f --- /dev/null +++ b/mission-control/docs/reference/connections/Notifications/index.mdx @@ -0,0 +1,11 @@ +--- +title: Notifications +sidebar_position: 2 + +sidebar_custom_props: + icon: ix:alarm-bell +--- + +import DocCardList from '@theme/DocCardList'; + + \ No newline at end of file diff --git a/mission-control/docs/reference/playbooks/parameters.mdx b/mission-control/docs/reference/playbooks/parameters.mdx index ba571c66..dfe880e2 100644 --- a/mission-control/docs/reference/playbooks/parameters.mdx +++ b/mission-control/docs/reference/playbooks/parameters.mdx @@ -87,6 +87,7 @@ When running the playbook on a `Deployment` named `mysql` the following is pre-p | `text` | Text input | Text Input | `string` | [`Text`](#text) | | `millicores` | CPU resource | Number | `string` | - | | `bytes` | Memory resource | Number | `string` | - | +| `secret` | Encrypted sensitive data | Password | `string` | - | ```yaml title='params-sink.yaml' file=/modules/mission-control/fixtures/playbooks/params.yaml {20,24,27,32,39,46,51,56,61,72} showLineNumbers 
@@ -128,3 +129,36 @@ When running the playbook on a `Deployment` named `mysql` the following is pre-p | ----------------- | -------------------------------- | -------- | | `options[].label` | Specify label of the list option | `string` | | `options[].value` | Specify value of the list option | `string` | + +### secret + +Secret parameters handle sensitive data like passwords, API keys, and tokens. Values are encrypted at rest using the configured KMS connection and are automatically redacted in logs, UI displays, and database queries. + +:::info Requirements +Your Mission Control instance must have a [KMS connection configured](/installation/saas/authentication#kms) to use secret parameters. +::: + +Secret parameters are rendered as password input fields in the UI and their values are: +- **Encrypted** using the configured KMS (AWS KMS, Azure Key Vault, or GCP KMS) +- **Redacted** in all logs and audit trails +- **Hidden** in the UI after initial input +- **Protected** in database storage + +```yaml +parameters: + - name: api_key + type: secret + label: "API Key" + description: "Your service API key" + required: true +``` + +When referencing secret parameters in playbook actions, use them like any other parameter: + +```yaml +actions: + - name: "Call external API" + exec: + script: | + curl -H "Authorization: Bearer {{.params.api_key}}" https://api.example.com/data +``` From d6934b4b9eebd5b987a562167bb63e768e54bc28 Mon Sep 17 00:00:00 2001 From: Aditya Thebe Date: Tue, 26 Aug 2025 19:41:50 +0545 Subject: [PATCH 2/9] feat: make file-ref-check --- Makefile | 20 ++++++++++++++++++++ styles/ignore/words-with-suggestions.txt | 1 + 2 files changed, 21 insertions(+) diff --git a/Makefile b/Makefile index 180d8660..8f56d27b 100644 --- a/Makefile +++ b/Makefile 
@@ -30,6 +30,26 @@ fmt-check: ## Check markdown formatting without making changes check: ## Run all checks (lint + formatting + file references) task check +.PHONY: build +build: + @echo "Building mission-control documentation..." + @cd modules && make all + @cd mission-control && npm ci && npm run build + +.PHONY: file-ref-check +file-ref-check: ## Check for broken file references in build output + @echo "Checking for broken files in mission-control/build" + @cd mission-control/build && \ + echo "Total files: $$(ls -alh . | wc -l)" && \ + echo "Total HTML files: $$(find . -type f -name "*.html" | wc -l)" && \ + if rg 'file=../../../modules' -g '*.html' | grep -q .; then \ + echo "ERROR: Found broken file references:" && \ + rg 'file=../../../modules' -g '*.html' && \ + exit 1; \ + else \ + echo "No broken file references found"; \ + fi + .PHONY: sync: git submodule update --init --recursive diff --git a/styles/ignore/words-with-suggestions.txt b/styles/ignore/words-with-suggestions.txt index 7dce03cc..46772964 100644 --- a/styles/ignore/words-with-suggestions.txt +++ b/styles/ignore/words-with-suggestions.txt @@ -262,6 +262,7 @@ JUnit kafka keypair keypairs +kmsConnection knowledgebase knowledgebases Kratos From c4e934953e46ea53a32729cad0b5bdf1aa97d6b7 Mon Sep 17 00:00:00 2001 From: Aditya Thebe Date: Wed, 27 Aug 2025 22:02:37 +0545 Subject: [PATCH 3/9] feat: GCP KMS setup tutorial --- .../docs/installation/_gke_iam.mdx | 118 ++++++++++++++++-- 1 file changed, 109 insertions(+), 9 deletions(-) diff --git a/mission-control/docs/installation/_gke_iam.mdx b/mission-control/docs/installation/_gke_iam.mdx index b9fab654..12c20a39 100644 --- a/mission-control/docs/installation/_gke_iam.mdx +++ b/mission-control/docs/installation/_gke_iam.mdx 
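Review bot: The `file-ref-check` recipe fails open when `rg` is not installed: `rg ... | grep -q .` is then false, so the `else` branch prints "No broken file references found" and the target exits 0. A guard at the top of the recipe such as `command -v rg >/dev/null || { echo "ERROR: rg not found"; exit 1; }` would close that. The pattern `'file=../../../modules'` is also read as a regular expression, so every `.` matches any character; `rg -q -F 'file=../../../modules' -g '*.html'` matches the literal path and makes the `grep -q .` pipe unnecessary. `ls -alh . | wc -l` counts the `total` line plus `.` and `..` and only the top level, so "Total files" would be closer with `find . -type f | wc -l`.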
@@ -4,10 +4,11 @@ import Domain from '@site/docs/partials/_domain.mdx' Depending on usecase, Mission Control can be associated with the following GCP IAM roles: -| Use Case | Role Name | -| -------------------------------------------- | ---------------| -| Read Only Scraping | `roles/viewer` | -| Playbooks to create and update GCP Resources | `roles/editor` | +| Use Case | Role Name | +| -------------------------------------------- | -----------------------------| +| Read Only Scraping | `roles/viewer` | +| Playbooks to create and update GCP Resources | `roles/editor` | +| Secret Management (optional) | `roles/cloudkms.cryptoKeyEncrypterDecrypter` | ## Configure IAM Roles for Mission Control @@ -21,14 +22,18 @@ Depending on usecase, Mission Control can be associated with the following GCP I 1. Enable workload identity ```bash - # The name of the GKE cluster mission control is being deployed to - export CLUSTER= + # The name of your existing GKE cluster where mission control is to be deployed to + export CLUSTER=cluster-name + # GCP Project ID export PROJECT_ID=gcp-project-id + # GCP Project Number export PROJECT_NUMBER=gcp-project-number + # Location of GKE Cluster - LOCATION=us-east1 + export LOCATION=us-east1 + # the default namespace the mission-control helm chart uses export NAMESPACE=mission-control @@ -44,6 +49,8 @@ Depending on usecase, Mission Control can be associated with the following GCP I `$KSA_NAME` refers to the Kubernetes service account name. In our case, we need to bind to 3 service accounts: `mission-control-sa`, `canary-checker-sa` and `config-db-sa` ```bash + export ROLE_NAME=roles/viewer + for KSA_NAME in "mission-control-sa" "canary-checker-sa" "config-db-sa"; do gcloud projects add-iam-policy-binding projects/$PROJECT_ID \ --role=$ROLE_NAME \ 
@@ -68,13 +75,17 @@ You can also refer the official docs: https://cloud.google.com/kubernetes-engine 1. Enable workload identity in the host cluster ```bash # The name of the GKE cluster mission control is being deployed to - export CLUSTER= + export CLUSTER=cluster-name + # GCP Project ID export PROJECT_ID=gcp-project-id + # Location of GKE Cluster - LOCATION=us-east1 + export LOCATION=us-east1 + # the default namespace the mission-control helm chart uses export NAMESPACE=mission-control + # IAM service account name export IAM_SA_NAME=mission-control 
@@ -137,3 +148,92 @@ You can also refer the official docs: https://cloud.google.com/kubernetes-engine + +## KMS Setup for Secret Management + +If you plan to use secret parameters in playbooks, create a KMS key to encrypt and manage sensitive data. +This requires creating a new mission control connection and updating the helm chart to point mission control to the KMS connection. + +### Create a KMS Key + +```bash +# Set your project ID (if not already set) +export PROJECT_ID=gcp-project-id + +# Create a key ring +gcloud kms keyrings create mission-control-keyring \ + --location=global \ + --project=$PROJECT_ID + +# Create a KMS key for Mission Control +gcloud kms keys create mission-control-key \ + --keyring=mission-control-keyring \ + --location=global \ + --purpose=encryption \ + --project=$PROJECT_ID +``` + +### Bind GCP Service Account to IAM Role + +```bash +gcloud projects add-iam-policy-binding projects/$PROJECT_ID \ + --role=roles/cloudkms.cryptoKeyEncrypterDecrypter \ + --member=principal://iam.googleapis.com/projects/$PROJECT_NUMBER/locations/global/workloadIdentityPools/$PROJECT_ID.svc.id.goog/subject/ns/$NAMESPACE/sa/$KSA_NAME \ + --condition=None +``` + +### Create a Mission Control connection + + +```yaml title="gcpkms.yaml" +apiVersion: mission-control.flanksource.com/v1 +kind: Connection +metadata: + name: flanksource-gcpkms +spec: + gcpkms: + keyID: projects//locations/global/keyRings/mission-control-keyring/cryptoKeys/mission-control-key +``` + +### Update Mission Control helm chart + + + + ```bash + helm upgrade mission-control-agent flanksource/mission-control-agent \ + --set upstream.agent= \ + --set upstream.username='token' \ + --set upstream.password= \ + --set upstream.host= \ + --set kmsConnection='connection://mission-control/flanksource-gcpkms' \ + -n mission-control \ + --wait + ``` + + + + ```yaml + --- + apiVersion: helm.toolkit.fluxcd.io/v2 + kind: HelmRelease + metadata: + name: mission-control-agent + namespace: mission-control + 
spec: + chart: + spec: + chart: mission-control-agent + sourceRef: + kind: HelmRepository + name: flanksource + namespace: mission-control + interval: 5m + values: + upstream.agent: YOUR_LOCAL_NAME + upstream.username: token + upstream.password: + upstream.host: + kmsConnection: 'connection://mission-control/flanksource-gcpkms' + ``` + + \ No newline at end of file From a3603056a4c876e7ac6f1f9e8414d495ed0cdb1f Mon Sep 17 00:00:00 2001 From: Aditya Thebe Date: Mon, 15 Sep 2025 11:04:59 +0545 Subject: [PATCH 4/9] aws iam for KMS --- Makefile | 20 --- .../docs/installation/_aws_iam.mdx | 162 +++++++++++++++++- 2 files changed, 159 insertions(+), 23 deletions(-) diff --git a/Makefile b/Makefile index 8f56d27b..180d8660 100644 --- a/Makefile +++ b/Makefile @@ -30,26 +30,6 @@ fmt-check: ## Check markdown formatting without making changes check: ## Run all checks (lint + formatting + file references) task check -.PHONY: build -build: - @echo "Building mission-control documentation..." - @cd modules && make all - @cd mission-control && npm ci && npm run build - -.PHONY: file-ref-check -file-ref-check: ## Check for broken file references in build output - @echo "Checking for broken files in mission-control/build" - @cd mission-control/build && \ - echo "Total files: $$(ls -alh . | wc -l)" && \ - echo "Total HTML files: $$(find . -type f -name "*.html" | wc -l)" && \ - if rg 'file=../../../modules' -g '*.html' | grep -q .; then \ - echo "ERROR: Found broken file references:" && \ - rg 'file=../../../modules' -g '*.html' && \ - exit 1; \ - else \ - echo "No broken file references found"; \ - fi - .PHONY: sync: git submodule update --init --recursive diff --git a/mission-control/docs/installation/_aws_iam.mdx b/mission-control/docs/installation/_aws_iam.mdx index acc7060f..e765b490 100644 --- a/mission-control/docs/installation/_aws_iam.mdx +++ b/mission-control/docs/installation/_aws_iam.mdx 
@@ -8,6 +8,7 @@ Depending on how you want to use Mission Control you need to create an IAM role | -------------------------------------------- | ----------------------------------------- | | Read Only Scraping | `arn:aws:iam::aws:policy/ReadOnlyAccess` | | Playbooks to create and update AWS Resources | `arn:aws:iam::aws:policy/PowerUserAccess` | +| Secret Management (optional) | Custom KMS policy (see below) |
@@ -107,6 +108,9 @@ You can also create a new policy with only the permissions required by Mission C roleName: MissionControlRole roleOnly: true attachPolicyARNs: + # Add additional policies as needed: + # - "arn:aws:iam::aws:policy/PowerUserAccess" + # - Custom KMS policy ARN for secret management - "arn:aws:iam::aws:policy/ReadOnlyAccess" - metadata: name: canary-checker-sa @@ -114,6 +118,9 @@ You can also create a new policy with only the permissions required by Mission C roleName: CanaryCheckerRole roleOnly: true attachPolicyARNs: + # Add additional policies as needed: + # - "arn:aws:iam::aws:policy/PowerUserAccess" + # - Custom KMS policy ARN for secret management - "arn:aws:iam::aws:policy/ReadOnlyAccess" - metadata: name: config-db-sa @@ -121,6 +128,9 @@ You can also create a new policy with only the permissions required by Mission C roleName: ConfigDBRole roleOnly: true attachPolicyARNs: + # Add additional policies as needed: + # - "arn:aws:iam::aws:policy/PowerUserAccess" + # - Custom KMS policy ARN for secret management - "arn:aws:iam::aws:policy/ReadOnlyAccess" ``` 
@@ -168,15 +178,27 @@ You can also create a new policy with only the permissions required by Mission C podIdentityAssociations: - namespace: mission-control serviceAccountName: mission-control-sa - permissionPolicyARNs: arn:aws:iam::aws:policy/ReadOnlyAccess + permissionPolicyARNs: + # Add additional policies as needed: + # - arn:aws:iam::aws:policy/PowerUserAccess + # - Custom KMS policy ARN for secret management + - arn:aws:iam::aws:policy/ReadOnlyAccess - namespace: mission-control serviceAccountName: config-db-sa - permissionPolicyARNs: arn:aws:iam::aws:policy/ReadOnlyAccess + permissionPolicyARNs: + # Add additional policies as needed: + # - arn:aws:iam::aws:policy/PowerUserAccess + # - Custom KMS policy ARN for secret management + - arn:aws:iam::aws:policy/ReadOnlyAccess - namespace: mission-control serviceAccountName: canary-checker-sa - permissionPolicyARNs: arn:aws:iam::aws:policy/ReadOnlyAccess + permissionPolicyARNs: + # Add additional policies as needed: + # - arn:aws:iam::aws:policy/PowerUserAccess + # - Custom KMS policy ARN for secret management + - arn:aws:iam::aws:policy/ReadOnlyAccess iam: # note withOIDC is not required for Pod Identity serviceAccounts: 
@@ -185,18 +207,27 @@ You can also create a new policy with only the permissions required by Mission C name: mission-control-sa namespace: mission-control attachPolicyARNs: + # Add additional policies as needed: + # - "arn:aws:iam::aws:policy/PowerUserAccess" + # - Custom KMS policy ARN for secret management - "arn:aws:iam::aws:policy/ReadOnlyAccess" # used for cloudwatch, S3 and other AWS health checks - metadata: name: canary-checker-sa namespace: mission-control attachPolicyARNs: + # Add additional policies as needed: + # - "arn:aws:iam::aws:policy/PowerUserAccess" + # - Custom KMS policy ARN for secret management - "arn:aws:iam::aws:policy/ReadOnlyAccess" # used to scrape resources, AWS CloudTrail and AWS Cost & Usage Reports - metadata: name: config-db-sa namespace: mission-control attachPolicyARNs: + # Add additional policies as needed: + # - "arn:aws:iam::aws:policy/PowerUserAccess" + # - Custom KMS policy ARN for secret management - "arn:aws:iam::aws:policy/ReadOnlyAccess" ```

@@ -312,9 +343,20 @@ First we create a secret called `aws` containing the access key and secret. USER_NAME="mission-control-sa" aws iam create-user --user-name $USER_NAME + + # Add policies based on your use case (see table above) aws iam attach-user-policy \ --user-name $USER_NAME \ --policy-arn arn:aws:iam::aws:policy/ReadOnlyAccess + + # Add additional policies as needed: + # aws iam attach-user-policy \ + # --user-name $USER_NAME \ + # --policy-arn arn:aws:iam::aws:policy/PowerUserAccess + # aws iam attach-user-policy \ + # --user-name $USER_NAME \ + # --policy-arn arn:aws:iam:::policy/MissionControlKMSPolicy + key=$(aws iam create-access-key --user-name $USER_NAME) ```

@@ -356,3 +398,117 @@ First we create a secret called `aws` containing the access key and secret. +## Optional: KMS Setup for Secret Management + +If you plan to use secret parameters in playbooks, create a KMS key and IAM policy to encrypt and manage sensitive data: + +### Create a KMS Key + +```bash +# Set your AWS region and account ID +export AWS_REGION=us-west-2 +export ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text) + +# Create a KMS key for Mission Control +aws kms create-key \ + --description "Mission Control Secret Management Key" \ + --region $AWS_REGION \ + --query 'KeyMetadata.KeyId' \ + --output text > mission-control-key-id.txt + +export KEY_ID=$(cat mission-control-key-id.txt) + +# Create an alias for easier reference +aws kms create-alias \ + --alias-name alias/mission-control-secrets \ + --target-key-id $KEY_ID \ + --region $AWS_REGION +``` + +### Create KMS IAM Policy + +```bash +# Create a custom KMS policy +cat > mission-control-kms-policy.json << EOF +{ + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "MissionControlKMSAccess", + "Effect": "Allow", + "Action": [ + "kms:Encrypt", + "kms:Decrypt", + "kms:ReEncrypt*", + "kms:GenerateDataKey*", + "kms:DescribeKey" + ], + "Resource": "arn:aws:kms:${AWS_REGION}:${ACCOUNT_ID}:key/${KEY_ID}" + } + ] +} +EOF + +# Create the IAM policy +aws iam create-policy \ + --policy-name MissionControlKMSPolicy \ + --policy-document file://mission-control-kms-policy.json \ + --query 'Policy.Arn' \ + --output text > mission-control-kms-policy-arn.txt + +export KMS_POLICY_ARN=$(cat mission-control-kms-policy-arn.txt) +``` + +After creating the key and policy, make sure to include the KMS policy ARN in your service account configurations above. 
+ +### Create a Mission Control Connection + +```yaml title="aws-kms-connection.yaml" +apiVersion: mission-control.flanksource.com/v1 +kind: Connection +metadata: + name: aws-kms + namespace: mission-control +spec: + aws: + region: us-west-2 + # Use the same authentication method as your main AWS connection + awsKms: + keyID: alias/mission-control-secrets +``` + +### Update Mission Control Helm Chart + + + + ```bash + helm upgrade mission-control flanksource/mission-control \ + --set kmsConnection='connection://mission-control/aws-kms' \ + -n mission-control \ + --wait + ``` + + + + ```yaml + --- + apiVersion: helm.toolkit.fluxcd.io/v2 + kind: HelmRelease + metadata: + name: mission-control + namespace: mission-control + spec: + chart: + spec: + chart: mission-control + sourceRef: + kind: HelmRepository + name: flanksource + namespace: mission-control + interval: 5m + values: + kmsConnection: 'connection://mission-control/aws-kms' + ``` + + + From 835de36582a2a04e12307dbc58c9323743a8f18e Mon Sep 17 00:00:00 2001 From: Aditya Thebe Date: Tue, 17 Feb 2026 23:21:09 +0545 Subject: [PATCH 5/9] docs(mission-control): improve secret parameter and KMS docs --- .../playbooks/concepts/sensitive-data.mdx | 22 +++---- .../docs/installation/_aws_iam.mdx | 57 ++++-------------- .../docs/installation/_gke_iam.mdx | 60 +++---------------- .../_properties_mission_control.mdx | 8 +-- .../reference/connections/KMS/aws-kms.mdx | 2 +- .../connections/KMS/azure-key-vault.mdx | 24 +------- .../reference/connections/KMS/gcp-kms.mdx | 2 +- .../docs/reference/connections/KMS/index.mdx | 2 +- .../connections/Notifications/index.mdx | 10 +++- .../docs/reference/connections/index.mdx | 23 +++---- .../docs/reference/playbooks/parameters.mdx | 20 ++----- modules/mission-control | 2 +- styles/ignore/words-with-suggestions.txt | 2 + 13 files changed, 64 insertions(+), 170 deletions(-) 
diff --git a/mission-control/docs/guide/playbooks/concepts/sensitive-data.mdx b/mission-control/docs/guide/playbooks/concepts/sensitive-data.mdx index 7fde7caa..8ce8cfab 100644 --- a/mission-control/docs/guide/playbooks/concepts/sensitive-data.mdx +++ b/mission-control/docs/guide/playbooks/concepts/sensitive-data.mdx @@ -10,19 +10,14 @@ Sensitive data includes passwords, API keys, tokens, and other confidential info Use `secret` type parameters to handle sensitive data in playbooks: -```yaml -parameters: - - name: database_password - type: secret - label: "Database Password" - description: "Password for database connection" - required: true +```yaml title="http-secret-parameter.yaml" file=/modules/mission-control/fixtures/playbooks/http-secret-parameter.yaml + ``` ## KMS Connection :::info -Your Mission Control instance **must** have a KMS connection configured to use secret parameters. +Your Mission Control instance **must** have a KMS connection configured to use secret parameters. ::: Configure this using the `--secret-keeper-connection` flag: @@ -31,13 +26,12 @@ Configure this using the `--secret-keeper-connection` flag: mission-control serve --secret-keeper-connection "connection://default/my-kms-key" ``` -or in the helm chart: - -```yaml -kmsConnection: "connection://default/my-kms-key" -``` +Or set `kmsConnection` in your Helm values file. Supported connection types: + - AWS KMS -- Azure Key Vault +- Azure Key Vault - GCP KMS + +For field-level schema details, see [KMS connection reference](/docs/reference/connections/KMS/). diff --git a/mission-control/docs/installation/_aws_iam.mdx b/mission-control/docs/installation/_aws_iam.mdx index e765b490..6a47b696 100644 --- a/mission-control/docs/installation/_aws_iam.mdx +++ b/mission-control/docs/installation/_aws_iam.mdx @@ -289,7 +289,7 @@ You can also create a new policy with only the permissions required by Mission C - + 1. Setup variables ```bash 
@@ -300,7 +300,7 @@ You can also create a new policy with only the permissions required by Mission C ```

-1. Create a cloudformation template +1. Create a CloudFormation template ```yaml title="mission-control-iam-cloudformation.yaml" file=/docs/partials/_pod_identity.yaml ``` @@ -463,52 +463,15 @@ After creating the key and policy, make sure to include the KMS policy ARN in yo ### Create a Mission Control Connection -```yaml title="aws-kms-connection.yaml" -apiVersion: mission-control.flanksource.com/v1 -kind: Connection -metadata: - name: aws-kms - namespace: mission-control -spec: - aws: - region: us-west-2 - # Use the same authentication method as your main AWS connection - awsKms: - keyID: alias/mission-control-secrets +```yaml title="awskms.yaml" file=/modules/mission-control/fixtures/connections/awskms.yaml + ``` -### Update Mission Control Helm Chart +### Update Mission Control Helm Values - - - ```bash - helm upgrade mission-control flanksource/mission-control \ - --set kmsConnection='connection://mission-control/aws-kms' \ - -n mission-control \ - --wait - ``` - - - - ```yaml - --- - apiVersion: helm.toolkit.fluxcd.io/v2 - kind: HelmRelease - metadata: - name: mission-control - namespace: mission-control - spec: - chart: - spec: - chart: mission-control - sourceRef: - kind: HelmRepository - name: flanksource - namespace: mission-control - interval: 5m - values: - kmsConnection: 'connection://mission-control/aws-kms' - ``` - - +Set `kmsConnection` to the KMS connection reference used by your installation: + +/" +`}/> diff --git a/mission-control/docs/installation/_gke_iam.mdx b/mission-control/docs/installation/_gke_iam.mdx index 12c20a39..5d6e502b 100644 --- a/mission-control/docs/installation/_gke_iam.mdx +++ b/mission-control/docs/installation/_gke_iam.mdx 
@@ -2,7 +2,7 @@ import Domain from '@site/docs/partials/_domain.mdx' ## Choosing an IAM Role -Depending on usecase, Mission Control can be associated with the following GCP IAM roles: +Depending on use case, Mission Control can be associated with the following GCP IAM roles: | Use Case | Role Name | | -------------------------------------------- | -----------------------------| @@ -152,7 +152,7 @@ You can also refer the official docs: https://cloud.google.com/kubernetes-engine ## KMS Setup for Secret Management If you plan to use secret parameters in playbooks, create a KMS key to encrypt and manage sensitive data. -This requires creating a new mission control connection and updating the helm chart to point mission control to the KMS connection. +This requires creating a new Mission Control connection and updating the Helm chart to point Mission Control to the KMS connection. ### Create a KMS Key 
@@ -184,56 +184,14 @@ gcloud projects add-iam-policy-binding projects/$PROJECT_ID \ ### Create a Mission Control connection +```yaml title="gcpkms.yaml" file=/modules/mission-control/fixtures/connections/gcpkms.yaml -```yaml title="gcpkms.yaml" -apiVersion: mission-control.flanksource.com/v1 -kind: Connection -metadata: - name: flanksource-gcpkms -spec: - gcpkms: - keyID: projects//locations/global/keyRings/mission-control-keyring/cryptoKeys/mission-control-key ``` -### Update Mission Control helm chart +### Update Mission Control Helm Values - - - ```bash - helm upgrade mission-control-agent flanksource/mission-control-agent \ - --set upstream.agent= \ - --set upstream.username='token' \ - --set upstream.password= \ - --set upstream.host= \ - --set kmsConnection='connection://mission-control/flanksource-gcpkms' \ - -n mission-control \ - --wait - ``` - - - - ```yaml - --- - apiVersion: helm.toolkit.fluxcd.io/v2 - kind: HelmRelease - metadata: - name: mission-control-agent - namespace: mission-control - spec: - chart: - spec: - chart: mission-control-agent - sourceRef: - kind: HelmRepository - name: flanksource - namespace: mission-control - interval: 5m - values: - upstream.agent: YOUR_LOCAL_NAME - upstream.username: token - upstream.password: - upstream.host: - kmsConnection: 'connection://mission-control/flanksource-gcpkms' - ``` - - \ No newline at end of file +Set `kmsConnection` to the KMS connection reference used by your installation: + +/" +`}/> diff --git a/mission-control/docs/installation/_properties_mission_control.mdx b/mission-control/docs/installation/_properties_mission_control.mdx index efd80cf5..361e0cfb 100644 --- a/mission-control/docs/installation/_properties_mission_control.mdx +++ b/mission-control/docs/installation/_properties_mission_control.mdx 
@@ -1,5 +1,4 @@ -import Container from './_properties_container.mdx' - +import Container from './_properties_container.mdx' | Value | Description | | -------------------------------------------- | -------------------------------------------------- | @@ -12,7 +11,7 @@ import Container from './_properties_container.mdx' | otel.serviceName | Defaults to `mission-control` | | properties.incidents.disable | Defaults to `{}` | | properties.logs.disable | Defaults to `true` | -| kmsConnection | Provide the KMS connection string to use for secret parameters. See [KMS connection documentation](/reference/connections/KMS/) for details. | | +| kmsConnection | Provide the KMS connection string to use for secret parameters. See [KMS connection documentation](/docs/reference/connections/KMS/) for details. | | replicas | Defaults to `1` | | resources.limits.cpu | Defaults to `500m` | | resources.limits.memory | Defaults to `1024Mi` | @@ -20,9 +19,10 @@ import Container from './_properties_container.mdx' | resources.requests.memory | Defaults to `768Mi` | +### Canary Checker -### Canary Checker ### Config DB + diff --git a/mission-control/docs/reference/connections/KMS/aws-kms.mdx b/mission-control/docs/reference/connections/KMS/aws-kms.mdx index 227fc2f6..a2dcce03 100644 --- a/mission-control/docs/reference/connections/KMS/aws-kms.mdx +++ b/mission-control/docs/reference/connections/KMS/aws-kms.mdx @@ -12,4 +12,4 @@ sidebar_custom_props: ```yaml title="awskms.yaml" file=/modules/mission-control/fixtures/connections/awskms.yaml -``` \ No newline at end of file +``` diff --git a/mission-control/docs/reference/connections/KMS/azure-key-vault.mdx b/mission-control/docs/reference/connections/KMS/azure-key-vault.mdx index baa14145..3401cd2f 100644 --- a/mission-control/docs/reference/connections/KMS/azure-key-vault.mdx +++ b/mission-control/docs/reference/connections/KMS/azure-key-vault.mdx 
@@ -10,24 +10,6 @@ sidebar_custom_props: ## Example -```yaml title="azure-key-vault-connection.yaml" -apiVersion: v1 -kind: Connection -metadata: - name: azure-key-vault-connection -spec: - type: azure_key_vault - clientID: - valueFrom: - secretKeyRef: - name: azure-credentials - key: AZURE_CLIENT_ID - clientSecret: - valueFrom: - secretKeyRef: - name: azure-credentials - key: AZURE_CLIENT_SECRET - tenantID: your-tenant-id - properties: - keyID: https://your-vault.vault.azure.net/keys/mission-control-key -``` \ No newline at end of file +```yaml title="azurekeyvault.yaml" file=/modules/mission-control/fixtures/connections/azurekeyvault.yaml + +``` diff --git a/mission-control/docs/reference/connections/KMS/gcp-kms.mdx b/mission-control/docs/reference/connections/KMS/gcp-kms.mdx index 0ff6f9db..7c8fe0b1 100644 --- a/mission-control/docs/reference/connections/KMS/gcp-kms.mdx +++ b/mission-control/docs/reference/connections/KMS/gcp-kms.mdx @@ -12,4 +12,4 @@ sidebar_custom_props: ```yaml title="gcpkms.yaml" file=/modules/mission-control/fixtures/connections/gcpkms.yaml -``` \ No newline at end of file +``` diff --git a/mission-control/docs/reference/connections/KMS/index.mdx b/mission-control/docs/reference/connections/KMS/index.mdx index 1bc8838a..1d75269b 100644 --- a/mission-control/docs/reference/connections/KMS/index.mdx +++ b/mission-control/docs/reference/connections/KMS/index.mdx @@ -6,4 +6,4 @@ sidebar_custom_props: import DocCardList from '@theme/DocCardList'; - \ No newline at end of file + diff --git a/mission-control/docs/reference/connections/Notifications/index.mdx b/mission-control/docs/reference/connections/Notifications/index.mdx index e663455f..c0127195 100644 --- a/mission-control/docs/reference/connections/Notifications/index.mdx +++ b/mission-control/docs/reference/connections/Notifications/index.mdx 
@@ -6,6 +6,12 @@ sidebar_custom_props: icon: ix:alarm-bell --- -import DocCardList from '@theme/DocCardList'; +Notification connection docs are available under the main Connections section: - \ No newline at end of file +- [Slack](/docs/reference/connections/slack) +- [Discord](/docs/reference/connections/discord) +- [Telegram](/docs/reference/connections/telegram) +- [SMTP](/docs/reference/connections/smtp) +- [Ntfy](/docs/reference/connections/ntfy) +- [Pushbullet](/docs/reference/connections/pushbullet) +- [Pushover](/docs/reference/connections/pushover) diff --git a/mission-control/docs/reference/connections/index.mdx b/mission-control/docs/reference/connections/index.mdx index e852f44f..4041742d 100644 --- a/mission-control/docs/reference/connections/index.mdx +++ b/mission-control/docs/reference/connections/index.mdx 
@@ -11,22 +11,23 @@ Connections provide a secure, reusable way to authenticate against external syst ## Benefits - **Security**: Credentials are stored securely in Kubernetes secrets, not in plain text -- **Reusability**: Define once, use across multiple resources +- **Reuse**: Define once, use across multiple resources - **Maintainability**: Update credentials in one place when they change - **Auditability**: Track which resources use which connections ## Connection Types -| Category | Connections | -|----------|-------------| -| **Cloud Providers** | [AWS](./aws), [Azure](./azure), [GCP](./gcp) | -| **Kubernetes** | [Kubernetes](./kubernetes) | -| **Source Control** | [Git](./git), [GitHub](./github), [GitLab](./gitlab), [Azure DevOps](./azure-devops) | -| **Databases** | [Postgres](./postgres), [OpenSearch](./opensearch) | -| **File Storage** | [SFTP](./sftp), [SMB](./smb) | -| **AI Providers** | [OpenAI](./openai), [Anthropic](./anthropic), [Ollama](./ollama) | -| **Notifications** | [Slack](./slack), [Discord](./discord), [Telegram](./telegram), [SMTP](./smtp), [ntfy](./ntfy), [Pushbullet](./pushbullet), [Pushover](./pushover) | -| **Generic** | [HTTP](./http) | +| Category | Connections | +| --------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------- | +| **Cloud Providers** | [AWS](./aws), [Azure](./azure), [GCP](./gcp) | +| **Key Management** | [KMS](./KMS), [AWS KMS](./KMS/aws-kms), [Azure Key Vault](./KMS/azure-key-vault), [GCP KMS](./KMS/gcp-kms) | +| **Kubernetes** | [Kubernetes](./kubernetes) | +| **Source Control** | [Git](./git), [GitHub](./github), [GitLab](./gitlab), [Azure DevOps](./azure-devops) | +| **Databases** | [Postgres](./postgres), [OpenSearch](./opensearch) | +| **File Storage** | [SFTP](./sftp), [SMB](./smb) | +| **AI Providers** | [OpenAI](./openai), [Anthropic](./anthropic), [Ollama](./ollama) | +| **Notifications** | 
[Slack](./slack), [Discord](./discord), [Telegram](./telegram), [SMTP](./smtp), [Ntfy](./ntfy), [Pushbullet](./pushbullet), [Pushover](./pushover) | +| **Generic** | [HTTP](./http) | ## Creating Connections diff --git a/mission-control/docs/reference/playbooks/parameters.mdx b/mission-control/docs/reference/playbooks/parameters.mdx index dfe880e2..eeece252 100644 --- a/mission-control/docs/reference/playbooks/parameters.mdx +++ b/mission-control/docs/reference/playbooks/parameters.mdx @@ -135,30 +135,18 @@ When running the playbook on a `Deployment` named `mysql` the following is pre-p Secret parameters handle sensitive data like passwords, API keys, and tokens. Values are encrypted at rest using the configured KMS connection and are automatically redacted in logs, UI displays, and database queries. :::info Requirements -Your Mission Control instance must have a [KMS connection configured](/installation/saas/authentication#kms) to use secret parameters. +Your Mission Control instance must have a [KMS connection configured](/docs/reference/connections/KMS/) to use secret parameters. ::: Secret parameters are rendered as password input fields in the UI and their values are: + - **Encrypted** using the configured KMS (AWS KMS, Azure Key Vault, or GCP KMS) - **Redacted** in all logs and audit trails - **Hidden** in the UI after initial input - **Protected** in database storage -```yaml -parameters: - - name: api_key - type: secret - label: "API Key" - description: "Your service API key" - required: true -``` +Use the following fixture as a reference implementation: -When referencing secret parameters in playbook actions, use them like any other parameter: +```yaml title="http-secret-parameter.yaml" file=/modules/mission-control/fixtures/playbooks/http-secret-parameter.yaml -```yaml -actions: - - name: "Call external API" - exec: - script: | - curl -H "Authorization: Bearer {{.params.api_key}}" https://api.example.com/data ``` 
diff --git a/modules/mission-control b/modules/mission-control
index e08095f2..82900895 160000
--- a/modules/mission-control
+++ b/modules/mission-control
@@ -1 +1 @@
-Subproject commit e08095f2e08b0a1703a432752a1dceb78a1cab6b
+Subproject commit 8290089576c4f20579eacbf124138904b33b97ab
diff --git a/styles/ignore/words-with-suggestions.txt b/styles/ignore/words-with-suggestions.txt
index 46772964..b269cf78 100644
--- a/styles/ignore/words-with-suggestions.txt
+++ b/styles/ignore/words-with-suggestions.txt
@@ -390,6 +390,7 @@ searchPath
 securityContext
 Semver
 serviceMonitor
+serviceAccount
 SFTPConnection
 shoutrrr
 Shoutrrr
@@ -485,5 +486,6 @@ Helm
 LLM
 MCP
 OpenAI
+Ollama
 Slack
 WebSocket
From a92c479879b3e13a8fd368d224628c8adac64140 Mon Sep 17 00:00:00 2001
From: Aditya Thebe
Date: Wed, 18 Feb 2026 13:34:28 +0545
Subject: [PATCH 6/9] fix
---
 common/src/components/Fields.jsx | 1 +
 mission-control-chart | 2 +-
 modules/mission-control-chart | 2 +-
 3 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/common/src/components/Fields.jsx b/common/src/components/Fields.jsx
index 25a299b4..0bdf1bb7 100644
--- a/common/src/components/Fields.jsx
+++ b/common/src/components/Fields.jsx
@@ -187,6 +187,7 @@ export default function Fields({ common = [], rows = [], oneOf, anyOf, connectio
 {
 field: "tenantId",
 description: "The Azure Active Directory tenant ID",
+ scheme: "EnvVar",
 required: true
 },
 {
diff --git a/mission-control-chart b/mission-control-chart
index ae4789b9..65e84d19 160000
--- a/mission-control-chart
+++ b/mission-control-chart
@@ -1 +1 @@
-Subproject commit ae4789b9aaf27a9f448ec80fabddc78763810e23
+Subproject commit 65e84d195cc1aa597f79138d218d20c453fe7ca9
diff --git a/modules/mission-control-chart b/modules/mission-control-chart
index ae4789b9..65e84d19 160000
--- a/modules/mission-control-chart
+++ b/modules/mission-control-chart
@@ -1 +1 @@
-Subproject commit ae4789b9aaf27a9f448ec80fabddc78763810e23
+Subproject commit 65e84d195cc1aa597f79138d218d20c453fe7ca9
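Review bot: In the `tenantId` entry of `azureFields` (the Fields.jsx hunk of patch 6/9), the new `scheme: "EnvVar"` sits beside an unchanged `required: true`, while the `connection` entry that patch 1/9 adds to the same array is described as mutually exclusive with `tenantId`, `clientId` and `clientSecret`. The field table would then present tenantId as mandatory and as something to omit when a connection reference is used, which leaves readers unsure which credential path applies. If the field is only needed when no connection is given, say so in the text, for example `description: "The Azure Active Directory tenant ID (required unless connection is set)",`, and drop `required: true`; how the component renders `required` is not visible in this hunk. The `azureFields` array and the enclosing `Fields` function start and end outside the hunk.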
From 2f2bf8dc25169be6e28bc8d538f262d515ef1eb6 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 19 Feb 2026 07:14:16 +0000
Subject: [PATCH 7/9] Initial plan
From 090f8f3d3a1769823160f4dd4651119012a5fb01 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 19 Feb 2026 07:17:22 +0000
Subject: [PATCH 8/9] chore: update submodules to latest versions
Co-authored-by: moshloop <1489660+moshloop@users.noreply.github.com>
---
 .submodule_update_marker | 0
 mission-control-chart | 2 +-
 modules/canary-checker | 2 +-
 modules/config-db | 2 +-
 modules/mission-control | 2 +-
 modules/mission-control-chart | 2 +-
 modules/mission-control-registry | 2 +-
 7 files changed, 6 insertions(+), 6 deletions(-)
 create mode 100644 .submodule_update_marker
diff --git a/.submodule_update_marker b/.submodule_update_marker
new file mode 100644
index 00000000..e69de29b
diff --git a/mission-control-chart b/mission-control-chart
index 65e84d19..68f8ff87 160000
--- a/mission-control-chart
+++ b/mission-control-chart
@@ -1 +1 @@
-Subproject commit 65e84d195cc1aa597f79138d218d20c453fe7ca9
+Subproject commit 68f8ff875e3de267b916535ec42e915915d23632
diff --git a/modules/canary-checker b/modules/canary-checker
index 541b80c5..8afe4983 160000
--- a/modules/canary-checker
+++ b/modules/canary-checker
@@ -1 +1 @@
-Subproject commit 541b80c5c8b898e0505f8740f2c9b1e21bb04062
+Subproject commit 8afe4983df037956e17bb3e7c5ddc27612077a29
diff --git a/modules/config-db b/modules/config-db
index b82442d4..f0d0fb82 160000
--- a/modules/config-db
+++ b/modules/config-db
@@ -1 +1 @@
-Subproject commit b82442d49297a3673b18c9419b286b7ef8e8b272
+Subproject commit f0d0fb8228cfc73145bdc3909e311c78f8e0d9a8
diff --git a/modules/mission-control b/modules/mission-control
index 82900895..6a1dc093 160000
--- a/modules/mission-control
+++ b/modules/mission-control
@@ -1 +1 @@
-Subproject commit 8290089576c4f20579eacbf124138904b33b97ab
+Subproject commit 6a1dc093cbf96b7a18895f92d986a533b91a6b1a
diff --git a/modules/mission-control-chart b/modules/mission-control-chart
index 65e84d19..68f8ff87 160000
--- a/modules/mission-control-chart
+++ b/modules/mission-control-chart
@@ -1 +1 @@
-Subproject commit 65e84d195cc1aa597f79138d218d20c453fe7ca9
+Subproject commit 68f8ff875e3de267b916535ec42e915915d23632
diff --git a/modules/mission-control-registry b/modules/mission-control-registry
index c0d9678f..2ff4e665 160000
--- a/modules/mission-control-registry
+++ b/modules/mission-control-registry
@@ -1 +1 @@
-Subproject commit c0d9678f764ae3fc7b252a0ce347b8190d1e7315
+Subproject commit 2ff4e6653841fd6119dd37b3597ad52c340ed5bf
From 0a890b18153e2c13439301d3f784172b057e6f8b Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 19 Feb 2026 07:17:30 +0000
Subject: [PATCH 9/9] chore: remove temporary marker file
Co-authored-by: moshloop <1489660+moshloop@users.noreply.github.com>
---
 .submodule_update_marker | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 delete mode 100644 .submodule_update_marker
diff --git a/.submodule_update_marker b/.submodule_update_marker
deleted file mode 100644
index e69de29b..00000000