doc: docs for secrets sinks config

Author: nherment

docs/configuration/sinks/DataDog.rst

@@ -29,3 +29,23 @@ Save the file and run
    :name: cb-add-discord-sink
 
     helm upgrade robusta robusta/robusta --values=generated_values.yaml
+
+Using Environment Variables for API Keys
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+.. code-block:: yaml
+
+   runner:
+     additional_env_vars:
+       - name: DATADOG_API_KEY
+         valueFrom:
+           secretKeyRef:
+             name: robusta-secrets
+             key: datadog_key
+
+   sinksConfig:
+     - datadog_sink:
+         name: datadog_sink
+         api_key: "{{ env.DATADOG_API_KEY }}"
+
+For more information, see :ref:`Managing Secrets`.

docs/configuration/sinks/Opsgenie.rst

@@ -59,6 +59,29 @@ Save the file and apply the configuration:
 
     helm upgrade robusta robusta/robusta --values=generated_values.yaml
 
+Using Environment Variables for API Keys
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+To secure your Opsgenie API key, load it from a Kubernetes Secret:
+
+.. code-block:: yaml
+
+   runner:
+     additional_env_vars:
+       - name: OPSGENIE_API_KEY
+         valueFrom:
+           secretKeyRef:
+             name: robusta-secrets
+             key: opsgenie_key
+
+   sinksConfig:
+     - opsgenie_sink:
+         name: ops_genie_sink
+         api_key: "{{ env.OPSGENIE_API_KEY }}"
+         teams: ["noc"]
+
+See :ref:`Managing Secrets` for more information.
+
 **Example Output:**
 
 .. admonition:: Typically you'll send alerts from Robusta to OpsGenie and not deployment changes. We're showing a non-typical example with deployment changes because it helps compare the format with other sinks.

docs/configuration/sinks/PagerDuty.rst

@@ -59,6 +59,28 @@ Save the file and run
 
     helm upgrade robusta robusta/robusta --values=generated_values.yaml
 
+Securing API Keys with Environment Variables
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+To keep your PagerDuty integration key secure:
+
+.. code-block:: yaml
+
+   runner:
+     additional_env_vars:
+       - name: PAGERDUTY_KEY
+         valueFrom:
+           secretKeyRef:
+             name: robusta-secrets
+             key: pagerduty_key
+
+   sinksConfig:
+     - pagerduty_sink:
+         name: main_pagerduty_sink
+         api_key: "{{ env.PAGERDUTY_KEY }}"
+
+See :ref:`Managing Secrets` for complete documentation.
+
 Example Output:
 
 .. admonition:: To view the Alerts, on PagerDuty's dashboard navigate to `Incidents` > `Alerts`

docs/configuration/sinks/index.rst

@@ -13,6 +13,11 @@ Robusta can send notifications to various destinations, known as sinks.
 * :ref:`sinks-overview`
 * :ref:`sink-scope-matching`
 
+.. tip::
+
+   To secure API keys and tokens in sink configurations, use Kubernetes Secrets with the
+   ``{{ env.VARIABLE_NAME }}`` syntax. See :ref:`Managing Secrets` for details and examples.
+
 Available sinks
 ^^^^^^^^^^^^^^^^^^^^^
 Click a sink for setup instructions.

docs/configuration/sinks/ms-teams.rst

@@ -24,6 +24,28 @@ Configuring the MS Teams sink
 
 Then do a :ref:`Helm Upgrade <Simple Upgrade>`.
 
+Securing Webhook URLs with Environment Variables
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Webhook URLs can contain sensitive information. Store them securely using Kubernetes Secrets:
+
+.. code-block:: yaml
+
+   runner:
+     additional_env_vars:
+       - name: MSTEAMS_WEBHOOK
+         valueFrom:
+           secretKeyRef:
+             name: robusta-secrets
+             key: msteams_webhook
+
+   sinksConfig:
+     - ms_teams_sink:
+         name: main_ms_teams_sink
+         webhook_url: "{{ env.MSTEAMS_WEBHOOK }}"
+
+For more details, see :ref:`Managing Secrets`.
+
 Obtaining a webhook URL
 -----------------------------------
 

docs/configuration/sinks/slack.rst

@@ -41,9 +41,29 @@ Generate a Slack API key by running ``robusta integrations slack``, then add to
          channel_override: DYNAMIC SLACK CHANNEL OVERRIDE (Optional)
          investigate_link: true/false # optional, if false no investigate links/buttons will be included in Slack messages
 
-.. warning::
+.. tip::
+
+    **Recommended: Load API keys from Kubernetes Secrets**
+
+    Instead of hardcoding your Slack API key, load it from a Kubernetes Secret:
+
+    .. code-block:: yaml
+
+       runner:
+         additional_env_vars:
+           - name: SLACK_API_KEY
+             valueFrom:
+               secretKeyRef:
+                 name: robusta-slack-secrets
+                 key: api_key
+
+       sinksConfig:
+         - slack_sink:
+             name: main_slack_sink
+             api_key: "{{ env.SLACK_API_KEY }}"
+             slack_channel: alerts
 
-    If you don't want to put your Slack key in Helm values, you can use a secret. See the :ref:`Managing Secrets <Managing Secrets>` section for more information.
+    For complete details, see :ref:`Managing Secrets`.
 
 Then do a :ref:`Helm Upgrade <Simple Upgrade>` to apply the new configuration.