secret

package
v0.34.0
Published: Dec 20, 2023 License: Apache-2.0 Imports: 10 Imported by: 14

README

Secret & SecretLoader

Secret is a type to be used in CRDs to abstract the concept of loading a secret item instead of defining it with its value directly.

Currently it supports Kubernetes secrets only, but it can be extended to refer to secrets in custom secret stores as well.

There are two main ways to load secrets, plus one intended for testing only.

  1. Load the secrets and return with their value directly if ValueFrom is set.
  2. Load the secrets in the background if MountFrom is set, but return only the full path where they should be available in a container. It is the caller's responsibility to make those secrets available at that path, e.g. by creating an aggregated secret from all the referenced secrets and mounting it into the container through a secret volume (this is how we use it).
  3. Load the value directly if Value is set. (This is only good for testing.)

Once you're done with configuration you can create the SecretLoader and load your secrets through it.

mountSecrets := &secret.MountSecrets{}
secretLoader := secret.NewSecretLoader(client, namespace, "/path/to/mount", mountSecrets)

Then you can load the secrets. The following steps can be made more dynamic, as is done in the logging operator: https://github.com/banzaicloud/logging-operator/blob/master/pkg/sdk/model/types/stringmaps.go

// get the secretValue and use it as you like, e.g. in an application configuration template
secretValue, err := secretLoader.Load(yourCustomResourceType.Spec.ExampleSecretField)
if err != nil {
  return err
}

// get the path of the mounted secret and use it as you like, e.g. in an application configuration template
secretPath, err := secretLoader.Load(yourCustomResourceType.Spec.ExampleMountSecretField)
if err != nil {
  return err
}

// render the configuration template and create a new secret from it that will be mounted into the container
// (Data must be initialised before indexing it; assigning into a nil map panics)
appConfigSecret := &corev1.Secret{Data: map[string][]byte{}}
renderedTemplate := renderTemplate(secretValue, secretPath)
appConfigSecret.Data["app.conf"] = renderedTemplate

// create the combined secret to be mounted into the container at "/path/to/mount"
// (the loop variable is named s so it does not shadow the secret package)
combinedSecret := &corev1.Secret{Data: map[string][]byte{}}
for _, s := range *mountSecrets {
  combinedSecret.Data[s.MappedKey] = s.Value
}

For a full example please check out the logging operator code.

Also, this feature is currently only covered by tests in the logging operator, but this is subject to change soon.
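To make the three loading modes concrete, the following is an added, self-contained re-implementation of the SecretLoader semantics described above; it is example code, not the package's own implementation. The page's types are mirrored with the same field names; Loader, its in-memory Store standing in for the Kubernetes API, the mapped-key scheme ns-name-key and the resulting mount path are assumptions made for this example.

```go
package main

import "fmt"

// Stand-ins for the package's types (assumption: field names as documented above).
type SecretKeySelector struct{ Name, Key string }
type ValueFrom struct{ SecretKeyRef *SecretKeySelector }
type Secret struct {
	Value                string
	ValueFrom, MountFrom *ValueFrom
}
type MountSecret struct {
	Namespace, Name, Key, MappedKey string
	Value                           []byte
}
type MountSecrets []MountSecret

// Loader stands in for SecretLoader; Store is a constructed in-memory "ns/name" -> key -> bytes map.
type Loader struct {
	Store                map[string]map[string][]byte
	Namespace, MountPath string
	Mounts               *MountSecrets
}

// Load implements the README's three modes: Value as-is (testing only), ValueFrom returns the
// bytes, MountFrom records the secret in Mounts and returns only the path it will be mounted at.
func (l *Loader) Load(s *Secret) (string, error) {
	if s.Value != "" {
		return s.Value, nil
	}
	ref, mount := s.ValueFrom, false
	if ref == nil {
		ref, mount = s.MountFrom, true
	}
	if ref == nil || ref.SecretKeyRef == nil {
		return "", fmt.Errorf("one of value, valueFrom or mountFrom must be set")
	}
	k := ref.SecretKeyRef
	v, ok := l.Store[l.Namespace+"/"+k.Name][k.Key]
	if !ok {
		return "", fmt.Errorf("secret %s/%s has no key %q", l.Namespace, k.Name, k.Key)
	}
	if !mount {
		return string(v), nil
	}
	mapped := l.Namespace + "-" + k.Name + "-" + k.Key // assumed mapped-key scheme
	*l.Mounts = append(*l.Mounts, MountSecret{l.Namespace, k.Name, k.Key, mapped, v})
	return l.MountPath + "/" + mapped, nil
}
```

A MountFrom load never returns the secret bytes to the caller; they only land in Mounts, which is what the combined secret in the snippet above is built from.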

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type K8sSecret

type K8sSecret interface {
	GetToken() []byte
	GetCACert() []byte
}

type MountSecret

type MountSecret struct {
	Namespace string
	Name      string
	Key       string
	MappedKey string
	Value     []byte
}

type MountSecrets

type MountSecrets []MountSecret

func (*MountSecrets) Append

func (m *MountSecrets) Append(namespace string, secret *corev1.SecretKeySelector, mappedKey string, value []byte)

type ReaderSecretGetterOption

type ReaderSecretGetterOption = func(r *readerSecretGetter)

func WithBackOff

func WithBackOff(backoff *wait.Backoff) ReaderSecretGetterOption

type Secret

type Secret struct {
	// Refers to a non-secret value
	Value string `json:"value,omitempty"`
	// Refers to a secret value to be used directly
	ValueFrom *ValueFrom `json:"valueFrom,omitempty"`
	// Refers to a secret value to be used through a volume mount
	MountFrom *ValueFrom `json:"mountFrom,omitempty"`
}

func (*Secret) DeepCopy

func (in *Secret) DeepCopy() *Secret

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Secret.

func (*Secret) DeepCopyInto

func (in *Secret) DeepCopyInto(out *Secret)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type SecretGetter

type SecretGetter interface {
	Get(objectKey client.ObjectKey) (K8sSecret, error)
}

func NewReaderSecretGetter

func NewReaderSecretGetter(client client.Client, opts ...ReaderSecretGetterOption) (SecretGetter, error)

type SecretLoader

type SecretLoader interface {
	Load(secret *Secret) (string, error)
}

func NewSecretLoader

func NewSecretLoader(client client.Reader, namespace, mountPath string, secrets *MountSecrets) SecretLoader

type ValueFrom

type ValueFrom struct {
	SecretKeyRef *corev1.SecretKeySelector `json:"secretKeyRef,omitempty"`
}

func (*ValueFrom) DeepCopy

func (in *ValueFrom) DeepCopy() *ValueFrom

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ValueFrom.

func (*ValueFrom) DeepCopyInto

func (in *ValueFrom) DeepCopyInto(out *ValueFrom)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
