Use case: Using Init container with k8s secrets #1095

Merged, 1 commit, Aug 9, 2024
9 changes: 9 additions & 0 deletions examples/using_init_container/main.go
Expand Up @@ -36,6 +36,15 @@ func main() {
fmt.Printf("My creds: username:'%s' password:'%s'.\n",
os.Getenv("USERNAME"), os.Getenv("PASSWORD"),
)

fmt.Println("")

path := "/opt/vsecm/secrets.json"
data, err := os.ReadFile(path)
if err != nil {
fmt.Println("File content: ", string(data))
}

fmt.Println("")

time.Sleep(5 * time.Second)
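Review bot: the error check on the new `os.ReadFile` block is inverted: `File content:` is printed only inside `if err != nil`, so a failed read dumps an empty `data` and a successful read prints nothing, which means the example never shows the `secrets.json` the sidecar wrote. Suggest `if err != nil { fmt.Println("Error reading file:", err) } else { fmt.Println("File content: ", string(data)) }`. Also worth a comment: this example now echoes secret material (the env values and the whole file body) to stdout, where it lands in container logs; that is fine for a demo, but the comment should say so, or the example could print the length or a hash instead of the raw value.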
Expand Up @@ -29,6 +29,14 @@ spec:
containers:
- name: main
image: vsecm/example-using-init-container:latest

volumeMounts:
# Share with Sidecar. When the `main` container is ready,
# this volume will be populated with the secret that the
# `main` container needs.
- mountPath: /opt/vsecm
name: vsecm-secrets-volume

env:
- name: USERNAME
valueFrom:
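Review bot: the `main` container only reads `/opt/vsecm/secrets.json`, so its `volumeMounts` entry should carry `readOnly: true` (as the SPIRE socket mount added later in this PR already does); that keeps the application from overwriting or deleting the file the sidecar maintains. The comment "When the `main` container is ready, this volume will be populated with the secret" is also ambiguous about who writes the volume; naming the sidecar (or init container) as the writer and `main` as the reader would make the flow clearer.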
Expand All @@ -45,6 +53,49 @@ spec:
secretKeyRef:
name: vsecm-secret-example
key: secret

# `main` shares this volume with `sidecar`.
- name: sidecar
image: vsecm/vsecm-ist-sidecar:latest
volumeMounts:
# /opt/vsecm/secrets.json is the place the secrets will be at.
# The main application can read the secrets from this location too.
- mountPath: /opt/vsecm
name: vsecm-secrets-volume
# Volume mount for SPIRE unix domain socket.
- name: spire-agent-socket
mountPath: /spire-agent-socket
readOnly: true

#
# You can configure this workload by providing environment variables.
#
# See https://vsecm.com/configuration for more information about
# these environment variables.
#
# When you don't explicitly provide env vars here, VMware Secrets Manager
# Safe will assume the default values outlined in the given link above.
#
env:
- name: SPIFFE_ENDPOINT_SOCKET
value: "unix:///spire-agent-socket/spire-agent.sock"
- name: VSECM_LOG_LEVEL
value: "7"
- name: VSECM_SPIFFEID_PREFIX_WORKLOAD
value: "spiffe://vsecm.com/workload/"
- name: VSECM_SPIFFEID_PREFIX_SAFE
value: "spiffe://vsecm.com/workload/vsecm-safe/ns/vsecm-system/sa/vsecm-safe/n/"
- name: VSECM_SIDECAR_POLL_INTERVAL
value: "5000"
- name: VSECM_SIDECAR_MAX_POLL_INTERVAL
value: "300000"
- name: VSECM_SIDECAR_EXPONENTIAL_BACKOFF_MULTIPLIER
value: "2"
- name: VSECM_SIDECAR_SUCCESS_THRESHOLD
value: "3"
- name: VSECM_SIDECAR_ERROR_THRESHOLD
value: "2"

initContainers:
# See `./register.sh` to register the workload and finalize
# this init container.
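Review bot: the `volumes:` declaration for `vsecm-secrets-volume` is not in this hunk, so it is not visible whether the shared volume is an `emptyDir` and whether it is memory-backed (`emptyDir: {medium: Memory}`); since `/opt/vsecm/secrets.json` holds plaintext secrets, a tmpfs-backed emptyDir keeps them off the node's disk, and the example should show that setting so readers copy the safe form. Separately, `VSECM_LOG_LEVEL: "7"` is the most verbose level; the inline comment block above the `env:` list should mark it as a demo setting rather than a recommended default.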