github.com/banzaicloud/operator-tools@v0.28.10/pkg/secret/README.md


## Secret & SecretLoader

`Secret` is a type to be used in CRDs to abstract loading a secret item instead of spelling out its value directly in the resource.

Currently it supports Kubernetes secrets only, but it can be extended to refer to secrets in custom secret stores as well.
     7  
There are two main approaches to load secrets and one for testing.

1. Load the secrets and return their value directly if `ValueFrom` is set.
1. Load the secrets in the background if `MountFrom` is set, but return only the full path where they should be available in a container.
It's the caller's responsibility to make those secrets available on that given path, e.g. by creating an aggregated secret with all
the referenced secrets and mounting it into the container through a secret volume (this is how we use it).
1. Load the value directly if `Value` is set. (This is only good for testing, since the secret value then lives in the custom resource itself.)
    15  
Once you're done with the configuration, you can create the `SecretLoader` and load your secrets through it.

```go
// mountSecrets collects every MountFrom reference the loader resolves; it is filled in by Load
mountSecrets := &secret.MountSecrets{}
secretLoader := secret.NewSecretLoader(client, namespace, "/path/to/mount", mountSecrets)
```
    22  
Then you can load the secrets. The following steps can be made more dynamic, as they are in the logging operator:
https://github.com/banzaicloud/logging-operator/blob/master/pkg/sdk/model/types/stringmaps.go
    25  
```go
// get the secretValue and use it as you like, for example in an application configuration template
secretValue, err := secretLoader.Load(yourCustomResourceType.Spec.ExampleSecretField)
if err != nil {
	return err
}

// get the path of the mounted secret and use it the same way; the file itself only exists once the
// combined secret below is mounted on "/path/to/mount"
secretPath, err := secretLoader.Load(yourCustomResourceType.Spec.ExampleMountSecretField)
if err != nil {
	return err
}

// render the configuration template and create a new secret from it that will be mounted into the container
// (Data must be initialised before it is written to; writing to a nil map panics)
renderedTemplate := renderTemplate(secretValue, secretPath)
appConfigSecret := &corev1.Secret{
	Data: map[string][]byte{"app.conf": renderedTemplate},
}

// create the combined secret to be mounted into the container on "/path/to/mount"
combinedSecret := &corev1.Secret{
	Data: make(map[string][]byte, len(*mountSecrets)),
}
for _, mountSecret := range *mountSecrets {
	combinedSecret.Data[mountSecret.MappedKey] = mountSecret.Value
}
```
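Putting the three approaches listed above and the steps in the two snippets together, the following is an added, self-contained Go example; it is not code from operator-tools or the logging operator. It models the `Secret`, `MountSecrets` and `SecretLoader` behaviour with stdlib-only stand-ins: an in-memory map replaces the Kubernetes client, the names `SecretKeyRef`, `Loader`, `CombinedSecretData` and `SampleStore` are chosen here, the sample secrets are constructed, and the `<namespace>-<name>-<key>` file-name scheme is an assumption rather than the library's. On top of the README's flow it adds the checks a caller of the real loader still has to think about: exactly one of the three fields set, `Value` refused outside tests, data keys validated before they become file names, and two different references that map onto the same key in the combined secret reported instead of silently overwriting each other.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"path"
	"regexp"
)

type SecretKeyRef struct{ Name, Key string } // stands in for corev1.SecretKeySelector

// Secret models the three fields the README describes; exactly one of them must be set.
type Secret struct {
	Value     string        // inline value, for tests only
	ValueFrom *SecretKeyRef // resolve and return the value
	MountFrom *SecretKeyRef // resolve, record for mounting, return the file path
}

type MountSecret struct { // one entry of the aggregated secret the caller has to mount
	Name, Key, MappedKey string
	Value                []byte
}

// Loader resolves references against an in-memory store that stands in for the Kubernetes API.
type Loader struct {
	Store                map[string]map[string][]byte // secret name -> data key -> value
	Namespace, MountPath string
	AllowTestValues      bool
	mounts               []MountSecret
}

// validKey is what Kubernetes allows in secret data keys; the mapped key becomes a file name, so anything else is refused.
var validKey = regexp.MustCompile(`^[-._a-zA-Z0-9]+$`)

func (l *Loader) lookup(ref *SecretKeyRef) ([]byte, error) {
	if !validKey.MatchString(ref.Key) {
		return nil, fmt.Errorf("invalid data key %q in reference to secret %q", ref.Key, ref.Name)
	}
	value, ok := l.Store[ref.Name][ref.Key] // indexing a missing (nil) inner map is safe in Go
	if !ok {
		return nil, fmt.Errorf("secret %q key %q not found in namespace %q", ref.Name, ref.Key, l.Namespace)
	}
	return value, nil
}

// Load returns the value for ValueFrom and the mount path for MountFrom; ambiguous specs and non-test inline values are errors.
func (l *Loader) Load(s Secret) (string, error) {
	one := map[bool]int{true: 1}
	if one[s.Value != ""]+one[s.ValueFrom != nil]+one[s.MountFrom != nil] != 1 {
		return "", errors.New("exactly one of value, valueFrom or mountFrom must be set")
	}
	switch {
	case s.ValueFrom != nil:
		v, err := l.lookup(s.ValueFrom)
		return string(v), err
	case s.MountFrom != nil:
		v, err := l.lookup(s.MountFrom)
		if err != nil {
			return "", err
		}
		mapped := fmt.Sprintf("%s-%s-%s", l.Namespace, s.MountFrom.Name, s.MountFrom.Key)
		l.mounts = append(l.mounts, MountSecret{Name: s.MountFrom.Name, Key: s.MountFrom.Key, MappedKey: mapped, Value: v})
		return path.Join(l.MountPath, mapped), nil
	default:
		if !l.AllowTestValues {
			return "", errors.New("inline value is only allowed in tests")
		}
		return s.Value, nil
	}
}

func (l *Loader) Mounts() []MountSecret { return l.mounts } // secrets recorded for mounting, in load order

// CombinedSecretData builds the aggregated secret's data; unlike a plain loop it reports two different sources mapping to one key.
func CombinedSecretData(mounts []MountSecret) (map[string][]byte, error) {
	data := make(map[string][]byte, len(mounts))
	for _, m := range mounts {
		if prev, ok := data[m.MappedKey]; ok && !bytes.Equal(prev, m.Value) {
			return nil, fmt.Errorf("mapped key %q is produced by two different secret references", m.MappedKey)
		}
		data[m.MappedKey] = m.Value
	}
	return data, nil
}

// SampleStore is constructed sample data; "db-creds"/"pass" and "db"/"creds-pass" both map to "<namespace>-db-creds-pass".
func SampleStore() map[string]map[string][]byte {
	return map[string]map[string][]byte{
		"db-creds": {"pass": []byte("s3cr3t")},
		"db":       {"creds-pass": []byte("other")},
		"tls":      {"ca.crt": []byte("-----BEGIN CERTIFICATE-----\n...")},
	}
}

func main() {
	l := &Loader{Store: SampleStore(), Namespace: "logging", MountPath: "/path/to/mount"}
	fmt.Println(l.Load(Secret{MountFrom: &SecretKeyRef{Name: "tls", Key: "ca.crt"}}))
}
```

The collision check matters most when the fields are assembled dynamically from a custom resource, as the logging operator does: with a plain `for` loop over the mount secrets the last write into `combinedSecret.Data` wins and the container silently reads the wrong credential, whereas here reconciliation fails with a message naming the key.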
    44  
For a full example please check out the [logging operator code](https://github.com/banzaicloud/logging-operator).

Also, this feature is currently only covered by tests in the [logging operator](https://github.com/banzaicloud/logging-operator),
but this is subject to change soon.