diff --git a/docs/content/community/hello.md b/docs/content/community/hello.md
index 24ab994d..2407f7e6 100644
--- a/docs/content/community/hello.md
+++ b/docs/content/community/hello.md
@@ -49,6 +49,19 @@ As a small, dedicated team of security enthusiasts, we value focused, effective
communication. Thus, we prefer to consolidate our interactions into a single
channel, rather than dispersing them across multiple platforms.
+> **Türkçe Konuşanlar İçin:**
+>
+> Özgür yazılım birlikte olunca güzel 🤗.
+>
+> Eğer **VMware Secrets Manager** ile ilgili bir sorun varsa, projeye
+> katkıda bulunmak istiyorsan veya başka bir konuda yardıma ihtiyacın varsa,
+> dil engeli olmadan bize ulaşabilirsin.
+>
+> [Kampus Discord Sunucusu'nda **VMware Secrets Manager** kanalında][kampus]
+> buluşalım ve birlikte dünyayı daha güvenli hale getirelim 🤘.
+
+[kampus]: https://discord.gg/kampus "Join Kampus Discord Server"
+
## Join Our Public Meetings
> **We Are Stronger Together**
diff --git a/docs/content/community/maintainers.md b/docs/content/community/maintainers.md
index 3887b3d5..964d3f56 100644
--- a/docs/content/community/maintainers.md
+++ b/docs/content/community/maintainers.md
@@ -49,10 +49,10 @@ assisting in feature development.
**Qi Hu** (*Patrick*) [@BulldromeQ](https://github.com/BulldromeQ)
-Patrick has played a crucial role in integrating VSecM to work seamlessly with
-the [Carvel](https://carvel.dev) suite of tools. He has helped enhance the
-stability and reliability of both the VSecM and SPIRE. And he is actively
-involved in making VSecM even more robust.
+Patrick has played a crucial role in integrating **VSecM** to work seamlessly
+with the [Carvel](https://carvel.dev) suite of tools. He has helped enhance the
+stability and reliability of both the **VSecM** and **SPIRE**. And he is
+actively involved in making **VSecM** even more robust.
[codeowners]: https://github.com/vmware-tanzu/secrets-manager/blob/main/CODEOWNERS "VMware Secrets Manager CODEOWNERS"
diff --git a/docs/templates/index.html b/docs/templates/index.html
index 93b084bc..796bb00f 100644
--- a/docs/templates/index.html
+++ b/docs/templates/index.html
@@ -71,21 +71,21 @@
- Mark Your Calendars:
+ Mark Your Calendars:
The next
VSecM Contributor Sync
will be on...
Thursday, 2024-07-25
+ >Thursday, 2024-08-30
at 8:00am Pacific time.
diff --git a/examples/multiple_secrets/k8s-eks/Deployment.yaml b/examples/multiple_secrets/k8s-eks/Deployment.yaml
deleted file mode 100644
index ce57646e..00000000
--- a/examples/multiple_secrets/k8s-eks/Deployment.yaml
+++ /dev/null
@@ -1,61 +0,0 @@
-# /*
-# | Protect your secrets, protect your sensitive data.
-# : Explore VMware Secrets Manager docs at https://vsecm.com/
-#
-# <>/ keep your secrets... secret
-# >/
-# <>/' Copyright 2023-present VMware Secrets Manager contributors.
-# >/' SPDX-License-Identifier: BSD-2-Clause
-# */
-
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: example
- namespace: default
- labels:
- app.kubernetes.io/name: example
-spec:
- replicas: 1
- selector:
- matchLabels:
- app.kubernetes.io/name: example
- template:
- metadata:
- labels:
- app.kubernetes.io/name: example
- spec:
- serviceAccountName: example
- containers:
- - name: main
- image: vsecm/example-multiple-secrets:0.26.2
- volumeMounts:
- # Volume mount for SPIRE unix domain socket.
- - name: spire-agent-socket
- mountPath: /spire-agent-socket
- readOnly: true
- #
- # You can configure this workload by providing environment variables.
- #
- # See https://vsecm.com/configuration for more information
- # about these environment variables.
- #
- # When you don't explicitly provide env vars here, VMware Secrets Manager
- # Safe will assume the default values outlined in the given link above.
- #
- env:
- - name: SPIFFE_ENDPOINT_SOCKET
- value: "unix:///spire-agent-socket/spire-agent.sock"
- - name: VSECM_LOG_LEVEL
- value: "7"
- - name: VSECM_SPIFFEID_PREFIX_WORKLOAD
- value: "spiffe://vsecm.com/workload/"
- - name: VSECM_SPIFFEID_PREFIX_SAFE
- value: "spiffe://vsecm.com/workload/vsecm-safe/ns/vsecm-system/sa/vsecm-safe/n/"
- volumes:
- # Using SPIFFE CSI Driver to bind to the SPIRE Agent Socket
- # ref: https://github.com/spiffe/spiffe-csi
- - name: spire-agent-socket
- csi:
- driver: "csi.spiffe.io"
- readOnly: true
diff --git a/examples/multiple_secrets/k8s-eks/Identity.yaml b/examples/multiple_secrets/k8s-eks/Identity.yaml
deleted file mode 100644
index 06ef6948..00000000
--- a/examples/multiple_secrets/k8s-eks/Identity.yaml
+++ /dev/null
@@ -1,29 +0,0 @@
-# /*
-# | Protect your secrets, protect your sensitive data.
-# : Explore VMware Secrets Manager docs at https://vsecm.com/
-#
-# <>/ keep your secrets... secret
-# >/
-# <>/' Copyright 2023-present VMware Secrets Manager contributors.
-# >/' SPDX-License-Identifier: BSD-2-Clause
-# */
-
-apiVersion: spire.spiffe.io/v1alpha1
-kind: ClusterSPIFFEID
-metadata:
- name: example
-spec:
- className: "vsecm"
- # SPIFFE ID `MUST` start with "spiffe://vsecm.com/workload/$workloadName/ns/"
- # for `vsecm-safe` to recognize the workload and dispatch secrets to it.
- spiffeIDTemplate: "spiffe://vsecm.com\
- /workload/example\
- /ns/{{ .PodMeta.Namespace }}\
- /sa/{{ .PodSpec.ServiceAccountName }}\
- /n/{{ .PodMeta.Name }}"
- podSelector:
- matchLabels:
- app.kubernetes.io/name: example
- workloadSelectorTemplates:
- - "k8s:ns:default"
- - "k8s:sa:example"
diff --git a/examples/multiple_secrets/k8s-eks/ServiceAccount.yaml b/examples/multiple_secrets/k8s-eks/ServiceAccount.yaml
deleted file mode 100644
index 548f20ac..00000000
--- a/examples/multiple_secrets/k8s-eks/ServiceAccount.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-# /*
-# | Protect your secrets, protect your sensitive data.
-# : Explore VMware Secrets Manager docs at https://vsecm.com/
-#
-# <>/ keep your secrets... secret
-# >/
-# <>/' Copyright 2023-present VMware Secrets Manager contributors.
-# >/' SPDX-License-Identifier: BSD-2-Clause
-# */
-
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: example
- namespace: default
-automountServiceAccountToken: false
diff --git a/examples/multiple_secrets/k8s-eks/image-override.yaml b/examples/multiple_secrets/k8s-eks/image-override.yaml
deleted file mode 100644
index 7a114ff4..00000000
--- a/examples/multiple_secrets/k8s-eks/image-override.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-# /*
-# | Protect your secrets, protect your sensitive data.
-# : Explore VMware Secrets Manager docs at https://vsecm.com/
-#
-# <>/ keep your secrets... secret
-# >/
-# <>/' Copyright 2023-present VMware Secrets Manager contributors.
-# >/' SPDX-License-Identifier: BSD-2-Clause
-# */
-
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: example
- namespace: default
-spec:
- template:
- spec:
- containers:
- - name: main
- image: public.ecr.aws/h8y1n7y7/example-multiple-secrets:0.26.2
- env:
- - name: VSECM_LOG_LEVEL
- value: "7"
\ No newline at end of file
diff --git a/examples/multiple_secrets/k8s-eks/kustomization.yaml b/examples/multiple_secrets/k8s-eks/kustomization.yaml
deleted file mode 100644
index e58cdad7..00000000
--- a/examples/multiple_secrets/k8s-eks/kustomization.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-# /*
-# | Protect your secrets, protect your sensitive data.
-# : Explore VMware Secrets Manager docs at https://vsecm.com/
-#
-# <>/ keep your secrets... secret
-# >/
-# <>/' Copyright 2023-present VMware Secrets Manager contributors.
-# >/' SPDX-License-Identifier: BSD-2-Clause
-# */
-
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-- Deployment.yaml
-generatorOptions:
- disableNameSuffixHash: true
-patches:
-- path: image-override.yaml
diff --git a/examples/multiple_secrets/k8s/Deployment.yaml b/examples/multiple_secrets/k8s/Deployment.yaml
index ce57646e..f6d428fd 100644
--- a/examples/multiple_secrets/k8s/Deployment.yaml
+++ b/examples/multiple_secrets/k8s/Deployment.yaml
@@ -28,7 +28,7 @@ spec:
serviceAccountName: example
containers:
- name: main
- image: vsecm/example-multiple-secrets:0.26.2
+ image: vsecm/example-multiple-secrets:latest
volumeMounts:
# Volume mount for SPIRE unix domain socket.
- name: spire-agent-socket
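Review bot: Replacing the pinned `0.26.2` tag with a mutable one at `image: vsecm/example-multiple-secrets:latest` makes the example non-reproducible and lets the running code change under the user whenever the tag is re-pushed, which is the kind of drift a secrets-manager example should not model. The same change appears in examples/using_init_container/k8s/Deployment.yaml, examples/using_sdk_go/k8s/Deployment.yaml, examples/using_sidecar/k8s/Deployment.yaml and examples/using_vsecm_inspector/Deployment.yaml. If `latest` is intentional for the in-tree examples, keep a release tag or a digest instead (`image: vsecm/example-multiple-secrets@sha256:<DIGEST-PLACEHOLDER>`) and add a one-line comment explaining the choice; note that the sibling `image-override.yaml` in the same directory still pins `0.26.2`, so the two manifests now disagree. The enclosing pod spec starts outside the hunk.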
diff --git a/examples/multiple_secrets/k8s/image-override.yaml b/examples/multiple_secrets/k8s/image-override.yaml
index ce19daf8..ba2103de 100644
--- a/examples/multiple_secrets/k8s/image-override.yaml
+++ b/examples/multiple_secrets/k8s/image-override.yaml
@@ -18,6 +18,7 @@ spec:
spec:
containers:
- name: main
+ # Change this, if you want to use a different image:
image: localhost:5000/example-multiple-secrets:0.26.2
env:
- name: VSECM_LOG_LEVEL
diff --git a/examples/using_init_container/k8s-eks/Deployment.yaml b/examples/using_init_container/k8s-eks/Deployment.yaml
deleted file mode 100644
index 876223de..00000000
--- a/examples/using_init_container/k8s-eks/Deployment.yaml
+++ /dev/null
@@ -1,71 +0,0 @@
-# /*
-# | Protect your secrets, protect your sensitive data.
-# : Explore VMware Secrets Manager docs at https://vsecm.com/
-#
-# <>/ keep your secrets... secret
-# >/
-# <>/' Copyright 2023-present VMware Secrets Manager contributors.
-# >/' SPDX-License-Identifier: BSD-2-Clause
-# */
-
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: example
- namespace: default
- labels:
- app.kubernetes.io/name: example
-spec:
- replicas: 1
- selector:
- matchLabels:
- app.kubernetes.io/name: example
- template:
- metadata:
- labels:
- app.kubernetes.io/name: example
- spec:
- serviceAccountName: example
- containers:
- - name: main
- image: vsecm/example-using-init-container:0.26.2
-
- initContainers:
- # See `./register.sh` to register the workload and finalize
- # this init container.
- - name: init-container
- image: vsecm/vsecm-ist-init-container:0.26.2
- volumeMounts:
- # Volume mount for SPIRE unix domain socket.
- - name: spire-agent-socket
- mountPath: /spire-agent-socket
- readOnly: true
- #
- # You can configure VSecM Init Container by providing
- # environment variables.
- #
- # See https://vsecm.com/configuration for more information
- # about these environment variables.
- #
- # When you don't explicitly provide env vars here, VMware Secrets Manager
- # Init Container will assume the default values outlined in the given
- # link above.
- #
- env:
- - name: SPIFFE_ENDPOINT_SOCKET
- value: "unix:///spire-agent-socket/spire-agent.sock"
- - name: VSECM_LOG_LEVEL
- value: "7"
- - name: VSECM_SPIFFEID_PREFIX_WORKLOAD
- value: "spiffe://vsecm.com/workload/"
- - name: VSECM_SPIFFEID_PREFIX_SAFE
- value: "spiffe://vsecm.com/workload/vsecm-safe/ns/vsecm-system/sa/vsecm-safe/n/"
- - name: VSECM_INIT_CONTAINER_POLL_INTERVAL
- value: "5000"
- volumes:
- # Using SPIFFE CSI Driver to bind to the SPIRE Agent Socket
- # ref: https://github.com/spiffe/spiffe-csi
- - name: spire-agent-socket
- csi:
- driver: "csi.spiffe.io"
- readOnly: true
diff --git a/examples/using_init_container/k8s-eks/Identity.yaml b/examples/using_init_container/k8s-eks/Identity.yaml
deleted file mode 100644
index 06ef6948..00000000
--- a/examples/using_init_container/k8s-eks/Identity.yaml
+++ /dev/null
@@ -1,29 +0,0 @@
-# /*
-# | Protect your secrets, protect your sensitive data.
-# : Explore VMware Secrets Manager docs at https://vsecm.com/
-#
-# <>/ keep your secrets... secret
-# >/
-# <>/' Copyright 2023-present VMware Secrets Manager contributors.
-# >/' SPDX-License-Identifier: BSD-2-Clause
-# */
-
-apiVersion: spire.spiffe.io/v1alpha1
-kind: ClusterSPIFFEID
-metadata:
- name: example
-spec:
- className: "vsecm"
- # SPIFFE ID `MUST` start with "spiffe://vsecm.com/workload/$workloadName/ns/"
- # for `vsecm-safe` to recognize the workload and dispatch secrets to it.
- spiffeIDTemplate: "spiffe://vsecm.com\
- /workload/example\
- /ns/{{ .PodMeta.Namespace }}\
- /sa/{{ .PodSpec.ServiceAccountName }}\
- /n/{{ .PodMeta.Name }}"
- podSelector:
- matchLabels:
- app.kubernetes.io/name: example
- workloadSelectorTemplates:
- - "k8s:ns:default"
- - "k8s:sa:example"
diff --git a/examples/using_init_container/k8s-eks/Secret.yaml b/examples/using_init_container/k8s-eks/Secret.yaml
deleted file mode 100644
index de021ff1..00000000
--- a/examples/using_init_container/k8s-eks/Secret.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-# /*
-# | Protect your secrets, protect your sensitive data.
-# : Explore VMware Secrets Manager docs at https://vsecm.com/
-#
-# <>/ keep your secrets... secret
-# >/
-# <>/' Copyright 2023-present VMware Secrets Manager contributors.
-# >/' SPDX-License-Identifier: BSD-2-Clause
-# */
-
-apiVersion: v1
-kind: Secret
-metadata:
- # The string after `vsecm-secret-` must match the workload's name.
- # For example, this is an VSecM-managed secret for the workload named `example`
- # with the SPIFFE ID
- # `"spiffe://vsecm.com/workload/example\
- # /ns/{{ .PodMeta.Namespace }}\
- # /sa/{{ .PodSpec.ServiceAccountName }}\
- # /n/{{ .PodMeta.Name }}"`
- name: vsecm-secret-example
- namespace: default
-type: Opaque
diff --git a/examples/using_init_container/k8s-eks/ServiceAccount.yaml b/examples/using_init_container/k8s-eks/ServiceAccount.yaml
deleted file mode 100644
index 548f20ac..00000000
--- a/examples/using_init_container/k8s-eks/ServiceAccount.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-# /*
-# | Protect your secrets, protect your sensitive data.
-# : Explore VMware Secrets Manager docs at https://vsecm.com/
-#
-# <>/ keep your secrets... secret
-# >/
-# <>/' Copyright 2023-present VMware Secrets Manager contributors.
-# >/' SPDX-License-Identifier: BSD-2-Clause
-# */
-
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: example
- namespace: default
-automountServiceAccountToken: false
diff --git a/examples/using_init_container/k8s-eks/image-override.yaml b/examples/using_init_container/k8s-eks/image-override.yaml
deleted file mode 100644
index dc9e8a26..00000000
--- a/examples/using_init_container/k8s-eks/image-override.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-# /*
-# | Protect your secrets, protect your sensitive data.
-# : Explore VMware Secrets Manager docs at https://vsecm.com/
-#
-# <>/ keep your secrets... secret
-# >/
-# <>/' Copyright 2023-present VMware Secrets Manager contributors.
-# >/' SPDX-License-Identifier: BSD-2-Clause
-# */
-
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: example
- namespace: default
-spec:
- template:
- spec:
- containers:
- - name: main
- image: public.ecr.aws/h8y1n7y7/example-using-init-container:0.26.2
- initContainers:
- - name: init-container
- image: public.ecr.aws/h8y1n7y7/vsecm-ist-init-container:0.26.2
diff --git a/examples/using_init_container/k8s-eks/kustomization.yaml b/examples/using_init_container/k8s-eks/kustomization.yaml
deleted file mode 100644
index 9892008c..00000000
--- a/examples/using_init_container/k8s-eks/kustomization.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-# /*
-# | Protect your secrets, protect your sensitive data.
-# : Explore VMware Secrets Manager docs at https://vsecm.com/
-#
-# <>/ keep your secrets... secret
-# >/
-# <>/' Copyright 2023-present VMware Secrets Manager contributors.
-# >/' SPDX-License-Identifier: BSD-2-Clause
-# */
-
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-- Deployment.yaml
-patches:
-- path: image-override.yaml
-generatorOptions:
- disableNameSuffixHash: true
diff --git a/examples/using_init_container/k8s/Deployment.yaml b/examples/using_init_container/k8s/Deployment.yaml
index 876223de..b5d6e822 100644
--- a/examples/using_init_container/k8s/Deployment.yaml
+++ b/examples/using_init_container/k8s/Deployment.yaml
@@ -28,13 +28,13 @@ spec:
serviceAccountName: example
containers:
- name: main
- image: vsecm/example-using-init-container:0.26.2
+ image: vsecm/example-using-init-container:latest
initContainers:
# See `./register.sh` to register the workload and finalize
# this init container.
- name: init-container
- image: vsecm/vsecm-ist-init-container:0.26.2
+ image: vsecm/vsecm-ist-init-container:latest
volumeMounts:
# Volume mount for SPIRE unix domain socket.
- name: spire-agent-socket
diff --git a/examples/using_init_container/k8s/image-override.yaml b/examples/using_init_container/k8s/image-override.yaml
index f1fdd902..88aabb9d 100644
--- a/examples/using_init_container/k8s/image-override.yaml
+++ b/examples/using_init_container/k8s/image-override.yaml
@@ -18,7 +18,9 @@ spec:
spec:
containers:
- name: main
+ # Change this, if you want to use a different image:
image: localhost:5000/example-using-init-container:0.26.2
initContainers:
- name: init-container
+ # Change this, if you want to use a different image:
image: localhost:5000/vsecm-ist-init-container:0.26.2
diff --git a/examples/using_sdk_go/k8s-eks/Deployment.yaml b/examples/using_sdk_go/k8s-eks/Deployment.yaml
deleted file mode 100644
index f4573f92..00000000
--- a/examples/using_sdk_go/k8s-eks/Deployment.yaml
+++ /dev/null
@@ -1,61 +0,0 @@
-# /*
-# | Protect your secrets, protect your sensitive data.
-# : Explore VMware Secrets Manager docs at https://vsecm.com/
-#
-# <>/ keep your secrets... secret
-# >/
-# <>/' Copyright 2023-present VMware Secrets Manager contributors.
-# >/' SPDX-License-Identifier: BSD-2-Clause
-# */
-
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: example
- namespace: default
- labels:
- app.kubernetes.io/name: example
-spec:
- replicas: 1
- selector:
- matchLabels:
- app.kubernetes.io/name: example
- template:
- metadata:
- labels:
- app.kubernetes.io/name: example
- spec:
- serviceAccountName: example
- containers:
- - name: main
- image: vsecm/example-using-sdk-go:0.26.2
- volumeMounts:
- # Volume mount for SPIRE unix domain socket.
- - name: spire-agent-socket
- mountPath: /spire-agent-socket
- readOnly: true
- #
- # You can configure this workload by providing environment variables.
- #
- # See https://vsecm.com/configuration for more information
- # about these environment variables.
- #
- # When you don't explicitly provide env vars here, VMware Secrets Manager
- # Safe will assume the default values outlined in the given link above.
- #
- env:
- - name: SPIFFE_ENDPOINT_SOCKET
- value: "unix:///spire-agent-socket/spire-agent.sock"
- - name: VSECM_LOG_LEVEL
- value: "7"
- - name: VSECM_SPIFFEID_PREFIX_WORKLOAD
- value: "spiffe://vsecm.com/workload/"
- - name: VSECM_SPIFFEID_PREFIX_SAFE
- value: "spiffe://vsecm.com/workload/vsecm-safe/ns/vsecm-system/sa/vsecm-safe/n/"
- volumes:
- # Using SPIFFE CSI Driver to bind to the SPIRE Agent Socket
- # ref: https://github.com/spiffe/spiffe-csi
- - name: spire-agent-socket
- csi:
- driver: "csi.spiffe.io"
- readOnly: true
diff --git a/examples/using_sdk_go/k8s-eks/Identity.yaml b/examples/using_sdk_go/k8s-eks/Identity.yaml
deleted file mode 100644
index 06ef6948..00000000
--- a/examples/using_sdk_go/k8s-eks/Identity.yaml
+++ /dev/null
@@ -1,29 +0,0 @@
-# /*
-# | Protect your secrets, protect your sensitive data.
-# : Explore VMware Secrets Manager docs at https://vsecm.com/
-#
-# <>/ keep your secrets... secret
-# >/
-# <>/' Copyright 2023-present VMware Secrets Manager contributors.
-# >/' SPDX-License-Identifier: BSD-2-Clause
-# */
-
-apiVersion: spire.spiffe.io/v1alpha1
-kind: ClusterSPIFFEID
-metadata:
- name: example
-spec:
- className: "vsecm"
- # SPIFFE ID `MUST` start with "spiffe://vsecm.com/workload/$workloadName/ns/"
- # for `vsecm-safe` to recognize the workload and dispatch secrets to it.
- spiffeIDTemplate: "spiffe://vsecm.com\
- /workload/example\
- /ns/{{ .PodMeta.Namespace }}\
- /sa/{{ .PodSpec.ServiceAccountName }}\
- /n/{{ .PodMeta.Name }}"
- podSelector:
- matchLabels:
- app.kubernetes.io/name: example
- workloadSelectorTemplates:
- - "k8s:ns:default"
- - "k8s:sa:example"
diff --git a/examples/using_sdk_go/k8s-eks/Secret.yaml b/examples/using_sdk_go/k8s-eks/Secret.yaml
deleted file mode 100644
index de021ff1..00000000
--- a/examples/using_sdk_go/k8s-eks/Secret.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-# /*
-# | Protect your secrets, protect your sensitive data.
-# : Explore VMware Secrets Manager docs at https://vsecm.com/
-#
-# <>/ keep your secrets... secret
-# >/
-# <>/' Copyright 2023-present VMware Secrets Manager contributors.
-# >/' SPDX-License-Identifier: BSD-2-Clause
-# */
-
-apiVersion: v1
-kind: Secret
-metadata:
- # The string after `vsecm-secret-` must match the workload's name.
- # For example, this is an VSecM-managed secret for the workload named `example`
- # with the SPIFFE ID
- # `"spiffe://vsecm.com/workload/example\
- # /ns/{{ .PodMeta.Namespace }}\
- # /sa/{{ .PodSpec.ServiceAccountName }}\
- # /n/{{ .PodMeta.Name }}"`
- name: vsecm-secret-example
- namespace: default
-type: Opaque
diff --git a/examples/using_sdk_go/k8s-eks/image-override.yaml b/examples/using_sdk_go/k8s-eks/image-override.yaml
deleted file mode 100644
index 787dff86..00000000
--- a/examples/using_sdk_go/k8s-eks/image-override.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-# /*
-# | Protect your secrets, protect your sensitive data.
-# : Explore VMware Secrets Manager docs at https://vsecm.com/
-#
-# <>/ keep your secrets... secret
-# >/
-# <>/' Copyright 2023-present VMware Secrets Manager contributors.
-# >/' SPDX-License-Identifier: BSD-2-Clause
-# */
-
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: example
- namespace: default
-spec:
- template:
- spec:
- containers:
- - name: main
- image: public.ecr.aws/h8y1n7y7/example-using-sdk-go:0.26.2
diff --git a/examples/using_sdk_go/k8s-eks/kustomization.yaml b/examples/using_sdk_go/k8s-eks/kustomization.yaml
deleted file mode 100644
index 9892008c..00000000
--- a/examples/using_sdk_go/k8s-eks/kustomization.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-# /*
-# | Protect your secrets, protect your sensitive data.
-# : Explore VMware Secrets Manager docs at https://vsecm.com/
-#
-# <>/ keep your secrets... secret
-# >/
-# <>/' Copyright 2023-present VMware Secrets Manager contributors.
-# >/' SPDX-License-Identifier: BSD-2-Clause
-# */
-
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-- Deployment.yaml
-patches:
-- path: image-override.yaml
-generatorOptions:
- disableNameSuffixHash: true
diff --git a/examples/using_sdk_go/k8s/Deployment.yaml b/examples/using_sdk_go/k8s/Deployment.yaml
index f4573f92..5e2051bf 100644
--- a/examples/using_sdk_go/k8s/Deployment.yaml
+++ b/examples/using_sdk_go/k8s/Deployment.yaml
@@ -28,7 +28,7 @@ spec:
serviceAccountName: example
containers:
- name: main
- image: vsecm/example-using-sdk-go:0.26.2
+ image: vsecm/example-using-sdk-go:latest
volumeMounts:
# Volume mount for SPIRE unix domain socket.
- name: spire-agent-socket
diff --git a/examples/using_sdk_go/k8s/image-override.yaml b/examples/using_sdk_go/k8s/image-override.yaml
index 57e04822..87b800d6 100644
--- a/examples/using_sdk_go/k8s/image-override.yaml
+++ b/examples/using_sdk_go/k8s/image-override.yaml
@@ -18,4 +18,5 @@ spec:
spec:
containers:
- name: main
+ # Change this, if you want to use a different image
image: localhost:5000/example-using-sdk-go:0.26.2
diff --git a/examples/using_sidecar/k8s-eks/Deployment.yaml b/examples/using_sidecar/k8s-eks/Deployment.yaml
deleted file mode 100644
index 346621fd..00000000
--- a/examples/using_sidecar/k8s-eks/Deployment.yaml
+++ /dev/null
@@ -1,85 +0,0 @@
-# /*
-# | Protect your secrets, protect your sensitive data.
-# : Explore VMware Secrets Manager docs at https://vsecm.com/
-#
-# <>/ keep your secrets... secret
-# >/
-# <>/' Copyright 2023-present VMware Secrets Manager contributors.
-# >/' SPDX-License-Identifier: BSD-2-Clause
-# */
-
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: example
- namespace: default
- labels:
- app.kubernetes.io/name: example
-spec:
- replicas: 1
- selector:
- matchLabels:
- app.kubernetes.io/name: example
- template:
- metadata:
- labels:
- app.kubernetes.io/name: example
- spec:
- serviceAccountName: example
- containers:
- - name: main
- image: vsecm/example-using-sidecar:0.26.2
- volumeMounts:
- # `main` shares this volume with `sidecar`.
- - mountPath: /opt/vsecm
- name: vsecm-secrets-volume
- - name: sidecar
- image: vsecm/vsecm-ist-sidecar:0.26.2
- volumeMounts:
- # /opt/vsecm/secrets.json is the place the secrets will be at.
- - mountPath: /opt/vsecm
- name: vsecm-secrets-volume
- # Volume mount for SPIRE unix domain socket.
- - name: spire-agent-socket
- mountPath: /spire-agent-socket
- readOnly: true
- #
- # You can configure this workload by providing environment variables.
- #
- # See https://vsecm.com/configuration for more information about
- # these environment variables.
- #
- # When you don't explicitly provide env vars here, VMware Secrets Manager
- # Safe will assume the default values outlined in the given link above.
- #
- env:
- - name: SPIFFE_ENDPOINT_SOCKET
- value: "unix:///spire-agent-socket/spire-agent.sock"
- - name: VSECM_LOG_LEVEL
- value: "7"
- - name: VSECM_SPIFFEID_PREFIX_WORKLOAD
- value: "spiffe://vsecm.com/workload/"
- - name: VSECM_SPIFFEID_PREFIX_SAFE
- value: "spiffe://vsecm.com/workload/vsecm-safe/ns/vsecm-system/sa/vsecm-safe/n/"
- - name: VSECM_SIDECAR_POLL_INTERVAL
- value: "5000"
- - name: VSECM_SIDECAR_MAX_POLL_INTERVAL
- value: "300000"
- - name: VSECM_SIDECAR_EXPONENTIAL_BACKOFF_MULTIPLIER
- value: "2"
- - name: VSECM_SIDECAR_SUCCESS_THRESHOLD
- value: "3"
- - name: VSECM_SIDECAR_ERROR_THRESHOLD
- value: "2"
- volumes:
- # A memory-backed volume is recommended (but not required) to keep
- # the secrets. The secrets can be stored in any kind of volume.
- - name: vsecm-secrets-volume
- emptyDir:
- medium: Memory
- # Using SPIFFE CSI Driver to bind to the SPIRE Agent Socket
- # ref: https://github.com/spiffe/spiffe-csi
- - name: spire-agent-socket
- csi:
- driver: "csi.spiffe.io"
- readOnly: true
diff --git a/examples/using_sidecar/k8s-eks/Identity.yaml b/examples/using_sidecar/k8s-eks/Identity.yaml
deleted file mode 100644
index 4cea3d90..00000000
--- a/examples/using_sidecar/k8s-eks/Identity.yaml
+++ /dev/null
@@ -1,29 +0,0 @@
-# /*
-# | Protect your secrets, protect your sensitive data.
-# : Explore VMware Secrets Manager docs at https://vsecm.com/
-#
-# <>/ keep your secrets... secret
-# >/
-# <>/' Copyright 2023-present VMware Secrets Manager contributors.
-# >/' SPDX-License-Identifier: BSD-2-Clause
-# */
-
-apiVersion: spire.spiffe.io/v1alpha1
-kind: ClusterSPIFFEID
-metadata:
- name: example
-spec:
- className: "vsecm"
- # SPIFFE ID `MUST` start with "spiffe://vsecm.com/workload/$workloadName/ns/"
- # for `safe` to recognize the workload and dispatch secrets to it.
- spiffeIDTemplate: "spiffe://vsecm.com\
- /workload/example\
- /ns/{{ .PodMeta.Namespace }}\
- /sa/{{ .PodSpec.ServiceAccountName }}\
- /n/{{ .PodMeta.Name }}"
- podSelector:
- matchLabels:
- app.kubernetes.io/name: example
- workloadSelectorTemplates:
- - "k8s:ns:default"
- - "k8s:sa:example"
diff --git a/examples/using_sidecar/k8s-eks/Secret.yaml b/examples/using_sidecar/k8s-eks/Secret.yaml
deleted file mode 100644
index de021ff1..00000000
--- a/examples/using_sidecar/k8s-eks/Secret.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-# /*
-# | Protect your secrets, protect your sensitive data.
-# : Explore VMware Secrets Manager docs at https://vsecm.com/
-#
-# <>/ keep your secrets... secret
-# >/
-# <>/' Copyright 2023-present VMware Secrets Manager contributors.
-# >/' SPDX-License-Identifier: BSD-2-Clause
-# */
-
-apiVersion: v1
-kind: Secret
-metadata:
- # The string after `vsecm-secret-` must match the workload's name.
- # For example, this is an VSecM-managed secret for the workload named `example`
- # with the SPIFFE ID
- # `"spiffe://vsecm.com/workload/example\
- # /ns/{{ .PodMeta.Namespace }}\
- # /sa/{{ .PodSpec.ServiceAccountName }}\
- # /n/{{ .PodMeta.Name }}"`
- name: vsecm-secret-example
- namespace: default
-type: Opaque
diff --git a/examples/using_sidecar/k8s-eks/ServiceAccount.yaml b/examples/using_sidecar/k8s-eks/ServiceAccount.yaml
deleted file mode 100644
index 548f20ac..00000000
--- a/examples/using_sidecar/k8s-eks/ServiceAccount.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-# /*
-# | Protect your secrets, protect your sensitive data.
-# : Explore VMware Secrets Manager docs at https://vsecm.com/
-#
-# <>/ keep your secrets... secret
-# >/
-# <>/' Copyright 2023-present VMware Secrets Manager contributors.
-# >/' SPDX-License-Identifier: BSD-2-Clause
-# */
-
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: example
- namespace: default
-automountServiceAccountToken: false
diff --git a/examples/using_sidecar/k8s-eks/image-override.yaml b/examples/using_sidecar/k8s-eks/image-override.yaml
deleted file mode 100644
index 03ae87ab..00000000
--- a/examples/using_sidecar/k8s-eks/image-override.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-# /*
-# | Protect your secrets, protect your sensitive data.
-# : Explore VMware Secrets Manager docs at https://vsecm.com/
-#
-# <>/ keep your secrets... secret
-# >/
-# <>/' Copyright 2023-present VMware Secrets Manager contributors.
-# >/' SPDX-License-Identifier: BSD-2-Clause
-# */
-
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: example
- namespace: default
-spec:
- template:
- spec:
- containers:
- - name: main
- image: public.ecr.aws/h8y1n7y7/example-using-sidecar:0.26.2
- - name: sidecar
- image: public.ecr.aws/h8y1n7y7/vsecm-ist-sidecar:0.26.2
diff --git a/examples/using_sidecar/k8s-eks/kustomization.yaml b/examples/using_sidecar/k8s-eks/kustomization.yaml
deleted file mode 100644
index 9892008c..00000000
--- a/examples/using_sidecar/k8s-eks/kustomization.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-# /*
-# | Protect your secrets, protect your sensitive data.
-# : Explore VMware Secrets Manager docs at https://vsecm.com/
-#
-# <>/ keep your secrets... secret
-# >/
-# <>/' Copyright 2023-present VMware Secrets Manager contributors.
-# >/' SPDX-License-Identifier: BSD-2-Clause
-# */
-
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-- Deployment.yaml
-patches:
-- path: image-override.yaml
-generatorOptions:
- disableNameSuffixHash: true
diff --git a/examples/using_sidecar/k8s/Deployment.yaml b/examples/using_sidecar/k8s/Deployment.yaml
index 346621fd..6b7e9db0 100644
--- a/examples/using_sidecar/k8s/Deployment.yaml
+++ b/examples/using_sidecar/k8s/Deployment.yaml
@@ -28,13 +28,13 @@ spec:
serviceAccountName: example
containers:
- name: main
- image: vsecm/example-using-sidecar:0.26.2
+ image: vsecm/example-using-sidecar:latest
volumeMounts:
# `main` shares this volume with `sidecar`.
- mountPath: /opt/vsecm
name: vsecm-secrets-volume
- name: sidecar
- image: vsecm/vsecm-ist-sidecar:0.26.2
+ image: vsecm/vsecm-ist-sidecar:latest
volumeMounts:
# /opt/vsecm/secrets.json is the place the secrets will be at.
- mountPath: /opt/vsecm
diff --git a/examples/using_sidecar/k8s/image-override.yaml b/examples/using_sidecar/k8s/image-override.yaml
index b17962bd..637f943d 100644
--- a/examples/using_sidecar/k8s/image-override.yaml
+++ b/examples/using_sidecar/k8s/image-override.yaml
@@ -18,6 +18,8 @@ spec:
spec:
containers:
- name: main
+ # Change this, if you want to use a different image
image: localhost:5000/example-using-sidecar:0.26.2
- name: sidecar
+ # Change this, if you want to use a different image
image: localhost:5000/vsecm-ist-sidecar:0.26.2
diff --git a/examples/using_vsecm_inspector/Deployment.yaml b/examples/using_vsecm_inspector/Deployment.yaml
index 2737bf8a..9199e42c 100644
--- a/examples/using_vsecm_inspector/Deployment.yaml
+++ b/examples/using_vsecm_inspector/Deployment.yaml
@@ -28,7 +28,7 @@ spec:
serviceAccountName: vsecm-inspector
containers:
- name: main
- image: localhost:5000/vsecm-inspector:0.26.2
+ image: localhost:5000/vsecm-inspector:latest
volumeMounts:
- name: spire-agent-socket
mountPath: /spire-agent-socket
diff --git a/helm-charts/0.26.2/charts/safe/templates/Secret.yaml b/helm-charts/0.26.2/charts/safe/templates/Secret.yaml
index 7073ddbc..65adcc41 100644
--- a/helm-charts/0.26.2/charts/safe/templates/Secret.yaml
+++ b/helm-charts/0.26.2/charts/safe/templates/Secret.yaml
@@ -16,6 +16,8 @@ metadata:
labels:
{{- include "safe.labels" . | nindent 4 }}
app.kubernetes.io/operated-by: vsecm
+ annotations:
+ kubernetes.io/service-account.name: {{ include "safe.serviceAccountName" . }}
type: Opaque
data:
# '{}' (e30=) is a special placeholder to tell Safe that the Secret
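Review bot: The `kubernetes.io/service-account.name` annotation added here is only acted on by the API server for Secrets of type `kubernetes.io/service-account-token`; on this `type: Opaque` Secret it is informational, and what the `enforce-mountable-secrets` check (visible on the rendered ServiceAccounts, e.g. L1096) actually consults is the `secrets:` list on the ServiceAccount, which the ServiceAccount.yaml hunk adds. If the annotation is meant to record the owning account, a comment above it such as `# informational: the ServiceAccount permitted to mount this Secret` would make that explicit. The templated value is also unquoted; `kubernetes.io/service-account.name: {{ include "safe.serviceAccountName" . | quote }}` guards against empty or special-character expansion. The same applies to the sentinel Secret.yaml hunk (L1075-1076).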
diff --git a/helm-charts/0.26.2/charts/safe/templates/ServiceAccount.yaml b/helm-charts/0.26.2/charts/safe/templates/ServiceAccount.yaml
index f5ca50c6..9cd283cb 100644
--- a/helm-charts/0.26.2/charts/safe/templates/ServiceAccount.yaml
+++ b/helm-charts/0.26.2/charts/safe/templates/ServiceAccount.yaml
@@ -23,4 +23,6 @@ metadata:
{{- toYaml . | nindent 4 }}
{{- end }}
automountServiceAccountToken: true
+secrets:
+ - name: {{ .Values.rootKeySecretName }}
{{- end }}
diff --git a/examples/using_sdk_go/k8s-eks/ServiceAccount.yaml b/helm-charts/0.26.2/charts/sentinel/templates/Role.yaml
similarity index 51%
rename from examples/using_sdk_go/k8s-eks/ServiceAccount.yaml
rename to helm-charts/0.26.2/charts/sentinel/templates/Role.yaml
index 548f20ac..49c9e02c 100644
--- a/examples/using_sdk_go/k8s-eks/ServiceAccount.yaml
+++ b/helm-charts/0.26.2/charts/sentinel/templates/Role.yaml
@@ -8,9 +8,15 @@
# >/' SPDX-License-Identifier: BSD-2-Clause
# */
-apiVersion: v1
-kind: ServiceAccount
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
metadata:
- name: example
- namespace: default
-automountServiceAccountToken: false
+ name: vsecm-sentinel-secret-reader
+ namespace: {{ .Values.global.vsecm.namespace }}
+rules:
+ - apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get", "list", "watch"]
+ resourceNames: ["vsecm-sentinel-init-secret"]
+
+
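Review bot: The rule grants `list` and `watch` alongside `get`, but RBAC applies `resourceNames` to list/watch requests only when they carry a `metadata.name` field selector, so a plain list or watch by the sentinel is denied while a name-selected one succeeds. If the sentinel only reads the init secret, `verbs: ["get"]` is the least-privilege form; if it really watches the Secret, a comment above `resourceNames` noting the field-selector requirement would save the next maintainer a debugging round. Minor: the two trailing `+` blank lines at the end of the file and the unquoted `namespace: {{ .Values.global.vsecm.namespace }}` (prefer `| quote`) are style issues, and the rename from the example ServiceAccount looks like a similarity-detection artifact rather than a real move.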
diff --git a/helm-charts/0.26.2/charts/sentinel/templates/RoleBinding.yaml b/helm-charts/0.26.2/charts/sentinel/templates/RoleBinding.yaml
new file mode 100644
index 00000000..70e8b8fc
--- /dev/null
+++ b/helm-charts/0.26.2/charts/sentinel/templates/RoleBinding.yaml
@@ -0,0 +1,23 @@
+# /*
+# | Protect your secrets, protect your sensitive data.
+# : Explore VMware Secrets Manager docs at https://vsecm.com/
+#
+# <>/ keep your secrets... secret
+# >/
+# <>/' Copyright 2023-present VMware Secrets Manager contributors.
+# >/' SPDX-License-Identifier: BSD-2-Clause
+# */
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: read-secrets
+ namespace: {{ .Values.global.vsecm.namespace }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "sentinel.serviceAccountName" . }}
+ namespace: {{ .Values.global.vsecm.namespace }}
+roleRef:
+ kind: Role
+ name: vsecm-sentinel-secret-reader
+ apiGroup: rbac.authorization.k8s.io
\ No newline at end of file
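Review bot: The RoleBinding is named `read-secrets`, a generic name in the shared `.Values.global.vsecm.namespace`, while the Role it binds is `vsecm-sentinel-secret-reader`; a collision with another chart's object of the same name could make the release fail or take over a foreign binding. Naming it after the Role, `name: vsecm-sentinel-secret-reader`, keeps the pair greppable and scoped to this component. The file also lacks a trailing newline (`\ No newline at end of file`), and the templated `name`/`namespace` values under `metadata` and `subjects` are unquoted; `| quote` is the safer convention for scalar substitutions.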
diff --git a/helm-charts/0.26.2/charts/sentinel/templates/Secret.yaml b/helm-charts/0.26.2/charts/sentinel/templates/Secret.yaml
index 1f651f1d..e882fd3e 100644
--- a/helm-charts/0.26.2/charts/sentinel/templates/Secret.yaml
+++ b/helm-charts/0.26.2/charts/sentinel/templates/Secret.yaml
@@ -17,6 +17,8 @@ metadata:
labels:
{{- include "sentinel.labels" . | nindent 4 }}
app.kubernetes.io/operated-by: vsecm
+ annotations:
+ kubernetes.io/service-account.name: {{ include "sentinel.serviceAccountName" . }}
type: Opaque
stringData:
data: {{ .Values.initCommand.command | quote }}
diff --git a/helm-charts/0.26.2/charts/sentinel/templates/ServiceAccount.yaml b/helm-charts/0.26.2/charts/sentinel/templates/ServiceAccount.yaml
index 7e4b044d..c9d9bbe9 100644
--- a/helm-charts/0.26.2/charts/sentinel/templates/ServiceAccount.yaml
+++ b/helm-charts/0.26.2/charts/sentinel/templates/ServiceAccount.yaml
@@ -23,4 +23,6 @@ metadata:
{{- toYaml . | nindent 4 }}
{{- end }}
automountServiceAccountToken: false
+secrets:
+ - name: vsecm-sentinel-init-secret
{{- end }}
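Review bot: The mountable secret name is hard-coded as `vsecm-sentinel-init-secret` here and in the Role's `resourceNames` (L1034), and presumably in the sentinel Secret template, whereas the safe chart's ServiceAccount hunk parameterizes the same thing through `.Values.rootKeySecretName`. If the sentinel Secret's name is (or later becomes) templated, the three places must stay in sync or the mountable-secrets check and the RBAC restriction silently stop matching; a single chart value (placeholder: `.Values.<sentinelInitSecretName>`) referenced as `- name: {{ <value> | quote }}` from both this file and Role.yaml removes the drift. I cannot see the sentinel Secret template's `metadata.name` in this diff, so the inconsistency is inferred from the two ServiceAccount hunks. The template block closed by the trailing `{{- end }}` starts outside the hunk.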
diff --git a/k8s/0.26.2/eks/vsecm-distroless-fips.yaml b/k8s/0.26.2/eks/vsecm-distroless-fips.yaml
index 1b9d7784..09b77937 100644
--- a/k8s/0.26.2/eks/vsecm-distroless-fips.yaml
+++ b/k8s/0.26.2/eks/vsecm-distroless-fips.yaml
@@ -67,6 +67,8 @@ metadata:
kubernetes.io/enforce-mountable-secrets: "true"
kubernetes.io/mountable-secrets: vsecm-root-key
automountServiceAccountToken: true
+secrets:
+ - name: vsecm-root-key
---
# Source: vsecm/charts/sentinel/templates/ServiceAccount.yaml
# /*
@@ -95,6 +97,8 @@ metadata:
kubernetes.io/enforce-mountable-secrets: "true"
kubernetes.io/mountable-secrets: vsecm-sentinel-init-secret
automountServiceAccountToken: false
+secrets:
+ - name: vsecm-sentinel-init-secret
---
# Source: vsecm/charts/safe/templates/Secret.yaml
# /*
@@ -120,6 +124,8 @@ metadata:
app.kubernetes.io/version: "0.26.2"
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/operated-by: vsecm
+ annotations:
+ kubernetes.io/service-account.name: vsecm-safe
type: Opaque
data:
# '{}' (e30=) is a special placeholder to tell Safe that the Secret
@@ -149,6 +155,8 @@ metadata:
app.kubernetes.io/version: "0.26.2"
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/operated-by: vsecm
+ annotations:
+ kubernetes.io/service-account.name: vsecm-sentinel
type: Opaque
stringData:
data: "exit:true\n--\n"
@@ -268,6 +276,53 @@ roleRef:
#
##
---
+# Source: vsecm/charts/sentinel/templates/Role.yaml
+# /*
+# | Protect your secrets, protect your sensitive data.
+# : Explore VMware Secrets Manager docs at https://vsecm.com/
+#
+# <>/ keep your secrets... secret
+# >/
+# <>/' Copyright 2023-present VMware Secrets Manager contributors.
+# >/' SPDX-License-Identifier: BSD-2-Clause
+# */
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: vsecm-sentinel-secret-reader
+ namespace: vsecm-system
+rules:
+ - apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get", "list", "watch"]
+ resourceNames: ["vsecm-sentinel-init-secret"]
+---
+# Source: vsecm/charts/sentinel/templates/RoleBinding.yaml
+# /*
+# | Protect your secrets, protect your sensitive data.
+# : Explore VMware Secrets Manager docs at https://vsecm.com/
+#
+# <>/ keep your secrets... secret
+# >/
+# <>/' Copyright 2023-present VMware Secrets Manager contributors.
+# >/' SPDX-License-Identifier: BSD-2-Clause
+# */
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: read-secrets
+ namespace: vsecm-system
+subjects:
+ - kind: ServiceAccount
+ name: vsecm-sentinel
+ namespace: vsecm-system
+roleRef:
+ kind: Role
+ name: vsecm-sentinel-secret-reader
+ apiGroup: rbac.authorization.k8s.io
+---
# Source: vsecm/charts/safe/templates/Service.yaml
# /*
# | Protect your secrets, protect your sensitive data.
diff --git a/k8s/0.26.2/eks/vsecm-distroless.yaml b/k8s/0.26.2/eks/vsecm-distroless.yaml
index f26776b6..f7822bdd 100644
--- a/k8s/0.26.2/eks/vsecm-distroless.yaml
+++ b/k8s/0.26.2/eks/vsecm-distroless.yaml
@@ -67,6 +67,8 @@ metadata:
kubernetes.io/enforce-mountable-secrets: "true"
kubernetes.io/mountable-secrets: vsecm-root-key
automountServiceAccountToken: true
+secrets:
+ - name: vsecm-root-key
---
# Source: vsecm/charts/sentinel/templates/ServiceAccount.yaml
# /*
@@ -95,6 +97,8 @@ metadata:
kubernetes.io/enforce-mountable-secrets: "true"
kubernetes.io/mountable-secrets: vsecm-sentinel-init-secret
automountServiceAccountToken: false
+secrets:
+ - name: vsecm-sentinel-init-secret
---
# Source: vsecm/charts/safe/templates/Secret.yaml
# /*
@@ -120,6 +124,8 @@ metadata:
app.kubernetes.io/version: "0.26.2"
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/operated-by: vsecm
+ annotations:
+ kubernetes.io/service-account.name: vsecm-safe
type: Opaque
data:
# '{}' (e30=) is a special placeholder to tell Safe that the Secret
@@ -149,6 +155,8 @@ metadata:
app.kubernetes.io/version: "0.26.2"
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/operated-by: vsecm
+ annotations:
+ kubernetes.io/service-account.name: vsecm-sentinel
type: Opaque
stringData:
data: "exit:true\n--\n"
@@ -268,6 +276,53 @@ roleRef:
#
##
---
+# Source: vsecm/charts/sentinel/templates/Role.yaml
+# /*
+# | Protect your secrets, protect your sensitive data.
+# : Explore VMware Secrets Manager docs at https://vsecm.com/
+#
+# <>/ keep your secrets... secret
+# >/
+# <>/' Copyright 2023-present VMware Secrets Manager contributors.
+# >/' SPDX-License-Identifier: BSD-2-Clause
+# */
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: vsecm-sentinel-secret-reader
+ namespace: vsecm-system
+rules:
+ - apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get", "list", "watch"]
+ resourceNames: ["vsecm-sentinel-init-secret"]
+---
+# Source: vsecm/charts/sentinel/templates/RoleBinding.yaml
+# /*
+# | Protect your secrets, protect your sensitive data.
+# : Explore VMware Secrets Manager docs at https://vsecm.com/
+#
+# <>/ keep your secrets... secret
+# >/
+# <>/' Copyright 2023-present VMware Secrets Manager contributors.
+# >/' SPDX-License-Identifier: BSD-2-Clause
+# */
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: read-secrets
+ namespace: vsecm-system
+subjects:
+ - kind: ServiceAccount
+ name: vsecm-sentinel
+ namespace: vsecm-system
+roleRef:
+ kind: Role
+ name: vsecm-sentinel-secret-reader
+ apiGroup: rbac.authorization.k8s.io
+---
# Source: vsecm/charts/safe/templates/Service.yaml
# /*
# | Protect your secrets, protect your sensitive data.
diff --git a/k8s/0.26.2/local/vsecm-distroless-fips.yaml b/k8s/0.26.2/local/vsecm-distroless-fips.yaml
index a913c1cf..72410516 100644
--- a/k8s/0.26.2/local/vsecm-distroless-fips.yaml
+++ b/k8s/0.26.2/local/vsecm-distroless-fips.yaml
@@ -67,6 +67,8 @@ metadata:
kubernetes.io/enforce-mountable-secrets: "true"
kubernetes.io/mountable-secrets: vsecm-root-key
automountServiceAccountToken: true
+secrets:
+ - name: vsecm-root-key
---
# Source: vsecm/charts/sentinel/templates/ServiceAccount.yaml
# /*
@@ -95,6 +97,8 @@ metadata:
kubernetes.io/enforce-mountable-secrets: "true"
kubernetes.io/mountable-secrets: vsecm-sentinel-init-secret
automountServiceAccountToken: false
+secrets:
+ - name: vsecm-sentinel-init-secret
---
# Source: vsecm/charts/safe/templates/Secret.yaml
# /*
@@ -120,6 +124,8 @@ metadata:
app.kubernetes.io/version: "0.26.2"
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/operated-by: vsecm
+ annotations:
+ kubernetes.io/service-account.name: vsecm-safe
type: Opaque
data:
# '{}' (e30=) is a special placeholder to tell Safe that the Secret
@@ -149,6 +155,8 @@ metadata:
app.kubernetes.io/version: "0.26.2"
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/operated-by: vsecm
+ annotations:
+ kubernetes.io/service-account.name: vsecm-sentinel
type: Opaque
stringData:
data: "exit:true\n--\n"
@@ -268,6 +276,53 @@ roleRef:
#
##
---
+# Source: vsecm/charts/sentinel/templates/Role.yaml
+# /*
+# | Protect your secrets, protect your sensitive data.
+# : Explore VMware Secrets Manager docs at https://vsecm.com/
+#
+# <>/ keep your secrets... secret
+# >/
+# <>/' Copyright 2023-present VMware Secrets Manager contributors.
+# >/' SPDX-License-Identifier: BSD-2-Clause
+# */
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: vsecm-sentinel-secret-reader
+ namespace: vsecm-system
+rules:
+ - apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get", "list", "watch"]
+ resourceNames: ["vsecm-sentinel-init-secret"]
+---
+# Source: vsecm/charts/sentinel/templates/RoleBinding.yaml
+# /*
+# | Protect your secrets, protect your sensitive data.
+# : Explore VMware Secrets Manager docs at https://vsecm.com/
+#
+# <>/ keep your secrets... secret
+# >/
+# <>/' Copyright 2023-present VMware Secrets Manager contributors.
+# >/' SPDX-License-Identifier: BSD-2-Clause
+# */
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: read-secrets
+ namespace: vsecm-system
+subjects:
+ - kind: ServiceAccount
+ name: vsecm-sentinel
+ namespace: vsecm-system
+roleRef:
+ kind: Role
+ name: vsecm-sentinel-secret-reader
+ apiGroup: rbac.authorization.k8s.io
+---
# Source: vsecm/charts/safe/templates/Service.yaml
# /*
# | Protect your secrets, protect your sensitive data.
diff --git a/k8s/0.26.2/local/vsecm-distroless.yaml b/k8s/0.26.2/local/vsecm-distroless.yaml
index 4257a23f..b6d98968 100644
--- a/k8s/0.26.2/local/vsecm-distroless.yaml
+++ b/k8s/0.26.2/local/vsecm-distroless.yaml
@@ -67,6 +67,8 @@ metadata:
kubernetes.io/enforce-mountable-secrets: "true"
kubernetes.io/mountable-secrets: vsecm-root-key
automountServiceAccountToken: true
+secrets:
+ - name: vsecm-root-key
---
# Source: vsecm/charts/sentinel/templates/ServiceAccount.yaml
# /*
@@ -95,6 +97,8 @@ metadata:
kubernetes.io/enforce-mountable-secrets: "true"
kubernetes.io/mountable-secrets: vsecm-sentinel-init-secret
automountServiceAccountToken: false
+secrets:
+ - name: vsecm-sentinel-init-secret
---
# Source: vsecm/charts/safe/templates/Secret.yaml
# /*
@@ -120,6 +124,8 @@ metadata:
app.kubernetes.io/version: "0.26.2"
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/operated-by: vsecm
+ annotations:
+ kubernetes.io/service-account.name: vsecm-safe
type: Opaque
data:
# '{}' (e30=) is a special placeholder to tell Safe that the Secret
@@ -149,6 +155,8 @@ metadata:
app.kubernetes.io/version: "0.26.2"
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/operated-by: vsecm
+ annotations:
+ kubernetes.io/service-account.name: vsecm-sentinel
type: Opaque
stringData:
data: "exit:true\n--\n"
@@ -268,6 +276,53 @@ roleRef:
#
##
---
+# Source: vsecm/charts/sentinel/templates/Role.yaml
+# /*
+# | Protect your secrets, protect your sensitive data.
+# : Explore VMware Secrets Manager docs at https://vsecm.com/
+#
+# <>/ keep your secrets... secret
+# >/
+# <>/' Copyright 2023-present VMware Secrets Manager contributors.
+# >/' SPDX-License-Identifier: BSD-2-Clause
+# */
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: vsecm-sentinel-secret-reader
+ namespace: vsecm-system
+rules:
+ - apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get", "list", "watch"]
+ resourceNames: ["vsecm-sentinel-init-secret"]
+---
+# Source: vsecm/charts/sentinel/templates/RoleBinding.yaml
+# /*
+# | Protect your secrets, protect your sensitive data.
+# : Explore VMware Secrets Manager docs at https://vsecm.com/
+#
+# <>/ keep your secrets... secret
+# >/
+# <>/' Copyright 2023-present VMware Secrets Manager contributors.
+# >/' SPDX-License-Identifier: BSD-2-Clause
+# */
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: read-secrets
+ namespace: vsecm-system
+subjects:
+ - kind: ServiceAccount
+ name: vsecm-sentinel
+ namespace: vsecm-system
+roleRef:
+ kind: Role
+ name: vsecm-sentinel-secret-reader
+ apiGroup: rbac.authorization.k8s.io
+---
# Source: vsecm/charts/safe/templates/Service.yaml
# /*
# | Protect your secrets, protect your sensitive data.
diff --git a/k8s/0.26.2/remote/vsecm-distroless-fips.yaml b/k8s/0.26.2/remote/vsecm-distroless-fips.yaml
index 167552c7..4a638950 100644
--- a/k8s/0.26.2/remote/vsecm-distroless-fips.yaml
+++ b/k8s/0.26.2/remote/vsecm-distroless-fips.yaml
@@ -67,6 +67,8 @@ metadata:
kubernetes.io/enforce-mountable-secrets: "true"
kubernetes.io/mountable-secrets: vsecm-root-key
automountServiceAccountToken: true
+secrets:
+ - name: vsecm-root-key
---
# Source: vsecm/charts/sentinel/templates/ServiceAccount.yaml
# /*
@@ -95,6 +97,8 @@ metadata:
kubernetes.io/enforce-mountable-secrets: "true"
kubernetes.io/mountable-secrets: vsecm-sentinel-init-secret
automountServiceAccountToken: false
+secrets:
+ - name: vsecm-sentinel-init-secret
---
# Source: vsecm/charts/safe/templates/Secret.yaml
# /*
@@ -120,6 +124,8 @@ metadata:
app.kubernetes.io/version: "0.26.2"
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/operated-by: vsecm
+ annotations:
+ kubernetes.io/service-account.name: vsecm-safe
type: Opaque
data:
# '{}' (e30=) is a special placeholder to tell Safe that the Secret
@@ -149,6 +155,8 @@ metadata:
app.kubernetes.io/version: "0.26.2"
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/operated-by: vsecm
+ annotations:
+ kubernetes.io/service-account.name: vsecm-sentinel
type: Opaque
stringData:
data: "exit:true\n--\n"
@@ -268,6 +276,53 @@ roleRef:
#
##
---
+# Source: vsecm/charts/sentinel/templates/Role.yaml
+# /*
+# | Protect your secrets, protect your sensitive data.
+# : Explore VMware Secrets Manager docs at https://vsecm.com/
+#
+# <>/ keep your secrets... secret
+# >/
+# <>/' Copyright 2023-present VMware Secrets Manager contributors.
+# >/' SPDX-License-Identifier: BSD-2-Clause
+# */
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: vsecm-sentinel-secret-reader
+ namespace: vsecm-system
+rules:
+ - apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get", "list", "watch"]
+ resourceNames: ["vsecm-sentinel-init-secret"]
+---
+# Source: vsecm/charts/sentinel/templates/RoleBinding.yaml
+# /*
+# | Protect your secrets, protect your sensitive data.
+# : Explore VMware Secrets Manager docs at https://vsecm.com/
+#
+# <>/ keep your secrets... secret
+# >/
+# <>/' Copyright 2023-present VMware Secrets Manager contributors.
+# >/' SPDX-License-Identifier: BSD-2-Clause
+# */
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: read-secrets
+ namespace: vsecm-system
+subjects:
+ - kind: ServiceAccount
+ name: vsecm-sentinel
+ namespace: vsecm-system
+roleRef:
+ kind: Role
+ name: vsecm-sentinel-secret-reader
+ apiGroup: rbac.authorization.k8s.io
+---
# Source: vsecm/charts/safe/templates/Service.yaml
# /*
# | Protect your secrets, protect your sensitive data.
diff --git a/k8s/0.26.2/remote/vsecm-distroless.yaml b/k8s/0.26.2/remote/vsecm-distroless.yaml
index 96287ebd..a0836362 100644
--- a/k8s/0.26.2/remote/vsecm-distroless.yaml
+++ b/k8s/0.26.2/remote/vsecm-distroless.yaml
@@ -67,6 +67,8 @@ metadata:
kubernetes.io/enforce-mountable-secrets: "true"
kubernetes.io/mountable-secrets: vsecm-root-key
automountServiceAccountToken: true
+secrets:
+ - name: vsecm-root-key
---
# Source: vsecm/charts/sentinel/templates/ServiceAccount.yaml
# /*
@@ -95,6 +97,8 @@ metadata:
kubernetes.io/enforce-mountable-secrets: "true"
kubernetes.io/mountable-secrets: vsecm-sentinel-init-secret
automountServiceAccountToken: false
+secrets:
+ - name: vsecm-sentinel-init-secret
---
# Source: vsecm/charts/safe/templates/Secret.yaml
# /*
@@ -120,6 +124,8 @@ metadata:
app.kubernetes.io/version: "0.26.2"
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/operated-by: vsecm
+ annotations:
+ kubernetes.io/service-account.name: vsecm-safe
type: Opaque
data:
# '{}' (e30=) is a special placeholder to tell Safe that the Secret
@@ -149,6 +155,8 @@ metadata:
app.kubernetes.io/version: "0.26.2"
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/operated-by: vsecm
+ annotations:
+ kubernetes.io/service-account.name: vsecm-sentinel
type: Opaque
stringData:
data: "exit:true\n--\n"
@@ -268,6 +276,53 @@ roleRef:
#
##
---
+# Source: vsecm/charts/sentinel/templates/Role.yaml
+# /*
+# | Protect your secrets, protect your sensitive data.
+# : Explore VMware Secrets Manager docs at https://vsecm.com/
+#
+# <>/ keep your secrets... secret
+# >/
+# <>/' Copyright 2023-present VMware Secrets Manager contributors.
+# >/' SPDX-License-Identifier: BSD-2-Clause
+# */
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: vsecm-sentinel-secret-reader
+ namespace: vsecm-system
+rules:
+ - apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get", "list", "watch"]
+ resourceNames: ["vsecm-sentinel-init-secret"]
+---
+# Source: vsecm/charts/sentinel/templates/RoleBinding.yaml
+# /*
+# | Protect your secrets, protect your sensitive data.
+# : Explore VMware Secrets Manager docs at https://vsecm.com/
+#
+# <>/ keep your secrets... secret
+# >/
+# <>/' Copyright 2023-present VMware Secrets Manager contributors.
+# >/' SPDX-License-Identifier: BSD-2-Clause
+# */
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: read-secrets
+ namespace: vsecm-system
+subjects:
+ - kind: ServiceAccount
+ name: vsecm-sentinel
+ namespace: vsecm-system
+roleRef:
+ kind: Role
+ name: vsecm-sentinel-secret-reader
+ apiGroup: rbac.authorization.k8s.io
+---
# Source: vsecm/charts/safe/templates/Service.yaml
# /*
# | Protect your secrets, protect your sensitive data.