From c919bcabfca03997ef52250a05e8a0281beb7f43 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Volkan=20=C3=96z=C3=A7elik?=
Date: Fri, 9 Aug 2024 10:12:56 -0700
Subject: [PATCH] update the code for the use case (#1095)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Volkan Özçelik
---
 examples/using_init_container/main.go | 9 ++++
 .../k8s/Deployment.yaml | 51 +++++++++++++++++++
 2 files changed, 60 insertions(+)

diff --git a/examples/using_init_container/main.go b/examples/using_init_container/main.go
index af6dab87..8d2c9a4d 100644
--- a/examples/using_init_container/main.go
+++ b/examples/using_init_container/main.go
@@ -36,6 +36,15 @@ func main() {
 fmt.Printf("My creds: username:'%s' password:'%s'.\n",
 os.Getenv("USERNAME"), os.Getenv("PASSWORD"),
 )
+
+ fmt.Println("")
+
+ path := "/opt/vsecm/secrets.json"
+ data, err := os.ReadFile(path)
+ if err != nil {
+ fmt.Println("File content: ", string(data))
+ }
+
 fmt.Println("")
 
 time.Sleep(5 * time.Second)
diff --git a/examples/using_init_container_with_k8s_secrets/k8s/Deployment.yaml b/examples/using_init_container_with_k8s_secrets/k8s/Deployment.yaml
index a1fd2406..a5a76dae 100644
--- a/examples/using_init_container_with_k8s_secrets/k8s/Deployment.yaml
+++ b/examples/using_init_container_with_k8s_secrets/k8s/Deployment.yaml
@@ -29,6 +29,14 @@ spec:
 containers:
 - name: main
 image: vsecm/example-using-init-container:latest
+
+ volumeMounts:
+ # Share with Sidecar. When the `main` container is ready,
+ # this volume will be populated with the secret that the
+ # `main` container needs.
+ - mountPath: /opt/vsecm
+ name: vsecm-secrets-volume
+
 env:
 - name: USERNAME
 valueFrom:
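Review bot: The condition on the added `if err != nil {` is inverted: the file content is printed only when os.ReadFile fails (and `data` is then nil), while a successful read prints nothing and the error is never reported. Change it to `if err != nil { fmt.Println("Error reading file:", err) } else { fmt.Println("File content: ", string(data)) }`. The new branch echoes the whole of /opt/vsecm/secrets.json to stdout, which lands in the pod logs; that matches the credential printout already in this function, but a comment such as `// Example only: real workloads should not print secret material.` makes the intent explicit for people who copy the sample. main() continues outside the hunk.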
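Review bot: The new `volumeMounts` entry on `main` references `vsecm-secrets-volume`, but neither this hunk nor the sidecar hunk below declares a matching pod-level `volumes:` entry; unless one already exists outside the diff (an `emptyDir` is the usual choice for a shared scratch volume), the Deployment will be rejected at admission. The `main` container only reads the file, so the mount should carry `readOnly: true`, as the sidecar's socket mount in the next hunk already does. The comment attributes populating the volume to the `main` container, whereas the second hunk states that the sidecar is the writer, so `# Shared with the sidecar, which writes the secret file the main container reads.` would describe it more accurately.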
@@ -45,6 +53,49 @@ spec:
 secretKeyRef:
 name: vsecm-secret-example
 key: secret
+
+ # `main` shares this volume with `sidecar`.
+ - name: sidecar
+ image: vsecm/vsecm-ist-sidecar:latest
+ volumeMounts:
+ # /opt/vsecm/secrets.json is the place the secrets will be at.
+ # The main application can read the secrets from this location too.
+ - mountPath: /opt/vsecm
+ name: vsecm-secrets-volume
+ # Volume mount for SPIRE unix domain socket.
+ - name: spire-agent-socket
+ mountPath: /spire-agent-socket
+ readOnly: true
+
+ #
+ # You can configure this workload by providing environment variables.
+ #
+ # See https://vsecm.com/configuration for more information about
+ # these environment variables.
+ #
+ # When you don't explicitly provide env vars here, VMware Secrets Manager
+ # Safe will assume the default values outlined in the given link above.
+ #
+ env:
+ - name: SPIFFE_ENDPOINT_SOCKET
+ value: "unix:///spire-agent-socket/spire-agent.sock"
+ - name: VSECM_LOG_LEVEL
+ value: "7"
+ - name: VSECM_SPIFFEID_PREFIX_WORKLOAD
+ value: "spiffe://vsecm.com/workload/"
+ - name: VSECM_SPIFFEID_PREFIX_SAFE
+ value: "spiffe://vsecm.com/workload/vsecm-safe/ns/vsecm-system/sa/vsecm-safe/n/"
+ - name: VSECM_SIDECAR_POLL_INTERVAL
+ value: "5000"
+ - name: VSECM_SIDECAR_MAX_POLL_INTERVAL
+ value: "300000"
+ - name: VSECM_SIDECAR_EXPONENTIAL_BACKOFF_MULTIPLIER
+ value: "2"
+ - name: VSECM_SIDECAR_SUCCESS_THRESHOLD
+ value: "3"
+ - name: VSECM_SIDECAR_ERROR_THRESHOLD
+ value: "2"
+
 initContainers:
 # See `./register.sh` to register the workload and finalize
 # this init container.
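Review bot: The new `sidecar` container is declared without a `securityContext`; since its only write target appears to be the shared `/opt/vsecm` mount, `readOnlyRootFilesystem: true`, `runAsNonRoot: true` and `allowPrivilegeEscalation: false` fit here (confirm the image runs as a non-root user before adding them). The configuration comment says "VMware Secrets Manager Safe will assume the default values", but these env vars are set on the sidecar, so `# Sidecar will assume the default values outlined in the given link above.` is the accurate wording. `VSECM_LOG_LEVEL: "7"` is presumably the most verbose level; if that level logs fetched values, a lower default is safer for a manifest people copy as-is — check the linked configuration page.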