Secret Patterns#
This document demonstrates different external secrets usage patterns.
Note: The examples below use the ITCP Helm Chart for external secrets, but are easily translated to templating by hand. Only the templating snippet of the configuration is shown; see Sync Secrets from Vault for a full example.
Docker config#
This example demonstrates templating a Docker config secret (for authenticating to a Docker registry).
- name: docker-token
  refreshInterval: "24h"
  key: path/to/key
  template:
    type: "kubernetes.io/dockerconfigjson"
    data:
      .dockerconfigjson: "{\"auths\":{\"harbor.platform.it.vt.edu\":{\"username\":\"{{.username}}\",\"password\":\"{{.password}}\"}}}"
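The template above splices the Vault values into a hand-written JSON string, so a password containing a quote or backslash yields a `.dockerconfigjson` that no longer parses. The following added example (not part of the original page or the ITCP chart) renders the page's template with Go's `text/template` and compares it with a variant that JSON-encodes each value. The `toJson` helper is defined locally as a stand-in, and whether your template engine exposes such a function is an assumption to verify. The usernames and passwords are constructed sample values.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"text/template"
)

// pageTmpl is the .dockerconfigjson template from the page, YAML escapes removed.
const pageTmpl = `{"auths":{"harbor.platform.it.vt.edu":{"username":"{{.username}}","password":"{{.password}}"}}}`

// safeTmpl JSON-encodes each value; toJson is a local stand-in helper (assumption).
const safeTmpl = `{"auths":{"harbor.platform.it.vt.edu":{"username":{{.username | toJson}},"password":{{.password | toJson}}}}}`

func toJSON(v interface{}) (string, error) {
	b, err := json.Marshal(v)
	return string(b), err
}

// Render executes tmpl against the secret's key/value data.
func Render(tmpl string, data map[string]string) (string, error) {
	t, err := template.New("cfg").Funcs(template.FuncMap{"toJson": toJSON}).Parse(tmpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	err = t.Execute(&buf, data)
	return buf.String(), err
}

// PasswordRoundTrips reports whether the output is valid JSON that still holds the password.
func PasswordRoundTrips(tmpl string, data map[string]string) bool {
	out, err := Render(tmpl, data)
	var cfg struct {
		Auths map[string]struct{ Username, Password string }
	}
	if err != nil || json.Unmarshal([]byte(out), &cfg) != nil {
		return false
	}
	return cfg.Auths["harbor.platform.it.vt.edu"].Password == data["password"]
}

func main() {
	// Constructed sample values; the second password contains a quote and a backslash.
	plain := map[string]string{"username": "robot$ci", "password": "s3cret"}
	tricky := map[string]string{"username": "robot$ci", "password": `p"a\ss`}
	fmt.Println(PasswordRoundTrips(pageTmpl, plain), PasswordRoundTrips(pageTmpl, tricky),
		PasswordRoundTrips(safeTmpl, plain), PasswordRoundTrips(safeTmpl, tricky))
}
```

A check like `PasswordRoundTrips` is also useful after a credential rotation, since a broken config otherwise only shows up later as image pull failures.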
Entire secret#
In this example, an entire secret will be stored as a Kubernetes Secret.
Specific keys#
In this example, specific keys from the Vault secret will be stored as a Kubernetes Secret.
- name: my-secret
  refreshInterval: "24h"
  key: path/to/key
  template:
    engineVersion: v2
    data:
      username: "{{ .username }}"
      password: "{{ .password }}"
Template from ConfigMap#
In this example, a ConfigMap is used to template a Kubernetes Secret.
A ConfigMap that templates in a secret:
apiVersion: v1
kind: ConfigMap
metadata:
  name: my-config
data:
  some-file.yml: |-
    ---
    some-config:
      random-key:
        password: {{ .password | toString }}
The secret making use of the ConfigMap (template portion only):
- name: my-secret
  key: path/to/key
  template:
    engineVersion: v2
    templateFrom:
      - configMap:
          name: my-config
          items:
            - key: some-file.yml
Important: You will mount the Secret into your pod (not the ConfigMap):
volumes:
  - name: my-config
    secret:
      secretName: my-secret
      items:
        - key: some-file.yml
          path: some-file.yml