Preparation for release.
@@ -0,0 +1,142 @@
# Secret Transformation Examples for KubeMirror
# Demonstrates transformation rules applied to Kubernetes Secrets
---
# Example 1: Environment-Specific Database Credentials
# Creates namespace-specific database connection strings
apiVersion: v1
kind: Secret
metadata:
name: database-credentials
namespace: namespace-1
annotations:
kubemirror.raczylo.com/sync: "true"
kubemirror.raczylo.com/target-namespaces: "namespace-2,namespace-3"
kubemirror.raczylo.com/transform: |
rules:
# Create namespace-specific database host
- path: data.DB_HOST
template: "{{.TargetNamespace}}.postgres.svc.cluster.local"
# Create namespace-specific database name
- path: data.DB_NAME
template: "app_{{replace .TargetNamespace \"-\" \"_\"}}"
labels:
kubemirror.raczylo.com/enabled: "true"
example: "secret-template-transform"
type: Opaque
stringData:
DB_HOST: "localhost"
DB_NAME: "app_dev"
DB_USER: "appuser"
DB_PASSWORD: "defaultpass"
---
# Example 2: Remove Admin Credentials from Non-Admin Namespaces
# Deletes sensitive admin fields when mirroring to production
apiVersion: v1
kind: Secret
metadata:
name: app-credentials
namespace: namespace-1
annotations:
kubemirror.raczylo.com/sync: "true"
kubemirror.raczylo.com/target-namespaces: "namespace-2,namespace-3"
kubemirror.raczylo.com/transform: |
rules:
# Remove admin credentials
- path: data.ADMIN_USERNAME
delete: true
- path: data.ADMIN_PASSWORD
delete: true
- path: data.ROOT_TOKEN
delete: true
labels:
kubemirror.raczylo.com/enabled: "true"
example: "secret-delete-transform"
type: Opaque
stringData:
APP_KEY: "app-key-12345"
ADMIN_USERNAME: "admin"
ADMIN_PASSWORD: "super-secret"
ROOT_TOKEN: "root-token-xyz"
---
# Example 3: API Key with Namespace-Specific Prefixes
# Adds namespace identification to API keys
apiVersion: v1
kind: Secret
metadata:
name: api-keys
namespace: namespace-1
annotations:
kubemirror.raczylo.com/sync: "true"
kubemirror.raczylo.com/target-namespaces: "namespace-2,namespace-3,namespace-4"
kubemirror.raczylo.com/transform: |
rules:
# Add namespace prefix to API key for tracking
- path: data.API_KEY_PREFIX
template: "{{upper (replace .TargetNamespace \"-\" \"_\")}}"
# Set environment-specific API endpoint
- path: data.API_ENDPOINT
template: "https://api.{{.TargetNamespace}}.example.com/v1"
labels:
kubemirror.raczylo.com/enabled: "true"
example: "secret-api-transform"
type: Opaque
stringData:
API_KEY_PREFIX: "DEV"
API_KEY: "sk-1234567890"
API_ENDPOINT: "https://api.dev.example.com/v1"
---
# Example 4: Complex Multi-Rule Secret Transformation
# Combines multiple transformation types for comprehensive secret management
apiVersion: v1
kind: Secret
metadata:
name: app-secrets-complex
namespace: namespace-1
annotations:
kubemirror.raczylo.com/sync: "true"
kubemirror.raczylo.com/target-namespaces: "namespace-2,namespace-3"
kubemirror.raczylo.com/transform: |
rules:
# Set production-grade encryption key
- path: data.ENCRYPTION_STRENGTH
value: "AES-256"
# Create namespace-specific service URLs
- path: data.SERVICE_URL
template: "https://{{.TargetNamespace}}.services.example.com"
# Create namespace-based Redis host
- path: data.REDIS_HOST
template: "redis.{{.TargetNamespace}}.svc.cluster.local"
# Set cache key prefix based on namespace
- path: data.CACHE_PREFIX
template: "{{replace .TargetNamespace \"-\" \":\"}}:"
# Remove development-only secrets
- path: data.DEV_OAUTH_SECRET
delete: true
- path: data.LOCAL_SIGNING_KEY
delete: true
labels:
kubemirror.raczylo.com/enabled: "true"
app: "complex-app"
example: "secret-complex-transform"
type: Opaque
stringData:
ENCRYPTION_STRENGTH: "AES-128"
SERVICE_URL: "https://localhost:8080"
REDIS_HOST: "localhost"
CACHE_PREFIX: "dev:"
APP_SECRET: "secret-12345"
DEV_OAUTH_SECRET: "dev-oauth-xyz"
LOCAL_SIGNING_KEY: "local-key-abc"
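Review bot: Example 2's three `delete: true` rules (`data.ADMIN_USERNAME`, `data.ADMIN_PASSWORD`, `data.ROOT_TOKEN`) are a deny-list, so any sensitive key later added to the `app-credentials` source Secret is mirrored unchanged to namespace-2 and namespace-3, and the header `# Deletes sensitive admin fields when mirroring to production` overstates what the rules do: nothing in the annotation is production-specific, the deletions apply to every namespace listed in `kubemirror.raczylo.com/target-namespaces`. I would reword the header to `# Deletes the listed admin fields for every target namespace; keys not listed are mirrored as-is — keep admin-only credentials in a separate Secret without the sync annotation rather than relying on this deny-list`. Example 1 deserves a similar caveat: it rewrites `DB_HOST`/`DB_NAME` per target but copies `DB_USER`/`DB_PASSWORD` verbatim, so every target namespace receives the same database password, and readers should be told that explicitly. What happens when the transform annotation fails to parse (whether the untransformed Secret, admin fields included, is still mirrored) is not visible in this file; it is worth confirming kubemirror fails closed there and stating it in the example.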