# Secret Transformation Examples for KubeMirror
# Demonstrates transformation rules applied to Kubernetes Secrets
#
# Each document is a source Secret in namespace-1 carrying three KubeMirror
# annotations (sync, target-namespaces, transform) and the enabled label.
# The transform annotation is a literal block scalar: its text, including the
# '#' lines inside it, is the annotation's string value, not a YAML comment.
#
# All credential values below are sample placeholders. Secret values are only
# base64-encoded in the API, so real credentials belong in a secret store or
# an encrypted workflow, not in a committed manifest.
---
# Example 1: Environment-Specific Database Credentials
# Creates namespace-specific database connection strings
#
# Only DB_HOST and DB_NAME have rules. DB_USER and DB_PASSWORD have none, so
# presumably they are mirrored unchanged and namespace-2 and namespace-3 end
# up sharing one database password - confirm that is intended.
apiVersion: v1
kind: Secret
metadata:
  name: database-credentials
  namespace: namespace-1
  annotations:
    kubemirror.raczylo.com/sync: "true"
    kubemirror.raczylo.com/target-namespaces: "namespace-2,namespace-3"
    # The rules address data.* although the values are authored under
    # stringData: the API server stores stringData entries under data
    # (base64-encoded) and never returns stringData on reads.
    # NOTE(review): confirm how KubeMirror encodes template output written
    # to a data.* path.
    kubemirror.raczylo.com/transform: |
      rules:
        # Create namespace-specific database host
        - path: data.DB_HOST
          template: "{{.TargetNamespace}}.postgres.svc.cluster.local"
        # Create namespace-specific database name
        - path: data.DB_NAME
          template: "app_{{replace .TargetNamespace \"-\" \"_\"}}"
  labels:
    kubemirror.raczylo.com/enabled: "true"
    example: "secret-template-transform"
type: Opaque
# Placeholder values; DB_HOST and DB_NAME are the two keys the rules rewrite.
stringData:
  DB_HOST: "localhost"
  DB_NAME: "app_dev"
  DB_USER: "appuser"
  DB_PASSWORD: "defaultpass"
---
# Example 2: Remove Admin Credentials from Non-Admin Namespaces
# Deletes sensitive admin fields when mirroring to production
#
# On this page the three delete rules are what keeps ADMIN_USERNAME,
# ADMIN_PASSWORD and ROOT_TOKEN out of namespace-2 and namespace-3; the
# source Secret in namespace-1 still holds them. Keeping admin credentials
# in a separate Secret that is never mirrored removes that dependency.
# NOTE(review): verify that a missing or unparsable transform annotation
# stops the mirror rather than copying the Secret unmodified.
# NOTE(review): a client-side `kubectl apply` records this manifest,
# stringData included, in the kubectl.kubernetes.io/last-applied-configuration
# annotation of the source; confirm mirrored copies do not carry it.
apiVersion: v1
kind: Secret
metadata:
  name: app-credentials
  namespace: namespace-1
  annotations:
    kubemirror.raczylo.com/sync: "true"
    kubemirror.raczylo.com/target-namespaces: "namespace-2,namespace-3"
    kubemirror.raczylo.com/transform: |
      rules:
        # Remove admin credentials
        - path: data.ADMIN_USERNAME
          delete: true
        - path: data.ADMIN_PASSWORD
          delete: true
        - path: data.ROOT_TOKEN
          delete: true
  labels:
    kubemirror.raczylo.com/enabled: "true"
    example: "secret-delete-transform"
type: Opaque
# APP_KEY has no rule, so presumably it is the only key left in the mirrors.
stringData:
  APP_KEY: "app-key-12345"
  ADMIN_USERNAME: "admin"
  ADMIN_PASSWORD: "super-secret"
  ROOT_TOKEN: "root-token-xyz"
---
# Example 3: API Key with Namespace-Specific Prefixes
# Adds namespace identification to API keys
#
# API_KEY itself has no rule, so presumably the same key value is mirrored to
# all three target namespaces; the prefix identifies the namespace but does
# not give each namespace its own key.
apiVersion: v1
kind: Secret
metadata:
  name: api-keys
  namespace: namespace-1
  annotations:
    kubemirror.raczylo.com/sync: "true"
    kubemirror.raczylo.com/target-namespaces: "namespace-2,namespace-3,namespace-4"
    # Presumably API_KEY_PREFIX renders as NAMESPACE_2 for namespace-2
    # (dashes replaced, then upper-cased) - verify against the controller's
    # template functions.
    kubemirror.raczylo.com/transform: |
      rules:
        # Add namespace prefix to API key for tracking
        - path: data.API_KEY_PREFIX
          template: "{{upper (replace .TargetNamespace \"-\" \"_\")}}"
        # Set environment-specific API endpoint
        - path: data.API_ENDPOINT
          template: "https://api.{{.TargetNamespace}}.example.com/v1"
  labels:
    kubemirror.raczylo.com/enabled: "true"
    example: "secret-api-transform"
type: Opaque
# Placeholder values; API_KEY is not referenced by any rule above.
stringData:
  API_KEY_PREFIX: "DEV"
  API_KEY: "sk-1234567890"
  API_ENDPOINT: "https://api.dev.example.com/v1"
---
# Example 4: Complex Multi-Rule Secret Transformation
# Combines multiple transformation types for comprehensive secret management
#
# Uses all three rule forms shown on this page: value, template and delete.
# ENCRYPTION_STRENGTH is a plain setting string ("AES-128" in the source,
# "AES-256" from the rule), not key material; it only has an effect if the
# consuming application honours it.
# APP_SECRET has no rule, so presumably it is mirrored unchanged to both
# target namespaces.
apiVersion: v1
kind: Secret
metadata:
  name: app-secrets-complex
  namespace: namespace-1
  annotations:
    kubemirror.raczylo.com/sync: "true"
    kubemirror.raczylo.com/target-namespaces: "namespace-2,namespace-3"
    # NOTE(review): the two delete rules are what keeps DEV_OAUTH_SECRET and
    # LOCAL_SIGNING_KEY out of the mirrors; confirm the controller does not
    # mirror the Secret unmodified when this annotation fails to parse.
    kubemirror.raczylo.com/transform: |
      rules:
        # Set production-grade encryption key
        - path: data.ENCRYPTION_STRENGTH
          value: "AES-256"
        # Create namespace-specific service URLs
        - path: data.SERVICE_URL
          template: "https://{{.TargetNamespace}}.services.example.com"
        # Create namespace-based Redis host
        - path: data.REDIS_HOST
          template: "redis.{{.TargetNamespace}}.svc.cluster.local"
        # Set cache key prefix based on namespace
        - path: data.CACHE_PREFIX
          template: "{{replace .TargetNamespace \"-\" \":\"}}:"
        # Remove development-only secrets
        - path: data.DEV_OAUTH_SECRET
          delete: true
        - path: data.LOCAL_SIGNING_KEY
          delete: true
  labels:
    kubemirror.raczylo.com/enabled: "true"
    app: "complex-app"
    example: "secret-complex-transform"
type: Opaque
# Placeholder development values held by the source Secret in namespace-1.
stringData:
  ENCRYPTION_STRENGTH: "AES-128"
  SERVICE_URL: "https://localhost:8080"
  REDIS_HOST: "localhost"
  CACHE_PREFIX: "dev:"
  APP_SECRET: "secret-12345"
  DEV_OAUTH_SECRET: "dev-oauth-xyz"
  LOCAL_SIGNING_KEY: "local-key-abc"