kubemirror/examples/transform-secret.yaml
# Secret Transformation Examples for KubeMirror
# Demonstrates transformation rules applied to Kubernetes Secrets
---
# Example 1: Environment-Specific Database Credentials
#
# Mirrors this Secret into the namespaces listed in target-namespaces and
# rewrites DB_HOST / DB_NAME per target namespace via Go templates.
# DB_USER and DB_PASSWORD have no rule, so the identical credential pair is
# copied into every target namespace; anyone who can read Secrets there can
# read it. Keep the target list to namespaces that actually need this login.
# NOTE(review): the rule paths are `data.*` while this manifest fills
# `stringData` — confirm the operator resolves rules against the merged,
# decoded data map before relying on these examples.
# The stringData values below are example placeholders.
apiVersion: v1
kind: Secret
metadata:
  name: database-credentials
  namespace: namespace-1
  annotations:
    kubemirror.raczylo.com/sync: "true"
    kubemirror.raczylo.com/target-namespaces: "namespace-2,namespace-3"
    kubemirror.raczylo.com/transform: |
      rules:
        # Create namespace-specific database host
        - path: data.DB_HOST
          template: "{{.TargetNamespace}}.postgres.svc.cluster.local"
        # Create namespace-specific database name
        - path: data.DB_NAME
          template: "app_{{replace .TargetNamespace \"-\" \"_\"}}"
  labels:
    kubemirror.raczylo.com/enabled: "true"
    example: "secret-template-transform"
type: Opaque
stringData:
  DB_HOST: "localhost"
  DB_NAME: "app_dev"
  DB_USER: "appuser"
  DB_PASSWORD: "defaultpass"
---
# Example 2: Remove Admin Credentials from Non-Admin Namespaces
#
# Strips ADMIN_USERNAME, ADMIN_PASSWORD and ROOT_TOKEN with `delete: true`
# so only APP_KEY reaches the target namespaces. The deletion presumably
# affects the mirrored copies only — the source Secret in namespace-1 keeps
# all four keys, so access to the admin values is governed by RBAC on
# namespace-1, not by these rules (confirm against operator docs).
# The stringData values below are example placeholders.
apiVersion: v1
kind: Secret
metadata:
  name: app-credentials
  namespace: namespace-1
  annotations:
    kubemirror.raczylo.com/sync: "true"
    kubemirror.raczylo.com/target-namespaces: "namespace-2,namespace-3"
    kubemirror.raczylo.com/transform: |
      rules:
        # Remove admin credentials
        - path: data.ADMIN_USERNAME
          delete: true
        - path: data.ADMIN_PASSWORD
          delete: true
        - path: data.ROOT_TOKEN
          delete: true
  labels:
    kubemirror.raczylo.com/enabled: "true"
    example: "secret-delete-transform"
type: Opaque
stringData:
  APP_KEY: "app-key-12345"
  ADMIN_USERNAME: "admin"
  ADMIN_PASSWORD: "super-secret"
  ROOT_TOKEN: "root-token-xyz"
---
# Example 3: API Key with Namespace-Specific Prefixes
#
# Derives API_KEY_PREFIX (upper-cased namespace, `-` → `_`) and API_ENDPOINT
# from the target namespace. API_KEY itself has no rule and is mirrored
# unchanged into all four target namespaces — the prefix is a tracking
# label, not a per-namespace credential. If each namespace needs its own
# key, the key must be issued per namespace rather than mirrored.
# The stringData values below are example placeholders.
apiVersion: v1
kind: Secret
metadata:
  name: api-keys
  namespace: namespace-1
  annotations:
    kubemirror.raczylo.com/sync: "true"
    kubemirror.raczylo.com/target-namespaces: "namespace-2,namespace-3,namespace-4"
    kubemirror.raczylo.com/transform: |
      rules:
        # Add namespace prefix to API key for tracking
        - path: data.API_KEY_PREFIX
          template: "{{upper (replace .TargetNamespace \"-\" \"_\")}}"
        # Set environment-specific API endpoint
        - path: data.API_ENDPOINT
          template: "https://api.{{.TargetNamespace}}.example.com/v1"
  labels:
    kubemirror.raczylo.com/enabled: "true"
    example: "secret-api-transform"
type: Opaque
stringData:
  API_KEY_PREFIX: "DEV"
  API_KEY: "sk-1234567890"
  API_ENDPOINT: "https://api.dev.example.com/v1"
---
# Example 4: Complex Multi-Rule Secret Transformation
#
# Exercises all three rule kinds in one Secret:
#   value    — fixed override (ENCRYPTION_STRENGTH becomes "AES-256")
#   template — namespace-derived values (SERVICE_URL, REDIS_HOST, CACHE_PREFIX)
#   delete   — drops the development-only keys from the mirrored copies
# APP_SECRET has no rule and is mirrored unchanged to every target namespace.
# Rules are listed in the order a reader would expect; whether the operator
# applies them in list order is not stated here — confirm before writing
# rules that depend on each other.
# The stringData values below are example placeholders.
apiVersion: v1
kind: Secret
metadata:
  name: app-secrets-complex
  namespace: namespace-1
  annotations:
    kubemirror.raczylo.com/sync: "true"
    kubemirror.raczylo.com/target-namespaces: "namespace-2,namespace-3"
    kubemirror.raczylo.com/transform: |
      rules:
        # Set production-grade encryption key
        - path: data.ENCRYPTION_STRENGTH
          value: "AES-256"
        # Create namespace-specific service URLs
        - path: data.SERVICE_URL
          template: "https://{{.TargetNamespace}}.services.example.com"
        # Create namespace-based Redis host
        - path: data.REDIS_HOST
          template: "redis.{{.TargetNamespace}}.svc.cluster.local"
        # Set cache key prefix based on namespace
        - path: data.CACHE_PREFIX
          template: "{{replace .TargetNamespace \"-\" \":\"}}:"
        # Remove development-only secrets
        - path: data.DEV_OAUTH_SECRET
          delete: true
        - path: data.LOCAL_SIGNING_KEY
          delete: true
  labels:
    kubemirror.raczylo.com/enabled: "true"
    app: "complex-app"
    example: "secret-complex-transform"
type: Opaque
stringData:
  ENCRYPTION_STRENGTH: "AES-128"
  SERVICE_URL: "https://localhost:8080"
  REDIS_HOST: "localhost"
  CACHE_PREFIX: "dev:"
  APP_SECRET: "secret-12345"
  DEV_OAUTH_SECRET: "dev-oauth-xyz"
  LOCAL_SIGNING_KEY: "local-key-abc"