lukaszraczylo/kubemirror
1
0
Fork 0
mirror of https://github.com/lukaszraczylo/kubemirror.git synced 2026-06-05 22:43:51 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
d0857e4f4ad7d75ea85e99f20333470c71c68dbf
kubemirror/examples/transform-secret.yaml
T

143 lines
4.2 KiB
YAML
Raw Blame History

# Secret Transformation Examples for KubeMirror
# Demonstrates transformation rules applied to Kubernetes Secrets
---
# Example 1: Environment-Specific Database Credentials
# Creates namespace-specific database connection strings
apiVersion: v1
kind: Secret
metadata:
name: database-credentials
namespace: namespace-1
annotations:
kubemirror.raczylo.com/sync: "true"
kubemirror.raczylo.com/target-namespaces: "namespace-2,namespace-3"
kubemirror.raczylo.com/transform: |
rules:
# Create namespace-specific database host
- path: data.DB_HOST
template: "{{.TargetNamespace}}.postgres.svc.cluster.local"
# Create namespace-specific database name
- path: data.DB_NAME
template: "app_{{replace .TargetNamespace \"-\" \"_\"}}"
labels:
kubemirror.raczylo.com/enabled: "true"
example: "secret-template-transform"
type: Opaque
stringData:
DB_HOST: "localhost"
DB_NAME: "app_dev"
DB_USER: "appuser"
DB_PASSWORD: "defaultpass"
---
# Example 2: Remove Admin Credentials from Non-Admin Namespaces
# Deletes sensitive admin fields when mirroring to production
apiVersion: v1
kind: Secret
metadata:
name: app-credentials
namespace: namespace-1
annotations:
kubemirror.raczylo.com/sync: "true"
kubemirror.raczylo.com/target-namespaces: "namespace-2,namespace-3"
kubemirror.raczylo.com/transform: |
rules:
# Remove admin credentials
- path: data.ADMIN_USERNAME
delete: true
- path: data.ADMIN_PASSWORD
delete: true
- path: data.ROOT_TOKEN
delete: true
labels:
kubemirror.raczylo.com/enabled: "true"
example: "secret-delete-transform"
type: Opaque
stringData:
APP_KEY: "app-key-12345"
ADMIN_USERNAME: "admin"
ADMIN_PASSWORD: "super-secret"
ROOT_TOKEN: "root-token-xyz"
---
# Example 3: API Key with Namespace-Specific Prefixes
# Adds namespace identification to API keys
apiVersion: v1
kind: Secret
metadata:
name: api-keys
namespace: namespace-1
annotations:
kubemirror.raczylo.com/sync: "true"
kubemirror.raczylo.com/target-namespaces: "namespace-2,namespace-3,namespace-4"
kubemirror.raczylo.com/transform: |
rules:
# Add namespace prefix to API key for tracking
- path: data.API_KEY_PREFIX
template: "{{upper (replace .TargetNamespace \"-\" \"_\")}}"
# Set environment-specific API endpoint
- path: data.API_ENDPOINT
template: "https://api.{{.TargetNamespace}}.example.com/v1"
labels:
kubemirror.raczylo.com/enabled: "true"
example: "secret-api-transform"
type: Opaque
stringData:
API_KEY_PREFIX: "DEV"
API_KEY: "sk-1234567890"
API_ENDPOINT: "https://api.dev.example.com/v1"
---
# Example 4: Complex Multi-Rule Secret Transformation
# Combines multiple transformation types for comprehensive secret management
apiVersion: v1
kind: Secret
metadata:
name: app-secrets-complex
namespace: namespace-1
annotations:
kubemirror.raczylo.com/sync: "true"
kubemirror.raczylo.com/target-namespaces: "namespace-2,namespace-3"
kubemirror.raczylo.com/transform: |
rules:
# Set production-grade encryption key
- path: data.ENCRYPTION_STRENGTH
value: "AES-256"
# Create namespace-specific service URLs
- path: data.SERVICE_URL
template: "https://{{.TargetNamespace}}.services.example.com"
# Create namespace-based Redis host
- path: data.REDIS_HOST
template: "redis.{{.TargetNamespace}}.svc.cluster.local"
# Set cache key prefix based on namespace
- path: data.CACHE_PREFIX
template: "{{replace .TargetNamespace \"-\" \":\"}}:"
# Remove development-only secrets
- path: data.DEV_OAUTH_SECRET
delete: true
- path: data.LOCAL_SIGNING_KEY
delete: true
labels:
kubemirror.raczylo.com/enabled: "true"
app: "complex-app"
example: "secret-complex-transform"
type: Opaque
stringData:
ENCRYPTION_STRENGTH: "AES-128"
SERVICE_URL: "https://localhost:8080"
REDIS_HOST: "localhost"
CACHE_PREFIX: "dev:"
APP_SECRET: "secret-12345"
DEV_OAUTH_SECRET: "dev-oauth-xyz"
LOCAL_SIGNING_KEY: "local-key-abc"
Reference in New Issue View Git Blame Copy Permalink