- Streamlined README focused on quick start - Complete examples for all major use cases - Decision tree for choosing right pattern - Comprehensive troubleshooting guide
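# Example 1: Simple API Key (No Rotation)
#
# Use case: Long-lived API key that doesn't need rotation
#
# Characteristics:
# - Generated once
# - No rotation schedule
# - No Reloader needed (static secret)
#
# Caveat: because the key is never rotated, a leaked copy stays valid until
# someone replaces it by hand. Keep a documented re-issue procedure for that.

---
# Namespace that holds the ManagedSecret, the resulting Secret and the consumer.
apiVersion: v1
kind: Namespace
metadata:
  name: api-service
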
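---
# ManagedSecret: one generated API key plus two static values, stored in
# OpenBao and written out as the Kubernetes Secret "api-secret".
# NOTE(review): nesting below was reconstructed from a listing that lost its
# indentation - verify against the ManagedSecret CRD schema before applying.
apiVersion: secrets.c5ai.ch/v1alpha1
kind: ManagedSecret
metadata:
  name: api-keys
  namespace: api-service
spec:
  vault:
    # Plain HTTP: the Kubernetes-auth login (service-account token) and the
    # secret values travel unencrypted on the cluster network. Point this at
    # an https:// listener once OpenBao has TLS enabled, unless this hop is
    # already protected by mesh-level mTLS.
    address: "http://openbao.openbao.svc.cluster.local:8200"
    authMethod: kubernetes
    # The policy bound to this role should be limited to the path below.
    role: managedsecret-operator
    kvVersion: v2
    mount: secret
    path: api/service/keys

  fields:
    # Static service identifier
    - name: service-id
      type: static
      value: "api-service-prod"

    # Generated API key (long, alphanumeric)
    - name: api-key
      type: generated
      generator:
        type: password
        length: 64
        minDigits: 10
        minSymbols: 0
        minLowercase: 20
        minUppercase: 20
        symbolCharacters: ""  # No symbols, just alphanumeric
        # Was "false". An alphanumeric alphabet has only 62 distinct
        # characters, so a 64-character value cannot be produced without
        # repeats; forbidding repeats also shrinks the key space.
        # Assumes allowRepeat: false means "no character used twice" -
        # TODO confirm against the operator's generator.
        allowRepeat: true

    # Static API endpoint
    - name: api-endpoint
      type: static
      value: "https://api.external-service.com/v1"

  destination:
    name: api-secret
    type: Opaque

  # No rotation - generate once and keep
  # With rotation off, replacing the key after a suspected leak is a manual
  # step.
  rotation:
    enabled: false
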
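---
# Example Deployment using the API key
# Reads all three keys of the Secret "api-secret" as environment variables.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: api-consumer
  namespace: api-service
spec:
  replicas: 2
  selector:
    matchLabels:
      app: api-consumer
  template:
    metadata:
      labels:
        app: api-consumer
      # No Reloader annotation needed - secret doesn't change
      # Environment variables are fixed at container start, so if the key is
      # ever re-issued by hand the pods must be restarted to pick it up.
    spec:
      containers:
        - name: app
          # Placeholder image. In a real deployment pin a version tag or a
          # digest rather than ":latest", so the code that receives the key
          # is the code that was reviewed.
          image: your-app:latest
          env:
            # Only API_KEY is sensitive; the process environment is visible
            # to anything that can inspect the container, so keep it out of
            # logs and debug dumps.
            - name: API_KEY
              valueFrom:
                secretKeyRef:
                  name: api-secret
                  key: api-key
            - name: API_ENDPOINT
              valueFrom:
                secretKeyRef:
                  name: api-secret
                  key: api-endpoint
            - name: SERVICE_ID
              valueFrom:
                secretKeyRef:
                  name: api-secret
                  key: service-id
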
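---
# Example: Using the secret in a ConfigMap template
# The ConfigMap carries only non-sensitive settings; the key itself stays in
# the Secret and reaches the application through the API_KEY variable.
# Do not copy the key value into ConfigMap data: ConfigMaps are usually
# readable by more principals than Secrets.
# NOTE(review): the nesting inside config.yaml was reconstructed from a
# listing that lost its indentation - verify against the application's schema.
apiVersion: v1
kind: ConfigMap
metadata:
  name: api-config
  namespace: api-service
data:
  config.yaml: |
    service:
      name: api-consumer
      # API credentials loaded from secret via environment variables
      # See deployment above for how to inject API_KEY

    endpoints:
      external:
        timeout: 30s
        retry: 3
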
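---
# How to retrieve the API key for external use
# (prints the plaintext key; works for any principal with "get" on Secrets
# in the api-service namespace, so keep that RBAC permission narrow)
# kubectl get secret api-secret -n api-service -o jsonpath='{.data.api-key}' | base64 -d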