The next VSecM Contributor Sync will be on…
Thursday, 2024-01-25 at 8:00am Pacific time.

Secret Transformation

Introduction

This tutorial will show various way you can interpolate and transform secrets.

Transforming secrets may come in handy when your workload expects the secret in a different format than it has been initially provided, and you don’t want to write custom code to do the transformation.

To help us explore these transformations, we will use VSecM Inspector from the previous tutorial. If you haven’t installed it, before you proceed, please navigate to that lecture and install VSecM Inspector

Preparation

Let us define a few aliases first, they will speed things up:

SENTINEL=$(kubectl get po -n vsecm-system \
  | grep "vsecm-sentinel-" | awk '{print $1}')
SAFE=$(kubectl get po -n vsecm-system \
  | grep "vsecm-safe-" | awk '{print $1}')
WORKLOAD=$(kubectl get po -n default \
  | grep "example-" | awk '{print $1}')
INSPECTOR=$(kubectl get po -n default \
  | grep "vsecm-inspector-" | awk '{print $1}')

# Delete secrets assigned to the workload:
alias delete-secret="kubectl exec $SENTINEL \
  -n vsecm-system -- safe \
  -w example -s x -d"

alias inspect="kubectl exec $INSPECTOR -- ./env"

Now, we can start experimenting.

Cleanup

Let’s start with a blank slate again:

delete-secret
# Output: OK

inspect
# Output:
# Failed to fetch the secrets. Try again later.
# Secret does not exist

The Format (`-f`) Argument

VSecM Sentinel CLI accepts a format flag (-f), the possible values are

"json"
and "yaml"

If it is not given, it defaults to "json"; however, in the upcoming examples we’ll be explicit and provide this argument at all times.

Registering a JSON Secret

kubectl exec $SENTINEL -n vsecm-system -- safe \
  -w example \
  -s '{"username": "admin", "password": "VSecMRocks!"}' \
  -f json

inspect
# Output:
# {"username": "admin", "password": "VSecMRocks!"}

Registering a YAML Secret

kubectl exec $SENTINEL -n vsecm-system -- safe \
  -w example \
  -s '{"username": "admin", "password": "VSecMRocks!"}' \
  -f yaml

inspect
# Output:
# password: VSecMRocks!
# username: admin

Registering a JSON String (with invalid JSON)

Now we’ll deliberately make an error in our JSON. Notice the missing " in username": That is not valid JSON.

kubectl exec $SENTINEL -n vsecm-system -- safe \
  -w example \
  -s '{username": "admin", "password": "VSecMRocks!"}' \
  -f json

inspect
# Output:
# {username": "admin", "password": "VSecMRocks!"}

Registering a YAML String (with invalid JSON)

Since the JSON cannot be parsed, the output will not be a YAML:

kubectl exec $SENTINEL -n vsecm-system -- safe \
  -w example \
  -s '{username": "admin", "password": "VSecMRocks!"}' \
  -f yaml

inspect
# Output:
# {username": "admin", "password": "VSecMRocks!"}

Transforming A JSON Secret

kubectl exec $SENTINEL -n vsecm-system -- safe \
  -w example \
  -s '{"username": "admin", "password": "VSecMRocks!"}' \
  -t '{"USR":"{{.username}}", "PWD":"{{.password}}"}' \
  -f json

inspect
# Output:
# {"USR":"admin", "PWD":"VSecMRocks!"}

Transforming a YAML Secret

kubectl exec $SENTINEL -n vsecm-system -- safe \
  -w example \
  -s '{"username": "admin", "password": "VSecMRocks!"}' \
  -t '{"USR":"{{.username}}", "PWD":"{{.password}}"}' \
  -f yaml

inspect
# Output:
# PWD: VSecMRocks!
# USR: admin

Transforming a JSON Secret (invalid JSON)

If our secret is not valid JSON, then the YAML transformation will not be possible. VMware Secrets Manager will still try its best to provide something.

kubectl exec $SENTINEL -n vsecm-system -- safe \
  -w example \
  -s '{username": "admin", "password": "VSecMRocks!"}' \
  -t '{"USR":"{{.username}}", "PWD":"{{.password}}"}' \
  -f json

inspect
# Output:
# {username": "admin", "password": "VSecMRocks!"}

Transforming a JSON Secret (invalid template)

Since template is not valid, the template transformation will not happen.

kubectl exec $SENTINEL -n vsecm-system -- safe \
  -w example \
  -s '{"username": "admin", "password": "VSecMRocks!"}' \
  -t '{USR":"{{.username}}", "PWD":"{{.password}}"}' \
  -f json

inspect
# Output:
# {"username": "admin", "password": "VSecMRocks!"}

Transforming a JSON Secret (invalid template and JSON)

VMware Secrets Manager will still try its best:

kubectl exec $SENTINEL -n vsecm-system -- safe \
  -w example \
  -s '{username": "admin", "password": "VSecMRocks!"}' \
  -t '{USR":"{{.username}}", "PWD":"{{.password}}"}' \
  -f json

inspect
# Output:
# {username": "admin", "password": "VSecMRocks!"}

Transforming YAML Secret (invalid JSON)

kubectl exec $SENTINEL -n vsecm-system -- safe \
  -w example \
  -s '{username": "admin", "password": "VSecMRocks!"}' \
  -t '{"USR":"{{.username}}", "PWD":"{{.password}}"}' \
  -f yaml

inspect
# Output
# {username": "admin", "password": "VSecMRocks!"}

Transforming YAML Secret (invalid template)

kubectl exec $SENTINEL -n vsecm-system -- safe \
  -w example \
  -s '{"username": "admin", "password": "VSecMRocks!"}' \
  -t '{USR":"{{.username}}", "PWD":"{{.password}}"}' \
  -f yaml

inspect
# Output:
# {USR":"admin", "PWD":"VSecMRocks!"}

Transforming YAML Secret (invalid JSON and template)

kubectl exec $SENTINEL -n vsecm-system -- safe \
  -w example \
  -s '{username": "admin", "password": "VSecMRocks!"}' \
  -t '{USR":"{{.username}}", "PWD":"{{.password}}"}' \
  -f yaml

inspect
# Output:
# {username": "admin", "password": "VSecMRocks!"}

Conclusion

This tutorial demonstrated various ways to transform and interpolate secret values into JSON and YAML. We also observed how the output is affected when there is a formatting issue with the secret, or the template to transform the secret, or both of them.

The next section introduces a video tutorial that covers everything that has been mentioned so far and some more.

results matching ""

No results matching ""

Copyright © 2023-present VMware, Inc.

VMware Secrets Manager for Cloud-Native Apps
code is distributed under BSD 2-Clause License.

The documentation on this website
is distributed under CC-BY-4.0.

contact | privacy policy