This is the documentation for the VMware Secrets Manager Go SDK. You can also check out the Go Docs on pkg.go.dev.
sentry

The current SDK has two public methods under the package sentry: func Fetch and func Watch.
func Fetch() (string, error)

Fetch fetches the up-to-date secret that has been registered to the workload.

    secret, err := sentry.Fetch()

In case of a problem, Fetch returns an empty string and an error explaining what went wrong.
func Watch()

Watch synchronizes the internal state of the workload by talking to VSecM Safe regularly. It periodically calls Fetch() behind the scenes to get its work done. Once it fetches the secrets, it saves them to the location defined in the VSECM_SIDECAR_SECRETS_PATH environment variable (/opt/vsecm/secrets.json by default).
Here is a demo workload that uses the Fetch() API to retrieve secrets from VSecM Safe.
    package main

    import (
    	"fmt"
    	"time"

    	"github.com/spiffe/vsecm-sdk-go/sentry"
    )

    func main() {
    	for {
    		// Fetch the secret bound to this workload
    		// using VMware Secrets Manager Go SDK:
    		data, err := sentry.Fetch()

    		if err != nil {
    			fmt.Println("Failed. Will retry...")
    		} else {
    			fmt.Println("secret: '", data, "'")
    		}

    		time.Sleep(5 * time.Second)
    	}
    }
Here follows a possible Deployment descriptor for such a workload. Check out the VMware Secrets Manager demo workload manifests for additional examples.
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: example
      namespace: default
    automountServiceAccountToken: false
    ---
    apiVersion: spire.spiffe.io/v1alpha1
    kind: ClusterSPIFFEID
    metadata:
      name: example
    spec:
      className: vsecm
      spiffeIDTemplate: "spiffe://vsecm.com/workload/example"
      podSelector:
        matchLabels:
          app.kubernetes.io/name: example
    ---
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: example
      namespace: default
      labels:
        app.kubernetes.io/name: example
    spec:
      replicas: 1
      selector:
        matchLabels:
          app.kubernetes.io/name: example
      template:
        metadata:
          labels:
            app.kubernetes.io/name: example
        spec:
          serviceAccountName: example
          containers:
            - name: main
              image: vsecm/example-using-sdk-go:latest
              volumeMounts:
                - name: spire-agent-socket
                  mountPath: /spire-agent-socket
                  readOnly: true
              env:
                - name: SPIFFE_ENDPOINT_SOCKET
                  value: unix:///spire-agent-socket/spire-agent.sock
          volumes:
            - name: spire-agent-socket
              hostPath:
                path: /run/spire/sockets
                type: Directory
startup

The current SDK has one public method under the package startup: func Watch.

func Watch(waitTimeBeforeExit time.Duration)

Watch continuously polls until the secret associated with the workload exists. If the secret exists and is not empty, the function exits the process container with a success status code (0). This is especially useful when used inside an init container.

waitTimeBeforeExit: the duration to wait before a successful exit from the function.

You can also check out the relevant sections of the Registering Secrets article for an example of VMware Secrets Manager Go SDK usage.
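The polling contract shared by sentry.Fetch and startup.Watch (an error or an empty string means "not ready yet") is shown below as an added example; it is not part of the SDK. The fetcher is a constructed stub standing in for sentry.Fetch, and the attempt limit and context handling are this example's own additions so a caller can bound how long an init step blocks.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"time"
)

// Fetcher has the same contract as sentry.Fetch: the secret, or an
// empty string and an error when something went wrong.
type Fetcher func() (string, error)

// errSecretNotReady marks a secret that is registered but still empty,
// which startup.Watch also refuses to treat as success.
var errSecretNotReady = errors.New("secret not registered yet")

// waitForSecret polls fetch until it yields a non-empty secret, like
// startup.Watch, but gives up after maxAttempts or when ctx ends.
// In production, fetch would be sentry.Fetch (assumption: same contract).
func waitForSecret(ctx context.Context, fetch Fetcher, maxAttempts int, interval time.Duration) (string, error) {
	var lastErr error
	for attempt := 1; attempt <= maxAttempts; attempt++ {
		secret, err := fetch()
		switch {
		case err == nil && secret != "":
			return secret, nil
		case err != nil:
			lastErr = err
		default:
			lastErr = errSecretNotReady
		}
		select {
		case <-ctx.Done():
			return "", ctx.Err()
		case <-time.After(interval):
		}
	}
	return "", fmt.Errorf("giving up after %d attempts: %w", maxAttempts, lastErr)
}

// stubFetcher is a constructed stand-in for sentry.Fetch: it errors for
// `failures` calls, then returns an empty secret once, then the value.
func stubFetcher(failures int, value string) Fetcher {
	calls := 0
	return func() (string, error) {
		calls++
		if calls <= failures {
			return "", errors.New("VSecM Safe unreachable")
		}
		if calls == failures+1 {
			return "", nil // registered but empty
		}
		return value, nil
	}
}
```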