Rating Star 1 Streamline Icon: https://streamlinehq.com  Star VMware Secrets Manager to show your support. Help us reach out to even more people with this amazing tech.

VSecM SDK

Link SDK

This is the documentation for VMware Secrets Manager Go SDK.

You can also check out the Go Docs on pkg.go.dev here.

Link Package sentry

The current SDK has two public methods under the package sentry:

  • func Fetch
  • func Watch

Link func Fetch() (string, error)

Fetch fetches the up-to-date secret that has been registered to the workload.

secret, err := sentry.Fetch()

In case of a problem, Fetch will return an empty string and an error explaining what went wrong.

Link func Watch()

Watch synchronizes the internal state of the workload by talking to VSecM Safe regularly. It periodically calls Fetch() behind the scenes to get its work done. Once it fetches the secrets, it saves them to the location defined in the VSECM_SIDECAR_SECRETS_PATH environment variable (/opt/vsecm/secrets.json by default).

Link Usage Example

Here is a demo workload that uses the Fetch() API to retrieve secrets from VSecM Safe.

package main

import (
  "fmt"
  "github.com/spiffe/vsecm-sdk-go/sentry"
  "time"
)

func main() {
  for {
    // Fetch the secret bound to this workload
    // using VMware Secrets Manager Go SDK:
    data, err := sentry.Fetch()

    if err != nil {
      fmt.Println("Failed. Will retry...")
    } else {
      fmt.Println("secret: '", data, "'")
    }

    time.Sleep(5 * time.Second)
  }
}

Here follows a possible Deployment descriptor for such a workload.

Check out VMware Secrets Manager demo workload manifests for additional examples.

apiVersion: v1
kind: ServiceAccount
metadata:
  name: example
  namespace: default
automountServiceAccountToken: false
---
apiVersion: spire.spiffe.io/v1alpha1
kind: ClusterSPIFFEID
metadata:
  name: example
spec:
  className: vsecm
  spiffeIDTemplate: "spiffe://vsecm.com/workload/example"
  podSelector:
    matchLabels:
      app.kubernetes.io/name: example
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: example
  namespace: default
  labels:
    app.kubernetes.io/name: example
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: example
  template:
    metadata:
      labels:
        app.kubernetes.io/name: example
    spec:
      serviceAccountName: example
      containers:
        - name: main
          image: vsecm/example-using-sdk-go:latest
          volumeMounts:
          - name: spire-agent-socket
            mountPath: /spire-agent-socket
            readOnly: true
          env:
          - name: SPIFFE_ENDPOINT_SOCKET
            value: unix:///spire-agent-socket/spire-agent.sock
      volumes:
      - name: spire-agent-socket
        hostPath:
          path: /run/spire/sockets
          type: Directory

Link Package startup

The current SDK has two public methods under the package sentry:

  • func Watch

Link func Watch(waitTimeBeforeExit time.Duration)

Watch continuously polls the associated secret of the workload to exist. If the secret exists, and it is not empty, the function exits the process container with a success status code (0).

This is especially useful when used inside an init container.

Link Parameters

  • waitTimeBeforeExit: The duration to wait before a successful exit from the function.

You can also check out the relevant sections of the Registering Secrets article for an example of VMware Secrets Manager Go SDK usage.

edit this page ✏️