

SDK

This is the documentation for the VMware Secrets Manager Go SDK.

You can also check out the Go Docs for the SDK.

Package sentry

The current SDK has two public functions under the package sentry:

  • func Fetch
  • func Watch

func Fetch() (string, error)

Fetch returns the up-to-date secret that has been registered to the workload. The workload is identified by its SPIFFE ID, obtained from the SPIRE agent socket mounted into the pod, so the call needs no credentials of its own.

secret, err := sentry.Fetch()

In case of a problem, Fetch returns an empty string and an error describing what went wrong. Callers should treat an empty string as "no secret yet" rather than as a usable value.
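Because Fetch can fail transiently (for example before the secret has been registered, or while VSecM Safe is not yet reachable), a workload normally wraps it in a bounded retry. The block below is an added example, not code from the VSecM SDK or its documentation: fetchWithRetry, the fetchFunc type, the back-off parameters and the fake fetcher in main are this example's own assumptions. fetchFunc has the same signature as sentry.Fetch, so the real call can be passed in directly. An empty string is treated as a failure, the loop stops when the context expires, and the secret value itself is never logged (only the attempt count and the error text are).

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"time"
)

// fetchFunc matches the shape of sentry.Fetch, so sentry.Fetch can be passed
// in as-is while tests pass a fake. Assumed helper type for this example.
type fetchFunc func() (string, error)

// errEmptySecret is returned when fetch succeeds but yields an empty string.
var errEmptySecret = errors.New("fetched secret is empty")

// fetchWithRetry calls fetch until it returns a non-empty secret or ctx is
// done. The delay starts at initial and doubles up to maxDelay. It returns the
// secret, the number of attempts made, and an error if it gave up.
func fetchWithRetry(ctx context.Context, fetch fetchFunc, initial, maxDelay time.Duration) (string, int, error) {
	delay := initial
	attempts := 0
	for {
		attempts++
		secret, err := fetch()
		if err == nil && secret != "" {
			return secret, attempts, nil
		}
		if err == nil {
			err = errEmptySecret
		}
		// Log the failure, never the secret value.
		fmt.Printf("attempt %d failed: %v; retrying in %s\n", attempts, err, delay)

		select {
		case <-ctx.Done():
			return "", attempts, fmt.Errorf("giving up after %d attempts: %w (%v)", attempts, err, ctx.Err())
		case <-time.After(delay):
		}
		delay *= 2
		if delay > maxDelay {
			delay = maxDelay
		}
	}
}

func main() {
	// Constructed stand-in for sentry.Fetch: fails twice, then succeeds.
	calls := 0
	fake := func() (string, error) {
		calls++
		if calls < 3 {
			return "", errors.New("safe not reachable yet")
		}
		return "s3cr3t", nil
	}

	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
	defer cancel()

	// In a real workload this would be: fetchWithRetry(ctx, sentry.Fetch, ...)
	secret, n, err := fetchWithRetry(ctx, fake, 10*time.Millisecond, 100*time.Millisecond)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("got a %d-byte secret after %d attempts\n", len(secret), n)
}
```

The context deadline is the important part: an unbounded loop hides a misconfigured ClusterSPIFFEID or a secret that was never registered, whereas a loop that gives up surfaces the problem as a crash-looping pod.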

func Watch()

Watch keeps the workload's local copy of its secrets in sync by talking to VSecM Safe regularly. It calls Fetch() periodically behind the scenes and writes the fetched secrets to the path given by the VSECM_SIDECAR_SECRETS_PATH environment variable (/opt/vsecm/secrets.json by default). This is the mechanism the VSecM Sidecar relies on: the sidecar runs Watch, and the main container reads the file instead of calling Fetch itself.
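On the workload side of that contract, consuming the sidecar's output is a file read at a known path. The block below is an added example, not code from the VSecM SDK or its documentation: sidecarSecretsPath resolves the path exactly as described above (the environment variable, else /opt/vsecm/secrets.json), and loadSidecarSecrets reads it. The symlink, regular-file, world-readable and non-empty checks are this example's own defensive additions and are not something VSecM mandates; the permission check in particular assumes the secrets volume is private to the pod and may need loosening depending on how the sidecar and the main container share it. The page does not define the file's layout, so the function returns raw bytes and leaves decoding to the caller.

```go
package main

import (
	"errors"
	"fmt"
	"io/fs"
	"os"
)

// defaultSidecarSecretsPath is the default named on the page.
const defaultSidecarSecretsPath = "/opt/vsecm/secrets.json"

// sidecarSecretsPath returns the file sentry.Watch writes to: the value of
// VSECM_SIDECAR_SECRETS_PATH when set, otherwise the default.
func sidecarSecretsPath() string {
	if p := os.Getenv("VSECM_SIDECAR_SECRETS_PATH"); p != "" {
		return p
	}
	return defaultSidecarSecretsPath
}

// loadSidecarSecrets reads the secrets file written by the sidecar.
// The checks below are this example's own assumptions, not VSecM requirements:
// a symlink is refused (it could redirect the read elsewhere), only regular
// files are accepted, a file readable by "other" is refused because a secret
// readable by any user on the node is already leaked, and an empty file means
// the sidecar has not completed its first fetch yet.
func loadSidecarSecrets(path string) ([]byte, error) {
	info, err := os.Lstat(path)
	if err != nil {
		return nil, fmt.Errorf("secrets file not available: %w", err)
	}
	if info.Mode()&fs.ModeSymlink != 0 {
		return nil, errors.New("secrets path is a symlink; refusing to follow it")
	}
	if !info.Mode().IsRegular() {
		return nil, fmt.Errorf("secrets path is not a regular file (mode %v)", info.Mode())
	}
	if perm := info.Mode().Perm(); perm&0o007 != 0 {
		return nil, fmt.Errorf("secrets file is world-accessible (mode %#o); refusing to use it", perm)
	}
	data, err := os.ReadFile(path)
	if err != nil {
		return nil, err
	}
	if len(data) == 0 {
		return nil, errors.New("secrets file is empty; sidecar has not fetched yet")
	}
	return data, nil
}

func main() {
	data, err := loadSidecarSecrets(sidecarSecretsPath())
	if err != nil {
		fmt.Println("cannot load secrets:", err)
		os.Exit(1)
	}
	// Report only the size; never print the contents.
	fmt.Printf("loaded %d bytes of secret material\n", len(data))
}
```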

Usage Example

Here is a demo workload that uses the Fetch() API to retrieve secrets from VSecM Safe.

package main

import (
  "fmt"
  "time"

  "github.com/vmware-tanzu/secrets-manager/sdk/sentry"
)

func main() {
  for {
    // Fetch the secret bound to this workload
    // using VMware Secrets Manager Go SDK:
    data, err := sentry.Fetch()

    if err != nil {
      fmt.Println("Failed. Will retry...")
    } else {
      // Demo only: printing the value is fine for a walkthrough,
      // but a real workload must never log its secrets.
      fmt.Println("secret: '", data, "'")
    }

    time.Sleep(5 * time.Second)
  }
}

Here is a possible Deployment descriptor for such a workload. The ServiceAccount and ClusterSPIFFEID together give the pod the SPIFFE ID that VSecM Safe uses to decide which secret Fetch returns; the SPIRE agent socket is mounted read-only from the node so the SDK can obtain that identity.

Check out the VMware Secrets Manager demo workload manifests for additional examples.

apiVersion: v1
kind: ServiceAccount
metadata:
  name: example
  namespace: default
automountServiceAccountToken: false
---
apiVersion: spire.spiffe.io/v1alpha1
kind: ClusterSPIFFEID
metadata:
  name: example
spec:
  spiffeIDTemplate: "spiffe://"
  podSelector:
    matchLabels:
      # label key assumed; only the value "example" appears on the page
      app.kubernetes.io/name: example
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: example
  namespace: default
  labels:
    app.kubernetes.io/name: example
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: example
  template:
    metadata:
      labels:
        app.kubernetes.io/name: example
    spec:
      serviceAccountName: example
      containers:
        - name: main
          image: vsecm/example-using-sdk-go:latest
          volumeMounts:
            - name: spire-agent-socket
              mountPath: /spire-agent-socket
              readOnly: true
          env:
            - name: SPIFFE_ENDPOINT_SOCKET
              value: unix:///spire-agent-socket/agent.sock
      volumes:
        - name: spire-agent-socket
          hostPath:
            path: /run/spire/sockets
            type: Directory

Package startup

The current SDK has one public function under the package startup:

  • func Watch

func Watch(waitTimeBeforeExit time.Duration)

Watch polls until the secret associated with the workload exists and is non-empty. Once it does, the function waits waitTimeBeforeExit and then exits the process with a success status code (0).

This is especially useful inside an init container: Kubernetes does not start the main containers until every init container has exited successfully, so the workload is guaranteed to find its secret already registered when it starts.

Parameters

  • waitTimeBeforeExit: The duration to wait, after the secret has been found, before exiting with status 0.

You can also check out the relevant sections of the Registering Secrets article for an example of VMware Secrets Manager Go SDK usage.
