This is a snapshot of VSecM's documentation at version v0.24.1.


Mutating a Template File

Situation Analysis

Certain apps may require initialization scripts, and those scripts may include secrets. Storing such scripts with hard-coded secrets is a security gap; storing them in source control is a security incident waiting to happen.

Solution

A solution would be to create a template file with a placeholder to interpolate the secrets at deployment time.

As long as this template file lives in an ephemeral "in-memory" volume and direct access to the workload is prevented by strict RBAC rules, the script and the secrets within it can be considered secure: data in an in-memory file system is protected by the operating system's memory protection, so only a process that can shell into the Pod can read the in-memory volume.
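As an added example (not VSecM's own sidecar code), the following Go program shows the pattern end to end: a checked-in init-script template that holds only placeholders, rendered at deployment time with the secret values and written with mode 0600 into the directory where the in-memory volume is mounted. The placeholder names, the Go text/template syntax and the mount directory are assumptions for this example.

```go
package main

import (
	"bytes"
	"os"
	"path/filepath"
	"strings"
	"text/template"
)

// Constructed init-script template (placeholder names are assumptions); only placeholders are committed.
const initScriptTemplate = `#!/bin/sh
export DB_USER={{ shq .DB_USER }}
export DB_PASSWORD={{ shq .DB_PASSWORD }}
`

// shellQuote single-quotes a value so a secret containing quotes or spaces cannot break the shell assignment.
func shellQuote(s string) string {
	return "'" + strings.ReplaceAll(s, "'", `'\''`) + "'"
}

// RenderTemplate interpolates secrets into tmpl. missingkey=error makes a
// placeholder with no matching secret fail instead of rendering "<no value>".
func RenderTemplate(tmpl string, secrets map[string]string) (string, error) {
	t, err := template.New("init").Funcs(template.FuncMap{"shq": shellQuote}).Option("missingkey=error").Parse(tmpl)
	if err != nil {
		return "", err
	}
	var out bytes.Buffer
	err = t.Execute(&out, secrets)
	return out.String(), err
}

// WriteToMemoryVolume writes the rendered script into dir (assumed to be an emptyDir with
// medium: Memory mounted into the Pod) with mode 0600, so only the workload's own user can read it.
func WriteToMemoryVolume(dir, name, content string) (string, error) {
	path := filepath.Join(dir, name)
	return path, os.WriteFile(path, []byte(content), 0o600)
}

func main() {
	// Constructed sample values; a sidecar would fetch these from the secrets store.
	script, err := RenderTemplate(initScriptTemplate, map[string]string{"DB_USER": "app", "DB_PASSWORD": "ex'ample"})
	if err == nil { // in a Pod, pass the in-memory mount path instead of os.TempDir()
		_, err = WriteToMemoryVolume(os.TempDir(), "init.sh", script)
	}
	if err != nil {
		panic(err)
	}
}
```

Because nothing is written outside the in-memory mount, the rendered script disappears with the Pod, while the committed template never carries a value.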

Strategy

Follow the Mounting Secrets as Volumes use case and configure the sidecar to mutate the file you need accordingly.
