Vals-Operator 0.6.2

July 4, 2022
Sergio Rua

What is it?

Vals-Operator is a Kubernetes Operator that converts secrets stored in external sources into native Kubernetes secrets and keeps them synchronised. You can read more about it in a previous post.

What’s new?

We just released a new version of the operator, v0.6.2. In the last couple of releases, we have updated all core libraries to the latest versions to ensure there are no significant security issues, so the upgrade is recommended for everyone.

But the most exciting feature is templates. The way we managed secrets until now allowed you to pass the pod either a list of environment variables containing the secrets or a full file to mount.

For example:

apiVersion: digitalis.io/v1
kind: ValsSecret
metadata:
  name: vals-secret-sample
  labels:
    owner: digitalis.io
spec:
  name: my-secret # Optional, default is the resource name
  ttl: 5       # Optional, default is 0. The secret will be checked at every "reconcile period". See below.
  type: Opaque    # Default type, others supported
  data:
    username:
      ref: ref+awssecrets://PATH/TO/SECRET[?region=REGION]#username
      encoding: text
    password:
      ref: ref+awssecrets://PATH/TO/SECRET[?region=REGION]#password
      encoding: text

would be translated into a Kubernetes secret like:

apiVersion: v1
data:
  password: UEFTU1dPUkQ=
  username: VVNFUk5BTUU=
kind: Secret
metadata:
  name: my-secret
  namespace: default
type: Opaque

The problem is that some applications don’t yet understand or use environment variables and require a configuration file instead. This is why we’re now introducing templates, which allow you to craft, amongst other things, config files into the secret:

apiVersion: digitalis.io/v1
kind: ValsSecret
metadata:
  name: vals-secret-sample
  labels:
    owner: digitalis.io
spec:
  name: my-secret # Optional, default is the resource name
  ttl: 5       # Optional, default is 0. The secret will be checked at every "reconcile period". See below.
  type: Opaque    # Default type, others supported
  data:
    username:
      ref: ref+awssecrets://PATH/TO/SECRET[?region=REGION]#username
      encoding: text
    password:
      ref: ref+awssecrets://PATH/TO/SECRET[?region=REGION]#password
      encoding: text
  template:
    config.yml: |
      # Config generated by Vals-Operator on {{ now | date "2006-01-02" }}
      username: {{.username}}
      password: {{.password}}
      {{- if .url }}
      url: {{ .url | lower }}
      {{ end }}

The templates use Go template syntax, which you’re probably already familiar with as it’s used by many tools such as Helm and Helmfile. Like them, we also support the sprig library for a richer experience.
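Secret values are substituted into config.yml as raw text, so a value containing YAML-significant characters changes how the application parses the file. The following is an added example, not code from Vals-Operator: it renders the template above with Go's text/template, once unquoted and once with each value piped through sprig's quote function. The helper functions are standard-library stand-ins for sprig, and the sample values and the Render function are constructed for illustration.

```go
package main

import (
	"bytes"
	"fmt"
	"strings"
	"text/template"
	"time"
)

// Stdlib stand-ins for the sprig helpers used; fixed clock for repeatable output.
var funcs = template.FuncMap{
	"now":   func() time.Time { return time.Date(2022, 7, 4, 0, 0, 0, 0, time.UTC) },
	"date":  func(layout string, t time.Time) string { return t.Format(layout) },
	"lower": strings.ToLower,
	"quote": func(s string) string { return fmt.Sprintf("%q", s) },
}

// The config.yml template from the post, with every value piped through quote.
const quotedTmpl = `# Config generated by Vals-Operator on {{ now | date "2006-01-02" }}
username: {{ .username | quote }}
password: {{ .password | quote }}
{{- if .url }}
url: {{ .url | lower | quote }}
{{- end }}
`

// Same template without quoting, which is how the post writes its values.
var plainTmpl = strings.ReplaceAll(quotedTmpl, " | quote", "")

// Render executes tmpl against the resolved secret values.
func Render(tmpl string, data map[string]string) (string, error) {
	t, err := template.New("config.yml").Funcs(funcs).Parse(tmpl)
	if err != nil {
		return "", err
	}
	var out bytes.Buffer
	if err := t.Execute(&out, data); err != nil {
		return "", err
	}
	return out.String(), nil
}

func main() {
	// Constructed values: in unquoted YAML, " #" starts a comment.
	data := map[string]string{"username": "app", "password": "s3cr3t #1"}
	for _, tmpl := range []string{plainTmpl, quotedTmpl} {
		out, err := Render(tmpl, data)
		fmt.Printf("%s(err=%v)\n\n", out, err)
	}
}
```

A YAML parser reads the unquoted line `password: s3cr3t #1` as the value `s3cr3t`, while the quoted form keeps the whole string and escapes any embedded newline onto a single line.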

What’s next?

We want to increase the number of database password rotation engines and add support for SSL, which has been on the cards for some time but never got implemented.

If you think you can help and have spare time, we would very much like you to get involved. Just have a look at the contributing guidelines.

Enjoy!
