A Kubernetes operator that bridges Hardware Security Module (HSM) data storage with Kubernetes Secrets, providing true secret portability th
---
# HSMSecret: asks the hsm-secrets-operator to materialise a Kubernetes Secret
# from the HSM entry whose path is taken from metadata.name (external-api-keys).
apiVersion: hsm.j5t.io/v1alpha1
kind: HSMSecret
metadata:
  name: external-api-keys
  namespace: default
  labels:
    app: myapp
    type: api-keys
  annotations:
    hsm.j5t.io/description: "API keys for external services (Stripe, AWS, etc.)"
spec:
  # Which operator instance owns this resource (controller name + namespace).
  parentRef:
    name: controller-manager
    namespace: hsm-secrets-operator-system

  # Keep the Secret in step with the HSM without manual intervention;
  # 600 s == 10 minutes, chosen because API keys may be rotated often.
  autoSync: true
  syncInterval: 600
---
# Example consumer: a Deployment that injects the HSM-backed Secret
# (external-api-keys) into the container as environment variables.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: payment-service
  namespace: default
spec:
  replicas: 3
  selector:
    matchLabels:
      app: payment-service
  template:
    metadata:
      labels:
        app: payment-service
    spec:
      containers:
        - name: payment-service
          image: mycompany/payment-service:v1.2.3
          # NOTE(review): no securityContext is declared for this container;
          # a workload holding third-party credentials is a natural candidate
          # for runAsNonRoot / allowPrivilegeEscalation: false — confirm the
          # image tolerates them before adding.
          ports:
            - name: http
              containerPort: 8080

          # Every entry below reads one key of the Secret named
          # external-api-keys. Values never appear in the manifest itself.
          # NOTE(review): env-var injection exposes the values to every process
          # in the container; a volume mount is the tighter alternative.
          env:
            # Stripe
            - name: STRIPE_API_KEY
              valueFrom:
                secretKeyRef:
                  name: external-api-keys
                  key: stripe_api_key
            - name: STRIPE_WEBHOOK_SECRET
              valueFrom:
                secretKeyRef:
                  name: external-api-keys
                  key: stripe_webhook_secret

            # AWS
            - name: AWS_ACCESS_KEY_ID
              valueFrom:
                secretKeyRef:
                  name: external-api-keys
                  key: aws_access_key_id
            - name: AWS_SECRET_ACCESS_KEY
              valueFrom:
                secretKeyRef:
                  name: external-api-keys
                  key: aws_secret_access_key

            # Remaining third-party services
            - name: SENDGRID_API_KEY
              valueFrom:
                secretKeyRef:
                  name: external-api-keys
                  key: sendgrid_api_key
            - name: DATADOG_API_KEY
              valueFrom:
                secretKeyRef:
                  name: external-api-keys
                  key: datadog_api_key

          # Liveness: restart the container if /health stops answering.
          livenessProbe:
            httpGet:
              path: /health
              port: 8080
            initialDelaySeconds: 30
            periodSeconds: 10

          # Readiness: keep the pod out of the Service until /ready succeeds.
          readinessProbe:
            httpGet:
              path: /ready
              port: 8080
            initialDelaySeconds: 5
            periodSeconds: 5

          # Scheduling requests and hard limits for one replica.
          resources:
            requests:
              cpu: 100m
              memory: 128Mi
            limits:
              cpu: 500m
              memory: 512Mi
109
110---
111# Service for the payment service
112apiVersion: v1
113kind: Service
114metadata:
115 name: payment-service
116 namespace: default
117 labels:
118 app: payment-service
119spec:
120 selector:
121 app: payment-service
122 ports:
123 - port: 80
124 targetPort: 8080
125 name: http
126 type: ClusterIP