kubernetes

package
v1.1.0
Published: Feb 21, 2026 License: MIT Imports: 10 Imported by: 0

README

Kubernetes Secret Source (k8s://)

The Kubernetes secret source retrieves secrets directly from the Kubernetes API.

Status

Plugin: This source is opt-in. It is not enabled by default and requires explicit configuration using WithKubernetes().

Dependencies

This plugin requires the Kubernetes client libraries:

  • k8s.io/client-go
  • k8s.io/apimachinery
  • k8s.io/api

Usage

To use the Kubernetes source, use the k8s:// scheme followed by the namespace (optional) and secret name. You can either specify a key to retrieve a single value, or end the path with a / to retrieve the entire secret data map as JSON.

Syntax

Format 1: With Namespace

k8s://<NAMESPACE>/<SECRET_NAME>/<KEY>

Or to get the entire secret as JSON:

k8s://<NAMESPACE>/<SECRET_NAME>/

Format 2: Default Namespace

k8s://<SECRET_NAME>/<KEY>

Or to get the entire secret as JSON:

k8s://<SECRET_NAME>/

(Defaults to namespace default)

Examples

Retrieve the entire secret db-creds as JSON in namespace prod:

k8s://prod/db-creds/

Retrieve key token from secret api-access in namespace default:

k8s://api-access/token

Configuration

To use this source, you must initialize spelunk with a Kubernetes client:

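package main

import (
    "context"
    "log"

    "github.com/detro/spelunk"
    spelunkk8s "github.com/detro/spelunk/plugin/source/kubernetes"
    "k8s.io/client-go/kubernetes"
    "k8s.io/client-go/rest"
)

func main() {
    ctx := context.Background()

    // 1. Create Kubernetes client
    config, err := rest.InClusterConfig() // or clientcmd.BuildConfigFromFlags
    if err != nil {
        log.Fatalf("loading in-cluster config: %v", err)
    }
    clientset, err := kubernetes.NewForConfig(config)
    if err != nil {
        log.Fatalf("creating Kubernetes client: %v", err)
    }

    // 2. Initialize Spelunker with the Kubernetes plugin.
    // The plugin import is aliased because both packages are named "kubernetes".
    s := spelunk.NewSpelunker(
        spelunkk8s.WithKubernetes(clientset.CoreV1()),
    )

    // 3. Dig up secrets. coord is the secret coordinate for a k8s:// location;
    // building it is not shown in this snippet.
    secret, err := s.DigUp(ctx, coord)
    if err != nil {
        log.Fatalf("digging up secret: %v", err)
    }
    _ = secret // use the value here; avoid writing it to logs
}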

Behavior

  1. Parsing: Splits the location into Namespace, Name, and Key.
  2. Validation: Checks if Namespace and Name are valid DNS subdomains (RFC 1123).
  3. Retrieval: Uses k8sClient.Secrets(namespace).Get() to fetch the secret resource.
  4. Extraction: If a Key was provided, it looks up the specific Key in the secret's Data map. If the path ends with / (no key), it marshals the entire Data map into a JSON string and returns it.
  5. Errors:
    • Returns ErrSecretNotFound if the Secret resource doesn't exist.
    • Returns ErrSecretKeyNotFound if the Secret exists but the Key does not.
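
The parsing and validation steps above, written out as an added example; this is not the plugin's own code. The function and error names are hypothetical, and rejecting locations with no `/` or with extra path segments is an assumption about edge cases the README does not spell out.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Hypothetical names for this example; not the spelunk plugin's identifiers.
var (
	errLocation = errors.New("invalid k8s location format")
	errName     = errors.New("invalid Kubernetes name")
	// RFC 1123 DNS subdomain, as Kubernetes defines it for object names.
	dns1123Subdomain = regexp.MustCompile(
		`^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$`)
)

// parseK8sLocation splits the part after "k8s://" into namespace, name and
// key. An empty key means "return the whole secret as JSON".
func parseK8sLocation(loc string) (ns, name, key string, err error) {
	parts := strings.Split(loc, "/")
	switch len(parts) {
	case 2: // NAME/KEY or NAME/
		ns, name, key = "default", parts[0], parts[1]
	case 3: // NAMESPACE/NAME/KEY or NAMESPACE/NAME/
		ns, name, key = parts[0], parts[1], parts[2]
	default: // no "/" at all, or extra path segments
		return "", "", "", errLocation
	}
	// Validate before anything reaches the API client: rejects empty,
	// upper-case, over-long and traversal-style ("..") segments.
	for _, v := range []string{ns, name} {
		if len(v) > 253 || !dns1123Subdomain.MatchString(v) {
			return "", "", "", fmt.Errorf("%w: %q", errName, v)
		}
	}
	return ns, name, key, nil
}

func main() {
	for _, loc := range []string{ // constructed sample locations
		"prod/db-creds/", "api-access/token", "Prod/db-creds/token",
		"../kube-system/token", "db-creds", "a/b/c/d",
	} {
		ns, name, key, err := parseK8sLocation(loc)
		fmt.Printf("%-22q ns=%q name=%q key=%q err=%v\n", loc, ns, name, key, err)
	}
}
```

Validating both segments before the API call matters when the location string comes from configuration or user input, since the namespace segment decides which namespace's secrets the client's service account is asked to read.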

Use Cases

  • Kubernetes Operators/Controllers: Retrieving secrets dynamically without mounting them.
  • In-Cluster Applications: Accessing secrets from other namespaces (if RBAC permits).

Documentation

Variables

var (
	ErrSecretSourceKubernetesInvalidLocation = fmt.Errorf(
		"invalid Kubernetes secret location format",
	)
	ErrSecretSourceKubernetesInvalidName = fmt.Errorf("invalid Kubernetes name")
)

Functions

func WithKubernetes

func WithKubernetes(k8sClient corev1.SecretsGetter) spelunk.SpelunkerOption

WithKubernetes enables the SecretSourceKubernetes.

Types

type SecretSourceKubernetes

type SecretSourceKubernetes struct {
	// contains filtered or unexported fields
}

SecretSourceKubernetes digs up secrets from Kubernetes Secrets. The URI scheme for this source is "k8s".

k8s://NAMESPACE/NAME/KEY
k8s://NAME/KEY (where NAMESPACE is "default")
k8s://NAMESPACE/NAME/
k8s://NAME/ (where NAMESPACE is "default")

When `/KEY` is appended, Spelunk extracts the specific value in the secret's data map. Otherwise, if it ends with `/`, it returns the whole secret's data key-value map as JSON.

This types.SecretSource is a plug-in to spelunker.Spelunker and must be enabled explicitly.

func (*SecretSourceKubernetes) DigUp

func (s *SecretSourceKubernetes) DigUp(
	ctx context.Context,
	coord types.SecretCoord,
) (string, error)

func (*SecretSourceKubernetes) Type

func (s *SecretSourceKubernetes) Type() string
