SVIEW allows you to control external dependency injection for your deployment in several applications (generic, python).
Description
Currently four dependency engines are used.
Key | Description |
---|---|
iam | Ability to define ServiceAccount roles in Cloud Provider. |
onepassword | Ability to map 1Password secrets. |
ssm | Ability to use Secret Store / Secret Manager engines. |
db | Automatically injects database user/password details. |
Description
This engine lets you define roles in the GCP cloud provider for the project. It automatically creates all necessary SA mappings to the Service Account in K8S.
Key | Value | Description |
---|---|---|
buckets | "true" | A boolean indicating if buckets are enabled. |
roles | - role/super - role/blah | A list of roles, including role/super and role/blah. |
Code example
```yaml
ServiceAccount:
  create: true
dependency:
  iam:
    buckets: "true"
    roles:
      - role/super
      - role/blah
```
Description
Helps you easily connect your application to a database instance.
Key | Value | Description |
---|---|---|
type | rds-mysql | The type of the database, in this case, RDS MySQL. |
keys.secretKey | username | The secret key for the database username. |
keys.envKey | MYSQL_USERNAME | The environment variable key for the username. |
keys.namespace | overridens | (Optional) Namespace to refer to a database in another namespace. |
keys.user | overrideuser | (Optional) User to refer to a database in another user context. |
keys.instance | overrideinstance | (Optional) Instance to refer to a database in another instance. |
Code example
```yaml
dependency:
  db:
    type: rds-mysql
    keys:
      - secretKey: username
        envKey: MYSQL_USERNAME
        ### namespace, user and instance are optional and can be used to refer to a database in another namespace, user or instance
        namespace: overridens
        user: overrideuser
        instance: overrideinstance
        ###
      - secretKey: password
        envKey: MYSQL_PASSWORD
      - secretKey: hostname
        envKey: HOSTNAME
```
Description
The SSM dependency is helpful when an application requires dynamic parameters: they can be placed in the cloud provider's Parameter Store and fetched from there. With a declaration like the one provided below, all the values are pulled and the resulting secret is created in the application's namespace.
The name of the secret in the cloud provider's Parameter Store must match the dependency block in the application's specification (instance, namespace, stage and environment have to be the same) and have the following format:
/<stage>/<tenant>/<namespace>/application-secrets-<instance>
Example of SSM secret
Name: /dev/myenvironement/payments/application-secrets-gw
create SecureString
value:
```json
{
  "EMAIL_HOST_PASSWORD": "superSecret6x2#datA0+X",
  "SOME_SECRET_KEY": "rt0plswerksdmakffr354_ka+0xrk^@xf042-f3fk203fk23fDk23"
}
```
Application configuration
Use the table and example below to configure the SSM dependency in the application's configuration. By default, keys are referenced to the namespace and instance of the application.
It is possible to refer to keys in other namespaces or from other instances by overriding the required values per key. In that case, ssmKeys contains the list of parameters to be fetched.
Key | Value | Description |
---|---|---|
followKeysFormat | false | Whether to follow the keys format. The default value is false, meaning all the keys in the resulting secret are uppercased. |
secretName | nameOfSecretCreated | The name of the secret that is created. If not provided, the default naming pattern is used. No need to specify it in most cases. |
instance | gw | The instance name to override. Defaults to the application's name. |
stage | dev | Stage name (dev, prod, etc.). Cannot be overwritten in the application's dependency. |
environment | myenvironement | Environment name. Cannot be overwritten in the application's dependency. |
namespace | payments | The namespace to override. Defaults to the application's namespace. |
name | secrets | The name associated with the secret. Defaults to applications-secrets-${instance}- . |
sOverride | secretsmanager | The service to override, specifically the secrets manager. AWS specific. |
json | "false" | A boolean indicating whether the secret's format is JSON. |
keys | [] | List of keys to fetch from the parameter store. If json: true, the keys are looked up inside the secret; if json: false, the keys are parameter names in the parameter store. |
Code example
```yaml
dependency:
  ssm:
    followKeysFormat: true
    secretName: application-secrets-gw
    instance: gw
    namespace: payments
    name: secrets
    sOverride: secretsmanager
    json: "false"
    keys:
      - EMAIL_HOST_PASSWORD
      - SOME_SECRET_KEY
      - ssmKeys:
          - anotherSUPER
          - anotherBLAH
        namespace: "extran"
        instance: "extrai"
        name: "exttarna"
        sOverride: secretsmanager
        json: "true"
```
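The db and ssm sections above both allow a key to point at another namespace or instance, so a reviewer will want to see exactly which secrets a deployment reads. The following is an added example, not SVIEW code: it resolves an ssm block to Parameter Store paths using the format stated on this page and flags reads outside the application's own scope. The `app` dict layout and all function names are assumptions, and `name` and `sOverride` are assumed to be left at their defaults.

```python
# Added example, not SVIEW code. The `app` dict layout and function names are
# assumptions; `name` and `sOverride` are assumed to be left at their defaults.

def ssm_path(stage, environment, namespace, instance):
    # Format from the page: /<stage>/<tenant>/<namespace>/application-secrets-<instance>
    # <tenant> is filled with the environment, as in the page's example name.
    return f"/{stage}/{environment}/{namespace}/application-secrets-{instance}"

def ssm_reads(app, ssm):
    """List every Parameter Store secret an ssm block reads, flagging other scopes."""
    base = (ssm.get("namespace", app["namespace"]), ssm.get("instance", app["name"]))
    groups = {}  # (namespace, instance) -> key names fetched from that secret
    for entry in ssm.get("keys", []):
        if isinstance(entry, dict):  # per-key override carrying its own ssmKeys
            scope = (entry.get("namespace", base[0]), entry.get("instance", base[1]))
            groups.setdefault(scope, []).extend(entry.get("ssmKeys", []))
        else:
            groups.setdefault(base, []).append(entry)
    own = (app["namespace"], app["name"])
    return [{"path": ssm_path(app["stage"], app["environment"], ns, inst),
             "keys": keys,
             "cross_scope": (ns, inst) != own}
            for (ns, inst), keys in groups.items()]

def db_overrides(db):
    """Return the secretKey of each db key that sets namespace, user or instance."""
    return [k["secretKey"] for k in db.get("keys", [])
            if any(field in k for field in ("namespace", "user", "instance"))]

# Constructed sample mirroring the page's examples (already parsed from YAML).
APP = {"name": "gw", "namespace": "payments", "stage": "dev",
       "environment": "myenvironement"}
DEPENDENCY = {
    "db": {"type": "rds-mysql", "keys": [
        {"secretKey": "username", "envKey": "MYSQL_USERNAME",
         "namespace": "overridens", "user": "overrideuser", "instance": "overrideinstance"},
        {"secretKey": "password", "envKey": "MYSQL_PASSWORD"}]},
    "ssm": {"json": "true", "keys": [
        "EMAIL_HOST_PASSWORD", "SOME_SECRET_KEY",
        {"ssmKeys": ["anotherSUPER", "anotherBLAH"],
         "namespace": "extran", "instance": "extrai", "json": "true"}]},
}

if __name__ == "__main__":
    for read in ssm_reads(APP, DEPENDENCY["ssm"]):
        print(read)
    print("db keys with overrides:", db_overrides(DEPENDENCY["db"]))
```

Only paths and key names are reported, never secret values, so the output is safe to attach to a change review.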
Description
Helps applications use parameters and secrets stored in OnePassword. There are two ways of declaring onepassword items: as a list of entries (each with a secretKey and a remoteRef), or as a dictionary of key-value pairs.
Key | Value | Description |
---|---|---|
onepassword.secrets.k8s-secret-as-list1 | - secretKey: spring.datasource.username remoteRef: key: db-credentials property: username - secretKey: spring.datasource.password remoteRef: key: db-credentials property: password | List of secrets for k8s-secret-as-list1 with each secret containing a secretKey and a remoteRef. |
onepassword.secrets.k8s-secret-as-list2 | - secretKey: spring.datasource.username remoteRef: key: db-credentials property: username | List of secrets for k8s-secret-as-list2 with a secretKey and a remoteRef. |
onepassword.secrets.k8s-secret-as-dict1 | spring.datasource.username: db-credentials/username spring.datasource.password: db-credentials/password | Dictionary of secrets for k8s-secret-as-dict1, mapping secret keys to remote references. |
onepassword.secrets.k8s-secret-as-dict2 | spring.datasource.username: db-credentials/username spring.datasource.password: db-credentials/password | Dictionary of secrets for k8s-secret-as-dict2, mapping secret keys to remote references. |
Code example
```yaml
dependency:
  onepassword:
    secrets:
      k8s-secret-as-list1:
        - secretKey: spring.datasource.username
          remoteRef:
            key: db-credentials
            property: username
        - secretKey: spring.datasource.password
          remoteRef:
            key: db-credentials
            property: password
      k8s-secret-as-list2:
        - secretKey: spring.datasource.username
          remoteRef:
            key: db-credentials
            property: username
      ## OR
      k8s-secret-as-dict1:
        spring.datasource.username: db-credentials/username
        spring.datasource.password: db-credentials/password
      k8s-secret-as-dict2:
        spring.datasource.username: db-credentials/username
        spring.datasource.password: db-credentials/password
```