### Initialize Project with Bun and Install Kubricate CLI Source: https://github.com/thaitype/kubricate/blob/main/README.md Sets up a new project using Bun and installs the Kubricate CLI as a development dependency. Bun is recommended for its fast setup and built-in TypeScript support, but npm, yarn, or pnpm can also be used. ```bash mkdir first-stack cd first-stack bun init -y bun add -d kubricate ``` -------------------------------- ### Setup Environment for Custom Secrets Source: https://github.com/thaitype/kubricate/blob/main/examples/with-custom-type-secret/README.md Commands to set up the environment for custom type secret management. Copies the example environment file and shows the format for vendor API configuration with custom secret type. ```bash cp .env.example .env ``` ```bash # Vendor API Configuration (custom type: vendor.com/api-credentials) VENDOR_API_CONFIG={"api_key":"YOUR_API_KEY_HERE","api_endpoint":"https://api.vendor.example.com","api_timeout":"30"} ``` -------------------------------- ### Setup Ingress TLS Certificate and Key in .env File (Bash) Source: https://github.com/thaitype/kubricate/blob/main/examples/with-tls-secret/README.md Provides bash commands to copy an example environment file and edit it to include TLS certificate and private key information. It specifies the required JSON format for the INGRESS_TLS variable, emphasizing PEM encoding and escaped newlines. ```bash cp .env.example .env # Ingress TLS Certificate INGRESS_TLS={"cert":"-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----","key":"-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----"} ``` -------------------------------- ### Missing Key Parameter Example (TypeScript) Source: https://github.com/thaitype/kubricate/blob/main/examples/with-basic-auth-secret/README.md Demonstrates the error for missing 'key' in env injection and the fix. Emphasizes requirement of the key parameter; correct code includes it to avoid build failures. ```typescript .inject('env', { key: 'username' }) // ✅ Correct .inject('env') // ❌ Missing key ``` -------------------------------- ### Bulk Injection for All Credentials (TypeScript) Source: https://github.com/thaitype/kubricate/blob/main/examples/with-basic-auth-secret/README.md Examples for injecting all secret credentials at once, with or without a prefix. Optionally uses a prefix parameter; designed for bulk env var injection in Kubricate without needing individual keys. ```typescript .inject('envFrom') // No prefix .inject('envFrom', { prefix: 'DB_' }) // With prefix ``` -------------------------------- ### Kubernetes Manifest Generation Command Source: https://github.com/thaitype/kubricate/blob/main/examples/with-tls-secret/README.md Command to generate Kubernetes manifests using Kubricate. This command processes the configuration and outputs the necessary YAML files for deployment. ```bash pnpm kbr generate ``` -------------------------------- ### Kubernetes Basic Auth Secret YAML Output (Individual Injection) Source: https://github.com/thaitype/kubricate/blob/main/examples/with-basic-auth-secret/README.md Example of generated Kubernetes YAML for a Deployment that injects username and password from a basic auth secret as individual environment variables. ```yaml apiVersion: v1 kind: Secret metadata: name: api-credentials namespace: kubricate-with-basic-auth-secret type: kubernetes.io/basic-auth data: username: password: --- apiVersion: apps/v1 kind: Deployment spec: template: spec: containers: - name: api-service env: - name: API_USERNAME valueFrom: secretKeyRef: name: api-credentials key: username - name: API_PASSWORD valueFrom: secretKeyRef: name: api-credentials key: password ``` -------------------------------- ### Generate Kubernetes Manifests Source: https://github.com/thaitype/kubricate/blob/main/examples/with-custom-type-secret/README.md Commands to generate Kubernetes manifests using kubricate. Shows both filter-based and directory-based approaches for generating resources with custom type secrets. ```bash pnpm --filter=@examples/with-custom-type-secret kubricate generate ``` ```bash pnpm kbr generate ``` -------------------------------- ### Kubernetes Basic Auth Secret YAML Output (Bulk Injection with Prefix) Source: https://github.com/thaitype/kubricate/blob/main/examples/with-basic-auth-secret/README.md Example of generated Kubernetes YAML for a Deployment using envFrom to inject credentials from a basic auth secret with a prefix (e.g., DB_username, DB_password). ```yaml apiVersion: apps/v1 kind: Deployment spec: template: spec: containers: - name: db-client envFrom: - prefix: DB_ secretRef: name: db-credentials ``` -------------------------------- ### Check Generated Secrets in Output (Bash) Source: https://github.com/thaitype/kubricate/blob/main/examples/with-basic-auth-secret/README.md Bash command to inspect the generated YAML for Kubernetes Secret resources. Requires the output file to exist; uses grep to filter Secret sections for verification. ```bash cat output/apiServiceApp.yml | grep -A 5 "kind: Secret" ``` -------------------------------- ### Get Known Hosts Entry (Bash) Source: https://github.com/thaitype/kubricate/blob/main/examples/with-ssh-auth-secret/README.md Retrieves the SSH host key entry for a given server (e.g., github.com) and formats it for the 'known_hosts' file. This is used to verify server identity during SSH connections. ```bash ssh-keyscan github.com ``` -------------------------------- ### Handle Multiple envFrom Prefixes in TypeScript Source: https://github.com/thaitype/kubricate/blob/main/examples/with-basic-auth-secret/README.md Solves the issue of using different envFrom prefixes for the same provider instance. This requires separate provider instances since each Kubernetes Secret can only have one prefix value. ```typescript // ❌ Wrong - different prefixes for same provider .addProvider('BasicAuthProvider', new BasicAuthSecretProvider({ name: 'shared-creds' })) c.secrets('API_CREDS').inject('envFrom', { prefix: 'API_' }); c.secrets('DB_CREDS').inject('envFrom', { prefix: 'DB_' }); // ✅ Correct - separate providers for different secrets .addProvider('ApiProvider', new BasicAuthSecretProvider({ name: 'api-creds' })) .addProvider('DbProvider', new BasicAuthSecretProvider({ name: 'db-creds' })) c.secrets('API_CREDS', { provider: 'ApiProvider' }).inject('envFrom', { prefix: 'API_' }); c.secrets('DB_CREDS', { provider: 'DbProvider' }).inject('envFrom', { prefix: 'DB_' }); ``` -------------------------------- ### Invalid Key Example for Env Injection (TypeScript) Source: https://github.com/thaitype/kubricate/blob/main/examples/with-basic-auth-secret/README.md Shows incorrect usage with an invalid key, which causes validation errors. Highlights limitation to only 'username' or 'password' keys; correct version uses valid keys. ```typescript .inject('env', { key: 'username' }) // ✅ Correct .inject('env', { key: 'email' }) // ❌ Invalid ``` -------------------------------- ### Generate Kubernetes Manifests with Kubricate (Bash) Source: https://github.com/thaitype/kubricate/blob/main/examples/with-tls-secret/README.md Demonstrates how to generate Kubernetes manifests using the Kubricate CLI. It provides two commands: one for local generation and another for generating within a monorepo context using pnpm filters. ```bash pnpm kbr generate pnpm --filter=@examples/with-tls-secret kubricate generate ``` -------------------------------- ### Fix Mixed Injection Strategies in TypeScript Source: https://github.com/thaitype/kubricate/blob/main/examples/with-basic-auth-secret/README.md Shows how to avoid mixing injection strategies (env and envFrom) with the same provider which causes conflicts. The solution is to use consistent injection methods for the same secret provider. ```typescript // ❌ Wrong - mixing strategies c.secrets('CREDS') .forName('USER') .inject('env', { key: 'username', targetPath: 'custom.path' }); c.secrets('CREDS') .inject('envFrom', { prefix: 'DB_', targetPath: 'custom.path' }); // ✅ Correct - use only one strategy c.secrets('CREDS') .forName('USER') .inject('env', { key: 'username' }); c.secrets('CREDS') .forName('PASS') .inject('env', { key: 'password' }); ``` -------------------------------- ### Verify Environment Variables in Output (Bash) Source: https://github.com/thaitype/kubricate/blob/main/examples/with-basic-auth-secret/README.md Bash command to check environment variables in the generated YAML. Depends on the output YAML file; uses grep to extract env sections for debugging. ```bash cat output/apiServiceApp.yml | grep -A 10 "env:" ``` -------------------------------- ### Verifying Environment Variable Injection in Deployment Source: https://github.com/thaitype/kubricate/blob/main/examples/with-tls-secret/README.md Command to check if the TLS certificate and key have been correctly injected as environment variables in the Deployment manifest. It filters the output to show the 'env:' section, ensuring 'TLS_CERT' and 'TLS_KEY' are present. ```bash cat output/ingressControllerApp.yml | grep -A 12 "env:" ``` -------------------------------- ### Kubernetes Basic Auth Secret Configuration (TypeScript) Source: https://github.com/thaitype/kubricate/blob/main/examples/with-basic-auth-secret/README.md Configures a SecretManager with EnvConnector and BasicAuthSecretProvider to load and manage Kubernetes basic authentication secrets from environment variables. ```typescript export const secretManager = new SecretManager() .addConnector('EnvConnector', new EnvConnector()) // Provider for API credentials .addProvider('ApiCredentialsProvider', new BasicAuthSecretProvider({ name: 'api-credentials', namespace: 'default', })) // Provider for database credentials .addProvider('DbCredentialsProvider', new BasicAuthSecretProvider({ name: 'db-credentials', namespace: 'default', })) .setDefaultConnector('EnvConnector') .setDefaultProvider('ApiCredentialsProvider') .addSecret({ name: 'API_CREDENTIALS', provider: 'ApiCredentialsProvider', }) .addSecret({ name: 'DB_CREDENTIALS', provider: 'DbCredentialsProvider', }); ``` -------------------------------- ### Kubricate Secret Injection Strategies Source: https://github.com/thaitype/kubricate/blob/main/examples/with-ssh-auth-secret/README.md Illustrates correct and incorrect usage of Kubricate's secret injection methods, specifically contrasting the use of 'env' and 'envFrom'. It highlights the error of mixing these strategies for the same secret. ```typescript // ❌ Wrong - mixing strategies c.secrets('SSH_KEY').forName('KEY1').inject('env', { key: 'ssh-privatekey' }); c.secrets('SSH_KEY').inject('envFrom'); // ✅ Correct - use one strategy c.secrets('SSH_KEY').forName('KEY1').inject('env', { key: 'ssh-privatekey' }); c.secrets('SSH_KEY').forName('KEY2').inject('env', { key: 'known_hosts' }); ``` -------------------------------- ### Format SSH Private Key in JSON Source: https://github.com/thaitype/kubricate/blob/main/examples/with-ssh-auth-secret/README.md Demonstrates the correct JSON format for an SSH private key, ensuring newlines are represented by '\n'. This is crucial for services that parse JSON configurations. ```json {"ssh-privatekey":"-----BEGIN OPENSSH PRIVATE KEY-----\nline1\nline2\n-----END OPENSSH PRIVATE KEY-----"} ``` -------------------------------- ### Fix: Provide 'secretType' when creating CustomTypeSecretProvider Source: https://github.com/thaitype/kubricate/blob/main/examples/with-custom-type-secret/README.md This example demonstrates the required `secretType` parameter when initializing a `CustomTypeSecretProvider`. This parameter is crucial for defining the type of secret being managed. ```typescript new CustomTypeSecretProvider({ name: 'vendor-api-secret', secretType: 'vendor.com/api-credentials', // ← Required }) ``` -------------------------------- ### Verifying Kubernetes Secret Generation Source: https://github.com/thaitype/kubricate/blob/main/examples/with-tls-secret/README.md Command to verify that the Kubernetes Secret resource has been correctly generated. It uses 'cat' and 'grep' to display the relevant section of the outputted YAML, confirming the secret's name, namespace, type, and data keys. ```bash cat output/ingressControllerApp.yml | grep -A 6 "kind: Secret" ``` -------------------------------- ### Kubricate envFrom Prefix Consistency Source: https://github.com/thaitype/kubricate/blob/main/examples/with-ssh-auth-secret/README.md Demonstrates how to correctly use prefixes with Kubricate's `envFrom` injection. It shows the error of using different prefixes and the correct approach of using a consistent prefix for all `envFrom` injections targeting the same secret. ```typescript // ❌ Wrong - different prefixes c.secrets('SSH_KEY').inject('envFrom', { prefix: 'GIT_' }); c.secrets('SSH_KEY').inject('envFrom', { prefix: 'SSH_' }); // ✅ Correct - same prefix c.secrets('SSH_KEY').inject('envFrom', { prefix: 'GIT_' }); c.secrets('SSH_KEY').inject('envFrom', { prefix: 'GIT_' }); ``` -------------------------------- ### Add Server Host Key to known_hosts Source: https://github.com/thaitype/kubricate/blob/main/examples/with-ssh-auth-secret/README.md Shows how to scan a server's host key and append it to the SSH known_hosts file. This is a common step to prevent man-in-the-middle attacks by pre-verifying server identities. ```bash ssh-keyscan your-server.com >> ~/.ssh/known_hosts ``` -------------------------------- ### Fix Missing Key Parameter for Env Injection in TlsSecretProvider Source: https://github.com/thaitype/kubricate/blob/main/examples/with-tls-secret/README.md Resolves the error where the 'key' parameter is required for environment variable injection with TlsSecretProvider. This ensures the correct secret key is specified for injection. ```typescript // ❌ Wrong .inject('env') // ✅ Correct .inject('env', { key: 'tls.crt' }) ``` -------------------------------- ### Kubernetes Basic Auth Secret Bulk Injection with Prefix (TypeScript) Source: https://github.com/thaitype/kubricate/blob/main/examples/with-basic-auth-secret/README.md Injects all keys from a BasicAuthSecretProvider into environment variables using envFrom, applying a specified prefix (e.g., DB_). This simplifies configuration when multiple credentials need to be exposed with a common prefix. ```typescript c.secrets('DB_CREDENTIALS').inject('envFrom', { prefix: 'DB_' }); ``` -------------------------------- ### Kubernetes SSH Auth Secret Format (JSON) Source: https://github.com/thaitype/kubricate/blob/main/examples/with-ssh-auth-secret/README.md Defines the structure for a Kubernetes secret of type 'kubernetes.io/ssh-auth'. It requires 'ssh-privatekey' and optionally accepts 'known_hosts'. ```json { "ssh-privatekey": "-----BEGIN OPENSSH PRIVATE KEY-----\n...\n-----END OPENSSH PRIVATE KEY-----", "known_hosts": "github.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7..." } ``` -------------------------------- ### Generated Custom Type Secret YAML Source: https://github.com/thaitype/kubricate/blob/main/examples/with-custom-type-secret/README.md Shows the generated Kubernetes YAML for a custom-type secret and its injection into a deployment. The secret uses a custom type vendor.com/api-credentials with base64-encoded values. ```yaml apiVersion: v1 kind: Secret metadata: name: vendor-api-secret namespace: kubricate-with-custom-type-secret type: vendor.com/api-credentials data: api_key: api_endpoint: api_timeout: --- apiVersion: apps/v1 kind: Deployment spec: template: spec: containers: - name: vendor-integration env: - name: VENDOR_API_KEY valueFrom: secretKeyRef: name: vendor-api-secret key: api_key - name: VENDOR_API_ENDPOINT valueFrom: secretKeyRef: name: vendor-api-secret key: api_endpoint - name: VENDOR_API_TIMEOUT valueFrom: secretKeyRef: name: vendor-api-secret key: api_timeout ``` -------------------------------- ### Bash: Verify Generated Environment Variables Source: https://github.com/thaitype/kubricate/blob/main/examples/with-custom-type-secret/README.md A bash command to inspect the generated Kubernetes manifest file and display environment variable definitions within the secrets. This helps in verifying that secret keys have been correctly injected as environment variables. ```bash cat output/vendorIntegrationApp.yml | grep -A 15 "env:" ``` -------------------------------- ### Bulk Inject SSH Secrets with Prefix as Env Vars (TypeScript) Source: https://github.com/thaitype/kubricate/blob/main/examples/with-ssh-auth-secret/README.md Injects all key-value pairs from a secret ('DEPLOY_SSH_KEY') into environment variables, prepending each with 'DEPLOY_'. This method is useful for namespacing secrets and avoiding conflicts. ```typescript Stack.fromTemplate(simpleAppTemplate, { namespace: 'default', imageName: 'deployment-runner', name: 'deployment-service', }) .useSecrets(secretManager, c => { c.secrets('DEPLOY_SSH_KEY') .inject('envFrom', { prefix: 'DEPLOY_' }); }); ``` -------------------------------- ### Custom Secret JSON Format Source: https://github.com/thaitype/kubricate/blob/main/examples/with-custom-type-secret/README.md Defines the expected JSON format for custom-type secrets with flexible key/value pairs. This structure is used by CustomTypeSecretProvider to create Kubernetes secrets with custom types. ```json { "api_key": "your-api-key", "api_endpoint": "https://api.vendor.example.com", "api_timeout": "30" } ``` -------------------------------- ### Generate SSH Key Pair (Bash) Source: https://github.com/thaitype/kubricate/blob/main/examples/with-ssh-auth-secret/README.md Generates a new SSH key pair using RSA encryption with a key size of 4096 bits. The public and private keys are saved to the specified file path. ```bash ssh-keygen -t rsa -b 4096 -C "your_email@example.com" -f ~/.ssh/id_rsa_kubricate ``` -------------------------------- ### Individual Key Injection for Env Vars (TypeScript) Source: https://github.com/thaitype/kubricate/blob/main/examples/with-basic-auth-secret/README.md Code for injecting specific keys like 'username' into environment variables with custom names. Requires calling .forName() and specifying the key; useful for granular control over env vars in Kubricate secrets. ```typescript .inject('env', { key: 'username' }) // Select specific key .forName('CUSTOM_ENV_NAME') // Set custom env var name ``` -------------------------------- ### Kubernetes Basic Auth Secret Individual Key Injection (TypeScript) Source: https://github.com/thaitype/kubricate/blob/main/examples/with-basic-auth-secret/README.md Injects 'username' and 'password' from a BasicAuthSecretProvider into environment variables with specific names (e.g., API_USERNAME, API_PASSWORD). Requires the secret to be defined and the SecretManager to be configured. ```typescript c.secrets('API_CREDENTIALS') .forName('API_USERNAME') .inject('env', { key: 'username' }); c.secrets('API_CREDENTIALS') .forName('API_PASSWORD') .inject('env', { key: 'password' }); ``` -------------------------------- ### Bash: Check Generated Kubernetes Secrets Source: https://github.com/thaitype/kubricate/blob/main/examples/with-custom-type-secret/README.md A bash command to display the content of the generated Kubernetes Secret resources. It filters the output to show only the 'kind: Secret' section, allowing verification of the custom secret type and its associated data. ```bash cat output/vendorIntegrationApp.yml | grep -A 10 "kind: Secret" ``` -------------------------------- ### Create Custom Type Secret Provider Source: https://github.com/thaitype/kubricate/blob/main/examples/with-custom-type-secret/README.md Configures a CustomTypeSecretProvider for vendor API credentials with custom secret type. Defines allowed keys for type safety and sets up the secret provider with name, namespace, and custom type. ```typescript export const secretManager = new SecretManager() .addConnector('EnvConnector', new EnvConnector()) // Provider for vendor API credentials with custom type .addProvider( 'VendorApiProvider', new CustomTypeSecretProvider({ name: 'vendor-api-secret', namespace: config.namespace, secretType: 'vendor.com/api-credentials', // Optional: restrict allowed keys for type safety allowedKeys: ['api_key', 'api_endpoint', 'api_timeout'], }) ) .setDefaultConnector('EnvConnector') .setDefaultProvider('VendorApiProvider') .addSecret({ name: 'VENDOR_API_CONFIG', provider: 'VendorApiProvider', }); ``` -------------------------------- ### Correct Usage: Separate Providers for Each Secret (TypeScript) Source: https://github.com/thaitype/kubricate/blob/main/examples/with-basic-auth-secret/README.md Shows the proper way to create multiple secrets by using individual BasicAuthSecretProvider instances, each managing a separate Kubernetes Secret. It requires Kubricate imports and results in distinct Secret resources without conflicts. ```typescript // Each provider creates its own Secret resource .addProvider('ApiCredentialsProvider', new BasicAuthSecretProvider({ name: 'api-credentials', // Secret 1 })) .addProvider('DbCredentialsProvider', new BasicAuthSecretProvider({ name: 'db-credentials', // Secret 2 })) .addSecret({ name: 'API_CREDENTIALS', provider: 'ApiCredentialsProvider' }) .addSecret({ name: 'DB_CREDENTIALS', provider: 'DbCredentialsProvider' }) ``` -------------------------------- ### Troubleshoot Invalid Key in AllowedKeys Source: https://github.com/thaitype/kubricate/blob/main/examples/with-custom-type-secret/README.md Shows the error message when an attempt is made to inject a key that is not present in the `allowedKeys` list of the `CustomTypeSecretProvider`. The solution is to only use keys that are explicitly defined in the `allowedKeys` array. ```typescript // ✅ Correct - key is in allowedKeys .inject('env', { key: 'api_key' }) // ❌ Invalid - key not in allowedKeys .inject('env', { key: 'invalid_key' }) ``` -------------------------------- ### Resolve Secret Key Conflicts in TypeScript Source: https://github.com/thaitype/kubricate/blob/main/examples/with-basic-auth-secret/README.md Demonstrates how to fix conflicts when multiple secrets try to use the same provider instance by creating separate provider instances. This addresses the limitation of kubernetes.io/basic-auth secrets only supporting username and password keys. ```typescript // ❌ Wrong - reusing same provider .addProvider('BasicAuthSecretProvider', new BasicAuthSecretProvider({ name: 'api-credentials' })) .addSecret({ name: 'API_CREDENTIALS' }) .addSecret({ name: 'DB_CREDENTIALS' }) // Conflict! // ✅ Correct - separate providers .addProvider('ApiCredentialsProvider', new BasicAuthSecretProvider({ name: 'api-credentials' })) .addProvider('DbCredentialsProvider', new BasicAuthSecretProvider({ name: 'db-credentials' })) .addSecret({ name: 'API_CREDENTIALS', provider: 'ApiCredentialsProvider' }) .addSecret({ name: 'DB_CREDENTIALS', provider: 'DbCredentialsProvider' }) ``` -------------------------------- ### Fix for Missing targetName Error (TypeScript) Source: https://github.com/thaitype/kubricate/blob/main/examples/with-basic-auth-secret/README.md Corrected TypeScript code to resolve the 'Missing targetName' error by adding .forName(). Requires Kubricate secrets API; ensures environment variable name is specified for env injection. ```typescript c.secrets('API_CREDENTIALS') .forName('API_USERNAME') // ← Add this .inject('env', { key: 'username' }); ``` -------------------------------- ### Incorrect Usage: Single Provider for Multiple Secrets (TypeScript) Source: https://github.com/thaitype/kubricate/blob/main/examples/with-basic-auth-secret/README.md Demonstrates the wrong way to use BasicAuthSecretProvider by adding multiple secrets to one provider, leading to key conflicts in Kubernetes Secret resources. It requires the BasicAuthSecretProvider class and causes build-time errors due to key collisions. ```typescript // This will cause a conflict! .addProvider('BasicAuthSecretProvider', new BasicAuthSecretProvider({ name: 'api-credentials', // Single Secret resource })) .addSecret({ name: 'API_CREDENTIALS' }) // username + password .addSecret({ name: 'DB_CREDENTIALS' }) // username + password (CONFLICT!) ``` -------------------------------- ### Define Custom Secret Provider with Allowed Keys Source: https://github.com/thaitype/kubricate/blob/main/examples/with-custom-type-secret/README.md Instantiates a CustomTypeSecretProvider, defining a custom secret type and a list of allowed keys for enhanced type safety and validation. Attempting to use keys not in this list will result in a build-time error. ```typescript new CustomTypeSecretProvider({ name: 'vendor-api-secret', secretType: 'vendor.com/api-credentials', allowedKeys: ['api_key', 'api_endpoint', 'api_timeout'], }) ``` -------------------------------- ### Inject Custom Secret Keys to Environment Variables Source: https://github.com/thaitype/kubricate/blob/main/examples/with-custom-type-secret/README.md Injects individual keys from a custom-type secret as environment variables in a Kubernetes deployment. Each key is mapped to a specific environment variable name using the secretKeyRef mechanism. ```typescript c.secrets('VENDOR_API_CONFIG') .forName('VENDOR_API_KEY') .inject('env', { key: 'api_key' }); c.secrets('VENDOR_API_CONFIG') .forName('VENDOR_API_ENDPOINT') .inject('env', { key: 'api_endpoint' }); c.secrets('VENDOR_API_CONFIG') .forName('VENDOR_API_TIMEOUT') .inject('env', { key: 'api_timeout' }); ``` -------------------------------- ### Enable Individual Key Injection When envFrom is Not Supported Source: https://github.com/thaitype/kubricate/blob/main/examples/with-tls-secret/README.md Addresses the limitation where TlsSecretProvider only supports 'env' injection, not 'envFrom', due to dots in TLS secret keys invalidating environment variable names. This solution demonstrates how to use individual key injection instead. ```typescript // ❌ Wrong - envFrom not supported c.secrets('TLS').inject('envFrom'); c.secrets('TLS').inject('envFrom', { prefix: 'TLS_' }); // ✅ Correct - individual key injection c.secrets('TLS').forName('TLS_CERT').inject('env', { key: 'tls.crt' }); c.secrets('TLS').forName('TLS_KEY').inject('env', { key: 'tls.key' }); ``` -------------------------------- ### Correcting Invalid Key Error in TypeScript Source: https://github.com/thaitype/kubricate/blob/main/examples/with-tls-secret/README.md Demonstrates the correct usage of the `.inject()` method for TLS secrets, resolving the 'Invalid key' error. It specifies that only 'tls.crt' and 'tls.key' are valid keys when injecting into environment variables. ```typescript .inject('env', { key: 'tls.crt' }) // ✅ Valid .inject('env', { key: 'tls.key' }) // ✅ Valid ``` -------------------------------- ### Kubernetes Basic Auth Secret Bulk Injection without Prefix (TypeScript) Source: https://github.com/thaitype/kubricate/blob/main/examples/with-basic-auth-secret/README.md Injects all keys from a BasicAuthSecretProvider directly into environment variables using envFrom without any prefix. This is suitable when the secret keys map directly to desired environment variable names. ```typescript c.secrets('API_CREDENTIALS').inject('envFrom'); ``` -------------------------------- ### Fix: Provide 'key' parameter for env injection in Kubricate Source: https://github.com/thaitype/kubricate/blob/main/examples/with-custom-type-secret/README.md This snippet shows the correct way to provide the 'key' parameter when using the `.inject('env', ...)` method for environment variable injection. Omitting the 'key' parameter will result in an error. ```typescript .inject('env', { key: 'api_key' }) // ✅ Correct .inject('env') // ❌ Missing key ``` -------------------------------- ### Inject SSH Private Key and Known Hosts as Env Vars (TypeScript) Source: https://github.com/thaitype/kubricate/blob/main/examples/with-ssh-auth-secret/README.md Injects 'ssh-privatekey' and 'known_hosts' from a secret into separate environment variables named SSH_PRIVATE_KEY and SSH_KNOWN_HOSTS respectively. This provides granular control over environment variable names. ```typescript Stack.fromTemplate(simpleAppTemplate, { namespace: 'default', imageName: 'alpine/git', name: 'git-clone-service', }) .useSecrets(secretManager, c => { c.secrets('GIT_SSH_KEY') .forName('SSH_PRIVATE_KEY') .inject('env', { key: 'ssh-privatekey' }); c.secrets('GIT_SSH_KEY') .forName('SSH_KNOWN_HOSTS') .inject('env', { key: 'known_hosts' }); }); ``` -------------------------------- ### Troubleshoot Missing TargetName for Environment Injection Source: https://github.com/thaitype/kubricate/blob/main/examples/with-custom-type-secret/README.md Illustrates the error message received when `.forName()` is not used before `.inject()` for environment variable injection. The solution involves adding `.forName('ENV_VAR_NAME')` to specify the target environment variable name. ```typescript c.secrets('VENDOR_API_CONFIG') .forName('VENDOR_API_KEY') // ← Add this .inject('env', { key: 'api_key' }); ``` -------------------------------- ### Kubricate Secret Manager Configuration for TLS (TypeScript) Source: https://github.com/thaitype/kubricate/blob/main/examples/with-tls-secret/README.md Defines the SecretManager configuration for handling TLS secrets. It sets up an EnvConnector and a TlsSecretProvider, specifying the secret name, namespace, and default connector/provider. This configuration is used to add the 'INGRESS_TLS' secret. ```typescript export const secretManager = new SecretManager() .addConnector('EnvConnector', new EnvConnector()) .addProvider( 'IngressTlsProvider', new TlsSecretProvider({ name: 'ingress-tls', namespace: config.namespace, }) ) .setDefaultConnector('EnvConnector') .setDefaultProvider('IngressTlsProvider') .addSecret({ name: 'INGRESS_TLS', provider: 'IngressTlsProvider', }); ``` -------------------------------- ### Correcting Missing TargetName Error in TypeScript Source: https://github.com/thaitype/kubricate/blob/main/examples/with-tls-secret/README.md Provides the correct TypeScript code snippet to resolve the 'Missing targetName (.forName)' error. This involves ensuring that `.forName()` is called before `.inject('env', ...)` to specify the valid environment variable name. ```typescript // ✅ Correct c.secrets('INGRESS_TLS') .forName('TLS_CERT') .inject('env', { key: 'tls.crt' }); ``` -------------------------------- ### Resolve Conflict Detected Error by Using Separate Provider Instances Source: https://github.com/thaitype/kubricate/blob/main/examples/with-tls-secret/README.md Solves the 'Conflict detected' error which occurs when multiple secrets attempt to use the same provider instance. The solution involves creating distinct provider instances for each certificate to avoid conflicts. ```typescript // ❌ Wrong .addProvider('TlsProvider', new TlsSecretProvider({ name: 'ingress-tls' })) .addSecret({ name: 'INGRESS_TLS' }) .addSecret({ name: 'API_TLS' }) // Conflict! // ✅ Correct .addProvider('IngressTlsProvider', new TlsSecretProvider({ name: 'ingress-tls' })) .addProvider('ApiTlsProvider', new TlsSecretProvider({ name: 'api-tls' })) .addSecret({ name: 'INGRESS_TLS', provider: 'IngressTlsProvider' }) .addSecret({ name: 'API_TLS', provider: 'ApiTlsProvider' }) ``` -------------------------------- ### Add Multiple Custom Secret Providers to a Single Instance Source: https://github.com/thaitype/kubricate/blob/main/examples/with-custom-type-secret/README.md Demonstrates how to add multiple CustomTypeSecretProvider instances to a single provider manager, each configured with a different name, secret type, and allowed keys. This allows for managing multiple distinct secret configurations within the same application context. ```typescript .addProvider('VendorApiProvider', new CustomTypeSecretProvider({ name: 'vendor-api-secret', secretType: 'vendor.com/api-credentials', allowedKeys: ['api_key', 'api_endpoint'], })) .addProvider('PaymentProvider', new CustomTypeSecretProvider({ name: 'payment-secret', secretType: 'payment.example.com/credentials', allowedKeys: ['merchant_id', 'api_secret'], })) .addSecret({ name: 'VENDOR_CONFIG', provider: 'VendorApiProvider' }) .addSecret({ name: 'PAYMENT_CONFIG', provider: 'PaymentProvider' }) ``` -------------------------------- ### Kubernetes TLS Secret Definition Source: https://github.com/thaitype/kubricate/blob/main/examples/with-tls-secret/README.md Defines a Kubernetes Secret of type 'kubernetes.io/tls' to store TLS certificate and private key data. This secret is intended to be mounted or referenced by other Kubernetes resources. It requires base64-encoded certificate and key content. ```yaml apiVersion: v1 kind: Secret metadata: name: ingress-tls namespace: kubricate-with-tls-secret type: kubernetes.io/tls data: tls.crt: tls.key: ``` -------------------------------- ### Managing Multiple TLS Secrets in TypeScript Source: https://github.com/thaitype/kubricate/blob/main/examples/with-tls-secret/README.md Demonstrates how to configure multiple TLS secrets using Kubricate's SecretManager and TlsSecretProvider in TypeScript. Each TlsSecretProvider instance creates a distinct Kubernetes Secret resource, allowing for independent management of different TLS certificates. ```typescript new SecretManager() .addProvider('IngressTlsProvider', new TlsSecretProvider({ name: 'ingress-tls', namespace: 'production', })) .addProvider('ApiTlsProvider', new TlsSecretProvider({ name: 'api-tls', namespace: 'production', })) .addSecret({ name: 'INGRESS_TLS', provider: 'IngressTlsProvider' }) .addSecret({ name: 'API_TLS', provider: 'ApiTlsProvider' }); ``` -------------------------------- ### Inject Individual Secret Key into Environment Variable Source: https://github.com/thaitype/kubricate/blob/main/examples/with-custom-type-secret/README.md Injects a specific key from a secret into an environment variable. Requires `.forName()` to specify the environment variable name and the `key` parameter must match a key defined in the secret's `allowedKeys`. ```typescript c.secrets('VENDOR_API_CONFIG') .forName('CUSTOM_ENV_NAME') // Environment variable name .inject('env', { key: 'api_key' }); // Key from secret ``` -------------------------------- ### JSON Input Format for TlsSecretProvider Source: https://github.com/thaitype/kubricate/blob/main/examples/with-tls-secret/README.md Specifies the expected JSON format for providing TLS certificate and key data to the TlsSecretProvider. The 'cert' and 'key' fields must contain PEM-formatted data with newlines escaped as '\n'. This format is automatically base64-encoded by Kubricate for Kubernetes. ```json { "cert": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----", "key": "-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----" } ``` -------------------------------- ### Kubernetes TLS Secret Injection with Environment Variables (TypeScript) Source: https://github.com/thaitype/kubricate/blob/main/examples/with-tls-secret/README.md Illustrates the correct method for injecting individual keys from a kubernetes.io/tls secret into environment variables using Kubricate. It contrasts this with the unsupported 'envFrom' method, explaining why it fails due to dots in key names (tls.crt, tls.key) which are invalid in environment variables. Supports custom environment variable names. ```typescript c.secrets('TLS').inject('envFrom'); // Would result in: tls.crt=, tls.key= (INVALID!) c.secrets('TLS').forName('TLS_CERT').inject('env', { key: 'tls.crt' }); c.secrets('TLS').forName('TLS_KEY').inject('env', { key: 'tls.key' }); // Results in: TLS_CERT=, TLS_KEY= (valid) ``` -------------------------------- ### TypeScript: Injecting TLS Secret Key to Environment Variable Source: https://github.com/thaitype/kubricate/blob/main/examples/with-tls-secret/README.md Illustrates the TypeScript syntax for injecting a specific key from a TLS secret into an environment variable. It highlights the use of `.forName()` to define a valid environment variable name (e.g., 'TLS_CERT') and `.inject('env', { key: 'tls.crt' })` to reference the actual secret key containing a dot. ```typescript c.secrets('INGRESS_TLS') .forName('TLS_CERT') // ← Valid env var name (no dots) .inject('env', { key: 'tls.crt' }); // ← Secret key (has dots) ``` -------------------------------- ### Stack Configuration for TLS Secret Injection (TypeScript) Source: https://github.com/thaitype/kubricate/blob/main/examples/with-tls-secret/README.md Configures an ingress controller stack to utilize the SecretManager for TLS secret injection. It demonstrates how to reference the 'INGRESS_TLS' secret and inject its 'tls.crt' and 'tls.key' fields into custom environment variables named 'TLS_CERT' and 'TLS_KEY' respectively. ```typescript const ingressControllerApp = Stack.fromTemplate(simpleAppTemplate, { namespace: config.namespace, imageName: 'nginx', name: 'ingress-controller', }) .useSecrets(secretManager, c => { // Inject certificate as TLS_CERT environment variable c.secrets('INGRESS_TLS').forName('TLS_CERT').inject('env', { key: 'tls.crt' }); // Inject private key as TLS_KEY environment variable c.secrets('INGRESS_TLS').forName('TLS_KEY').inject('env', { key: 'tls.key' }); }) .override({ service: { apiVersion: 'v1', kind: 'Service', spec: { type: 'LoadBalancer', ports: [{ port: 443, targetPort: 443, protocol: 'TCP', name: 'https' }], }, }, }); ``` -------------------------------- ### Bulk Inject SSH Secrets without Prefix as Env Vars (TypeScript) Source: https://github.com/thaitype/kubricate/blob/main/examples/with-ssh-auth-secret/README.md Injects all key-value pairs from a secret ('GIT_SSH_KEY') directly into environment variables using their original key names ('ssh-privatekey', 'known_hosts'). This is suitable when original key names are desired. ```typescript Stack.fromTemplate(simpleAppTemplate, { namespace: 'default', imageName: 'ssh-tunnel', name: 'ssh-tunnel-worker', }) .useSecrets(secretManager, c => { c.secrets('GIT_SSH_KEY') .inject('envFrom'); }); ``` -------------------------------- ### Kubernetes Deployment with TLS Secrets as Environment Variables Source: https://github.com/thaitype/kubricate/blob/main/examples/with-tls-secret/README.md Configures a Kubernetes Deployment to use TLS certificate and key data from a Secret as environment variables. It maps the 'tls.crt' and 'tls.key' fields from the 'ingress-tls' secret to environment variables named 'TLS_CERT' and 'TLS_KEY', respectively, bypassing the limitation of dots in environment variable names. ```yaml apiVersion: apps/v1 kind: Deployment spec: template: spec: containers: - name: ingress-controller env: - name: TLS_CERT valueFrom: secretKeyRef: name: ingress-tls key: tls.crt - name: TLS_KEY valueFrom: secretKeyRef: name: ingress-tls key: tls.key ``` -------------------------------- ### Configure Kubricate Project Source: https://github.com/thaitype/kubricate/blob/main/README.md Illustrates how to configure a Kubricate project by creating a `kubricate.config.ts` file. This configuration file exports an object with defined stacks, linking the defined resources to the project. ```typescript // @filename: kubricate.config.ts import { defineConfig } from 'kubricate'; import { myNamespace } from './src/stacks'; export default defineConfig({ stacks: { myFirstStack: myNamespace, }, }); ``` -------------------------------- ### CLI: Validate and Apply Secrets Source: https://github.com/thaitype/kubricate/blob/main/README.md Validate the state of connectors and providers, and apply secrets to target providers like Azure KV or Kubernetes. This ensures secrets are correctly set up and available. ```bash kubricate secret validate # Validate connector/provider statekubricate secret apply # Apply secrets to target provider (e.g. Azure KV, Kubernetes) ``` -------------------------------- ### CLI: Plan and Hydrate Secrets Source: https://github.com/thaitype/kubricate/blob/main/README.md Execute secret hydration workflows to synchronize secrets between different systems. The 'plan' command previews actions, and 'hydrate' executes them. ```bash kubricate secret plan # Preview hydration actionskubricate secret hydrate # Execute hydration ``` -------------------------------- ### Configure Kubricate Project Settings Source: https://github.com/thaitype/kubricate/blob/main/README.md Wire together all components, including stacks and the secret manager, in the `kubricate.config.ts` file. This central configuration file defines the project's structure and behavior. ```typescript import { defineConfig } from 'kubricate'; import { myApp } from './src/stacks'; // import your stack import { secretManager } from './src/setup-secrets'; // import your secret manager export default defineConfig({ stacks: { app: myApp, }, secrets: { manager: secretManager, } }); ``` -------------------------------- ### CLI: Generate Kubernetes YAML Manifests Source: https://github.com/thaitype/kubricate/blob/main/README.md Use the Kubricate CLI to render Kubernetes manifests from all defined stacks. This command generates the necessary YAML files for deployment. ```bash kubricate generate ``` -------------------------------- ### Register Connectors for Secret Management Source: https://github.com/thaitype/kubricate/blob/main/README.md Connect to external secret systems like .env, Azure Key Vault, 1Password, or Vault. This step initializes the SecretManager and adds specific connectors. ```typescript // @filename: src/setup-secrets.ts export const secretManager = new SecretManager() .addConnector('Env', new EnvConnector()) .addConnector('AzureKV', new AzureKeyVaultConnector()); ``` -------------------------------- ### Generate Kubernetes Resources with Kubricate CLI Source: https://github.com/thaitype/kubricate/blob/main/README.md Command to generate Kubernetes YAML files from the defined Kubricate stacks. This command processes the configuration and stack definitions to output deployable YAML manifests, typically into an 'output' directory. ```bash bun kubricate generate ``` -------------------------------- ### Define Hydration Plan for Cross-System Secret Flow Source: https://github.com/thaitype/kubricate/blob/main/README.md Describe how secrets should flow between different systems, such as from a .env file to Azure Key Vault. This feature is currently in progress and subject to change. ```typescript // @filename: src/setup-secrets.ts secretManager.addHydrationPlan('EnvToKV', { from: 'Env', to: 'AzureKV', options: { conflictStrategy: 'overwrite' }, }); ``` -------------------------------- ### Define a Namespace Stack with Kubricate Source: https://github.com/thaitype/kubricate/blob/main/README.md Demonstrates how to define a simple Kubernetes Namespace resource using Kubricate's Stack API in TypeScript. This code snippet shows the basic structure for declaring a resource within a stack. ```typescript // @filename: src/stacks.ts import { Stack } from 'kubricate'; export const myNamespace = Stack.fromStatic('Namespace', { // you can write any name of the resource in the stack namespace: { apiVersion: 'v1', kind: 'Namespace', metadata: { name: 'my-namespace', }, }, }); ``` -------------------------------- ### Define Application Stack with Secret Injection Source: https://github.com/thaitype/kubricate/blob/main/README.md Use reusable stacks like `AppStack` and inject secrets from providers into your application. This integrates secrets seamlessly into your application's definition. ```typescript // @filename: src/stacks.ts import { Stack } from 'kubricate'; import { simpleAppTemplate } from '@kubricate/stacks'; export const myApp = nStack.fromTemplate(simpleAppTemplate, { imageName: 'nginx', name: 'my-app', }) .useSecrets(secretManager, (c) => { c.secrets('my_app_key').forName('ENV_APP_KEY').inject(); }); ``` -------------------------------- ### Declare Secrets for Application Use Source: https://github.com/thaitype/kubricate/blob/main/README.md Centralize your application secrets and optionally map them to a specific provider. This makes secrets easily accessible and manageable within Kubricate. ```typescript // @filename: src/setup-secrets.ts secretManager.addSecret({ name: 'my_app_key' }); ``` -------------------------------- ### Set Default Connector and Provider for Secret Hydration Source: https://github.com/thaitype/kubricate/blob/main/README.md When multiple connectors or providers are registered, set the default ones to be used during the secret hydration process. This ensures consistency in secret management. ```typescript // @filename: src/setup-secrets.ts secretManager.setDefaultConnector('AzureKV'); secretManager.setDefaultProvider('OpaqueSecretProvider'); ``` -------------------------------- ### Register Secret Providers for Kubernetes Injection Source: https://github.com/thaitype/kubricate/blob/main/README.md Define how secrets will be injected into Kubernetes resources such as Secrets, ConfigMaps, or annotations. This registers a specific provider with the secret manager. ```typescript // @filename: src/setup-secrets.ts secretManager.addProvider( 'OpaqueSecretProvider', new OpaqueSecretProvider({ name: 'secret-application' }) ); ``` === COMPLETE CONTENT === This response contains all available snippets from this library. No additional content exists. Do not make further requests.