Secret References

Some Bridge components require access to secret values, such as credentials, in order to operate. These values are, in most cases, stored inside Kubernetes Secret objects, which administrators are responsible for making readily available to integrations which require them.

The TriggerMesh Integration Language relies on the notion of secret class to support the multitude of integrations available within TriggerMesh Bridges. Similarly to Kubernetes built-in secret types, a secret class is simply a list of requirements which must be satisfied by a Secret object, such as the number, name and format of the values present in the data of this Secret.

Usage of Secret References

Inside a component configuration body, secrets are referenced by name using the secret_name function. The Secret corresponding to the given name parameter is expected to be deployed in the same Kubernetes namespace as the deployed Bridge.

Example:

source example "my_source" {
  api_credentials = secret_name("my-credentials")
}

Please refer to the documentation of individual components in order to know what secret class to use in a certain context, and which data keys are supported/required by each component.

Secret Classes Reference

Below is a reference of all secret classes currently used by component implementations available in til. For each class, an example of kubectl command is provided to help you create an instance of this particular type of secret in the destination cluster.

aws
azure_sp
basic_auth
datadog
gcloud_service_account
github
kafka
logz
salesforce_oauth_jwt
sendgrid
slack
slack_app
splunk_hec
tls
twilio
zendesk

`aws` Secret Class

Used to authenticate to Amazon Web Services (AWS) with access keys.

Data Key(s)

access_key_id: access key ID (example: "AKIAIOSFODNN7EXAMPLE")
secret_access_key: secret access key (example: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY")

Create Command

kubectl create secret generic <SECRET_NAME> \
  --from-literal=access_key_id=<ACCESS_KEY_ID> \
  --from-literal=secret_access_key=<SECRET_ACCESS_KEY>

`azure_sp` Secret Class

Used to authenticate to Microsoft Azure services with a service principal.

Data Key(s)

tenant_id: tenant ID of the Azure application represented by the service principal (example: "1a23b45c-6789-1a2b-3c4d-00000EXAMPLE")
client_id: client ID of the Azure application (example: "1a23b45c-6789-1a2b-3c4d-00000EXAMPLE")
client_secret: client secret of the Azure application

Create Command

kubectl create secret generic <SECRET_NAME> \
  --from-literal=tenant_id=<TENANT_ID> \
  --from-literal=client_id=<CLIENT_ID> \
  --from-literal=client_secret=<CLIENT_SECRET>

`basic_auth` Secret Class

Used to serve or authenticate against a web endpoint which supports basic authentication.

Data Key(s)

username: name of the user to authenticate as
password: password of the selected user

Create Command

kubectl create secret generic <SECRET_NAME> \
  --from-literal=username=<USERNAME> \
  --from-literal=password=<PASSWORD>

`datadog` Secret Class

Used to authenticate to the Datadog API.

Data Key(s)

apiKey: API key (example: "1a23b45c-6789-1a2b-3c4d-00000EXAMPLE")

Create Command

kubectl create secret generic <SECRET_NAME> \
  --from-literal=apiKey=<API_KEY>

`gcloud_service_account` Secret Class

Used to authenticate to Google Cloud services with a service account.

Data Key(s)

key.json: service account key in JSON format (example: "{\"type\":\"service_account\", ...}")

Create Command

kubectl create secret generic <SECRET_NAME> \
  --from-literal=key.json=<KEY>

`github` Secret Class

Used to authenticate to the GitHub API and validate requests originating from GitHub Apps.

Data Key(s)

access_token: access token to interact with the API
webhook_secret: secret token for securing webhooks

Create Command

kubectl create secret generic <SECRET_NAME> \
  --from-literal=access_token=<ACCESS_TOKEN> \
  --from-literal=webhook_secret=<WEBHOOK_SECRET>

`kafka` Secret Class

Used to authenticate to Kafka brokers using different types of authentication mechanisms and protocols. Please consult the documentation of the Kafka Sink (Knative) for more details.

Data Key(s)

protocol: protocol to use for communicating with Kafka brokers (example: "SASL_PLAINTEXT", "SASL_SSL")
sasl.mechanism: SASL authentication mechanism to use, if supported (example: "PLAIN", "SCRAM-SHA-256")
ca.crt: certificate chain of a Certificate Authority (CA) for checking the authenticity of TLS connections (if enabled)
user: (SASL authentication) name of the user to authenticate
password: (SASL authentication) password of the selected user
user.crt: (TLS authentication) X.509 certificate, in PEM format (example: "-----BEGIN CERTIFICATE-----\nMIIH...\n-----END CERTIFICATE-----")
user.key: (TLS authentication) private key associated with the certificate, in PEM format (example: "-----BEGIN PRIVATE KEY-----\nMIIE...\n-----END PRIVATE KEY-----")
user.skip: skip user authentication

Create Command

kubectl create secret generic <SECRET_NAME> \
  --from-literal=protocol=<PROTOCOL> \
  --from-literal=sasl.mechanism=<SASL_MECHANISM> \
  --from-file=ca.crt=<CA_CERTIFICATE> \
  --from-literal=user=<USER> \
  --from-literal=password=<PASSWORD> \
  --from-file=user.crt=<USER_CERTIFICATE> \
  --from-file=user.key=<CERTIFICATE_KEY> \
  --from-literal=user.skip=<BOOLEAN>

`logz` Secret Class

Used to authenticate to the Logz.io with an API token.

Data Key(s)

token: API token (example: "VF2ZTc1R73SMtoN3CLiSDuG1nEXAMPLEAPITOKEN")

Create Command

kubectl create secret generic <SECRET_NAME> \
  --from-literal=token=<TOKEN>

`salesforce_oauth_jwt` Secret Class

Used to authenticate requests to the Salesforce API using the OAuth 2.0 JWT bearer token flow.

Data Key(s)

secret_key: private key associated with the certificate used as the JWT signing secret (example: "-----BEGIN PRIVATE KEY-----\nMIIE...\n-----END PRIVATE KEY-----")

Create Command

kubectl create secret generic <SECRET_NAME> \
  --from-literal=secret_key=<SECRET_KEY>

`sendgrid` Secret Class

Used to authenticate to the Sendgrid API.

Data Key(s)

apiKey: API key (example: "SG.1FF3NpJbSPiD7kg04l9rXw.qLVd-PwJWX6tkEIJ2EXAMPLEKEY")

Create Command

kubectl create secret generic <SECRET_NAME> \
  --from-literal=apiKey=<API_KEY>

`slack` Secret Class

Used to authenticate to Slack APIs with a bearer token.

Data Key(s)

token: bearer token (example: "xoxb-000000000000-00EXAMPLETOKEN")

Create Command

kubectl create secret generic <SECRET_NAME> \
  --from-literal=token=<SIGNING_SECRET>

`slack_app` Secret Class

Used to verify requests originating from Slack in Slack apps.

Data Key(s)

signing_secret: signing secret of the app (example: "8f742231b10e8888abcd99yyyzzz85a5")

Create Command

kubectl create secret generic <SECRET_NAME> \
  --from-literal=signing_secret=<SIGNING_SECRET>

`splunk_hec` Secret Class

Used to authenticate to a Splunk HTTP Event Collector.

Data Key(s)

hec_token: HEC token (example: "1a23b45c-6789-1a2b-3c4d-00000EXAMPLE")

Create Command

kubectl create secret generic <SECRET_NAME> \
  --from-literal=hec_token=<HEC_TOKEN>

`tls` Secret Class

Used to authenticate to HTTP(S) endpoints using TLS Client Authentication.

Data Key(s)

certificate: X.509 certificate, usually in PEM format (example: "-----BEGIN CERTIFICATE-----\nMIIH...\n-----END CERTIFICATE-----")
key: private key associated with the certificate, usually in PEM format (example: "-----BEGIN PRIVATE KEY-----\nMIIE...\n-----END PRIVATE KEY-----")
ca_certificate: certificate chain of a Certificate Authority (CA) for checking the authenticity of TLS connections

Create Command

kubectl create secret generic <SECRET_NAME> \
  --from-literal=certificate=<CERTIFICATE> \
  --from-literal=key=<KEY> \
  --from-literal=ca_certificate=<CA_CERTIFICATE>

`twilio` Secret Class

Used to authenticate to the Twilio API with an auth token.

Data Key(s)

sid: account SID (example: "AC0000000000000000000EXAMPLESID")
token: auth token

Create Command

kubectl create secret generic <SECRET_NAME> \
  --from-literal=sid=<ACCOUNT_SID> \
  --from-literal=token=<AUTH_TOKEN>

`zendesk` Secret Class

Used to authenticate to Zendesk APIs with an API token.

Data Key(s)

token: API token (example: "VF2ZTc1R73SMtoN3CLiSDuG1nEXAMPLEAPITOKEN")

Create Command

kubectl create secret generic <SECRET_NAME> \
  --from-literal=token=<TOKEN>

Secret References

Usage of Secret References

Secret Classes Reference

aws Secret Class

Data Key(s)

Create Command

azure_sp Secret Class

Data Key(s)

Create Command

basic_auth Secret Class

Data Key(s)

Create Command

datadog Secret Class

Data Key(s)

Create Command

gcloud_service_account Secret Class

Data Key(s)

Create Command

github Secret Class

Data Key(s)

Create Command

kafka Secret Class

Data Key(s)

Create Command

logz Secret Class

Data Key(s)

Create Command

salesforce_oauth_jwt Secret Class

Data Key(s)

Create Command

sendgrid Secret Class

Data Key(s)

Create Command

slack Secret Class

Data Key(s)

Create Command

slack_app Secret Class

Data Key(s)

Create Command

splunk_hec Secret Class

Data Key(s)

Create Command

tls Secret Class

Data Key(s)

Create Command

twilio Secret Class

Data Key(s)

Create Command

zendesk Secret Class

Data Key(s)

Create Command

`aws` Secret Class

`azure_sp` Secret Class

`basic_auth` Secret Class

`datadog` Secret Class

`gcloud_service_account` Secret Class

`github` Secret Class

`kafka` Secret Class

`logz` Secret Class

`salesforce_oauth_jwt` Secret Class

`sendgrid` Secret Class

`slack` Secret Class

`slack_app` Secret Class

`splunk_hec` Secret Class

`tls` Secret Class

`twilio` Secret Class

`zendesk` Secret Class