2022-07-15 20:28:57 +07:00
# Secrets management
## Overview
- Secrets are stored in [HashiCorp Vault](https://www.vaultproject.io)
- Vault is managed with [Vault Operator (Bank Vaults)](https://banzaicloud.com/docs/bank-vaults/operator), which automatically initializes and unseals it
- Secrets that can be generated are automatically generated and stored in Vault.
- Integrate with GitOps using [External Secrets Operator](https://external-secrets.io)

!!! info

    Despite the name _External_ Secrets Operator, our Vault is deployed on the same cluster.

    HashiCorp Vault can be replaced with AWS Secrets Manager, Google Cloud Secret Manager, Azure Key Vault, etc.
```mermaid
flowchart TD
    subgraph global-secrets-namespace[global-secrets namespace]
        secret-generator[Secret generator CronJob] -. generate secrets if not exist .-> kubernetes-secrets[Kubernetes Secrets]
    end

    subgraph app-namespace[application namespace]
        ExternalSecret -. generate .-> Secret
        App -- read --> Secret
    end

    ClusterSecretStore --> vault
    ClusterSecretStore --> ExternalSecret
```
## Randomly generated secrets
This is useful when you want to generate random secrets, such as an admin password, and store them in Vault.
```yaml title="./platform/vault/files/generate-secrets/config.yaml" hl_lines="2-6"
--8<--
./platform/vault/files/generate-secrets/config.yaml
--8<--
```
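The "generate if not exist" step of a generator CronJob has one subtle requirement: two runs (a retried Job, a second replica, a manual invocation) must not both decide the secret is missing and overwrite a value the first one already handed out. Vault KV v2 solves this server-side with check-and-set: a write with `cas: 0` is accepted only when the path has no version yet. The script below is an added example written for this page, not the platform's own generator (whose config is included above). It assumes a KV v2 engine mounted at `secret`, `VAULT_ADDR` and `VAULT_TOKEN` in the environment, and the path `gitea/admin` with a `password` field; `InMemoryVault` is a constructed stand-in so the logic can be exercised without a Vault server.

```python
"""Idempotent random-secret generation against Vault KV v2.

Added example, not the platform's generator. Assumes a KV v2 engine mounted at
"secret" and VAULT_ADDR / VAULT_TOKEN in the environment; InMemoryVault is a
constructed stand-in so the logic can run without a Vault server.
"""
import json
import os
import secrets
import string
import urllib.error
import urllib.request

ALPHABET = string.ascii_letters + string.digits
MOUNT = "secret"  # assumption: name of the KV v2 mount
VAULT_ADDR = os.environ.get("VAULT_ADDR", "http://127.0.0.1:8200")
CAS_ERROR = "check-and-set parameter did not match the current version"


def random_password(length: int = 32) -> str:
    """Password from the CSPRNG-backed `secrets` module (never `random`)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def data_url(path: str) -> str:
    """KV v2 data endpoint for a logical path such as gitea/admin."""
    return f"{VAULT_ADDR}/v1/{MOUNT}/data/{path.strip('/')}"


def http_transport(method, url, body, token):
    """Send one request to Vault; returns (HTTP status, decoded JSON or None)."""
    payload = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        url, data=payload, method=method,
        headers={"X-Vault-Token": token, "Content-Type": "application/json"},
    )
    try:
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else None)
    except urllib.error.HTTPError as err:
        raw = err.read()
        return err.code, (json.loads(raw) if raw else None)


class InMemoryVault:
    """Constructed fake that enforces the cas=0 rule the way KV v2 does."""

    def __init__(self):
        self.data = {}

    def transport(self, method, url, body, token):
        if body.get("options", {}).get("cas") == 0 and url in self.data:
            return 400, {"errors": [CAS_ERROR]}
        self.data[url] = dict(body["data"])
        return 200, {"data": {"version": 1}}


def ensure_secret(path, fields, transport=http_transport, token=None, length=32):
    """Write random values for `fields` at `path` only if nothing is there yet.

    A read-then-write check is racy: two generator pods could both see
    "missing" and the second write would silently replace a password the
    first already handed out. With cas=0 Vault itself rejects any write to a
    path that already has a version, so the decision is made once, atomically,
    on the server. Returns "created" or "exists"; other failures raise.
    """
    token = token if token is not None else os.environ.get("VAULT_TOKEN", "")
    body = {
        "options": {"cas": 0},
        "data": {field: random_password(length) for field in fields},
    }
    status, resp = transport("POST", data_url(path), body, token)
    if status in (200, 204):
        return "created"
    errors = (resp or {}).get("errors", [])
    if status == 400 and any(CAS_ERROR in e for e in errors):
        return "exists"
    raise RuntimeError(f"writing {path} failed: HTTP {status} {errors}")


if __name__ == "__main__":
    # Against a real Vault: VAULT_ADDR=... VAULT_TOKEN=... python generate.py
    print(ensure_secret("gitea/admin", ["password"]))
```

The CronJob only needs the token policy `create` on `secret/data/gitea/admin`; it never reads the value back, so a compromised generator pod cannot be used to dump existing secrets.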
## How secrets are pulled from Vault to Kubernetes
When you apply an `ExternalSecret` object, for example:
```yaml hl_lines="4 21-23"
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: gitea-admin-secret
  namespace: gitea
spec:
  data:
    - remoteRef:
        conversionStrategy: Default
        key: /gitea/admin
        property: password
      secretKey: password
  refreshInterval: 1h
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault
  target:
    creationPolicy: Owner
    deletionPolicy: Retain
    template:
      data:
        password: '{{ .password }}'
        username: gitea_admin
      engineVersion: v2
```
This will create a corresponding Kubernetes secret:
`kubectl describe secrets -n gitea gitea-admin-secret`
```yaml hl_lines="1 8-11"
Name:         gitea-admin-secret
Namespace:    gitea
Labels:       <none>
Annotations:  reconcile.external-secrets.io/data-hash: <REDACTED>

Type:  Opaque

Data
====
password:  32 bytes
username:  11 bytes
```
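The `ExternalSecret` is the half of the flow that lives in git, so the mistakes that matter are the ones that pass `kubectl apply` and only surface later: a template that references a value `spec.data` never fetches (ESO then fails to render the `Secret`), or a literal password pasted into `target.template.data` (which is now committed in plain text). The following lint is an added example, not part of External Secrets Operator; it expects the manifest as a dict (load a file with `yaml.safe_load`), and `SAMPLE`, `lint_external_secret`, `with_template` and the `allowed_stores` default are constructed here. `SAMPLE` mirrors the gitea manifest above.

```python
"""Static check for ExternalSecret manifests before they are committed.

Added example, not part of External Secrets Operator. Takes the manifest as a
dict (e.g. from yaml.safe_load); SAMPLE is a constructed copy of the
gitea-admin-secret manifest shown above.
"""
import copy
import re

# {{ .name }} references produced by ESO's v2 template engine
TEMPLATE_REF = re.compile(r"\{\{\s*\.([A-Za-z_][A-Za-z0-9_]*)\s*\}\}")
# key names that should never carry a literal value in git
SENSITIVE = re.compile(r"pass(word)?|secret|token|key", re.IGNORECASE)

SAMPLE = {
    "apiVersion": "external-secrets.io/v1beta1",
    "kind": "ExternalSecret",
    "metadata": {"name": "gitea-admin-secret", "namespace": "gitea"},
    "spec": {
        "data": [
            {
                "remoteRef": {
                    "conversionStrategy": "Default",
                    "key": "/gitea/admin",
                    "property": "password",
                },
                "secretKey": "password",
            }
        ],
        "refreshInterval": "1h",
        "secretStoreRef": {"kind": "ClusterSecretStore", "name": "vault"},
        "target": {
            "creationPolicy": "Owner",
            "deletionPolicy": "Retain",
            "template": {
                "data": {"password": "{{ .password }}", "username": "gitea_admin"},
                "engineVersion": "v2",
            },
        },
    },
}


def lint_external_secret(manifest, allowed_stores=(("ClusterSecretStore", "vault"),)):
    """Return a list of problems; an empty list means the manifest passes."""
    if manifest.get("kind") != "ExternalSecret":
        return [f"kind is {manifest.get('kind')!r}, expected ExternalSecret"]
    problems = []
    spec = manifest.get("spec", {})

    # Every fetched entry must say where it comes from and what it is called.
    fetched = set()
    for i, entry in enumerate(spec.get("data", [])):
        key = entry.get("secretKey")
        remote = entry.get("remoteRef", {}).get("key")
        if not key or not remote:
            problems.append(f"spec.data[{i}] needs both secretKey and remoteRef.key")
        fetched.add(key)

    # Template references must resolve, and sensitive keys must be templated.
    template = spec.get("target", {}).get("template", {}).get("data", {})
    for name, value in template.items():
        refs = TEMPLATE_REF.findall(str(value))
        for ref in refs:
            if ref not in fetched:
                problems.append(
                    f"template {name!r} references .{ref}, which spec.data does not fetch"
                )
        if not refs and SENSITIVE.search(name):
            problems.append(
                f"template {name!r} is a literal value for a sensitive-looking key; "
                "it would be stored in git instead of Vault"
            )

    # Only the stores this platform operates are acceptable.
    store = spec.get("secretStoreRef", {})
    if (store.get("kind"), store.get("name")) not in allowed_stores:
        problems.append(f"secretStoreRef {store!r} is not one of {list(allowed_stores)}")
    return problems


def with_template(manifest, **overrides):
    """Deep-copied manifest with template data keys replaced (for demos/tests)."""
    out = copy.deepcopy(manifest)
    out["spec"]["target"]["template"]["data"].update(overrides)
    return out


if __name__ == "__main__":
    print("sample:", lint_external_secret(SAMPLE))
    print("broken:", lint_external_secret(
        with_template(SAMPLE, token="{{ .token }}", password="hunter2")))
```

Run it from a pre-commit hook or CI job over every `ExternalSecret` in the repository; the same `fetched` set can also be compared against `kubectl get secret -o jsonpath='{.data}'` after reconciliation to confirm the rendered `Secret` carries exactly the expected keys.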
Please see the official documentation for more information:
- [External Secrets Operator](https://external-secrets.io)
- [API specification](https://external-secrets.io/latest/spec)