chore: remove reference to Vault in docs and scripts

Khue Doan 2023-11-26 03:00:12 +07:00
parent ca6a82737c
commit 093cc0d713
10 changed files with 24 additions and 47 deletions

View File

@ -81,8 +81,6 @@ They can't capture all the project's features, but they are sufficient to get a
| Continuous deployment with [ArgoCD](https://argoproj.github.io/cd/) |
| [![][lens-demo]][lens-demo] |
| Cluster management using [Lens](https://k8slens.dev/) |
| [![][vault-demo]][vault-demo] |
| Secret management with [Vault](https://www.vaultproject.io/) |
[deploy-demo]: https://asciinema.org/a/xkBRkwC6e9RAzVuMDXH3nGHp7.svg
[pxe-demo]: https://user-images.githubusercontent.com/27996771/157303477-df2e7410-8f02-4648-a86c-71e6b7e89e35.png
@ -93,7 +91,6 @@ They can't capture all the project's features, but they are sufficient to get a
[tekton-demo]: https://user-images.githubusercontent.com/27996771/149445374-58fd0605-bb9a-46e4-81d6-5e584d2b94a9.png
[argocd-demo]: https://user-images.githubusercontent.com/27996771/149444716-fc0d7282-4cf7-4ddb-97a4-1a3fb47ff2b8.png
[lens-demo]: https://user-images.githubusercontent.com/27996771/149448896-9d79947d-468c-45c6-a81d-b43654e8ab6b.png
[vault-demo]: https://user-images.githubusercontent.com/27996771/149452309-de4a893b-e94c-4ba8-9119-ea87449cf77e.png
### Tech stack
@ -203,11 +200,6 @@ They can't capture all the project's features, but they are sufficient to get a
<td><a href="https://tekton.dev">Tekton</a></td>
<td>Cloud native solution for building CI/CD systems</td>
</tr>
<tr>
<td><img width="32" src="https://simpleicons.org/icons/vault.svg"></td>
<td><a href="https://www.vaultproject.io">Vault</a></td>
<td>Secrets and encryption management system</td>
</tr>
<tr>
<td><img width="32" src="https://docs.zerotier.com/img/ZeroTierIcon.png"></td>
<td><a href="https://zerotier.com">ZeroTier</a></td>

View File

@ -2,42 +2,44 @@
## Overview
- Secrets are stored in [HashiCorp Vault](https://www.vaultproject.io)
- Vault is managed with [Vault Operator (Bank Vaults)](https://banzaicloud.com/docs/bank-vaults/operator), automatically initialize and unseal
- Secrets that can be generated are automatically generated and stored in Vault.
- Integrate with GitOps using [External Secrets Operator](https://external-secrets.io)
- Global secrets are stored in the `global-secrets` namespace.
- Integrate with GitOps using [External Secrets Operator](https://external-secrets.io).
- Secrets that can be generated are automatically generated and stored in the `global-secrets` namespace.
!!! info
Despite the name _External_ Secrets Operator, our Vault is deployed on the same cluster.
HashiCorp Vault can be replaced with AWS Secret Manager, Google Cloud Secret Manager, Azure Key Vault, etc.
Despite the name _External_ Secrets Operator, global secrets are created in the same cluster and synced
to other namespaces using the [Kubernetes provider](https://external-secrets.io/latest/provider/kubernetes).
While not supported by default in this project, you can also use other external providers such as HashiCorp Vault,
AWS Secret Manager, Google Cloud Secret Manager, Azure Key Vault, 1Password, etc.
```mermaid
flowchart TD
subgraph global-secrets-namespace[global-secrets namespace]
secret-generator[Secret generator CronJob] -. generate secrets if not exist .-> kubernetes-secrets[Kubernetes Secrets]
secret-generator[Secret Generator] -- generate if not exist --> source-secrets[Source Secrets]
end
subgraph app-namespace[application namespace]
ExternalSecret -. generate .-> Secret
ExternalSecret -- create --> Secret
App -- read --> Secret
end
ClusterSecretStore --> vault
ClusterSecretStore --> ExternalSecret
ClusterSecretStore -- read --> source-secrets
ExternalSecret --- ClusterSecretStore
```
## Randomly generated secrets
This is useful when you want to generate random secrets like admin password and store in Vault.
This is useful when you want to generate random secrets like admin password and store in global secrets.
```yaml title="./platform/vault/files/generate-secrets/config.yaml" hl_lines="2-6"
```yaml title="./platform/global-secrets/files/secret-generator/config.yaml" hl_lines="2-6"
--8<--
./platform/vault/files/generate-secrets/config.yaml
./platform/global-secrets/files/secret-generator/config.yaml
--8<--
```
## How secrets are pulled from Vault to Kubernetes
## How secrets are pulled from global secrets to other namespaces
When you apply an `ExternalSecret` object, for example:
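Review bot: the new overview bullets ("Global secrets are stored in the `global-secrets` namespace", generated secrets stored there too) replace a Vault setup that was automatically initialized and unsealed, but they say nothing about who may read that namespace. Kubernetes Secrets are only base64-encoded in etcd unless encryption at rest is configured, and the ClusterSecretStore's Kubernetes provider needs read access to them, so the overview should state the RBAC boundary around `global-secrets` (which service account reads it, and that application namespaces receive copies rather than direct access). Two smaller points in the same hunk: "like admin password and store in global secrets" reads better as "like an admin password and store them in global secrets", and the AWS product name is "AWS Secrets Manager".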
@ -51,13 +53,13 @@ spec:
data:
- remoteRef:
conversionStrategy: Default
key: /gitea/admin
key: gitea.admin
property: password
secretKey: password
refreshInterval: 1h
secretStoreRef:
kind: ClusterSecretStore
name: vault
name: global-secrets
target:
creationPolicy: Owner
deletionPolicy: Retain
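Review bot: with the Kubernetes provider behind the `global-secrets` ClusterSecretStore, `key: gitea.admin` is the name of a Secret in the source namespace and `property: password` is a key inside its `data`, whereas the old `/gitea/admin` was a Vault KV path. Confirm that the secret generator config actually emits a Secret named exactly `gitea.admin` (dots are legal in Secret names, but the match is literal); otherwise this ExternalSecret never becomes Ready and the documented example will not work as written.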

View File

@ -1,3 +0,0 @@
# Vault
TODO (PR welcomed)

View File

@ -15,8 +15,6 @@ Save the following files to a safe location like a password manager (if you're u
- ArgoCD:
- Username: `admin`
- Password: run `./scripts/argocd-admin-password`
- Vault:
- Root token: run `./scripts/vault-root-token`
- Grafana:
- Username: `admin`
- Password: `prom-operator` (TODO: use random password)
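Review bot: dropping the "Vault: Root token" bullet matches the deleted `./scripts/vault-root-token`, but this page tells operators to keep these values in a password manager, so a one-line migration note would help: anyone who saved a Vault root token or unseal keys from an earlier checkout should discard them once the Vault deployment is removed, since a lingering root token is a standing credential that nothing here tracks any more. Unrelated to this change, the Grafana `prom-operator` TODO is still open and worth a follow-up.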

View File

@ -23,7 +23,7 @@ Main components:
- `./metal`: bare metal management, install Linux and Kubernetes
- `./bootstrap`: GitOps bootstrap with ArgoCD
- `./system`: critical system components for the cluster (load balancer, storage, ingress, operation tools...)
- `./platform`: essential components for service hosting platform (vault, git...)
- `./platform`: essential components for service hosting platform (git, build runners, dashboards...)
- `./apps`: user facing applications
- `./external` (optional): externally managed services
@ -48,7 +48,7 @@ Everything is automated, after you edit the configuration files, you just need t
From now on, ArgoCD will do the rest:
- (3) Build the `./system` layer (storage, networking, monitoring, etc)
- (4) Build the `./platform` layer (Gitea, Vault, SSO, etc)
- (4) Build the `./platform` layer (Gitea, Grafana, SSO, etc)
- (5) Build the `./apps` layer: (Syncthing, Jellyfin, etc)
```mermaid
@ -81,9 +81,9 @@ flowchart TD
cloudflare -.-> cloudflared
subgraph platform
gitea[Gitea]
tekton[Tekton]
vault[Vault]
Gitea
Tekton
Grafana
end
subgraph apps
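Review bot: the platform subgraph nodes change from `gitea[Gitea]` / `tekton[Tekton]` to bare `Gitea` / `Tekton`, which renames the Mermaid node ids (case-sensitive) rather than just the labels. Any edge elsewhere in this flowchart that still references `gitea` or `tekton` will silently create a second, unlabeled node instead of failing, so grep the rest of the diagram for the old ids before merging.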
@ -168,7 +168,7 @@ Below is the pseudo code for the entire process, you don't have to read it right
migrate the homelab repository from GitHub
ArgoCD switch the source from GitHub to Gitea
ci
vault
dashboards
etc
./apps (depends on ./system and ./platform):
homepage

View File

@ -37,7 +37,6 @@ Good enough for tinkering and personal usage, and reasonably secure.
- [x] Core applications
- [x] Gitea
- [x] Tekton
- [x] Vault
- [x] Private container registry
- [x] Homepage

View File

@ -75,7 +75,6 @@ nav:
- how-to-guides/troubleshooting/gitea.md
- how-to-guides/troubleshooting/longhorn.md
- how-to-guides/troubleshooting/pxe-boot.md
- how-to-guides/troubleshooting/vault.md
- Reference:
- reference/index.md
- Architecture:

View File

@ -25,10 +25,6 @@ apps = [
'name': 'argocd',
'url': 'https://argocd.khuedoan.com/applications/root'
},
{
'name': 'vault',
'url': 'https://vault.khuedoan.com/ui/vault/secrets'
},
{
'name': 'tekton',
'url': 'https://tekton.khuedoan.com/#/namespaces/tekton-pipelines/pipelineruns/homelab?pipelineTask=external&step=plan'

View File

@ -1,5 +0,0 @@
#!/bin/sh
echo "WARNING: Root token can do anything in Vault, only use it for just enough initial setup or in emergencies." >&2
export KUBECONFIG=./metal/kubeconfig.yaml
kubectl get secrets vault-unseal-keys -n vault -o jsonpath='{.data.vault-root}' | base64 --decode
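Review bot: deleting the script removes the documented way to read the root token, not the token itself: `kubectl get secrets vault-unseal-keys -n vault` shows the root token still lives in a Kubernetes Secret in the `vault` namespace for as long as the Vault operator resources remain. If this commit is part of decommissioning Vault, removal of the `vault` namespace (or at least that Secret) should be tracked alongside it, otherwise a root-level credential stays readable to anyone with secret read rights in that namespace. The WARNING line being removed was the only place this risk was written down, so the docs lose their only mention of it.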

View File

@ -19,7 +19,6 @@ func TestSmoke(t *testing.T) {
}{
{"argocd-server", "argocd"},
{"hajimari", "hajimari"},
{"vault", "vault"},
{"gitea", "gitea"},
}