From 093cc0d713ae78d3d3aded46c2201099c9a4e1ad Mon Sep 17 00:00:00 2001
From: Khue Doan <mail@khuedoan.com>
Date: Sun, 26 Nov 2023 03:00:12 +0700
Subject: [PATCH] chore: remove reference to Vault in docs and scripts

---
 README.md | 8 -----
 docs/concepts/secrets-management.md | 34 +++++++++++----------
 docs/how-to-guides/troubleshooting/vault.md | 3 --
 docs/installation/post-installation.md | 2 --
 docs/reference/architecture/overview.md | 12 ++++----
 docs/reference/roadmap.md | 1 -
 mkdocs.yml | 1 -
 scripts/take-screenshots | 4 ---
 scripts/vault-root-token | 5 ---
 test/smoke_test.go | 1 -
 10 files changed, 24 insertions(+), 47 deletions(-)
 delete mode 100644 docs/how-to-guides/troubleshooting/vault.md
 delete mode 100755 scripts/vault-root-token

diff --git a/README.md b/README.md
index 71996e5c..c8d7b2dc 100644
--- a/README.md
+++ b/README.md
@@ -81,8 +81,6 @@ They can't capture all the project's features, but they are sufficient to get a
 | Continuous deployment with [ArgoCD](https://argoproj.github.io/cd/) |
 | [![][lens-demo]][lens-demo] |
 | Cluster management using [Lens](https://k8slens.dev/) |
-| [![][vault-demo]][vault-demo] |
-| Secret management with [Vault](https://www.vaultproject.io/) |
 [deploy-demo]: https://asciinema.org/a/xkBRkwC6e9RAzVuMDXH3nGHp7.svg
 [pxe-demo]: https://user-images.githubusercontent.com/27996771/157303477-df2e7410-8f02-4648-a86c-71e6b7e89e35.png
@@ -93,7 +91,6 @@ They can't capture all the project's features, but they are sufficient to get a
 [tekton-demo]: https://user-images.githubusercontent.com/27996771/149445374-58fd0605-bb9a-46e4-81d6-5e584d2b94a9.png
 [argocd-demo]: https://user-images.githubusercontent.com/27996771/149444716-fc0d7282-4cf7-4ddb-97a4-1a3fb47ff2b8.png
 [lens-demo]: https://user-images.githubusercontent.com/27996771/149448896-9d79947d-468c-45c6-a81d-b43654e8ab6b.png
-[vault-demo]: https://user-images.githubusercontent.com/27996771/149452309-de4a893b-e94c-4ba8-9119-ea87449cf77e.png
 ### Tech stack
@@ -203,11 +200,6 @@ They can't capture all the project's features, but they are sufficient to get a
 <td><a href="https://tekton.dev">Tekton</a></td>
 <td>Cloud native solution for building CI/CD systems</td>
 </tr>
- <tr>
- <td><img width="32" src="https://simpleicons.org/icons/vault.svg"></td>
- <td><a href="https://www.vaultproject.io">Vault</a></td>
- <td>Secrets and encryption management system</td>
- </tr>
 <tr>
 <td><img width="32" src="https://docs.zerotier.com/img/ZeroTierIcon.png"></td>
 <td><a href="https://zerotier.com">ZeroTier</a></td>
diff --git a/docs/concepts/secrets-management.md b/docs/concepts/secrets-management.md
index 578a33bd..8528e645 100644
--- a/docs/concepts/secrets-management.md
+++ b/docs/concepts/secrets-management.md
@@ -2,42 +2,44 @@
 ## Overview
-- Secrets are stored in [HashiCorp Vault](https://www.vaultproject.io)
-- Vault is managed with [Vault Operator (Bank Vaults)](https://banzaicloud.com/docs/bank-vaults/operator), automatically initialize and unseal
-- Secrets that can be generated are automatically generated and stored in Vault.
-- Integrate with GitOps using [External Secrets Operator](https://external-secrets.io)
+- Global secrets are stored in the `global-secrets` namespace.
+- Integrate with GitOps using [External Secrets Operator](https://external-secrets.io).
+- Secrets that can be generated are automatically generated and stored in the `global-secrets` namespace.
 !!! info
- Despite the name _External_ Secrets Operator, our Vault is deployed on the same cluster.
- HashiCorp Vault can be replaced with AWS Secret Manager, Google Cloud Secret Manager, Azure Key Vault, etc.
+ Despite the name _External_ Secrets Operator, global secrets are created in the same cluster and synced
+ to other namespaces using the [Kubernetes provider](https://external-secrets.io/latest/provider/kubernetes).
+
+ While not supported by default in this project, you can also use other external providers such as HashiCorp Vault,
+ AWS Secret Manager, Google Cloud Secret Manager, Azure Key Vault, 1Password, etc.
 ```mermaid
 flowchart TD
 subgraph global-secrets-namespace[global-secrets namespace]
- secret-generator[Secret generator CronJob] -. generate secrets if not exist .-> kubernetes-secrets[Kubernetes Secrets]
+ secret-generator[Secret Generator] -- generate if not exist --> source-secrets[Source Secrets]
 end
 subgraph app-namespace[application namespace]
- ExternalSecret -. generate .-> Secret
+ ExternalSecret -- create --> Secret
 App -- read --> Secret
 end
- ClusterSecretStore --> vault
- ClusterSecretStore --> ExternalSecret
+ ClusterSecretStore -- read --> source-secrets
+ ExternalSecret --- ClusterSecretStore
 ```
 ## Randomly generated secrets
-This is useful when you want to generate random secrets like admin password and store in Vault.
+This is useful when you want to generate random secrets like admin password and store in global secrets.
-```yaml title="./platform/vault/files/generate-secrets/config.yaml" hl_lines="2-6"
+```yaml title="./platform/global-secrets/files/secret-generator/config.yaml" hl_lines="2-6"
 --8<--
-./platform/vault/files/generate-secrets/config.yaml
+./platform/global-secrets/files/secret-generator/config.yaml
 --8<--
 ```
-## How secrets are pulled from Vault to Kubernetes
+## How secrets are pulled from global secrets to other namespaces
 When you apply an `ExternalSecret` object, for example:
@@ -51,13 +53,13 @@ spec:
 data:
 - remoteRef:
 conversionStrategy: Default
- key: /gitea/admin
+ key: gitea.admin
 property: password
 secretKey: password
 refreshInterval: 1h
 secretStoreRef:
 kind: ClusterSecretStore
- name: vault
+ name: global-secrets
 target:
 creationPolicy: Owner
 deletionPolicy: Retain
diff --git a/docs/how-to-guides/troubleshooting/vault.md b/docs/how-to-guides/troubleshooting/vault.md
deleted file mode 100644
index cd808e46..00000000
--- a/docs/how-to-guides/troubleshooting/vault.md
+++ /dev/null
@@ -1,3 +0,0 @@
-# Vault
-
-TODO (PR welcomed)
diff --git a/docs/installation/post-installation.md b/docs/installation/post-installation.md
index df98bfab..39c0d12e 100644
--- a/docs/installation/post-installation.md
+++ b/docs/installation/post-installation.md
@@ -15,8 +15,6 @@ Save the following files to a safe location like a password manager (if you're u
 - ArgoCD:
 - Username: `admin`
 - Password: run `./scripts/argocd-admin-password`
-- Vault:
- - Root token: run `./scripts/vault-root-token`
 - Grafana:
 - Username: `admin`
 - Password: `prom-operator` (TODO: use random password)
diff --git a/docs/reference/architecture/overview.md b/docs/reference/architecture/overview.md
index e547933c..38555b60 100644
--- a/docs/reference/architecture/overview.md
+++ b/docs/reference/architecture/overview.md
@@ -23,7 +23,7 @@ Main components:
 - `./metal`: bare metal management, install Linux and Kubernetes
 - `./bootstrap`: GitOps bootstrap with ArgoCD
 - `./system`: critical system components for the cluster (load balancer, storage, ingress, operation tools...)
-- `./platform`: essential components for service hosting platform (vault, git...)
+- `./platform`: essential components for service hosting platform (git, build runners, dashboards...)
 - `./apps`: user facing applications
 - `./external` (optional): externally managed services
@@ -48,7 +48,7 @@ Everything is automated, after you edit the configuration files, you just need t
 From now on, ArgoCD will do the rest:
 - (3) Build the `./system` layer (storage, networking, monitoring, etc)
-- (4) Build the `./platform` layer (Gitea, Vault, SSO, etc)
+- (4) Build the `./platform` layer (Gitea, Grafana, SSO, etc)
 - (5) Build the `./apps` layer: (Syncthing, Jellyfin, etc)
 ```mermaid
@@ -81,9 +81,9 @@ flowchart TD
 cloudflare -.-> cloudflared
 subgraph platform
- gitea[Gitea]
- tekton[Tekton]
- vault[Vault]
+ Gitea
+ Tekton
+ Grafana
 end
 subgraph apps
@@ -168,7 +168,7 @@ Below is the pseudo code for the entire process, you don't have to read it right
 migrate the homelab repository from GitHub
 ArgoCD switch the source from GitHub to Gitea
 ci
- vault
+ dashboards
 etc
 ./apps (depends on ./system and ./platform):
 homepage
diff --git a/docs/reference/roadmap.md b/docs/reference/roadmap.md
index a4443eea..f7564362 100644
--- a/docs/reference/roadmap.md
+++ b/docs/reference/roadmap.md
@@ -37,7 +37,6 @@ Good enough for tinkering and personal usage, and reasonably secure.
 - [x] Core applications
 - [x] Gitea
 - [x] Tekton
- - [x] Vault
 - [x] Private container registry
 - [x] Homepage
diff --git a/mkdocs.yml b/mkdocs.yml
index 2d1fe707..e3c1d2fc 100644
--- a/mkdocs.yml
+++ b/mkdocs.yml
@@ -75,7 +75,6 @@ nav:
 - how-to-guides/troubleshooting/gitea.md
 - how-to-guides/troubleshooting/longhorn.md
 - how-to-guides/troubleshooting/pxe-boot.md
- - how-to-guides/troubleshooting/vault.md
 - Reference:
 - reference/index.md
 - Architecture:
diff --git a/scripts/take-screenshots b/scripts/take-screenshots
index 81808ae8..055309f8 100755
--- a/scripts/take-screenshots
+++ b/scripts/take-screenshots
@@ -25,10 +25,6 @@ apps = [
 'name': 'argocd',
 'url': 'https://argocd.khuedoan.com/applications/root'
 },
- {
- 'name': 'vault',
- 'url': 'https://vault.khuedoan.com/ui/vault/secrets'
- },
 {
 'name': 'tekton',
 'url': 'https://tekton.khuedoan.com/#/namespaces/tekton-pipelines/pipelineruns/homelab?pipelineTask=external&step=plan'
diff --git a/scripts/vault-root-token b/scripts/vault-root-token
deleted file mode 100755
index 8e0a4831..00000000
--- a/scripts/vault-root-token
+++ /dev/null
@@ -1,5 +0,0 @@
-#!/bin/sh
-
-echo "WARNING: Root token can do anything in Vault, only use it for just enough initial setup or in emergencies." >&2
-export KUBECONFIG=./metal/kubeconfig.yaml
-kubectl get secrets vault-unseal-keys -n vault -o jsonpath='{.data.vault-root}' | base64 --decode
diff --git a/test/smoke_test.go b/test/smoke_test.go
index 63576a2e..b9ecdf2f 100644
--- a/test/smoke_test.go
+++ b/test/smoke_test.go
@@ -19,7 +19,6 @@ func TestSmoke(t *testing.T) {
 }{
 {"argocd-server", "argocd"},
 {"hajimari", "hajimari"},
- {"vault", "vault"},
 {"gitea", "gitea"},
 }