chore: remove reference to Vault in docs and scripts

This commit is contained in:
Khue Doan
2023-11-26 03:00:12 +07:00
parent ca6a82737c
commit 093cc0d713
10 changed files with 24 additions and 47 deletions

View File

@ -81,8 +81,6 @@ They can't capture all the project's features, but they are sufficient to get a
| Continuous deployment with [ArgoCD](https://argoproj.github.io/cd/) | | Continuous deployment with [ArgoCD](https://argoproj.github.io/cd/) |
| [![][lens-demo]][lens-demo] | | [![][lens-demo]][lens-demo] |
| Cluster management using [Lens](https://k8slens.dev/) | | Cluster management using [Lens](https://k8slens.dev/) |
| [![][vault-demo]][vault-demo] |
| Secret management with [Vault](https://www.vaultproject.io/) |
[deploy-demo]: https://asciinema.org/a/xkBRkwC6e9RAzVuMDXH3nGHp7.svg [deploy-demo]: https://asciinema.org/a/xkBRkwC6e9RAzVuMDXH3nGHp7.svg
[pxe-demo]: https://user-images.githubusercontent.com/27996771/157303477-df2e7410-8f02-4648-a86c-71e6b7e89e35.png [pxe-demo]: https://user-images.githubusercontent.com/27996771/157303477-df2e7410-8f02-4648-a86c-71e6b7e89e35.png
@ -93,7 +91,6 @@ They can't capture all the project's features, but they are sufficient to get a
[tekton-demo]: https://user-images.githubusercontent.com/27996771/149445374-58fd0605-bb9a-46e4-81d6-5e584d2b94a9.png [tekton-demo]: https://user-images.githubusercontent.com/27996771/149445374-58fd0605-bb9a-46e4-81d6-5e584d2b94a9.png
[argocd-demo]: https://user-images.githubusercontent.com/27996771/149444716-fc0d7282-4cf7-4ddb-97a4-1a3fb47ff2b8.png [argocd-demo]: https://user-images.githubusercontent.com/27996771/149444716-fc0d7282-4cf7-4ddb-97a4-1a3fb47ff2b8.png
[lens-demo]: https://user-images.githubusercontent.com/27996771/149448896-9d79947d-468c-45c6-a81d-b43654e8ab6b.png [lens-demo]: https://user-images.githubusercontent.com/27996771/149448896-9d79947d-468c-45c6-a81d-b43654e8ab6b.png
[vault-demo]: https://user-images.githubusercontent.com/27996771/149452309-de4a893b-e94c-4ba8-9119-ea87449cf77e.png
### Tech stack ### Tech stack
@ -203,11 +200,6 @@ They can't capture all the project's features, but they are sufficient to get a
<td><a href="https://tekton.dev">Tekton</a></td> <td><a href="https://tekton.dev">Tekton</a></td>
<td>Cloud native solution for building CI/CD systems</td> <td>Cloud native solution for building CI/CD systems</td>
</tr> </tr>
<tr>
<td><img width="32" src="https://simpleicons.org/icons/vault.svg"></td>
<td><a href="https://www.vaultproject.io">Vault</a></td>
<td>Secrets and encryption management system</td>
</tr>
<tr> <tr>
<td><img width="32" src="https://docs.zerotier.com/img/ZeroTierIcon.png"></td> <td><img width="32" src="https://docs.zerotier.com/img/ZeroTierIcon.png"></td>
<td><a href="https://zerotier.com">ZeroTier</a></td> <td><a href="https://zerotier.com">ZeroTier</a></td>

View File

@ -2,42 +2,44 @@
## Overview ## Overview
- Secrets are stored in [HashiCorp Vault](https://www.vaultproject.io) - Global secrets are stored in the `global-secrets` namespace.
- Vault is managed with [Vault Operator (Bank Vaults)](https://banzaicloud.com/docs/bank-vaults/operator), automatically initialize and unseal - Integrate with GitOps using [External Secrets Operator](https://external-secrets.io).
- Secrets that can be generated are automatically generated and stored in Vault. - Secrets that can be generated are automatically generated and stored in the `global-secrets` namespace.
- Integrate with GitOps using [External Secrets Operator](https://external-secrets.io)
!!! info !!! info
Despite the name _External_ Secrets Operator, our Vault is deployed on the same cluster. Despite the name _External_ Secrets Operator, global secrets are created in the same cluster and synced
HashiCorp Vault can be replaced with AWS Secret Manager, Google Cloud Secret Manager, Azure Key Vault, etc. to other namespaces using the [Kubernetes provider](https://external-secrets.io/latest/provider/kubernetes).
While not supported by default in this project, you can also use other external providers such as HashiCorp Vault,
AWS Secret Manager, Google Cloud Secret Manager, Azure Key Vault, 1Password, etc.
```mermaid ```mermaid
flowchart TD flowchart TD
subgraph global-secrets-namespace[global-secrets namespace] subgraph global-secrets-namespace[global-secrets namespace]
secret-generator[Secret generator CronJob] -. generate secrets if not exist .-> kubernetes-secrets[Kubernetes Secrets] secret-generator[Secret Generator] -- generate if not exist --> source-secrets[Source Secrets]
end end
subgraph app-namespace[application namespace] subgraph app-namespace[application namespace]
ExternalSecret -. generate .-> Secret ExternalSecret -- create --> Secret
App -- read --> Secret App -- read --> Secret
end end
ClusterSecretStore --> vault ClusterSecretStore -- read --> source-secrets
ClusterSecretStore --> ExternalSecret ExternalSecret --- ClusterSecretStore
``` ```
## Randomly generated secrets ## Randomly generated secrets
This is useful when you want to generate random secrets like admin password and store in Vault. This is useful when you want to generate random secrets like admin password and store in global secrets.
```yaml title="./platform/vault/files/generate-secrets/config.yaml" hl_lines="2-6" ```yaml title="./platform/global-secrets/files/secret-generator/config.yaml" hl_lines="2-6"
--8<-- --8<--
./platform/vault/files/generate-secrets/config.yaml ./platform/global-secrets/files/secret-generator/config.yaml
--8<-- --8<--
``` ```
## How secrets are pulled from Vault to Kubernetes ## How secrets are pulled from global secrets to other namespaces
When you apply an `ExternalSecret` object, for example: When you apply an `ExternalSecret` object, for example:
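Review bot: the rewritten Overview drops a property the old setup advertised (the tech-stack row removed in the README hunk called Vault a "secrets and encryption management system") without saying what now covers it: with the Kubernetes provider, the source secrets in `global-secrets` are plain Kubernetes Secrets, so their confidentiality rests on etcd encryption at rest and on RBAC limiting who can read that namespace. Suggest a bullet after "Global secrets are stored in the `global-secrets` namespace." stating that access to that namespace should be restricted and etcd encryption at rest enabled where the distribution does not default to it. The info note is also the natural place to say that the `ClusterSecretStore` needs a ServiceAccount allowed to read Secrets in `global-secrets`, since a reader coming from the Vault setup will otherwise look for an auth configuration that no longer exists. Minor: `ExternalSecret --- ClusterSecretStore` is the only undirected, unlabeled edge in the new diagram; `ExternalSecret -- uses --> ClusterSecretStore` would match the rest.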
@ -51,13 +53,13 @@ spec:
data: data:
- remoteRef: - remoteRef:
conversionStrategy: Default conversionStrategy: Default
key: /gitea/admin key: gitea.admin
property: password property: password
secretKey: password secretKey: password
refreshInterval: 1h refreshInterval: 1h
secretStoreRef: secretStoreRef:
kind: ClusterSecretStore kind: ClusterSecretStore
name: vault name: global-secrets
target: target:
creationPolicy: Owner creationPolicy: Owner
deletionPolicy: Retain deletionPolicy: Retain
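Review bot: `remoteRef.key` changes from the Vault path `/gitea/admin` to `gitea.admin`, but the text above the example does not explain that with the Kubernetes provider `key` is now the name of a Secret in the `global-secrets` namespace and `property` is a key in its `data`. One sentence after the example stating that mapping keeps the how-to accurate. Worth a note as well: with `deletionPolicy: Retain`, deleting the `ExternalSecret` leaves the synced Secret in the application namespace, so cleanup of copied secrets there is a manual step.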

View File

@ -1,3 +0,0 @@
# Vault
TODO (PR welcomed)

View File

@ -15,8 +15,6 @@ Save the following files to a safe location like a password manager (if you're u
- ArgoCD: - ArgoCD:
- Username: `admin` - Username: `admin`
- Password: run `./scripts/argocd-admin-password` - Password: run `./scripts/argocd-admin-password`
- Vault:
- Root token: run `./scripts/vault-root-token`
- Grafana: - Grafana:
- Username: `admin` - Username: `admin`
- Password: `prom-operator` (TODO: use random password) - Password: `prom-operator` (TODO: use random password)
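Review bot: removing the root-token entry is consistent with deleting `scripts/vault-root-token`, but it leaves Grafana's fixed `prom-operator` as the only credential in this list with a hard-coded value (the TODO is already on that line). Since this commit introduces the secret generator in `global-secrets`, that TODO could be closed here by generating the Grafana password there and documenting a lookup script in the same style as `./scripts/argocd-admin-password`.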

View File

@ -23,7 +23,7 @@ Main components:
- `./metal`: bare metal management, install Linux and Kubernetes - `./metal`: bare metal management, install Linux and Kubernetes
- `./bootstrap`: GitOps bootstrap with ArgoCD - `./bootstrap`: GitOps bootstrap with ArgoCD
- `./system`: critical system components for the cluster (load balancer, storage, ingress, operation tools...) - `./system`: critical system components for the cluster (load balancer, storage, ingress, operation tools...)
- `./platform`: essential components for service hosting platform (vault, git...) - `./platform`: essential components for service hosting platform (git, build runners, dashboards...)
- `./apps`: user facing applications - `./apps`: user facing applications
- `./external` (optional): externally managed services - `./external` (optional): externally managed services
@ -48,7 +48,7 @@ Everything is automated, after you edit the configuration files, you just need t
From now on, ArgoCD will do the rest: From now on, ArgoCD will do the rest:
- (3) Build the `./system` layer (storage, networking, monitoring, etc) - (3) Build the `./system` layer (storage, networking, monitoring, etc)
- (4) Build the `./platform` layer (Gitea, Vault, SSO, etc) - (4) Build the `./platform` layer (Gitea, Grafana, SSO, etc)
- (5) Build the `./apps` layer: (Syncthing, Jellyfin, etc) - (5) Build the `./apps` layer: (Syncthing, Jellyfin, etc)
```mermaid ```mermaid
@ -81,9 +81,9 @@ flowchart TD
cloudflare -.-> cloudflared cloudflare -.-> cloudflared
subgraph platform subgraph platform
gitea[Gitea] Gitea
tekton[Tekton] Tekton
vault[Vault] Grafana
end end
subgraph apps subgraph apps
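Review bot: in the `platform` subgraph the node ids are renamed, not just the Vault node replaced: `gitea[Gitea]` and `tekton[Tekton]` become bare `Gitea` and `Tekton`, and mermaid ids are case-sensitive, so any edge elsewhere in this flowchart that still references `gitea` or `tekton` would render as a separate unlabeled node. Either keep the `id[Label]` form (`gitea[Gitea]`, `tekton[Tekton]`, `grafana[Grafana]`) or check the remaining edges for the old ids. Also, the earlier hunk in this file describes the platform layer as "Gitea, Grafana, SSO" while this subgraph shows Gitea, Tekton, Grafana; one consistent list would help.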
@ -168,7 +168,7 @@ Below is the pseudo code for the entire process, you don't have to read it right
migrate the homelab repository from GitHub migrate the homelab repository from GitHub
ArgoCD switch the source from GitHub to Gitea ArgoCD switch the source from GitHub to Gitea
ci ci
vault dashboards
etc etc
./apps (depends on ./system and ./platform): ./apps (depends on ./system and ./platform):
homepage homepage

View File

@ -37,7 +37,6 @@ Good enough for tinkering and personal usage, and reasonably secure.
- [x] Core applications - [x] Core applications
- [x] Gitea - [x] Gitea
- [x] Tekton - [x] Tekton
- [x] Vault
- [x] Private container registry - [x] Private container registry
- [x] Homepage - [x] Homepage

View File

@ -75,7 +75,6 @@ nav:
- how-to-guides/troubleshooting/gitea.md - how-to-guides/troubleshooting/gitea.md
- how-to-guides/troubleshooting/longhorn.md - how-to-guides/troubleshooting/longhorn.md
- how-to-guides/troubleshooting/pxe-boot.md - how-to-guides/troubleshooting/pxe-boot.md
- how-to-guides/troubleshooting/vault.md
- Reference: - Reference:
- reference/index.md - reference/index.md
- Architecture: - Architecture:

View File

@ -25,10 +25,6 @@ apps = [
'name': 'argocd', 'name': 'argocd',
'url': 'https://argocd.khuedoan.com/applications/root' 'url': 'https://argocd.khuedoan.com/applications/root'
}, },
{
'name': 'vault',
'url': 'https://vault.khuedoan.com/ui/vault/secrets'
},
{ {
'name': 'tekton', 'name': 'tekton',
'url': 'https://tekton.khuedoan.com/#/namespaces/tekton-pipelines/pipelineruns/homelab?pipelineTask=external&step=plan' 'url': 'https://tekton.khuedoan.com/#/namespaces/tekton-pipelines/pipelineruns/homelab?pipelineTask=external&step=plan'

View File

@ -1,5 +0,0 @@
#!/bin/sh
echo "WARNING: Root token can do anything in Vault, only use it for just enough initial setup or in emergencies." >&2
export KUBECONFIG=./metal/kubeconfig.yaml
kubectl get secrets vault-unseal-keys -n vault -o jsonpath='{.data.vault-root}' | base64 --decode
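Review bot: deleting `scripts/vault-root-token` removes the convenience wrapper but not the material it read: on a cluster deployed before this change, the `vault-unseal-keys` Secret in the `vault` namespace (root token under `vault-root`, plus the unseal keys) stays in etcd until someone removes it. The commit or the secrets doc should carry a migration step for existing installs: move the secrets into `global-secrets`, revoke the root token while Vault is still reachable, then delete the `vault` namespace. The warning line being removed here was the only place the repo stated that the root token is all-powerful; that sentence belongs in the migration note.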

View File

@ -19,7 +19,6 @@ func TestSmoke(t *testing.T) {
}{ }{
{"argocd-server", "argocd"}, {"argocd-server", "argocd"},
{"hajimari", "hajimari"}, {"hajimari", "hajimari"},
{"vault", "vault"},
{"gitea", "gitea"}, {"gitea", "gitea"},
} }
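Review bot: the smoke test drops the `vault` check but adds nothing for what replaces it, even though the secrets doc in this commit now depends on a `global-secrets` namespace with a Secret Generator and a `ClusterSecretStore` named `global-secrets`. If the generator runs as a workload this table can check, add an entry for it (real name from `./platform/global-secrets`, e.g. `{"<secret-generator-workload>", "global-secrets"}`) so the secrets path stays covered.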