docs: add more secrets management details

Khue Doan 2022-07-24 00:14:12 +07:00
parent db1ba14e78
commit 65c33f886c
3 changed files with 64 additions and 25 deletions

View File

@ -26,4 +26,66 @@ flowchart TD
ClusterSecretStore --> ExternalSecret ClusterSecretStore --> ExternalSecret
``` ```
TODO: more details on how to use secrets ## Generate random secret
This is useful when you want to generate random secrets like admin password and store in Vault.
```yaml title="./platform/vault/files/generate-secrets/config.yaml" hl_lines="2-6"
--8<--
./platform/vault/files/generate-secrets/config.yaml
--8<--
```
## Pulling secrets from Vault to Kubernetes
Commit and push an `ExternalSecret` object, for example:
```yaml hl_lines="4 21-23"
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: gitea-admin-secret
namespace: gitea
spec:
data:
- remoteRef:
conversionStrategy: Default
key: /gitea/admin
property: password
secretKey: password
refreshInterval: 1h
secretStoreRef:
kind: ClusterSecretStore
name: vault
target:
creationPolicy: Owner
deletionPolicy: Retain
template:
data:
password: '{{ .password }}'
username: gitea_admin
engineVersion: v2
```
This will create a corresponding Kubernetes secret:
`kubectl describe secrets -n gitea gitea-admin-secret`
```yaml hl_lines="1 8-11"
Name: gitea-admin-secret
Namespace: gitea
Labels: <none>
Annotations: reconcile.external-secrets.io/data-hash: <REDACTED>
Type: Opaque
Data
====
password: 32 bytes
username: 11 bytes
```
Please see the official documentation for more information:
- [External Secrets Operator](https://external-secrets.io)
- [API specification](https://external-secrets.io/latest/spec)
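Review bot: the new `ExternalSecret` example never ties `key: /gitea/admin` / `property: password` back to the generate-secrets config included in the section just above, whose entries are `path`/`key` pairs (see `- path: dex/grafana` and `- key: password` elsewhere in this commit); a sentence stating that `remoteRef.key` and `property` must match a `path` and `key` in `./platform/vault/files/generate-secrets/config.yaml` would let a reader connect the two sections. The example also sets `deletionPolicy: Retain` without comment, which means the `gitea-admin-secret` Secret stays in the cluster after its `ExternalSecret` is deleted; a line saying so lets operators plan cleanup. Minor wording: "generate random secrets like admin password and store in Vault" reads better as "generate random secrets, such as an admin password, and store them in Vault".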

View File

@ -2,7 +2,7 @@
## Overview ## Overview
Dnsmasq is used as either a DHCP server or DHCP proxy server for PXE metal provisioning. Dnsmasq is used as either a DHCP server or DHCP proxy server for PXE metal provisioning.
Proxy mode is enabled by default allowing the use of existing DHCP servers on the network. Proxy mode is enabled by default allowing the use of existing DHCP servers on the network.
A good description on how DHCP Proxy works can be found on the related [FOG project wiki page](https://wiki.fogproject.org/wiki/index.php?title=ProxyDHCP_with_dnsmasq) A good description on how DHCP Proxy works can be found on the related [FOG project wiki page](https://wiki.fogproject.org/wiki/index.php?title=ProxyDHCP_with_dnsmasq)
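Review bot: the hunk header announces a 7-line to 7-line change, but only four unchanged context lines are visible here and the modified line does not appear in this rendering, so the actual edit to the dnsmasq overview cannot be reviewed from this view; please surface the changed line before approving.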

View File

@ -4,22 +4,6 @@
- key: password - key: password
length: 32 length: 32
special: true special: true
# TODO create tokens and put to Vault automatically
# - gitea/renovate:
# - id
# - token
# - gitea/dex:
# - client_id
# - client_secret
# TODO import to vault?
# - metal/ssh:
# - private_key # needs ending new line https://github.com/ansible/awx/issues/9082
# - external/terraform-cloud:
# - token
# - external/cloudflare:
# - email
# - api_token
# - account_id
# Dex # Dex
- path: dex/grafana - path: dex/grafana
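Review bot: deleting the commented TODO block removes the only record of which credentials are still created by hand (gitea/renovate, gitea/dex, metal/ssh, external/terraform-cloud, external/cloudflare) and the note that the SSH private key needs a trailing newline (ansible/awx#9082); unless that list has been moved to an issue or to the new docs page, keep it here or leave a pointer so the manual steps are not lost.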
@ -34,10 +18,3 @@
- key: password - key: password
length: 32 length: 32
special: true special: true
# Matrix
- path: matrix/bot/alert
data:
- key: password
length: 32
special: true
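Review bot: removing the `matrix/bot/alert` entry stops the generator from producing that password, so any `ExternalSecret` or other consumer that still references that Vault path will fail to sync; confirm nothing references it, or that the value is now provisioned elsewhere, before merging.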