mirror of
https://github.com/khuedoan/homelab.git
synced 2024-12-23 01:24:36 +07:00
docs: add more secrets management details
This commit is contained in:
parent
db1ba14e78
commit
65c33f886c
@ -26,4 +26,66 @@ flowchart TD
|
|||||||
ClusterSecretStore --> ExternalSecret
|
ClusterSecretStore --> ExternalSecret
|
||||||
```
|
```
|
||||||
|
|
||||||
TODO: more details on how to use secrets
|
## Generate random secret
|
||||||
|
|
||||||
|
This is useful when you want to generate random secrets like admin password and store in Vault.
|
||||||
|
|
||||||
|
```yaml title="./platform/vault/files/generate-secrets/config.yaml" hl_lines="2-6"
|
||||||
|
--8<--
|
||||||
|
./platform/vault/files/generate-secrets/config.yaml
|
||||||
|
--8<--
|
||||||
|
```
|
||||||
|
|
||||||
|
## Pulling secrets from Vault to Kubernetes
|
||||||
|
|
||||||
|
Commit and push an `ExternalSecret` object, for example:
|
||||||
|
|
||||||
|
```yaml hl_lines="4 21-23"
|
||||||
|
apiVersion: external-secrets.io/v1beta1
|
||||||
|
kind: ExternalSecret
|
||||||
|
metadata:
|
||||||
|
name: gitea-admin-secret
|
||||||
|
namespace: gitea
|
||||||
|
spec:
|
||||||
|
data:
|
||||||
|
- remoteRef:
|
||||||
|
conversionStrategy: Default
|
||||||
|
key: /gitea/admin
|
||||||
|
property: password
|
||||||
|
secretKey: password
|
||||||
|
refreshInterval: 1h
|
||||||
|
secretStoreRef:
|
||||||
|
kind: ClusterSecretStore
|
||||||
|
name: vault
|
||||||
|
target:
|
||||||
|
creationPolicy: Owner
|
||||||
|
deletionPolicy: Retain
|
||||||
|
template:
|
||||||
|
data:
|
||||||
|
password: '{{ .password }}'
|
||||||
|
username: gitea_admin
|
||||||
|
engineVersion: v2
|
||||||
|
```
|
||||||
|
|
||||||
|
This will create a corresponding Kubernetes secret:
|
||||||
|
|
||||||
|
`kubectl describe secrets -n gitea gitea-admin-secret`
|
||||||
|
|
||||||
|
```yaml hl_lines="1 8-11"
|
||||||
|
Name: gitea-admin-secret
|
||||||
|
Namespace: gitea
|
||||||
|
Labels: <none>
|
||||||
|
Annotations: reconcile.external-secrets.io/data-hash: <REDACTED>
|
||||||
|
|
||||||
|
Type: Opaque
|
||||||
|
|
||||||
|
Data
|
||||||
|
====
|
||||||
|
password: 32 bytes
|
||||||
|
username: 11 bytes
|
||||||
|
```
|
||||||
|
|
||||||
|
Please see the official documentation for more information:
|
||||||
|
|
||||||
|
- [External Secrets Operator](https://external-secrets.io)
|
||||||
|
- [API specification](https://external-secrets.io/latest/spec)
|
||||||
|
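Review bot: the new docs line `TODO: more details on how to use secrets` ships as a visible placeholder in the rendered page directly under the flowchart; since the two sections that follow in this hunk ("Generate random secret" and "Pulling secrets from Vault to Kubernetes") already cover that ground, either drop the TODO or replace it with a one-line pointer to those sections. In the `ExternalSecret` example, `refreshInterval: 1h` together with `deletionPolicy: Retain` deserves a sentence of explanation next to the YAML: a value rotated in Vault takes up to an hour to reach the Kubernetes Secret, and deleting the `ExternalSecret` leaves the generated Secret in place, which is the behaviour a reader would want called out rather than left implicit in the highlighted lines.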
@ -2,7 +2,7 @@
|
|||||||
|
|
||||||
## Overview
|
## Overview
|
||||||
|
|
||||||
Dnsmasq is used as either a DHCP server or DHCP proxy server for PXE metal provisioning.
|
Dnsmasq is used as either a DHCP server or DHCP proxy server for PXE metal provisioning.
|
||||||
|
|
||||||
Proxy mode is enabled by default allowing the use of existing DHCP servers on the network.
|
Proxy mode is enabled by default allowing the use of existing DHCP servers on the network.
|
||||||
A good description on how DHCP Proxy works can be found on the related [FOG project wiki page](https://wiki.fogproject.org/wiki/index.php?title=ProxyDHCP_with_dnsmasq)
|
A good description on how DHCP Proxy works can be found on the related [FOG project wiki page](https://wiki.fogproject.org/wiki/index.php?title=ProxyDHCP_with_dnsmasq)
|
||||||
|
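Review bot: the visible text on both sides of this hunk reads identically, so the change itself is not distinguishable in the rendered view; two small style points on the lines shown: `Proxy mode is enabled by default allowing the use of existing DHCP servers on the network.` wants a comma before `allowing` (or `which allows`), and the sentence ending with the FOG project wiki link has no terminating period.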
@ -4,22 +4,6 @@
|
|||||||
- key: password
|
- key: password
|
||||||
length: 32
|
length: 32
|
||||||
special: true
|
special: true
|
||||||
# TODO create tokens and put to Vault automatically
|
|
||||||
# - gitea/renovate:
|
|
||||||
# - id
|
|
||||||
# - token
|
|
||||||
# - gitea/dex:
|
|
||||||
# - client_id
|
|
||||||
# - client_secret
|
|
||||||
# TODO import to vault?
|
|
||||||
# - metal/ssh:
|
|
||||||
# - private_key # needs ending new line https://github.com/ansible/awx/issues/9082
|
|
||||||
# - external/terraform-cloud:
|
|
||||||
# - token
|
|
||||||
# - external/cloudflare:
|
|
||||||
# - email
|
|
||||||
# - api_token
|
|
||||||
# - account_id
|
|
||||||
|
|
||||||
# Dex
|
# Dex
|
||||||
- path: dex/grafana
|
- path: dex/grafana
|
||||||
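Review bot: deleting the commented block (`# - gitea/renovate`, `# - gitea/dex`, `# - metal/ssh`, `# - external/terraform-cloud`, `# - external/cloudflare`) removes the only inventory of secrets that still have to be created or imported into Vault by hand, together with the `# TODO create tokens and put to Vault automatically` and `# TODO import to vault?` reminders and the note that `metal/ssh` `private_key` needs a trailing newline (https://github.com/ansible/awx/issues/9082). Move that list and the newline caveat into the secrets management docs page touched by this same commit before dropping it from `config.yaml`, otherwise the manual steps and the known pitfall are lost.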
@ -34,10 +18,3 @@
|
|||||||
- key: password
|
- key: password
|
||||||
length: 32
|
length: 32
|
||||||
special: true
|
special: true
|
||||||
|
|
||||||
# Matrix
|
|
||||||
- path: matrix/bot/alert
|
|
||||||
data:
|
|
||||||
- key: password
|
|
||||||
length: 32
|
|
||||||
special: true
|
|
||||||
|
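Review bot: removing the `matrix/bot/alert` entry means the generator will no longer create that Vault path, so any `ExternalSecret` still referencing `matrix/bot/alert` will fail to sync; confirm the consumer was removed as well, and note that this and the previous hunk change `config.yaml` behaviour under a commit message scoped as `docs:`, so the message should mention the config change (or the config edits belong in a separate commit).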