mirrors/khuedoan-homelab
1
0
Fork 0
mirror of https://github.com/khuedoan/homelab.git synced 2024-12-23 01:24:36 +07:00
Code Issues Packages Projects Releases Wiki Activity

docs: add more secrets management details

Browse Source
This commit is contained in:
Khue Doan 2022-07-24 00:14:12 +07:00
parent db1ba14e78
commit 65c33f886c
3 changed files with 64 additions and 25 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

64
docs/architecture/secrets-management.md
View File

@ -26,4 +26,66 @@ flowchart TD
ClusterSecretStore --> ExternalSecret
```
TODO: more details on how to use secrets
## Generate random secret
This is useful when you want to generate random secrets like admin password and store in Vault.
```yaml title="./platform/vault/files/generate-secrets/config.yaml" hl_lines="2-6"
--8<--
./platform/vault/files/generate-secrets/config.yaml
--8<--
```
## Pulling secrets from Vault to Kubernetes
Commit and push an `ExternalSecret` object, for example:
```yaml hl_lines="4 21-23"
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: gitea-admin-secret
namespace: gitea
spec:
data:
- remoteRef:
conversionStrategy: Default
key: /gitea/admin
property: password
secretKey: password
refreshInterval: 1h
secretStoreRef:
kind: ClusterSecretStore
name: vault
target:
creationPolicy: Owner
deletionPolicy: Retain
template:
data:
password: '{{ .password }}'
username: gitea_admin
engineVersion: v2
```
This will create a corresponding Kubernetes secret:
`kubectl describe secrets -n gitea gitea-admin-secret`
```yaml hl_lines="1 8-11"
Name: gitea-admin-secret
Namespace: gitea
Labels: <none>
Annotations: reconcile.external-secrets.io/data-hash: <REDACTED>
Type: Opaque
Data
====
password: 32 bytes
username: 11 bytes
```
Please see the official documentation for more information:
- [External Secrets Operator](https://external-secrets.io)
- [API specification](https://external-secrets.io/latest/spec)

23
platform/vault/files/generate-secrets/config.yaml
View File

@ -4,22 +4,6 @@
- key: password
length: 32
special: true
# TODO create tokens and put to Vault automatically
# - gitea/renovate:
# - id
# - token
# - gitea/dex:
# - client_id
# - client_secret
# TODO import to vault?
# - metal/ssh:
# - private_key # needs ending new line https://github.com/ansible/awx/issues/9082
# - external/terraform-cloud:
# - token
# - external/cloudflare:
# - email
# - api_token
# - account_id
# Dex
- path: dex/grafana
@ -34,10 +18,3 @@
- key: password
length: 32
special: true
# Matrix
- path: matrix/bot/alert
data:
- key: password
length: 32
special: true