mirror of
https://github.com/khuedoan/homelab.git
synced 2024-12-23 01:04:32 +07:00
docs: add more secrets management details
This commit is contained in:
parent
db1ba14e78
commit
65c33f886c
@ -26,4 +26,66 @@ flowchart TD
|
||||
ClusterSecretStore --> ExternalSecret
|
||||
```
|
||||
|
||||
TODO: more details on how to use secrets
|
||||
## Generate random secret
|
||||
|
||||
This is useful when you want to generate random secrets like admin password and store in Vault.
|
||||
|
||||
```yaml title="./platform/vault/files/generate-secrets/config.yaml" hl_lines="2-6"
|
||||
--8<--
|
||||
./platform/vault/files/generate-secrets/config.yaml
|
||||
--8<--
|
||||
```
|
||||
|
||||
## Pulling secrets from Vault to Kubernetes
|
||||
|
||||
Commit and push an `ExternalSecret` object, for example:
|
||||
|
||||
```yaml hl_lines="4 21-23"
|
||||
apiVersion: external-secrets.io/v1beta1
|
||||
kind: ExternalSecret
|
||||
metadata:
|
||||
name: gitea-admin-secret
|
||||
namespace: gitea
|
||||
spec:
|
||||
data:
|
||||
- remoteRef:
|
||||
conversionStrategy: Default
|
||||
key: /gitea/admin
|
||||
property: password
|
||||
secretKey: password
|
||||
refreshInterval: 1h
|
||||
secretStoreRef:
|
||||
kind: ClusterSecretStore
|
||||
name: vault
|
||||
target:
|
||||
creationPolicy: Owner
|
||||
deletionPolicy: Retain
|
||||
template:
|
||||
data:
|
||||
password: '{{ .password }}'
|
||||
username: gitea_admin
|
||||
engineVersion: v2
|
||||
```
|
||||
|
||||
This will create a corresponding Kubernetes secret:
|
||||
|
||||
`kubectl describe secrets -n gitea gitea-admin-secret`
|
||||
|
||||
```yaml hl_lines="1 8-11"
|
||||
Name: gitea-admin-secret
|
||||
Namespace: gitea
|
||||
Labels: <none>
|
||||
Annotations: reconcile.external-secrets.io/data-hash: <REDACTED>
|
||||
|
||||
Type: Opaque
|
||||
|
||||
Data
|
||||
====
|
||||
password: 32 bytes
|
||||
username: 11 bytes
|
||||
```
|
||||
|
||||
Please see the official documentation for more information:
|
||||
|
||||
- [External Secrets Operator](https://external-secrets.io)
|
||||
- [API specification](https://external-secrets.io/latest/spec)
|
||||
|
@ -2,7 +2,7 @@
|
||||
|
||||
## Overview
|
||||
|
||||
Dnsmasq is used as either a DHCP server or DHCP proxy server for PXE metal provisioning.
|
||||
Dnsmasq is used as either a DHCP server or DHCP proxy server for PXE metal provisioning.
|
||||
|
||||
Proxy mode is enabled by default allowing the use of existing DHCP servers on the network.
|
||||
A good description on how DHCP Proxy works can be found on the related [FOG project wiki page](https://wiki.fogproject.org/wiki/index.php?title=ProxyDHCP_with_dnsmasq)
|
||||
|
@ -4,22 +4,6 @@
|
||||
- key: password
|
||||
length: 32
|
||||
special: true
|
||||
# TODO create tokens and put to Vault automatically
|
||||
# - gitea/renovate:
|
||||
# - id
|
||||
# - token
|
||||
# - gitea/dex:
|
||||
# - client_id
|
||||
# - client_secret
|
||||
# TODO import to vault?
|
||||
# - metal/ssh:
|
||||
# - private_key # needs ending new line https://github.com/ansible/awx/issues/9082
|
||||
# - external/terraform-cloud:
|
||||
# - token
|
||||
# - external/cloudflare:
|
||||
# - email
|
||||
# - api_token
|
||||
# - account_id
|
||||
|
||||
# Dex
|
||||
- path: dex/grafana
|
||||
@ -34,10 +18,3 @@
|
||||
- key: password
|
||||
length: 32
|
||||
special: true
|
||||
|
||||
# Matrix
|
||||
- path: matrix/bot/alert
|
||||
data:
|
||||
- key: password
|
||||
length: 32
|
||||
special: true
|
||||
|
Loading…
Reference in New Issue
Block a user