From adce1db74678272a4eec11a147d3e714d3282911 Mon Sep 17 00:00:00 2001 From: Khue Doan Date: Sat, 14 May 2022 14:00:00 +0700 Subject: [PATCH] docs: add secret management --- docs/src/SUMMARY.md | 1 + docs/src/reference/secret-management.md | 29 +++++++++++++++++++++++++ 2 files changed, 30 insertions(+) create mode 100644 docs/src/reference/secret-management.md diff --git a/docs/src/SUMMARY.md b/docs/src/SUMMARY.md index 8825e1d1..b42719c1 100644 --- a/docs/src/SUMMARY.md +++ b/docs/src/SUMMARY.md @@ -23,6 +23,7 @@ - [Vault]() - [Reference](./reference/README.md) - [Architecture](./reference/architecture.md) + - [Secret management](./reference/secret-management.md) - [FAQ](./reference/faq.md) - [Contributors](./reference/contributors.md) diff --git a/docs/src/reference/secret-management.md b/docs/src/reference/secret-management.md new file mode 100644 index 00000000..113baa7e --- /dev/null +++ b/docs/src/reference/secret-management.md 
@@ -0,0 +1,29 @@ +# Secret management + +## Overview + +- Secret are stored in [HashiCorp Vault](https://www.vaultproject.io) +- Vault is managed with [Vault Operator (Bank Vaults)](https://banzaicloud.com/docs/bank-vaults/operator), automatically initialize and unseal +- Secrets that can be generated are automatically generated and stored in Vault. +- Integrate with GitOps using [External Secrets Operator](https://external-secrets.io) + +> Despite the name "_External_ Secrets Operator", our Vault is deployed on the same cluster. +> HashiCorp Vault can be replaced with AWS Secret Manager, Google Cloud Secret Manager, Azure Key Vault, etc. + +```mermaid +flowchart TD + subgraph vault-namespace[vault namespace] + bank-vaults[Bank Vaults side car] -. init and unseal .- vault[(HashiCorp Vault)] + random-secret[Random secrets CronJob] -. generate secrets if not exist .-> vault[(HashiCorp Vault)] + end + + subgraph app-namespace[application namespace] + ExternalSecret -. generate .-> Secret + App -- read --> Secret + end + + ClusterSecretStore --> vault + ClusterSecretStore --> ExternalSecret +``` + +TODO: more details on how to use secrets
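Review bot: in the `docs/src/SUMMARY.md` hunk the new `+  - [Secret management](./reference/secret-management.md)` entry is placed consistently under Reference, but the `- [Vault]()` context line two lines above it is still an empty link. Since this patch adds the first Vault documentation, either point that entry at the new page (or at a future Vault page) or drop it, so the table of contents does not ship a dead entry next to the one that actually documents Vault.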
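Review bot: in the `secret-management.md` hunk the overview bullets have grammar slips and the diagram disagrees with the prose. `+- Secret are stored in [HashiCorp Vault]` should read `Secrets are stored in`, and `+- Vault is managed with [Vault Operator (Bank Vaults)](...), automatically initialize and unseal` should read `..., which automatically initializes and unseals it`. The prose names the component "Vault Operator" while the diagram labels it `bank-vaults[Bank Vaults side car]`; pick one name. In the line `random-secret[Random secrets CronJob] -. generate secrets if not exist .-> vault[(HashiCorp Vault)]` the `vault` node is re-declared with its label; `.-> vault` is enough. The two edges `ClusterSecretStore --> vault` and `ClusterSecretStore --> ExternalSecret` are unlabelled, and the second reads as if the store produces the ExternalSecret; with External Secrets Operator it is the ExternalSecret that references the store through `spec.secretStoreRef`, and the store is what holds the Vault connection, so labelled edges such as `ExternalSecret -- secretStoreRef --> ClusterSecretStore` and `ClusterSecretStore -- read --> vault` would match how the operator works. Because this is the security reference page, it should also state where Bank Vaults keeps the unseal keys and root token after `init and unseal`, how the ClusterSecretStore authenticates to Vault (Kubernetes auth role, static token, ...), and what the operator does with secrets the `Random secrets CronJob` cannot generate, such as API keys for external services, rather than leaving all of that to `+TODO: more details on how to use secrets`.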