khuedoan-homelab/docs/architecture/secrets-management.md

Secrets management

• Secrets are stored in HashiCorp Vault
• Vault is managed with Vault Operator (Bank Vaults), automatically initialize and unseal
• Secrets that can be generated are automatically generated and stored in Vault.
• Integrate with GitOps using External Secrets Operator

!!! info

Despite the name _External_ Secrets Operator, our Vault is deployed on the same cluster.
HashiCorp Vault can be replaced with AWS Secret Manager, Google Cloud Secret Manager, Azure Key Vault, etc.

flowchart TD
  subgraph vault-namespace[vault namespace]
    bank-vaults[Bank Vaults side car] -. init and unseal .- vault[(HashiCorp Vault)]
    random-secret[Random secrets CronJob] -. generate secrets if not exist .-> vault[(HashiCorp Vault)]
  end

  subgraph app-namespace[application namespace]
    ExternalSecret -. generate .-> Secret
    App -- read --> Secret
  end

  ClusterSecretStore --> vault
  ClusterSecretStore --> ExternalSecret

Generate random secret

This is useful when you want to generate random secrets like admin password and store in Vault.

--8<--
./platform/vault/files/generate-secrets/config.yaml
--8<--

Pulling secrets from Vault to Kubernetes

Commit and push an ExternalSecret object, for example:

apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: gitea-admin-secret
  namespace: gitea
spec:
  data:
  - remoteRef:
      conversionStrategy: Default
      key: /gitea/admin
      property: password
    secretKey: password
  refreshInterval: 1h
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault
  target:
    creationPolicy: Owner
    deletionPolicy: Retain
    template:
      data:
        password: '{{ .password }}'
        username: gitea_admin
      engineVersion: v2

This will create a corresponding Kubernetes secret:

kubectl describe secrets -n gitea gitea-admin-secret

Name:         gitea-admin-secret
Namespace:    gitea
Labels:       <none>
Annotations:  reconcile.external-secrets.io/data-hash: <REDACTED>

Type:  Opaque

Data
====
password:  32 bytes
username:  11 bytes

Please see the official documentation for more information:

• External Secrets Operator
• API specification