khuedoan-homelab/docs/concepts/secrets-management.md
Khue Doan 1405fadf1a refactor(docs): apply the Diátaxis framework
Squashed commit of the following:

commit 257867f196376df55fa0f57edbdf33967b1da04e
Author: Khue Doan <mail@khuedoan.com>
Date:   Sun Sep 18 16:45:42 2022 +0700

    refactor(docs): apply the Diátaxis framework
2022-09-19 02:40:07 +07:00


# Secrets management

## Overview

!!! info

    Despite the name _External_ Secrets Operator, our Vault is deployed on the same cluster.
    HashiCorp Vault can be replaced with AWS Secret Manager, Google Cloud Secret Manager, Azure Key Vault, etc.

```mermaid
flowchart TD
  subgraph vault-namespace[vault namespace]
    bank-vaults[Bank Vaults side car] -. init and unseal .- vault[(HashiCorp Vault)]
    random-secret[Random secrets CronJob] -. generate secrets if not exist .-> vault[(HashiCorp Vault)]
  end

  subgraph app-namespace[application namespace]
    ExternalSecret -. generate .-> Secret
    App -- read --> Secret
  end

  ClusterSecretStore --> vault
  ClusterSecretStore --> ExternalSecret
```

## Randomly generated secrets

This is useful when you want to generate random secrets, such as an admin password, and store them in Vault. The CronJob only creates a secret if it does not already exist, so rerunning it does not rotate credentials that applications are already using.

--8<--
./platform/vault/files/generate-secrets/config.yaml
--8<--
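The generator's config file is included from the repository and its contents are not shown on this page. The following Go program is an added example (not the project's own generate-secrets code) of the "generate only if it does not exist" behaviour the diagram describes. It assumes a hypothetical in-memory `kvStore` in place of Vault's KV engine and a constructed character alphabet; the secret path and field (`/gitea/admin`, `password`) mirror the ExternalSecret example in the next section.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
)

// kvStore is a hypothetical in-memory stand-in for Vault's KV engine:
// secret path -> field name -> value. Only Get and Put are needed here.
type kvStore map[string]map[string]string

var errNotFound = errors.New("secret not found")

func (s kvStore) Get(path string) (map[string]string, error) {
	fields, ok := s[path]
	if !ok {
		return nil, errNotFound
	}
	return fields, nil
}

func (s kvStore) Put(path string, fields map[string]string) error {
	s[path] = fields
	return nil
}

// Characters allowed in a generated secret (a constructed choice for this
// example, not the project's own alphabet).
const alphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"

// randomString draws every character with crypto/rand. rand.Int returns a
// uniformly distributed value in [0, len(alphabet)), so there is no modulo bias.
func randomString(length int) (string, error) {
	out := make([]byte, length)
	upper := big.NewInt(int64(len(alphabet)))
	for i := range out {
		idx, err := rand.Int(rand.Reader, upper)
		if err != nil {
			return "", err
		}
		out[i] = alphabet[idx.Int64()]
	}
	return string(out), nil
}

// ensureSecret generates a random value for field under path only when the
// path does not exist yet, and reports whether a secret was created. Because
// an existing secret is left untouched, rerunning the job never rotates a
// credential that an application is already using.
func ensureSecret(store kvStore, path, field string, length int) (bool, error) {
	if _, err := store.Get(path); err == nil {
		return false, nil
	} else if !errors.Is(err, errNotFound) {
		return false, err
	}
	value, err := randomString(length)
	if err != nil {
		return false, err
	}
	if err := store.Put(path, map[string]string{field: value}); err != nil {
		return false, err
	}
	return true, nil
}

func main() {
	store := kvStore{}
	// Run twice: the first run creates the secret, the second is a no-op.
	for run := 1; run <= 2; run++ {
		created, err := ensureSecret(store, "/gitea/admin", "password", 32)
		if err != nil {
			panic(err)
		}
		fmt.Printf("run %d: created=%v\n", run, created)
	}
}
```

The existence check happens before any random bytes are drawn, so the job is idempotent and can be scheduled freely; the only way to obtain a fresh value is to delete the secret from Vault first.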

## How secrets are pulled from Vault to Kubernetes

When you apply an ExternalSecret object, for example:

```yaml
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: gitea-admin-secret
  namespace: gitea
spec:
  data:
  - remoteRef:
      conversionStrategy: Default
      key: /gitea/admin
      property: password
    secretKey: password
  refreshInterval: 1h
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault
  target:
    creationPolicy: Owner
    deletionPolicy: Retain
    template:
      data:
        password: '{{ .password }}'
        username: gitea_admin
      engineVersion: v2
```

This will create a corresponding Kubernetes secret:

```sh
kubectl describe secrets -n gitea gitea-admin-secret
```

```
Name:         gitea-admin-secret
Namespace:    gitea
Labels:       <none>
Annotations:  reconcile.external-secrets.io/data-hash: <REDACTED>

Type:  Opaque

Data
====
password:  32 bytes
username:  11 bytes
```
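To make the mapping from `remoteRef` through `secretKey` to the rendered Secret concrete, here is an added Go example (not External Secrets Operator's own code) that reproduces the two steps the operator performs for the ExternalSecret above: select the requested `property` from a Vault KV v2 read response and expose it as `secretKey`, then execute each `target.template.data` value as a Go text/template. The Vault response is a constructed sample, and the `missingkey=error` strictness is this example's choice rather than a claim about the operator.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"sort"
	"text/template"
)

// Constructed sample of a Vault KV v2 read response for the path /gitea/admin.
// KV v2 nests the secret fields under data.data; data.metadata holds versioning.
const vaultKVv2Response = `{
  "data": {
    "data": {"password": "aBcDeFgHiJkLmNoPqRsTuVwXyZ012345"},
    "metadata": {"version": 1}
  }
}`

// dataRef is one entry of spec.data: expose the Vault field Property to the
// template under the name SecretKey.
type dataRef struct {
	SecretKey string
	Property  string
}

// fetchProperties selects the requested properties from a KV v2 response.
// A property that does not exist in Vault is an error, not an empty value.
func fetchProperties(rawResponse []byte, refs []dataRef) (map[string]string, error) {
	var resp struct {
		Data struct {
			Data map[string]string `json:"data"`
		} `json:"data"`
	}
	if err := json.Unmarshal(rawResponse, &resp); err != nil {
		return nil, fmt.Errorf("decode vault response: %w", err)
	}
	values := make(map[string]string, len(refs))
	for _, r := range refs {
		v, ok := resp.Data.Data[r.Property]
		if !ok {
			return nil, fmt.Errorf("property %q not found in vault secret", r.Property)
		}
		values[r.SecretKey] = v
	}
	return values, nil
}

// renderTarget mirrors spec.target.template.data: every value is a Go
// text/template executed against the fetched properties. missingkey=error makes
// a template that references an unfetched key fail instead of silently
// rendering "<no value>" into the Secret.
func renderTarget(templateData, values map[string]string) (map[string][]byte, error) {
	secretData := make(map[string][]byte, len(templateData))
	for key, src := range templateData {
		tmpl, err := template.New(key).Option("missingkey=error").Parse(src)
		if err != nil {
			return nil, fmt.Errorf("parse template for %q: %w", key, err)
		}
		var buf bytes.Buffer
		if err := tmpl.Execute(&buf, values); err != nil {
			return nil, fmt.Errorf("render %q: %w", key, err)
		}
		secretData[key] = buf.Bytes()
	}
	return secretData, nil
}

// describe lists key sizes like `kubectl describe secret`, without the values.
func describe(secretData map[string][]byte) []string {
	keys := make([]string, 0, len(secretData))
	for k := range secretData {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	lines := make([]string, 0, len(keys))
	for _, k := range keys {
		lines = append(lines, fmt.Sprintf("%s:  %d bytes", k, len(secretData[k])))
	}
	return lines
}

func main() {
	values, err := fetchProperties([]byte(vaultKVv2Response),
		[]dataRef{{SecretKey: "password", Property: "password"}})
	if err != nil {
		panic(err)
	}
	secretData, err := renderTarget(map[string]string{
		"password": "{{ .password }}",
		"username": "gitea_admin",
	}, values)
	if err != nil {
		panic(err)
	}
	for _, line := range describe(secretData) {
		fmt.Println(line)
	}
}
```

Running it prints the same `password:  32 bytes` / `username:  11 bytes` summary shown above: the literal `gitea_admin` is copied through unchanged, while `{{ .password }}` is replaced by the value fetched from Vault. A template that refers to a key not listed under `spec.data` fails at render time, which is the failure mode to watch for when an ExternalSecret reports a ready condition of false.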

Please see the official External Secrets Operator documentation for more information.