Secrets management
Overview
- Secrets are stored in HashiCorp Vault
- Vault is managed with Vault Operator (Bank Vaults), automatically initialize and unseal
- Secrets that can be generated are automatically generated and stored in Vault.
- Integrate with GitOps using External Secrets Operator
Info
Despite the name External Secrets Operator, our Vault is deployed on the same cluster. HashiCorp Vault can be replaced with AWS Secret Manager, Google Cloud Secret Manager, Azure Key Vault, etc.
flowchart TD
subgraph vault-namespace[vault namespace]
bank-vaults[Bank Vaults side car] -. init and unseal .- vault[(HashiCorp Vault)]
random-secret[Random secrets CronJob] -. generate secrets if not exist .-> vault[(HashiCorp Vault)]
end
subgraph app-namespace[application namespace]
ExternalSecret -. generate .-> Secret
App -- read --> Secret
end
ClusterSecretStore --> vault
ClusterSecretStore --> ExternalSecret
Randomly generated secrets
This is useful when you want to generate random secrets like admin password and store in Vault.
./platform/vault/files/generate-secrets/config.yaml
# Gitea
- path: gitea/admin
data:
- key: password
length: 32
special: true
# Dex
- path: dex/grafana
data:
- key: client_secret
length: 32
special: false
# Registry
- path: registry/admin
data:
- key: password
length: 32
special: true
# Tekton
- path: tekton/webhook
data:
- key: token
length: 32
special: false
How secrets are pulled from Vault to Kubernetes
When you apply an ExternalSecret
object, for example:
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: gitea-admin-secret
namespace: gitea
spec:
data:
- remoteRef:
conversionStrategy: Default
key: /gitea/admin
property: password
secretKey: password
refreshInterval: 1h
secretStoreRef:
kind: ClusterSecretStore
name: vault
target:
creationPolicy: Owner
deletionPolicy: Retain
template:
data:
password: '{{ .password }}'
username: gitea_admin
engineVersion: v2
This will create a corresponding Kubernetes secret:
kubectl describe secrets -n gitea gitea-admin-secret
Name: gitea-admin-secret
Namespace: gitea
Labels: <none>
Annotations: reconcile.external-secrets.io/data-hash: <REDACTED>
Type: Opaque
Data
====
password: 32 bytes
username: 11 bytes
Please see the official documentation for more information: