Secrets management

Overview

• Secrets are stored in HashiCorp Vault
• Vault is managed with Vault Operator (Bank Vaults), automatically initialize and unseal
• Secrets that can be generated are automatically generated and stored in Vault.
• Integrate with GitOps using External Secrets Operator

Info

Despite the name External Secrets Operator, our Vault is deployed on the same cluster. HashiCorp Vault can be replaced with AWS Secret Manager, Google Cloud Secret Manager, Azure Key Vault, etc.

flowchart TD
  subgraph vault-namespace[vault namespace]
    bank-vaults[Bank Vaults side car] -. init and unseal .- vault[(HashiCorp Vault)]
    random-secret[Random secrets CronJob] -. generate secrets if not exist .-> vault[(HashiCorp Vault)]
  end

  subgraph app-namespace[application namespace]
    ExternalSecret -. generate .-> Secret
    App -- read --> Secret
  end

  ClusterSecretStore --> vault
  ClusterSecretStore --> ExternalSecret

Randomly generated secrets

This is useful when you want to generate random secrets like admin password and store in Vault.

./platform/vault/files/generate-secrets/config.yaml

# Gitea
- path: gitea/admin
  data:
    - key: password
      length: 32
      special: true

# Dex
- path: dex/grafana
  data:
    - key: client_secret
      length: 32
      special: false

# Registry
- path: registry/admin
  data:
    - key: password
      length: 32
      special: true

# Tekton
- path: tekton/webhook
  data:
    - key: token
      length: 32
      special: false

How secrets are pulled from Vault to Kubernetes

When you apply an ExternalSecret object, for example:

apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: gitea-admin-secret
  namespace: gitea
spec:
  data:
  - remoteRef:
      conversionStrategy: Default
      key: /gitea/admin
      property: password
    secretKey: password
  refreshInterval: 1h
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault
  target:
    creationPolicy: Owner
    deletionPolicy: Retain
    template:
      data:
        password: '{{ .password }}'
        username: gitea_admin
      engineVersion: v2

This will create a corresponding Kubernetes secret:

kubectl describe secrets -n gitea gitea-admin-secret

Name:         gitea-admin-secret
Namespace:    gitea
Labels:       <none>
Annotations:  reconcile.external-secrets.io/data-hash: <REDACTED>

Type:  Opaque

Data
====
password:  32 bytes
username:  11 bytes

Please see the official documentation for more information:

• External Secrets Operator
• API specification