Commit

Merge pull request #40 from stakater/update-secrets-management
enhance secrets management section
rasheedamir authored Sep 26, 2022
2 parents 0ae232a + 20a40dd commit abc7ac7
Showing 22 changed files with 58 additions and 11 deletions.
9 changes: 3 additions & 6 deletions docs/.vuepress/configs/sidebar.ts
Expand Up @@ -182,12 +182,9 @@ export const sidebarEn: SidebarConfig = [
text: "Secrets Management",
collapsible: true,
children: [
"/content/sre/secrets/introduction.md",
"/content/sre/secrets/sealed-secrets.md",
"/content/sre/secrets/vault.md",
"/content/sre/secrets/external-secret-operator/introduction.md",
"/content/sre/secrets/external-secret-operator/workflow.md",
"/content/sre/secrets/external-secret-operator/getting-started.md",
"/content/secrets-management/introduction.md",
"/content/secrets-management/sealed-secrets.md",
"/content/secrets-management/vault.md",
],
},
{
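Review bot: the three `external-secret-operator/*.md` entries (introduction, workflow, getting-started) are removed from the sidebar without any replacement under the new `/content/secrets-management/` path; only `introduction.md`, `sealed-secrets.md` and `vault.md` are added. The `vault.md` hunk in this same commit adds an "Option # 3 - Consume Vault secret via ExternalSecret" section, so if that is where the ESO content moved, the sidebar change is consistent, but please confirm the three files are actually deleted in this commit rather than left as orphaned pages that are no longer reachable from navigation.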
Empty file added docs/content/.gitkeep
File renamed without changes.
File renamed without changes.
Expand Up @@ -69,16 +69,18 @@ Vault login token=${TOKEN}

SAAP supports 3 different ways to consume secrets from Vault:

1. Option # 1 - Consume Vault secret via a volume
2. Option # 2 - Consume Vault secret via environment variable
3. Option # 3 - Consume Vault secret via ExternalSecrets
1. Option # 1 - Consume Vault secret via a Volume
2. Option # 2 - Consume Vault secret via Environment Variable
3. Option # 3 - Consume Vault secret via ExternalSecret (Recommended)

Below you can find step by step guide to consume via different options.

### Option # 1 - Consume Vault secret via a volume
### Option # 1 - Consume Vault secret via a Volume

To mount Vault secret in a volume do following:

_TODO_ Is this step required by all three options?

- **Step 1**: Add label in serviceaccount so it can be granted Vault read access to secret path

```
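Review bot: the added `_TODO_ Is this step required by all three options?` line is shipped into user-facing documentation; the question should be answered rather than published. If the service-account label in Step 1 is a prerequisite for every option, move it into a shared prerequisites section above the option headings; if it applies only to Option 1 and 2, say so explicitly. Also, Option 3 is now marked `(Recommended)` in the list but the heading for Option 3 itself does not carry that marker; keep the two consistent.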
Expand Down Expand Up @@ -123,7 +125,7 @@ To mount Vault secret in a volume do following:
mountPath: /data/db-creds
```
### Option # 2 - Consume Vault secret via environment variable
### Option # 2 - Consume Vault secret via Environment Variable
To mount Vault secret in an environment variable do following:
Expand Down Expand Up @@ -186,3 +188,51 @@ To mount Vault secret in an environment variable do following:
[Here](https://github.com/stakater-lab/stakater-nordmart-review/blob/main/deploy/values.yaml#L24) is a working example.
Your secret should be available at the path defined above in Vault; a change in secret value in Vault will automatically restart the application by [Stakater Reloader](https://github.com/stakater/Reloader)
### Option # 3 - Consume Vault secret via ExternalSecret
Kubernetes secret do not support storing or retrieving secret data from external secret management systems, e.g. [HashiCorp Vault](https://www.vaultproject.io/)
**External Secrets** solves this problem by providing access to secrets stored externally. It does this by adding an `ExternalSecret` object to Kubernetes using a [CustomResourceDefinition](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/).
SAAP comes with fully managed [**External Secrets Operator**](https://github.com/external-secrets/external-secrets/) to integrate with Vault and makes it extremely easy to consume secrets from Vault.
- **Step 1**: Add `tenant-vault-access` template to the tenant
```yaml
apiVersion: tenantoperator.stakater.com/v1alpha1
kind: Tenant
metadata:
name: gabbar
spec:
users:
owner:
- user1
- user2
quota: medium
namespacetemplate:
templateInstances:
- spec:
template: tenant-vault-access
sync: true
```
_TODO_ What will this template do? Who owns and manages this template? Is it owned by SAAP?
- **Step 2**: Enable `externalSecret` in your `deploy/values.yaml` and provide details of the secret path in Vault.
```yaml
externalSecret:
enabled: true
secretStore:
name: tenant-vault-secret-store
files:
inventory-postgres: #Name of Kubernetes Secret
data:
postgresql-password: #Name of Kubernetes Secret Key
remoteRef:
key: inventory-postgres #Name of Vault Secret
property: postgresql-password #Name of Vault Secret Key
```
_TODO_ So, when I update a secret in vault; then is the application restarted automatically by Reloader?
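Review bot: two `_TODO_` questions are added as visible text in the published page (what the `tenant-vault-access` template does and who owns it; whether Reloader restarts the application when the Vault secret changes). Both should be resolved in the text: Option 2 above already states that a change in Vault "will automatically restart the application by Stakater Reloader", so the Option 3 section should state plainly whether the same behaviour applies when the Kubernetes Secret is produced by an `ExternalSecret`, and a one-sentence description of what `tenant-vault-access` provisions (and that it is SAAP-managed, if it is) belongs next to the Tenant example. Minor: "Kubernetes secret do not support storing or retrieving secret data" should read "Kubernetes Secrets do not support ...", and that sentence is missing its terminating period.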
