vault migration

README.md

@@ -57,11 +57,11 @@ This repository contains the complete GitOps configuration for our Kubernetes cl
 
 ### What's Inside
 
-- **Infrastructure Applications**: Traefik, Cert-Manager, Kyverno, Prometheus, Grafana, Loki, Tempo, Sealed Secrets, Homepage (platform dashboard)
+- **Infrastructure Applications**: Traefik, Cert-Manager, Kyverno, Prometheus, Grafana, Loki, Tempo, Vault, Vault Secrets Operator, Homepage (platform dashboard)
 - **Business Applications**: MCP10X, MusicMan, Dot-AI Stack, ArgoCD MCP
 - **Policies**: Kyverno security policies for secret management, namespace controls, pod verification
 - **Monitoring**: Full observability stack with metrics, logs, traces, and alerting
-- **Secrets**: Sealed Secrets for secure Git storage
+- **Secrets**: Vault Secrets Operator (VSO) syncs secrets from HashiCorp Vault to K8s
 
 ### Key Features
 
@@ -187,7 +187,7 @@ Developer commits code → CI/CD builds image → Updates helm-prod-values → A
 **Quick version**:
 1. Create `apps/myapp.yaml` (ArgoCD Application manifest)
 2. Create `helm-prod-values/myapp/values.yaml` (configuration)
-3. Create sealed secrets if needed
+3. Write secrets to Vault and create VaultStaticSecret CRD if needed
 4. Commit and push - ArgoCD auto-syncs!
 
 ### Update an Existing Application
@@ -200,22 +200,18 @@ Developer commits code → CI/CD builds image → Updates helm-prod-values → A
 
 ### Manage Secrets
 
-**See detailed guide**: [Developer Guide - Working with Secrets](docs/DEVELOPER-GUIDE.md#working-with-secrets)
+**See detailed guide**: [Vault Secrets Operator Reference](docs/vault-secrets-operator.md)
 
 ```bash
-# Create plain secret
-kubectl create secret generic myapp-creds \
-  --from-literal=KEY=value \
-  --dry-run=client -o yaml > private/myapp-creds.yaml
+# 1. Write secret to Vault
+vault kv put kv/myapp/myapp-creds KEY=value
 
-# Seal it
-kubeseal --format=yaml --cert=pub-cert.pem \
-  < private/myapp-creds.yaml > secrets/myapp-creds-sealed.yaml
+# 2. Create VaultStaticSecret CRD (one-time, commit to git)
+# See docs/vault-secrets-operator.md for CRD template
 
-# Commit sealed version
-git add secrets/myapp-creds-sealed.yaml
-git commit -m "Add myapp credentials"
-git push
+# 3. Rotate secrets — no git commit needed!
+vault kv put kv/myapp/myapp-creds KEY=new-value
+# VSO picks up changes within 30 seconds
 ```
 
 ### Enable Authentication
@@ -328,7 +324,7 @@ kubectl patch application myapp -n argocd \
 ## 🔐 Security
 
 ### Secret Management
-- ✅ Sealed Secrets for Git storage
+- ✅ Vault Secrets Operator (VSO) for secret management
 - ✅ Kyverno auto-clones secrets to namespaces
 - ❌ Never commit plain secrets
 
@@ -355,7 +351,8 @@ kubectl patch application myapp -n argocd \
 | **Traefik** | Ingress controller | `traefik` | 2 |
 | **Cert-Manager** | TLS certificates | `cert-manager` | 1 |
 | **Kyverno** | Policy engine | `kyverno` | 1 |
-| **Sealed Secrets** | Secret encryption | `kube-system` | 1 |
+| **Vault** | Secret storage | `vault` | 1 |
+| **Vault Secrets Operator** | Secret sync (Vault → K8s) | `vault-secrets-operator-system` | 1 |
 | **Prometheus** | Metrics | `monitoring` | 1 |
 | **Grafana** | Dashboards | `monitoring` | 1 |
 | **Loki** | Logs | `monitoring` | 1 |
@@ -455,7 +452,7 @@ Applications deploy in order using `argocd.argoproj.io/sync-wave`:
 1. Read [Developer Guide - Deploying Your First Application](docs/DEVELOPER-GUIDE.md#deploying-your-first-application)
 2. Create ArgoCD Application manifest in `apps/`
 3. Create Helm values in `helm-prod-values/`
-4. Create sealed secrets if needed
+4. Write secrets to Vault and create VaultStaticSecret CRD if needed
 5. Commit and push - ArgoCD handles the rest!
 
 ### Modifying Infrastructure
@@ -499,7 +496,8 @@ Documentation lives in `docs/`. To update:
 - [Traefik Documentation](https://doc.traefik.io/traefik/)
 - [Cert-Manager Documentation](https://cert-manager.io/docs/)
 - [Grafana Tempo Documentation](https://grafana.com/docs/tempo/)
-- [Sealed Secrets](https://github.com/bitnami-labs/sealed-secrets)
+- [Vault Secrets Operator](https://developer.hashicorp.com/vault/docs/platform/k8s/vso)
+- [HashiCorp Vault](https://developer.hashicorp.com/vault/docs)
 
 ### Related Repositories
 - [forte-helm](https://git.forteapps.net/Forte/forte-helm) - Helm chart templates