vault migration

2026-04-30 22:38:33 +02:00
parent 2e09a2d404
commit 73376a0a7d
49 changed files with 1103 additions and 272 deletions
--- a/docs/OPERATIONS-RUNBOOK.md
+++ b/docs/OPERATIONS-RUNBOOK.md
@@ -188,13 +188,15 @@ Save the following file in private/ (gitignored) folder as secret.yaml
      <paste your private key here>
    project: default
 ```
-Seal the secret using `kubeseal` command 
+Write the secret to Vault:
 ```bash
-kubeseal --format=yaml \
-  --namespace=argocd \
-  < private/secret.yaml \
-  > secrets/forte-helm-repo-secret-sealed.yaml
+vault kv put kv/argocd/forte-helm-repo \
+  type=git \
+  url=ssh://git@git.forteapps.net:2222/Forte/forte-helm.git \
+  sshPrivateKey="$(cat private/ssh-key)" \
+  project=default
 ```
+Then create a VaultStaticSecret CRD with `argocd.argoproj.io/secret-type: repository` label.

 **Step 4: Register Repository in ArgoCD**

@@ -499,7 +501,7 @@ See [Developer Guide](DEVELOPER-GUIDE.md#deploying-your-first-application) for d
 **Quick checklist:**
 - [ ] Create `helm-prod-values/myapp/values.yaml`
 - [ ] Create `apps/myapp.yaml` in config repo
- [ ] Create SealedSecret if needed
+- [ ] Write secrets to Vault and create VaultStaticSecret CRD if needed
 - [ ] Commit and push changes
 - [ ] Verify sync in Slack/ArgoCD
 - [ ] Configure DNS for domain
@@ -670,92 +672,61 @@ db:

 ## Secret Management

+Secrets are managed via **HashiCorp Vault** and synced to Kubernetes by the **Vault Secrets Operator (VSO)**. See [Vault Secrets Operator Reference](vault-secrets-operator.md) for full details.
+
 ### Creating Secrets

-#### Step 1: Get Public Certificate
+#### Step 1: Write to Vault

 ```bash
-# Fetch sealed-secrets public cert (one-time)
-kubeseal --fetch-cert \
-  --controller-name=sealed-secrets-controller \
-  --controller-namespace=kube-system \
-  > pub-cert.pem
-
-# Save this certificate for future use
+# From literal values
+vault kv put kv/myapp/myapp-credentials \
+  API_KEY=secret123 \
+  DB_PASSWORD=pass456
 ```

-#### Step 2: Create Plain Secret
+#### Step 2: Create VaultStaticSecret CRD

-```bash
-# Method 1: From literal values
-kubectl create secret generic myapp-credentials \
-  --from-literal=API_KEY=secret123 \
-  --from-literal=DB_PASSWORD=pass456 \
-  --namespace=myapp \
-  --dry-run=client -o yaml > private/myapp-credentials.yaml
-
-# Method 2: From file
-kubectl create secret generic myapp-credentials \
-  --from-file=.env \
-  --namespace=myapp \
-  --dry-run=client -o yaml > private/myapp-credentials.yaml
-
-# Method 3: From multiple files
-kubectl create secret generic myapp-credentials \
-  --from-file=api-key.txt \
-  --from-file=db-password.txt \
-  --namespace=myapp \
-  --dry-run=client -o yaml > private/myapp-credentials.yaml
+```yaml
+# apps/base/myapp/myapp-credentials-vault.yaml
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: myapp-credentials
+  namespace: myapp
+spec:
+  type: kv-v2
+  mount: kv
+  path: myapp/myapp-credentials
+  destination:
+    name: myapp-credentials
+    create: true
+  refreshAfter: 30s
+  vaultAuthRef: vault-auth
 ```

-#### Step 3: Seal Secret
+#### Step 3: Commit CRD

 ```bash
-kubeseal --format=yaml \
-  --cert=pub-cert.pem \
-  --namespace=myapp \
-  < private/myapp-credentials.yaml \
-  > secrets/myapp-credentials-sealed.yaml
-```
-
-#### Step 4: Commit Sealed Secret
-
-```bash
-git add secrets/myapp-credentials-sealed.yaml
-git commit -m "Add myapp credentials"
+git add apps/base/myapp/myapp-credentials-vault.yaml
+git commit -m "Add myapp credentials (VSO)"
 git push
-
-# Delete plain secret
-rm private/myapp-credentials.yaml
 ```

-### Updating Secrets
+ArgoCD syncs the CRD, VSO creates the K8s Secret automatically.
+
+### Updating / Rotating Secrets
+
+**No git commit needed** — just update in Vault:

 ```bash
-# 1. Create new version
-kubectl create secret generic myapp-credentials \
-  --from-literal=API_KEY=new-secret-key \
-  --from-literal=DB_PASSWORD=new-password \
-  --namespace=myapp \
-  --dry-run=client -o yaml > private/myapp-credentials.yaml
+vault kv put kv/myapp/myapp-credentials \
+  API_KEY=new-secret-key \
+  DB_PASSWORD=new-password

-# 2. Seal it
-kubeseal --format=yaml \
-  --cert=pub-cert.pem \
-  --namespace=myapp \
-  < private/myapp-credentials.yaml \
-  > secrets/myapp-credentials-sealed.yaml
-
-# 3. Commit
-git add secrets/myapp-credentials-sealed.yaml
-git commit -m "Update myapp credentials"
-git push
-
-# 4. Restart pods to pick up new secret
+# VSO picks up changes within 30 seconds
+# Restart pods if needed
 kubectl rollout restart deployment myapp -n myapp
-
-# 5. Delete plain secret
-rm private/myapp-credentials.yaml
 ```

 ### Viewing Secrets (Unsealed)
@@ -832,30 +803,13 @@ OIDC auth requires an `auth-oidc` Secret with two keys:
 CLIENT_SECRET="your-oidc-client-secret-from-provider"
 COOKIE_SECRET=$(openssl rand -hex 32)

-# Create plain secret
-kubectl create secret generic auth-oidc \
-  --from-literal=client-secret=$CLIENT_SECRET \
-  --from-literal=cookie-secret=$COOKIE_SECRET \
-  --namespace=myapp \
-  --dry-run=client -o yaml > private/myapp-auth-oidc.yaml
+# Write to Vault
+vault kv put kv/myapp/auth-oidc \
+  client-secret=$CLIENT_SECRET \
+  cookie-secret=$COOKIE_SECRET

-# Seal it
-kubeseal --format=yaml \
-  --cert=pub-cert.pem \
-  --namespace=myapp \
-  < private/myapp-auth-oidc.yaml \
-  > secrets/myapp-auth-oidc-sealed.yaml
-
-# Apply sealed secret
-kubectl apply -f secrets/myapp-auth-oidc-sealed.yaml
-
-# Commit to Git
-git add secrets/myapp-auth-oidc-sealed.yaml
-git commit -m "Add OIDC secrets for myapp"
-git push
-
-# Clean up
-rm private/myapp-auth-oidc.yaml
+# Create VaultStaticSecret CRD (one-time) and commit
+# See docs/vault-secrets-operator.md for CRD template
 ```

 #### Rotating Authentication Secrets
@@ -882,16 +836,12 @@ kubectl rollout restart deployment myapp -n myapp
 # Rotate cookie secret (safe - invalidates existing sessions)
 NEW_COOKIE_SECRET=$(openssl rand -hex 32)

-# Recreate secret
-kubectl create secret generic auth-oidc \
-  --from-literal=client-secret=$CLIENT_SECRET \
-  --from-literal=cookie-secret=$NEW_COOKIE_SECRET \
-  --namespace=myapp \
-  --dry-run=client -o yaml | \
-  kubeseal --format=yaml --cert=pub-cert.pem --namespace=myapp | \
-  kubectl apply -f -
+# Update in Vault — no git commit needed
+vault kv put kv/myapp/auth-oidc \
+  client-secret=$CLIENT_SECRET \
+  cookie-secret=$NEW_COOKIE_SECRET

-# Restart to pick up new secret
+# VSO picks up within 30s. Restart pods to use new secret:
 kubectl rollout restart deployment myapp -n myapp
 ```

@@ -1342,13 +1292,11 @@ kubectl get applications -n argocd -w
               - pg_dump -U $DB_USER -d $DB_NAME > /backup/dump-$(date +%Y%m%d).sql
   ```

-3. **Sealed Secrets private key backup**
+3. **Vault backup**
   ```bash
-   # Backup sealed-secrets controller private key
-   kubectl get secret -n kube-system sealed-secrets-key \
-     -o yaml > sealed-secrets-key-backup.yaml
-
-   # Store in secure location (password manager, vault)
+   # Vault data is stored on PVC — ensure PVC snapshots are configured
+   # For disaster recovery, maintain Vault unseal keys in a secure location
+   # All secrets can be re-seeded from source if needed
   ```

 ---
@@ -1668,7 +1616,7 @@ echo "Remember to delete: $SECRET_FILE"
 - [ ] Gitea Actions workflow configured
 - [ ] Helm values created in `helm-prod-values/`
 - [ ] ArgoCD application manifest created in `apps/`
- [ ] Secrets created and sealed
+- [ ] Secrets written to Vault and VaultStaticSecret CRD created
 - [ ] DNS record added for domain
 - [ ] Application synced successfully
 - [ ] Health check passed