chore(format): prettier-normalize VAULT-SECRETS.md (table alignment + inline comments)
@@ -211,7 +211,7 @@ Error: token expired
|
|||||||
Use this table to choose between the ESO bridge (default) and Direct-Vault (opt-in) patterns for every new app or integration.
|
Use this table to choose between the ESO bridge (default) and Direct-Vault (opt-in) patterns for every new app or integration.
|
||||||
|
|
||||||
| Factor | ESO Bridge (default) | Direct-Vault (opt-in) |
|
| Factor | ESO Bridge (default) | Direct-Vault (opt-in) |
|
||||||
| --- | --- | --- |
|
| --------------------------- | ----------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------- |
|
||||||
| **Use-case** | All static secrets (DB creds, API keys, signing keys, OAuth secrets) | Dynamic creds with short TTLs (DB rotation, AWS STS, PKI), per-request audit trails, or lease renewal mid-pod-lifecycle |
|
| **Use-case** | All static secrets (DB creds, API keys, signing keys, OAuth secrets) | Dynamic creds with short TTLs (DB rotation, AWS STS, PKI), per-request audit trails, or lease renewal mid-pod-lifecycle |
|
||||||
| **App code change** | None — reads standard env vars via `secretKeyRef` | Requires Vault client (`hvac`, `node-vault`, `vault/api`) in application code |
|
| **App code change** | None — reads standard env vars via `secretKeyRef` | Requires Vault client (`hvac`, `node-vault`, `vault/api`) in application code |
|
||||||
| **Secret rotation** | ESO re-syncs on Vault write; pod restart or secret refresh picks up new value | App manages lease renewal or re-auth within the running process |
|
| **Secret rotation** | ESO re-syncs on Vault write; pod restart or secret refresh picks up new value | App manages lease renewal or re-auth within the running process |
|
||||||
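Review bot: the **Secret rotation** cell for the ESO bridge says "pod restart or secret refresh picks up new value", but the **App code change** cell in the same table says the app reads the value as an env var via `secretKeyRef`; an environment variable is fixed when the container starts, so a refreshed Secret alone does not reach an already-running pod in that setup. Suggest rewording the cell to "pod restart picks up new value (a Secret refresh alone does not update env vars)" or qualifying "secret refresh" as the volume-mount case. The separator-row widening itself is cosmetic and fine.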
@@ -295,7 +295,7 @@ env:
|
|||||||
name: <app>-secrets
|
name: <app>-secrets
|
||||||
key: JWT_SECRET
|
key: JWT_SECRET
|
||||||
- name: PORT
|
- name: PORT
|
||||||
value: "3000" # safe-default: non-secret, no Vault needed
|
value: '3000' # safe-default: non-secret, no Vault needed
|
||||||
```
|
```
|
||||||
|
|
||||||
### 4. App-side schema validation — TypeScript (zod)
|
### 4. App-side schema validation — TypeScript (zod)
|
||||||
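Review bot: the only change in this hunk is `"3000"` to `'3000'` on the `PORT` value, which is Prettier's `singleQuote` behaviour applied to the embedded YAML; make sure the repo's Prettier config actually sets `singleQuote: true` (or a YAML override), otherwise the next formatter run will flip it back to double quotes. The `# safe-default: non-secret, no Vault needed` comment is preserved, which is the part worth keeping.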
@@ -471,7 +471,7 @@ spec:
|
|||||||
# deploy/deployment.yaml (env section for Direct-Vault app)
|
# deploy/deployment.yaml (env section for Direct-Vault app)
|
||||||
env:
|
env:
|
||||||
- name: VAULT_ADDR
|
- name: VAULT_ADDR
|
||||||
value: "https://vault.example.com" # safe-default: non-secret cluster address
|
value: 'https://vault.example.com' # safe-default: non-secret cluster address
|
||||||
- name: VAULT_ROLE_ID
|
- name: VAULT_ROLE_ID
|
||||||
valueFrom:
|
valueFrom:
|
||||||
secretKeyRef:
|
secretKeyRef:
|
||||||
|
|||||||
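Review bot: same quote normalization as the previous hunk (`"https://vault.example.com"` to `'https://vault.example.com'`), with the `# safe-default: non-secret cluster address` comment intact. The context ends at `secretKeyRef:` under `VAULT_ROLE_ID`, so the diff does not show the rest of that env block; confirm the remaining string values in the `deploy/deployment.yaml` example were normalized in the same pass rather than left with mixed quote styles.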