chore(format): prettier-normalize VAULT-SECRETS.md (table alignment + inline comments)
This commit is contained in:
Mos worker
@@ -210,15 +210,15 @@ Error: token expired
|
|||||||
|
|
||||||
Use this table to choose between the ESO bridge (default) and Direct-Vault (opt-in) patterns for every new app or integration.
|
Use this table to choose between the ESO bridge (default) and Direct-Vault (opt-in) patterns for every new app or integration.
|
||||||
|
|
||||||
| Factor | ESO Bridge (default) | Direct-Vault (opt-in) |
|
| Factor | ESO Bridge (default) | Direct-Vault (opt-in) |
|
||||||
| --- | --- | --- |
|
| --------------------------- | ----------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------- |
|
||||||
| **Use-case** | All static secrets (DB creds, API keys, signing keys, OAuth secrets) | Dynamic creds with short TTLs (DB rotation, AWS STS, PKI), per-request audit trails, or lease renewal mid-pod-lifecycle |
|
| **Use-case** | All static secrets (DB creds, API keys, signing keys, OAuth secrets) | Dynamic creds with short TTLs (DB rotation, AWS STS, PKI), per-request audit trails, or lease renewal mid-pod-lifecycle |
|
||||||
| **App code change** | None — reads standard env vars via `secretKeyRef` | Requires Vault client (`hvac`, `node-vault`, `vault/api`) in application code |
|
| **App code change** | None — reads standard env vars via `secretKeyRef` | Requires Vault client (`hvac`, `node-vault`, `vault/api`) in application code |
|
||||||
| **Secret rotation** | ESO re-syncs on Vault write; pod restart or secret refresh picks up new value | App manages lease renewal or re-auth within the running process |
|
| **Secret rotation** | ESO re-syncs on Vault write; pod restart or secret refresh picks up new value | App manages lease renewal or re-auth within the running process |
|
||||||
| **Audit granularity** | Access logged at Vault when ESO syncs; no per-request app audit | Every app request to Vault is a separate audit log entry |
|
| **Audit granularity** | Access logged at Vault when ESO syncs; no per-request app audit | Every app request to Vault is a separate audit log entry |
|
||||||
| **Operational burden** | Low — ESO handles polling, sync, and k8s Secret lifecycle | Higher — app must handle auth, lease renewal, error paths, and token rotation |
|
| **Operational burden** | Low — ESO handles polling, sync, and k8s Secret lifecycle | Higher — app must handle auth, lease renewal, error paths, and token rotation |
|
||||||
| **Justification required?** | No — this is the default | Yes — document in project README under "Secrets architecture" |
|
| **Justification required?** | No — this is the default | Yes — document in project README under "Secrets architecture" |
|
||||||
| **Example use cases** | Web app DB password, OAuth client secret, JWT signing key, API token | HashiCorp DB secrets engine with 15-min TTL leases, AWS STS assume-role, Vault PKI short-lived certs |
|
| **Example use cases** | Web app DB password, OAuth client secret, JWT signing key, API token | HashiCorp DB secrets engine with 15-min TTL leases, AWS STS assume-role, Vault PKI short-lived certs |
|
||||||
|
|
||||||
**Decision rule:** If you are unsure, use ESO. Only justify Direct-Vault when the secret cannot be safely stored in a k8s Secret (too short-lived, per-request TTL required, or mid-lifecycle renewal needed).
|
**Decision rule:** If you are unsure, use ESO. Only justify Direct-Vault when the secret cannot be safely stored in a k8s Secret (too short-lived, per-request TTL required, or mid-lifecycle renewal needed).
|
||||||
|
|
||||||
@@ -254,16 +254,16 @@ metadata:
|
|||||||
spec:
|
spec:
|
||||||
refreshInterval: 1h
|
refreshInterval: 1h
|
||||||
secretStoreRef:
|
secretStoreRef:
|
||||||
name: vault-backend # ClusterSecretStore name — verify with cluster admin
|
name: vault-backend # ClusterSecretStore name — verify with cluster admin
|
||||||
kind: ClusterSecretStore
|
kind: ClusterSecretStore
|
||||||
target:
|
target:
|
||||||
name: <app>-secrets # k8s Secret name that will be created
|
name: <app>-secrets # k8s Secret name that will be created
|
||||||
creationPolicy: Owner
|
creationPolicy: Owner
|
||||||
data:
|
data:
|
||||||
- secretKey: DB_PASSWORD # key in the k8s Secret
|
- secretKey: DB_PASSWORD # key in the k8s Secret
|
||||||
remoteRef:
|
remoteRef:
|
||||||
key: secret/k3s/<app> # Vault path
|
key: secret/k3s/<app> # Vault path
|
||||||
property: db_password # field within the Vault secret
|
property: db_password # field within the Vault secret
|
||||||
- secretKey: API_KEY
|
- secretKey: API_KEY
|
||||||
remoteRef:
|
remoteRef:
|
||||||
key: secret/k3s/<app>
|
key: secret/k3s/<app>
|
||||||
@@ -282,7 +282,7 @@ env:
|
|||||||
- name: DB_PASSWORD
|
- name: DB_PASSWORD
|
||||||
valueFrom:
|
valueFrom:
|
||||||
secretKeyRef:
|
secretKeyRef:
|
||||||
name: <app>-secrets # matches ExternalSecret target.name
|
name: <app>-secrets # matches ExternalSecret target.name
|
||||||
key: DB_PASSWORD
|
key: DB_PASSWORD
|
||||||
- name: API_KEY
|
- name: API_KEY
|
||||||
valueFrom:
|
valueFrom:
|
||||||
@@ -295,7 +295,7 @@ env:
|
|||||||
name: <app>-secrets
|
name: <app>-secrets
|
||||||
key: JWT_SECRET
|
key: JWT_SECRET
|
||||||
- name: PORT
|
- name: PORT
|
||||||
value: "3000" # safe-default: non-secret, no Vault needed
|
value: '3000' # safe-default: non-secret, no Vault needed
|
||||||
```
|
```
|
||||||
|
|
||||||
### 4. App-side schema validation — TypeScript (zod)
|
### 4. App-side schema validation — TypeScript (zod)
|
||||||
@@ -471,7 +471,7 @@ spec:
|
|||||||
# deploy/deployment.yaml (env section for Direct-Vault app)
|
# deploy/deployment.yaml (env section for Direct-Vault app)
|
||||||
env:
|
env:
|
||||||
- name: VAULT_ADDR
|
- name: VAULT_ADDR
|
||||||
value: "https://vault.example.com" # safe-default: non-secret cluster address
|
value: 'https://vault.example.com' # safe-default: non-secret cluster address
|
||||||
- name: VAULT_ROLE_ID
|
- name: VAULT_ROLE_ID
|
||||||
valueFrom:
|
valueFrom:
|
||||||
secretKeyRef:
|
secretKeyRef:
|
||||||
|
|||||||
@@ -210,15 +210,15 @@ Error: token expired
|
|||||||
|
|
||||||
Use this table to choose between the ESO bridge (default) and Direct-Vault (opt-in) patterns for every new app or integration.
|
Use this table to choose between the ESO bridge (default) and Direct-Vault (opt-in) patterns for every new app or integration.
|
||||||
|
|
||||||
| Factor | ESO Bridge (default) | Direct-Vault (opt-in) |
|
| Factor | ESO Bridge (default) | Direct-Vault (opt-in) |
|
||||||
| --- | --- | --- |
|
| --------------------------- | ----------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------- |
|
||||||
| **Use-case** | All static secrets (DB creds, API keys, signing keys, OAuth secrets) | Dynamic creds with short TTLs (DB rotation, AWS STS, PKI), per-request audit trails, or lease renewal mid-pod-lifecycle |
|
| **Use-case** | All static secrets (DB creds, API keys, signing keys, OAuth secrets) | Dynamic creds with short TTLs (DB rotation, AWS STS, PKI), per-request audit trails, or lease renewal mid-pod-lifecycle |
|
||||||
| **App code change** | None — reads standard env vars via `secretKeyRef` | Requires Vault client (`hvac`, `node-vault`, `vault/api`) in application code |
|
| **App code change** | None — reads standard env vars via `secretKeyRef` | Requires Vault client (`hvac`, `node-vault`, `vault/api`) in application code |
|
||||||
| **Secret rotation** | ESO re-syncs on Vault write; pod restart or secret refresh picks up new value | App manages lease renewal or re-auth within the running process |
|
| **Secret rotation** | ESO re-syncs on Vault write; pod restart or secret refresh picks up new value | App manages lease renewal or re-auth within the running process |
|
||||||
| **Audit granularity** | Access logged at Vault when ESO syncs; no per-request app audit | Every app request to Vault is a separate audit log entry |
|
| **Audit granularity** | Access logged at Vault when ESO syncs; no per-request app audit | Every app request to Vault is a separate audit log entry |
|
||||||
| **Operational burden** | Low — ESO handles polling, sync, and k8s Secret lifecycle | Higher — app must handle auth, lease renewal, error paths, and token rotation |
|
| **Operational burden** | Low — ESO handles polling, sync, and k8s Secret lifecycle | Higher — app must handle auth, lease renewal, error paths, and token rotation |
|
||||||
| **Justification required?** | No — this is the default | Yes — document in project README under "Secrets architecture" |
|
| **Justification required?** | No — this is the default | Yes — document in project README under "Secrets architecture" |
|
||||||
| **Example use cases** | Web app DB password, OAuth client secret, JWT signing key, API token | HashiCorp DB secrets engine with 15-min TTL leases, AWS STS assume-role, Vault PKI short-lived certs |
|
| **Example use cases** | Web app DB password, OAuth client secret, JWT signing key, API token | HashiCorp DB secrets engine with 15-min TTL leases, AWS STS assume-role, Vault PKI short-lived certs |
|
||||||
|
|
||||||
**Decision rule:** If you are unsure, use ESO. Only justify Direct-Vault when the secret cannot be safely stored in a k8s Secret (too short-lived, per-request TTL required, or mid-lifecycle renewal needed).
|
**Decision rule:** If you are unsure, use ESO. Only justify Direct-Vault when the secret cannot be safely stored in a k8s Secret (too short-lived, per-request TTL required, or mid-lifecycle renewal needed).
|
||||||
|
|
||||||
@@ -254,16 +254,16 @@ metadata:
|
|||||||
spec:
|
spec:
|
||||||
refreshInterval: 1h
|
refreshInterval: 1h
|
||||||
secretStoreRef:
|
secretStoreRef:
|
||||||
name: vault-backend # ClusterSecretStore name — verify with cluster admin
|
name: vault-backend # ClusterSecretStore name — verify with cluster admin
|
||||||
kind: ClusterSecretStore
|
kind: ClusterSecretStore
|
||||||
target:
|
target:
|
||||||
name: <app>-secrets # k8s Secret name that will be created
|
name: <app>-secrets # k8s Secret name that will be created
|
||||||
creationPolicy: Owner
|
creationPolicy: Owner
|
||||||
data:
|
data:
|
||||||
- secretKey: DB_PASSWORD # key in the k8s Secret
|
- secretKey: DB_PASSWORD # key in the k8s Secret
|
||||||
remoteRef:
|
remoteRef:
|
||||||
key: secret/k3s/<app> # Vault path
|
key: secret/k3s/<app> # Vault path
|
||||||
property: db_password # field within the Vault secret
|
property: db_password # field within the Vault secret
|
||||||
- secretKey: API_KEY
|
- secretKey: API_KEY
|
||||||
remoteRef:
|
remoteRef:
|
||||||
key: secret/k3s/<app>
|
key: secret/k3s/<app>
|
||||||
@@ -282,7 +282,7 @@ env:
|
|||||||
- name: DB_PASSWORD
|
- name: DB_PASSWORD
|
||||||
valueFrom:
|
valueFrom:
|
||||||
secretKeyRef:
|
secretKeyRef:
|
||||||
name: <app>-secrets # matches ExternalSecret target.name
|
name: <app>-secrets # matches ExternalSecret target.name
|
||||||
key: DB_PASSWORD
|
key: DB_PASSWORD
|
||||||
- name: API_KEY
|
- name: API_KEY
|
||||||
valueFrom:
|
valueFrom:
|
||||||
@@ -295,7 +295,7 @@ env:
|
|||||||
name: <app>-secrets
|
name: <app>-secrets
|
||||||
key: JWT_SECRET
|
key: JWT_SECRET
|
||||||
- name: PORT
|
- name: PORT
|
||||||
value: "3000" # safe-default: non-secret, no Vault needed
|
value: '3000' # safe-default: non-secret, no Vault needed
|
||||||
```
|
```
|
||||||
|
|
||||||
### 4. App-side schema validation — TypeScript (zod)
|
### 4. App-side schema validation — TypeScript (zod)
|
||||||
@@ -471,7 +471,7 @@ spec:
|
|||||||
# deploy/deployment.yaml (env section for Direct-Vault app)
|
# deploy/deployment.yaml (env section for Direct-Vault app)
|
||||||
env:
|
env:
|
||||||
- name: VAULT_ADDR
|
- name: VAULT_ADDR
|
||||||
value: "https://vault.example.com" # safe-default: non-secret cluster address
|
value: 'https://vault.example.com' # safe-default: non-secret cluster address
|
||||||
- name: VAULT_ROLE_ID
|
- name: VAULT_ROLE_ID
|
||||||
valueFrom:
|
valueFrom:
|
||||||
secretKeyRef:
|
secretKeyRef:
|
||||||
|
|||||||
Reference in New Issue
Block a user