README: Extend docs for secrets

cloudogu · Jan 16, 2023 · 1a3dbf8 · 1a3dbf8
1 parent 64a45d5
commit 1a3dbf8
Show file tree

Hide file tree

Showing 3 changed files with 221 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -437,6 +437,24 @@ the sync status failed, for example.
 
 Via the `vault` parameter, you can deploy Hashicorp Vault and the External Secrets Operator into your GitOps playground.
 
+With this, the whole flow from secret value in Vault to kubernetes `Secret` via External Secrets Operator can be seen in 
+action:
+
+![External Secret Operator <-> Vault - flow](https://www.plantuml.com/plantuml/proxy?src=https://raw.githubusercontent.com/cloudogu/gitops-playground/feature/vault/docs/plantuml-src/External-Secret-Operator-Flow.puml&fmt=svg)
+
+For this to work, the GitOps playground configures the whole chain in Kubernetes and vault (when [dev mode](#dev-mode) is used): 
+
+![External Secret Operator Custom Resources](https://www.plantuml.com/plantuml/proxy?src=https://raw.githubusercontent.com/cloudogu/gitops-playground/feature/vault/docs/plantuml-src/External-Secret-Operator-CRs.puml&fmt=svg)
+
+* In k8s `namespaces` `argocd-staging` and `argocd-production`:
+  * Creates `SecretStore` and `ServiceAccount` (used to authenticate with vault)
+  * Creates `ExternalSecrets`
+* In Vault:
+  * Create secrets for staging and prod
+  * Create a human user for changing the secrets
+  * Authorizes the service accounts on those secrets
+* Creates an [example app](#example-app) that uses the `secrets`
+
 #### dev mode 
 
 For testing you can set the parameter `--vault=dev` to deploy vault in development mode. This will lead to 

diff --git a/docs/plantuml-src/External-Secret-Operator-CRs.puml b/docs/plantuml-src/External-Secret-Operator-CRs.puml
@@ -0,0 +1,100 @@
+@startuml
+
+!includeurl https://raw.githubusercontent.com/michiel/plantuml-kubernetes-sprites/master/resource/k8s-sprites-unlabeled-25pct.iuml
+
+!define ICONURL https://raw.githubusercontent.com/tupadr3/plantuml-icon-font-sprites/v2.4.0
+!includeurl ICONURL/font-awesome-5/key.puml
+!includeurl ICONURL/font-awesome-5/warehouse.puml
+!includeurl ICONURL/font-awesome-5/user_secret.puml
+!includeurl ICONURL/font-awesome-5/robot.puml
+
+!define CLOUDOGUURL https://raw.githubusercontent.com/cloudogu/plantuml-cloudogu-sprites/master
+!includeurl CLOUDOGUURL/tools/k8s.puml
+
+!define CLOUDOGU_BLUE #23a3dd
+
+!define COLOR_ABOVE_TRANSPARENT_BACKGROUND WHITE
+
+skinparam backgroundcolor TRANSPARENT
+skinparam actorStyle awesome
+
+
+
+rectangle "<$k8s>\nK8s" as k8s {
+    rectangle "<$robot>\nExternal\nSecrets\nOperator" as ESO
+
+    rectangle "<$ns>\nNamespace" as ns {
+        collections "<$secret>\nSecrets" as secrets
+        collections "<$pod>\nPods" as pods
+        together {
+            collections "<$user_secret>\nExternalSecrets\n- specify path in vault" as ES
+            rectangle "<$warehouse>\nSecretStore" as Store
+        }
+        rectangle "<$sa>\nService Account" as sa
+    }
+    rectangle "<$key>\nVault" as vault
+}
+
+
+ESO --> Store : read
+ESO --> ES : read
+ESO --> vault : read\n(using info from ES+SS)
+'ESO --> vault : uses info from\n ExternalSecret + SecretStore\nto read actual secret 
+ESO -> secrets : create
+secrets <-- pods : use
+ES -> Store: reference
+Store --> sa : reference
+Store -> vault : reference
+
+
+skinparam arrow {
+  Color BLACK
+}
+
+skinparam node {
+  BorderColor CLOUDOGU_BLUE
+}
+
+skinparam actor {
+  BackgroundColor #23a3dd
+  BorderColor #16688d
+  FontColor #000000
+}
+
+skinparam actor {
+    BackgroundColor CLOUDOGU_BLUE
+    BorderColor #16688d
+}
+
+skinparam rectangle {
+    BackgroundColor WHITE
+    BorderColor CLOUDOGU_BLUE
+    FontColor CLOUDOGU_BLUE
+}
+
+skinparam collections {
+    BackgroundColor WHITE
+    BorderColor CLOUDOGU_BLUE
+    FontColor CLOUDOGU_BLUE
+}
+
+skinparam interface {
+    BackgroundColor WHITE
+    BorderColor #16688d
+}
+
+skinparam note {
+    BackgroundColor WHITE
+    BorderColor #16688d
+}
+
+skinparam rectangle<<Hidden>> {
+    textColor Transparent
+    borderColor Transparent
+    backgroundColor Transparent
+    fontColor Transparent
+    stereotypeFontColor Transparent
+}
+
+
+@enduml
diff --git a/docs/plantuml-src/External-Secret-Operator-Flow.puml b/docs/plantuml-src/External-Secret-Operator-Flow.puml
@@ -0,0 +1,103 @@
+@startuml
+
+!includeurl https://raw.githubusercontent.com/michiel/plantuml-kubernetes-sprites/master/resource/k8s-sprites-unlabeled-25pct.iuml
+
+!define ICONURL https://raw.githubusercontent.com/tupadr3/plantuml-icon-font-sprites/v2.4.0
+!includeurl ICONURL/common.puml
+!includeurl ICONURL/devicons/git.puml
+!includeurl ICONURL/font-awesome-5/sync.puml
+!includeurl ICONURL/font-awesome-5/key.puml
+!includeurl ICONURL/font-awesome-5/sun.puml
+!includeurl ICONURL/font-awesome-5/fire.puml
+!includeurl ICONURL/font-awesome-5/robot.puml
+!includeurl ICONURL/font-awesome-5/envelope.puml
+!includeurl ICONURL/font-awesome-5/box.puml
+!includeurl ICONURL/material/computer.puml
+
+!define CLOUDOGUURL https://raw.githubusercontent.com/cloudogu/plantuml-cloudogu-sprites/master
+!includeurl CLOUDOGUURL/tools/k8s.puml
+!includeurl CLOUDOGUURL/dogus/scm.puml
+
+!define CLOUDOGU_BLUE #23a3dd
+
+!define COLOR_ABOVE_TRANSPARENT_BACKGROUND WHITE
+
+skinparam backgroundcolor TRANSPARENT
+skinparam actorStyle awesome
+
+
+
+actor Developer as dev
+
+rectangle "<$k8s>\nK8s" as k8s {
+    rectangle "<$git>\nGitOps Repos" as configRepo
+    rectangle "<$sync>\nGitOps\nOperators" as gitops
+    rectangle "<$k8s>\nAPI-Server" as apiServer
+    rectangle "<$key>\nVault" as vault
+    rectangle "<$robot>\nExternal\nSecrets\nOperator" as ESO
+}
+
+vault <-- dev  : 1. Create secret value
+configRepo <- dev : 2. Push ExternalSecret
+
+configRepo <- gitops : 3. Pull
+gitops -> apiServer : 4. Apply
+
+'dev -> k8s
+apiServer <- ESO : 6. Read ExternalSecret
+ESO -> vault : 7. Read secret value
+apiServer <- ESO : 8. Create Secret
+
+
+
+skinparam arrow {
+  Color BLACK
+}
+
+skinparam node {
+  BorderColor CLOUDOGU_BLUE
+}
+
+skinparam actor {
+  BackgroundColor #23a3dd
+  BorderColor #16688d
+  FontColor #000000
+}
+
+skinparam actor {
+    BackgroundColor CLOUDOGU_BLUE
+    BorderColor #16688d
+}
+
+skinparam rectangle {
+    BackgroundColor WHITE
+    BorderColor CLOUDOGU_BLUE
+    FontColor CLOUDOGU_BLUE
+}
+
+skinparam collections {
+    BackgroundColor WHITE
+    BorderColor CLOUDOGU_BLUE
+    FontColor CLOUDOGU_BLUE
+}
+
+skinparam interface {
+    BackgroundColor WHITE
+    BorderColor #16688d
+}
+
+skinparam note {
+    BackgroundColor WHITE
+    BorderColor #16688d
+}
+
+skinparam rectangle<<Hidden>> {
+    textColor Transparent
+    borderColor Transparent
+    backgroundColor Transparent
+    fontColor Transparent
+    stereotypeFontColor Transparent
+}
+
+
+@enduml