52 lines
1.6 KiB
Plaintext
```mermaid
%% Secrets Management Strategy (ADR-0017)
%% Flowchart showing dual secret paths: SOPS bootstrap vs Vault runtime

flowchart TB
    subgraph bootstrap["🚀 Bootstrap Secrets (Git-encrypted)"]
        direction TB
        sops_files["*.sops.yaml<br/>📄 Encrypted in Git"]
        age_key["🔑 Age Key<br/>(backed up externally)"]
        sops_dec["SOPS Decryption"]
        flux_dec["Flux Controller"]
        bs_secrets["🔐 Bootstrap Secrets<br/>• Talos machine secrets<br/>• GitHub deploy key<br/>• Initial Vault unseal"]
    end

    subgraph runtime["⚙️ Runtime Secrets (Vault-managed)"]
        direction TB
        vault["🏦 HashiCorp Vault<br/>HA (3 replicas) + Raft"]
        eso["External Secrets<br/>Operator"]
        app_secrets["🔑 Application Secrets<br/>• Database credentials<br/>• API keys<br/>• OAuth secrets"]
    end

    subgraph apps["📦 Applications"]
        direction TB
        pods["Workload Pods"]
    end

    %% Bootstrap flow
    sops_files -->|"Commit to Git"| flux_dec
    age_key -->|"Decrypts"| sops_dec
    flux_dec --> sops_dec
    sops_dec -->|"Creates"| bs_secrets

    %% Runtime flow
    vault -->|"ExternalSecret CR"| eso
    eso -->|"Syncs to"| app_secrets

    %% Consumption
    bs_secrets -->|"Mounted"| pods
    app_secrets -->|"Mounted"| pods

    classDef bootstrap fill:#3498db,color:white
    classDef vault fill:#27ae60,color:white
    classDef secrets fill:#e74c3c,color:white
    classDef app fill:#9b59b6,color:white

    class sops_files,age_key,sops_dec,flux_dec bootstrap
    class vault,eso vault
    class bs_secrets,app_secrets secrets
    class pods app
```
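The diagram names two secret paths but not the manifests that wire them up. The following is an added example, not part of ADR-0017 or the repository it belongs to, showing how each path is typically expressed: a `.sops.yaml` rule plus a Flux `Kustomization` with SOPS decryption for the bootstrap path, and an External Secrets Operator `SecretStore` and `ExternalSecret` for the Vault path. All names, namespaces, Vault mount paths, the Vault role and the age recipient are assumptions; the age public key is a placeholder.

```yaml
# Added example (not from ADR-0017 or the project): the two secret paths from
# the diagram as the manifests that would implement them. Names, namespaces,
# Vault paths, the Vault role and the age recipient are assumptions.

# --- Bootstrap path: SOPS + age, decrypted in-cluster by Flux ---------------

# .sops.yaml: every *.sops.yaml file is encrypted to the cluster's age recipient.
# Only data/stringData are encrypted, so kind/metadata stay readable for review.
creation_rules:
  - path_regex: .*\.sops\.yaml$
    encrypted_regex: ^(data|stringData)$
    age: age1PLACEHOLDER_PUBLIC_KEY   # placeholder: public half of the externally backed-up age key
---
# Flux Kustomization that decrypts the bootstrap secrets. The private age key
# lives only in the `sops-age` Secret in flux-system (created once, out of band)
# and is never committed to Git.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: bootstrap-secrets
  namespace: flux-system
spec:
  interval: 10m
  path: ./kubernetes/bootstrap        # assumed repository path
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
  decryption:
    provider: sops
    secretRef:
      name: sops-age
---
# --- Runtime path: Vault -> External Secrets Operator -> Kubernetes Secret --

# SecretStore pointing ESO at Vault's KV v2 engine. Kubernetes auth means no
# long-lived Vault token is stored in the cluster; the ServiceAccount identity
# is exchanged for a short-lived Vault token bound to a read-only role.
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: vault-kv
  namespace: app
spec:
  provider:
    vault:
      server: "https://vault.vault.svc:8200"   # assumed in-cluster service address
      path: "secret"                            # assumed KV v2 mount
      version: "v2"
      auth:
        kubernetes:
          mountPath: "kubernetes"
          role: "app-reader"                    # assumed Vault role, read-only policy
          serviceAccountRef:
            name: external-secrets-reader
---
# ExternalSecret CR: ESO reads secret/data/app/db from Vault and syncs only the
# selected keys into a Kubernetes Secret that the workload pod then mounts.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: app-db-credentials
  namespace: app
spec:
  refreshInterval: 1h                 # rotation in Vault propagates within this window
  secretStoreRef:
    kind: SecretStore
    name: vault-kv
  target:
    name: app-db-credentials
    creationPolicy: Owner             # ESO owns the Secret; deleting the CR removes it
  data:
    - secretKey: username
      remoteRef:
        key: app/db
        property: username
    - secretKey: password
      remoteRef:
        key: app/db
        property: password
```

The split matters for the trust boundary: the bootstrap path has to work before Vault exists, so its only secret-at-rest is the age private key, which is why the diagram marks it as backed up externally and why it must never land in the repository. Everything after that point is pulled from Vault on demand, so rotating a credential in Vault is picked up at the next `refreshInterval` without a Git commit.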