Vault--(reference docs left);SealedSecrets++

README.md

@@ -151,57 +151,27 @@ kubectl delete ingressroute traefik-dashboard --namespace kube-system
 ```
 
 ### 3) Secret management
-*Perform these steps **after** configuring persistent storage **and** ingress*
+*Prereq*: latest `kubeseal` [release](https://github.com/bitnami-labs/sealed-secrets/releases)
-##### 3.1) Create `persistentVolume` and `ingressRoute`
+
-*Requires specifying a `uid` & `gid` in the flexvolSMB-`persistentVolume`*
+##### 3.1) Install Helm Chart
+See [Bitnami Sealed Secrets](https://github.com/bitnami-labs/sealed-secrets#helm-chart):
 ```shell
-kubectl create namespace vault
+helm repo add sealed-secrets https://bitnami-labs.github.io/sealed-secrets
-kubectl apply -f services/Vault/persistentVolume-Vault.yml
-kubectl apply -f services/Vault/ingressRoute-Vault.yml
-```
-##### 3.2) Install Helm Chart
-*REMOVED; left for reference*
-See [HashiCorp Vault](https://www.vaultproject.io/docs/platform/k8s/helm/run):
-```shell
-helm repo add hashicorp https://helm.releases.hashicorp.com
 helm repo update
-helm install vault hashicorp/vault --namespace vault --values=services/Vault/chart-values.yml
+helm install sealed-secrets-controller -n kube-system sealed-secrets/sealed-secrets
 ```
-Configure Vault for use;
+
-- ~~Enable Kubernetes authentication (see https://www.vaultproject.io/api-docs/auth/kubernetes)~~
+Fix servicename (see [#502](https://github.com/bitnami-labs/sealed-secrets/issues/502)):
-- Store basic access policy template
-- Enable `kv`-engine
 ```
-# kubectl exec -n vault -it vault-0 -- sh
+kubectl patch service -n kube-system sealed-secrets-controller -p '{"spec": {"ports": [{"port": 8080, protocol: "TCP", targetPort: 8080}]}}'
-
-# It might be necessary to first login with an existing token:
-# vault login
-
-cat <<EOF > /home/vault/app-policy.hcl
-path "secret*" {
-  capabilities = ["read"]
-}
-EOF
-
-vault secrets enable -path=secret -version=2 kv
 ```
+
 ### 4) Services
 ##### 4.1) [Adminer](https://www.adminer.org/)    <small>(SQL management)</small>
 ```shell
 kubectl apply -f services/Adminer/configMap-Adminer.yml
 kubectl apply -f services/Adminer/deploy-Adminer.yml
 ```
-Vault configuration:
-```
-vault kv put secret/adminer \
-  sqlitepw=<value>
-vault write auth/kubernetes/role/adminer \
-  bound_service_account_names=adminer \
-  bound_service_account_namespaces=default \
-  policies=adminer \
-  ttl=1h
-vault policy write adminer /home/vault/app-policy.hcl
-```
 ##### 4.2) [Vaultwarden](https://github.com/dani-garcia/vaultwarden)    <small>(password manager)</small>
 *Requires [mount.cifs](https://linux.die.net/man/8/mount.cifs)' option `nobrl`*
 ```shell

services/Vault/README.md

@@ -0,0 +1,35 @@
+### 1) HashiCorp Vault
+Not currently in use (using bitnami sealed-secrets instead); left for reference
+
+##### 1.1) Create `persistentVolume` and `ingressRoute`
+*Requires specifying a `uid` & `gid` in the flexvolSMB-`persistentVolume`*
+```shell
+kubectl create namespace vault
+kubectl apply -f services/Vault/persistentVolume-Vault.yml
+kubectl apply -f services/Vault/ingressRoute-Vault.yml
+```
+##### 1.2) Install Helm Chart
+*REMOVED; left for reference*
+See [HashiCorp Vault](https://www.vaultproject.io/docs/platform/k8s/helm/run):
+```shell
+helm repo add hashicorp https://helm.releases.hashicorp.com
+helm repo update
+helm install vault hashicorp/vault --namespace vault --values=services/Vault/chart-values.yml
+```
+Configure Vault for use;
+- ~~Enable Kubernetes authentication (see https://www.vaultproject.io/api-docs/auth/kubernetes)~~- Store basic access policy template
+- Enable `kv`-engine
+```
+# kubectl exec -n vault -it vault-0 -- sh
+
+# It might be necessary to first login with an existing token:
+# vault login
+
+cat <<EOF > /home/vault/app-policy.hcl
+path "secret*" {
+  capabilities = ["read"]
+}
+EOF
+
+vault secrets enable -path=secret -version=2 kv
+```