feat: add sealed secrets as platform secrets documentation #143

ferruhcihan wants to merge 2 commits into
Conversation
- Fix overview.md link: Sealed Secrets now points to sealed-secrets.md, not sops.md
- Add auto-migration note to all v5.x deprecation caution banners
- Add UI-first intro to for-ops/console/secrets.md (write-only values, never plaintext)
- Fix ESO refresh: hardcoded one-hour interval with propagation lag note
- Deduplicate kubectl backup command: keep canonical in sealed-secrets-key.md, replace inline blocks in sealed-secrets.md, recovery.md, and console/secrets.md with links
- Remove deprecated sops, manage-age, change-admin-password pages from sidebar
- Fix update-admin-password.md Step 2: log in to Keycloak admin console using platform admin credentials
- Add mandatory Step 2 to post-install-steps.md: back up the sealed-secrets key pair immediately

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
j-zimnowoda left a comment
Review findings applied in commit 6071259. Also added a mandatory key-backup step to post-install-steps.md (not in this diff) — missing that step means a new operator could lose the cluster with no recovery path.
| Install with Azure Entra ID for OIDC. | ||
|
|
||
| ### [Use SOPS for encryption](sops.md) | ||
| ### [Sealed Secrets](sops.md) |
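Review bot: the replacement heading on the second line of this hunk still links to sops.md, the page that this same PR marks with a "SOPS-based encryption was removed" caution; point it at sealed-secrets.md so the overview does not route a new reader to a removed feature as the first thing they see.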
Link points to sops.md, which opens with a "SOPS was removed" caution banner. Should point to sealed-secrets.md. Fixed.
| sidebar_label: Secrets | ||
| --- | ||
|
|
||
| Platform secrets are encrypted using [Bitnami Sealed Secrets](https://github.com/bitnami-labs/sealed-secrets) and distributed to applications via the [External Secrets Operator](https://external-secrets.io) (ESO). No secrets are stored in plaintext on disk or in Git. |
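Review bot: "No secrets are stored in plaintext on disk or in Git" overstates what Sealed Secrets plus ESO give you, and this is the page operators will quote back. The same sentence says ESO distributes the secrets to applications, and the refresh steps elsewhere in this PR say ESO syncs Kubernetes Secrets into each application's namespace; those are ordinary Kubernetes Secrets, readable by any identity with get or list on secrets in that namespace and stored unencrypted in etcd unless encryption at rest is enabled on the cluster. Suggest scoping the claim to what holds: values are never committed to Git in plaintext and only the sealing private key can decrypt them, followed by one sentence on restricting secret read access in application namespaces and in the sealed-secrets namespace.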
Page is under the Console section but opens with architecture rather than what the operator sees in the UI. Added a UI-first intro: operators can create and modify secrets but values are write-only and never displayed in plaintext.
|
|
||
| 1. Helmfile applies updated `ExternalSecret` resources. | ||
| 2. ESO syncs the corresponding Kubernetes Secrets to each application's namespace. | ||
| 3. ESO refreshes all secrets on a one-hour interval to keep them in sync. |
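Review bot: step 3 should spell out the consequence for credential rotation, not only the interval. With a hardcoded one-hour refresh, a rotated or revoked credential keeps being served to applications from the old Kubernetes Secret for up to an hour, and pods that consume the secret through environment variables hold the old value until they are restarted even after ESO has updated the Secret. Suggest stating both, and documenting whatever mechanism the platform offers for forcing an immediate resync, if one exists, so an operator responding to a leaked credential is not left waiting on the timer.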
one-hour interval reads as configurable. It is hardcoded. Changed to: "ESO refreshes all secrets on a hardcoded one-hour interval. Secret updates take up to one hour to propagate to application namespaces."
|
|
||
| ### Step 2: Update the Password in Keycloak | ||
|
|
||
| 1. Log in to Keycloak as the `otomi-admin` user. |
"Log in to Keycloak as the `otomi-admin` user" is ambiguous — could mean the account self-service page. The next step navigates to the admin console Users panel. Changed to: "Log in to the Keycloak admin console using the platform admin credentials."
| --- | ||
|
|
||
| :::caution | ||
| SOPS-based encryption was removed in v6.0.0. See [Sealed Secrets](sealed-secrets.md) for the current approach. |
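Review bot: the reassurance being added to this banner, that the upgrade migrates secrets automatically, should name its precondition. A migration can only re-encrypt values it is able to decrypt, so if the v5.x SOPS/age key material must still be present in the cluster or in the operator's environment at upgrade time, say so in the banner; a reader who deleted it on the strength of "SOPS-based encryption was removed" would otherwise find out from a failed upgrade.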
All five v5.x deprecation banners (sops.md, manage-age.md, change-admin-password.md, use-the-cli.md, key-management.md) are missing a reassurance that the upgrade migrates secrets automatically. A v5.x reader has no confidence the upgrade is safe. Added: "Upgrading from v5.x to v6.0.0 migrates your secrets automatically."
| The sealed-secrets key pair is the root of trust for all platform secrets. Back it up immediately after installation. | ||
|
|
||
| ```bash | ||
| kubectl get secrets -n sealed-secrets \ |
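Review bot: this hunk tells the operator to export the private half of the root of trust but says nothing about where that export may go. Suggest the canonical block in sealed-secrets-key.md state explicitly: write the export to an encrypted, access-controlled location outside the cluster and outside the values repository (committing it next to the SealedSecrets it protects defeats sealing entirely); lock down read access to the sealed-secrets namespace with RBAC, since anyone who can get that Secret can unseal every platform secret; and verify the backup contains both the certificate and the private key before treating the cluster as recoverable.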
The kubectl get secrets export command is duplicated verbatim in four places (sealed-secrets.md, recovery.md, console/secrets.md, sealed-secrets-key.md). Kept the canonical copy in sealed-secrets-key.md and replaced the other three with links — one change point if the command ever changes.
| To obtain the manifest from a running cluster before decommissioning it: | ||
|
|
||
| ```bash | ||
| kubectl get secrets -n sealed-secrets \ |
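Review bot: for the pre-decommission case an export is only a recovery path if restore has been exercised. Suggest the linked sealed-secrets-key.md section include a restore check, applying the exported manifest to a fresh sealed-secrets namespace and confirming the controller unseals an existing SealedSecret, rather than letting the get command stand alone; recovery.md is the page an operator reads under pressure, and a backup that was never restored is an assumption, not a backup.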
Same duplication issue as sealed-secrets.md — replaced inline command block with a link to sealed-secrets-key.md.
| "get-started/installation/dns", | ||
| "get-started/installation/oidc", | ||
| "get-started/installation/sealed-secrets", | ||
| "get-started/installation/sops", |
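Review bot: dropping get-started/installation/sops and the other deprecated entries from the sidebar while the pages stay published leaves them reachable only by search and by existing bookmarks. If the site supports redirects, redirect sops and manage-age to sealed-secrets.md and change-admin-password to its v6 replacement so external links and v5.x-era bookmarks land on current instructions rather than a removed-feature banner; if it does not, the caution banners' cross-links become the only path and the PR description should say so.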
sops, manage-age, and change-admin-password are deprecated v5.x pages now marked with caution banners. Listing them alongside current v6.x pages in the sidebar creates confusion for new users. Removed from the sidebar; pages remain reachable via search and the cross-links in the caution banners.