تشغيل أي مهارة في Manus بنقرة واحدة

secrets

النجوم٢٤

التفرعات٣

آخر تحديث٣٠ مارس ٢٠٢٦ في ١٣:٤١

Secret management patterns for the Kubernetes homelab platform. Covers secret-generator, ExternalSecret, app-secrets Terragrunt module, and cross-namespace replication via kubernetes-replicator. Use when: (1) Adding secrets for a new application, (2) Deciding between secret-generator and ExternalSecret, (3) Configuring cross-namespace secret replication, (4) Creating persistent secrets via the app-secrets Terragrunt module, (5) Debugging secret sync failures. Triggers: "secret", "ExternalSecret", "secret-generator", "aws ssm", "parameter store", "kubernetes-replicator", "replicate secret", "app-secrets", "persistent secret", "cross-namespace secret", "secret not syncing", "ClusterSecretStore"

التثبيت

التثبيت باستخدام Codex أو Claude انسخ هذا Prompt والصقه في Codex أو Claude أو مساعد آخر ليراجع صفحة Skill ويثبّتها لك.

تشغيل في Manus

المصدر

ionfury

ionfury/homelab

فتح مستودع GitHub عرض مستودعات المنشئ

تنزيل

تشغيل في Manus

المهن ذات الصلةSOC

استنادا إلى تصنيف SOC المهني

محللو أمن المعلوماتمهن الحاسوب والرياضيات·SOC 15-1212

مديرو الشبكات وأنظمة الحاسوبSOC 15-1244

مستكشف الملفات

4 ملفات

SKILL.md

readonly

name	secrets
description	Secret management patterns for the Kubernetes homelab platform. Covers secret-generator, ExternalSecret, app-secrets Terragrunt module, and cross-namespace replication via kubernetes-replicator. Use when: (1) Adding secrets for a new application, (2) Deciding between secret-generator and ExternalSecret, (3) Configuring cross-namespace secret replication, (4) Creating persistent secrets via the app-secrets Terragrunt module, (5) Debugging secret sync failures. Triggers: "secret", "ExternalSecret", "secret-generator", "aws ssm", "parameter store", "kubernetes-replicator", "replicate secret", "app-secrets", "persistent secret", "cross-namespace secret", "secret not syncing", "ClusterSecretStore"
user-invocable	false

Secrets Management

Four mechanisms exist for provisioning secrets. See reference.md for the mechanism comparison table and annotation reference.

Decision Tree

App needs a secret?
│
├─ Can it be randomly generated? (password, API key, token)
│   │
│   ├─ Does it need to survive cluster rebuilds?
│   │   ├─ YES (e.g., encryption key seed, LDAP key)
│   │   │   └─ Use app-secrets Terragrunt module + ExternalSecret
│   │   └─ NO (e.g., session secret, internal API key)
│   │       └─ Use secret-generator annotation
│   │
│   └─ Is it a database credential?
│       └─ Use secret-generator with type: kubernetes.io/basic-auth
│
├─ Must match an external value? (OAuth, cloud API, webhook URL)
│   └─ Use ExternalSecret → AWS SSM
│
├─ Shared across namespaces? (DB superuser, Dragonfly password)
│   └─ Use kubernetes-replicator annotations
│
└─ Unclear?
    └─ AskUserQuestion: "Can this secret be randomly generated,
       or must it match a specific external value?"

Mechanism 1: secret-generator (Ephemeral, In-Cluster)

The mittwald/kubernetes-secret-generator controller watches for annotated Secrets and auto-populates them with random values. Preferred for secrets that do not need to persist across cluster rebuilds.

Template: see reference.md

Mechanism 2: ExternalSecret (Persistent, from AWS SSM)

ESO pulls values from AWS SSM Parameter Store via the aws-ssm ClusterSecretStore at kubernetes/platform/config/secrets/cluster-secret-store.yaml (region: us-east-2).

SSM path convention: /homelab/kubernetes/${cluster_name}/<app-or-secret-name>

Template: see reference.md

Mechanism 3: app-secrets Terragrunt Module (Generated + Persistent)

For secrets that must be randomly generated AND survive cluster rebuilds. OpenTofu generates random values and stores them as a JSON SecureString in AWS SSM. An ExternalSecret then pulls individual keys.

lifecycle.prevent_destroy = true protects the SSM parameter. lifecycle.ignore_changes = [value] prevents re-generating on subsequent applies. Local backup written to ~/.secrets/homelab/<app>-secrets.json.

Workflow: create unit → add to stack → apply → create ExternalSecret using the multi-key JSON pattern from Mechanism 2. Real example: infrastructure/units/lldap-secrets/terragrunt.hcl.

Template: see reference.md

Mechanism 4: kubernetes-replicator (Cross-Namespace)

Copies Secrets from one namespace to another. Used when a shared resource generates a secret that consumer namespaces need. Add replication annotations to the source Secret, then create an empty consumer Secret referencing it. Add both files to their respective kustomization.yaml.

Template: see reference.md

Three-Tier Pattern (Exemplar: Authelia)

kubernetes/clusters/live/config/authelia-prereqs/ demonstrates all three types together:

File	Mechanism	Purpose
`lldap-secrets.yaml`	ExternalSecret (app-secrets module)	Persistent LLDAP encryption keys
`authelia-db-credentials.yaml`	secret-generator	Ephemeral DB password
`cnpg-superuser-replica.yaml`	kubernetes-replicator	Replicated from database namespace
`dragonfly-secret-replication.yaml`	kubernetes-replicator	Replicated from database namespace

Debugging

Run scripts/check-secret-sync.sh <name> <namespace> for the full status check sequence.

To verify an SSM parameter exists:

aws ssm get-parameter --name "/homelab/kubernetes/<cluster>/<secret>" --with-decryption

See reference.md for common failure causes and alert definitions.

Cross-References

Document	Relevance
kubernetes/platform/CLAUDE.md	Secrets management overview, SSM parameters for bootstrap
deploy-app skill	Secrets decision tree for new deployments
cnpg-database skill	Database credential chain
terragrunt skill	Infrastructure operations for app-secrets module

المزيد من هذا المستودع

نفس المستودع

dashboard-design

ionfury/homelab

Visual design and layout for Grafana dashboards — panel hierarchy, type selection, color/threshold design, and iterative screenshot-based refinement. Use when: (1) Deciding what panels belong on a new dashboard, (2) Choosing panel types for specific data patterns, (3) Structuring visual hierarchy and layout, (4) Applying color and thresholds to communicate status, (5) Reviewing dashboard appearance via Playwright screenshots, (6) Iterating on readability and density Triggers: "dashboard design", "visual design", "layout design", "panel type", "color scheme", "screenshot review", "iterate dashboard", "dashboard looks", "visual feedback", "refine dashboard", "dashboard hierarchy", "information density"

2026-05-1924

architecture-review

ionfury/homelab

Architecture evaluation criteria and technology standards for the homelab. Preloaded into the designer agent to ground design decisions in established patterns and principles. Use when: (1) Evaluating a proposed technology addition, (2) Reviewing architecture decisions, (3) Assessing stack fit for a new component, (4) Comparing implementation approaches. Triggers: "architecture review", "evaluate technology", "stack fit", "should we use", "technology comparison", "design review", "architecture decision"

2026-04-0824

deploy-app

ionfury/homelab

End-to-end application deployment orchestration for the Kubernetes homelab. Covers research, worktree setup, Flux ResourceSet configuration, dev cluster testing, monitoring integration, and PR creation. Use when: (1) Deploying a new application to the cluster, (2) Adding a new Helm release to the platform, (3) Setting up monitoring, alerting, and health checks for a new service, (4) Testing deployment on dev cluster before GitOps promotion. Triggers: "deploy app", "add new application", "deploy to kubernetes", "install helm chart", "/deploy-app", "set up new service", "add monitoring for", "deploy with monitoring"

2026-03-3024

cnpg-database

ionfury/homelab

CloudNative-PG (CNPG) PostgreSQL database management for the Kubernetes homelab. Covers shared platform cluster, dedicated per-app clusters, credential provisioning, cross-namespace replication via kubernetes-replicator, and monitoring. Use when: (1) Adding a new database for an application, (2) Creating a dedicated CNPG cluster, (3) Setting up database credentials and cross-namespace replication, (4) Debugging database connectivity or CNPG cluster health, (5) Adding PostgreSQL extensions for specialized workloads. Triggers: "database", "postgresql", "postgres", "cnpg", "cloudnative-pg", "pooler", "pgbouncer", "database credentials", "db password", "managed roles", "Database CRD", "database cluster", "shared database", "dedicated database", "cnpg cluster"

2026-03-2324

gateway-routing

ionfury/homelab

Gateway API routing, TLS certificates, and WAF configuration for the homelab Kubernetes platform. Use when: (1) Exposing a service via HTTPRoute, (2) Choosing between internal and external gateways, (3) Debugging TLS or routing issues, (4) Understanding or tuning WAF (Coraza) behavior. Triggers: "httproute", "gateway", "expose service", "add route", "certificate", "tls", "coraza", "waf", "internal gateway", "external gateway", "dns", "ingress", "routing", "cert-manager", "letsencrypt", "homelab-ca"

2026-03-2324

instruction-eval

ionfury/homelab

Evaluate whether changes to skills and CLAUDE.md files have helped or harmed Claude's operational posture. Use when: (1) after trimming or refactoring skills/CLAUDE.md files, (2) doing a periodic regression check, (3) validating that factored reference files are still accessible, (4) confirming hard constraints are still enforced after instruction changes. Triggers: "test instructions", "regression test", "evaluate skills", "did trimming break anything", "validate claude posture", "test claude docs", "instruction quality"

2026-03-2324

name	secrets
description	Secret management patterns for the Kubernetes homelab platform. Covers secret-generator, ExternalSecret, app-secrets Terragrunt module, and cross-namespace replication via kubernetes-replicator. Use when: (1) Adding secrets for a new application, (2) Deciding between secret-generator and ExternalSecret, (3) Configuring cross-namespace secret replication, (4) Creating persistent secrets via the app-secrets Terragrunt module, (5) Debugging secret sync failures. Triggers: "secret", "ExternalSecret", "secret-generator", "aws ssm", "parameter store", "kubernetes-replicator", "replicate secret", "app-secrets", "persistent secret", "cross-namespace secret", "secret not syncing", "ClusterSecretStore"
user-invocable	false

Secrets Management

Four mechanisms exist for provisioning secrets. See reference.md for the mechanism comparison table and annotation reference.

Decision Tree

App needs a secret?
│
├─ Can it be randomly generated? (password, API key, token)
│   │
│   ├─ Does it need to survive cluster rebuilds?
│   │   ├─ YES (e.g., encryption key seed, LDAP key)
│   │   │   └─ Use app-secrets Terragrunt module + ExternalSecret
│   │   └─ NO (e.g., session secret, internal API key)
│   │       └─ Use secret-generator annotation
│   │
│   └─ Is it a database credential?
│       └─ Use secret-generator with type: kubernetes.io/basic-auth
│
├─ Must match an external value? (OAuth, cloud API, webhook URL)
│   └─ Use ExternalSecret → AWS SSM
│
├─ Shared across namespaces? (DB superuser, Dragonfly password)
│   └─ Use kubernetes-replicator annotations
│
└─ Unclear?
    └─ AskUserQuestion: "Can this secret be randomly generated,
       or must it match a specific external value?"

Mechanism 1: secret-generator (Ephemeral, In-Cluster)

Template: see reference.md

Mechanism 2: ExternalSecret (Persistent, from AWS SSM)

ESO pulls values from AWS SSM Parameter Store via the aws-ssm ClusterSecretStore at kubernetes/platform/config/secrets/cluster-secret-store.yaml (region: us-east-2).

SSM path convention: /homelab/kubernetes/${cluster_name}/<app-or-secret-name>

Template: see reference.md

Mechanism 3: app-secrets Terragrunt Module (Generated + Persistent)

Workflow: create unit → add to stack → apply → create ExternalSecret using the multi-key JSON pattern from Mechanism 2. Real example: infrastructure/units/lldap-secrets/terragrunt.hcl.

Template: see reference.md

Mechanism 4: kubernetes-replicator (Cross-Namespace)

Template: see reference.md

Three-Tier Pattern (Exemplar: Authelia)

kubernetes/clusters/live/config/authelia-prereqs/ demonstrates all three types together:

File	Mechanism	Purpose
`lldap-secrets.yaml`	ExternalSecret (app-secrets module)	Persistent LLDAP encryption keys
`authelia-db-credentials.yaml`	secret-generator	Ephemeral DB password
`cnpg-superuser-replica.yaml`	kubernetes-replicator	Replicated from database namespace
`dragonfly-secret-replication.yaml`	kubernetes-replicator	Replicated from database namespace

Debugging

Run scripts/check-secret-sync.sh <name> <namespace> for the full status check sequence.

To verify an SSM parameter exists:

aws ssm get-parameter --name "/homelab/kubernetes/<cluster>/<secret>" --with-decryption

See reference.md for common failure causes and alert definitions.

Cross-References

Document	Relevance
kubernetes/platform/CLAUDE.md	Secrets management overview, SSM parameters for bootstrap
deploy-app skill	Secrets decision tree for new deployments
cnpg-database skill	Database credential chain
terragrunt skill	Infrastructure operations for app-secrets module