TazLab K8s Secrets Mapping

The ExternalSecrets delivery model bridges external secret stores with native Kubernetes secrets. All cluster secrets are now served by HashiCorp Vault (tazlab-secrets-vault). Infisical (tazlab-secrets) is retained as a legacy fallback for external consumers only.

Mapping Inventory

All secrets are stored in Vault KV v2 under secret/data/tazlab-k8s/static/<domain>/<consumer>/<KEY>. Each KEY is its own KV v2 entry whose secret material is held in a field named value, so every ExternalSecret reference uses remoteRef.property: value.

| K8s Secret               | Namespace                     | Vault Path (relative to secret/data/)                         |
| ------------------------ | ----------------------------- | ------------------------------------------------------------- |
| wildcard-tls             | Multiple                      | tazlab-k8s/static/tls/wildcard/WILDCARD_{CRT,KEY}             |
| cloudflare-api-token     | cert-manager, cloudflare-ddns | tazlab-k8s/static/infra/cloudflare-ddns/CLOUDFLARE_API_TOKEN  |
| github-api-token         | flux-system                   | tazlab-k8s/static/infra/github/GITHUB_TOKEN                   |
| mnemosyne-mcp-secrets    | tazlab-db                     | tazlab-k8s/static/apps/mnemosyne-mcp/GEMINI_API_KEY           |
| dex-google-secrets       | dex                           | tazlab-k8s/static/auth/dex/DEX_GOOGLE_*                       |
| dex-rendered-config      | dex                           | tazlab-k8s/static/auth/dex/DEX_GOOGLE_*                       |
| oauth2-proxy-secrets     | auth                          | tazlab-k8s/static/auth/oauth2-proxy/OAUTH2_*                  |
| s3-backrest-creds        | tazlab-db                     | tazlab-k8s/static/storage/tazlab-db/AWS_*                     |
| grafana-bootstrap-secret | flux-system                   | tazlab-k8s/static/monitoring/grafana/GRAFANA_DB_PASSWORD      |
| tailscale-operator-oauth | tailscale                     | tazlab-k8s/static/infra/tailscale/TAILSCALE_OPERATOR_*        |
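The following manifests are an added illustration of how rows of the inventory above translate into ExternalSecret objects; they are not copied from the TazLab repository. Assumptions not stated on this page: tazlab-secrets-vault is a ClusterSecretStore whose Vault provider is configured with path `secret` and KV v2 (so remoteRef.key is the path relative to secret/data/, exactly as listed), the secretKey names, refreshInterval, and the `ingress` namespace chosen for the wildcard certificate are placeholders, and the template that folds WILDCARD_CRT and WILDCARD_KEY into one kubernetes.io/tls Secret is one possible design rather than the project's.

```yaml
# Added example, not part of the original mapping page.
# Row: github-api-token / flux-system / tazlab-k8s/static/infra/github/GITHUB_TOKEN
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: github-api-token
  namespace: flux-system
spec:
  refreshInterval: 1h                  # assumed; not specified on the page
  secretStoreRef:
    kind: ClusterSecretStore           # assumed store kind
    name: tazlab-secrets-vault
  target:
    name: github-api-token
    creationPolicy: Owner              # the operator owns the resulting Secret
  data:
    - secretKey: token                 # key inside the Kubernetes Secret (assumed name)
      remoteRef:
        key: tazlab-k8s/static/infra/github/GITHUB_TOKEN   # relative to secret/data/
        property: value                # every KV v2 entry exposes its material in "value"
---
# Row: wildcard-tls / Multiple / tazlab-k8s/static/tls/wildcard/WILDCARD_{CRT,KEY}
# Two Vault entries are combined into a single TLS-typed Secret via a template.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: wildcard-tls
  namespace: ingress                   # placeholder for one of the "Multiple" namespaces
spec:
  refreshInterval: 1h
  secretStoreRef:
    kind: ClusterSecretStore
    name: tazlab-secrets-vault
  target:
    name: wildcard-tls
    creationPolicy: Owner
    template:
      type: kubernetes.io/tls          # lets ingress controllers and cert consumers use it directly
      data:
        tls.crt: "{{ .crt }}"
        tls.key: "{{ .key }}"
  data:
    - secretKey: crt
      remoteRef:
        key: tazlab-k8s/static/tls/wildcard/WILDCARD_CRT
        property: value
    - secretKey: key
      remoteRef:
        key: tazlab-k8s/static/tls/wildcard/WILDCARD_KEY
        property: value
```

After applying, confirm the sync rather than trusting the manifest: `kubectl get externalsecret -n flux-system github-api-token` should report a Ready condition with reason SecretSynced, and a SecretSyncedError here is the first place to look when a consumer in that namespace starts failing authentication. Because creationPolicy is Owner, deleting the ExternalSecret also removes the generated Secret, which is the intended lifecycle for material that must only ever originate in Vault.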

Store Configuration

| Store                | Backend                   | Status                                |
| -------------------- | ------------------------- | ------------------------------------- |
| tazlab-secrets-vault | HashiCorp Vault (Hetzner) | ✅ Primary (all cluster secrets)      |
| tazlab-secrets       | Infisical (legacy)        | 🔄 Retained for backward compat only  |

See Also