TazLab K8s Secrets Mapping
The ExternalSecrets delivery model bridges external secret stores with native Kubernetes secrets. All cluster secrets are now served by HashiCorp Vault (tazlab-secrets-vault). Infisical (tazlab-secrets) is retained as a legacy fallback for external consumers only.
Mapping Inventory
All secrets are stored under secret/data/tazlab-k8s/static/<domain>/<consumer>/<KEY> in Vault KV v2. Every ExternalSecret entry uses remoteRef.property: value, i.e. each KV record holds its secret in a single value field.
| K8s Secret | Namespace | Vault Path (relative to secret/data/) |
|---|---|---|
| wildcard-tls | Multiple | tazlab-k8s/static/tls/wildcard/WILDCARD_{CRT,KEY} |
| cloudflare-api-token | cert-manager, cloudflare-ddns | tazlab-k8s/static/infra/cloudflare-ddns/CLOUDFLARE_API_TOKEN |
| github-api-token | flux-system | tazlab-k8s/static/infra/github/GITHUB_TOKEN |
| mnemosyne-mcp-secrets | tazlab-db | tazlab-k8s/static/apps/mnemosyne-mcp/GEMINI_API_KEY |
| dex-google-secrets | dex | tazlab-k8s/static/auth/dex/DEX_GOOGLE_* |
| dex-rendered-config | dex | tazlab-k8s/static/auth/dex/DEX_GOOGLE_* |
| oauth2-proxy-secrets | auth | tazlab-k8s/static/auth/oauth2-proxy/OAUTH2_* |
| s3-backrest-creds | tazlab-db | tazlab-k8s/static/storage/tazlab-db/AWS_* |
| grafana-bootstrap-secret | flux-system | tazlab-k8s/static/monitoring/grafana/GRAFANA_DB_PASSWORD |
| tailscale-operator-oauth | tailscale | tazlab-k8s/static/infra/tailscale/TAILSCALE_OPERATOR_* |
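As an added example (not a manifest taken from the TazLab repository), this is how one inventory row maps onto an ExternalSecret: the Vault path becomes remoteRef.key and remoteRef.property is value. The store kind (ClusterSecretStore), the refresh interval and the key name inside the resulting Secret are assumptions; a secret listed under several namespaces needs one ExternalSecret per namespace.

```yaml
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: cloudflare-api-token
  namespace: cert-manager
spec:
  refreshInterval: 1h            # assumed; align with the cluster's rotation policy
  secretStoreRef:
    name: tazlab-secrets-vault   # primary Vault store from the table above
    kind: ClusterSecretStore     # assumed: the store kind is not stated on this page
  target:
    name: cloudflare-api-token   # Kubernetes Secret that consumers mount
    creationPolicy: Owner        # ESO owns the Secret; removing the ExternalSecret removes it
  data:
    - secretKey: CLOUDFLARE_API_TOKEN   # key inside the Secret (assumed name)
      remoteRef:
        # KV v2 path relative to secret/data/, exactly as listed in the inventory
        key: tazlab-k8s/static/infra/cloudflare-ddns/CLOUDFLARE_API_TOKEN
        # every entry on this page reads the single "value" field of the KV record
        property: value
```

After applying it, `kubectl -n cert-manager get externalsecret cloudflare-api-token` should show the Ready condition as True (SecretSynced); a mistyped Vault path surfaces there as a SecretSyncedError rather than in the consuming pod.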
Store Configuration
| Store | Backend | Status |
|---|---|---|
| tazlab-secrets-vault | HashiCorp Vault (Hetzner) | Primary (all cluster secrets) |
| tazlab-secrets | Infisical (legacy) | Retained for backward compatibility only |
See Also
- Vault: Vault Contract
- Architecture rule: Terraform vs Flux
- Hub: TazLab K8s Hub