Document Vault Structure

[srueg]

Context

The current Vault structure enforces the <tenant-id>/<cluster-id>/ structure. Nothing more is enforced or recommended.
We should document the best practices around secrets in Vault and how to structure them.
Some inputs:

• Use as less key-value pairs per secret as possible (it's not possible to update only single key-value pairs)
• Use descriptive names, so it's clear what a secret is used for
• Consistent naming (e.g. token vs. password, vs.
• ...

Alternatives

Implement more secrets generation via Lieutenant-operator which would enforce certain structures.

[corvus-ch]

Use as less key-value pairs per secret as possible (it's not possible to update only single key-value pairs)

There is vault kv patch that can do that.

[corvus-ch]

So far, we assumed secretes to be defined on the cluster level. However, some secrets might be better put on the level of a tenant and shared between all clusters of that tenant.

Would it also makes sens to have globally defined secretes? Maybe but this certainly needs security considerations.