From 8e6c35324cfc54fcff2b73bfc1d68edda5c8191f Mon Sep 17 00:00:00 2001 From: kappa Date: Mon, 13 Apr 2026 09:36:23 +0900 Subject: [PATCH] =?UTF-8?q?docs:=20Vault=20=EC=8B=9C=ED=81=AC=EB=A6=BF=20?= =?UTF-8?q?=EA=B5=AC=EC=A1=B0=202026-04-13=20=EC=A0=84=EC=88=98=20?= =?UTF-8?q?=EC=97=85=EB=8D=B0=EC=9D=B4=ED=8A=B8=20=E2=80=94=20=EC=8B=A0?= =?UTF-8?q?=EA=B7=9C=20=EA=B2=BD=EB=A1=9C=20=EC=B6=94=EA=B0=80,=20?= =?UTF-8?q?=EC=9E=90=EC=A3=BC=20=EC=82=AC=EC=9A=A9=20=EC=8B=9C=ED=81=AC?= =?UTF-8?q?=EB=A6=BF=20=EB=B9=A0=EB=A5=B8=20=EC=B0=B8=EC=A1=B0,=20KV=20v1?= =?UTF-8?q?=20=EC=A3=BC=EC=9D=98=EC=82=AC=ED=95=AD?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- infra/vault.md | 38 ++++++++++++++++++++++++++++---------- 1 file changed, 28 insertions(+), 10 deletions(-) diff --git a/infra/vault.md b/infra/vault.md index de874ad..93530c5 100644 --- a/infra/vault.md +++ b/infra/vault.md 
@@ -23,22 +23,40 @@ Vault root token은 만료 없음 (TTL: 0s) 접근 정책: infra-read(읽기 전용), infra-admin(읽기/쓰기) -## 시크릿 구조 (KV v2) +## 시크릿 구조 (KV v1) -카테고리별 정리: +⚠️ **KV v1** — 버전 관리 없음. 덮어쓰기 주의. +⚠️ **시크릿 읽을 때 모든 키를 확인할 것** — 한 경로에 여러 키가 있음 (예: cloudflare에 api_token과 global_api_key 둘 다 있음) + +### 전수 목록 (2026-04-13 실측) | 카테고리 | 경로 | 내용 | |----------|------|------| -| infra/ | apisix, argocd, cert-manager, cf-tunnel-manager, google/eab, k8s/infra-tool, safeline, ssh, ssh/id_ed25519, tailscale | 인프라 서비스 | -| cloud/ | alibaba, aws, backblaze, backblaze/restic, bunnycdn, cloudflare, cloudflare/r2, linode, vultr, zenlayer | 클라우드 프로바이더 | -| database/ | postgres, redis, bunnydb/cs-blocklist | DB | -| apps/ | gitea, gitea/registry, myapp, n8n, nocodb, telegram-ai-support, waf-saas | 자체 앱/서비스 | -| ai/ | brave, context7, google/drive-mcp, openai, openrouter, pinecone, testsprite, vertex | AI/LLM API | -| messaging/ | discord/bot, discord/nocodb-webhook, mailgun/api-key, mailgun/smtp, telegram | 메시징/알림 | +| ai/ | brave, context7, deepseek, google/drive-mcp, openai, openrouter, pinecone, testsprite, vertex | AI/LLM API | +| apps/ | anomaly-detect, cf-multisite, discord, figma, gitea, gitea/registry, k3s, myapp, n8n, nocodb, ops-agents-ssh, outline, portainer, postgres, sftpgo, telegram-ai-support, trader, twilio, waf-saas | 자체 앱/서비스 | +| auth/ | api-keys/openai, api-keys/stripe, google/ca/ | 인증 | +| cloud/ | alibaba, aws, backblaze, backblaze/restic, bunnycdn, cloudflare, cloudflare-netbis, cloudflare/r2, cloudflare/turnstile-crowdsec-captcha, cloudflare/turnstile-inouter-bunny, latitude, lightsail, linode, r2-gitea, r2-multisite, r2-sftpgo, supabase, vultr, zenlayer | 클라우드 프로바이더 | | company/ | bank, info, ironclad, korbit, koreaexim, popbill | 회사/비즈니스 | -| product/ | irondesk/ton-wallet, irondesk/tron | 제품 관련 | +| database/ | bunnydb/cs-blocklist, postgres, redis | DB | | domain/ | globalping, maxmind, namecheap, namecheap/api, namecheap/api-server, namecheap/deposit-api, 
namecheap/registrant | 도메인/DNS | -| auth/ | api-keys/openai, api-keys/stripe, google/ca/external-account-key, google/ca/service-account | 인증 | +| infra/ | apisix, argocd, cert-manager, cf-tunnel-manager, crowdsec-bunny-bouncer, google/eab, k8s/infra-tool, mariadb, safeline, ssh, ssh/id_ed25519, tailscale | 인프라 서비스 | +| messaging/ | discord-brokkr, discord-claude-code, discord/bot, discord/claudechannel, discord/nocodb-webhook, discord/webhook-heimdall, discord/webhook-relay, mailgun/api-key, mailgun/smtp, telegram | 메시징/알림 | +| openclaw/ | discord/, gateway/, gitea/, integrations/, oauth/, runtime/, test, tools/ | OpenClaw 에이전트 시스템 | +| product/ | irondesk/ | 제품 관련 | + +### 자주 사용하는 시크릿 (빠른 참조) + +| 용도 | 경로 | 주요 키 | 주의사항 | +|------|------|---------|----------| +| **Cloudflare API** | `cloud/cloudflare` | `api_token` (제한), **`global_api_key`** (전체 권한), `email`, `account_id` | Rulesets/Firewall/Rate Limits는 `global_api_key`만 접근 가능 | +| BunnyCDN API | `cloud/bunnycdn` | `api_key` | | +| Gitea API | `apps/gitea` | `api_token`, `url`, `admin_password` | | +| Outline API | `apps/outline` | `api-key` (kappa), `brokkr-api-key` (에이전트) | | +| Portainer API | `apps/portainer` | `api_token`, `url` | | +| Turnstile (crowdsec) | `cloud/cloudflare/turnstile-crowdsec-captcha` | `sitekey`, `secret_key` | | +| Mailgun | `messaging/mailgun/api-key` | | | +| Discord 봇 | `messaging/discord/bot` | | | +| ops 에이전트 SSH | `apps/ops-agents-ssh` | `private_key`, `public_key` | | ## SSH CA (Signed Certificates)
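Review bot: the new "KV v1 — no versioning, beware of overwriting" warning at the top of the hunk names the hazard but not the safe procedure, and that is the part an operator (or an agent reading this page) actually needs. On a KV v1 mount `vault kv put` replaces the whole secret at a path, so writing one key silently drops the others; the hunk's own `cloud/cloudflare` row, with `api_token`, `global_api_key`, `email` and `account_id` all under one path, is exactly the case where this bites. Add a line saying that a write must be read-modify-write (fetch the existing keys, then put all of them back together) and that `vault kv patch` is not available on v1, since it is the obvious thing someone will reach for. Second, the quick-reference row bolds `global_api_key` and states that Rulesets/Firewall/Rate Limits are only reachable with it; before the page steers readers to the account-wide, non-scopeable key for routine automation, verify whether a scoped API token carrying the relevant zone WAF/firewall permissions works, and if the global key really is required, say so explicitly and note it as an exception rather than the default. Third, the heading says "full list (measured 2026-04-13)" but several rows are less complete than the lines they replace: `auth/` now reads `google/ca/` where the removed line listed `google/ca/external-account-key, google/ca/service-account`, `product/` collapses `irondesk/ton-wallet, irondesk/tron` to `irondesk/`, `openclaw/` lists only prefixes, and the Mailgun and Discord bot rows leave the "main keys" column empty; either list the leaf paths and keys or drop the "full list" claim. The unchanged context line above the hunk ("Vault root token never expires, TTL: 0s") is outside this change but deserves its own follow-up.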