From 2467a9e6974c27905851d2d7268d7d5f3d3e143e Mon Sep 17 00:00:00 2001 From: Masaki Yatsu Date: Tue, 9 Sep 2025 21:39:00 +0900 Subject: [PATCH] chore: update CLAUDE.md --- CLAUDE.md | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-) diff --git a/CLAUDE.md b/CLAUDE.md index 101a4a6..308a2b2 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -85,13 +85,23 @@ All scripts in `/keycloak/scripts/` follow this pattern: ### Credential Storage Pattern -Credentials are automatically generated and stored in Vault: +The credential storage approach depends on whether External Secrets Operator is available: + +**When External Secrets is available** (determined by `helm status external-secrets -n ${EXTERNAL_SECRETS_NAMESPACE}`): + +- Credentials are generated and stored in Vault using `just vault::put` commands +- Vault commands are used for secret management ```bash -# Example: PostgreSQL superuser password +# Example: PostgreSQL superuser password (only when External Secrets is available) just vault::get secret/postgres/superuser password ``` +**When External Secrets is NOT available**: + +- Credentials are stored directly as Kubernetes Secrets +- Vault commands are NOT used + #### Secret Management Rules 1. **Environment File**: Do NOT write to `.env.local` directly for secrets. Use it only for configuration values. @@ -121,6 +131,11 @@ just vault::get secret/postgres/superuser password - Public clients are suitable for browser-based applications and native apps - Only use confidential clients (with secret) when required by the service +6. **Password Generation**: + - Use `just utils::random-password` whenever possible to generate random passwords + - Avoid using `openssl rand -base64 32` or other direct methods + - This ensures consistent password generation across all modules + ### Important Considerations 1. **Root Token**: Vault root token is required for initial setup.
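Review bot: The first hunk makes the storage path depend on `helm status external-secrets -n ${EXTERNAL_SECRETS_NAMESPACE}`, but the text does not say what happens when that command fails for a reason other than the chart being absent (unset `EXTERNAL_SECRETS_NAMESPACE`, missing kubeconfig or RBAC). Since the "NOT available" branch is the weaker one, with credentials written directly as Kubernetes Secrets and Vault bypassed, the doc should state whether such an error falls back to plain Secrets silently or aborts, and the "NOT available" section should note the consequences of that path (Secrets are only base64-encoded, so cluster RBAC and encryption at rest are the only protection and they must not be committed alongside `.env.local`). A one-line addition under "When External Secrets is NOT available" such as "Treat this as a degraded mode; confirm the cluster has Secret encryption at rest enabled" would make the trade-off explicit.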
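Review bot: The second hunk's new rule 6 tells readers to prefer `just utils::random-password` over `openssl rand -base64 32` for consistency, but it never states what the recipe produces (length, character set, entropy source). The `openssl` command it discourages yields 32 bytes, i.e. 256 bits of entropy, so the rule should document that `utils::random-password` draws from a CSPRNG and meets at least that strength, otherwise the change trades a known-good generator for an unspecified one. "Whenever possible" is also vague; please list the cases where it is not possible (for example a password that must satisfy a service-specific character policy) so the exception is not left to each reader's judgement.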