docs: add examples

.licensei.toml

@@ -35,7 +35,7 @@ ignored = [
 
 [header]
 authors = ["Cisco"]
-ignorePaths = [".direnv", ".devenv", "vendor"]
+ignorePaths = [".direnv", ".devenv", "vendor", "examples"]
 ignoreFiles = ["zz_generated.*.go"]
 template = """// Copyright © :YEAR: :AUTHOR:
 //

README.md

@@ -56,7 +56,7 @@ To get familiarized, we will show how you can use these tools to answer two ques
 To answer the first question, we shall create some database secrets and synchronize them into Vault.<br>
 For the second question, we will use some secrets from Vault to create an access file for an application.
 
-You can find complete examples and instructions in the [EXAMPLE](EXAMPLE.md) file.
+You can find complete examples and instructions in the [EXAMPLE](examples/single-source-advanced/EXAMPLE.md) file.
 
 ## Documentation
 

examples/README.md

@@ -0,0 +1,5 @@
+## Usage Examples
+
+Here you can find various examples on how you can use **Secret Sync**. Examples include:
+
+- [single-source-advanced](single-source-advanced) - Use a central source of truth to synchronize secrets into different secret stores. Uses templating for fine-grained synchronization.

examples/assets/gen-assets.sh

@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+
+# Requirement: https://github.com/terrastruct/d2
+
+ASSET_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+
+for d2_file in "$ASSET_DIR"/*.d2
+do
+  # Get files
+  png_file=${d2_file%".d2"}.png
+
+  # Generate PNG from diagram
+  d2 $d2_file $png_file
+done

examples/assets/native-approach.d2

@@ -0,0 +1,46 @@
+direction: down
+
+Vault: {
+  label: Vault
+  shape: image
+  icon: https://www.svgrepo.com/download/448679/vault.svg
+}
+
+AWSSM: {
+  label: AWS Secrets Manager
+  shape: image
+  icon: https://icons.terrastruct.com/aws%2FSecurity%2C%20Identity%2C%20&%20Compliance%2FAWS-Secrets-Manager.svg
+}
+
+GCPSM: {
+  label: GCP Secret Manager
+  shape: image
+  icon: https://www.svgrepo.com/download/375492/secret-manager.svg
+}
+
+AzureKeyVault: {
+  label: Azure Key Vault
+  shape: image
+  icon: https://icons.terrastruct.com/azure%2FSecurity%20Service%20Color%2FKey%20Vaults.svg
+}
+
+Cluster: {
+  label: Cluster
+  icon: https://icons.terrastruct.com/azure%2F_Companies%2FKubernetes.svg
+
+  Local: {
+    Label: Secret
+    style: {
+      stroke: blue
+      stroke-dash: 3
+    }
+  }
+  Workload: Workload
+
+  Local -> Workload
+}
+
+Cluster.Local <- Vault
+Cluster.Local <- AWSSM
+Cluster.Local <- GCPSM
+Cluster.Local <- AzureKeyVault

examples/assets/secret-sync.d2

@@ -0,0 +1,137 @@
+direction: down
+
+Vault: {
+  label: Vault
+  shape: image
+  icon: https://www.svgrepo.com/download/448679/vault.svg
+}
+
+AWSSM: {
+  label: AWS Secrets Manager
+  shape: image
+  icon: https://icons.terrastruct.com/aws%2FSecurity%2C%20Identity%2C%20&%20Compliance%2FAWS-Secrets-Manager.svg
+  style: {
+    opacity: 0.4
+  }
+}
+
+GCPSM: {
+  label: GCP Secret Manager
+  shape: image
+  icon: https://www.svgrepo.com/download/375492/secret-manager.svg
+  style: {
+    opacity: 0.4
+  }
+}
+
+AzureKeyVault: {
+  label: Azure Key Vault
+  shape: image
+  icon: https://icons.terrastruct.com/azure%2FSecurity%20Service%20Color%2FKey%20Vaults.svg
+  style: {
+    opacity: 0.4
+  }
+}
+
+BVSecretSync: {
+  label: Bank-Vaults Secret Sync
+  shape: image
+  icon: https://raw.githubusercontent.com/bank-vaults/bank-vaults.dev/main/assets/icons/logo.svg
+}
+
+Vault -> BVSecretSync
+AWSSM -> BVSecretSync {
+  style: {
+    opacity: 0.4
+  }
+}
+GCPSM -> BVSecretSync {
+  style: {
+    opacity: 0.4
+  }
+}
+AzureKeyVault -> BVSecretSync {
+  style: {
+    opacity: 0.4
+  }
+}
+
+ClusterA: {
+  label: Cluster A
+  icon: https://icons.terrastruct.com/azure%2F_Companies%2FKubernetes.svg
+
+  style: {
+    opacity: 0.4
+  }
+
+  LocalA: Secret {
+    style: {
+      opacity: 0.4
+    }
+  }
+  WorkloadA: Workload {
+      style: {
+        opacity: 0.4
+      }
+  }
+
+  LocalA -> WorkloadA {
+    style: {
+      opacity: 0.4
+    }
+  }
+}
+
+ClusterB: {
+  label: Cluster B
+  icon: https://icons.terrastruct.com/azure%2F_Companies%2FKubernetes.svg
+
+  LocalB: {
+    label: Local Vault
+    shape: image
+    width: 80
+    icon: https://www.svgrepo.com/download/448679/vault.svg
+  }
+  WorkloadB: Workload
+
+  LocalB -> WorkloadB
+}
+
+LocalC: {
+    label: Tenant Environment
+    shape: image
+    width: 80
+    icon: https://www.svgrepo.com/download/375492/secret-manager.svg
+    style: {
+      opacity: 0.4
+    }
+}
+
+ClusterC: {
+  label: Cluster C
+  icon: https://icons.terrastruct.com/azure%2F_Companies%2FKubernetes.svg
+
+  style: {
+    opacity: 0.4
+  }
+
+  WorkloadC: Workload {
+      style: {
+        opacity: 0.4
+      }
+  }
+}
+
+LocalC -> ClusterC.WorkloadC
+
+BVSecretSync -> ClusterB.LocalB: Sync
+BVSecretSync -> ClusterA.LocalA: Sync {
+  style: {
+    opacity: 0.4
+  }
+}
+BVSecretSync -> LocalC: Sync {
+  style: {
+    opacity: 0.4
+  }
+}

examples/assets/single-source-advanced.d2

@@ -0,0 +1,66 @@
+direction: right
+
+Vault: {
+  label: Central Vault
+  shape: image
+  icon: https://www.svgrepo.com/download/448679/vault.svg
+}
+
+SecretSync: {
+  label: Bank-Vaults Secret Sync
+  label.near: outside-top-right
+  icon: https://raw.githubusercontent.com/bank-vaults/bank-vaults.dev/main/assets/icons/logo.svg
+  icon.near: outside-top-left
+
+  dest: Target Auth
+  plan: Sync Plan
+  sync: Sync
+  src: Source Auth
+
+  src -> sync: input in{
+                         style {
+                           stroke-dash: 3
+                         }
+                       }
+  dest -> sync: input in{
+                          style {
+                            stroke-dash: 3
+                          }
+                        }
+  plan -> sync: input in{
+                          style {
+                            stroke-dash: 3
+                          }
+                        }
+}
+
+Cluster: {
+  label: Cluster
+  icon: https://icons.terrastruct.com/azure%2F_Companies%2FKubernetes.svg
+
+  Workload: Workload
+  Vault: {
+    label: Local Vault
+    shape: image
+    width: 80
+    icon: https://www.svgrepo.com/download/448679/vault.svg
+  }
+
+  Vault -> Workload
+}
+
+SecretSync.src <- Vault: referenced in {
+  style {
+    stroke-dash: 3
+  }
+}
+
+
+SecretSync.dest <- Cluster.Vault: referenced in {
+  style {
+    stroke-dash: 3
+  }
+}
+
+Vault -> SecretSync.sync: get
+SecretSync.sync -> Cluster.Vault: set

EXAMPLE.md → examples/single-source-advanced/README.md

@@ -31,7 +31,7 @@ alias secret-sync="docker run --rm -v /tmp:/tmp ghcr.io/bank-vaults/secret-sync:
 
 ### 2. Define secret stores
 
-Documentation and examples on how to use different secret stores can be found in chapter [Secret Store](README.md#secret-store).
+Documentation and examples on how to use different secret stores can be found in chapter [Secret Store](../../README.md#secret-store).
 
 #### 2.1. Local store
 Create a directory and a config file to use as the _local secret store_.
@@ -65,7 +65,7 @@ EOF
 ```
 
 ### 3. Define sync plans
-Documentation and examples on how to create a more extensive sync plan can be found in chapter [Sync Plan](README.md#sync-plan).
+Documentation and examples on how to create a more extensive sync plan can be found in chapter [Sync Plan](../../README.md#sync-plan).
 
 #### 3.1. Database secrets
 Define a sync plan for `db-host`, `db-user`, `db-pass` secrets.
@@ -120,7 +120,7 @@ echo -n "very-secret-password" > /tmp/example/local-store/db-pass
 
 ### 5. Perform sync
 
-Secret synchronization is performed using the [CLI](README.md#running-the-synchronization) by executing the sync plan between source and target secret stores.
+Secret synchronization is performed using the [CLI](../../README.md#running-the-synchronization) by executing the sync plan between source and target secret stores.
 
 #### 5.1. Database secrets