[enterprise-4.20] OSDOCS-16037 added metrics and log level assemblies and modules

_topic_maps/_topic_map.yml

@@ -1259,6 +1259,10 @@ Topics:
     File: external-secrets-operator-config-net-policy
   - Name: Configuring the egress proxy
     File: external-secrets-operator-proxy
+  - Name: Monitoring the External Secrets Operator for Red Hat OpenShift
+    File: external-secrets-monitoring
+  - Name: Customizing the External Secrets Operator for Red Hat OpenShift
+    File: external-secrets-log-levels
   - Name: Uninstalling the External Secrets Operator
     File: external-secrets-operator-uninstall
   - Name: External Secrets Operator APIs

modules/external-secrets-bit-warden-config.adoc

@@ -0,0 +1,67 @@
+// Module included in the following assemblies:
+//
+// * security/external_secrets_operator/external-secrets-log-levels.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="external-secrets-bit-warden-config_{context}"]
+= Configuring the bitwardenSecretManagerProvider plugin
+
+You can enable the `bitwardenSecretManagerProvider` to use the Bitwarden Secrets Manager provider as a source for your secrets.
+
+.Prerequisites
+
+* You have access to the cluster with `cluster-admin` privileges.
+* You have created the `ExternalSecretsConfig` custom resource.
+
+.Procedure
+
+. Edit the `ExternalSecretsConfig` custom resource by running the following command:
++
+[source,terminal]
+----
+$  oc edit externalsecretsconfigs.operator.openshift.io cluster
+----
+
+. Edit the `spec.plugins.bitwardenSecretManagerProvider` section as follows to enable the Bitwarden Secrets Manager:
++
+[source,yaml]
+----
+apiVersion: operator.openshift.io/v1alpha1
+kind: ExternalSecretsConfig
+...
+spec:
+  plugins:
+    bitwardenSecretManagerProvider:
+      mode: Enabled
+      secretRef:
+        name: <secret_object_name>
+----
++
+where:
+
+name:: The name of the secret containing the certificate key pair for the plugin. The key name in the secret for the certificate must be `tls.crt`. The key name for the private key must be `tls.key`. The key name for the Certificate Authority (CA) certificate key name must be `ca.crt`. Configuring the secret is optional when the cert-manager certificate provider is configured.
+
+. Save your changes and exit the editor.
+
+. If you disable the plugin the following resources must be deleted manually by running the following commands:
+
+[source,terminal]
+----
+$ oc delete deployments.apps bitwarden-sdk-server -n external-secrets
+----
+
+[source,terminal]
+----
+$ oc delete certificates.cert-manager.io bitwarden-tls-certs -n external-secrets
+----
+
+[source,terminal]
+----
+$ oc delete service bitwarden-sdk-server -n external-secrets
+----
+
+[source,terminal]
+----
+$ oc delete serviceaccounts bitwarden-sdk-server -n external-secrets
+----
+

modules/external-secrets-cert-manager-config.adoc

@@ -0,0 +1,86 @@
+// Module included in the following assemblies:
+//
+// * security/external_secrets_operator/external-secrets-log-levels.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="external-secrets-cert-manager-config_{context}"]
+= Configuring cert-manager for the external-secrets certificate requirements
+
+The `external-secrets` webhook and plugins can be assigned to `cert-manager` for certificate management. This configuration is optional.
+
+When `cert-manager` is not used, `external-secrets` defaults to its own certificate management. In this mode, it automatically generates the required certificates for the webhook, while you are responsible for manually configuring certificates for the plugins.
+
+.Prerequisites
+
+* You have access to the cluster with `cluster-admin` privileges.
+* You have created the `ExternalSecretsConfig` custom resource.
+* You have installed the {cert-manager-operator}. For more information, see "Installing the {cert-manager-operator}"
+
+.Procedure
+
+. Edit the `ExternalSecretsConfig` custom resource by running the following command:
++
+[source,terminal]
+----
+$  oc edit externalsecretsconfigs.operator.openshift.io cluster
+----
+
+. Configure `cert-manager` by editing the `spec.controllerConfig.certProvider.certManager` section as follows:
++
+[source,yaml]
+----
+apiVersion: operator.openshift.io/v1alpha1
+kind: ExternalSecretsConfig
+...
+spec:
+  controllerConfig:
+    certProvider:
+      certManager:
+        injectAnnotations: "true"
+        issuerRef:
+          name: <issuer_name>
+          kind: <issuer_kind>
+          group: <issuer_group>
+        mode: Enabled
+----
++
+where:
+
+injectAnnotation:: Must be set to `true` when enabled.
+name:: Name of the issuer object referenced in `ExternalSecretsConfig`.
+kind:: API issuer. Can be set to either `Issuer` or `ClusterIssuer`.
+group:: API issuer group. The group name must be `cert-manager.io`.
+mode:: Must be set to `Enabled`. This is an immutable field and cannot be modified once it is configured.
+
+. Save your changes.
+
+. After you update the `cert-manager` configurations in the `externalsecretsconfig.operator.openshift.io` object, you must manually delete `external-secrets-cert-controller` deployment by running the following command. This prevents performance degradation of the `external-secrets` application.
++
+[source,terminal]
+----
+$ oc delete deployments.apps external-secrets-cert-controller -n external-secrets
+----
+
+. Optionally, you can delete other resources created for the `cert-controller` by running the following commands:
++
+[source,terminal]
+----
+$ oc delete clusterrolebindings.rbac.authorization.k8s.io external-secrets-cert-controller
+----
++
+[source,terminal]
+----
+$ oc delete clusterroles.rbac.authorization.k8s.io external-secrets-cert-controller
+----
++
+[source,terminal]
+----
+$ oc delete serviceaccounts external-secrets-cert-controller -n external-secrets
+----
++
+[source,terminal]
+----
+$ oc delete secrets external-secrets-webhook -n external-secrets
+----
+
+

modules/external-secrets-enable-metrics.adoc

@@ -0,0 +1,128 @@
+// Module included in the following assemblies:
+//
+// * security/external_secrets_operator/exteernal-secrets-monitoring.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="external-secrets-enable-metrics_{context}"]
+= Configuring metrics collection for {external-secrets-operator} operands by using a ServiceMonitor
+
+[role="_abstract"]
+The {external-secrets-operator} operands exposes metrics by default on port `8080` at the `/metrics` service endpoint for all three components (`external-secrets`, `external-secrets-cert-controll`, and `external-secrets-webhook`). You can configure metrics collection for the external-secrets operands by creating a `ServiceMonitor` custom resource (CR) that enables the Prometheus Operator to collect custom metrics. For more information, see "Configuring user workload monitoring".
+
+.Prerequisites
+
+* You have access to the cluster as a user with the `cluster-admin` role.
+* You have installed the {external-secrets-operator}.
+* You have enabled the user workload monitoring.
+
+.Procedure
+
+. Create the `ClusterRoleBinding` resource required for granting permissions to access metrics:
+
+.. Create the `clusterrolebinding-external-secrets.yaml` YAML file:
++
+The following example shows a `cluserrolebinding-external-secrets.yaml` file.
++
+[source,yaml]
+----
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app: external-secrets
+  name: external-secrets-allow-metrics-access
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: external-secrets-operator-metrics-reader
+subjects:
+  - kind: ServiceAccount
+    name: external-secrets
+    namespace: external-secrets
+  - kind: ServiceAccount
+    name: external-secrets-cert-controller
+    namespace: external-secrets
+  - kind: ServiceAccount
+    name: external-secrets-webhook
+    namespace: external-secrets
+----
+
+.. Create the `ClusterRoldeBinding` custom resource by running the following command:
++
+[source,terminal]
+----
+$ oc apply -f clusterrolebinding-external-secrets.yaml
+----
+
+. Create the `ServiceMonitor` CR:
+
+.. Create the `servicemonitor-external-secrets.yaml` YAML file:
++
+[source,yaml]
+----
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  labels:
+    app: external-secrets
+  name: external-secrets-metrics-monitor
+  namespace: external-secrets
+spec:
+  endpoints:
+    - interval: 60s
+      path: /metrics
+      port: metrics
+      scheme: http
+      scrapeTimeout: 30s
+  namespaceSelector:
+    matchNames:
+      - external-secrets
+  selector:
+    matchExpressions:
+      - key: app.kubernetes.io/name
+        operator: In
+        values:
+          - external-secrets
+          - external-secrets-cert-controller
+          - external-secrets-webhook
+      - key: app.kubernetes.io/instance
+        operator: In
+        values:
+          - external-secrets
+      - key: app.kubernetes.io/managed-by
+        operator: In
+        values:
+          - external-secrets-operator
+----
+
+.. Create the `ServiceMonitor` CR by running the following command:
++
+[source,terminal]
+----
+$ oc apply -f servicemonitor-external-secrets.yaml
+----
++
+After the `ServiceMonitor` CR is created, the user workload Prometheus instance begins metrics collection from the {external-secrets-operator} operands. The collected metrics are labeled with `job="external-secrets"`,`job="external-secrets-cainjector"`, and `job="external-secrets-webhook"`.
+
+.Verification
+
+. In the {product-title} web console, navigate to *Observe* -> *Targets*.
+
+. In the Label filter field, enter the following labels to filter the metrics targets for each operand:
++
+[source,terminal]
+----
+$ service=external-secrets
+----
++
+[source,terminal]
+----
+$ service=external-secrets-cert-controller-metrics
+----
++
+[source,terminal]
+----
+$ service=external-secrets-webhook
+----
+
+. Confirm that the *Status* column shows `Up` for the `external-secrets`, `external-secrets-cert-controller` and `external-secrets-webhook`.

modules/external-secrets-enable-operand-log-level.adoc

@@ -0,0 +1,44 @@
+// Module included in the following assemblies:
+//
+// * security/external_secrets_operator/external-secrets-log-levels.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="external-secrets-enable-operand-log-level_{context}"]
+= Setting a log level for the {external-secrets-operator} operand
+
+You can set a log level for the {external-secrets-operator} to determine the verbosity of log messages.
+
+.Prerequisites
+
+* You have access to the cluster with `cluster-admin` privileges.
+* You have created the `ExternalSecretsConfig` custom resource.
+
+.Procedure
+
+. Edit the `ExternalSecretsConfig` CR by running the following command:
++
+[source,terminal]
+----
+$ oc edit externalsecretsconfigs.operator.openshift.io cluster
+----
+
+. Set the log level value by editing the `spec.appConfig.logLevel` section:
++
+[source,yaml]
+----
+apiVersion: operator.openshift.io/v1alpha1
+kind: ExternalSecretsConfig
+...
+spec:
+  appConfig:
+    logLevel: <log_level> <1>
+----
++
+<1> Supports the value range of 1-5. The log level gets mapped to the following operand support levels:
+ * 1 - warnings
+ * 2 - error logs
+ * 3 - info logs
+ * 4 and 5 - debug logs
+
+. Save your changes and exit the editor.
+

modules/external-secrets-enable-operator-log-level.adoc

@@ -0,0 +1,52 @@
+// Module included in the following assemblies:
+//
+// * security/external_secrets_operator/external-secrets-log-levels.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="external-secrets-enable-operator-log-level_{context}"]
+= Setting a log level for the {external-secrets-operator}
+
+You can set a log level for the {external-secrets-operator} to determine the verbosity of the operator log messages.
+
+.Prerequisites
+
+* You have access to the cluster with `cluster-admin` privileges.
+* You have created the `ExternalSecretsConfig` custom resource.
+
+.Procedure
+
+* Update the subscription object for {external-secrets-operator} to provide the verbosity level for the operator logs by running the following command:
++
+[source,terminal]
+----
+$ oc -n <external_secrets_operator_namespace> patch subscription openshift-external-secrets-operator --type='merge' -p '{"spec":{"config":{"env":[{"name":"OPERATOR_LOG_LEVEL","value":"<log_level>"}]}}}'
+----
++
+where:
+
+external_secrets_operator_namespace:: Namespace where the operator is installed.
+
+log_level:: Supports the value range of 1-5. The default is 2.
+
+.Verification
+
+. The External Secrets Operator pod is redeployed. Verify that the log level of the {external-secrets-operator} is updated by running the following command:
++
+[source,terminal]
+----
+$ oc set env deploy/external-secrets-operator-controller-manager -n external-secrets-operator --list | grep -e OPERATOR_LOG_LEVEL -e container
+----
++
+.Example output
+[source,terminal]
+----
+# deployments/external-secrets-operator-controller-manager, container manager
+OPERATOR_LOG_LEVEL=2
+----
+
+. Verify that the log level of the {external-secrets-operator} is updated by running the `oc logs` command:
++
+[source,terminal]
+----
+$ oc logs -n external-secrets-operator -f deployments/external-secrets-operator-controller-manager -c manager
+----