diff --git a/modules/secrets-store-aws.adoc b/modules/secrets-store-aws.adoc index 90090507a52e..83ce6694eb68 100644 --- a/modules/secrets-store-aws.adoc +++ b/modules/secrets-store-aws.adoc @@ -15,22 +15,22 @@ endif::[] [id="secrets-store-aws_{context}"] = Mounting secrets from {secrets-store-provider} -You can use the {secrets-store-operator} to mount secrets from {secrets-store-provider} to a Container Storage Interface (CSI) volume in {product-title}. To mount secrets from {secrets-store-provider}, your cluster must be installed on AWS and use AWS Security Token Service (STS). +You can use the {secrets-store-operator} to mount secrets from {secrets-store-provider} external secrets store to a Container Storage Interface (CSI) volume in {product-title}. .Prerequisites -* Your cluster is installed on AWS and uses AWS Security Token Service (STS). -* You installed the {secrets-store-operator}. See _Installing the {secrets-store-driver}_ for instructions. -* You configured {secrets-store-provider} to store the required secrets. -* You extracted and prepared the `ccoctl` binary. -* You installed the `jq` CLI tool. * You have access to the cluster as a user with the `cluster-admin` role. +* You have installed the `jq` tool. +* You have extracted and prepared the `ccoctl` utility. +* You have installed the cluster on {aws-first} and the cluster uses {aws-short} Security Token Service (STS). +* You have installed the {secrets-store-operator}. For more information, see "Installing the {secrets-store-driver}". +* You have configured {secrets-store-provider} to store the required secrets. .Procedure . Install the {secrets-store-provider} provider: -.. Create a YAML file with the following configuration for the provider resources: +.. Create a YAML file by using the following example configuration: + [IMPORTANT] ==== 
@@ -148,24 +148,23 @@ $ oc adm policy add-scc-to-user privileged -z csi-secrets-store-provider-aws -n $ oc apply -f aws-provider.yaml ---- -. Grant permission to allow the service account to read the AWS secret object: +. Grant the read permission to the service account for the AWS secret object: .. Create a directory to contain the credentials request by running the following command: + [source,terminal] ---- -$ mkdir credentialsrequest-dir-aws +$ mkdir ---- -.. Create a YAML file with the following configuration for the credentials request: +.. Create a YAML file that defines the `CredentialsRequest` resource configuration. See the following example configuration: + -.Example `credentialsrequest.yaml` file [source,yaml] ---- apiVersion: cloudcredential.openshift.io/v1 kind: CredentialsRequest metadata: - name: aws-provider-test + name: aws-creds-request namespace: openshift-cloud-credential-operator spec: providerSpec: @@ -191,10 +190,10 @@ endif::aws-systems-manager-parameter-store[] name: aws-creds namespace: my-namespace serviceAccountNames: - - aws-provider + - ---- -.. Retrieve the OIDC provider by running the following command: +.. Retrieve the OpenID Connect (OIDC) provider by running the following command: + [source,terminal] ---- @@ -214,8 +213,8 @@ Copy the OIDC provider name `` from the output to use in the ---- $ ccoctl aws create-iam-roles \ --name my-role --region= \ - --credentials-requests-dir=credentialsrequest-dir-aws \ - --identity-provider-arn arn:aws:iam:::oidc-provider/ --output-dir=credrequests-ccoctl-output + --credentials-requests-dir= \ + --identity-provider-arn arn:aws:iam:::oidc-provider/ --output-dir= ---- + .Example output diff --git a/modules/secrets-store-azure.adoc b/modules/secrets-store-azure.adoc index 91274125ed36..83d1522608c0 100644 --- a/modules/secrets-store-azure.adoc +++ b/modules/secrets-store-azure.adoc 
@@ -4,29 +4,29 @@ :_mod-docs-content-type: PROCEDURE [id="secrets-store-azure_{context}"] -= Mounting secrets from Azure Key Vault += Mounting secrets from {azure-short} Key Vault -You can use the {secrets-store-operator} to mount secrets from Azure Key Vault to a Container Storage Interface (CSI) volume in {product-title}. To mount secrets from Azure Key Vault, your cluster must be installed on Microsoft Azure. +You can use the {secrets-store-operator} to mount secrets from {azure-first} Key Vault to a Container Storage Interface (CSI) volume in {product-title}. To mount secrets from {azure-short} Key Vault. .Prerequisites -* Your cluster is installed on Azure. -* You installed the {secrets-store-operator}. See _Installing the {secrets-store-driver}_ for instructions. -* You configured Azure Key Vault to store the required secrets. -* You installed the Azure CLI (`az`). +* Your have installed a cluster on {azure-short}. * You have access to the cluster as a user with the `cluster-admin` role. +* You have installed the {azure-short} CLI (`az`). +* You have installed the {secrets-store-operator}. See "Installing the {secrets-store-driver}" for instructions. +* You have configured {azure-short} Key Vault to store the required secrets. .Procedure -. Install the Azure Key Vault provider: +. Install the {azure-short} Key Vault provider: -.. Create a YAML file with the following configuration for the provider resources: +.. Create a YAML file named `azure-provider.yaml` that defines the `ServiceAccount` resource configuration. See the following example configuration: + [IMPORTANT] ==== -The Azure Key Vault provider for the {secrets-store-driver} is an upstream provider. +The {azure-short} Key Vault provider for the {secrets-store-driver} is an upstream provider. 
-This configuration is modified from the configuration provided in the upstream link:https://azure.github.io/secrets-store-csi-driver-provider-azure/docs/getting-started/installation/[Azure documentation] so that it works properly with {product-title}. Changes to this configuration might impact functionality. +This configuration is modified from the configuration provided in the upstream link:https://azure.github.io/secrets-store-csi-driver-provider-azure/docs/getting-started/installation/[{azure-short} documentation] so that it works properly with {product-title}. Changes to this configuration might impact functionality. ==== + .Example `azure-provider.yaml` file @@ -197,11 +197,11 @@ $ oc -n my-namespace label secret secrets-store-creds secrets-store.csi.k8s.io/u apiVersion: secrets-store.csi.x-k8s.io/v1 kind: SecretProviderClass metadata: - name: my-azure-provider <1> - namespace: my-namespace <2> + name: my-azure-provider #<1> + namespace: my-namespace #<2> spec: - provider: azure <3> - parameters: <4> + provider: azure #<3> + parameters: #<4> usePodIdentity: "false" useVMManagedIdentity: "false" userAssignedIdentityID: "" @@ -235,8 +235,8 @@ $ oc create -f secret-provider-class-azure.yaml apiVersion: apps/v1 kind: Deployment metadata: - name: my-azure-deployment <1> - namespace: my-namespace <2> + name: my-azure-deployment #<1> + namespace: my-namespace #<2> spec: replicas: 1 selector: 
@@ -263,14 +263,14 @@ spec: driver: secrets-store.csi.k8s.io readOnly: true volumeAttributes: - secretProviderClass: "my-azure-provider" <3> + secretProviderClass: "my-azure-provider" #<3> nodePublishSecretRef: - name: secrets-store-creds <4> + name: secrets-store-creds #<4> ---- <1> Specify the name for the deployment. <2> Specify the namespace for the deployment. This must be the same namespace as the secret provider class. <3> Specify the name of the secret provider class. -<4> Specify the name of the Kubernetes secret that contains the service principal credentials to access Azure Key Vault. +<4> Specify the name of the Kubernetes secret that contains the service principal credentials to access {azure-short} Key Vault. .. Create the `Deployment` object by running the following command: + @@ -281,7 +281,7 @@ $ oc create -f deployment.yaml .Verification -* Verify that you can access the secrets from Azure Key Vault in the pod volume mount: +* Verify that you can access the secrets from {azure-short} Key Vault in the pod volume mount: .. List the secrets in the pod mount by running the following command: + diff --git a/modules/secrets-store-google.adoc b/modules/secrets-store-google.adoc index c14dac7ed8ff..0bf70845a32c 100644 --- a/modules/secrets-store-google.adoc +++ b/modules/secrets-store-google.adoc 
@@ -10,16 +10,16 @@ You can use the {secrets-store-operator} to mount secrets from Google Secret Man .Prerequisites -* You installed the {secrets-store-operator}. See _Installing the {secrets-store-driver}_ for instructions. -* You configured Google Secret Manager to store the required secrets. -* You created a service account key named `key.json` from your {gcp-full} service account. * You have access to the cluster as a user with the `cluster-admin` role. +* You have installed the {secrets-store-operator}. See "Installing the {secrets-store-driver}" for instructions. +* You have configured Google Secret Manager to store the required secrets. +* You have created a service account key named `key.json` from your {gcp-full} service account. .Procedure . Install the Google Secret Manager provider: -.. Create a YAML file with the following configuration for the provider resources: +.. Create a YAML file Create a YAML file named `gcp-provider.yaml` that defines the `ServiceAccount` resource configuration. See the following example configuration: + .Example `gcp-provider.yaml` file [source,yaml] @@ -151,7 +151,7 @@ $ oc adm policy add-scc-to-user privileged -z csi-secrets-store-provider-gcp -n $ oc apply -f gcp-provider.yaml ---- -. Grant permission to read the Google Secret Manager secret: +. Grant a read permission to the Google Secret Manager secret: .. Create a new project by running the following command: + diff --git a/modules/secrets-store-vault.adoc b/modules/secrets-store-vault.adoc index e64b276242a9..796cee8f313d 100644 --- a/modules/secrets-store-vault.adoc +++ b/modules/secrets-store-vault.adoc 
@@ -20,9 +20,9 @@ Other cloud providers might work, but have not been tested yet. Additional cloud .Prerequisites -* You installed the {secrets-store-operator}. See _Installing the {secrets-store-driver}_ for instructions. -* You installed Helm. * You have access to the cluster as a user with the `cluster-admin` role. +* You have installed the {secrets-store-operator}. See "Installing the {secrets-store-driver}" for instructions. +* You have installed Helm. .Procedure @@ -228,42 +228,6 @@ $ oc exec -i vault-0 --namespace=vault -- vault write auth/kubernetes/role/csi \ Success! Data written to: auth/kubernetes/role/csi ---- -.. Verify that all of the `vault` pods are running properly by running the following command: -+ -[source,terminal] ----- -$ oc get pods -n vault ----- -+ -.Example output -[source,terminal] ----- -NAME READY STATUS RESTARTS AGE -vault-0 1/1 Running 0 43m -vault-csi-provider-87rgw 2/2 Running 0 19m -vault-csi-provider-bd6hp 2/2 Running 0 19m -vault-csi-provider-smlv7 2/2 Running 0 19m ----- - -.. Verify that all of the `secrets-store-csi-driver` pods are running properly by running the following command: -+ -[source,terminal] ----- -$ oc get pods -n openshift-cluster-csi-drivers | grep -E "secrets" ----- -+ -.Example output -[source,terminal] ----- -secrets-store-csi-driver-node-46d2g 3/3 Running 0 45m -secrets-store-csi-driver-node-d2jjn 3/3 Running 0 45m -secrets-store-csi-driver-node-drmt4 3/3 Running 0 45m -secrets-store-csi-driver-node-j2wlt 3/3 Running 0 45m -secrets-store-csi-driver-node-v9xv4 3/3 Running 0 45m -secrets-store-csi-driver-node-vlz28 3/3 Running 0 45m -secrets-store-csi-driver-operator-84bd699478-fpxrw 1/1 Running 0 47m ----- - . Create a secret provider class to define your secrets store provider: .. Create a YAML file that defines the `SecretProviderClass` object: 
@@ -274,11 +238,11 @@ secrets-store-csi-driver-operator-84bd699478-fpxrw 1/1 Running 0 apiVersion: secrets-store.csi.x-k8s.io/v1 kind: SecretProviderClass metadata: - name: my-vault-provider <1> - namespace: my-namespace <2> + name: my-vault-provider #<1> + namespace: my-namespace #<2> spec: - provider: vault <3> - parameters: <4> + provider: vault #<3> + parameters: #<4> roleName: "csi" vaultAddress: "http://vault.vault:8200" objects: | @@ -308,8 +272,8 @@ $ oc create -f secret-provider-class-vault.yaml apiVersion: apps/v1 kind: Deployment metadata: - name: busybox-deployment <1> - namespace: my-namespace <2> + name: busybox-deployment #<1> + namespace: my-namespace #<2> labels: app: busybox spec: @@ -340,7 +304,7 @@ spec: driver: secrets-store.csi.k8s.io readOnly: true volumeAttributes: - secretProviderClass: "my-vault-provider" <3> + secretProviderClass: "my-vault-provider" #<3> ---- <1> Specify the name for the deployment. <2> Specify the namespace for the deployment. This must be the same namespace as the secret provider class. 
@@ -355,7 +319,43 @@ $ oc create -f deployment.yaml .Verification -* Verify that you can access the secrets from your HashiCorp Vault in the pod volume mount: +.. Verify that all of the `vault` pods are running properly by running the following command: ++ +[source,terminal] +---- +$ oc get pods -n vault +---- ++ +.Example output +[source,terminal] +---- +NAME READY STATUS RESTARTS AGE +vault-0 1/1 Running 0 43m +vault-csi-provider-87rgw 2/2 Running 0 19m +vault-csi-provider-bd6hp 2/2 Running 0 19m +vault-csi-provider-smlv7 2/2 Running 0 19m +---- + +.. Verify that all of the `secrets-store-csi-driver` pods are running by running the following command: ++ +[source,terminal] +---- +$ oc get pods -n openshift-cluster-csi-drivers | grep -E "secrets" +---- ++ +.Example output +[source,terminal] +---- +secrets-store-csi-driver-node-46d2g 3/3 Running 0 45m +secrets-store-csi-driver-node-d2jjn 3/3 Running 0 45m +secrets-store-csi-driver-node-drmt4 3/3 Running 0 45m +secrets-store-csi-driver-node-j2wlt 3/3 Running 0 45m +secrets-store-csi-driver-node-v9xv4 3/3 Running 0 45m +secrets-store-csi-driver-node-vlz28 3/3 Running 0 45m +secrets-store-csi-driver-operator-84bd699478-fpxrw 1/1 Running 0 47m +---- + +. Verify that you can access the secrets from your HashiCorp Vault in the pod volume mount: .. List the secrets in the pod mount by running the following command: + diff --git a/nodes/pods/nodes-pods-secrets-store.adoc b/nodes/pods/nodes-pods-secrets-store.adoc index fc739381dab6..78d793d6aaca 100644 --- a/nodes/pods/nodes-pods-secrets-store.adoc +++ b/nodes/pods/nodes-pods-secrets-store.adoc 
@@ -68,6 +68,11 @@ include::modules/secrets-store-google.adoc[leveloffset=+2] // Mounting secrets from HashiCorp Vault include::modules/secrets-store-vault.adoc[leveloffset=+2] +[role="_additional-resources"] +.Additional resources + +* xref:../../applications/working_with_helm_charts/installing-helm.adoc#installing-helm[Installing Helm] + // Enabling synchronization of mounted content as Kubernetes secrets include::modules/secrets-store-sync-secrets.adoc[leveloffset=+1]
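Review bot: in the secrets-store-aws.adoc hunk at @@ -15, the new intro reads `mount secrets from {secrets-store-provider} external secrets store to a Container Storage Interface (CSI) volume`, which no longer parses once the attribute expands (for example "AWS Secrets Manager external secrets store"); drop "external secrets store" or write "from the {secrets-store-provider} secrets store". The prerequisite wording `For more information, see "Installing the {secrets-store-driver}".` also differs from the `See "Installing the {secrets-store-driver}" for instructions.` used in the Azure, GCP and Vault modules of the same patch; use one phrasing across the four modules.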
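Review bot: in the secrets-store-aws.adoc hunk at @@ -148, `$ mkdir credentialsrequest-dir-aws` becomes `$ mkdir` with no directory operand, the `ccoctl aws create-iam-roles` call now passes `--credentials-requests-dir=` and `--output-dir=` with empty values, and `serviceAccountNames:` is reduced to a bare `-`. If these are meant to be angle-bracket placeholders, they must be visible in the source and explained (a callout or a sentence saying what to substitute), and the rewritten "Create a YAML file that defines the `CredentialsRequest` resource configuration" step should say to save the file into the directory just created, since `--credentials-requests-dir` depends on it; as shown, the procedure cannot be followed. The `.Example `credentialsrequest.yaml` file` block title is also dropped here while the Azure and GCP modules keep their `.Example ... file` titles; restore it so the reader knows the file name.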
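Review bot: in the secrets-store-azure.adoc hunk at @@ -4, the added intro ends with the fragment `To mount secrets from {azure-short} Key Vault.`; the clause that completed it in the removed line (`your cluster must be installed on Microsoft Azure`) is gone, so either finish the sentence or delete the fragment, because the requirement is now stated in the prerequisites. The first prerequisite has a typo: `Your have installed a cluster` should be `You have installed a cluster`. The provider step now says the file "defines the `ServiceAccount` resource configuration" where the original said "provider resources"; if `azure-provider.yaml` also carries the RBAC and DaemonSet objects that the linked upstream installation uses, naming only `ServiceAccount` understates what the reader is applying, so keep the broader wording.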
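Review bot: in the secrets-store-google.adoc hunk at @@ -10, the rewritten step contains a duplicated phrase, `Create a YAML file Create a YAML file named `gcp-provider.yaml``; remove the first `Create a YAML file`. The same narrowing from "provider resources" to "`ServiceAccount` resource configuration" as in the Azure module applies here. In the hunk at @@ -151, `Grant a read permission to the Google Secret Manager secret` should be `Grant read permission to the Google Secret Manager secret` (or the original `Grant permission to read ...`).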
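Review bot: in the secrets-store-vault.adoc hunk at @@ -355, the pod checks moved into .Verification start with second-level `..` items that have no parent `.` item, followed by a first-level `. Verify that you can access the secrets from your HashiCorp Vault...` item with its own `..` sub-steps; the orphaned `..` items will number and indent inconsistently with the rest of the list. Either promote the two pod checks to `.` items or give them a parent item such as `. Verify that the provider and driver pods are running:`. Note also that with the removal in the hunk at @@ -228 the reader no longer confirms the `vault-csi-provider` and `secrets-store-csi-driver-node` pods are `Running` before creating the `SecretProviderClass` and `Deployment`; if that ordering is deliberate, a sentence after the `vault write auth/kubernetes/role/csi` step pointing to the verification would keep a failed provider rollout from being diagnosed only at the end.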
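Review bot: the `<1>` to `#<1>` callout change in the YAML listings (secrets-store-azure.adoc at @@ -197, @@ -235, @@ -263 and secrets-store-vault.adoc at @@ -274, @@ -308, @@ -340) is the right fix, since Asciidoctor hides the `#` before a callout and the rendered listing stays valid YAML when copied; if the AWS and GCP modules' YAML listings use the same bare `<1>` callouts, apply the change there too so all four modules behave the same on copy-paste.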
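Review bot: in the nodes-pods-secrets-store.adoc hunk at @@ -68, the new `.Additional resources` block links "Installing Helm" for the Vault prerequisite, but the AWS module's prerequisites `You have extracted and prepared the `ccoctl` utility` and `You have installed the `jq` tool` get no corresponding link; consider adding an xref for extracting and preparing `ccoctl` beside the AWS include, as done for Helm here.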