diff --git a/modules/secrets-store-aws.adoc b/modules/secrets-store-aws.adoc index fa4505f65349..0b7756d6c362 100644 --- a/modules/secrets-store-aws.adoc +++ b/modules/secrets-store-aws.adoc @@ -15,22 +15,22 @@ endif::[] [id="secrets-store-aws_{context}"] = Mounting secrets from {secrets-store-provider} -You can use the {secrets-store-operator} to mount secrets from {secrets-store-provider} to a CSI volume in {product-title}. To mount secrets from {secrets-store-provider}, your cluster must be installed on AWS and use AWS Security Token Service (STS). +You can use the {secrets-store-operator} to mount secrets from {secrets-store-provider} external secrets store to a Container Storage Interface (CSI) volume in {product-title}. .Prerequisites -* Your cluster is installed on AWS and uses AWS Security Token Service (STS). -* You have installed the {secrets-store-operator}. See _Installing the {secrets-store-driver}_ for instructions. -* You have configured {secrets-store-provider} to store the required secrets. -* You have extracted and prepared the `ccoctl` binary. -* You have installed the `jq` CLI tool. * You have access to the cluster as a user with the `cluster-admin` role. +* You have installed the `jq` tool. +* You have extracted and prepared the `ccoctl` utility. +* You have installed the cluster on {aws-first} and the cluster uses {aws-short} Security Token Service (STS). +* You have installed the {secrets-store-operator}. For more information, see "Installing the {secrets-store-driver}". +* You have configured {secrets-store-provider} to store the required secrets. .Procedure . Install the {secrets-store-provider} provider: -.. Create a YAML file with the following configuration for the provider resources: +.. Create a YAML file by using the following example configuration: + [IMPORTANT] ==== @@ -148,24 +148,23 @@ $ oc adm policy add-scc-to-user privileged -z csi-secrets-store-provider-aws -n $ oc apply -f aws-provider.yaml ---- -. Grant permission to allow the service account to read the AWS secret object: +. Grant the read permission to the service account for the AWS secret object: .. Create a directory to contain the credentials request by running the following command: + [source,terminal] ---- -$ mkdir credentialsrequest-dir-aws +$ mkdir ---- -.. Create a YAML file with the following configuration for the credentials request: +.. Create a YAML file that defines the `CredentialsRequest` resource configuration. See the following example configuration: + -.Example `credentialsrequest.yaml` file [source,yaml] ---- apiVersion: cloudcredential.openshift.io/v1 kind: CredentialsRequest metadata: - name: aws-provider-test + name: aws-creds-request namespace: openshift-cloud-credential-operator spec: providerSpec: @@ -191,10 +190,10 @@ endif::aws-systems-manager-parameter-store[] name: aws-creds namespace: my-namespace serviceAccountNames: - - aws-provider + - ---- -.. Retrieve the OIDC provider by running the following command: +.. Retrieve the OpenID Connect (OIDC) provider by running the following command: + [source,terminal] ---- @@ -214,8 +213,8 @@ Copy the OIDC provider name `` from the output to use in the ---- $ ccoctl aws create-iam-roles \ --name my-role --region= \ - --credentials-requests-dir=credentialsrequest-dir-aws \ - --identity-provider-arn arn:aws:iam:::oidc-provider/ --output-dir=credrequests-ccoctl-output + --credentials-requests-dir= \ + --identity-provider-arn arn:aws:iam:::oidc-provider/ --output-dir= ---- + .Example output diff --git a/modules/secrets-store-azure.adoc b/modules/secrets-store-azure.adoc index 87b8628518ae..57e1bb43fa26 100644 --- a/modules/secrets-store-azure.adoc +++ b/modules/secrets-store-azure.adoc @@ -4,29 +4,29 @@ :_mod-docs-content-type: PROCEDURE [id="secrets-store-azure_{context}"] -= Mounting secrets from Azure Key Vault += Mounting secrets from {azure-short} Key Vault -You can use the {secrets-store-operator} to mount secrets from Azure Key Vault to a CSI volume in {product-title}. To mount secrets from Azure Key Vault, your cluster must be installed on Microsoft Azure. +You can use the {secrets-store-operator} to mount secrets from {azure-first} Key Vault to a Container Storage Interface (CSI) volume in {product-title}. To mount secrets from {azure-short} Key Vault. .Prerequisites -* Your cluster is installed on Azure. -* You have installed the {secrets-store-operator}. See _Installing the {secrets-store-driver}_ for instructions. -* You have configured Azure Key Vault to store the required secrets. -* You have installed the Azure CLI (`az`). +* Your have installed a cluster on {azure-short}. * You have access to the cluster as a user with the `cluster-admin` role. +* You have installed the {azure-short} CLI (`az`). +* You have installed the {secrets-store-operator}. See "Installing the {secrets-store-driver}" for instructions. +* You have configured {azure-short} Key Vault to store the required secrets. .Procedure -. Install the Azure Key Vault provider: +. Install the {azure-short} Key Vault provider: -.. Create a YAML file with the following configuration for the provider resources: +.. Create a YAML file named `azure-provider.yaml` that defines the `ServiceAccount` resource configuration. See the following example configuration: + [IMPORTANT] ==== -The Azure Key Vault provider for the {secrets-store-driver} is an upstream provider. +The {azure-short} Key Vault provider for the {secrets-store-driver} is an upstream provider. -This configuration is modified from the configuration provided in the upstream link:https://azure.github.io/secrets-store-csi-driver-provider-azure/docs/getting-started/installation/[Azure documentation] so that it works properly with {product-title}. Changes to this configuration might impact functionality. +This configuration is modified from the configuration provided in the upstream link:https://azure.github.io/secrets-store-csi-driver-provider-azure/docs/getting-started/installation/[{azure-short} documentation] so that it works properly with {product-title}. Changes to this configuration might impact functionality. ==== + .Example `azure-provider.yaml` file @@ -197,11 +197,11 @@ $ oc -n my-namespace label secret secrets-store-creds secrets-store.csi.k8s.io/u apiVersion: secrets-store.csi.x-k8s.io/v1 kind: SecretProviderClass metadata: - name: my-azure-provider <1> - namespace: my-namespace <2> + name: my-azure-provider #<1> + namespace: my-namespace #<2> spec: - provider: azure <3> - parameters: <4> + provider: azure #<3> + parameters: #<4> usePodIdentity: "false" useVMManagedIdentity: "false" userAssignedIdentityID: "" @@ -235,8 +235,8 @@ $ oc create -f secret-provider-class-azure.yaml apiVersion: apps/v1 kind: Deployment metadata: - name: my-azure-deployment <1> - namespace: my-namespace <2> + name: my-azure-deployment #<1> + namespace: my-namespace #<2> spec: replicas: 1 selector: @@ -263,14 +263,14 @@ spec: driver: secrets-store.csi.k8s.io readOnly: true volumeAttributes: - secretProviderClass: "my-azure-provider" <3> + secretProviderClass: "my-azure-provider" #<3> nodePublishSecretRef: - name: secrets-store-creds <4> + name: secrets-store-creds #<4> ---- <1> Specify the name for the deployment. <2> Specify the namespace for the deployment. This must be the same namespace as the secret provider class. <3> Specify the name of the secret provider class. -<4> Specify the name of the Kubernetes secret that contains the service principal credentials to access Azure Key Vault. +<4> Specify the name of the Kubernetes secret that contains the service principal credentials to access {azure-short} Key Vault. .. Create the `Deployment` object by running the following command: + @@ -281,7 +281,7 @@ $ oc create -f deployment.yaml .Verification -* Verify that you can access the secrets from Azure Key Vault in the pod volume mount: +* Verify that you can access the secrets from {azure-short} Key Vault in the pod volume mount: .. List the secrets in the pod mount: +