mirror of
https://github.com/openshift/openshift-docs.git
synced 2026-02-05 12:46:18 +01:00
369 lines
11 KiB
Plaintext
369 lines
11 KiB
Plaintext
// Module included in the following assemblies:
|
|
//
|
|
// * nodes/pods/nodes-pods-secrets-store.adoc
|
|
//
|
|
// IMPORTANT: This file requires you to define :secrets-store-provider: before including this module.
|
|
|
|
ifeval::["{secrets-store-provider}" == "AWS Secrets Manager"]
|
|
:aws-secrets-manager:
|
|
endif::[]
|
|
ifeval::["{secrets-store-provider}" == "AWS Systems Manager Parameter Store"]
|
|
:aws-systems-manager-parameter-store:
|
|
endif::[]
|
|
|
|
:_mod-docs-content-type: PROCEDURE
|
|
[id="secrets-store-aws_{context}"]
|
|
= Mounting secrets from {secrets-store-provider}
|
|
|
|
You can use the {secrets-store-operator} to mount secrets from {secrets-store-provider} to a Container Storage Interface (CSI) volume in {product-title}. To mount secrets from {secrets-store-provider}, your cluster must be installed on AWS and use AWS Security Token Service (STS).
|
|
|
|
.Prerequisites
|
|
|
|
* Your cluster is installed on AWS and uses AWS Security Token Service (STS).
|
|
* You installed the {secrets-store-operator}. See _Installing the {secrets-store-driver}_ for instructions.
|
|
* You configured {secrets-store-provider} to store the required secrets.
|
|
* You extracted and prepared the `ccoctl` binary.
|
|
* You installed the `jq` CLI tool.
|
|
* You have access to the cluster as a user with the `cluster-admin` role.
|
|
|
|
.Procedure
|
|
|
|
. Install the {secrets-store-provider} provider:
|
|
|
|
.. Create a YAML file with the following configuration for the provider resources:
|
|
+
|
|
[IMPORTANT]
|
|
====
|
|
The {secrets-store-provider} provider for the {secrets-store-driver} is an upstream provider.
|
|
|
|
This configuration is modified from the configuration provided in the upstream link:https://github.com/aws/secrets-store-csi-driver-provider-aws#installing-the-aws-provider[AWS documentation] so that it works properly with {product-title}. Changes to this configuration might impact functionality.
|
|
====
|
|
+
|
|
.Example `aws-provider.yaml` file
|
|
[source,yaml]
|
|
----
|
|
apiVersion: v1
|
|
kind: ServiceAccount
|
|
metadata:
|
|
name: csi-secrets-store-provider-aws
|
|
namespace: openshift-cluster-csi-drivers
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRole
|
|
metadata:
|
|
name: csi-secrets-store-provider-aws-cluster-role
|
|
rules:
|
|
- apiGroups: [""]
|
|
resources: ["serviceaccounts/token"]
|
|
verbs: ["create"]
|
|
- apiGroups: [""]
|
|
resources: ["serviceaccounts"]
|
|
verbs: ["get"]
|
|
- apiGroups: [""]
|
|
resources: ["pods"]
|
|
verbs: ["get"]
|
|
- apiGroups: [""]
|
|
resources: ["nodes"]
|
|
verbs: ["get"]
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRoleBinding
|
|
metadata:
|
|
name: csi-secrets-store-provider-aws-cluster-rolebinding
|
|
roleRef:
|
|
apiGroup: rbac.authorization.k8s.io
|
|
kind: ClusterRole
|
|
name: csi-secrets-store-provider-aws-cluster-role
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: csi-secrets-store-provider-aws
|
|
namespace: openshift-cluster-csi-drivers
|
|
---
|
|
apiVersion: apps/v1
|
|
kind: DaemonSet
|
|
metadata:
|
|
namespace: openshift-cluster-csi-drivers
|
|
name: csi-secrets-store-provider-aws
|
|
labels:
|
|
app: csi-secrets-store-provider-aws
|
|
spec:
|
|
updateStrategy:
|
|
type: RollingUpdate
|
|
selector:
|
|
matchLabels:
|
|
app: csi-secrets-store-provider-aws
|
|
template:
|
|
metadata:
|
|
labels:
|
|
app: csi-secrets-store-provider-aws
|
|
spec:
|
|
serviceAccountName: csi-secrets-store-provider-aws
|
|
hostNetwork: false
|
|
containers:
|
|
- name: provider-aws-installer
|
|
image: public.ecr.aws/aws-secrets-manager/secrets-store-csi-driver-provider-aws:1.0.r2-50-g5b4aca1-2023.06.09.21.19
|
|
imagePullPolicy: Always
|
|
args:
|
|
- --provider-volume=/etc/kubernetes/secrets-store-csi-providers
|
|
resources:
|
|
requests:
|
|
cpu: 50m
|
|
memory: 100Mi
|
|
limits:
|
|
cpu: 50m
|
|
memory: 100Mi
|
|
securityContext:
|
|
privileged: true
|
|
volumeMounts:
|
|
- mountPath: "/etc/kubernetes/secrets-store-csi-providers"
|
|
name: providervol
|
|
- name: mountpoint-dir
|
|
mountPath: /var/lib/kubelet/pods
|
|
mountPropagation: HostToContainer
|
|
tolerations:
|
|
- operator: Exists
|
|
volumes:
|
|
- name: providervol
|
|
hostPath:
|
|
path: "/etc/kubernetes/secrets-store-csi-providers"
|
|
- name: mountpoint-dir
|
|
hostPath:
|
|
path: /var/lib/kubelet/pods
|
|
type: DirectoryOrCreate
|
|
nodeSelector:
|
|
kubernetes.io/os: linux
|
|
----
|
|
|
|
.. Grant privileged access to the `csi-secrets-store-provider-aws` service account by running the following command:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ oc adm policy add-scc-to-user privileged -z csi-secrets-store-provider-aws -n openshift-cluster-csi-drivers
|
|
----
|
|
|
|
.. Create the provider resources by running the following command:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ oc apply -f aws-provider.yaml
|
|
----
|
|
|
|
. Grant permission to allow the service account to read the AWS secret object:
|
|
|
|
.. Create a directory to contain the credentials request by running the following command:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ mkdir credentialsrequest-dir-aws
|
|
----
|
|
|
|
.. Create a YAML file with the following configuration for the credentials request:
|
|
+
|
|
.Example `credentialsrequest.yaml` file
|
|
[source,yaml]
|
|
----
|
|
apiVersion: cloudcredential.openshift.io/v1
|
|
kind: CredentialsRequest
|
|
metadata:
|
|
name: aws-provider-test
|
|
namespace: openshift-cloud-credential-operator
|
|
spec:
|
|
providerSpec:
|
|
apiVersion: cloudcredential.openshift.io/v1
|
|
kind: AWSProviderSpec
|
|
ifdef::aws-secrets-manager[]
|
|
statementEntries:
|
|
- action:
|
|
- "secretsmanager:GetSecretValue"
|
|
- "secretsmanager:DescribeSecret"
|
|
effect: Allow
|
|
resource: "arn:*:secretsmanager:*:*:secret:testSecret-??????"
|
|
endif::aws-secrets-manager[]
|
|
ifdef::aws-systems-manager-parameter-store[]
|
|
statementEntries:
|
|
- action:
|
|
- "ssm:GetParameter"
|
|
- "ssm:GetParameters"
|
|
effect: Allow
|
|
resource: "arn:*:ssm:*:*:parameter/testParameter*"
|
|
endif::aws-systems-manager-parameter-store[]
|
|
secretRef:
|
|
name: aws-creds
|
|
namespace: my-namespace
|
|
serviceAccountNames:
|
|
- aws-provider
|
|
----
|
|
|
|
.. Retrieve the OIDC provider by running the following command:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ oc get --raw=/.well-known/openid-configuration | jq -r '.issuer'
|
|
----
|
|
+
|
|
.Example output
|
|
[source,terminal]
|
|
----
|
|
https://<oidc_provider_name>
|
|
----
|
|
Copy the OIDC provider name `<oidc_provider_name>` from the output to use in the next step.
|
|
|
|
.. Use the `ccoctl` tool to process the credentials request by running the following command:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ ccoctl aws create-iam-roles \
|
|
--name my-role --region=<aws_region> \
|
|
--credentials-requests-dir=credentialsrequest-dir-aws \
|
|
--identity-provider-arn arn:aws:iam::<aws_account>:oidc-provider/<oidc_provider_name> --output-dir=credrequests-ccoctl-output
|
|
----
|
|
+
|
|
.Example output
|
|
[source,terminal]
|
|
----
|
|
2023/05/15 18:10:34 Role arn:aws:iam::<aws_account_id>:role/my-role-my-namespace-aws-creds created
|
|
2023/05/15 18:10:34 Saved credentials configuration to: credrequests-ccoctl-output/manifests/my-namespace-aws-creds-credentials.yaml
|
|
2023/05/15 18:10:35 Updated Role policy for Role my-role-my-namespace-aws-creds
|
|
----
|
|
+
|
|
Copy the `<aws_role_arn>` from the output to use in the next step. For example, `arn:aws:iam::<aws_account_id>:role/my-role-my-namespace-aws-creds`.
|
|
|
|
.. Bind the service account with the role ARN by running the following command:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ oc annotate -n my-namespace sa/aws-provider eks.amazonaws.com/role-arn="<aws_role_arn>"
|
|
----
|
|
|
|
. Create a secret provider class to define your secrets store provider:
|
|
|
|
.. Create a YAML file that defines the `SecretProviderClass` object:
|
|
+
|
|
.Example `secret-provider-class-aws.yaml`
|
|
[source,yaml]
|
|
----
|
|
apiVersion: secrets-store.csi.x-k8s.io/v1
|
|
kind: SecretProviderClass
|
|
metadata:
|
|
name: my-aws-provider <1>
|
|
namespace: my-namespace <2>
|
|
spec:
|
|
provider: aws <3>
|
|
parameters: <4>
|
|
ifdef::aws-secrets-manager[]
|
|
objects: |
|
|
- objectName: "testSecret"
|
|
objectType: "secretsmanager"
|
|
endif::aws-secrets-manager[]
|
|
ifdef::aws-systems-manager-parameter-store[]
|
|
objects: |
|
|
- objectName: "testParameter"
|
|
objectType: "ssmparameter"
|
|
endif::aws-systems-manager-parameter-store[]
|
|
----
|
|
<1> Specify the name for the secret provider class.
|
|
<2> Specify the namespace for the secret provider class.
|
|
<3> Specify the provider as `aws`.
|
|
<4> Specify the provider-specific configuration parameters.
|
|
|
|
.. Create the `SecretProviderClass` object by running the following command:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ oc create -f secret-provider-class-aws.yaml
|
|
----
|
|
|
|
. Create a deployment to use this secret provider class:
|
|
|
|
.. Create a YAML file that defines the `Deployment` object:
|
|
+
|
|
.Example `deployment.yaml`
|
|
[source,yaml]
|
|
----
|
|
apiVersion: apps/v1
|
|
kind: Deployment
|
|
metadata:
|
|
name: my-aws-deployment <1>
|
|
namespace: my-namespace <2>
|
|
spec:
|
|
replicas: 1
|
|
selector:
|
|
matchLabels:
|
|
app: my-storage
|
|
template:
|
|
metadata:
|
|
labels:
|
|
app: my-storage
|
|
spec:
|
|
serviceAccountName: aws-provider
|
|
containers:
|
|
- name: busybox
|
|
image: k8s.gcr.io/e2e-test-images/busybox:1.29
|
|
command:
|
|
- "/bin/sleep"
|
|
- "10000"
|
|
volumeMounts:
|
|
- name: secrets-store-inline
|
|
mountPath: "/mnt/secrets-store"
|
|
readOnly: true
|
|
volumes:
|
|
- name: secrets-store-inline
|
|
csi:
|
|
driver: secrets-store.csi.k8s.io
|
|
readOnly: true
|
|
volumeAttributes:
|
|
secretProviderClass: "my-aws-provider" <3>
|
|
----
|
|
<1> Specify the name for the deployment.
|
|
<2> Specify the namespace for the deployment. This must be the same namespace as the secret provider class.
|
|
<3> Specify the name of the secret provider class.
|
|
|
|
.. Create the `Deployment` object by running the following command:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ oc create -f deployment.yaml
|
|
----
|
|
|
|
.Verification
|
|
|
|
* Verify that you can access the secrets from {secrets-store-provider} in the pod volume mount:
|
|
|
|
.. List the secrets in the pod mount by running the following command:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ oc exec my-aws-deployment-<hash> -n my-namespace -- ls /mnt/secrets-store/
|
|
----
|
|
+
|
|
.Example output
|
|
[source,terminal]
|
|
----
|
|
ifdef::aws-secrets-manager[]
|
|
testSecret
|
|
endif::aws-secrets-manager[]
|
|
ifdef::aws-systems-manager-parameter-store[]
|
|
testParameter
|
|
endif::aws-systems-manager-parameter-store[]
|
|
----
|
|
|
|
.. View a secret in the pod mount by running the following command:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ oc exec my-aws-deployment-<hash> -n my-namespace -- cat /mnt/secrets-store/testSecret
|
|
----
|
|
+
|
|
.Example output
|
|
[source,terminal]
|
|
----
|
|
<secret_value>
|
|
----
|
|
|
|
ifeval::["{secrets-store-provider}" == "AWS Secrets Manager"]
|
|
:!aws-secrets-manager:
|
|
endif::[]
|
|
ifeval::["{secrets-store-provider}" == "AWS Systems Manager Parameter Store"]
|
|
:!aws-systems-manager-parameter-store:
|
|
endif::[]
|