|
|
@@ -937,7 +937,7 @@
|
|
|
|
|
|
<li class="md-nav__item">
|
|
|
<a href="#imported_cert-public_cert-and-private_cert" class="md-nav__link">
|
|
|
- imported_cert, public_cert and private_cert
|
|
|
+ imported_cert, public_cert, and private_cert
|
|
|
</a>
|
|
|
|
|
|
</li>
|
|
|
@@ -1774,7 +1774,7 @@
|
|
|
|
|
|
<li class="md-nav__item">
|
|
|
<a href="#imported_cert-public_cert-and-private_cert" class="md-nav__link">
|
|
|
- imported_cert, public_cert and private_cert
|
|
|
+ imported_cert, public_cert, and private_cert
|
|
|
</a>
|
|
|
|
|
|
</li>
|
|
|
@@ -1830,16 +1830,14 @@
|
|
|
<h1>Secrets Manager</h1>
|
|
|
|
|
|
<h2 id="ibm-cloud-secret-manager">IBM Cloud Secret Manager</h2>
|
|
|
-<p>External Secrets Operator integrates with <a href="https://www.ibm.com/cloud/secrets-manager">IBM Secret Manager</a> for secret management.</p>
|
|
|
+<p>External Secrets Operator integrates with <a href="https://www.ibm.com/cloud/secrets-manager">IBM Cloud Secret Manager</a> for secret management.</p>
|
|
|
<h3 id="authentication">Authentication</h3>
|
|
|
<p>We support API key and trusted profile container authentication for this provider.</p>
|
|
|
<h4 id="api-key-secret">API key secret</h4>
|
|
|
<p>To generate your key (for test purposes we are going to generate from your user), first got to your (Access IAM) page:</p>
|
|
|
<p><img alt="iam" src="../../pictures/screenshot_api_keys_iam.png" /></p>
|
|
|
-<p>On the left, click "IBM Cloud API Keys":</p>
|
|
|
+<p>On the left, click "API Keys", then click on "Create"</p>
|
|
|
<p><img alt="iam-left" src="../../pictures/screenshot_api_keys_iam_left.png" /></p>
|
|
|
-<p>Press "Create an IBM Cloud API Key":</p>
|
|
|
-<p><img alt="iam-create-button" src="../../pictures/screenshot_api_keys_create_button.png" /></p>
|
|
|
<p>Pick a name and description for your key:</p>
|
|
|
<p><img alt="iam-create-key" src="../../pictures/screenshot_api_keys_create.png" /></p>
|
|
|
<p>You have created a key. Press the eyeball to show the key. Copy or save it because keys can't be displayed or downloaded twice.</p>
|
|
|
@@ -1854,18 +1852,18 @@
|
|
|
<p><img alt="iam-left" src="../../pictures/screenshot_container_auth_create_group.png" /></p>
|
|
|
<p>Pick a name and description for your group:</p>
|
|
|
<p><img alt="iam-left" src="../../pictures/screenshot_container_auth_create_group_1.png" /></p>
|
|
|
-<p>Click on "Access Policies":</p>
|
|
|
+<p>Click on "Access", and then on "Assign":</p>
|
|
|
<p><img alt="iam-left" src="../../pictures/screenshot_container_auth_create_group_2.png" /></p>
|
|
|
<p>Click on "Assign Access", select "IAM services", and pick "Secrets Manager" from the pick-list:</p>
|
|
|
<p><img alt="iam-left" src="../../pictures/screenshot_container_auth_create_group_3.png" /></p>
|
|
|
-<p>Scope to "All resources" or "Resources based on selected attributes", select "SecretsReader":</p>
|
|
|
+<p>Scope to "All resources" or "Resources based on selected attributes":</p>
|
|
|
<p><img alt="iam-left" src="../../pictures/screenshot_container_auth_create_group_4.png" /></p>
|
|
|
+<p>Select the "SecretsReader" service access policy:</p>
|
|
|
+<p><img alt="iam-left" src="../../pictures/screenshot_container_auth_create_group_5.png" /></p>
|
|
|
<p>Click "Add" and "Assign" to save the access group.</p>
|
|
|
<p>Next, on the left, click "Trusted profiles":</p>
|
|
|
<p><img alt="iam-left" src="../../pictures/screenshot_container_auth_iam_left.png" /></p>
|
|
|
-<p>Press "Create":</p>
|
|
|
-<p><img alt="iam-create-button" src="../../pictures/screenshot_container_auth_create_button.png" /></p>
|
|
|
-<p>Pick a name and description for your profile:</p>
|
|
|
+<p>Press "Create" and pick a name and description for your profile:</p>
|
|
|
<p><img alt="iam-create-key" src="../../pictures/screenshot_container_auth_create_1.png" /></p>
|
|
|
<p>Scope the profile's access.</p>
|
|
|
<p>The compute service type will be "Red Hat OpenShift on IBM Cloud". Additional restriction can be configured based on cloud or cluster metadata, or if "Specific resources" is selected, restriction to a specific cluster.</p>
|
|
|
@@ -1917,11 +1915,9 @@
|
|
|
<span class="w"> </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">apiKey</span><span class="w"></span>
|
|
|
</code></pre></div>
|
|
|
<strong>NOTE:</strong> In case of a <code>ClusterSecretStore</code>, Be sure to provide <code>namespace</code> in <code>secretApiKeySecretRef</code> with the namespace where the secret resides.</p>
|
|
|
-<p><strong>NOTE:</strong> Only <code>secretApiKeySecretRef</code> or <code>containerAuth</code> should be specified, depending on authentication me
|
|
|
-thod being used.</p>
|
|
|
-<p>To find your serviceURL, under your Secrets Manager resource, go to "Endpoints" on the left.
|
|
|
-Note: Use the url without the <code>/api</code> suffix that is presented in the UI.
|
|
|
-See here for a list of <a href="https://cloud.ibm.com/apidocs/secrets-manager#getting-started-endpoints">publicly available endpoints</a>.</p>
|
|
|
+<p><strong>NOTE:</strong> Only <code>secretApiKeySecretRef</code> or <code>containerAuth</code> should be specified, depending on authentication method being used.</p>
|
|
|
+<p>To find your <code>serviceURL</code>, under your Secrets Manager resource, go to "Endpoints" on the left.</p>
|
|
|
+<p>See here for a list of <a href="https://cloud.ibm.com/apidocs/secrets-manager#getting-started-endpoints">publicly available endpoints</a>.</p>
|
|
|
<p><img alt="iam-create-success" src="../../pictures/screenshot_service_url.png" /></p>
|
|
|
<h3 id="secret-types">Secret Types</h3>
|
|
|
<p>We support the following secret types of <a href="https://cloud.ibm.com/apidocs/secrets-manager">IBM Secrets Manager</a>:</p>
|
|
|
@@ -1994,7 +1990,7 @@ See here for a list of <a href="https://cloud.ibm.com/apidocs/secrets-manager#ge
|
|
|
<li><code>remoteRef</code> retrieves an apikey from secrets manager and sets it for specified <code>secretKey</code></li>
|
|
|
<li><code>dataFrom</code> retrieves an apikey from secrets manager and sets it for the <code>apikey</code> Kubernetes secret key</li>
|
|
|
</ul>
|
|
|
-<h4 id="imported_cert-public_cert-and-private_cert">imported_cert, public_cert and private_cert</h4>
|
|
|
+<h4 id="imported_cert-public_cert-and-private_cert">imported_cert, public_cert, and private_cert</h4>
|
|
|
<ul>
|
|
|
<li><code>remoteRef</code> requires a <code>property</code> to be set for either <code>certificate</code>, <code>private_key</code> or <code>intermediate</code> to retrieve respective fields from the secrets manager secret and set in specified <code>secretKey</code></li>
|
|
|
<li><code>dataFrom</code> retrieves all <code>certificate</code>, <code>private_key</code> and <code>intermediate</code> fields from the secrets manager secret and sets appropriate key:value pairs in the resulting Kubernetes secret</li>
|