update readme
lijiuxing1 committed Dec 26, 2024
1 parent f155ad6 commit 424fa8d
Showing 2 changed files with 178 additions and 128 deletions.
153 changes: 89 additions & 64 deletions README.md
@@ -75,89 +75,114 @@ The following table lists the configurable parameters of the csi-secrets-store-p
| `rbac.install` | Install default service account | true |

## Usage

- KMS Secrets Manager
Add your secret data to [Alibaba Cloud Secrets Manager](https://www.alibabacloud.com/help/en/key-management-service/latest/secrets-manager-overview) with aliyun CLI tool, firstly use `aliyun configure` to set your credentials and default region info.
Now create a test secret:

```shell
aliyun kms CreateSecret --SecretName test-kms --SecretData 1234 --VersionId v1
```

Create an access policy for the pod scoped down to just the secrets it should have :

```shell
aliyun ram CreatePolicy --PolicyName kms-test --PolicyDocument '{"Statement": [{"Effect": "Allow","Action": ["kms:GetSecretValue", "kms:Decrypt"],"Resource": "acs:kms:{region-id}:{aliyun-uid}:secret/test-kms"}],"Version": "1"}'
```
- OOS Secret Parameter
Add your secret data to [Alibaba Cloud OOS Encrypted Parameter](https://www.alibabacloud.com/help/en/oos/getting-started/manage-encryption-parameters) with aliyun CLI tool, firstly use `aliyun configure` to set your parameter and default region info.
Now create a test secret:

```shell
aliyun oos CreateSecretParameter --Value SecretParameter --Name test-oos
```

Create an access policy for the pod scoped down to just the secrets it should have :

```shell
aliyun ram CreatePolicy --PolicyName oos-test --PolicyDocument '{"Statement": [{"Effect": "Allow","Action": ["oos:GetSecretParameter"],"Resource": "acs:oos:{region-id}:{aliyun-uid}:secretparameter/test-oos"}],"Version": "1"}'
```
Synchronize kms secret please refer to KMS Secrets Manager, and synchronize oos parameter please refer to OOS Secret Parameter.
1. KMS Secrets Manager
- Add your secret data to [Alibaba Cloud Secrets Manager](https://www.alibabacloud.com/help/en/key-management-service/latest/secrets-manager-overview) with aliyun CLI tool, firstly use `aliyun configure` to set your credentials and default region info.
Now create a test secret:

```shell
aliyun kms CreateSecret --SecretName test-kms --SecretData 1234 --VersionId v1 --EncryptionKeyId <kms-key-id> --DKMSInstanceId <kms-instance-id>
```

- Create an access policy for the pod scoped down to just the secrets it should have :

```shell
aliyun ram CreatePolicy --PolicyName kms-test --PolicyDocument '{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"kms:GetSecretValue",
"kms:Decrypt"
],
"Resource": [
"acs:kms:cn-hangzhou:{aliyun-uid}:secret/test-kms",
"acs:kms:cn-hangzhou:{aliyun-uid}:key/{kms-key-id}"
]
}
]}'
```
2. OOS Secret Parameter
- Add your secret data to [Alibaba Cloud OOS Encrypted Parameter](https://www.alibabacloud.com/help/en/oos/getting-started/manage-encryption-parameters) with aliyun CLI tool, firstly use `aliyun configure` to set your parameter and default region info.
Now create a test parameter:

```shell
aliyun oos CreateSecretParameter --Value SecretParameter --Name test-oos
```

- Create an access policy for the pod scoped down to just the secrets it should have :

```shell
aliyun ram CreatePolicy --PolicyName oos-test --PolicyDocument '{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"oos:GetSecretParameter",
"kms:GetSecretValue"
],
"Resource": "acs:oos:cn-hangzhou:{aliyun-uid}:secretparameter/test-oos"
}
]}'
```

### Enable [RRSA](https://www.alibabacloud.com/help/zh/container-service-for-kubernetes/latest/use-rrsa-to-enforce-access-control#section-ywl-59g-j8h) feature

RAM Roles for Service Accounts (RRSA) is the recommended secure authentication method for obtaining secrets in Alibaba Cloud Secrets Manager and OOS Encrypted Parameter. For the configuration, please refer to the following steps:

1. Create the RAM OIDC provider for the cluster with [ack-ram-tool](https://github.com/AliyunContainerService/ack-ram-tool) or reference [RRSA](https://www.alibabacloud.com/help/zh/container-service-for-kubernetes/latest/use-rrsa-to-enforce-access-control#section-ywl-59g-j8h) doc if you have not already done so:

```shell
ack-ram-tool rrsa enable -c <clusterId>
```
```shell
ack-ram-tool rrsa enable -c <clusterId>
```

2. Next create the service account to be used by the pod, and associate the above RAM policy based on the product to synchronize with that service account. Here we use [ack-ram-tool](https://github.com/AliyunContainerService/ack-ram-tool) CLI to simplify the steps of RAM role creation and authorization:

```shell
ack-ram-tool rrsa associate-role -c <clusterId> --create-role-if-not-exist -r <roleName> -n <namespace> -s csi-secrets-store-provider-alibabacloud
```
```shell
ack-ram-tool rrsa associate-role -c <clusterId> --create-role-if-not-exist -r <roleName> -n <namespace> -s csi-secrets-store-provider-alibabacloud
```

3. Create a secret named `alibaba-credentials` in target cluster, create a template file below named `alibaba-credentials.yaml`:

```yaml
apiVersion: v1
data:
oidcproviderarn: ****
rolearn: **** #specify the assumed ram role ARN, base64 encoding required
kind: Secret
metadata:
name: alibaba-credentials
namespace: <namespace>
type: Opaque
```
```yaml
apiVersion: v1
data:
oidcproviderarn: acs:ram::<aliyun-uid>:oidc-provider/ack-rrsa-<ack-cluster-id> # specify the cluster's OIDC provider ARN, base64 encoding required
rolearn: acs:ram::<aliyun-uid>:role/<ram-role-name> # specify the assumed ram role ARN, base64 encoding required
kind: Secret
metadata:
name: alibaba-credentials
namespace: <namespace>
type: Opaque
```

**oidcproviderarn**: specify the cluster's OIDC provider ARN, you can obtain the value in [RAM SSO](https://ram.console.aliyun.com/providers) console, then find the target provider ARN in the `OIDC` tab, base64 encoding required
**rolearn**: specify the assumed ram role ARN, base64 encoding required
**namespace**: specify the namespace which will install provider
**oidcproviderarn**: specify the cluster's OIDC provider ARN, you can obtain the value in [RAM SSO](https://ram.console.aliyun.com/providers) console, then find the target provider ARN in the `OIDC` tab, base64 encoding required
**rolearn**: specify the assumed ram role ARN, base64 encoding required
**namespace**: specify the namespace which will install provider
Run the command to deploy secret:
Run the command to deploy secret:
```bash
kubectl apply -f alibaba-credentials.yaml
```
```bash
kubectl apply -f alibaba-credentials.yaml
```
4. Update below envVarsFromSecret configuration in the values.yaml:
```yaml
envVarsFromSecret:
ALICLOUD_ROLE_ARN:
secretKeyRef: alibaba-credentials
key: rolearn
ALICLOUD_OIDC_PROVIDER_ARN:
secretKeyRef: alibaba-credentials
key: oidcproviderarn
rrsa:
# Specifies whether using rrsa and enalbe sa token volume projection, default is false
enable: true
```
```yaml
envVarsFromSecret:
ALICLOUD_ROLE_ARN:
secretKeyRef: alibaba-credentials
key: rolearn
ALICLOUD_OIDC_PROVIDER_ARN:
secretKeyRef: alibaba-credentials
key: oidcproviderarn
rrsa:
# Specifies whether using rrsa and enalbe sa token volume projection, default is false
enable: true
```
Now create the SecretProviderClass which tells the provider which secrets are to be mounted in the pod. The secretproviderclass.yaml in the [examples](./examples) directory will mount all secret created above.
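Review bot: the new `alibaba-credentials.yaml` template in step 3 puts plain-text ARNs under `data:` (`oidcproviderarn: acs:ram::<aliyun-uid>:oidc-provider/ack-rrsa-<ack-cluster-id>` and `rolearn: acs:ram::<aliyun-uid>:role/<ram-role-name>`) while the trailing comment says "base64 encoding required"; a Kubernetes Secret's `data` field must already be base64, so `kubectl apply -f alibaba-credentials.yaml` as shown will be rejected by the API server. Either switch the template to `stringData:` so the plain ARNs are accepted as written, or show the values as the output of `echo -n '<arn>' | base64` and keep `data:`. Separately, the new OOS policy grants `kms:GetSecretValue` but its only `Resource` is `acs:oos:cn-hangzhou:{aliyun-uid}:secretparameter/test-oos`, so that action can never match a KMS resource; either drop it or add the KMS resource ARN it is meant to cover, and consider keeping a `{region-id}` placeholder rather than hard-coding `cn-hangzhou` in both policies since the earlier text only configured a "default region".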
153 changes: 89 additions & 64 deletions charts/csi-secrets-store-provider-alibabacloud/README.md
@@ -75,89 +75,114 @@ The following table lists the configurable parameters of the csi-secrets-store-p
| `rbac.install` | Install default service account | true |

## Usage

- KMS Secrets Manager
Add your secret data to [Alibaba Cloud Secrets Manager](https://www.alibabacloud.com/help/en/key-management-service/latest/secrets-manager-overview) with aliyun CLI tool, firstly use `aliyun configure` to set your credentials and default region info.
Now create a test secret:

```shell
aliyun kms CreateSecret --SecretName test-kms --SecretData 1234 --VersionId v1
```

Create an access policy for the pod scoped down to just the secrets it should have :

```shell
aliyun ram CreatePolicy --PolicyName kms-test --PolicyDocument '{"Statement": [{"Effect": "Allow","Action": ["kms:GetSecretValue", "kms:Decrypt"],"Resource": "acs:kms:{region-id}:{aliyun-uid}:secret/test-kms"}],"Version": "1"}'
```
- OOS Secret Parameter
Add your secret data to [Alibaba Cloud OOS Eencrypted Parameter](https://www.alibabacloud.com/help/en/oos/getting-started/manage-encryption-parameters) with aliyun CLI tool, firstly use `aliyun configure` to set your credentials and default region info.
Now create a test secret:

```shell
aliyun oos CreateSecretParameter --Value SecretParameter --Name test-oos
```

Create an access policy for the pod scoped down to just the secrets it should have :

```shell
aliyun ram CreatePolicy --PolicyName oos-test --PolicyDocument '{"Statement": [{"Effect": "Allow","Action": ["oos:GetSecretParameter"],"Resource": "acs:oos:{region-id}:{aliyun-uid}:secretparameter/test-oos"}],"Version": "1"}'
```
Synchronize kms secret please refer to KMS Secrets Manager, and synchronize oos parameter please refer to OOS Secret Parameter.
1. KMS Secrets Manager
- Add your secret data to [Alibaba Cloud Secrets Manager](https://www.alibabacloud.com/help/en/key-management-service/latest/secrets-manager-overview) with aliyun CLI tool, firstly use `aliyun configure` to set your credentials and default region info.
Now create a test secret:

```shell
aliyun kms CreateSecret --SecretName test-kms --SecretData 1234 --VersionId v1 --EncryptionKeyId <kms-key-id> --DKMSInstanceId <kms-instance-id>
```

- Create an access policy for the pod scoped down to just the secrets it should have :

```shell
aliyun ram CreatePolicy --PolicyName kms-test --PolicyDocument '{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"kms:GetSecretValue",
"kms:Decrypt"
],
"Resource": [
"acs:kms:cn-hangzhou:{aliyun-uid}:secret/test-kms",
"acs:kms:cn-hangzhou:{aliyun-uid}:key/{kms-key-id}"
]
}
]}'
```
2. OOS Secret Parameter
- Add your secret data to [Alibaba Cloud OOS Eencrypted Parameter](https://www.alibabacloud.com/help/en/oos/getting-started/manage-encryption-parameters) with aliyun CLI tool, firstly use `aliyun configure` to set your credentials and default region info.
Now create a test secret:

```shell
aliyun oos CreateSecretParameter --Value SecretParameter --Name test-oos
```

- Create an access policy for the pod scoped down to just the secrets it should have :

```shell
aliyun ram CreatePolicy --PolicyName oos-test --PolicyDocument '{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"oos:GetSecretParameter",
"kms:GetSecretValue"
],
"Resource": "acs:oos:cn-hangzhou:{aliyun-uid}:secretparameter/test-oos"
}
]}'
```

### Enable [RRSA](https://www.alibabacloud.com/help/zh/container-service-for-kubernetes/latest/use-rrsa-to-enforce-access-control#section-ywl-59g-j8h) feature

RAM Roles for Service Accounts (RRSA) is the recommended secure authentication method for obtaining secrets in Alibaba Cloud Secrets Manager and OOS Eencrypted Parameter. For the configuration, please refer to the following steps:

1. Create the RAM OIDC provider for the cluster with [ack-ram-tool](https://github.com/AliyunContainerService/ack-ram-tool) or reference [RRSA](https://www.alibabacloud.com/help/zh/container-service-for-kubernetes/latest/use-rrsa-to-enforce-access-control#section-ywl-59g-j8h) doc if you have not already done so:

```shell
ack-ram-tool rrsa enable -c <clusterId>
```
```shell
ack-ram-tool rrsa enable -c <clusterId>
```

2. Next create the service account to be used by the pod, and associate the above RAM policy based on the product to synchronize with that service account. Here we use [ack-ram-tool](https://github.com/AliyunContainerService/ack-ram-tool) CLI to simplify the steps of RAM role creation and authorization:

```shell
ack-ram-tool rrsa associate-role -c <clusterId> --create-role-if-not-exist -r <roleName> -n <namespace> -s csi-secrets-store-provider-alibabacloud
```
```shell
ack-ram-tool rrsa associate-role -c <clusterId> --create-role-if-not-exist -r <roleName> -n <namespace> -s csi-secrets-store-provider-alibabacloud
```

3. Create a secret named `alibaba-credentials` in target cluster, create a template file below named `alibaba-credentials.yaml`:

```yaml
apiVersion: v1
data:
oidcproviderarn: ****
rolearn: **** #specify the assumed ram role ARN, base64 encoding required
kind: Secret
metadata:
name: alibaba-credentials
namespace: <namespace>
type: Opaque
```
```yaml
apiVersion: v1
data:
oidcproviderarn: acs:ram::<aliyun-uid>:oidc-provider/ack-rrsa-<ack-cluster-id> # specify the cluster's OIDC provider ARN, base64 encoding required
rolearn: acs:ram::<aliyun-uid>:role/<ram-role-name> # specify the assumed ram role ARN, base64 encoding required
kind: Secret
metadata:
name: alibaba-credentials
namespace: <namespace>
type: Opaque
```

**oidcproviderarn**: specify the cluster's OIDC provider ARN, you can obtain the value in [RAM SSO](https://ram.console.aliyun.com/providers) console, then find the target provider ARN in the `OIDC` tab, base64 encoding required
**rolearn**: specify the assumed ram role ARN, base64 encoding required
**namespace **: specify the namespace which will install provider
**oidcproviderarn**: specify the cluster's OIDC provider ARN, you can obtain the value in [RAM SSO](https://ram.console.aliyun.com/providers) console, then find the target provider ARN in the `OIDC` tab, base64 encoding required
**rolearn**: specify the assumed ram role ARN, base64 encoding required
**namespace**: specify the namespace which will install provider
Run the command to deploy secret:
Run the command to deploy secret:
```bash
kubectl apply -f alibaba-credentials.yaml
```
```bash
kubectl apply -f alibaba-credentials.yaml
```
4. Update below envVarsFromSecret configuration in the values.yaml:
```yaml
envVarsFromSecret:
ALICLOUD_ROLE_ARN:
secretKeyRef: alibaba-credentials
key: rolearn
ALICLOUD_OIDC_PROVIDER_ARN:
secretKeyRef: alibaba-credentials
key: oidcproviderarn
rrsa:
# Specifies whether using rrsa and enalbe sa token volume projection, default is false
enable: true
```
```yaml
envVarsFromSecret:
ALICLOUD_ROLE_ARN:
secretKeyRef: alibaba-credentials
key: rolearn
ALICLOUD_OIDC_PROVIDER_ARN:
secretKeyRef: alibaba-credentials
key: oidcproviderarn
rrsa:
# Specifies whether using rrsa and enalbe sa token volume projection, default is false
enable: true
```
Now create the SecretProviderClass which tells the provider which secrets are to be mounted in the pod. The secretproviderclass.yaml in the [examples](./examples) directory will mount all secret created above.
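Review bot: this chart README is a byte-for-byte copy of the top-level README hunk, so the same two defects apply here: the OOS policy lists `kms:GetSecretValue` under `Action` with only `acs:oos:cn-hangzhou:{aliyun-uid}:secretparameter/test-oos` as `Resource` (a KMS action cannot match an OOS resource, so it is either dead weight or missing its KMS resource ARN), and the `alibaba-credentials.yaml` template shows un-encoded ARNs under `data:` although the comment says base64 is required. This copy also carries spelling errors that the other README does not: "OOS Eencrypted Parameter" appears three times (the OOS bullet, the numbered OOS step and the RRSA intro) and should read "Encrypted", the `rrsa` comment in step 4 says "enalbe" for "enable", and the `**namespace **:` label has a stray space inside the bold marker, which breaks the markdown rendering. Since the two files are meant to stay identical, it would be worth generating the chart copy from the root README (or vice versa) rather than hand-editing both.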