From 424fa8dfa700f4ec0bf907291c2be51e78cb0607 Mon Sep 17 00:00:00 2001 From: lijiuxing Date: Thu, 26 Dec 2024 16:07:08 +0800 Subject: [PATCH] update readme --- README.md | 153 ++++++++++-------- .../README.md | 153 ++++++++++-------- 2 files changed, 178 insertions(+), 128 deletions(-) diff --git a/README.md b/README.md index 13862bb..ba89cc8 100644 --- a/README.md +++ b/README.md 
@@ -75,33 +75,58 @@ The following table lists the configurable parameters of the csi-secrets-store-p | `rbac.install` | Install default service account | true | ## Usage - -- KMS Secrets Manager - Add your secret data to [Alibaba Cloud Secrets Manager](https://www.alibabacloud.com/help/en/key-management-service/latest/secrets-manager-overview) with aliyun CLI tool, firstly use `aliyun configure` to set your credentials and default region info. - Now create a test secret: - - ```shell - aliyun kms CreateSecret --SecretName test-kms --SecretData 1234 --VersionId v1 - ``` - - Create an access policy for the pod scoped down to just the secrets it should have : - - ```shell - aliyun ram CreatePolicy --PolicyName kms-test --PolicyDocument '{"Statement": [{"Effect": "Allow","Action": ["kms:GetSecretValue", "kms:Decrypt"],"Resource": "acs:kms:{region-id}:{aliyun-uid}:secret/test-kms"}],"Version": "1"}' - ``` -- OOS Secret Parameter - Add your secret data to [Alibaba Cloud OOS Encrypted Parameter](https://www.alibabacloud.com/help/en/oos/getting-started/manage-encryption-parameters) with aliyun CLI tool, firstly use `aliyun configure` to set your parameter and default region info. - Now create a test secret: - - ```shell - aliyun oos CreateSecretParameter --Value SecretParameter --Name test-oos - ``` - - Create an access policy for the pod scoped down to just the secrets it should have : - - ```shell - aliyun ram CreatePolicy --PolicyName oos-test --PolicyDocument '{"Statement": [{"Effect": "Allow","Action": ["oos:GetSecretParameter"],"Resource": "acs:oos:{region-id}:{aliyun-uid}:secretparameter/test-oos"}],"Version": "1"}' - ``` + Synchronize kms secret please refer to KMS Secrets Manager, and synchronize oos parameter please refer to OOS Secret Parameter. +1. 
KMS Secrets Manager + - Add your secret data to [Alibaba Cloud Secrets Manager](https://www.alibabacloud.com/help/en/key-management-service/latest/secrets-manager-overview) with aliyun CLI tool, firstly use `aliyun configure` to set your credentials and default region info. + Now create a test secret: + + ```shell + aliyun kms CreateSecret --SecretName test-kms --SecretData 1234 --VersionId v1 --EncryptionKeyId --DKMSInstanceId + ``` + + - Create an access policy for the pod scoped down to just the secrets it should have : + + ```shell + aliyun ram CreatePolicy --PolicyName kms-test --PolicyDocument '{ + "Version": "1", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "kms:GetSecretValue", + "kms:Decrypt" + ], + "Resource": [ + "acs:kms:cn-hangzhou:{aliyun-uid}:secret/test-kms", + "acs:kms:cn-hangzhou:{aliyun-uid}:key/{kms-key-id}" + ] + } + ]}' + ``` +2. OOS Secret Parameter + - Add your secret data to [Alibaba Cloud OOS Encrypted Parameter](https://www.alibabacloud.com/help/en/oos/getting-started/manage-encryption-parameters) with aliyun CLI tool, firstly use `aliyun configure` to set your parameter and default region info. + Now create a test parameter: + + ```shell + aliyun oos CreateSecretParameter --Value SecretParameter --Name test-oos + ``` + + - Create an access policy for the pod scoped down to just the secrets it should have : + + ```shell + aliyun ram CreatePolicy --PolicyName oos-test --PolicyDocument '{ + "Version": "1", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "oos:GetSecretParameter", + "kms:GetSecretValue" + ], + "Resource": "acs:oos:cn-hangzhou:{aliyun-uid}:secretparameter/test-oos" + } + ]}' + ``` ### Enable [RRSA](https://www.alibabacloud.com/help/zh/container-service-for-kubernetes/latest/use-rrsa-to-enforce-access-control#section-ywl-59g-j8h) feature 
@@ -109,55 +134,55 @@ RAM Roles for Service Accounts (RRSA) is the recommended secure authentication m 1. Create the RAM OIDC provider for the cluster with [ack-ram-tool](https://github.com/AliyunContainerService/ack-ram-tool) or reference [RRSA](https://www.alibabacloud.com/help/zh/container-service-for-kubernetes/latest/use-rrsa-to-enforce-access-control#section-ywl-59g-j8h) doc if you have not already done so: -```shell -ack-ram-tool rrsa enable -c -``` + ```shell + ack-ram-tool rrsa enable -c + ``` 2. Next create the service account to be used by the pod, and associate the above RAM policy based on the product to synchronize with that service account. Here we use [ack-ram-tool](https://github.com/AliyunContainerService/ack-ram-tool) CLI to simplify the steps of RAM role creation and authorization: -```shell -ack-ram-tool rrsa associate-role -c --create-role-if-not-exist -r -n -s csi-secrets-store-provider-alibabacloud -``` + ```shell + ack-ram-tool rrsa associate-role -c --create-role-if-not-exist -r -n -s csi-secrets-store-provider-alibabacloud + ``` 3. 
Create a secret named `alibaba-credentials` in target cluster, create a template file below named `alibaba-credentials.yaml`: -```yaml -apiVersion: v1 -data: - oidcproviderarn: **** - rolearn: **** #specify the assumed ram role ARN, base64 encoding required -kind: Secret -metadata: - name: alibaba-credentials - namespace: -type: Opaque -``` + ```yaml + apiVersion: v1 + data: + oidcproviderarn: acs:ram:::oidc-provider/ack-rrsa- # specify the cluster's OIDC provider ARN, base64 encoding required + rolearn: acs:ram:::role/ # specify the assumed ram role ARN, base64 encoding required + kind: Secret + metadata: + name: alibaba-credentials + namespace: + type: Opaque + ``` -**oidcproviderarn**: specify the cluster's OIDC provider ARN, you can obtain the value in [RAM SSO](https://ram.console.aliyun.com/providers) console, then find the target provider ARN in the `OIDC` tab, base64 encoding required -**rolearn**: specify the assumed ram role ARN, base64 encoding required -**namespace**: specify the namespace which will install provider + **oidcproviderarn**: specify the cluster's OIDC provider ARN, you can obtain the value in [RAM SSO](https://ram.console.aliyun.com/providers) console, then find the target provider ARN in the `OIDC` tab, base64 encoding required + **rolearn**: specify the assumed ram role ARN, base64 encoding required + **namespace**: specify the namespace which will install provider -Run the command to deploy secret: + Run the command to deploy secret: -```bash -kubectl apply -f alibaba-credentials.yaml -``` + ```bash + kubectl apply -f alibaba-credentials.yaml + ``` 4. 
Update below envVarsFromSecret configuration in the values.yaml: -```yaml -envVarsFromSecret: - ALICLOUD_ROLE_ARN: - secretKeyRef: alibaba-credentials - key: rolearn - ALICLOUD_OIDC_PROVIDER_ARN: - secretKeyRef: alibaba-credentials - key: oidcproviderarn - -rrsa: - # Specifies whether using rrsa and enalbe sa token volume projection, default is false - enable: true -``` + ```yaml + envVarsFromSecret: + ALICLOUD_ROLE_ARN: + secretKeyRef: alibaba-credentials + key: rolearn + ALICLOUD_OIDC_PROVIDER_ARN: + secretKeyRef: alibaba-credentials + key: oidcproviderarn + + rrsa: + # Specifies whether using rrsa and enalbe sa token volume projection, default is false + enable: true + ``` Now create the SecretProviderClass which tells the provider which secrets are to be mounted in the pod. The secretproviderclass.yaml in the [examples](./examples) directory will mount all secret created above. diff --git a/charts/csi-secrets-store-provider-alibabacloud/README.md b/charts/csi-secrets-store-provider-alibabacloud/README.md index 05d3a6d..00d6fae 100644 --- a/charts/csi-secrets-store-provider-alibabacloud/README.md +++ b/charts/csi-secrets-store-provider-alibabacloud/README.md 
@@ -75,33 +75,58 @@ The following table lists the configurable parameters of the csi-secrets-store-p | `rbac.install` | Install default service account | true | ## Usage - -- KMS Secrets Manager - Add your secret data to [Alibaba Cloud Secrets Manager](https://www.alibabacloud.com/help/en/key-management-service/latest/secrets-manager-overview) with aliyun CLI tool, firstly use `aliyun configure` to set your credentials and default region info. - Now create a test secret: - - ```shell - aliyun kms CreateSecret --SecretName test-kms --SecretData 1234 --VersionId v1 - ``` - - Create an access policy for the pod scoped down to just the secrets it should have : - - ```shell - aliyun ram CreatePolicy --PolicyName kms-test --PolicyDocument '{"Statement": [{"Effect": "Allow","Action": ["kms:GetSecretValue", "kms:Decrypt"],"Resource": "acs:kms:{region-id}:{aliyun-uid}:secret/test-kms"}],"Version": "1"}' - ``` -- OOS Secret Parameter - Add your secret data to [Alibaba Cloud OOS Eencrypted Parameter](https://www.alibabacloud.com/help/en/oos/getting-started/manage-encryption-parameters) with aliyun CLI tool, firstly use `aliyun configure` to set your credentials and default region info. - Now create a test secret: - - ```shell - aliyun oos CreateSecretParameter --Value SecretParameter --Name test-oos - ``` - - Create an access policy for the pod scoped down to just the secrets it should have : - - ```shell - aliyun ram CreatePolicy --PolicyName oos-test --PolicyDocument '{"Statement": [{"Effect": "Allow","Action": ["oos:GetSecretParameter"],"Resource": "acs:oos:{region-id}:{aliyun-uid}:secretparameter/test-oos"}],"Version": "1"}' - ``` + Synchronize kms secret please refer to KMS Secrets Manager, and synchronize oos parameter please refer to OOS Secret Parameter. +1. 
KMS Secrets Manager + - Add your secret data to [Alibaba Cloud Secrets Manager](https://www.alibabacloud.com/help/en/key-management-service/latest/secrets-manager-overview) with aliyun CLI tool, firstly use `aliyun configure` to set your credentials and default region info. + Now create a test secret: + + ```shell + aliyun kms CreateSecret --SecretName test-kms --SecretData 1234 --VersionId v1 --EncryptionKeyId --DKMSInstanceId + ``` + + - Create an access policy for the pod scoped down to just the secrets it should have : + + ```shell + aliyun ram CreatePolicy --PolicyName kms-test --PolicyDocument '{ + "Version": "1", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "kms:GetSecretValue", + "kms:Decrypt" + ], + "Resource": [ + "acs:kms:cn-hangzhou:{aliyun-uid}:secret/test-kms", + "acs:kms:cn-hangzhou:{aliyun-uid}:key/{kms-key-id}" + ] + } + ]}' + ``` +2. OOS Secret Parameter + - Add your secret data to [Alibaba Cloud OOS Eencrypted Parameter](https://www.alibabacloud.com/help/en/oos/getting-started/manage-encryption-parameters) with aliyun CLI tool, firstly use `aliyun configure` to set your credentials and default region info. + Now create a test secret: + + ```shell + aliyun oos CreateSecretParameter --Value SecretParameter --Name test-oos + ``` + + - Create an access policy for the pod scoped down to just the secrets it should have : + + ```shell + aliyun ram CreatePolicy --PolicyName oos-test --PolicyDocument '{ + "Version": "1", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "oos:GetSecretParameter", + "kms:GetSecretValue" + ], + "Resource": "acs:oos:cn-hangzhou:{aliyun-uid}:secretparameter/test-oos" + } + ]}' + ``` ### Enable [RRSA](https://www.alibabacloud.com/help/zh/container-service-for-kubernetes/latest/use-rrsa-to-enforce-access-control#section-ywl-59g-j8h) feature 
@@ -109,55 +134,55 @@ RAM Roles for Service Accounts (RRSA) is the recommended secure authentication m 1. Create the RAM OIDC provider for the cluster with [ack-ram-tool](https://github.com/AliyunContainerService/ack-ram-tool) or reference [RRSA](https://www.alibabacloud.com/help/zh/container-service-for-kubernetes/latest/use-rrsa-to-enforce-access-control#section-ywl-59g-j8h) doc if you have not already done so: -```shell -ack-ram-tool rrsa enable -c -``` + ```shell + ack-ram-tool rrsa enable -c + ``` 2. Next create the service account to be used by the pod, and associate the above RAM policy based on the product to synchronize with that service account. Here we use [ack-ram-tool](https://github.com/AliyunContainerService/ack-ram-tool) CLI to simplify the steps of RAM role creation and authorization: -```shell -ack-ram-tool rrsa associate-role -c --create-role-if-not-exist -r -n -s csi-secrets-store-provider-alibabacloud -``` + ```shell + ack-ram-tool rrsa associate-role -c --create-role-if-not-exist -r -n -s csi-secrets-store-provider-alibabacloud + ``` 3. 
Create a secret named `alibaba-credentials` in target cluster, create a template file below named `alibaba-credentials.yaml`: -```yaml -apiVersion: v1 -data: - oidcproviderarn: **** - rolearn: **** #specify the assumed ram role ARN, base64 encoding required -kind: Secret -metadata: - name: alibaba-credentials - namespace: -type: Opaque -``` + ```yaml + apiVersion: v1 + data: + oidcproviderarn: acs:ram:::oidc-provider/ack-rrsa- # specify the cluster's OIDC provider ARN, base64 encoding required + rolearn: acs:ram:::role/ # specify the assumed ram role ARN, base64 encoding required + kind: Secret + metadata: + name: alibaba-credentials + namespace: + type: Opaque + ``` -**oidcproviderarn**: specify the cluster's OIDC provider ARN, you can obtain the value in [RAM SSO](https://ram.console.aliyun.com/providers) console, then find the target provider ARN in the `OIDC` tab, base64 encoding required -**rolearn**: specify the assumed ram role ARN, base64 encoding required -**namespace **: specify the namespace which will install provider + **oidcproviderarn**: specify the cluster's OIDC provider ARN, you can obtain the value in [RAM SSO](https://ram.console.aliyun.com/providers) console, then find the target provider ARN in the `OIDC` tab, base64 encoding required + **rolearn**: specify the assumed ram role ARN, base64 encoding required + **namespace**: specify the namespace which will install provider -Run the command to deploy secret: + Run the command to deploy secret: -```bash -kubectl apply -f alibaba-credentials.yaml -``` + ```bash + kubectl apply -f alibaba-credentials.yaml + ``` 4. 
Update below envVarsFromSecret configuration in the values.yaml: -```yaml -envVarsFromSecret: - ALICLOUD_ROLE_ARN: - secretKeyRef: alibaba-credentials - key: rolearn - ALICLOUD_OIDC_PROVIDER_ARN: - secretKeyRef: alibaba-credentials - key: oidcproviderarn - -rrsa: - # Specifies whether using rrsa and enalbe sa token volume projection, default is false - enable: true -``` + ```yaml + envVarsFromSecret: + ALICLOUD_ROLE_ARN: + secretKeyRef: alibaba-credentials + key: rolearn + ALICLOUD_OIDC_PROVIDER_ARN: + secretKeyRef: alibaba-credentials + key: oidcproviderarn + + rrsa: + # Specifies whether using rrsa and enalbe sa token volume projection, default is false + enable: true + ``` Now create the SecretProviderClass which tells the provider which secrets are to be mounted in the pod. The secretproviderclass.yaml in the [examples](./examples) directory will mount all secret created above.
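Review bot: in the `README.md` hunk at `@@ -75,33 +75,58 @@` (Usage), the rewritten RAM policies drop the `{region-id}` placeholder in favour of a hard-coded `cn-hangzhou` (`"acs:kms:cn-hangzhou:{aliyun-uid}:secret/test-kms"`, `"acs:oos:cn-hangzhou:{aliyun-uid}:secretparameter/test-oos"`), so a reader in any other region who copies the policy gets a resource ARN that matches nothing and a mount failure that is hard to trace back to this line; keep `{region-id}`, which also matches the `{aliyun-uid}` and `{kms-key-id}` convention on the same lines, or say explicitly that `cn-hangzhou` is an example to replace. In the same hunk the `CreateSecret` line now ends `--EncryptionKeyId --DKMSInstanceId` with nothing after either flag, and the OOS policy adds `kms:GetSecretValue` to `Action` while `Resource` stays the single OOS parameter ARN, so that action grants nothing on any KMS resource: if the encrypted parameter is backed by a KMS secret, list that secret's ARN under `Resource`, otherwise drop the action. The new lead-in `Synchronize kms secret please refer to KMS Secrets Manager, and synchronize oos parameter please refer to OOS Secret Parameter.` reads awkwardly; suggest `To sync a KMS secret follow "KMS Secrets Manager"; to sync an OOS encrypted parameter follow "OOS Secret Parameter".`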
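Review bot: in the `README.md` hunk at `@@ -109,55 +134,55 @@` (RRSA), the `alibaba-credentials.yaml` template now shows plain-text ARNs under `data:` (`oidcproviderarn: acs:ram:::oidc-provider/ack-rrsa-`, `rolearn: acs:ram:::role/`) while the trailing comment still says `base64 encoding required`; `data:` values must already be base64, so a reader who pastes the ARN as shown gets an object the API server rejects as illegal base64. Either switch the template to `stringData:` so the plain ARNs are valid as written, or keep `data:` and show base64 placeholders instead of ARNs. The account and cluster segments of both ARNs are empty, as are the values after `-c` in `ack-ram-tool rrsa enable -c` and after `-r -n` in the associate-role line; mark each as a `{...}` placeholder so the reader knows what to supply. The values.yaml comment `# Specifies whether using rrsa and enalbe sa token volume projection, default is false` is re-indented but otherwise unchanged; fix `enalbe` and tighten it to `# Enable RRSA and service account token volume projection (default: false)` while the line is being touched.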
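Review bot: in the `charts/csi-secrets-store-provider-alibabacloud/README.md` hunk at `@@ -75,33 +75,58 @@`, the rewritten OOS bullet keeps the typo `Alibaba Cloud OOS Eencrypted Parameter` and the line `Now create a test secret:`, whereas the same hunk in the top-level `README.md` says `Encrypted` and `Now create a test parameter:` (and, conversely, says `set your parameter and default region info` where this file correctly says `set your credentials`); the two copies are drifting in one patch, so fix `Eencrypted` here, use `test parameter` here and `credentials` in the top-level file, and consider generating one README from the other. The same policy issues as in the top-level file apply to this hunk: `{region-id}` is replaced by a hard-coded `cn-hangzhou` in both resource ARNs, `--EncryptionKeyId --DKMSInstanceId` carry no values, and the OOS policy adds `kms:GetSecretValue` with only an `acs:oos:...:secretparameter/test-oos` resource, on which that action grants nothing; keep the region placeholder, mark the flag values as `{...}` placeholders, and either add the backing KMS secret ARN under `Resource` or drop the action.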
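Review bot: in the `charts/csi-secrets-store-provider-alibabacloud/README.md` hunk at `@@ -109,55 +134,55 @@`, the `alibaba-credentials.yaml` template places plain ARNs (`oidcproviderarn: acs:ram:::oidc-provider/ack-rrsa-`, `rolearn: acs:ram:::role/`) under `data:` next to a comment saying `base64 encoding required`, which is contradictory as written and yields a Secret the API server rejects if pasted verbatim; use `stringData:` for plain ARNs or show base64 placeholders under `data:`, and mark the empty account, cluster, `-c`, `-r` and `-n` values as `{...}` placeholders. The fix of `**namespace **` to `**namespace**` is good. While the values.yaml block is being re-indented, also correct `enalbe` in `# Specifies whether using rrsa and enalbe sa token volume projection, default is false`.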