doc: update read-from-keyvault example

andyzhangx · andyzhangx · commit 1165dc5200bb · 2019-10-09T10:51:06.000Z
diff --git a/README.md b/README.md
@@ -62,12 +62,16 @@ kubectl create -f storageclass-blobfuse-csi-existing-container.yaml
 kubectl create -f https://raw.githubusercontent.com/csi-driver/blobfuse-csi-driver/master/deploy/example/pvc-blobfuse-csi.yaml
 ```
 
-#### Option#2: provide storage account name and key
- - Use `kubectl create secret` to create `azure-secret` with existing storage account name and key
+#### Option#2: provide storage account name and key(or sastoken)
+ - Use `kubectl create secret` to create `azure-secret` with existing storage account name and key(or sastoken)
 ```
-kubectl create secret generic azure-secret --from-literal accountname=NAME --from-literal accountkey="KEY" --type=Opaque
+kubectl create secret generic azure-secret --from-literal azurestorageaccountname=NAME --from-literal azurestorageaccountkey="KEY" --type=Opaque
+#kubectl create secret generic azure-secret --from-literal azurestorageaccountname=NAME --from-literal azurestorageaccountsastoken
+="sastoken" --type=Opaque
 ```
 
+> storage account key(or sastoken) could also be stored in Azure Key Vault, check example here: [read-from-keyvault](./docs/read-from-keyvault.md)
+
  - Create a blobfuse CSI PV, download `pv-blobfuse-csi.yaml` file and edit `containerName` in `volumeAttributes`
 ```sh
 wget https://raw.githubusercontent.com/csi-driver/blobfuse-csi-driver/master/deploy/example/pv-blobfuse-csi.yaml
diff --git a/deploy/example/keyvault/pvc-blobfuse-csi-static-keyvault.yaml b/deploy/example/keyvault/pvc-blobfuse-csi-static-keyvault.yaml
diff --git a/deploy/example/pv-blobfuse-csi-keyvault.yaml b/deploy/example/pv-blobfuse-csi-keyvault.yaml
@@ -15,9 +15,5 @@ spec:
     volumeAttributes:
       containerName: EXISTING_CONTAINER_NAME
       storageAccountName: EXISTING_STORAGE_ACCOUNT_NAME
-      keyVaultURL: xxx
+      keyVaultURL: https://xxx.vault.azure.net/
       keyVaultSecretName: xxx
-      keyVaultSecretVersion: xxx  # use "current versoin" if empty
-    nodePublishSecretRef:
-      name: azure-secret
-      namespace: default
diff --git a/docs/driver-parameters.md b/docs/driver-parameters.md
@@ -23,9 +23,8 @@ Name | Meaning | Available Value | Mandatory | Default value
 --- | --- | --- | --- | ---
 volumeAttributes.containerName | existing container name | existing container name | Yes |
 volumeAttributes.storageAccountName | existing storage account name | existing storage account name | Yes |
-volumeAttributes.keyVaultURL | url of the key vault | the key vault which has been created | Yes |
-volumeAttributes.keyVaultSecretName | name of the secret in key vault | the secret which has been created | Yes |
-volumeAttributes.keyVaultSecretVersion | existing container name | existing container name | No |if empty, driver will use "current versoin"
-nodePublishSecretRef.name | secret name that stores storage account name and key | existing secret name |  Yes  | 
+volumeAttributes.keyVaultURL | Azure Key Vault DNS name | existing Azure Key Vault DNS name | No |
+volumeAttributes.keyVaultSecretName | Azure Key Vault secret name | existing Azure Key Vault secret name | No |
+volumeAttributes.keyVaultSecretVersion | Azure Key Vault secret version | existing version | No |if empty, driver will use "current versoin"
+nodePublishSecretRef.name | secret name that stores storage account name and key(or sastoken) | existing kubernetes secret name |  No  |
 nodePublishSecretRef.namespace | namespace where the secret is | k8s namespace  |  No  | `default`
-
diff --git a/docs/read-from-keyvault.md b/docs/read-from-keyvault.md
@@ -1,8 +1,8 @@
-# Use Blobfuse CSI Driver with Azure Key Vault
+# Use Blobfuse CSI Driver with storage account key(or sastoken) stored in Azure Key Vault
 
 > Attention: Currently, we just support use Key Vault in static provisioning scenario.
 
-## Prepare Key Vault
+## Prerequisite
 
 1. Create an Azure Key Vault
 
@@ -12,11 +12,14 @@
 
    ```console
    # Assign Reader Role to the service principal for your keyvault
-   az role assignment create --role Reader --assignee <YOUR SPN CLIENT ID> --scope /subscriptions/<subscriptionid>/resourcegroups/<resourcegroup>/providers/Microsoft.KeyVault/vaults/$keyvaultname
-   
-   az keyvault set-policy -n $keyvaultname --key-permissions get --spn <YOUR SPN CLIENT ID>
-   az keyvault set-policy -n $keyvaultname --secret-permissions get --spn <YOUR SPN CLIENT ID>
-   az keyvault set-policy -n $keyvaultname --certificate-permissions get --spn <YOUR CLIENT ID>
+   aadclientid=
+   keyvaultname=
+
+   az role assignment create --role Reader --assignee $aadclientid --scope /subscriptions/<subscriptionid>/resourcegroups/<resourcegroup>/providers/Microsoft.KeyVault/vaults/$keyvaultname
+
+   az keyvault set-policy -n $keyvaultname --key-permissions get --spn $aadclientid
+   az keyvault set-policy -n $keyvaultname --secret-permissions get --spn $aadclientid
+   az keyvault set-policy -n $keyvaultname --certificate-permissions get --spn $aadclientid
    ```
 
 ## Install blobfuse CSI driver on a kubernetes cluster
@@ -26,15 +29,13 @@ Please refer to [install blobfuse csi driver](https://github.com/csi-driver/blob
 1.  Download a `pv-blobfuse-csi-keyvault.yaml`, edit `keyVaultURL`, `keyVaultSecretName`, `containerName` in PV
 > `keyVaultSecretVersion` is the optional parameter. If not specified, it will be *current versoin*.
 ```
-wget https://raw.githubusercontent.com/csi-driver/blobfuse-csi-driver/master/deploy/example/keyvault/pv-blobfuse-csi-keyvault.yaml
+wget https://raw.githubusercontent.com/csi-driver/blobfuse-csi-driver/master/deploy/example/pv-blobfuse-csi-keyvault.yaml
 vi pv-blobfuse-csi-keyvault.yaml
 kubectl apply -f pv-blobfuse-csi-keyvault.yaml
 ```
 
 ## Create PVC 
 
 ```console
-kubectl apply -f https://raw.githubusercontent.com/csi-driver/blobfuse-csi-driver/master/deploy/example/keyvault/pvc-blobfuse-csi-static-keyvault.yaml
+kubectl apply -f https://raw.githubusercontent.com/csi-driver/blobfuse-csi-driver/master/deploy/example/pvc-blobfuse-csi-static.yaml
 ```
-
-
