CLOUDP-200138: Add secret management sample snippets (#1147)

Author: josvazg

docs/secret-management/external-secrets/Readme.md

@@ -0,0 +1,16 @@
+# Automated secret provisioning with External Secrets
+
+The Atlas Kubernetes Operator consumes credentials from Kubernetes Secrets, continuously waiting for changes in them.
+
+With this, the Operator is ready to support both manually or automatically deployed secrets. Among the automated secrets, one popular solution is to provision the secrets directly off the company's or team's Vault service of choice. One Open Source tool allowing for this automation is [External Secrets](https://external-secrets.io/latest/).
+
+In this directory we have a couple of examples on how you would integrate the Operator Atlas credentials and DB User Password with a Hashicorp Vault.
+
+For more details, please check out the documentation at [External Secrets](https://external-secrets.io/latest/) directly.
+
+Here are some pointers to popular External Secrets providers:
+
+- [Hashicorp Vault](https://external-secrets.io/latest/provider/hashicorp-vault/).
+- [AWS Secrets Manager](https://external-secrets.io/latest/provider/aws-secrets-manager/) or [Parameters Store](https://external-secrets.io/latest/provider/aws-parameter-store/).
+- [Azure Key Vault](https://external-secrets.io/latest/provider/azure-key-vault/).
+- [Google Cloud Secret Manager](https://external-secrets.io/latest/provider/google-secrets-manager/).

docs/secret-management/external-secrets/atlas.yaml

@@ -0,0 +1,31 @@
+# atlas External Secret CRD specifies a reference to the Atlas account 
+# credentials to be fetched from the Vault for the atlas system namespace
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: atlas
+  namespace: mongodb-atlas-system
+spec:
+  refreshInterval: "15s"
+  secretStoreRef:
+    name: vault-store # defined at vault-system.yaml
+    kind: SecretStore
+  target:
+    name: mongodb-atlas-operator-api-key
+    template:
+      metadata:
+        labels:
+          atlas.mongodb.com/type: credentials
+  data:
+  - secretKey: orgId
+    remoteRef:
+      key: secret/data/kube01/external-secrets/atlas-account
+      property: orgId
+  - secretKey: publicApiKey
+    remoteRef:
+      key: secret/data/kube01/external-secrets/atlas-account
+      property: publicApiKey
+  - secretKey: privateApiKey
+    remoteRef:
+      key: secret/data/kube01/external-secrets/atlas-account
+      property: privateApiKey

docs/secret-management/external-secrets/dbuser.yaml

@@ -0,0 +1,23 @@
+# dbuser External Secret CRD specifies a reference to the db user password
+# to be fetched from the Vault for the default namespace
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: dbuser
+  namespace: default
+spec:
+  refreshInterval: "15s"
+  secretStoreRef:
+    name: vault-store # defined at vault-default.yaml
+    kind: SecretStore
+  target:
+    name: dbuser-password
+    template:
+      metadata:
+        labels:
+          atlas.mongodb.com/type: credentials
+  data:
+  - secretKey: password
+    remoteRef:
+      key: secret/data/kube01/external-secrets/db-user
+      property: password

docs/secret-management/external-secrets/vault-default.yaml

@@ -0,0 +1,31 @@
+# vault-store Secrets Store CRD specifies a Vault access to be used
+# to fetch secrets for the atlas default namespace
+#
+# Example parameters:
+# - This is the config for cluster "kube01" out of possibly many others.
+# - Hashicorp Vault:                          https://vault.internal.io
+# - Vault OIDC Auth mount point for kube01:   jwt-kube01
+# - Service Account mapped to the Vault Role: {name: default, ns: default}
+# - Vault Role mapped to the Service Account: jwt-kube01-default
+# - OIDC audience "aud" at the JWT token:     vault
+apiVersion: external-secrets.io/v1beta1
+kind: SecretStore
+metadata:
+  name: vault-store
+  namespace: default
+spec:
+  provider:
+    vault:
+      server: "https://vault.internal.io"
+      path: "secret"
+      version: "v2"
+      auth:
+        jwt:
+          path: "jwt-kube01"
+          role: "jwt-kube01-default"
+          kubernetesServiceAccountToken:
+            expirationSeconds: 600
+            serviceAccountRef:
+              name: "default"
+              audiences:
+              - vault

docs/secret-management/external-secrets/vault-system.yaml

@@ -0,0 +1,31 @@
+# vault-store Secrets Store CRD specifies a Vault access to be used
+# to fetch secrets for the atlas system namespace
+#
+# Example parameters:
+# - This is the config for cluster "kube01" out of possibly many others.
+# - Hashicorp Vault:                          https://vault.internal.io
+# - Vault OIDC Auth mount point for kube01:   jwt-kube01
+# - Service Account mapped to the Vault Role: {name: default, ns: mongodb-atlas-system}
+# - Vault Role mapped to the Service Account: jwt-kube01-system
+# - OIDC audience "aud" at the JWT token:     vault
+apiVersion: external-secrets.io/v1beta1
+kind: SecretStore
+metadata:
+  name: vault-store
+  namespace: mongodb-atlas-system
+spec:
+  provider:
+    vault:
+      server: "https://vault.internal.io"
+      path: "secret"
+      version: "v2"
+      auth:
+        jwt:
+          path: "jwt-kube01"
+          role: "jwt-kube01-system"
+          kubernetesServiceAccountToken:
+            expirationSeconds: 600
+            serviceAccountRef:
+              name: "default"
+              audiences:
+              - vault

docs/secret-management/secrets-store-csi/Readme.md

@@ -0,0 +1,16 @@
+# Automated secret provisioning with Secrets Store CSI Driver
+
+The Atlas Kubernetes Operator consumes credentials from Kubernetes Secrets, continuously waiting for changes in them.
+
+With this, the Operator is ready to support both manually or automatically deployed secrets. Among the automated secrets, one popular solution is to provision the secrets directly off the company's or team's Vault service of choice. One Open Source tool allowing for this automation is [Secrets Store CSI Driver](https://secrets-store-csi-driver.sigs.k8s.io/). Note, however, [the main usage of the CSI driver is to mount secrets as local files in pods, but it also supports the option to expose Kubernetes Secrets our of those mounts so long as some pod is mounting them](https://secrets-store-csi-driver.sigs.k8s.io/topics/sync-as-kubernetes-secret).
+
+In this directory we have a couple of examples on how you would integrate the Operator Atlas credentials and DB User Password with a Hashicorp Vault.
+
+For more details, please check out the documentation at [Secrets Store CSI Driver](https://secrets-store-csi-driver.sigs.k8s.io/) directly.
+
+Here are the pointers to the Secrets Store provider plugins:
+
+- [Hashicorp Vault](https://github.com/hashicorp/vault-csi-provider).
+- [AWS plugin provider](https://github.com/aws/secrets-store-csi-driver-provider-aws) Secrets Manager or Parameters Store.
+- [Azure Key Vault](https://azure.github.io/secrets-store-csi-driver-provider-azure/docs/).
+- [Google Cloud Secret Manager](https://github.com/GoogleCloudPlatform/secrets-store-csi-driver-provider-gcp).

docs/secret-management/secrets-store-csi/ako-patch.yaml

@@ -0,0 +1,20 @@
+# ako-patch adds a container to the AKO pod to fetch the Atlas credentials
+# using the Secret Store CSI driver's "atlas" Secret Provider Class
+spec:
+  template:
+    spec:
+      containers:
+      - name: system-secret-placeholder
+        image: mongodb/atlas
+        command: ["sleep", "infinity"]
+        volumeMounts:
+        - name: secrets-store-mount
+          mountPath: "/mnt/secrets-store"
+          readOnly: true
+      volumes:
+        - name: secrets-store-mount
+          csi:
+            driver: secrets-store.csi.k8s.io
+            readOnly: true
+            volumeAttributes:
+              secretProviderClass: atlas # defined at atlas.yaml

docs/secret-management/secrets-store-csi/atlas.yaml

@@ -0,0 +1,42 @@
+# atlas Secret Provider Class CRD specifies a CSI Vault access 
+# and the Atlas account credentials to be fetched for the atlas system namespace
+#
+# Example parameters:
+# - This is the config for cluster "kube01" out of possibly many others.
+# - Hashicorp Vault:                              https://vault.internal.io
+# - Vault Kubernetes Auth mount point for kube01: k8s-kube01
+# - Service Account mapped to the Vault Role:     {name: default, ns: mongodb-atlas-system}
+# - Vault Role mapped to the Service Account:     k8s-kube01-default
+apiVersion: secrets-store.csi.x-k8s.io/v1
+kind: SecretProviderClass
+metadata:
+  name: atlas
+  namespace: mongodb-atlas-system
+spec:
+  provider: vault
+  secretObjects:
+  - data:
+    - key: orgId
+      objectName: atlas-org
+    - key: publicApiKey
+      objectName: atlas-pub-key
+    - key: privateApiKey
+      objectName: atlas-secret-key
+    secretName: mongodb-atlas-operator-api-key
+    type: Opaque
+    labels:
+      atlas.mongodb.com/type: credentials
+  parameters:
+    vaultAddress: https://vault.internal.io
+    vaultKubernetesMountPath: k8s-kube01
+    roleName: k8s-kube01-role
+    objects: |
+      - objectName: atlas-org
+        secretPath: secret/data/kube01/secrets-store/atlas-account
+        secretKey: orgId
+      - objectName: atlas-pub-key
+        secretPath: secret/data/kube01/secrets-store/atlas-account
+        secretKey: publicApiKey
+      - objectName: atlas-secret-key
+        secretPath: secret/data/kube01/secrets-store/atlas-account
+        secretKey: privateApiKey

docs/secret-management/secrets-store-csi/dbuser.yaml

@@ -0,0 +1,32 @@
+# vault Secret Provider Class CRD specifies a CSI Vault access 
+# and secrets to be fetched to the default namespace
+#
+# Example parameters:
+# - This is the config for cluster "kube01" out of possibly many others.
+# - Hashicorp Vault:                              https://vault.internal.io
+# - Vault Kubernetes Auth mount point for kube01: k8s-kube01
+# - Service Account mapped to the Vault Role:     {name: default, ns: default}
+# - Vault Role mapped to the Service Account:     k8s-kube01-default
+apiVersion: secrets-store.csi.x-k8s.io/v1
+kind: SecretProviderClass
+metadata:
+  name: dbuser
+  namespace: default
+spec:
+  provider: vault
+  secretObjects:
+  - data:
+    - key: password
+      objectName: dbuser
+    secretName: dbuser-password
+    type: Opaque
+    labels:
+      atlas.mongodb.com/type: credentials
+  parameters:
+    vaultAddress: https://vault.internal.io
+    vaultKubernetesMountPath: k8s-kube01
+    roleName: k8s-kube01-role
+    objects: |
+      - objectName: "dbuser"
+        secretPath: "secret/data/kube01/secrets-store/db-user"
+        secretKey: "password"

docs/secret-management/secrets-store-csi/placeholder.yaml

@@ -0,0 +1,23 @@
+# secret-placeholder is a sentinel pod used just to ensure the CSI driver will
+# fetch the dbuser credentials and sync them as a Kubernetes Cluster for the
+# Atlas Database User CRD to use it and produce a connection string from it
+kind: Pod
+apiVersion: v1
+metadata:
+  name: secret-placeholder
+spec:
+  containers:
+  - image: mongodb/atlas
+    command: ["sleep", "infinity"]
+    name: secret-placeholder
+    volumeMounts:
+    - name: secrets-store-mount
+      mountPath: "/mnt/secrets-store"
+      readOnly: true
+  volumes:
+    - name: secrets-store-mount
+      csi:
+        driver: secrets-store.csi.k8s.io
+        readOnly: true
+        volumeAttributes:
+          secretProviderClass: dbuser # defined at dbuser.yaml