Merge pull request #62385 from bergerhoffer/OSDOCS-5806-secret-store

OSDOCS 5806: Adding docs for using the secrets store CSI driver

Author: bergerhoffer

_attributes/common-attributes.adoc

@@ -194,3 +194,5 @@ endif::[]
 // Web terminal
 :web-terminal-op: Web Terminal Operator
 :devworkspace-op: DevWorkspace Operator
+:secrets-store-driver: Secrets Store CSI driver
+:secrets-store-operator: Secrets Store CSI Driver Operator

_topic_maps/_topic_map.yml

@@ -2239,8 +2239,10 @@ Topics:
     File: nodes-pods-autoscaling
   - Name: Automatically adjust pod resource levels with the vertical pod autoscaler
     File: nodes-pods-vertical-autoscaler
-  - Name: Providing sensitive data to pods
+  - Name: Providing sensitive data to pods by using secrets
     File: nodes-pods-secrets
+  - Name: Providing sensitive data to pods by using an external secrets store
+    File: nodes-pods-secrets-store
   - Name: Creating and using config maps
     File: nodes-pods-configmaps
   - Name: Using Device Manager to make devices available to nodes

modules/gathering-data-specific-features.adoc

@@ -74,6 +74,10 @@ endif::openshift-dedicated[]
 
 |`registry.redhat.io/openshift-gitops-1/must-gather-rhel8:v<installed_version_GitOps>`
 |Data collection for {gitops-title}.
+
+|`registry.redhat.io/openshift4/ose-csi-driver-shared-resource-mustgather-rhel8:v<installed_version_secret_store>`
+|Data collection for the {secrets-store-operator}.
+
 |===
 
 [NOTE]
@@ -113,6 +117,9 @@ ifndef::openshift-dedicated[]
 |Data collection for Local Storage Operator.
 endif::openshift-dedicated[]
 
+|`quay.io/openshift/origin-secrets-store-csi-mustgather`
+|Data collection for the {secrets-store-operator}.
+
 |===
 
 endif::openshift-origin[]

modules/persistent-storage-csi-secrets-store-driver-install.adoc

@@ -5,7 +5,7 @@
 
 :_content-type: PROCEDURE
 [id="persistent-storage-csi-secrets-store-driver-install_{context}"]
-= Installing the Secrets Store CSI Driver
+= Installing the {secrets-store-driver}
 
 .Prerequisites
 * Access to the {product-title} web console.
@@ -14,12 +14,12 @@
 
 .Procedure
 
-To install the Secrets Store CSI Driver:
+To install the {secrets-store-driver}:
 
-. Install the Secrets Store Container Storage Interface (CSI) driver operator:
+. Install the {secrets-store-operator}:
 .. Log in to the web console.
 .. Click *Operators* → *OperatorHub*.
-.. Locate the Secrets Store CSI Operator by typing "Secrets Store CSI" in the filter box.
+.. Locate the {secrets-store-operator} by typing "Secrets Store CSI" in the filter box.
 .. Click the *Secrets Store CSI Driver Operator* button.
 .. On the *Secrets Store CSI Driver Operator* page, click *Install*.
 .. On the *Install Operator* page, ensure that:
@@ -29,7 +29,7 @@ To install the Secrets Store CSI Driver:
 * *Installed Namespace* is set to *openshift-cluster-csi-drivers*.
 .. Click *Install*.
 +
-After the installation finishes, the Secrets Store CSI Operator is listed in the *Installed Operators* section of the web console.
+After the installation finishes, the {secrets-store-operator} is listed in the *Installed Operators* section of the web console.
 
 . Create the `ClusterCSIDriver` instance for the driver (`secrets-store.csi.k8s.io`):
 .. Click *Administration* -> *CustomResourceDefinitions* -> *ClusterCSIDriver*.
@@ -47,6 +47,3 @@ spec:
   managementState: Managed
 ----
 .. Click *Create*.
-
-. Install a third-party provider plugin for your chosen secret store.
-// TODO: Add link authentication content//

modules/persistent-storage-csi-secrets-store-driver-overview.adoc

@@ -1,14 +1,33 @@
 // Module included in the following assemblies:
 //
 // * storage/container_storage_interface/persistent-storage-csi-secrets-store.adoc
-//
+// * nodes/pods/nodes-pods-secrets-store.adoc
+
+ifeval::["{context}" == "persistent-storage-csi-secrets-store"]
+:storage:
+endif::[]
+ifeval::["{context}" == "nodes-pods-secrets-store"]
+:nodes:
+endif::[]
 
 :_content-type: CONCEPT
 [id="persistent-storage-csi-secrets-store-driver-overview_{context}"]
+ifdef::storage[]
 = Overview
+endif::storage[]
+ifdef::nodes[]
+= About the {secrets-store-operator}
+endif::nodes[]
+
+Kubernetes secrets are stored with Base64 encoding. etcd provides encryption at rest for these secrets, but when secrets are retrieved, they are decrypted and presented to the user. If role-based access control is not configured properly on your cluster, anyone with API or etcd access can retrieve or modify a secret. Additionally, anyone who is authorized to create a pod in a namespace can use that access to read any secret in that namespace.
 
-Kubernetes secrets are stored with Base64 encoding. etcd provides encryption at rest for these secrets, but when secrets are retrieved, they are decrypted and presented to the user. If role-based access control is not configured properly on your cluster, anyone with API or etcd access can retrieve or modify a secret. Additionally, anyone who is authorized to create a pod in a namespace can use that access to read any secret in that namespace. 
+To store and manage your secrets securely, you can configure the {product-title} Secrets Store Container Storage Interface (CSI) Driver Operator to mount secrets from an external secret management system, such as Azure Key Vault, by using a provider plugin. Applications can then use the secret, but the secret does not persist on the system after the application pod is destroyed.
 
-For secure storage and management of your secrets, the {product-title} Secrets Store Container Storage Interface (CSI) Driver Operator allows you to mount secrets from an external secret management system, such as Azure Key Vault using a provider plugin. Applications can use the secret, but the secret does not persist on the system after the application pod is destroyed.
+The {secrets-store-operator}, `secrets-store.csi.k8s.io`, enables {product-title} to mount multiple secrets, keys, and certificates stored in enterprise-grade external secrets stores into pods as a volume. The {secrets-store-operator} communicates with the provider using gRPC to fetch the mount contents from the specified external secrets store. After the volume is attached, the data in it is mounted into the container's file system. Secrets store volumes are mounted in-line.
 
-The Secrets Store CSI Driver Operator, `secrets-store.csi.k8s.io`, allows {product-title} to mount multiple secrets, keys, and certificates stored in enterprise-grade external secrets stores into pods as a volume. The Secrets Store CSI Driver Operator communicates with the provider using gRPC to fetch the mount contents from the specified external secrets store. After the volume is attached, the data in it is mounted into the container's file system. Secrets store volumes are mounted in-line.
+ifeval::["{context}" == "persistent-storage-csi-secrets-store"]
+:!storage:
+endif::[]
+ifeval::["{context}" == "nodes-pods-secrets-store"]
+:!nodes:
+endif::[]

modules/persistent-storage-csi-secrets-store-driver-uninstall.adoc

@@ -5,7 +5,7 @@
 
 :_content-type: PROCEDURE
 [id="persistent-storage-csi-secrets-store-driver-uninstall_{context}"]
-= Uninstalling the Secrets Store CSI Driver Operator
+= Uninstalling the {secrets-store-operator}
 
 .Prerequisites
 * Access to the {product-title} web console.
@@ -14,7 +14,7 @@
 
 .Procedure
 
-To uninstall the Secrets Store CSI Driver Operator:
+To uninstall the {secrets-store-operator}:
 
 . Stop all application pods that use the `secrets-store.csi.k8s.io` provider.
 . Remove any third-party provider plug-in for your chosen secret store.
@@ -23,16 +23,16 @@ To uninstall the Secrets Store CSI Driver Operator:
 .. On the *Instances* tab, for *secrets-store.csi.k8s.io*, on the far left side, click the drop-down menu, and then click *Delete ClusterCSIDriver*.
 .. When prompted, click *Delete*.
 . Verify that the CSI driver pods are no longer running.
-. Uninstall the Secrets Store CSI Driver Operator:
+. Uninstall the {secrets-store-operator}:
 +
 [NOTE]
 ====
 Before you can uninstall the Operator, you must remove the CSI driver first.
 ====
 +
 .. Click *Operators* → *Installed Operators*.
-.. On the *Installed Operators* page, scroll or type Secrets Store CSI into the *Search by name* box to find the Operator, and then click it.
+.. On the *Installed Operators* page, scroll or type "Secrets Store CSI" into the *Search by name* box to find the Operator, and then click it.
 .. On the upper, right of the *Installed Operators* > *Operator details* page, click *Actions* → *Uninstall Operator*.
 .. When prompted on the *Uninstall Operator* window, click the *Uninstall* button to remove the Operator from the namespace. Any applications deployed by the Operator on the cluster need to be cleaned up manually.
 +
-After uninstalling, the Secrets Store CSI Driver Operator is no longer listed in the *Installed Operators* section of the web console.
+After uninstalling, the {secrets-store-operator} is no longer listed in the *Installed Operators* section of the web console.

modules/secrets-store-auto-rotation.adoc

@@ -0,0 +1,13 @@
+// Module included in the following assemblies:
+//
+// * nodes/pods/nodes-pods-secrets-store.adoc
+
+:_content-type: CONCEPT
+[id="secrets-store-auto-rotation_{context}"]
+= Automatic rotation
+
+The {secrets-store-driver} periodically rotates the content in the mounted volume with the content from the external secrets store. If a secret is updated in the external secrets store, the secret will be updated in the mounted volume. The {secrets-store-operator} polls for updates every 2 minutes.
+
+If you enabled synchronization of mounted content as Kubernetes secrets, the Kubernetes secrets are also rotated.
+
+Applications consuming the secret data must watch for updates to the secrets.