Merge pull request #60607 from lpettyjo/OSDOCS-5785

OSDOCS-5785#Secret Store CSI operator (TP)

Author: lpettyjo

_topic_maps/_topic_map.yml

@@ -1604,6 +1604,8 @@ Topics:
     File: persistent-storage-csi-cinder
   - Name: OpenStack Manila CSI Driver Operator
     File: persistent-storage-csi-manila
+  - Name: Secrets Store CSI Driver Operator
+    File: persistent-storage-csi-secrets-store
   - Name: VMware vSphere CSI Driver Operator
     File: persistent-storage-csi-vsphere
 - Name: Generic ephemeral volumes

modules/persistent-storage-csi-secrets-store-driver-install.adoc

@@ -0,0 +1,52 @@
+// Module included in the following assemblies:
+//
+// * storage/container_storage_interface/persistent-storage-csi-secrets-store.adoc
+//
+
+:_content-type: PROCEDURE
+[id="persistent-storage-csi-secrets-store-driver-install_{context}"]
+= Installing the Secrets Store CSI Driver
+
+.Prerequisites
+* Access to the {product-title} web console.
+
+* Administrator access to the cluster.
+
+.Procedure
+
+To install the Secrets Store CSI Driver:
+
+. Install the Secrets Store Container Storage Interface (CSI) driver operator:
+.. Log in to the web console.
+.. Click *Operators* → *OperatorHub*.
+.. Locate the Secrets Store CSI Operator by typing "Secrets Store CSI" in the filter box.
+.. Click the *Secrets Store CSI Driver Operator* button.
+.. On the *Secrets Store CSI Driver Operator* page, click *Install*.
+.. On the *Install Operator* page, ensure that:
++
+* *All namespaces on the cluster (default)* is selected.
+
+* *Installed Namespace* is set to *openshift-cluster-csi-drivers*.
+.. Click *Install*.
++
+After the installation finishes, the Secrets Store CSI Operator is listed in the *Installed Operators* section of the web console.
+
+. Create the `ClusterCSIDriver` instance for the driver (`secrets-store.csi.k8s.io`):
+.. Click *Administration* -> *CustomResourceDefinitions* -> *ClusterCSIDriver*.
+.. On the *Instances* tab, click *Create ClusterCSIDriver*.
++
+Use the following YAML file:
++
+[source,yaml]
+----
+apiVersion: operator.openshift.io/v1
+kind: ClusterCSIDriver
+metadata:
+    name: secrets-store.csi.k8s.io
+spec:
+  managementState: Managed
+----
+.. Click *Create*.
+
+. Install a third-party provider plugin for your chosen secret store.
+// TODO: Add link authentication content//

modules/persistent-storage-csi-secrets-store-driver-overview.adoc

@@ -0,0 +1,14 @@
+// Module included in the following assemblies:
+//
+// * storage/container_storage_interface/persistent-storage-csi-secrets-store.adoc
+//
+
+:_content-type: CONCEPT
+[id="persistent-storage-csi-secrets-store-driver-overview_{context}"]
+= Overview
+
+Kubernetes secrets are stored with Base64 encoding. etcd provides encryption at rest for these secrets, but when secrets are retrieved, they are decrypted and presented to the user. If role-based access control is not configured properly on your cluster, anyone with API or etcd access can retrieve or modify a secret. Additionally, anyone who is authorized to create a pod in a namespace can use that access to read any secret in that namespace. 
+
+For secure storage and management of your secrets, the {product-title} Secrets Store Container Storage Interface (CSI) Driver Operator allows you to mount secrets from an external secret management system, such as Azure Key Vault using a provider plugin. Applications can use the secret, but the secret does not persist on the system after the application pod is destroyed.
+
+The Secrets Store CSI Driver Operator, `secrets-store.csi.k8s.io`, allows {product-title} to mount multiple secrets, keys, and certificates stored in enterprise-grade external secrets stores into pods as a volume. The Secrets Store CSI Driver Operator communicates with the provider using gRPC to fetch the mount contents from the specified external secrets store. After the volume is attached, the data in it is mounted into the container's file system. Secrets store volumes are mounted in-line.

modules/persistent-storage-csi-secrets-store-driver-uninstall.adoc

@@ -0,0 +1,38 @@
+// Module included in the following assemblies:
+//
+// * storage/container_storage_interface/persistent-storage-csi-secrets-store.adoc
+//
+
+:_content-type: PROCEDURE
+[id="persistent-storage-csi-secrets-store-driver-uninstall_{context}"]
+= Uninstalling the Secrets Store CSI Driver Operator
+
+.Prerequisites
+* Access to the {product-title} web console.
+
+* Administrator access to the cluster.
+
+.Procedure
+
+To uninstall the Secrets Store CSI Driver Operator:
+
+. Stop all application pods that use the `secrets-store.csi.k8s.io` provider.
+. Remove any third-party provider plug-in for your chosen secret store.
+. Remove the Container Storage Interface (CSI) driver and associated manifests:
+.. Click *Administration* → *CustomResourceDefinitions* → *ClusterCSIDriver*.
+.. On the *Instances* tab, for *secrets-store.csi.k8s.io*, on the far left side, click the drop-down menu, and then click *Delete ClusterCSIDriver*.
+.. When prompted, click *Delete*.
+. Verify that the CSI driver pods are no longer running.
+. Uninstall the Secrets Store CSI Driver Operator:
++
+[NOTE]
+====
+Before you can uninstall the Operator, you must remove the CSI driver first.
+====
++
+.. Click *Operators* → *Installed Operators*.
+.. On the *Installed Operators* page, scroll or type Secrets Store CSI into the *Search by name* box to find the Operator, and then click it.
+.. On the upper, right of the *Installed Operators* > *Operator details* page, click *Actions* → *Uninstall Operator*.
+.. When prompted on the *Uninstall Operator* window, click the *Uninstall* button to remove the Operator from the namespace. Any applications deployed by the Operator on the cluster need to be cleaned up manually.
++
+After uninstalling, the Secrets Store CSI Driver Operator is no longer listed in the *Installed Operators* section of the web console.

storage/container_storage_interface/ephemeral-storage-csi-inline.adoc

@@ -11,8 +11,10 @@ toc::[]
 Container Storage Interface (CSI) inline ephemeral volumes allow you to define a `Pod` spec that creates inline ephemeral volumes when a pod is deployed and delete them when a pod is destroyed.
 
 This feature is only available with supported Container Storage Interface (CSI) drivers:
+
 * Shared Resource CSI driver
 * Azure File CSI driver
+* Secrets Store CSI driver
 
 include::modules/ephemeral-storage-csi-inline-overview.adoc[leveloffset=+1]
 

storage/container_storage_interface/persistent-storage-csi-secrets-store.adoc

@@ -0,0 +1,27 @@
+[id="persistent-storage-csi-secrets-store"]
+= Secrets Store CSI Driver
+include::_attributes/common-attributes.adoc[]
+:context: persistent-storage-csi-secrets-store
+
+toc::[]
+
+include::modules/persistent-storage-csi-secrets-store-driver-overview.adoc[leveloffset=+1]
+
+For more information about CSI inline volumes, see xref:../../storage/container_storage_interface/ephemeral-storage-csi-inline.adoc#ephemeral-storage-csi-inline[CSI inline ephemeral volumes].
+
+:FeatureName: Secrets Store CSI Driver Operator
+include::snippets/technology-preview.adoc[leveloffset=+1]
+
+//TODO Add module for supported providers dules/secrets-store-providers.adoc
+
+Familiarity with xref:../../storage/understanding-persistent-storage.adoc#understanding-persistent-storage[persistent storage] and xref:../../storage/container_storage_interface/persistent-storage-csi.adoc#persistent-storage-csi[configuring CSI volumes] is recommended when working with a CSI driver.
+
+include::modules/persistent-storage-csi-about.adoc[leveloffset=+1]
+
+include::modules/persistent-storage-csi-secrets-store-driver-install.adoc[leveloffset=+1]
+
+include::modules/persistent-storage-csi-secrets-store-driver-uninstall.adoc[leveloffset=+1]
+
+[role="_additional-resources"]
+== Additional resources
+* xref:../../storage/container_storage_interface/persistent-storage-csi.adoc#persistent-storage-csi[Configuring CSI volumes]