Merge pull request #46908 from mburke5678/BZ-2093995-bugfix

BZ-2093995: Add content of creating type: kubernetes.io/service-account-token secret

Author: mburke5678

modules/nodes-pods-secrets-about.adoc

@@ -81,99 +81,6 @@ but indicate that the creator of the secret intended to conform to the key/value
 
 For examples of different secret types, see the code samples in _Using Secrets_.
 
-[id="nodes-pods-secrets-about-examples_{context}"]
-== Example secret configurations
-
-The following are sample secret configuration files.
-
-.YAML `Secret` object that creates four files
-
-[source,yaml]
-----
-apiVersion: v1
-kind: Secret
-metadata:
-  name: test-secret
-data:
-  username: dmFsdWUtMQ0K     <1>
-  password: dmFsdWUtMQ0KDQo= <2>
-stringData:
-  hostname: myapp.mydomain.com <3>
-  secret.properties: |-     <4>
-    property1=valueA
-    property2=valueB
-----
-<1> File contains decoded values.
-<2> File contains decoded values.
-<3> File contains the provided string.
-<4> File contains the provided data.
-
-.YAML of a pod populating files in a volume with secret data
-
-[source,yaml]
-----
-apiVersion: v1
-kind: Pod
-metadata:
-  name: secret-example-pod
-spec:
-  containers:
-    - name: secret-test-container
-      image: busybox
-      command: [ "/bin/sh", "-c", "cat /etc/secret-volume/*" ]
-      volumeMounts:
-          # name must match the volume name below
-          - name: secret-volume
-            mountPath: /etc/secret-volume
-            readOnly: true
-  volumes:
-    - name: secret-volume
-      secret:
-        secretName: test-secret
-  restartPolicy: Never
-----
-
-.YAML of a pod populating environment variables with secret data
-
-[source,yaml]
-----
-apiVersion: v1
-kind: Pod
-metadata:
-  name: secret-example-pod
-spec:
-  containers:
-    - name: secret-test-container
-      image: busybox
-      command: [ "/bin/sh", "-c", "export" ]
-      env:
-        - name: TEST_SECRET_USERNAME_ENV_VAR
-          valueFrom:
-            secretKeyRef:
-              name: test-secret
-              key: username
-  restartPolicy: Never
-----
-
-.YAML of a build config populating environment variables with secret data
-
-[source,yaml]
-----
-apiVersion: build.openshift.io/v1
-kind: BuildConfig
-metadata:
-  name: secret-example-bc
-spec:
-  strategy:
-    sourceStrategy:
-      env:
-      - name: TEST_SECRET_USERNAME_ENV_VAR
-        valueFrom:
-          secretKeyRef:
-            name: test-secret
-            key: username
-----
-
 [id="nodes-pods-secrets-about-keys_{context}"]
 == Secret data keys
 

modules/nodes-pods-secrets-creating-basic.adoc

@@ -0,0 +1,50 @@
+// Module included in the following assemblies:
+//
+// * nodes/nodes-pods-secrets.adoc
+
+:_content-type: PROCEDURE
+[id="nodes-pods-secrets-creating-basic_{context}"]
+= Creating a basic authentication secret
+
+As an administrator, you can create a basic authentication secret, which allows you to store the credentials needed for basic authentication. When using this secret type, the `data` parameter of the `Secret` object must contain the following keys encoded in the base64 format:
+
+* `username`: the user name for authentication
+* `password`: the password or token for authentication
+
+[NOTE]
+====
+You can use the `stringData` parameter to use clear text content.
+====
+
+.Procedure
+
+. Create a `Secret` object in a YAML file on a control plane node:
++
+.Example `secret` object
+[source,yaml]
+----
+apiVersion: v1
+kind: Secret
+metadata:
+  name: secret-basic-auth
+type: kubernetes.io/basic-auth <1>
+data:
+stringData: <2>
+  username: admin
+  password: t0p-Secret
+----
+<1> Specifies a basic authentication secret.
+<2> Specifies the basic authentication values to use.
+
+. Use the following command to create the `Secret` object:
++
+[source,terminal]
+----
+$ oc create -f <filename>.yaml
+----
+
+. To use the secret in a pod:
+
+.. Update the pod's service account to reference the secret, as shown in the "Understanding how to create secrets" section.
+
+.. Create the pod, which consumes the secret as an environment variable or as a file (using a `secret` volume), as shown in the "Understanding how to create secrets" section.

modules/nodes-pods-secrets-creating-docker.adoc

@@ -0,0 +1,65 @@
+// Module included in the following assemblies:
+//
+// * nodes/nodes-pods-secrets.adoc
+
+:_content-type: PROCEDURE
+[id="nodes-pods-secrets-creating-docker_{context}"]
+= Creating a Docker configuration secret
+
+As an administrator, you can create a Docker configuration secret, which allows you to store the credentials for accessing a container image registry.
+
+* `kubernetes.io/dockercfg`. Use this secret type to store your local Docker configuration file. The `data` parameter of the `secret` object must contain the contents of a `.dockercfg` file encoded in the base64 format.
+
+* `kubernetes.io/dockerconfigjson`. Use this secret type to store your local Docker configuration JSON file. The `data` parameter of the `secret` object must contain the contents of a `.docker/config.json` file encoded in the base64 format.
+
+.Procedure
+
+. Create a `Secret` object in a YAML file on a control plane node.
++
+--
+.Example Docker configuration `secret` object
+[source,yaml]
+----
+apiVersion: v1
+kind: Secret
+metadata:
+  name: secret-docker-cfg
+  namespace: my-project
+type: kubernetes.io/dockerconfig <1>
+data:
+  .dockerconfig:bm5ubm5ubm5ubm5ubm5ubm5ubm5ubmdnZ2dnZ2dnZ2dnZ2dnZ2dnZ2cgYXV0aCBrZXlzCg== <2>
+----
+<1> Specifies that the secret is using a Docker configuration file.
+<2> The output of a base64-encoded Docker configuration file
+--
++
+--
+.Example Docker configuration JSON `secret` object
+[source,yaml]
+----
+apiVersion: v1
+kind: Secret
+metadata:
+  name: secret-docker-json
+  namespace: my-project
+type: kubernetes.io/dockerconfig <1>
+data:
+  .dockerconfigjson:bm5ubm5ubm5ubm5ubm5ubm5ubm5ubmdnZ2dnZ2dnZ2dnZ2dnZ2dnZ2cgYXV0aCBrZXlzCg== <2>
+----
+<1> Specifies that the secret is using a Docker configuration JSONfile.
+<2> The output of a base64-encoded Docker configuration JSON file
+--
+
+. Use the following command to create the `Secret` object
++
+[source,terminal]
+----
+$ oc create -f <filename>.yaml
+----
+
+. To use the secret in a pod:
+
+.. Update the pod's service account to reference the secret, as shown in the "Understanding how to create secrets" section.
+
+.. Create the pod, which consumes the secret as an environment variable or as a file (using a `secret` volume), as shown in the "Understanding how to create secrets" section.
+

modules/nodes-pods-secrets-creating-opaque.adoc

@@ -6,11 +6,11 @@
 [id="nodes-pods-secrets-creating-opaque_{context}"]
 = Creating an opaque secret
 
-As an administrator, you can create an opaque secret, which allows for unstructured `key:value` pairs that can contain arbitrary values.
+As an administrator, you can create an opaque secret, which allows you to store unstructured `key:value` pairs that can contain arbitrary values.
 
 .Procedure
 
-. Create a `Secret` object in a YAML file on master.
+. Create a `Secret` object in a YAML file on a control plane node.
 +
 For example:
 +
@@ -31,12 +31,11 @@ data:
 +
 [source,terminal]
 ----
-$ oc create -f <filename>
+$ oc create -f <filename>.yaml
 ----
 
 . To use the secret in a pod:
 
-.. Update the service account for the pod where you want to use the secret to allow the reference to the secret.
+.. Update the pod's service account to reference the secret, as shown in the "Understanding how to create secrets" section.
 
-.. Create the pod, which consumes the secret as an environment variable or as a file
-(using a `secret` volume).
+.. Create the pod, which consumes the secret as an environment variable or as a file (using a `secret` volume), as shown in the "Understanding how to create secrets" section.

modules/nodes-pods-secrets-creating-sa.adoc

@@ -0,0 +1,49 @@
+// Module included in the following assemblies:
+//
+// * nodes/nodes-pods-secrets.adoc
+
+:_content-type: PROCEDURE
+[id="nodes-pods-secrets-creating-sa_{context}"]
+= Creating a service account token secret
+
+As an administrator, you can create a service account token secret, which allows you to distribute a service account token to applications that must authenticate to the API.
+
+[NOTE]
+====
+It is recommended to obtain bound service account tokens using the TokenRequest API instead of using service account token secrets. The tokens obtained from the TokenRequest API are more secure than the tokens stored in secrets, because they have a bounded lifetime and are not readable by other API clients.
+
+You should create a service account token secret only if you cannot use the TokenRequest API and if the security exposure of a non-expiring token in a readable API object is acceptable to you.
+
+See the Additional references section that follows for information on creating bound service account tokens.
+====
+
+.Procedure
+
+. Create a `Secret` object in a YAML file on a control plane node:
++
+.Example `secret` object:
+[source,yaml]
+----
+apiVersion: v1
+kind: Secret
+metadata:
+  name: secret-sa-sample
+  annotations:
+    kubernetes.io/service-account.name: "sa-name" <1>
+type: kubernetes.io/service-account-token <2>
+----
+<1> Specifies an existing service account name. If you are creating both the `ServiceAccount` and the `Secret` objects, create the `ServiceAccount` object first.
+<2> Specifies a service account token secret.
+
+. Use the following command to create the `Secret` object:
++
+[source,terminal]
+----
+$ oc create -f <filename>.yaml
+----
+
+. To use the secret in a pod:
+
+.. Update the pod's service account to reference the secret, as shown in the "Understanding how to create secrets" section.
+
+.. Create the pod, which consumes the secret as an environment variable or as a file (using a `secret` volume), as shown in the "Understanding how to create secrets" section.

modules/nodes-pods-secrets-creating-ssh.adoc

@@ -0,0 +1,41 @@
+// Module included in the following assemblies:
+//
+// * nodes/nodes-pods-secrets.adoc
+
+:_content-type: PROCEDURE
+[id="nodes-pods-secrets-creating-ssh_{context}"]
+= Creating an SSH authentication secret
+
+As an administrator, you can create an SSH authentication secret, which allows you to store data used for SSH authentication. When using this secret type, the `data` parameter of the `Secret` object must contain the SSH credential to use.
+
+.Procedure
+
+. Create a `Secret` object in a YAML file on a control plane node:
++
+.Example `secret` object:
+[source,yaml]
+----
+apiVersion: v1
+kind: Secret
+metadata:
+  name: secret-ssh-auth
+type: kubernetes.io/ssh-auth <1>
+data:
+  ssh-privatekey: | <2>
+          MIIEpQIBAAKCAQEAulqb/Y ...
+----
+<1> Specifies an SSH authentication secret.
+<2> Specifies the SSH key/value pair as the SSH credentials to use.
+
+. Use the following command to create the `Secret` object:
++
+[source,terminal]
+----
+$ oc create -f <filename>.yaml
+----
+
+. To use the secret in a pod:
+
+.. Update the pod's service account to reference the secret, as shown in the "Understanding how to create secrets" section.
+
+.. Create the pod, which consumes the secret as an environment variable or as a file (using a `secret` volume), as shown in the "Understanding how to create secrets" section.

modules/nodes-pods-secrets-creating-tls.adoc

@@ -0,0 +1,51 @@
+// Module included in the following assemblies:
+//
+// * nodes/nodes-pods-secrets.adoc
+
+:_content-type: PROCEDURE
+[id="nodes-pods-secrets-creating-tls_{context}"]
+= Creating a TLS secret
+
+As an administrator, you can create a Transport Layer Security (TLS) secret, which allows you to store a certificate and its associated key that are typically used for TLS.  When using this type of secret, the `data` parameter of the `Secret` object must contain  the `tls.key` and the `tls.crt` keys to use. The API server does not validate the values for each key.
+
+One common use for TLS secrets is to configure encryption in transit for ingress. You can also use a TLS secret with other resources or directly in your workload.
+
+[NOTE]
+====
+You can use the `stringData` parameter to use clear text content.
+====
+
+.Procedure
+
+. Create a `Secret` object in a YAML file on a control plane node:
++
+.Example `secret` object:
+[source,yaml]
+----
+apiVersion: v1
+kind: Secret
+metadata:
+  name: secret-tls
+type: kubernetes.io/tls <1>
+data:
+  tls.crt: | <2>
+        MIIC2DCCAcCgAwIBAgIBATANBgkqh ...
+  tls.key: |
+        MIIEpgIBAAKCAQEA7yn3bRHQ5FHMQ ...
+
+----
+<1> Specifies a TLS secret.
+<2> Specifies the `tls.key` and the `tls.crt` keys to use.
+
+. Use the following command to create the `Secret` object:
++
+[source,terminal]
+----
+$ oc create -f <filename>.yaml
+----
+
+. To use the secret in a pod:
+
+.. Update the pod's service account to reference the secret, as shown in the "Understanding how to create secrets" section.
+
+.. Create the pod, which consumes the secret as an environment variable or as a file (using a `secret` volume), as shown in the "Understanding how to create secrets" section.