DOC-767 Add secret management to RPCN in Cloud (#138)

asimms41 · web-flow · commit 0cd3c64d778e · 2024-12-03T10:36:29.000Z
* add secret management

* update style of placeholders

* address review comments

* update with review comments

* typo

* package update for Bloblang playground
diff --git a/modules/ROOT/nav.adoc b/modules/ROOT/nav.adoc
@@ -68,6 +68,7 @@
 *** xref:develop:connect/configuration/error_handling.adoc[]
 *** xref:develop:connect/configuration/interpolation.adoc[]
 *** xref:develop:connect/configuration/field_paths.adoc[]
+*** xref:develop:connect/configuration/secret-management.adoc[Manage Secrets]
 *** xref:develop:connect/configuration/processing_pipelines.adoc[]
 *** xref:develop:connect/configuration/monitor-connect.adoc[Monitor Data Pipelines]
 *** xref:develop:connect/configuration/scale-pipelines.adoc[Scale Data Pipelines]
diff --git a/modules/develop/pages/connect/configuration/secret-management.adoc b/modules/develop/pages/connect/configuration/secret-management.adoc
@@ -0,0 +1,219 @@
+= Manage Secrets
+:description: Learn how to manage secrets in Redpanda Connect using the Cloud UI or Data Plane API, and how to add them to your data pipelines.
+
+Learn how to manage secrets in Redpanda Connect, and how to add them to your data pipelines without exposing them.
+
+Secrets are stored in the secret management solution of your Cloud provider and are retrieved when you run a pipeline configuration that references them.
+
+== Prerequisites
+
+* A running BYOC, Dedicated or Serverless cluster
+* On BYOC clusters only, check that secrets management is enabled:
+
+.. Log in to https://cloud.redpanda.com[Redpanda Cloud^].
+.. Go to the **Connect** page.
+.. Select the **Redpanda Connect** tab and make sure you can see a **Secrets** tab.
+
++
+If you cannot see a **Secrets** tab, contact https://support.redpanda.com/hc/en-us/requests/new[Redpanda Support^]
+
+== Manage secrets
+
+You can manage secrets from the Cloud UI or Data Plane API.
+
+=== Create a secret
+
+You can create a secret and reference it in multiple data pipelines on the same cluster.
+
+[tabs]
+=====
+Cloud UI (BYOC and Dedicated)::
++
+--
+. Log in to https://cloud.redpanda.com[Redpanda Cloud^].
+. Go to the **Connect** page.
+. Select the **Redpanda Connect** tab and then the **Secrets** tab.
+. Click **Create secret**.
+. In **Secret name**, enter a name for the secret. You cannot rename the secret once it is created.
+. In **Secret value**, enter the secret you need to add.
+. Click **Create secret**.
++
+The secret details are listed in the **Secrets** tab ready to <<add-a-secret-to-a-data-pipeline,add to your data pipelines>>.
+
+--
+
+Cloud UI (Serverless)::
++
+--
+. Log in to https://cloud.redpanda.com[Redpanda Cloud^].
+. Go to the **Connect** page.
+. Select the **Secrets** tab and click **Create secret**.
+. In **Secret name**, enter a name for the secret. You cannot rename the secret once it is created.
+. In **Secret value**, enter the secret you need to add.
+. Click **Create secret**.
++
+The secret details are listed in the **Secrets** tab ready to <<add-a-secret-to-a-data-pipeline,add to your data pipelines>>.
+
+--
+
+Data Plane API::
++
+--
+You must use a Base64-encoded secret.
+
+. xref:manage:api/cloud-api-quickstart.adoc#try-the-cloud-api[Authenticate and get the base URL] for the Data Plane API.
+. Make a request to xref:api:ROOT:cloud-api.adoc#post-/v1alpha2/secrets[`POST /v1alpha2/secrets`].
++
+[,bash]
+----
+curl -X POST "https://<dataplane-api-url>/v1alpha2/secrets" \
+ -H 'accept: application/json'\
+ -H 'authorization: Bearer <token>'\
+ -H 'content-type: application/json' \
+ -d '{"id":"<secret-name>","scopes":["SCOPE_REDPANDA_CONNECT"],"secret_data":"<secret-value>"}' 
+----
++
+You must include the following values:
+
+- `<dataplane-api-url>`: The base URL for the Data Plane API.
+- `<token>`: The API key you generated during authentication.
+- `<secret-name>`: The ID or name of the secret you want to add. Use only the following characters: `^[A-Z][A-Z0-9_]*$`.
+- `<secret-value>`: The Base64-encoded secret.
+- This scope: `"SCOPE_REDPANDA_CONNECT"`.
+
++
+The response returns the name of the secret and the scope `"SCOPE_REDPANDA_CONNECT"`.
+
+You can now <<add-a-secret-to-a-data-pipeline,add the secret to your data pipeline>>.
+
+--
+=====
+
+=== Update a secret
+
+You can only update the secret value, not its name.
+
+NOTE: Changes to secret values do not take effect until a pipeline is restarted.
+
+[tabs]
+=====
+Cloud UI (BYOC and Dedicated)::
++
+--
+. Log in to https://cloud.redpanda.com[Redpanda Cloud^].
+. Go to the **Connect** page.
+. Select the **Redpanda Connect** tab and then the **Secrets** tab.
+. Find the secret you want to update and click the edit icon.
+. Enter the new secret value and click **Update Secret**.
+. Start and stop any pipelines that reference the secret.
+
+--
+
+Cloud UI (Serverless)::
++
+--
+. Log in to https://cloud.redpanda.com[Redpanda Cloud^].
+. Go to the **Connect** page.
+. Select the **Secrets** tab.
+. Find the secret you want to update and click the edit icon.
+. Enter the new secret value and click **Update Secret**.
+. Start and stop any pipelines that reference the secret.
+
+--
+
+Data Plane API::
++
+--
+You must use a Base64-encoded secret.
+
+. xref:manage:api/cloud-api-quickstart.adoc#try-the-cloud-api[Authenticate and get the base URL] for the Data Plane API.
+. Make a request to xref:api:ROOT:cloud-api.adoc#put-/v1alpha2/secrets/-id-[`PUT /v1alpha2/secrets/\{id}`].
++
+[,bash]
+----
+curl -X PUT "https://<dataplane-api-url>/v1alpha2/secrets/<secret-name>" \
+ -H 'accept: application/json'\
+ -H 'authorization: Bearer <token>'\
+ -H 'content-type: application/json' \
+ -d '{"scopes":["SCOPE_REDPANDA_CONNECT"],"secret_data":"<secret-value>"}'
+----
++
+You must include the following values:
+
+- `<dataplane-api-url>`: The base URL for the Data Plane API.
+- `<secret-name>`: The name of the secret you want to update.
+- `<token>`: The API key you generated during authentication.
+- This scope: `"SCOPE_REDPANDA_CONNECT"`.
+- `<secret-value>`: Your new Base64-encoded secret.
+
++
+The response returns the name of the secret and the scope `"SCOPE_REDPANDA_CONNECT"`.
+
+--
+=====
+
+=== Delete a secret
+
+Before you delete a secret, make sure that you remove references to it from your data pipelines. 
+
+NOTE: Changes do not affect pipelines that are already running.
+
+
+[tabs]
+=====
+Cloud UI (BYOC and Dedicated)::
++
+--
+. Log in to https://cloud.redpanda.com[Redpanda Cloud^].
+. Go to the **Connect** page.
+. Select the **Redpanda Connect** tab and then the **Secrets** tab.
+. Find the secret you want to remove and click the delete icon.
+. Confirm your deletion.
+
+--
+
+Cloud UI (Serverless)::
++
+--
+. Log in to https://cloud.redpanda.com[Redpanda Cloud^].
+. Go to the **Connect** page.
+. Select the **Secrets** tab.
+. Find the secret you want to remove and click the delete icon.
+. Confirm your deletion.
+
+--
+
+Data Plane API::
++
+--
+
+. xref:manage:api/cloud-api-quickstart.adoc#try-the-cloud-api[Authenticate and get the base URL] for the Data Plane API.
+. Make a request to xref:api:ROOT:cloud-api.adoc#delete-/v1alpha2/secrets/-id-[`DELETE /v1alpha2/secrets/\{id}`].
++
+[,bash]
+----
+curl -X DELETE "https://<dataplane-api-url>/v1alpha2/secrets/<secret-name>" \
+ -H 'accept: application/json'\
+ -H 'authorization: Bearer <token>'\
+----
++
+You must include the following values:
+
+- `<dataplane-api-url>`: The base URL for the Data Plane API.
+- `<secret-name>`: The name of the secret you want to delete.
+- `<token>`: The API key you generated during authentication.
+--
+=====
+
+== Add a secret to a data pipeline
+
+You can add a secret to any pipeline in your cluster using the notation `${secrets.SECRET_NAME}`. In the Cloud UI, you can copy the notation from the **Secrets** tab.
+
+For example:
+
+```yml
+    sasl:
+      - mechanism: SCRAM-SHA-256
+        username: "user"
+        password: "${secrets.PASSWORD}"
+```
diff --git a/modules/develop/pages/connect/connect-quickstart.adoc b/modules/develop/pages/connect/connect-quickstart.adoc
@@ -228,6 +228,7 @@ When you've finished experimenting with your data pipeline, you can delete the p
 
 * Try one of our xref:cookbooks:index.adoc[Redpanda Connect cookbooks]. 
 * Choose xref:develop:connect/components/catalog.adoc[connectors for your use case].
+* Learn how to xref:develop:connect/configuration/secret-management.adoc[add secrets to your pipeline].
 * Learn how to xref:develop:connect/configuration/monitor-connect.adoc[monitor a data pipeline on a BYOC cluster].
 * Learn how to xref:develop:connect/configuration/scale-pipelines.adoc[manually scale resources for a pipeline on a BYOC cluster].
 * Learn how to xref:redpanda-connect:guides:getting_started.adoc[configure, test, and run a data pipeline locally].
