Remove references to setting cloud_storage_access_key and `cloud_st…

…orage_secret_key` in Kubernetes (#799)
redpanda-data · Oct 15, 2024 · 68c1021 · 68c1021
1 parent d629c25
commit 68c1021
Show file tree

Hide file tree

Showing 2 changed files with 218 additions and 164 deletions.
diff --git a/modules/manage/partials/remote-read-replicas.adoc b/modules/manage/partials/remote-read-replicas.adoc
@@ -3,6 +3,7 @@
 include::shared:partial$enterprise-license.adoc[]
 ====
 
+
 ifdef::env-kubernetes[]
 :tiered-storage-link: manage:kubernetes/storage/tiered-storage/k-tiered-storage.adoc
 :data-archiving-link: manage:kubernetes/storage/tiered-storage/k-tiered-storage.adoc#data-archiving
@@ -111,6 +112,9 @@ Amazon S3::
 
 You can configure access to Amazon S3 with either an IAM role attached to the instance or with access keys.
 
+[discrete]
+=== Use IAM roles
+
 To configure access to an S3 bucket with an IAM role:
 
 . Configure an xref:manage:security/iam-roles.adoc#configuring-iam-roles[IAM role] with read permissions for the S3 bucket.
@@ -152,14 +156,33 @@ Replace the following placeholders:
 +
 - `<region>`: The region of your S3 bucket.
 
+[discrete]
+=== Use access keys
+
 To configure access to an S3 bucket with access keys instead of an IAM role:
 
 . Grant a user the following permissions to read objects on the bucket to be used with the cluster (or on all buckets):
 +
 - `GetObject`
 - `ListBucket`
 
-. Copy the access key and secret key for the `cloud_storage_access_key` and `cloud_storage_secret_key` cluster properties.
+. Create a Secret in which to store the access key and secret key.
++
+[source,yaml]
+----
+apiVersion: v1
+kind: Secret
+metadata:
+  name: storage-secrets
+  namespace: <namespace>
+type: Opaque
+data:
+  access-key: <base64-encoded-access-key>
+  secret-key: <base64-encoded-secret-key>
+----
++
+- Replace `<base64-encoded-access-key>` with your base64-encoded access key.
+- Replace `<base64-encoded-secret-key>` with your base64-encoded secret key.
 . Override the following required cluster properties in the Helm chart:
 +
 [tabs]
@@ -171,11 +194,16 @@ To configure access to an S3 bucket with access keys instead of an IAM role:
 ----
 storage:
   tiered:
+    credentialsSecretRef:
+      accessKey:
+        name: storage-secrets
+        key: access-key
+      secretKey:
+        name: storage-secrets
+        key: secret-key
     config:
       cloud_storage_enabled: true
       cloud_storage_credentials_source: config_file
-      cloud_storage_access_key: <access-key>
-      cloud_storage_secret_key: <secret-key>
       cloud_storage_region: <region>
       cloud_storage_bucket: "none"
 ----
@@ -189,19 +217,17 @@ helm upgrade --install redpanda redpanda/redpanda --namespace <namespace> --crea
 ```bash
 helm upgrade --install redpanda redpanda/redpanda --namespace <namespace> --create-namespace \
   --set storage.tiered.config.cloud_storage_enabled=true \
+  --set storage.tiered.credentialsSecretRef.accessKey.name=storage-secrets \
+  --set storage.tiered.credentialsSecretRef.accessKey.key=access-key \
+  --set storage.tiered.credentialsSecretRef.secretKey.name=storage-secrets \
+  --set storage.tiered.credentialsSecretRef.secretKey.key=secret-key \
   --set storage.tiered.config.cloud_storage_credentials_source=config_file \
-  --set storage.tiered.config.cloud_storage_access_key=<access-key> \
-  --set storage.tiered.config.cloud_storage_secret_key=<secret-key> \
   --set storage.tiered.config.cloud_storage_region=<region> \
   --set storage.tiered.config.cloud_storage_bucket="none"
 ```
 ====
 +
-Replace the following placeholders:
-+
-- `<access-key>`: The access key for your S3 bucket.
-- `<secret-key>`: The secret key for your S3 bucket.
-- `<region>`: The region of your S3 bucket.
+Replace `<region>` with the region of your S3 bucket.
 
 --
 Google Cloud Storage::
@@ -210,8 +236,11 @@ Google Cloud Storage::
 
 You can configure access to Google Cloud Storage with either an IAM role attached to the instance or with access keys.
 
-- To configure access to Google Cloud Storage with an IAM role, override the following required cluster properties in the Helm chart:
-+
+[discrete]
+=== Use IAM roles
+
+To configure access to Google Cloud Storage with an IAM role, override the following required cluster properties in the Helm chart:
+
 [tabs]
 ====
 --values::
@@ -242,10 +271,33 @@ helm upgrade --install redpanda redpanda/redpanda --namespace <namespace> --crea
   --set storage.tiered.config.cloud_storage_bucket="none"
 ```
 ====
-+
+
 Replace `<region>` with the region of your bucket.
 
-- To configure access to Google Cloud Storage with access keys instead of an IAM role, override the following required cluster properties in the Helm chart:
+[discrete]
+=== Use access keys
+
+To configure access to Google Cloud Storage with access keys instead of an IAM role:
+
+. Create a Secret in which to store the access key and secret key.
++
+[source,yaml]
+----
+apiVersion: v1
+kind: Secret
+metadata:
+  name: storage-secrets
+  namespace: <namespace>
+type: Opaque
+data:
+  access-key: <base64-encoded-access-key>
+  secret-key: <base64-encoded-secret-key>
+----
++
+- Replace `<base64-encoded-access-key>` with your base64-encoded access key.
+- Replace `<base64-encoded-secret-key>` with your base64-encoded secret key.
+
+. Override the following required cluster properties in the Helm chart:
 +
 [tabs]
 ====
@@ -256,12 +308,17 @@ Replace `<region>` with the region of your bucket.
 ----
 storage:
   tiered:
+    credentialsSecretRef:
+      accessKey:
+        name: storage-secrets
+        key: access-key
+      secretKey:
+        name: storage-secrets
+        key: secret-key
     config:
       cloud_storage_enabled: true
       cloud_storage_credentials_source: config_file
       cloud_storage_api_endpoint: storage.googleapis.com
-      cloud_storage_access_key: <access-key>
-      cloud_storage_secret_key: <secret-key>
       cloud_storage_region: <region>
       cloud_storage_bucket: "none"
 ----
@@ -275,30 +332,44 @@ helm upgrade --install redpanda redpanda/redpanda --namespace <namespace> --crea
 ```bash
 helm upgrade --install redpanda redpanda/redpanda --namespace <namespace> --create-namespace \
   --set storage.tiered.config.cloud_storage_enabled=true \
+  --set storage.tiered.credentialsSecretRef.accessKey.name=storage-secrets \
+  --set storage.tiered.credentialsSecretRef.accessKey.key=access-key \
+  --set storage.tiered.credentialsSecretRef.secretKey.name=storage-secrets \
+  --set storage.tiered.credentialsSecretRef.secretKey.key=secret-key \
   --set storage.tiered.config.cloud_storage_credentials_source=config_file \
   --set storage.tiered.config.cloud_storage_api_endpoint=storage.googleapis.com \
-  --set storage.tiered.config.cloud_storage_access_key=<access-key> \
-  --set storage.tiered.config.cloud_storage_secret_key=<secret-key> \
   --set storage.tiered.config.cloud_storage_region=<region> \
   --set storage.tiered.config.cloud_storage_bucket="none"
 ```
 ====
 +
-Replace the following placeholders:
-+
-- `<access-key>`: The access key for your bucket.
-- `<secret-key>`: The secret key for your bucket.
-- `<region>`: The region of your bucket.
+Replace `<region>` with the region of your bucket.
 
 --
 Azure Blob Storage::
 +
 --
 
-To configure access to Azure Blob Storage, override the following required cluster properties in the Helm chart:
+To configure access to Azure Blob Storage:
 
-Replace the following placeholders:
+. Create a Secret in which to store the access key.
++
+[source,yaml]
+----
+apiVersion: v1
+kind: Secret
+metadata:
+  name: storage-secrets
+  namespace: <namespace>
+type: Opaque
+data:
+  access-key: <base64-encoded-access-key>
+----
++
+- Replace `<base64-encoded-access-key>` with your base64-encoded access key.
 
+. Override the following required cluster properties in the Helm chart:
++
 [tabs]
 ====
 --values::
@@ -308,9 +379,13 @@ Replace the following placeholders:
 ----
 storage:
   tiered:
+    credentialsSecretRef:
+      secretKey:
+        configurationKey: cloud_storage_azure_shared_key
+        name: storage-secrets
+        key: access-key
     config:
       cloud_storage_enabled: true
-      cloud_storage_azure_shared_key: <access_key>
       cloud_storage_azure_storage_account: <account-name>
       cloud_storage_azure_container: "none"
 ----
@@ -324,16 +399,15 @@ helm upgrade --install redpanda redpanda/redpanda --namespace <namespace> --crea
 ```bash
 helm upgrade --install redpanda redpanda/redpanda --namespace <namespace> --create-namespace \
   --set storage.tiered.config.cloud_storage_enabled=true \
-  --set storage.tiered.config.cloud_storage_azure_shared_key=<access_key> \
+  --set storage.tiered.credentialsSecretRef.secretKey.configurationKey=cloud_storage_azure_shared_key \
+  --set storage.tiered.credentialsSecretRef.secretKey.name=storage-secrets \
+  --set storage.tiered.credentialsSecretRef.secretKey.key=access-key \
   --set storage.tiered.config.cloud_storage_azure_storage_account=<account-name> \
   --set storage.tiered.config.cloud_storage_azure_container="none"
 ```
 ====
 
-Replace the following placeholders:
-
-- `<access-key>`: The access key for your Azure account.
-- `<account-name>`: The name of your Azure account.
+Replace `<account-name>` with the name of your Azure account.
 --
 ======
 endif::[]