diff --git a/content/for-developers/tutorials/outer-loop/deploying-secrets.md b/content/for-developers/tutorials/outer-loop/deploying-secrets.md index 2a09ea95..92390ff6 100644 --- a/content/for-developers/tutorials/outer-loop/deploying-secrets.md +++ b/content/for-developers/tutorials/outer-loop/deploying-secrets.md 
@@ -2,19 +2,19 @@ The following secrets are needed for running a fully functional pipeline using pipeline-as-code. Some of the secrets are auto-distributed in the build namespaces of all tenants. Organization level secrets will be deployed through the infra repository. Repository and application level secrets will be deployed through GitOps repository. -## Auto Generated Secrets +## SAAP Managed Secrets 1. `sonar-creds` - * _Purpose_: Used by `sonarqube-scan` pipeline task - * _Owner_: SAAP admins - * _Type_: Login credentials for SonarQube - * _Used for_: For running SonarQube scan in pipeline + * _Purpose_: Used by `sonarqube-scan` pipeline task. + * _Owner_: SAAP admins. + * _Type_: Login credentials for SonarQube. + * _Used for_: For running SonarQube scan in pipeline. * _Lifecycle_: Every time a new tenant is created, the secret gets deployed in the build namespace. SonarQube credentials are not rotated and remain the same. * _Comment_: The origin of this secret is the SonarQube namespace. Secret is copied over to build namespace using an MTO template and Template Group Instance. * _Deployment Process_: The SonarQube deployed on SAAP contains a secret named `sonar-creds` in its namespace. This secret contains the username and password for SonarQube. We use a Multi Tenant Operator Template and TemplateGroupInstance to copy this secret and distribute it the build namespaces of all tenants. The Template and TemplateGroupInstance are both named `sonar-creds`. 1. `docker-reg-creds` - * _Purpose_: Used by buildah and the application itself to pull the image from the nexus registry - * _Owner_: SAAP admins + * _Purpose_: Used by buildah task and the application deployment to pull the image from the nexus registry. + * _Owner_: SAAP admins. * _Type_: Login credentials for nexus docker registry. The secret itself is of type dockerconfigjson. * _Used for_: Pulling images from the nexus registry. Needs to be deployed in all namespaces of the tenant. 
We distribute it using a TGI. * _Lifecycle_: Every time a new tenant is created, the secret gets deployed in all its namespaces. @@ -23,8 +23,8 @@ The following secrets are needed for running a fully functional pipeline using p * _Purpose_: Used to pull and push charts from the Nexus Helm Registry. We use it in two places for our pipeline: 1. `stakater-helm-push` task 1. ArgoCD to fetch the helm chart - * _Owner_: SAAP Admins - * _Used for_: Pulling charts from Nexus + * _Owner_: SAAP Admins. + * _Used for_: Pulling charts from Nexus. * _Lifecycle_: Every time a new tenant is created, the secret gets deployed in the build namespace. The same secret is deployed in the `rh-openshift-gitops-instance` when SAAP is provisioned. * _Deployment Process_: Nexus comes shipped with SAAP. The `nexus3` namespace contains a secret named `helm-reg-creds`. This secret contains the username and password for the helm registry. We use a Multi Tenant Operator Template and TemplateGroupInstance to copy this secret and distribute it all namespaces of the tenants. The Template and TemplateGroupInstance are both named `helm-reg-creds`. Another TGI named `helm-reg-creds-gitops` deploys the secret in GitOps namespace so ArgoCD can fetch the charts. 1. `rox-creds` 
@@ -38,45 +38,41 @@ The following secrets are needed for running a fully functional pipeline using p * _Comment_: Needs to be deployed in build namespace. We deploy it using TGI. * _Deployment Process_: After StackRox is installed on the SAAP cluster. An api token is created and stored in the rox-creds secret in the `stakater-stackrox` namespaces. We then use a Template and a TemplateGroupInstance with the same name to distribute the secret in the build namespace of tenants. -## Infrastructure GitOps Credentials +## Customer Managed Secrets -1. `infra-gitops-creds` - * _Purpose_: This secret is added so ArgoCD can sync the repository. You can either use an ssh key or a personal access token for this purpose. - * _Owner_: The owner of this secret will be customer's delivery engineer - * _Location_: The secret will be deployed in the `rh-openshift-gitops-instance` namespace - * _Used for_: Use only for the purpose of syncing your infra GitOps repository with ArgoCD - * _Format_: Given below is the template for this secret. The secret/external secret will need to have `argocd.argoproj.io/secret-type: repository` label on it: +### Organization Level Secrets - ```yaml - apiVersion: v1 - kind: Secret - metadata: - name: private-repo - namespace: argocd - labels: - argocd.argoproj.io/secret-type: repository - stringData: - type: git - url: git@github.com:argoproj/my-private-repository - sshPrivateKey: | - -----BEGIN OPENSSH PRIVATE KEY----- - ... - -----END OPENSSH PRIVATE KEY----- - ``` +1. `infra-gitops-creds` + * _Purpose_: This secret is added so ArgoCD can sync the repository. You can either use an ssh key or a personal access token for this purpose. + * _Owner_: The owner of this secret will be customer's delivery engineer + * _Location_: The secret will be deployed in the `rh-openshift-gitops-instance` namespace. + * _Used for_: Use only for the purpose of syncing your infra GitOps repository with ArgoCD + * _Format_: Given below is the template for this secret. 
The secret/external secret will need to have `argocd.argoproj.io/secret-type: repository` label on it: - * _Comment_: This secret needs to be deployed on the cluster directly. + ```yaml + apiVersion: v1 + kind: Secret + metadata: + name: private-repo + namespace: argocd + labels: + argocd.argoproj.io/secret-type: repository + stringData: + type: git + url: git@github.com:argoproj/my-private-repository + sshPrivateKey: | + -----BEGIN OPENSSH PRIVATE KEY----- + ... + -----END OPENSSH PRIVATE KEY----- + ``` -## Organization Level Secrets + * _Comment_: This secret needs to be deployed on the cluster directly. -!!! note + !!! note These secrets need to go into your Infra GitOps Repository 1. `apps-gitops-creds` - * _Purpose_: This secret is added so ArgoC - * _Used for_: Communicating with RHACS API to scan images and deployments - * _Lifecycle_: Created at the time of RHACS deployment. The secret is then copied over to build namespaces of tenants. - * _Comment_: Needs to be deployed in build namespace. We deploy it using TGI. - * _Deployment Process_: After RD can sync the `apps-gitops-config` repository. You can either use an ssh key or a personal access token for this purpose. + * _Purpose_: This secret is added so ArgoCD can sync the `apps-gitops-config` repository. * _Owner_: The owner of this secret will be customer's delivery engineer * _Location_: The secret will be deployed in the `rh-openshift-gitops-instance` namespace **through the `infra-gitops` repository** * _Format_: Will have the same format as that of `infra-gitops-creds` secret 
@@ -156,7 +152,7 @@ The following secrets are needed for running a fully functional pipeline using p 1. In the Repository CR so pipeline-as-code can talk to the repository 1. In create-environment task to get commit hashes 1. In TronadorConfig to allow Tronador to access the application repository - * _Owner_: The owner of this secret will be customer's delivery engineer + * _Owner_: The owner of this secret will be customer's delivery engineer. * _Location_: This secret will be deployed in build namespace of all tenants, the namespaces created by Tronador * _Deployment Process_: To deploy the git-pat-creds, follow the below-mentioned steps: 1. Navigate to your `infra-gitops-config` repository @@ -206,7 +202,7 @@ The following secrets are needed for running a fully functional pipeline using p 1. If you have correctly configured your infra repository, ArgoCD should be able to sync the changes and deploy the secret in build namespaces of the tenants -## Repository Level Secrets +### Repository Level Secrets 1. `[app-name]-ssh-creds` * _Purpose_: Used by these Tekton tasks:
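Review bot: in the `@@ -2,19 +2,19 @@` hunk, the `sonar-creds` line `* _Used for_: For running SonarQube scan in pipeline.` still reads "Used for: For running"; since the hunk already touches punctuation on that line, drop the leading "For" ("Running SonarQube scan in pipeline."). The unchanged `_Deployment Process_` line for `sonar-creds` also says "distribute it the build namespaces" (missing "to"). Because the `_Lifecycle_` line states that the SonarQube credentials are never rotated, consider adding a sentence on who owns replacement of that credential, so a compromised value has a documented revocation path rather than being assumed permanent.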
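Review bot: in the `@@ -23,8 +23,8 @@` hunk, the `_Lifecycle_` line for `helm-reg-creds` says the secret is deployed in the build namespace, while the unchanged `_Deployment Process_` line says the TGI distributes it to "all namespaces of the tenants"; one of the two should be corrected so readers know where to expect the secret. The same line is also missing "to" ("distribute it to all namespaces of the tenants").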
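Review bot: in the `@@ -38,45 +38,41 @@` hunk, the relocated `!!! note` ("These secrets need to go into your Infra GitOps Repository") now sits directly under `infra-gitops-creds`, whose `_Comment_` says the secret must be deployed on the cluster directly; move the note above `1. apps-gitops-creds` or reword it so the two statements do not contradict each other. The YAML template still uses `namespace: argocd` while `_Location_` says the secret lives in `rh-openshift-gitops-instance`; align the example with the stated namespace. Since `_Format_` allows "secret/external secret" and the template embeds `sshPrivateKey` in a plain `Secret`, it is worth stating explicitly that anything committed to the GitOps repository should be the external-secret reference, not the key material itself, now that this section groups secrets that are described as going into a repository. Minor: the new `_Owner_` and `_Used for_` lines lack the trailing period that `_Location_` received.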
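Review bot: in the `@@ -156,7 +152,7 @@` hunk, the unchanged `_Location_` line "deployed in build namespace of all tenants, the namespaces created by Tronador" is ambiguous as to whether that is one set of namespaces or two; "in the build namespace of all tenants and in the namespaces created by Tronador" would make the intent clear. It also lacks the trailing period the hunk adds to `_Owner_`.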
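Review bot: in the `@@ -206,7 +202,7 @@` hunk, demoting `## Repository Level Secrets` to `###` makes it a subsection of `## Customer Managed Secrets` alongside `### Organization Level Secrets`; the introduction also refers to "application level secrets", so if that section exists with a `##` heading it should be demoted in the same change (it is outside this diff, so please check).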