Reference sensitive data from secrets and config maps #1024
Conversation
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
| ``` | ||
|
|
||
| **Important:** | ||
| If using a ConfigMap, each key in the ConfigMap must end with `.crt` (e.g., `my-cert.crt` or `ca-cert1.crt`). This naming convention is required for `update-ca-certificates` to parse and add each certificate to the system CA store. |
There was a problem hiding this comment.
🚫 [vale] reported by reviewdog 🐶
[Google.Latin] Use 'for example' instead of 'e.g.'.
There was a problem hiding this comment.
Please fix this and following instances of the same feedback. I took two years of Latin in high school, but most of our readers probably did not.
| ``` | ||
|
|
||
| **Important:** | ||
| Each key in the ConfigMap must end with `.crt` (e.g., `my-cert.crt` or `ca-cert1.crt`). This naming convention is required for `update-ca-certificates` to parse and add each certificate to the system CA store. |
There was a problem hiding this comment.
🚫 [vale] reported by reviewdog 🐶
[Google.Latin] Use 'for example' instead of 'e.g.'.
Deploying docs with
|
| Latest commit: |
515e8c0
|
| Status: | ✅ Deploy successful! |
| Preview URL: | https://cfbf0296.docodile.pages.dev |
| Branch Preview URL: | https://operator-secret-refs.docodile.pages.dev |
content/guides/hosting/hosting-options/self-managed/kubernetes-operator/_index.md
Outdated
Show resolved
Hide resolved
content/guides/hosting/hosting-options/self-managed/kubernetes-operator/_index.md
Outdated
Show resolved
Hide resolved
content/guides/hosting/hosting-options/self-managed/kubernetes-operator/_index.md
Outdated
Show resolved
Hide resolved
content/guides/hosting/hosting-options/self-managed/kubernetes-operator/_index.md
Outdated
Show resolved
Hide resolved
| @@ -465,28 +465,67 @@ global: | |||
| secretKey: HDKYe4Q...JAp1YyjysnX | |||
| ``` | |||
|
|
|||
| The `kmsKey` must be `null`. | |||
There was a problem hiding this comment.
I'm confused -- if it must be null, then why have the key at all? In the example for AWS above, the kmsKey is the empty string. Must it be empty for S3 and null for S3-compatible storage that is not on AWS?
| @@ -709,10 +748,13 @@ global: | |||
| oidc: | |||
| clientId: "" | |||
| secret: "" | |||
| # Only include if your IdP requires it. | |||
There was a problem hiding this comment.
Do we know of any major IdPs that do or don't require it? Okta? AAD? GCP?
| authMethod: "" | ||
| issuer: "" | ||
| ``` | ||
|
|
||
| `authMethod` is optional. |
There was a problem hiding this comment.
The comment previously seems to imply that it is not optional, either your IdP requires it (it's not optional) or it doesn't (then does it even evaluate the field?)
| metadata: | ||
| name: custom-ca-certs | ||
| data: | ||
| ca-cert1.crt: | |
There was a problem hiding this comment.
Do we have any best practices around compound certs? For example, they can become unwieldy and poor performing in a clustered environment with many nodes, if they share a compound certificate.
| -----END CERTIFICATE----- | ||
| ``` | ||
|
|
||
| **Important:** |
There was a problem hiding this comment.
Also, this is no longer the righrt way to do an admonition . Instead, use the Hugo shortcode:
{{% alert %}}
...
{{% /alert %}}
| @@ -784,7 +852,7 @@ The only valid value for `runAsGroup:` is `0`. Any other value is an error. | |||
| {{% /alert %}} | |||
|
|
|||
|
|
|||
| To configure the application pod, add a section `app` to your configuration: | |||
| Example: To configure the application pod, add a section `app` to your configuration: | |||
There was a problem hiding this comment.
| Example: To configure the application pod, add a section `app` to your configuration: | |
| For example, to configure the application pod, add a section `app` to your configuration: |
| @@ -807,7 +875,7 @@ app: | |||
| readOnlyRootFilesystem: false | |||
| allowPrivilegeEscalation: false | |||
| ``` | |||
| The same concept applies to `console`, `weave`, `otel`, `weave-trace`, `flat-run-fields-updater` and `parquet`. | |||
| The same concept applies to `console`, `weave`, `weave-trace` and `parquet`. | |||
There was a problem hiding this comment.
| The same concept applies to `console`, `weave`, `weave-trace` and `parquet`. | |
| The same concept applies to `console`, `weave`, `weave-trace` and `parquet`. |
| -----END CERTIFICATE----- | ||
| ``` | ||
|
|
||
| **Important:** |
There was a problem hiding this comment.
As above, please also update this admonition.
Description
Ticket
Does this PR fix an existing issue? If yes, provide a link here.