Conversation
Commits:
- initial commit
- update vale
- update placement
- update auth
ezgidemirel left a comment:
Thanks @tr0njavolta, this looks great! I left a couple of comments, but it explains the flow very clearly.
| name: upbound-provider-aws-iam | ||
| spec: | ||
| package: xpkg.upbound.io/upbound/provider-aws-iam:v2.2.0 | ||
| ignoreCrossplaneConstraints: true |
No need for this line, since people will use official UXP releases.
| --- | ||
| apiVersion: pkg.crossplane.io/v1 | ||
| kind: Provider | ||
| metadata: | ||
| name: upbound-provider-family-aws | ||
| spec: | ||
| package: xpkg.upbound.io/upbound/provider-family-aws:v2.2.0 | ||
| ignoreCrossplaneConstraints: true |
No need to install the family provider separately. We don't need to set `ignoreCrossplaneConstraints`, so it will be installed automatically.
| ``` | ||
| ```shell | ||
| kubectl apply -f providers.yaml |
| kubectl apply -f providers.yaml | |
| kubectl apply -f provider.yaml |
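Review bot: the suggestion renames the manifest from `providers.yaml` to `provider.yaml` in the apply command only; the step earlier in the doc that writes the file (and any other reference to `providers.yaml`) needs the same rename, otherwise the copy-pasted command fails with a file-not-found error.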
| secrets were created: | ||
| ```shell | ||
| kubectl get secret -n crossplane-system |
| kubectl get secret -n crossplane-system | |
| kubectl get secret |
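Review bot: dropping `-n crossplane-system` makes `kubectl get secret` depend on the namespace of the reader's current kubeconfig context; if the secrets live in `crossplane-system` and the reader's context defaults to another namespace, the command lists nothing and the doc's "secrets were created" check silently fails. Either keep the `-n` flag or state which namespace the reader is expected to be in.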
| vault policy write crossplane-policy - <<'EOF' | ||
| path "secret/data/crossplane-system/*" { | ||
| capabilities = ["read", "list"] | ||
| } | ||
| EOF |
| vault policy write crossplane-policy - <<'EOF' | |
| path "secret/data/crossplane-system/*" { | |
| capabilities = ["read", "list"] | |
| } | |
| EOF | |
| vault policy write crossplane - <<EOF | |
| path "secret/*" { | |
| capabilities = ["create", "read", "update", "delete","list"] | |
| } | |
| path "secret/metadata/*" { | |
| capabilities = ["create", "read", "update", "delete","list"] | |
| } | |
| EOF | |
| # allow "secret-store-vault" service account in "crossplane-system" namespace to use "crossplane" policy created above | |
| vault write auth/kubernetes/role/crossplane \ | |
| bound_service_account_names="secret-store-vault" \ | |
| bound_service_account_namespaces=crossplane-system \ | |
| policies=crossplane\ | |
| ttl=24h | |
| EOF | ||
| ``` | ||
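Review bot: the suggested `crossplane` policy grants `create`, `read`, `update`, `delete` and `list` on all of `secret/*` and `secret/metadata/*`, which is far broader than the `read`/`list` on `secret/data/crossplane-system/*` it replaces; if the secret store only needs to manage entries under one prefix, scope both `path` stanzas to that prefix (for example `secret/data/crossplane-system/*` and `secret/metadata/crossplane-system/*`) so a compromised `secret-store-vault` service account cannot read or delete unrelated secrets in the KV mount. Two smaller points in the same block: `policies=crossplane\` has no space before the line continuation, so unless the next line is indented the shell joins it into `policies=crossplanettl=24h` (write `policies=crossplane \`), and the lone `EOF` that remains after the suggestion's own `EOF` line looks like a leftover heredoc terminator from the replaced block; verify the heredoc pairing after applying the suggestion.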
| ## Configure Vault Kubernetes auth |
I wouldn't include this section in the doc. They may prefer different authentication methods based on their environments. We can simply say that token-based authentication and Kubernetes authentication are supported.
If they already have a Vault instance, they know how they can authenticate to it.
| <!-- vale Google.Headings = NO --> | ||
| ## Install the Secret Store add-on | ||
| Apply the add-on to deploy the Secrets Proxy backend: |
We may mention that the add-on package will not be installed without a valid license.
Description

Type of change

Checklist
- `make vale-file FILE=docs/path/to/file.md` locally for files changed (or will fix Vale suggestions in review)

Additional notes