Merge pull request #102524 from xenolinux/complete-pr-95504

xenolinux · web-flow · commit 112ff4835f65 · 2025-11-14T13:08:27.000+05:30
OSDOCS#14994: Minor SSCSI fixes from Ashwini's PR
diff --git a/modules/secrets-store-aws.adoc b/modules/secrets-store-aws.adoc
@@ -15,22 +15,22 @@ endif::[]
 [id="secrets-store-aws_{context}"]
 = Mounting secrets from {secrets-store-provider}
 
-You can use the {secrets-store-operator} to mount secrets from {secrets-store-provider} to a Container Storage Interface (CSI) volume in {product-title}. To mount secrets from {secrets-store-provider}, your cluster must be installed on AWS and use AWS Security Token Service (STS).
+You can use the {secrets-store-operator} to mount secrets from {secrets-store-provider} external secrets store to a Container Storage Interface (CSI) volume in {product-title}.
 
 .Prerequisites
 
-* Your cluster is installed on AWS and uses AWS Security Token Service (STS).
-* You installed the {secrets-store-operator}. See _Installing the {secrets-store-driver}_ for instructions.
-* You configured {secrets-store-provider} to store the required secrets.
-* You extracted and prepared the `ccoctl` binary.
-* You installed the `jq` CLI tool.
 * You have access to the cluster as a user with the `cluster-admin` role.
+* You have installed the `jq` tool.
+* You have extracted and prepared the `ccoctl` utility.
+* You have installed the cluster on {aws-first} and the cluster uses {aws-short} Security Token Service (STS).
+* You have installed the {secrets-store-operator}. For more information, see "Installing the {secrets-store-driver}".
+* You have configured {secrets-store-provider} to store the required secrets.
 
 .Procedure
 
 . Install the {secrets-store-provider} provider:
 
-.. Create a YAML file with the following configuration for the provider resources:
+.. Create a YAML file by using the following example configuration:
 +
 [IMPORTANT]
 ====
@@ -148,24 +148,23 @@ $ oc adm policy add-scc-to-user privileged -z csi-secrets-store-provider-aws -n
 $ oc apply -f aws-provider.yaml
 ----
 
-. Grant permission to allow the service account to read the AWS secret object:
+. Grant the read permission to the service account for the AWS secret object:
 
 .. Create a directory to contain the credentials request by running the following command:
 +
 [source,terminal]
 ----
-$ mkdir credentialsrequest-dir-aws
+$ mkdir <aws_creds_directory_name>
 ----
 
-.. Create a YAML file with the following configuration for the credentials request:
+.. Create a YAML file that defines the `CredentialsRequest` resource configuration. See the following example configuration:
 +
-.Example `credentialsrequest.yaml` file
 [source,yaml]
 ----
 apiVersion: cloudcredential.openshift.io/v1
 kind: CredentialsRequest
 metadata:
-  name: aws-provider-test
+  name: aws-creds-request
   namespace: openshift-cloud-credential-operator
 spec:
   providerSpec:
@@ -191,10 +190,10 @@ endif::aws-systems-manager-parameter-store[]
     name: aws-creds
     namespace: my-namespace
   serviceAccountNames:
-  - aws-provider
+  - <service_account_name>
 ----
 
-.. Retrieve the OIDC provider by running the following command:
+.. Retrieve the OpenID Connect (OIDC) provider by running the following command:
 +
 [source,terminal]
 ----
@@ -214,8 +213,8 @@ Copy the OIDC provider name `<oidc_provider_name>` from the output to use in the
 ----
 $ ccoctl aws create-iam-roles \
     --name my-role --region=<aws_region> \
-    --credentials-requests-dir=credentialsrequest-dir-aws \
-    --identity-provider-arn arn:aws:iam::<aws_account>:oidc-provider/<oidc_provider_name> --output-dir=credrequests-ccoctl-output
+    --credentials-requests-dir=<aws_creds_dir_name> \
+    --identity-provider-arn arn:aws:iam::<aws_account_id>:oidc-provider/<oidc_provider_name> --output-dir=<output_dir_name>
 ----
 +
 .Example output
diff --git a/modules/secrets-store-azure.adoc b/modules/secrets-store-azure.adoc
@@ -4,29 +4,29 @@
 
 :_mod-docs-content-type: PROCEDURE
 [id="secrets-store-azure_{context}"]
-= Mounting secrets from Azure Key Vault
+= Mounting secrets from {azure-short} Key Vault
 
-You can use the {secrets-store-operator} to mount secrets from Azure Key Vault to a Container Storage Interface (CSI) volume in {product-title}. To mount secrets from Azure Key Vault, your cluster must be installed on Microsoft Azure.
+You can use the {secrets-store-operator} to mount secrets from {azure-first} Key Vault to a Container Storage Interface (CSI) volume in {product-title}. To mount secrets from {azure-short} Key Vault.
 
 .Prerequisites
 
-* Your cluster is installed on Azure.
-* You installed the {secrets-store-operator}. See _Installing the {secrets-store-driver}_ for instructions.
-* You configured Azure Key Vault to store the required secrets.
-* You installed the Azure CLI (`az`).
+* Your have installed a cluster on {azure-short}.
 * You have access to the cluster as a user with the `cluster-admin` role.
+* You have installed the {azure-short} CLI (`az`).
+* You have installed the {secrets-store-operator}. See "Installing the {secrets-store-driver}" for instructions.
+* You have configured {azure-short} Key Vault to store the required secrets.
 
 .Procedure
 
-. Install the Azure Key Vault provider:
+. Install the {azure-short} Key Vault provider:
 
-.. Create a YAML file with the following configuration for the provider resources:
+.. Create a YAML file named `azure-provider.yaml` that defines the `ServiceAccount` resource configuration. See the following example configuration:
 +
 [IMPORTANT]
 ====
-The Azure Key Vault provider for the {secrets-store-driver} is an upstream provider.
+The {azure-short} Key Vault provider for the {secrets-store-driver} is an upstream provider.
 
-This configuration is modified from the configuration provided in the upstream link:https://azure.github.io/secrets-store-csi-driver-provider-azure/docs/getting-started/installation/[Azure documentation] so that it works properly with {product-title}. Changes to this configuration might impact functionality.
+This configuration is modified from the configuration provided in the upstream link:https://azure.github.io/secrets-store-csi-driver-provider-azure/docs/getting-started/installation/[{azure-short} documentation] so that it works properly with {product-title}. Changes to this configuration might impact functionality.
 ====
 +
 .Example `azure-provider.yaml` file
@@ -197,11 +197,11 @@ $ oc -n my-namespace label secret secrets-store-creds secrets-store.csi.k8s.io/u
 apiVersion: secrets-store.csi.x-k8s.io/v1
 kind: SecretProviderClass
 metadata:
-  name: my-azure-provider                 <1>
-  namespace: my-namespace                 <2>
+  name: my-azure-provider                 #<1>
+  namespace: my-namespace                 #<2>
 spec:
-  provider: azure                         <3>
-  parameters:                             <4>
+  provider: azure                         #<3>
+  parameters:                             #<4>
     usePodIdentity: "false"
     useVMManagedIdentity: "false"
     userAssignedIdentityID: ""
@@ -235,8 +235,8 @@ $ oc create -f secret-provider-class-azure.yaml
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: my-azure-deployment                            <1>
-  namespace: my-namespace                              <2>
+  name: my-azure-deployment                            #<1>
+  namespace: my-namespace                              #<2>
 spec:
   replicas: 1
   selector:
@@ -263,14 +263,14 @@ spec:
             driver: secrets-store.csi.k8s.io
             readOnly: true
             volumeAttributes:
-              secretProviderClass: "my-azure-provider" <3>
+              secretProviderClass: "my-azure-provider" #<3>
             nodePublishSecretRef:
-              name: secrets-store-creds                <4>
+              name: secrets-store-creds                #<4>
 ----
 <1> Specify the name for the deployment.
 <2> Specify the namespace for the deployment. This must be the same namespace as the secret provider class.
 <3> Specify the name of the secret provider class.
-<4> Specify the name of the Kubernetes secret that contains the service principal credentials to access Azure Key Vault.
+<4> Specify the name of the Kubernetes secret that contains the service principal credentials to access {azure-short} Key Vault.
 
 .. Create the `Deployment` object by running the following command:
 +
@@ -281,7 +281,7 @@ $ oc create -f deployment.yaml
 
 .Verification
 
-* Verify that you can access the secrets from Azure Key Vault in the pod volume mount:
+* Verify that you can access the secrets from {azure-short} Key Vault in the pod volume mount:
 
 .. List the secrets in the pod mount by running the following command:
 +
diff --git a/modules/secrets-store-google.adoc b/modules/secrets-store-google.adoc
@@ -10,16 +10,16 @@ You can use the {secrets-store-operator} to mount secrets from Google Secret Man
 
 .Prerequisites
 
-* You installed the {secrets-store-operator}. See _Installing the {secrets-store-driver}_ for instructions.
-* You configured Google Secret Manager to store the required secrets.
-* You created a service account key named `key.json` from your {gcp-full} service account.
 * You have access to the cluster as a user with the `cluster-admin` role.
+* You have installed the {secrets-store-operator}. See "Installing the {secrets-store-driver}" for instructions.
+* You have configured Google Secret Manager to store the required secrets.
+* You have created a service account key named `key.json` from your {gcp-full} service account.
 
 .Procedure
 
 . Install the Google Secret Manager provider:
 
-.. Create a YAML file with the following configuration for the provider resources:
+.. Create a YAML file Create a YAML file named `gcp-provider.yaml` that defines the `ServiceAccount` resource configuration. See the following example configuration:
 +
 .Example `gcp-provider.yaml` file
 [source,yaml]
@@ -151,7 +151,7 @@ $ oc adm policy add-scc-to-user privileged -z csi-secrets-store-provider-gcp -n
 $ oc apply -f gcp-provider.yaml
 ----
 
-. Grant permission to read the Google Secret Manager secret:
+. Grant a read permission to the Google Secret Manager secret:
 
 .. Create a new project by running the following command:
 +
diff --git a/modules/secrets-store-vault.adoc b/modules/secrets-store-vault.adoc
@@ -20,9 +20,9 @@ Other cloud providers might work, but have not been tested yet. Additional cloud
 
 .Prerequisites
 
-* You installed the {secrets-store-operator}. See _Installing the {secrets-store-driver}_ for instructions.
-* You installed Helm.
 * You have access to the cluster as a user with the `cluster-admin` role.
+* You have installed the {secrets-store-operator}. See "Installing the {secrets-store-driver}" for instructions.
+* You have installed Helm.
 
 .Procedure
 
@@ -228,42 +228,6 @@ $ oc exec -i vault-0 --namespace=vault -- vault write auth/kubernetes/role/csi \
 Success! Data written to: auth/kubernetes/role/csi
 ----
 
-.. Verify that all of the `vault` pods are running properly by running the following command:
-+
-[source,terminal]
-----
-$ oc get pods -n vault
-----
-+
-.Example output
-[source,terminal]
-----
-NAME                       READY   STATUS    RESTARTS   AGE
-vault-0                    1/1     Running   0          43m
-vault-csi-provider-87rgw   2/2     Running   0          19m
-vault-csi-provider-bd6hp   2/2     Running   0          19m
-vault-csi-provider-smlv7   2/2     Running   0          19m
-----
-
-.. Verify that all of the `secrets-store-csi-driver` pods are running properly by running the following command:
-+
-[source,terminal]
-----
-$ oc get pods -n openshift-cluster-csi-drivers | grep -E "secrets"
-----
-+
-.Example output
-[source,terminal]
-----
-secrets-store-csi-driver-node-46d2g                  3/3     Running   0             45m
-secrets-store-csi-driver-node-d2jjn                  3/3     Running   0             45m
-secrets-store-csi-driver-node-drmt4                  3/3     Running   0             45m
-secrets-store-csi-driver-node-j2wlt                  3/3     Running   0             45m
-secrets-store-csi-driver-node-v9xv4                  3/3     Running   0             45m
-secrets-store-csi-driver-node-vlz28                  3/3     Running   0             45m
-secrets-store-csi-driver-operator-84bd699478-fpxrw   1/1     Running   0             47m
-----
-
 . Create a secret provider class to define your secrets store provider:
 
 .. Create a YAML file that defines the `SecretProviderClass` object:
@@ -274,11 +238,11 @@ secrets-store-csi-driver-operator-84bd699478-fpxrw   1/1     Running   0
 apiVersion: secrets-store.csi.x-k8s.io/v1
 kind: SecretProviderClass
 metadata:
-  name: my-vault-provider                   <1>
-  namespace: my-namespace                   <2>
+  name: my-vault-provider                   #<1>
+  namespace: my-namespace                   #<2>
 spec:
-  provider: vault                           <3>
-  parameters:                               <4>
+  provider: vault                           #<3>
+  parameters:                               #<4>
     roleName: "csi"
     vaultAddress: "http://vault.vault:8200"
     objects:  |
@@ -308,8 +272,8 @@ $ oc create -f secret-provider-class-vault.yaml
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: busybox-deployment                                    <1>
-  namespace: my-namespace                                     <2>
+  name: busybox-deployment                                    #<1>
+  namespace: my-namespace                                     #<2>
   labels:
     app: busybox
 spec:
@@ -340,7 +304,7 @@ spec:
             driver: secrets-store.csi.k8s.io
             readOnly: true
             volumeAttributes:
-              secretProviderClass: "my-vault-provider"        <3>
+              secretProviderClass: "my-vault-provider"        #<3>
 ----
 <1> Specify the name for the deployment.
 <2> Specify the namespace for the deployment. This must be the same namespace as the secret provider class.
@@ -355,7 +319,43 @@ $ oc create -f deployment.yaml
 
 .Verification
 
-* Verify that you can access the secrets from your HashiCorp Vault in the pod volume mount:
+.. Verify that all of the `vault` pods are running properly by running the following command:
++
+[source,terminal]
+----
+$ oc get pods -n vault
+----
++
+.Example output
+[source,terminal]
+----
+NAME                       READY   STATUS    RESTARTS   AGE
+vault-0                    1/1     Running   0          43m
+vault-csi-provider-87rgw   2/2     Running   0          19m
+vault-csi-provider-bd6hp   2/2     Running   0          19m
+vault-csi-provider-smlv7   2/2     Running   0          19m
+----
+
+.. Verify that all of the `secrets-store-csi-driver` pods are running by running the following command:
++
+[source,terminal]
+----
+$ oc get pods -n openshift-cluster-csi-drivers | grep -E "secrets"
+----
++
+.Example output
+[source,terminal]
+----
+secrets-store-csi-driver-node-46d2g                  3/3     Running   0             45m
+secrets-store-csi-driver-node-d2jjn                  3/3     Running   0             45m
+secrets-store-csi-driver-node-drmt4                  3/3     Running   0             45m
+secrets-store-csi-driver-node-j2wlt                  3/3     Running   0             45m
+secrets-store-csi-driver-node-v9xv4                  3/3     Running   0             45m
+secrets-store-csi-driver-node-vlz28                  3/3     Running   0             45m
+secrets-store-csi-driver-operator-84bd699478-fpxrw   1/1     Running   0             47m
+----
+
+. Verify that you can access the secrets from your HashiCorp Vault in the pod volume mount:
 
 .. List the secrets in the pod mount by running the following command:
 +
diff --git a/nodes/pods/nodes-pods-secrets-store.adoc b/nodes/pods/nodes-pods-secrets-store.adoc
@@ -68,6 +68,11 @@ include::modules/secrets-store-google.adoc[leveloffset=+2]
 // Mounting secrets from HashiCorp Vault
 include::modules/secrets-store-vault.adoc[leveloffset=+2]
 
+[role="_additional-resources"]
+.Additional resources
+
+* xref:../../applications/working_with_helm_charts/installing-helm.adoc#installing-helm[Installing Helm]
+
 // Enabling synchronization of mounted content as Kubernetes secrets
 include::modules/secrets-store-sync-secrets.adoc[leveloffset=+1]
 
