Merge pull request #957 from ron1/patch-1

Simplify the In-cluster secrets example
2024-12-14 11:57:59 +00:00 · 2022-04-07 09:39:35 +00:00 · 2022-04-07 09:39:35 +00:00 · 16f27f482d
commit 16f27f482d
parent f2dfc0c4b5 37fcd49cec
1 changed files with 22 additions and 31 deletions
--- a/docs/provider-kubernetes.md
+++ b/docs/provider-kubernetes.md
@ -2,35 +2,30 @@ External Secrets Operator allows to retrieve in-cluster secrets or from a remote

 ### Authentication

-It's possible to authenticate against the Kubernetes API using client certificates, a bearer token or a service account (not implemented yet). The operator enforces that exactly one authentication method is used.
+It's possible to authenticate against the Kubernetes API using client certificates or a bearer token. Authentication using a service account has not yet been implemented. The operator enforces that exactly one authentication method is used.

 **NOTE:** `SelfSubjectAccessReview` permission is required for the service account in order to validation work properly.

 ## Example

-### In-cluster secrets using Client certificates
+### In-cluster secrets using a Token
+
+1. Create a K8s Secret with a client token for the default service account

-1. Create a K8s Secret with the encoded base64 ca and client certificates
-   
 ```
 apiVersion: v1
 kind: Secret
 metadata:
-  name: cluster-secrets
-data:
-  # Fill with your encoded base64 CA
-  certificate-authority-data: Cg==
-  # Fill with your encoded base64 Certificate
-  client-certificate-data: Cg==
-  # Fill with your encoded base64 Key
-  client-key-data: Cg==
+  name: mydefaulttoken
+  annotations:
+    kubernetes.io/service-account.name: default
+type: kubernetes.io/service-account-token
 ```
 2. Create a SecretStore

-The Servers `url` won't be present as it will default to `kubernetes.default`, add a proper value if needed. In this example the Certificate Authority is fetch using the referenced `caProvider`.
-
-The `auth` section indicates that the type `cert`  will be used for authentication, it includes the path to fetch the client certificate and key.
+The Servers `url` won't be present as it will default to `kubernetes.default`, add a proper value if needed. In this example the Certificate Authority is fetched using the referenced `caProvider`.

+The `auth` section indicates that the type `token` will be used for authentication, it includes the path to fetch the token. Set `remoteNamespace` to the name of the namespace where your target secrets reside.

 ```
 apiVersion: external-secrets.io/v1beta1
@ -39,22 +34,18 @@ metadata:
  name: example
 spec:
  provider:
-      kubernetes: 
-        server: 
-          # referenced caProvider
-          caProvider: 
-            type: Secret
-            name : cluster-secrets
-            key: certificate-authority-data
+    kubernetes:
+      server: 
+        caProvider: 
+          type: Secret
+          name: mydefaulttoken
+          key: ca.crt
        auth:
-          # referenced client certificates
-          cert:
-            clientCert: 
-                name: cluster-secrets
-                key: certificate
-            clientKey: 
-                name: cluster-secrets
-                key: key
+          token:
+            bearerToken: 
+              name: mydefaulttoken
+              key: token
+        remoteNamespace: default
 ```
 3. Create the local secret that will be synced 
              
@ -152,4 +143,4 @@ spec:
    remoteRef:
      key: secret-remote-example
      property: extra
-```
+```