(Doc+) secure settings link K8 docs and note base64 encoded #8113

Merged
merged 5 commits into from
Nov 19, 2024

Conversation

stefnestor
Contributor

👋🏽 @jlim0930 @paulrossmeier +ECK Dev/Docs,

If I understood y'alls call out from office hours today, this notes that k8 expects values to be base64 encoded by default. Which is a K8 assumption but one our customers ask support about. Also links the related K8 docs for more info for users.

@stefnestor stefnestor added >enhancement Enhancement of existing functionality >docs Documentation labels Oct 16, 2024
@stefnestor stefnestor requested a review from a team October 16, 2024 19:14
Co-authored-by: David Kilfoyle <41695641+kilfoyle@users.noreply.github.com>
Contributor

@barkbay barkbay left a comment

LGTM!

@barkbay
Contributor

barkbay commented Oct 17, 2024

Before hitting the merge button, I took a quick look at the rest of our documentation, and I think this is the only place where we do not use stringData, I wonder if we should not change this for consistency? (and because it is less error prone?)

Change still LGTM otherwise...

@stefnestor
Contributor Author

Thanks, @barkbay! I'm doing the ECK training this week and am ignorant myself on how to fix it. Would you mind suggesting what you think it should be updated to?

@barkbay
Contributor

barkbay commented Oct 18, 2024

@stefnestor the idea would be to replace data: with stringData: in the 2 Secrets, and replace the base64 example with a "clear text" sample value, for example:

index 52fec5c61..f22006b4d 100644
--- a/docs/orchestrating-elastic-stack-applications/elasticsearch/es-secure-settings.asciidoc
+++ b/docs/orchestrating-elastic-stack-applications/elasticsearch/es-secure-settings.asciidoc
@@ -32,8 +32,20 @@ kind: Secret
 metadata:
   name: one-secure-settings-secret
 type: Opaque
-data:
-  gcs.client.default.credentials_file: RWxhc3RpYyBDbG91ZCBvbiBLOHMgKEVDSykK
+stringData:
+  gcs.client.default.credentials_file: |
+    {
+      "type": "service_account",
+      "project_id": "your-project-id",
+      "private_key_id": "...",
+      "private_key": "-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----\n",
+      "client_email": "service-account-for-your-repository@your-project-id.iam.gserviceaccount.com",
+      "client_id": "...",
+      "auth_uri": "https://accounts.google.com/o/oauth2/auth",
+      "token_uri": "https://accounts.google.com/o/oauth2/token",
+      "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
+      "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/your-bucket@your-project-id.iam.gserviceaccount.com"
+    }
 ----


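Review bot: The sample under `stringData:` now carries a `private_key` field in clear text, and nothing in this hunk tells readers how to handle such a manifest once the `...` is replaced with a real key. Suggest a sentence next to the sample saying that `stringData` is a write-only convenience that the API server stores base64-encoded under `data`, so it adds no protection, and that a manifest with a filled-in key should stay out of version control. Creating the Secret with `kubectl create secret generic one-secure-settings-secret --from-file=gcs.client.default.credentials_file=<path-to-key.json>` avoids writing the key into YAML at all.
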
@@ -68,10 +80,46 @@ kind: Secret
 metadata:
   name: gcs-secure-settings
 type: Opaque
-data:
-  gcs.client.default.credentials_file: RWxhc3RpYyBDbG91ZCBvbiBLOHMgKEVDSykK
-  gcs_client_1: RWxhc3RpYyBDbG91ZCBvbiBLOHMgKEVDSykgLSBHQ1MgY2xpZW50IDEK
-  gcs_client_2: RWxhc3RpYyBDbG91ZCBvbiBLOHMgKEVDSykgLSBHQ1MgY2xpZW50IDIK
+stringData:
+  gcs.client.default.credentials_file: |
+    {
+      "type": "service_account",
+      "project_id": "project-id-to-be-used-for-default-client",
+      "private_key_id": "private key ID for default-client",
+      "private_key": "-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----\n",
+      "client_email": "service-account-for-your-repository@your-project-id.iam.gserviceaccount.com",
+      "client_id": "client ID for the default client",
+      "auth_uri": "https://accounts.google.com/o/oauth2/auth",
+      "token_uri": "https://accounts.google.com/o/oauth2/token",
+      "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
+      "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/your-bucket@your-project-id.iam.gserviceaccount.com"
+    }
+  gcs_client_1: |
+    {
+      "type": "service_account",
+      "project_id": "project-id-to-be-used-for-gcs_client_1",
+      "private_key_id": "private key ID for gcs_client_1",
+      "private_key": "-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----\n",
+      "client_email": "service-account-for-your-repository@your-project-id.iam.gserviceaccount.com",
+      "client_id": "client ID for the gcs_client_1 client",
+      "auth_uri": "https://accounts.google.com/o/oauth2/auth",
+      "token_uri": "https://accounts.google.com/o/oauth2/token",
+      "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
+      "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/your-bucket@your-project-id.iam.gserviceaccount.com"
+    }
+  gcs_client_2: |
+    {
+      "type": "service_account",
+      "project_id": "project-id-to-be-used-for-gcs_client_2",
+      "private_key_id": "private key ID for gcs_client_2",
+      "private_key": "-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----\n",
+      "client_email": "service-account-for-your-repository@your-project-id.iam.gserviceaccount.com",
+      "client_id": "client ID for the gcs_client_2 client",
+      "auth_uri": "https://accounts.google.com/o/oauth2/auth",
+      "token_uri": "https://accounts.google.com/o/oauth2/token",
+      "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
+      "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/your-bucket@your-project-id.iam.gserviceaccount.com"
+    }
 ----

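Review bot: The three clients get distinct `project_id` placeholders (for example `project-id-to-be-used-for-gcs_client_1`) but share one `client_email` and one `client_x509_cert_url`, both still pointing at `your-project-id`, so the sample reads as a single service account reused across three projects. Suggest per-client placeholders in those two fields as well, and a `client_x509_cert_url` that ends in the same account as `client_email` rather than `your-bucket@...`, since in a key file downloaded from GCP that URL ends in the service account's email. The placeholder wording is also uneven: `default-client` in `private_key_id` against `the default client` in `client_id`.
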
(I replaced the base64 value of Elastic Cloud on K8s (ECK) with what a JSON service account file looks like in GCP to have more realistic examples and show how to use multiple lines in YAML)
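
An added example, not part of this PR or of the ECK docs: a small Python check for the mistake this thread is about (clear text placed under `data:`), together with the merge the API server performs for `stringData:`. Manifests are passed as dicts, as a YAML or JSON loader would return them; the function names, finding codes and the short credentials string are assumptions made for this sketch, and only the base64 value is taken from the old doc sample.

```python
import base64
import binascii

KEY = "gcs.client.default.credentials_file"
CREDS = '{"type": "service_account", "project_id": "your-project-id"}\n'  # constructed

# Constructed manifests (dict form of the YAML in the docs).
OLD_DOC_SAMPLE = {"kind": "Secret", "data": {KEY: "RWxhc3RpYyBDbG91ZCBvbiBLOHMgKEVDSykK"}}
CLEAR_TEXT_UNDER_DATA = {"kind": "Secret", "data": {KEY: CREDS}}
STRING_DATA_SAMPLE = {"kind": "Secret", "stringData": {KEY: CREDS}}


def lint_secret(manifest):
    """Return (key, code) findings for the `data` map of one Secret."""
    findings = []
    string_data = manifest.get("stringData") or {}
    for key, value in (manifest.get("data") or {}).items():
        try:
            decoded = base64.b64decode(value, validate=True)
        except (binascii.Error, ValueError, TypeError):
            # Clear text pasted under data: the API server rejects this.
            findings.append((key, "not-base64"))
            continue
        # Limit: clear text that happens to be valid base64 is not detectable.
        if decoded.endswith(b"\n"):
            # Harmless for a JSON file, but it changes a password or token.
            findings.append((key, "trailing-newline"))
        if key in string_data:
            findings.append((key, "shadowed-by-stringData"))
    return findings


def effective_data(manifest):
    """Mirror the API server merge: stringData is encoded into data and wins."""
    merged = dict(manifest.get("data") or {})
    for key, value in (manifest.get("stringData") or {}).items():
        merged[key] = base64.b64encode(value.encode("utf-8")).decode("ascii")
    return merged


if __name__ == "__main__":
    for name in ("OLD_DOC_SAMPLE", "CLEAR_TEXT_UNDER_DATA", "STRING_DATA_SAMPLE"):
        print(name, lint_secret(globals()[name]))
```

The old doc value decodes to `Elastic Cloud on K8s (ECK)` followed by a newline, which is why it is reported as `trailing-newline`.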

@stefnestor
Contributor Author

Awesome, cheers 😄! Example added to PR 👌.

@kilfoyle as long as it builds, I believe this is ready for you again 🙏

@kilfoyle kilfoyle self-assigned this Oct 22, 2024
@kilfoyle
Contributor

@elasticmachine run docs-build

@thbkrkr thbkrkr added v2.16.0 and removed >enhancement Enhancement of existing functionality labels Nov 19, 2024
@thbkrkr thbkrkr merged commit af6f3db into main Nov 19, 2024
5 checks passed
@thbkrkr thbkrkr deleted the stefnestor-patch-1 branch November 19, 2024 16:16
Labels
>docs Documentation v2.16.0