To enable use of the Secret Store CSI driver, a new parameter, "secretStore", is added under the spec.fepChildCrVal section of the FEPCluster CR. Under secretStore.csi the user defines the details needed to connect to the external secret store (Azure, AWS, GCP or HashiCorp Vault) and the list of secrets held in that store. The definition of the spec.fepChildCrVal.secretStore parameter differs depending on the provider that is used.
spec:
  …..
  fepChildCrVal:
    secretStore:
      method: csi
      csi:
        providerName: azure
        azureProvider:
          keyvaultname:
          tenantid:
          credentials:
        fepSecrets:
          - pgadminpassword: pgadminpassword
          - tdepassphrase: passphrase
          - systemCertificates: systemCerts
          - pguser: pgusername
          - pgpassword: pgpwd
          - pgdb: pgdbsecret
          - pgrepluser: pgrepluser
          - pgreplpassword: pgreplpassword
          - pgRewinduser: pgRewinduser
          - pgRewindpassword: pgRewindpassword
          - pgMetricsUser: metricsuser
          - pgMetricsPassword: metricspwd
          - patronitls: patronicrt
          - patronitlscacrt: patronica
          - postgrestls: postgrescrt
          - postgrestlscacrt: postgresca
          - pgAdminTls: admincrt
          - pgAdminTlscacrt: adminca
          - pgAdminTls_privateKeyPassword: adminpvtkey
          - pgRewindUserTls: rewindcrt
          - pgRewindUserTlscacrt: rewindca
          - pgRewindUserTls_privateKeyPassword: rwndpvtkey
          - pgrepluserTls: replcrt
          - pgrepluserTlscacrt: replca
          - pgrepluserTls_privateKeyPassword: replpvtkey
          - pgMetricsUserTls: metricscrt
          - pgMetricsUserTlscacrt: metricsca
          - pgMetricsUserTls_privateKeyPassword: adminpvtkey
          - modelOwner: modelOwner
          - modelOwnerPassword: modelOwnerPassword
          - modelUser: modelUser
          - modelUserPassword: modelUserPassword
          - loadUser: loadUser
          - loadUserPassword: loadUserPassword
        fepCustomCerts:
          - userName: user1
            userCrt: user1crt
            userCa: user1ca
          - userName: mydbuser
            userCrt: mydbusercrt
            userCa: mydbuserca

Note: The parameters shown in black in fepSecrets are mandatory.
spec:
  …..
  fepChildCrVal:
    secretStore:
      method: csi
      csi:
        providerName: aws
        awsProvider:
          region:
          roleName:
        fepSecrets:
          - pgadminpassword: pgadminpassword
          - tdepassphrase: passphrase
          - systemCertificates: systemCerts
          - pguser: pgusername
          - pgpassword: pgpwd
          - pgdb: pgdbsecret
          - pgrepluser: pgrepluser
          - pgreplpassword: pgreplpassword
          - pgRewinduser: pgRewinduser
          - pgRewindpassword: pgRewindpassword
          - pgMetricsUser: metricsuser
          - pgMetricsPassword: metricspwd
          - patronitls: patronicrt
          - patronitlscacrt: patronica
          - postgrestls: postgrescrt
          - postgrestlscacrt: postgresca
          - pgAdminTls: admincrt
          - pgAdminTlscacrt: adminca
          - pgAdminTls_privateKeyPassword: adminpvtkey
          - pgRewindUserTls: rewindcrt
          - pgRewindUserTlscacrt: rewindca
          - pgRewindUserTls_privateKeyPassword: rwndpvtkey
          - pgrepluserTls: replcrt
          - pgrepluserTlscacrt: replca
          - pgrepluserTls_privateKeyPassword: replpvtkey
          - pgMetricsUserTls: metricscrt
          - pgMetricsUserTlscacrt: metricsca
          - pgMetricsUserTls_privateKeyPassword: adminpvtkey
          - modelOwner: modelOwner
          - modelOwnerPassword: modelOwnerPassword
          - modelUser: modelUser
          - modelUserPassword: modelUserPassword
          - loadUser: loadUser
          - loadUserPassword: loadUserPassword
        fepCustomCerts:
          - userName: user1
            userCrt: user1crt
            userCa: user1ca
          - userName: mydbuser
            userCrt: mydbusercrt
            userCa: mydbuserca

Note: The parameters shown in black in fepSecrets are mandatory.
spec:
  …..
  fepChildCrVal:
    secretStore:
      method: csi
      csi:
        providerName: gcp
        gcpProvider:
          credentials:
        fepSecrets:
          - pgadminpassword: pgadminpassword
          - tdepassphrase: passphrase
          - systemCertificates: systemCerts
          - pguser: pgusername
          - pgpassword: pgpwd
          - pgdb: pgdbsecret
          - pgrepluser: pgrepluser
          - pgreplpassword: pgreplpassword
          - pgRewinduser: pgRewinduser
          - pgRewindpassword: pgRewindpassword
          - pgMetricsUser: metricsuser
          - pgMetricsPassword: metricspwd
          - patronitls: patronicrt
          - patronitlscacrt: patronica
          - postgrestls: postgrescrt
          - postgrestlscacrt: postgresca
          - pgAdminTls: admincrt
          - pgAdminTlscacrt: adminca
          - pgAdminTls_privateKeyPassword: adminpvtkey
          - pgRewindUserTls: rewindcrt
          - pgRewindUserTlscacrt: rewindca
          - pgRewindUserTls_privateKeyPassword: rwndpvtkey
          - pgrepluserTls: replcrt
          - pgrepluserTlscacrt: replca
          - pgrepluserTls_privateKeyPassword: replpvtkey
          - pgMetricsUserTls: metricscrt
          - pgMetricsUserTlscacrt: metricsca
          - pgMetricsUserTls_privateKeyPassword: adminpvtkey
          - modelOwner: modelOwner
          - modelOwnerPassword: modelOwnerPassword
          - modelUser: modelUser
          - modelUserPassword: modelUserPassword
          - loadUser: loadUser
          - loadUserPassword: loadUserPassword
        fepCustomCerts:
          - userName: user1
            userCrt: user1crt
            userCa: user1ca
          - userName: mydbuser
            userCrt: mydbusercrt
            userCa: mydbuserca

Note: The parameters shown in black in fepSecrets are mandatory.
spec:
  …..
  fepChildCrVal:
    secretStore:
      method: csi
      csi:
        providerName: vault
        vaultProvider:
          roleName: "database"
          vaultAddress: "http://vault-url-addr:8765"
        fepSecrets:
          - pgadminpassword: pgadminpassword
          - tdepassphrase: passphrase
          - systemCertificates: systemCerts
          - pguser: pgusername
          - pgpassword: pgpwd
          - pgdb: pgdbsecret
          - pgrepluser: pgrepluser
          - pgreplpassword: pgreplpassword
          - pgRewinduser: pgRewinduser
          - pgRewindpassword: pgRewindpassword
          - pgMetricsUser: metricsuser
          - pgMetricsPassword: metricspwd
          - patronitls: patronicrt
          - patronitlscacrt: patronica
          - postgrestls: postgrescrt
          - postgrestlscacrt: postgresca
          - pgAdminTls: admincrt
          - pgAdminTlscacrt: adminca
          - pgAdminTls_privateKeyPassword: adminpvtkey
          - pgRewindUserTls: rewindcrt
          - pgRewindUserTlscacrt: rewindca
          - pgRewindUserTls_privateKeyPassword: rwndpvtkey
          - pgrepluserTls: replcrt
          - pgrepluserTlscacrt: replca
          - pgrepluserTls_privateKeyPassword: replpvtkey
          - pgMetricsUserTls: metricscrt
          - pgMetricsUserTlscacrt: metricsca
          - pgMetricsUserTls_privateKeyPassword: adminpvtkey
          - modelOwner: modelOwner
          - modelOwnerPassword: modelOwnerPassword
          - modelUser: modelUser
          - modelUserPassword: modelUserPassword
          - loadUser: loadUser
          - loadUserPassword: loadUserPassword
        fepCustomCerts:
          - userName: user1
            userCrt: user1crt
            userCa: user1ca
          - userName: mydbuser
            userCrt: mydbusercrt
            userCa: mydbuserca

Note: The parameters shown in black in fepSecrets are mandatory.
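The four provider variants above share one shape, so a pre-apply check can catch an empty provider field, a malformed fepSecrets entry or an incomplete fepCustomCerts entry before the operator ever sees the CR. The following is an added example, not part of the FEP operator or its documentation; it takes the CR already parsed into a dict (for example from yaml.safe_load), uses only the field names shown in the snippets above, and the sample CR at the bottom is constructed for the demonstration.

```python
# Added example: structural checks on spec.fepChildCrVal.secretStore.csi of a
# FEPCluster CR. Provider block names and their fields are taken from the page.
PROVIDER_FIELDS = {
    "azure": ("azureProvider", ("keyvaultname", "tenantid", "credentials")),
    "aws": ("awsProvider", ("region", "roleName")),
    "gcp": ("gcpProvider", ("credentials",)),
    "vault": ("vaultProvider", ("roleName", "vaultAddress")),
}


def check_secret_store(cr: dict) -> list[str]:
    """Return the problems found; an empty list means the section looks usable."""
    problems = []
    store = cr.get("spec", {}).get("fepChildCrVal", {}).get("secretStore", {})
    if store.get("method") != "csi":
        problems.append("secretStore.method must be 'csi' to use the Secret Store CSI driver")
        return problems
    csi = store.get("csi") or {}
    name = csi.get("providerName")
    if name not in PROVIDER_FIELDS:
        problems.append(f"unknown providerName {name!r}; expected one of {sorted(PROVIDER_FIELDS)}")
        return problems
    block_name, required = PROVIDER_FIELDS[name]
    block = csi.get(block_name) or {}
    for key in required:
        if not block.get(key):  # missing key or empty value (the snippets leave these blank)
            problems.append(f"{block_name}.{key} must be set for providerName {name}")
    # Caveat: a plain-http Vault address sends the role login and fetched secrets in clear.
    if name == "vault" and str(block.get("vaultAddress", "")).startswith("http://"):
        problems.append("vaultProvider.vaultAddress uses http://; use https:// in production")
    # Each fepSecrets entry is exactly one 'fepKey: nameOfSecretInStore' pair.
    for i, entry in enumerate(csi.get("fepSecrets") or []):
        if not (isinstance(entry, dict) and len(entry) == 1 and all(entry.values())):
            problems.append(f"fepSecrets[{i}] must be one 'key: secretName' pair, got {entry!r}")
    # Each fepCustomCerts entry needs userName, userCrt and userCa.
    for i, cert in enumerate(csi.get("fepCustomCerts") or []):
        cert = cert if isinstance(cert, dict) else {}
        missing = [k for k in ("userName", "userCrt", "userCa") if not cert.get(k)]
        if missing:
            problems.append(f"fepCustomCerts[{i}] is missing {missing}")
    return problems


# Constructed sample: the Vault snippet from the page with a shortened secret list.
SAMPLE_CR = {"spec": {"fepChildCrVal": {"secretStore": {"method": "csi", "csi": {
    "providerName": "vault",
    "vaultProvider": {"roleName": "database", "vaultAddress": "http://vault-url-addr:8765"},
    "fepSecrets": [{"pgadminpassword": "pgadminpassword"}, {"pguser": "pgusername"}],
    "fepCustomCerts": [{"userName": "user1", "userCrt": "user1crt", "userCa": "user1ca"}],
}}}}}

if __name__ == "__main__":
    for problem in check_secret_store(SAMPLE_CR):
        print("FEPCluster secretStore:", problem)
```

Run against the constructed sample it reports only the plain-http Vault address; an Azure CR with the provider fields left blank, as in the snippet, is rejected until keyvaultname, tenantid and credentials are filled in.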