Merge pull request #191 from stakater/refactor-secret-docs

Refactor

content/for-delivery-engineers/tutorials/01-configure-infra-gitops-config/configure-infra-gitops-repo.md

@@ -9,21 +9,22 @@ You can name these two repositories anything you want but make sure the names ar
 
 Let's set these two repositories up!!
 
-Objective:
+## Objective
 
-Create your first tenant
+* Configure Infra Repository.
+* Create your first tenant.
 
-Key Results:
+## Key Results
 
-- Create GitOps repository
-- Configure Tenant operator resources
-- Configure ArgoCD
+* Create GitOps repository
+* Configure Tenant operator resources
+* Configure ArgoCD
 
 ## Infra GitOps Config
 
 The cluster scoped infrastructural configurations are deployed through this repository.
 
-To make things easier, we have created a [template](https://github.com/stakater/infra-gitops-config.git) that you can use to create your infra repository.
+To make things easier, we have created a [template](https://github.com/NordMart/infra-gitops-config.git) that you can use to create your infra repository.
 
 Team Stakater will create a root [Tenant](https://docs.stakater.com/mto/main/customresources.html#2-tenant), which will then create a root AppProject.
 This AppProject will be used to sync all the Applications in `Infra Gitops Config` and it will provide visibility of these Applications in ArgoCD UI to customer cluster admins.
@@ -32,9 +33,45 @@ This AppProject will be used to sync all the Applications in `Infra Gitops Confi
 
 > Follow along GitHub/GitLab documentation for configuring other organization specific requirements set for source code repositories.
 
-1. Create a secret with read permissions over this repository. Navigate to following section for more info [Configure Repository Secret for ArgoCD](../../how-to-guides/configure-repository-secret/configure-repository-secret.md).
-
-> **Note: Provide this secret (PAT/SSH private key) and the infra repo URL to stakater-admin for it to be deployed with your ArgoCD instance.**
+1. Create an external secret on the cluster with read permissions over this repository.
+
+   ```yaml
+      apiVersion: external-secrets.io/v1beta1
+      kind: ExternalSecret
+      metadata:
+        name: infra-gitops-creds
+        namespace: rh-openshift-gitops-instance
+      spec:
+        refreshInterval: 1m
+        secretStoreRef:
+          name: tenant-vault-shared-secret-store
+          kind: SecretStore
+        data:
+          - remoteRef:
+              key: git-pat-creds
+              property: username
+            secretKey: username
+          - remoteRef:
+              key: git-pat-creds
+              property: password
+            secretKey: password
+        target:
+          name: infra-gitops-creds
+          template:
+            metadata:
+              labels:
+                argocd.argoproj.io/secret-type: repository
+            data:
+              name: infra-gitops-creds
+              password: "{{ '{{' }} .password | toString {{ '}}' }}"
+              username: "{{ '{{' }} .username | toString {{ '}}' }}"
+              project: "{{ nordmart_tenant_name }}"
+              type: git
+              url: "https://github.com/{{ YOUR_ORGANIZATION }}/infra-gitops-config.git"
+   ```
+
+   !!! note
+   This ExternalSecret uses the personal access token we created in the earlier tutorial.
 
 1. Now let's copy the structure that we saw in the [template](https://github.com/stakater/infra-gitops-config.git). Add a folder bearing your cluster's name say `dev` at the root of the repository that you just created.
     > If you plan on using this repository for multiple clusters, add a folder for each cluster.
@@ -100,7 +137,7 @@ Open up the `argocd-apps` folder and add the following file to it:
       namespace: rh-openshift-gitops-instance
     spec:
       destination:
-        namespace: openshift-gitops
+        namespace: rh-openshift-gitops-instance
         server: 'https://kubernetes.default.svc'
       source:
         path: CLUSTER_NAME/tenant-operator-config

content/for-delivery-engineers/tutorials/02-configure-apps-gitops-config/configure-apps-gitops-repo.md

@@ -221,107 +221,121 @@ Lets proceed by adding a tenant to the `apps-gitops-config` repository.
 
 ## Linking Apps GitOps with Infra GitOps
 
-> You will need to do this once per `apps-gitops-config` repository.
-
 1. We need to create ArgoCD applications that will deploy the apps of apps structure defined in our `apps-gitops-config` repository.
 
 1. Suppose we want to deploy our application workloads of our dev (CLUSTER_NAME) cluster. We can create an ArgoCD application for `apps-gitops-config` repository pointing to `argocd-apps/dev (argocd-apps/CLUSTER_NAME)` inside `cluster/argocd-apps/` folder in `infra-gitops-config` repository.
 
-   ```yaml
-   apiVersion: argoproj.io/v1alpha1
-   kind: Application
-   metadata:
-     name: apps-gitops-repo
-     namespace: rh-openshift-gitops-instance
-   spec:
-     destination:
-       namespace: openshift-gitops
-       server: 'https://kubernetes.default.svc'
-     project: root-tenant
-     source:
-       path: argocd-apps/dev
-       repoURL: 'APPS_GITOPS_REPO_URL'
-       targetRevision: HEAD
-     syncPolicy:
-       automated:
-         prune: true
-         selfHeal: true
-   ```
-
-    > Find the template file [here](https://github.com/stakater/infra-gitops-config/blob/main/CLUSTER_NAME/argocd-apps/apps-gitops-config.yamlSample)
+    ```yaml
+      apiVersion: argoproj.io/v1alpha1
+      kind: Application
+      metadata:
+        name: apps-gitops-config
+        namespace: rh-openshift-gitops-instance
+      spec:
+        destination:
+          namespace: rh-openshift-gitops-instance
+          server: 'https://kubernetes.default.svc'
+        project: root-tenant
+        source:
+          path: argocd-apps/dev
+          repoURL: 'APPS_GITOPS_REPO_URL'
+          targetRevision: HEAD
+        syncPolicy:
+          automated:
+            prune: true
+            selfHeal: true
+    ```
+
+    > Find the template file [here](https://github.com/NordMart/infra-gitops-config/blob/main/cluster-name/argocd-apps/apps-gitops-config.yaml)
 
 1. We need to add this resource inside `argocd-apps` folder in `dev/argocd-apps (CLUSTER_NAME/argocd-apps)`.
 
-   ```bash
-   ├── dev
-       └── argocd-apps
-           └── apps-gitops-config.yaml
-   ```
-
-1. Now lets add the secret required by ArgoCD for reading `apps-gitops-config` repository. Lets add a folder called `argocd-secrets` at `cluster/`. This will contain secrets required by ArgoCD for authentication over repositories.
-
-   ```bash
-   ├── dev
-       ├── argocd-apps
-       |   └── apps-gitops-config.yaml
-       └── argocd-secrets
-   ```
-
-1. Add a secret in Vault at `root-tenant/<repo-name>` path depending upon whether you configure SSH or Token Access. Add a external secret custom resource in `cluster/argocd-secrets/<repo-name>.yaml` folder. Use the following template :
-
-   ```yaml
-   # Name: apps-gitops-config-external-secret.yaml (<repo-name>-external-secret.yaml)
-   # Path: dev/argocd-secrets/
-   apiVersion: external-secrets.io/v1beta1
-   kind: ExternalSecret
-   metadata:
-     name: <repo-name>
-     namespace: argocd-ns
-   spec:
-     secretStoreRef:
-       name: root-tenant-secret-store
-       kind: SecretStore
-     refreshInterval: "1m"
-     target:
-       name: <repo-name>
-       creationPolicy: 'Owner'
-     dataFrom:
-       - key: <repo-name>
-   ```
-
-1. Add an ArgoCD application pointing to this directory `dev/argocd-secrets/` inside `dev/argocd-apps/apps-gitops-config-external-secret.yaml`.
-
-   ```yaml
-   # Name: argocd-secrets.yaml (FOLDER_NAME.yaml)
-   # Path: dev/argocd-apps/
-   apiVersion: argoproj.io/v1alpha1
-   kind: Application
-   metadata:
-     name: argocd-secrets
-     namespace: openshift-gitops
-   spec:
-     destination:
-       namespace: openshift-gitops
-       server: 'https://kubernetes.default.svc'
-     project: root-tenant
-     source:
-       path: dev/argocd-secrets/
-       repoURL: 'INFRA_GITOPS_REPO_URL'
-       targetRevision: HEAD
-     syncPolicy:
-       automated:
-         prune: true
-         selfHeal: true
-   ```
-
-   ```bash
-   ├── dev
-       ├── argocd-apps
-       |   ├── argocd-secrets.yaml
-       |   └── apps-gitops-config.yaml
-       └── argocd-secrets
-           └── apps-gitops-config-external-secret.yaml
-   ```
+    ```bash
+      ├── dev
+          └── argocd-apps
+              └── apps-gitops-config.yaml
+    ```
+
+1. Now lets add the secret required by ArgoCD for reading `apps-gitops-config` repository. Lets add a folder called `gitops-repositories` at `cluster/`. This will contain secrets required by ArgoCD for authentication over repositories.
+
+    ```bash
+      ├── dev
+          ├── argocd-apps
+          |   └── apps-gitops-config.yaml
+          └── gitops-repositories
+    ```
+
+1. Add an external secret custom resource in `cluster/gitops-repositories/apps-gitops-creds.yaml` folder. We have already stored the secret value in Vault. Use the following template :
+
+     ```yaml
+       apiVersion: external-secrets.io/v1beta1
+       kind: ExternalSecret
+       metadata:
+         name: apps-gitops-creds
+         namespace: rh-openshift-gitops-instance
+       spec:
+         refreshInterval: 1m0s
+         secretStoreRef:
+           name: tenant-vault-shared-secret-store
+           kind: SecretStore
+         data:
+         - remoteRef:
+             key: git-pat-creds
+             property: username
+           secretKey: username
+         - remoteRef:
+             key: git-pat-creds
+             property: password
+           secretKey: password
+         target:
+           name: apps-gitops-creds
+           template:
+             metadata:
+               labels:
+                 argocd.argoproj.io/secret-type: repository
+             data:
+               name: apps-gitops-creds
+               password: "{{ .password | toString }}"
+               username: "{{ .username | toString }}"
+               project: TENANT_NAME
+               type: git
+               url: "https://github.com/DESTINATION_ORG/apps-gitops-config.git"
+     ```
+
+1. Add an ArgoCD application pointing to this directory `dev/gitops-repositories/` inside `dev/argocd-apps/gitops-repositories.yaml`.
+
+    ```yaml
+      apiVersion: argoproj.io/v1alpha1
+      kind: Application
+      metadata:
+         name: gitops-repositories
+         namespace: rh-openshift-gitops-instance
+         finalizers:
+         - resources-finalizer.argocd.argoproj.io
+      spec:
+        destination:
+         server: 'https://kubernetes.default.svc'
+      source:
+        path: cluster-name/gitops-repositories
+        repoURL: 'https://github.com/DESTINATION_ORG/infra-gitops-config.git'
+        targetRevision: main
+        directory:
+          recurse: true
+      project: default
+      syncPolicy:
+        automated:
+          prune: true
+          selfHeal: true
+    ```
+
+     ```bash
+     ├── dev
+         ├── argocd-apps
+         |   ├── gitops-repositories.yaml
+         |   └── apps-gitops-config.yaml
+         └── gitops-repositories
+             └── apps-gitops-creds.yaml
+     ```
 
 1. Login to ArgoCD and check if the secret is deployed by opening `argocd-secrets` application in `infra-gitops-config` application.
 

content/for-delivery-engineers/tutorials/04-preparing-pac-env/adding-github-token.md

@@ -62,6 +62,10 @@ You can check secrets documentation to read more on these secrets.
 ### Adding Token to Vault
 
 Now that we have created the GitHub Token, we will store it in Vault.
+
+   !!! note
+   The delivery engineer should be part of the root-tenant. Please contact SAAP team if you are unable to access Vault using OIDC method
+
 Login to Vault to view <your-tenant> path.
 
 1. Access Vault from `Forecastle` console, search `Vault` and open the `Vault` tile.
@@ -88,60 +92,3 @@ Login to Vault to view <your-tenant> path.
    Hit save.
 
      <div style="text-align:center"><img src="images/git-pat-creds.png" /></div>
-
-### Adding External Secret
-
-Since we want the `git-pat-creds` secret to be deployed in all of the tenant namespaces, we will use a multi-tenant-operator template to deploy it.
-
-1. Open up the `infra-gitops-config` repository that we have already bootstrapped.
-
-1. Open the `tenant-operator-config` folder and create a `templates` folder inside it.
-
-     <div style="text-align:center"><img src="images/template.png" /></div>
-
-1. Now create a file named `git-pat-creds-template.yaml` and add the following content.
-
-     ```yaml
-     apiVersion: tenantoperator.stakater.com/v1alpha1
-     kind: Template
-     metadata:
-       name: git-pat-creds
-     resources:
-       manifests:
-         - apiVersion: external-secrets.io/v1beta1
-           kind: ExternalSecret
-           metadata:
-             name: git-pat-creds
-           spec:
-             dataFrom:
-               - extract:
-                   conversionStrategy: Default
-                   key: git-pat-creds
-             refreshInterval: 1m0s
-             secretStoreRef:
-               kind: SecretStore
-               name: tenant-vault-shared-secret-store
-             target:
-               name: git-pat-creds
-     ```
-
-1. Create another file named `git-pat-creds-tgi.yaml` and add the below content.
-
-     ```yaml
-        apiVersion: tenantoperator.stakater.com/v1alpha1
-        kind: TemplateGroupInstance
-        metadata:
-          name: git-pat-creds
-        spec:
-          template: git-pat-creds
-          selector:
-            matchExpressions:
-              - key: stakater.com/kind
-                operator: In
-                values: [ build, pr ]
-          sync: true
-     ```
-
-1. Lets see our Template and TGI in ArgoCD. Open up ArgoCD and look for `tenant-operator-config` application. You should be able to see your Template and TGI deployed.
-
-     <div style="text-align:center"><img src="images/tgi-and-template.png" /></div>