Manage secrets with a third-party credential manager
By default, Optimize Live uses Helm to create and update its credentials Secret. However, if you would like to use a third-party credential manager (for example, to rotate secrets), you can choose to disable Helm management of the credentials secret.
When Helm management of the credentials secret is disabled, you must:
- Create the stormforge-system namespace before you install the agent.
- Create the stormforge-agent-auth secret, and populate it with the required credentials, before you install the agent.
- Maintain the stormforge-agent-auth secret yourself, manually or with a third-party credential manager.
Note: If you are not using a third-party credential management tool, you do not need to follow the steps in this guide. Instead, follow the steps in the Install topic. You still have to create an access credential (as described in the Install topic), but StormForge will create and manage the secret for you.

Before you begin, make sure that the StormForge CLI tool is installed.
Steps

1. Log in to your StormForge account.

   ```shell
   stormforge login
   ```
2. Generate an access credential and save the output to a file.
   - Replace CREDENTIAL_NAME with a name that will help you identify the credential (such as the name of the cluster you're installing on).
   - Replace CREDENTIAL_FILE with a filename that will help you identify the file that contains the credential.

   ```shell
   stormforge auth create CREDENTIAL_NAME > CREDENTIAL_FILE
   ```

   The credential file will look something like this:

   ```yaml
   stormforge:
     address: https://api.stormforge.io/
     authorization:
       issuer: https://api.stormforge.io/
       clientID: CREDENTIAL_NAME
       clientSecret: CREDENTIAL_SECRET
   ```
3. Create a StormForge Agent secret and save it to a file.
   - Replace CLUSTER_NAME with the name of the cluster you're installing the Agent on.
   - Replace CREDENTIAL_FILE with the filename from the previous step.
   - Replace SECRET_FILE with a filename that will help you to identify the secret (for example, stormforge-agent-auth).

   ```shell
   helm template stormforge-agent oci://registry.stormforge.io/library/stormforge-agent \
     -n stormforge-system \
     -s templates/auth-secret.yaml \
     -f CREDENTIAL_FILE \
     --set clusterName=CLUSTER_NAME \
     | grep -vi -e app.kubernetes.io/managed-by -e app.kubernetes.io/version -e helm.sh/chart \
     > SECRET_FILE
   ```

   The grep strips the Helm-specific labels (managed-by, version, chart) from the rendered manifest, so the secret is not marked as owned by Helm. The secret file will look something like this:

   ```yaml
   ---
   # Source: stormforge-agent/templates/auth-secret.yaml
   apiVersion: v1
   kind: Secret
   type: Opaque
   metadata:
     name: "stormforge-agent-auth"
     namespace: "stormforge-system"
     labels:
       app.kubernetes.io/name: stormforge-agent
       app.kubernetes.io/instance: stormforge-agent
   data:
     STORMFORGE_CLIENT_ID: "**********"
     STORMFORGE_CLIENT_SECRET: "**********"
     STORMFORGE_ISSUER: "**********"
     STORMFORGE_SERVER: "**********"
   ```
4. Create the stormforge-system namespace and then apply the secret.
   - Replace SECRET_FILE with the name of the file that contains the secret that you generated in the previous step.

   ```shell
   kubectl create namespace stormforge-system
   kubectl apply -f SECRET_FILE -n stormforge-system
   ```
5. When you're ready to install Optimize Live, include `--set manageAuthSecret=false` to indicate to Optimize Live that you or a third-party credential management tool will manage the secret.
   - Replace CLUSTER_NAME with the name of the cluster (lowercase, no underscore) you're installing the Agent on.

   ```shell
   helm install stormforge-agent oci://registry.stormforge.io/library/stormforge-agent \
     --namespace stormforge-system \
     --set clusterName=CLUSTER_NAME \
     --set manageAuthSecret=false
   ```
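The steps above hand ownership of the Secret to you or your credential manager instead of Helm. The script below is an added example, not part of StormForge's documentation or tooling: it renders the same stormforge-agent-auth Secret directly from a credential file (a hand-written equivalent of the helm template step, using the STORMFORGE_* key names and labels shown above) and checks the result before you kubectl apply it, confirming that all four data keys are present and non-empty and that no Helm ownership labels slipped through. The credential file contents are constructed sample values, and the functions field, b64, render_auth_secret and check_auth_secret are this example's own names; it assumes only the credential file layout that `stormforge auth create` prints above.

```shell
#!/bin/sh
# Added example (not StormForge's own tooling): render the stormforge-agent-auth
# Secret from a credential file and check it before applying. Assumes the
# credential file layout printed by `stormforge auth create`.

# Constructed sample credential file in the layout the CLI prints; the
# clientSecret below is a placeholder, not a real credential.
CREDENTIAL_FILE="${TMPDIR:-/tmp}/example-credential.yaml"
cat > "$CREDENTIAL_FILE" <<'EOF'
stormforge:
  address: https://api.stormforge.io/
  authorization:
    issuer: https://api.stormforge.io/
    clientID: example-cluster
    clientSecret: not-a-real-secret
EOF

# field KEY FILE: print the value of the first "KEY: value" line in FILE.
field() {
  awk -v k="$1" '$1 == k":" { print $2; exit }' "$2"
}

# b64 STRING: base64 without line wrapping, as Secret .data values require.
b64() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# render_auth_secret CREDENTIAL_FILE: print a Secret manifest equivalent to
# the chart's auth-secret template, with no Helm ownership labels so that a
# credential manager (not Helm) owns the object.
render_auth_secret() {
  f="$1"
  client_id=$(b64 "$(field clientID "$f")")
  client_secret=$(b64 "$(field clientSecret "$f")")
  issuer=$(b64 "$(field issuer "$f")")
  server=$(b64 "$(field address "$f")")
  cat <<EOF
apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: stormforge-agent-auth
  namespace: stormforge-system
  labels:
    app.kubernetes.io/name: stormforge-agent
    app.kubernetes.io/instance: stormforge-agent
data:
  STORMFORGE_CLIENT_ID: "$client_id"
  STORMFORGE_CLIENT_SECRET: "$client_secret"
  STORMFORGE_ISSUER: "$issuer"
  STORMFORGE_SERVER: "$server"
EOF
}

# check_auth_secret SECRET_FILE: return 0 only if every required data key is
# present with a non-empty value and no Helm-management labels are present.
check_auth_secret() {
  f="$1"
  for key in STORMFORGE_CLIENT_ID STORMFORGE_CLIENT_SECRET STORMFORGE_ISSUER STORMFORGE_SERVER; do
    grep -q "^  $key: \"..*\"" "$f" || { echo "missing or empty $key in $f" >&2; return 1; }
  done
  if grep -qi -e app.kubernetes.io/managed-by -e helm.sh/chart "$f"; then
    echo "Helm ownership labels present in $f; Helm would reclaim the secret" >&2
    return 1
  fi
  return 0
}

SECRET_FILE="${TMPDIR:-/tmp}/example-stormforge-agent-auth.yaml"
render_auth_secret "$CREDENTIAL_FILE" > "$SECRET_FILE"
check_auth_secret "$SECRET_FILE" && echo "secret manifest OK: $SECRET_FILE"
```

The base64 values under data are an encoding, not encryption, so SECRET_FILE is exactly as sensitive as CREDENTIAL_FILE and belongs wherever you keep the credential itself, never in a repository. A credential manager that rotates the credential only needs to rewrite those four data keys on the existing Secret; running check_auth_secret on what it produces is the minimal sanity check before each rotation lands.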
Related topics

- stormforge auth command (CLI reference)