Manage secrets with a third-party credential manager

Learn how to create a StormForge Agent secret and enable third-party credential management

By default, Optimize Live provides built-in secret generation and can manage secrets securely. However, if you use a third-party credential manager (for example, to rotate secrets), you must generate the StormForge Agent secret manually, apply it to the stormforge-system namespace, and then update the stormforge-agent Helm chart.

Before you begin, make sure that the StormForge CLI tool is installed.

Steps

  1. Log in to your StormForge account.

    stormforge login
    
  2. Generate an access credential and save the output to a file.

    • Replace CREDENTIAL_NAME with a name that will help you identify the credential (such as the name of the cluster you’re installing on).
    • Replace CREDENTIAL_FILE with a filename that will help you identify the file that contains the credential.
    stormforge auth create CREDENTIAL_NAME > CREDENTIAL_FILE
    

    The credential file will look something like this:

    stormforge:
       address: https://api.stormforge.io/
    authorization:
       issuer: https://api.stormforge.io/
       clientID: CREDENTIAL_NAME 
       clientSecret: CREDENTIAL_SECRET
    
  3. Create a StormForge Agent secret and save it to a file.

    • Replace CLUSTER_NAME with the name of the cluster (lowercase, no underscore) you’re installing the Agent on.
    • Replace CREDENTIAL_FILE with the filename from the previous step.
    • Replace SECRET_FILE with a filename that will help you to identify the secret (for example, stormforge-agent-auth).
      helm template stormforge-agent oci://registry.stormforge.io/library/stormforge-agent \
      -s templates/auth-secret.yaml \
      -f CREDENTIAL_FILE \
      --set clusterName=CLUSTER_NAME \
      | grep -v -i helm \
      > SECRET_FILE
      

    The secret file will look something like this:

    ---
    # Source: stormforge-agent/templates/auth-secret.yaml
    apiVersion: v1
    kind: Secret
    type: Opaque
    metadata:
      name: "stormforge-agent-auth"
      namespace: "stormforge-system"
      labels:
        app.kubernetes.io/name: stormforge-agent
        app.kubernetes.io/instance: stormforge-agent
        component: agent
        app.kubernetes.io/version: "2.7.0"
    data:
      STORMFORGE_CLIENT_ID: "OWI3YTJkODZmMTIyNDQ0N2JlYzUxMjA2NDg4M2ZmMmU="
      STORMFORGE_CLIENT_SECRET: "cXYzcGNxZzN0LlhSQXE3XzRrQUcuRFRUcl8="
      STORMFORGE_ISSUER: "aHR0cHM6Ly9hcGkuc3Rvcm1mb3JnZS5pby8="
      STORMFORGE_SERVER: "aHR0cHM6Ly9hcGkuc3Rvcm1mb3JnZS5pby8="
    
  4. Create the stormforge-system namespace and then apply the secret.

    • Replace SECRET_FILE with the name of the file that contains the secret that you generated in the previous step.
    kubectl create namespace stormforge-system
    kubectl apply -f SECRET_FILE -n stormforge-system
    
  5. When you’re ready to install Optimize Live, include --set manageAuthSecret=false to indicate to Optimize Live that a third-party credential management tool will manage the secret.

    • Replace CREDENTIAL_FILE with the credential filename from step 2.
    • Replace CLUSTER_NAME with the name of the cluster (lowercase, no underscore) you’re installing the Agent on.
        helm install stormforge-agent oci://registry.stormforge.io/library/stormforge-agent \
        --namespace stormforge-system \
        --create-namespace \
        --values CREDENTIAL_FILE \
        --set clusterName=CLUSTER_NAME \
        --set manageAuthSecret=false
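
The secret file produced in step 3 holds the client secret base64-encoded (encoding, not encryption), and the grep filter in that step removes every line containing "helm" before the file is handed to your credential manager. The POSIX shell script below is an added example, not part of the StormForge CLI or the stormforge-agent Helm chart: it checks a generated secret file before you apply it or import it into a credential manager. It assumes the file layout shown above (a Secret in the stormforge-system namespace with the four STORMFORGE_* data keys), a `base64` command that accepts `-d`, and uses constructed sample values for its demo mode.

```shell
#!/bin/sh
# Added example (not StormForge tooling): sanity-check a StormForge Agent
# secret file in the step-3 layout before applying it with kubectl.

# Base64-encode a string on a single line (GNU base64 wraps at 76 columns).
b64() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# Print the decoded value of one key from the secret's data: block.
# $1 = secret file, $2 = key name (e.g. STORMFORGE_CLIENT_ID)
secret_field() {
  awk -v key="$2" '$1 == (key ":") { gsub(/"/, "", $2); print $2 }' "$1" | base64 -d
}

# Validate a generated secret file. Returns 0 when it looks safe to apply,
# 1 (with a reason on stdout) otherwise.
check_agent_secret() {
  file="$1"

  # Must be a Secret destined for the stormforge-system namespace.
  grep -q '^kind: Secret$' "$file" || { echo "not a Kubernetes Secret"; return 1; }
  ns=$(awk '$1 == "namespace:" { gsub(/"/, "", $2); print $2 }' "$file")
  [ "$ns" = "stormforge-system" ] || { echo "namespace is '$ns', expected stormforge-system"; return 1; }

  # The 'grep -v -i helm' filter in step 3 is expected to have removed every
  # line mentioning Helm; flag any that remain.
  if grep -q -i helm "$file"; then
    echo "lines mentioning Helm remain in the secret"; return 1
  fi

  # All four data keys must exist and decode to a non-empty value.
  for key in STORMFORGE_CLIENT_ID STORMFORGE_CLIENT_SECRET STORMFORGE_ISSUER STORMFORGE_SERVER; do
    value=$(secret_field "$file" "$key") || { echo "$key is not valid base64"; return 1; }
    [ -n "$value" ] || { echo "$key is missing or empty"; return 1; }
  done

  # Issuer and API server must decode to https URLs, as in the credential file.
  for key in STORMFORGE_ISSUER STORMFORGE_SERVER; do
    case "$(secret_field "$file" "$key")" in
      https://*) ;;
      *) echo "$key does not decode to an https:// URL"; return 1 ;;
    esac
  done
  return 0
}

# Write a constructed sample secret in the step-3 layout (values are made up).
# $1 = output path, $2 = clientID, $3 = clientSecret, $4 = issuer/server URL
write_sample_secret() {
  cat > "$1" <<EOF
---
# Source: stormforge-agent/templates/auth-secret.yaml
apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: "stormforge-agent-auth"
  namespace: "stormforge-system"
data:
  STORMFORGE_CLIENT_ID: "$(b64 "$2")"
  STORMFORGE_CLIENT_SECRET: "$(b64 "$3")"
  STORMFORGE_ISSUER: "$(b64 "$4")"
  STORMFORGE_SERVER: "$(b64 "$4")"
EOF
}

# Usage: sh check-agent-secret.sh SECRET_FILE   (checks the file you generated)
#        sh check-agent-secret.sh --demo        (checks a constructed sample)
case "${1:-}" in
  --demo)
    tmp=$(mktemp)
    write_sample_secret "$tmp" "example-client-id" "example-client-secret" "https://api.stormforge.io/"
    check_agent_secret "$tmp" && echo "sample secret OK"
    rm -f "$tmp"
    ;;
  "") ;;   # run without arguments: only define the functions
  *) check_agent_secret "$1" && echo "$1 OK" ;;
esac
```

Run it as `sh check-agent-secret.sh SECRET_FILE` right after step 3; a non-zero exit and a one-line reason mean the file should be regenerated rather than applied. Because the values are only base64-encoded, treat SECRET_FILE with the same care as the credential file itself and remove it once the credential manager holds the secret.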
    

Last modified March 1, 2024