Manage secrets with a third-party credential manager

Learn how to create a StormForge Agent secret and enable third-party credential management

By default, Optimize Live provides built-in secret generation and can manage secrets securely. However, if you use a third-party credential manager (for example, to rotate secrets), you must generate the StormForge Agent secret manually, apply it to the stormforge-system namespace, and then update the stormforge-agent Helm chart.

Before you begin, make sure that the StormForge CLI tool is installed.

Steps

  1. Log in to your StormForge account.

    stormforge login
    
  2. Generate an access credential and save the output to a file.

    • Replace CREDENTIAL_NAME with a name that will help you identify the credential (such as the name of the cluster you’re installing on).
    • Replace CREDENTIAL_FILE with a filename that will help you identify the file that contains the credential.
    stormforge auth create CREDENTIAL_NAME > CREDENTIAL_FILE
    

    The credential file will look something like this:

    stormforge:
       address: https://api.stormforge.io/
    authorization:
       issuer: https://api.stormforge.io/
       clientID: CREDENTIAL_NAME 
       clientSecret: CREDENTIAL_SECRET
    
  3. Create a StormForge Agent secret and save it to a file.

    • Replace CLUSTER_NAME with the name of the cluster (lowercase, no underscore) you’re installing the Agent on.
    • Replace CREDENTIAL_FILE with the filename from the previous step.
    • Replace SECRET_FILE with a filename that will help you to identify the secret (for example, stormforge-agent-auth).
      helm template stormforge-agent oci://registry.stormforge.io/library/stormforge-agent \
      -s templates/auth-secret.yaml \
      -f CREDENTIAL_FILE \
      --set clusterName=CLUSTER_NAME \
      | grep -v -i helm \
      > SECRET_FILE
      

    The secret file will look something like this:

    ---
    # Source: stormforge-agent/templates/auth-secret.yaml
    apiVersion: v1
    kind: Secret
    type: Opaque
    metadata:
    name: "stormforge-agent-auth"
    namespace: "stormforge-system"
    labels:
        app.kubernetes.io/name: stormforge-agent
        app.kubernetes.io/instance: stormforge-agent
        component: agent
        app.kubernetes.io/version: "2.7.0"
    data:
    STORMFORGE_CLIENT_ID: "**********"
    STORMFORGE_CLIENT_SECRET: "**********"
    STORMFORGE_ISSUER: "**********"
    STORMFORGE_SERVER: "**********"
    
  4. Create the stormforge-system namespace and then apply the secret.

    • Replace SECRET_FILE with the name of the file that contains the secret that you generated in the previous step.
    kubectl create namespace stormforge-system
    kubectl apply -f SECRET_FILE -n stormforge-system
    
  5. When you’re ready to install Optimize Live, include --set manageAuthSecret=false to indicate to Optimize Live that a third-party credential management tool will manage the secret.

    • Replace CREDENTIAL_FILE with the filename from the previous step.
    • Replace CLUSTER_NAME with the name of the cluster (lowercase, no underscore) you’re installing the Agent on.
        helm install stormforge-agent oci://registry.stormforge.io/library/stormforge-agent \
        --namespace stormforge-system \
        --create-namespace \
        --values CREDENTIAL_FILE \
        --set clusterName=CLUSTER_NAME \
        --set manageAuthSecret=false
    

Related topics

Last modified May 9, 2024