RHDEVDOCS-6450: Content creation for Vault documentation

Author: Dhruv-Soni11

modules/gitops-configure-hashicorp-vault-as-a-secrets-provider-on-openshift-with-gitops.adoc

@@ -0,0 +1,34 @@
+// Module is included in the following assemblies:
+//
+// * securing_openshift_gitops/managing-secrets-securely-using-sscsid-with-gitops.adoc
+
+:_mod-docs-content-type: CONCEPT
+[id="gitops-configure-hashicorp-vault-as-a-secrets-provider-on-openshift-with-gitops_{context}"]
+= Configure HashiCorp Vault as a secrets provider on OpenShift with GitOps
+
+You can configure HashiCorp Vault as a secrets provider by using the Secrets Store CSI Driver Operator on the {OCP}. When combined with GitOps workflows managed by Argo CD, this setup enables you to securely retrieve secrets from Vault and inject it into your applications running on OpenShift.
+
+Structure the {gitops-shortname} repository and configure the Vault CSI provider to integrate with the Secrets Store CSI Driver in {OCP}.
+
+The following sample {gitops-shortname} repository layout is used for integrating Vault with your application.
+
+.Example directory structure in {gitops-shortname} repository
+----
+├── config
+│   ├── argocd # <1>
+│   │   ├── vault-secret-provider-app.yaml
+│   │   ├── ...
+│── environments 
+│   ├── dev
+│   │   ├── apps
+│   │   │   ├── demo-app
+│   │   │       ├── manifest # <2>
+│   │   │       |    ├── secretProviderClass.yaml
+│   │   │       |    ├── serviceAccount.yaml
+│   │   │       |    ├── deployment.yaml
+│   │   │       ├── argocd # <3>
+│   │   │            ├── demo-app.yaml
+----
+<1> `config/argocd/` - Stores Argo CD Application definitions for cluster-wide tools like the Vault CSI provider.
+<2> `environments/<env>/apps/<app-name>/manifest/`: Contains Kubernetes manifests specific to an application in a particular environment.
+<3> `environments/<env>/apps/<app-name>/argocd/`: Contains the Argo CD Application definition that deploys the application and its resources.

modules/gitops-installing-and-configuring-vault-to-store-a-secret.adoc

@@ -0,0 +1,104 @@
+// Module is included in the following assemblies:
+//
+// * securing_openshift_gitops/managing-secrets-securely-using-sscsid-with-gitops.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="gitops-installing-and-configuring-vault-to-store-a-secret_{context}"]
+= Installing the Vault CSI Provider using {gitops-shortname}
+
+After deploying Vault using Argo CD and applying the necessary SCC permissions and DaemonSet patches, initialize Vault, unseal it, and configure Kubernetes authentication to enable secure secret storage and access.
+
+.Procedure
+
+. Access the Vault Pod.
+
+.. If Vault is running within your {OCP} cluster, for example, as the `vault-0` pod in the `vault-csi-provider` namespace, run the following command to access the Vault CLI inside the pod:
++
+[source,terminal]
+----
+$ oc exec -it vault-0 -n vault-csi-provider -- /bin/sh
+----
+
+. Initializing Vault.
+
+.. If your Vault instance is not yet initialized, run the following command:
++
+[source,terminal]
+----
+$ vault operator init
+----
++
+As a result the following output is displayed.
++
+[source,output]
+----
+5 Unseal Keys - required to unseal the Vault.
+Initial Root Token - required to log in and configure Vault.
+----
++
+[IMPORTANT]
+====
+Store these credentials securely. At least 3 out of 5 unseal keys are required to unseal Vault. If the keys are lost, access to stored secrets is permanently blocked.
+====
+
+. Unsealing Vault.
+
+.. Vault starts in a sealed state. Run the following commands to use three of the five Unseal Keys obtained in the earlier step:
++
+[source,terminal]
+----
+$ vault operator unseal <Unseal Key 1>
+  vault operator unseal <Unseal Key 2>
+  vault operator unseal <Unseal Key 3>
+----
++
+Once unsealed, the Vault becomes active and ready for use.
+
+. Logging into Vault.
+
+.. To use the root token to log in to Vault, run the following command:
++
+[source,terminal]
+----
+$ vault login <Initial Root Token>
+----
++
+This provides administrator access to enable and configure secret engines and authentication methods.
+
+. Enabling Kubernetes Authentication in Vault.
+
+.. Run the following command to enable Kubernetes authentication in Vault.
++
+[source,terminal]
+----
+$ vault auth enable kubernetes
+----
++
+This allows Kubernetes workloads, for example, pods, to authenticate with Vault using their service accounts.
+
+. Configure Kubernetes authentication method in Vault.
+
+.. To configure Vault for communicating with the Kubernetes API, run the following command:
++
+[source,terminal]
+----
+$ vault write auth/kubernetes/config \
+issuer="https://kubernetes.default.svc" \
+token_reviewer_jwt="$(cat/var/run/secrets/kubernetes.io/serviceaccount/token)" \
+kubernetes_host="https://${KUBERNETES_PORT_443_TCP_ADDR}:443" \
+kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+----
++
+As a result the following output is displayed.
++
+[source,output]
+----
+Success! Data written to: auth/kubernetes/config
+----
++
+Explanation for the Parameters:
+`issuer`: The Kubernetes token issuer URL.
+`token_reviewer_jwt`: A JSON Web Token (JWT) that Vault uses to call the Kubernetes TokenReview API and validate service account tokens.
+`kubernetes_host`: The URL that Vault uses to communicate with the Kubernetes API server.
+`kubernetes_ca_cert`: The CA certificate that Vault uses for secure communication with the Kubernetes API server.
+

modules/gitops-installing-the-vault-csi-provider-using-gitops.adoc

@@ -0,0 +1,115 @@
+// Module is included in the following assemblies:
+//
+// * securing_openshift_gitops/managing-secrets-securely-using-sscsid-with-gitops.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="gitops-installing-the-vault-csi-provider-using-gitops_{context}"]
+= Installing the Vault CSI Provider using {gitops-shortname}
+
+Install the Vault CSI provider by deploying an Argo CD Application that uses HashiCorp's official Helm chart. This method follows {gitops-shortname} best practices by managing the installation declaratively through a version-controlled Argo CD Application resource.
+
+.Prerequisites
+
+* You are logged in to the OpenShift Container Platform cluster as an administrator.
+* You have access to the {OCP} web console.
+* The link:https://docs.openshift.com/container-platform/latest/nodes/pods/nodes-pods-secrets-store.html#persistent-storage-csi-secrets-store-driver-install_nodes-pods-secrets-store[SSCSI Driver Operator] is installed on your cluster.
+* The {gitops-title} Operator is installed on your cluster.
+* You have a {gitops-shortname} repository ready to use the secrets.
+
+.Procedure
+
+. Creating the Argo CD Application resource for the Vault CSI Provider.
+
+.. Create an Argo CD Application resource to deploy the Vault CSI provider. Add this resource to your {gitops-shortname} repository, for example, `config/argocd/vault-secret-provider-app.yaml`:
++
+.Example `vault-secret-provider-app.yaml` file
+[source,yaml]
+----
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: vault-secret-provider-app
+  namespace: openshift-gitops
+spec:
+  destination:
+    namespace: vault-csi-provider
+    server: https://kubernetes.default.svc
+  project: default
+  source:
+    repoURL: https://helm.releases.hashicorp.com
+    chart: vault
+    targetRevision: 0.30.0
+    helm:
+      releaseName: vault
+      values: |
+        csi:
+          enabled: true
+        server:
+          enabled: true
+          dataStorage:
+             enabled: false
+        injector:
+          enabled: false
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+    - CreateNamespace=true
+  ignoreDifferences:
+  - kind: DaemonSet
+    group: apps
+    jsonPointers:
+      - /spec/template/spec/containers/0/securityContext/privileged
+
+----
++
+[NOTE]
+====
+The `server.enabled: true` and `dataStorage.enabled: false` settings in the Helm values deploy a HashiCorp Vault server instance using ephemeral storage. This setup is suitable for development or testing environments. For production, you can enable `dataStorage` with a persistent volume (PV) or use an external Vault cluster and set `server.enabled` to `false`. If a Vault server is already deployed, you can set `server.enabled` to `false`.
+====
+
+. Apply the `vault-secret-provider-app.yaml` file from the {gitops-shortname} repository to your cluster:
++
+[source,terminal]
+----
+$ oc apply -f vault-secret-provider-app.yaml
+----
++
+After deploying the Vault CSI provider, the `vault-csi-provider` DaemonSet may fail to run. This issue occurs because {OCP} restricts privileged containers by default. In addition, the Vault CSI provider and the Secrets Store CSI Driver require access to `hostPath` mounts, which {OCP} blocks unless the pods run as privileged.
+
+.. To resolve permission issues in {OCP}:
+
+... Patch the `vault-csi-provider` DaemonSet to run its containers as privileged:
++
+[source,terminal]
+----
+$ oc patch daemonset vault-csi-provider -n vault-csi-provider --type=json --patch='[{"op":"add","path":"/spec/template/spec/containers/0/securityContext","value":{"privileged":true}}]
+----
+
+... Grant the Secrets Store CSI Driver service account access to the privileged Security Context Constraints (SCC) in {OCP}.
++
+[source,terminal]
+----
+$ oc adm policy add-scc-to-user privileged \ system:serviceaccount:openshift-cluster-csi-drivers:secrets-store-csi-driver-operator
+----
+
+... Grant the Vault CSI Provider service account access to the privileged Security Context Constraints (SCC) in {OCP}.
++
+[source,terminal]
+----
+$ oc adm policy add-scc-to-user privileged \
+system:serviceaccount:vault-csi-provider:vault-csi-provider
+----
++
+[NOTE]
+====
+If `server.enabled` is set to `true` in the Helm chart, the Vault server pods run with specific user IDs (UIDs) or group IDs (GIDs) that {OCP} blocks by default.
+====
+
+... Grant the Vault server service account the required Security Context Constraints (SCC) permissions.
++
+[source,terminal]
+----
+$ oc adm policy add-scc-to-user anyuid  system:serviceaccount:vault-csi-provider:vault
+----

modules/gitops-managing-secrets-using-sscsid-with-gitops-overview.adoc

@@ -34,6 +34,7 @@ The following secrets store providers are available for use with the Secrets Sto
 * AWS Secrets Manager
 * AWS Systems Manager Parameter Store
 * Microsoft Azure Key Vault
+* HashiCorp Vault
 
 As an example, consider that you are using AWS Secrets Manager as your secrets store provider with the SSCSI Driver Operator. The following example shows the directory structure in {gitops-shortname} repository that is ready to use the secrets from AWS Secrets Manager:
 

securing_openshift_gitops/managing-secrets-securely-using-sscsid-with-gitops.adoc

@@ -28,10 +28,19 @@ include::modules/gitops-managing-secrets-using-sscsid-with-gitops-overview.adoc[
 include::modules/gitops-storing-aws-secret-manager-resources-in-gitops-repository.adoc[leveloffset=+1]
 
 // Configuring SSCSI driver to mount secrets from AWS Secrets Manager
-include::modules/gitops-configuring-sscsi-driver-to-mount-secrets-from-aws-secrets-manager.adoc[leveloffset=+1]
+include::modules/gitops-configuring-sscsi-driver-to-mount-secrets-from-aws-secrets-manager.adoc[leveloffset=+2]
 
 // Configuring GitOps managed resources to use mounted secrets
-include::modules/gitops-configuring-gitops-managed-resources-to-use-mounted-secrets.adoc[leveloffset=+1]
+include::modules/gitops-configuring-gitops-managed-resources-to-use-mounted-secrets.adoc[leveloffset=+2]
+
+// Configure HashiCorp Vault as a secrets provider on OpenShift with GitOps
+include::modules/gitops-configure-hashicorp-vault-as-a-secrets-provider-on-openshift-with-gitops.adoc[leveloffset=+1]
+
+// Installing the Vault CSI Provider using GitOps
+include::modules/gitops-installing-the-vault-csi-provider-using-gitops.adoc[leveloffset=+2]
+
+// Installing and configuring Vault to store a Secret
+include::modules/gitops-installing-and-configuring-vault-to-store-a-secret.adoc[leveloffset=+2]
 
 [role="_additional-resources"]
 [id="additional-resources_{context}"]