Commit f4d27ad

added secrets DOC-6382 (#3140)
1 parent ae6a496 commit f4d27ad

1 file changed

Lines changed: 18 additions & 0 deletions

content/operate/kubernetes/security/vault.md

@@ -28,6 +28,12 @@ When Vault integration is enabled, all secrets referenced in Redis Enterprise cu
2828
| | [Proxy certificate]({{< relref "/operate/kubernetes/security/manage-rec-certificates" >}}) | [`proxyCertificateSecretName`]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_cluster_api#redisenterprisespec" >}}) | TLS certificate for proxy |
2929
| | [Syncer certificate]({{< relref "/operate/kubernetes/active-active" >}}) | [`syncerCertificateSecretName`]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_cluster_api#redisenterprisespec" >}}) | TLS certificate for Active-Active syncer |
3030
| | [LDAP client certificate]({{< relref "/operate/kubernetes/security/ldap" >}}) | [`ldapClientCertificateSecretName`]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_cluster_api#redisenterprisespec" >}}) | TLS certificate for LDAP client authentication |
31+
| | [CPINE certificate]({{< relref "/operate/kubernetes/security/manage-rec-certificates" >}}) | [`cpInternodeEncryptionCertificateSecretName`]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_cluster_api#speccertificates" >}}) | TLS certificate for Control Plane Internode Encryption (CPINE) |
32+
| | [DPINE certificate]({{< relref "/operate/kubernetes/security/manage-rec-certificates" >}}) | [`dpInternodeEncryptionCertificateSecretName`]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_cluster_api#speccertificates" >}}) | TLS certificate for Data Plane Internode Encryption (DPINE) |
33+
| | [SSO service certificate]({{< relref "/operate/kubernetes/security/sso" >}}) | [`ssoServiceCertificateSecretName`]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_cluster_api#speccertificates" >}}) | Service Provider (SP) certificate for SAML SSO |
34+
| | [SSO issuer certificate]({{< relref "/operate/kubernetes/security/sso" >}}) | [`ssoIssuerCertificateSecretName`]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_cluster_api#speccertificates" >}}) | Identity Provider (IdP) public certificate for SAML SSO |
35+
| | [SSO IdP metadata]({{< relref "/operate/kubernetes/security/sso" >}}) | [`idpMetadataSecretName`]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_cluster_api#specssosaml" >}}) | SAML Identity Provider metadata XML |
36+
| | [LDAP bind credentials]({{< relref "/operate/kubernetes/security/ldap" >}}) | [`bindCredentialsSecretName`]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_cluster_api#specldap" >}}) | Credentials for authenticating to the LDAP server |
3137
| | [User-defined module credentials]({{< relref "/operate/kubernetes/re-databases/modules" >}}) | [`credentialsSecret`]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_cluster_api#specuserdefinedmodulessourcehttps" >}}) | Credentials for downloading user-defined modules from authenticated repositories |
3238
| **Database secrets** | | | |
3339
| | [Database passwords]({{< relref "/operate/kubernetes/networking/database-connectivity/#credentials-and-secrets-management" >}}) | Various | Passwords for Redis databases |
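Review bot: the four new certificate rows (CPINE, DPINE, SSO service, SSO issuer) link their field names to `#speccertificates`, while the three adjacent existing certificate rows (`proxyCertificateSecretName`, `syncerCertificateSecretName`, `ldapClientCertificateSecretName`) link to `#redisenterprisespec`; since these are sibling fields in the same `certificates` block, either update the existing rows to `#speccertificates` in this change or keep the new rows consistent with the old, so readers land in the same section of the API reference. It is also worth confirming that the `#speccertificates`, `#specssosaml` and `#specldap` fragments resolve to headings in the rendered API reference page before merging, since a relref that resolves the page but not the fragment still renders as a dead in-page link.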
@@ -44,6 +50,9 @@ When Vault integration is enabled, all secrets referenced in Redis Enterprise cu
4450
| | [Active-Active database secrets]({{< relref "/operate/kubernetes/active-active" >}}) | [`globalConfigurations`]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_active_active_database_api#redisenterpriseactiveactivedatabasespec" >}}) | All secret names specified in REAADB global configurations |
4551
{{</table-scrollable>}}
4652

53+
{{<note>}}
54+
The SSO Service Provider (SP) metadata secret (`spMetadataSecretName`) is **not** managed by Vault. This secret is operator-generated and is not written to Vault. To retrieve SP metadata when using Vault, fetch it directly from the Redis Enterprise Server API (`GET /v1/cluster/sso/saml/metadata/sp`).
55+
{{</note>}}
4756

4857
For complete details on supported secrets, see the [`RedisEnterpriseCluster` API reference]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_cluster_api" >}}) and [`RedisEnterpriseDatabase` API reference]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_database_api" >}}).
4958

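Review bot: the note says the same thing twice ("is **not** managed by Vault" and "is not written to Vault"); fold it into one sentence and use the space to answer the question a reader will have next, namely where the operator-generated `spMetadataSecretName` secret does live when Vault integration is enabled (presumably still as a Kubernetes Secret, but the note should say so). The `GET /v1/cluster/sso/saml/metadata/sp` endpoint is named inline without a link; the rest of this page relrefs every referenced page and field, so link the endpoint to its REST API reference entry and state which credentials the call requires, as that is the detail someone retrieving SP metadata for their IdP will need.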
@@ -395,6 +404,15 @@ spec:
395404
proxyCertificateSecretName: <VAULT_SECRET_NAME>
396405
syncerCertificateSecretName: <VAULT_SECRET_NAME>
397406
ldapClientCertificateSecretName: <VAULT_SECRET_NAME>
407+
cpInternodeEncryptionCertificateSecretName: <VAULT_SECRET_NAME>
408+
dpInternodeEncryptionCertificateSecretName: <VAULT_SECRET_NAME>
409+
ssoServiceCertificateSecretName: <VAULT_SECRET_NAME>
410+
ssoIssuerCertificateSecretName: <VAULT_SECRET_NAME>
411+
ldap:
412+
bindCredentialsSecretName: <VAULT_SECRET_NAME>
413+
sso:
414+
saml:
415+
idpMetadataSecretName: <VAULT_SECRET_NAME>
398416
# Vault configuration
399417
clusterCredentialSecretType: vault
400418
clusterCredentialSecretRole: redis-enterprise-rec-<K8S_NAMESPACE>
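Review bot: indentation matters here and the rendered diff hides it. The table in the first hunk links `bindCredentialsSecretName` to `#specldap` and `idpMetadataSecretName` to `#specssosaml`, so `ldap:` and `sso:` are `spec`-level blocks, siblings of `certificates:`, not children of it; please verify in the raw file that the new `ldap:` and `sso:` keys are dedented to the same level as `certificates:` rather than sitting under it alongside the `*CertificateSecretName` fields, since a copy-pasted example with the wrong nesting will fail CRD validation silently from the reader's point of view. Separately, all nine fields use the single placeholder `<VAULT_SECRET_NAME>`, which reads as if one Vault secret backs every certificate and credential; either vary the placeholders (for example `<VAULT_PROXY_CERT_SECRET_NAME>`) or add a line above the example stating that each field names its own secret.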
