From 7313375e77e6bce547339fe67f817595954cbda5 Mon Sep 17 00:00:00 2001 From: Christopher Tauchen Date: Thu, 30 Jan 2025 15:24:11 +0000 Subject: [PATCH] Adds changes from GH#1837 to all products and versions --- calico-cloud/reference/resources/bgppeer.mdx | 72 +++++++++++++++++++ .../reference/resources/bgppeer.mdx | 72 +++++++++++++++++++ .../reference/resources/bgppeer.mdx | 72 +++++++++++++++++++ .../reference/resources/bgppeer.mdx | 72 +++++++++++++++++++ .../reference/resources/bgppeer.mdx | 72 +++++++++++++++++++ .../reference/resources/bgppeer.mdx | 72 +++++++++++++++++++ .../reference/resources/bgppeer.mdx | 72 +++++++++++++++++++ .../reference/resources/bgppeer.mdx | 72 +++++++++++++++++++ .../reference/resources/bgppeer.mdx | 72 +++++++++++++++++++ .../reference/resources/bgppeer.mdx | 72 +++++++++++++++++++ .../reference/resources/bgppeer.mdx | 72 +++++++++++++++++++ .../reference/resources/bgppeer.mdx | 72 +++++++++++++++++++ 12 files changed, 864 insertions(+) diff --git a/calico-cloud/reference/resources/bgppeer.mdx b/calico-cloud/reference/resources/bgppeer.mdx index f0ab7745aa..a0fbebee5f 100644 --- a/calico-cloud/reference/resources/bgppeer.mdx +++ b/calico-cloud/reference/resources/bgppeer.mdx @@ -88,6 +88,78 @@ secret must be in the same namespace as the $[nodecontainer] pod. | name | The name of the secret | string | | key | The key within the secret | string | +:::warning + +$[prodname] must be able to read the referenced secret. + +This means that the `calico-node` ServiceAccount must have permissions to `list, get, watch` the secret referenced in the KeyRef. + +In practice, this can be done by creating a Role (which allows to `list, get, watch` the secret) and a RoleBinding (which grants the Role's permission to the `calico-node` ServiceAccount). + +Example: + +```yaml +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: bgp-passwords-reader + namespace: calico-system +rules: + - apiGroups: [""] + resources: ["secrets"] + resourceNames: ["bgp-passwords"] + verbs: ["list", "watch", "get"] + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: calico-read-bgp-passwords + namespace: calico-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: bgp-passwords-reader +subjects: + - kind: ServiceAccount + name: calico-node + +--- +apiVersion: v1 +kind: Secret +metadata: + name: "bgp-passwords" + namespace: calico-system +data: + peer_a_pw: "base64-encoded Password for Peer A" + peer_b_pw: "base64-encoded Password for Peer B" + +--- +apiVersion: crd.projectcalico.org/v1 +kind: BGPPeer +metadata: + name: "peer-a" +spec: + password: + secretKeyRef: + name: "bgp-passwords" + key: "peer_a_pw" + +--- +apiVersion: crd.projectcalico.org/v1 +kind: BGPPeer +metadata: + name: "peer-b" +spec: + password: + secretKeyRef: + name: "bgp-passwords" + key: "peer_b_pw" +``` + +::: + ## Peer scopes BGP Peers can exist at either global or node-specific scope. A peer's scope diff --git a/calico-cloud_versioned_docs/version-20-2/reference/resources/bgppeer.mdx b/calico-cloud_versioned_docs/version-20-2/reference/resources/bgppeer.mdx index 7dcebf7f4a..8583226dcb 100644 --- a/calico-cloud_versioned_docs/version-20-2/reference/resources/bgppeer.mdx +++ b/calico-cloud_versioned_docs/version-20-2/reference/resources/bgppeer.mdx @@ -88,6 +88,78 @@ secret must be in the same namespace as the $[nodecontainer] pod. | name | The name of the secret | string | | key | The key within the secret | string | +:::warning + +$[prodname] must be able to read the referenced secret. + +This means that the `calico-node` ServiceAccount must have permissions to `list, get, watch` the secret referenced in the KeyRef. + +In practice, this can be done by creating a Role (which allows to `list, get, watch` the secret) and a RoleBinding (which grants the Role's permission to the `calico-node` ServiceAccount). + +Example: + +```yaml +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: bgp-passwords-reader + namespace: calico-system +rules: + - apiGroups: [""] + resources: ["secrets"] + resourceNames: ["bgp-passwords"] + verbs: ["list", "watch", "get"] + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: calico-read-bgp-passwords + namespace: calico-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: bgp-passwords-reader +subjects: + - kind: ServiceAccount + name: calico-node + +--- +apiVersion: v1 +kind: Secret +metadata: + name: "bgp-passwords" + namespace: calico-system +data: + peer_a_pw: "base64-encoded Password for Peer A" + peer_b_pw: "base64-encoded Password for Peer B" + +--- +apiVersion: crd.projectcalico.org/v1 +kind: BGPPeer +metadata: + name: "peer-a" +spec: + password: + secretKeyRef: + name: "bgp-passwords" + key: "peer_a_pw" + +--- +apiVersion: crd.projectcalico.org/v1 +kind: BGPPeer +metadata: + name: "peer-b" +spec: + password: + secretKeyRef: + name: "bgp-passwords" + key: "peer_b_pw" +``` + +::: + ## Peer scopes BGP Peers can exist at either global or node-specific scope. A peer's scope diff --git a/calico-enterprise/reference/resources/bgppeer.mdx b/calico-enterprise/reference/resources/bgppeer.mdx index 2086bf76a4..d1447533cc 100644 --- a/calico-enterprise/reference/resources/bgppeer.mdx +++ b/calico-enterprise/reference/resources/bgppeer.mdx @@ -90,6 +90,78 @@ secret must be in the same namespace as the $[nodecontainer] pod. | name | The name of the secret | string | | key | The key within the secret | string | +:::warning + +$[prodname] must be able to read the referenced secret. + +This means that the `calico-node` ServiceAccount must have permissions to `list, get, watch` the secret referenced in the KeyRef. + +In practice, this can be done by creating a Role (which allows to `list, get, watch` the secret) and a RoleBinding (which grants the Role's permission to the `calico-node` ServiceAccount). + +Example: + +```yaml +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: bgp-passwords-reader + namespace: calico-system +rules: + - apiGroups: [""] + resources: ["secrets"] + resourceNames: ["bgp-passwords"] + verbs: ["list", "watch", "get"] + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: calico-read-bgp-passwords + namespace: calico-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: bgp-passwords-reader +subjects: + - kind: ServiceAccount + name: calico-node + +--- +apiVersion: v1 +kind: Secret +metadata: + name: "bgp-passwords" + namespace: calico-system +data: + peer_a_pw: "base64-encoded Password for Peer A" + peer_b_pw: "base64-encoded Password for Peer B" + +--- +apiVersion: crd.projectcalico.org/v1 +kind: BGPPeer +metadata: + name: "peer-a" +spec: + password: + secretKeyRef: + name: "bgp-passwords" + key: "peer_a_pw" + +--- +apiVersion: crd.projectcalico.org/v1 +kind: BGPPeer +metadata: + name: "peer-b" +spec: + password: + secretKeyRef: + name: "bgp-passwords" + key: "peer_b_pw" +``` + +::: + ## Peer scopes BGP Peers can exist at either global or node-specific scope. A peer's scope diff --git a/calico-enterprise_versioned_docs/version-3.17/reference/resources/bgppeer.mdx b/calico-enterprise_versioned_docs/version-3.17/reference/resources/bgppeer.mdx index 768e29e718..e497576e89 100644 --- a/calico-enterprise_versioned_docs/version-3.17/reference/resources/bgppeer.mdx +++ b/calico-enterprise_versioned_docs/version-3.17/reference/resources/bgppeer.mdx @@ -90,6 +90,78 @@ secret must be in the same namespace as the $[nodecontainer] pod. | name | The name of the secret | string | | key | The key within the secret | string | +:::warning + +$[prodname] must be able to read the referenced secret. + +This means that the `calico-node` ServiceAccount must have permissions to `list, get, watch` the secret referenced in the KeyRef. + +In practice, this can be done by creating a Role (which allows to `list, get, watch` the secret) and a RoleBinding (which grants the Role's permission to the `calico-node` ServiceAccount). + +Example: + +```yaml +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: bgp-passwords-reader + namespace: calico-system +rules: + - apiGroups: [""] + resources: ["secrets"] + resourceNames: ["bgp-passwords"] + verbs: ["list", "watch", "get"] + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: calico-read-bgp-passwords + namespace: calico-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: bgp-passwords-reader +subjects: + - kind: ServiceAccount + name: calico-node + +--- +apiVersion: v1 +kind: Secret +metadata: + name: "bgp-passwords" + namespace: calico-system +data: + peer_a_pw: "base64-encoded Password for Peer A" + peer_b_pw: "base64-encoded Password for Peer B" + +--- +apiVersion: crd.projectcalico.org/v1 +kind: BGPPeer +metadata: + name: "peer-a" +spec: + password: + secretKeyRef: + name: "bgp-passwords" + key: "peer_a_pw" + +--- +apiVersion: crd.projectcalico.org/v1 +kind: BGPPeer +metadata: + name: "peer-b" +spec: + password: + secretKeyRef: + name: "bgp-passwords" + key: "peer_b_pw" +``` + +::: + ## Peer scopes BGP Peers can exist at either global or node-specific scope. A peer's scope diff --git a/calico-enterprise_versioned_docs/version-3.18-2/reference/resources/bgppeer.mdx b/calico-enterprise_versioned_docs/version-3.18-2/reference/resources/bgppeer.mdx index 49214719cf..b7b045b8fa 100644 --- a/calico-enterprise_versioned_docs/version-3.18-2/reference/resources/bgppeer.mdx +++ b/calico-enterprise_versioned_docs/version-3.18-2/reference/resources/bgppeer.mdx @@ -90,6 +90,78 @@ secret must be in the same namespace as the $[nodecontainer] pod. | name | The name of the secret | string | | key | The key within the secret | string | +:::warning + +$[prodname] must be able to read the referenced secret. + +This means that the `calico-node` ServiceAccount must have permissions to `list, get, watch` the secret referenced in the KeyRef. + +In practice, this can be done by creating a Role (which allows to `list, get, watch` the secret) and a RoleBinding (which grants the Role's permission to the `calico-node` ServiceAccount). + +Example: + +```yaml +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: bgp-passwords-reader + namespace: calico-system +rules: + - apiGroups: [""] + resources: ["secrets"] + resourceNames: ["bgp-passwords"] + verbs: ["list", "watch", "get"] + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: calico-read-bgp-passwords + namespace: calico-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: bgp-passwords-reader +subjects: + - kind: ServiceAccount + name: calico-node + +--- +apiVersion: v1 +kind: Secret +metadata: + name: "bgp-passwords" + namespace: calico-system +data: + peer_a_pw: "base64-encoded Password for Peer A" + peer_b_pw: "base64-encoded Password for Peer B" + +--- +apiVersion: crd.projectcalico.org/v1 +kind: BGPPeer +metadata: + name: "peer-a" +spec: + password: + secretKeyRef: + name: "bgp-passwords" + key: "peer_a_pw" + +--- +apiVersion: crd.projectcalico.org/v1 +kind: BGPPeer +metadata: + name: "peer-b" +spec: + password: + secretKeyRef: + name: "bgp-passwords" + key: "peer_b_pw" +``` + +::: + ## Peer scopes BGP Peers can exist at either global or node-specific scope. A peer's scope diff --git a/calico-enterprise_versioned_docs/version-3.19-2/reference/resources/bgppeer.mdx b/calico-enterprise_versioned_docs/version-3.19-2/reference/resources/bgppeer.mdx index 17edef1536..a299766c01 100644 --- a/calico-enterprise_versioned_docs/version-3.19-2/reference/resources/bgppeer.mdx +++ b/calico-enterprise_versioned_docs/version-3.19-2/reference/resources/bgppeer.mdx @@ -90,6 +90,78 @@ secret must be in the same namespace as the $[nodecontainer] pod. | name | The name of the secret | string | | key | The key within the secret | string | +:::warning + +$[prodname] must be able to read the referenced secret. + +This means that the `calico-node` ServiceAccount must have permissions to `list, get, watch` the secret referenced in the KeyRef. + +In practice, this can be done by creating a Role (which allows to `list, get, watch` the secret) and a RoleBinding (which grants the Role's permission to the `calico-node` ServiceAccount). + +Example: + +```yaml +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: bgp-passwords-reader + namespace: calico-system +rules: + - apiGroups: [""] + resources: ["secrets"] + resourceNames: ["bgp-passwords"] + verbs: ["list", "watch", "get"] + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: calico-read-bgp-passwords + namespace: calico-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: bgp-passwords-reader +subjects: + - kind: ServiceAccount + name: calico-node + +--- +apiVersion: v1 +kind: Secret +metadata: + name: "bgp-passwords" + namespace: calico-system +data: + peer_a_pw: "base64-encoded Password for Peer A" + peer_b_pw: "base64-encoded Password for Peer B" + +--- +apiVersion: crd.projectcalico.org/v1 +kind: BGPPeer +metadata: + name: "peer-a" +spec: + password: + secretKeyRef: + name: "bgp-passwords" + key: "peer_a_pw" + +--- +apiVersion: crd.projectcalico.org/v1 +kind: BGPPeer +metadata: + name: "peer-b" +spec: + password: + secretKeyRef: + name: "bgp-passwords" + key: "peer_b_pw" +``` + +::: + ## Peer scopes BGP Peers can exist at either global or node-specific scope. A peer's scope diff --git a/calico-enterprise_versioned_docs/version-3.20-1/reference/resources/bgppeer.mdx b/calico-enterprise_versioned_docs/version-3.20-1/reference/resources/bgppeer.mdx index 9b18a304d9..d519e2db1c 100644 --- a/calico-enterprise_versioned_docs/version-3.20-1/reference/resources/bgppeer.mdx +++ b/calico-enterprise_versioned_docs/version-3.20-1/reference/resources/bgppeer.mdx @@ -90,6 +90,78 @@ secret must be in the same namespace as the $[nodecontainer] pod. | name | The name of the secret | string | | key | The key within the secret | string | +:::warning + +$[prodname] must be able to read the referenced secret. + +This means that the `calico-node` ServiceAccount must have permissions to `list, get, watch` the secret referenced in the KeyRef. + +In practice, this can be done by creating a Role (which allows to `list, get, watch` the secret) and a RoleBinding (which grants the Role's permission to the `calico-node` ServiceAccount). + +Example: + +```yaml +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: bgp-passwords-reader + namespace: calico-system +rules: + - apiGroups: [""] + resources: ["secrets"] + resourceNames: ["bgp-passwords"] + verbs: ["list", "watch", "get"] + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: calico-read-bgp-passwords + namespace: calico-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: bgp-passwords-reader +subjects: + - kind: ServiceAccount + name: calico-node + +--- +apiVersion: v1 +kind: Secret +metadata: + name: "bgp-passwords" + namespace: calico-system +data: + peer_a_pw: "base64-encoded Password for Peer A" + peer_b_pw: "base64-encoded Password for Peer B" + +--- +apiVersion: crd.projectcalico.org/v1 +kind: BGPPeer +metadata: + name: "peer-a" +spec: + password: + secretKeyRef: + name: "bgp-passwords" + key: "peer_a_pw" + +--- +apiVersion: crd.projectcalico.org/v1 +kind: BGPPeer +metadata: + name: "peer-b" +spec: + password: + secretKeyRef: + name: "bgp-passwords" + key: "peer_b_pw" +``` + +::: + ## Peer scopes BGP Peers can exist at either global or node-specific scope. A peer's scope diff --git a/calico-enterprise_versioned_docs/version-3.20-2/reference/resources/bgppeer.mdx b/calico-enterprise_versioned_docs/version-3.20-2/reference/resources/bgppeer.mdx index cd43dc3b97..c9473d2ef1 100644 --- a/calico-enterprise_versioned_docs/version-3.20-2/reference/resources/bgppeer.mdx +++ b/calico-enterprise_versioned_docs/version-3.20-2/reference/resources/bgppeer.mdx @@ -90,6 +90,78 @@ secret must be in the same namespace as the $[nodecontainer] pod. | name | The name of the secret | string | | key | The key within the secret | string | +:::warning + +$[prodname] must be able to read the referenced secret. + +This means that the `calico-node` ServiceAccount must have permissions to `list, get, watch` the secret referenced in the KeyRef. + +In practice, this can be done by creating a Role (which allows to `list, get, watch` the secret) and a RoleBinding (which grants the Role's permission to the `calico-node` ServiceAccount). + +Example: + +```yaml +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: bgp-passwords-reader + namespace: calico-system +rules: + - apiGroups: [""] + resources: ["secrets"] + resourceNames: ["bgp-passwords"] + verbs: ["list", "watch", "get"] + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: calico-read-bgp-passwords + namespace: calico-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: bgp-passwords-reader +subjects: + - kind: ServiceAccount + name: calico-node + +--- +apiVersion: v1 +kind: Secret +metadata: + name: "bgp-passwords" + namespace: calico-system +data: + peer_a_pw: "base64-encoded Password for Peer A" + peer_b_pw: "base64-encoded Password for Peer B" + +--- +apiVersion: crd.projectcalico.org/v1 +kind: BGPPeer +metadata: + name: "peer-a" +spec: + password: + secretKeyRef: + name: "bgp-passwords" + key: "peer_a_pw" + +--- +apiVersion: crd.projectcalico.org/v1 +kind: BGPPeer +metadata: + name: "peer-b" +spec: + password: + secretKeyRef: + name: "bgp-passwords" + key: "peer_b_pw" +``` + +::: + ## Peer scopes BGP Peers can exist at either global or node-specific scope. A peer's scope diff --git a/calico_versioned_docs/version-3.26/reference/resources/bgppeer.mdx b/calico_versioned_docs/version-3.26/reference/resources/bgppeer.mdx index cefd475ffa..346815fa16 100644 --- a/calico_versioned_docs/version-3.26/reference/resources/bgppeer.mdx +++ b/calico_versioned_docs/version-3.26/reference/resources/bgppeer.mdx @@ -89,6 +89,78 @@ secret must be in the same namespace as the $[nodecontainer] pod. | name | The name of the secret | string | | key | The key within the secret | string | +:::warning + +$[prodname] must be able to read the referenced secret. + +This means that the `calico-node` ServiceAccount must have permissions to `list, get, watch` the secret referenced in the KeyRef. + +In practice, this can be done by creating a Role (which allows to `list, get, watch` the secret) and a RoleBinding (which grants the Role's permission to the `calico-node` ServiceAccount). + +Example: + +```yaml +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: bgp-passwords-reader + namespace: calico-system # Or kube-system if installed using manifests. +rules: + - apiGroups: [""] + resources: ["secrets"] + resourceNames: ["bgp-passwords"] + verbs: ["list", "watch", "get"] + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: calico-read-bgp-passwords + namespace: calico-system # Or kube-system if installed using manifests. +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: bgp-passwords-reader +subjects: + - kind: ServiceAccount + name: calico-node + +--- +apiVersion: v1 +kind: Secret +metadata: + name: "bgp-passwords" + namespace: calico-system # Or kube-system if installed using manifests. +data: + peer_a_pw: "base64-encoded Password for Peer A" + peer_b_pw: "base64-encoded Password for Peer B" + +--- +apiVersion: crd.projectcalico.org/v1 +kind: BGPPeer +metadata: + name: "peer-a" +spec: + password: + secretKeyRef: + name: "bgp-passwords" + key: "peer_a_pw" + +--- +apiVersion: crd.projectcalico.org/v1 +kind: BGPPeer +metadata: + name: "peer-b" +spec: + password: + secretKeyRef: + name: "bgp-passwords" + key: "peer_b_pw" +``` + +::: + ## Peer scopes BGP Peers can exist at either global or node-specific scope. A peer's scope diff --git a/calico_versioned_docs/version-3.27/reference/resources/bgppeer.mdx b/calico_versioned_docs/version-3.27/reference/resources/bgppeer.mdx index e47c879d37..72061b1d12 100644 --- a/calico_versioned_docs/version-3.27/reference/resources/bgppeer.mdx +++ b/calico_versioned_docs/version-3.27/reference/resources/bgppeer.mdx @@ -89,6 +89,78 @@ secret must be in the same namespace as the $[nodecontainer] pod. | name | The name of the secret | string | | key | The key within the secret | string | +:::warning + +$[prodname] must be able to read the referenced secret. + +This means that the `calico-node` ServiceAccount must have permissions to `list, get, watch` the secret referenced in the KeyRef. + +In practice, this can be done by creating a Role (which allows to `list, get, watch` the secret) and a RoleBinding (which grants the Role's permission to the `calico-node` ServiceAccount). + +Example: + +```yaml +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: bgp-passwords-reader + namespace: calico-system # Or kube-system if installed using manifests. +rules: + - apiGroups: [""] + resources: ["secrets"] + resourceNames: ["bgp-passwords"] + verbs: ["list", "watch", "get"] + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: calico-read-bgp-passwords + namespace: calico-system # Or kube-system if installed using manifests. +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: bgp-passwords-reader +subjects: + - kind: ServiceAccount + name: calico-node + +--- +apiVersion: v1 +kind: Secret +metadata: + name: "bgp-passwords" + namespace: calico-system # Or kube-system if installed using manifests. +data: + peer_a_pw: "base64-encoded Password for Peer A" + peer_b_pw: "base64-encoded Password for Peer B" + +--- +apiVersion: crd.projectcalico.org/v1 +kind: BGPPeer +metadata: + name: "peer-a" +spec: + password: + secretKeyRef: + name: "bgp-passwords" + key: "peer_a_pw" + +--- +apiVersion: crd.projectcalico.org/v1 +kind: BGPPeer +metadata: + name: "peer-b" +spec: + password: + secretKeyRef: + name: "bgp-passwords" + key: "peer_b_pw" +``` + +::: + ## Peer scopes BGP Peers can exist at either global or node-specific scope. A peer's scope diff --git a/calico_versioned_docs/version-3.28/reference/resources/bgppeer.mdx b/calico_versioned_docs/version-3.28/reference/resources/bgppeer.mdx index a8b0809dbd..04b3b89cfc 100644 --- a/calico_versioned_docs/version-3.28/reference/resources/bgppeer.mdx +++ b/calico_versioned_docs/version-3.28/reference/resources/bgppeer.mdx @@ -89,6 +89,78 @@ secret must be in the same namespace as the $[nodecontainer] pod. | name | The name of the secret | string | | key | The key within the secret | string | +:::warning + +$[prodname] must be able to read the referenced secret. + +This means that the `calico-node` ServiceAccount must have permissions to `list, get, watch` the secret referenced in the KeyRef. + +In practice, this can be done by creating a Role (which allows to `list, get, watch` the secret) and a RoleBinding (which grants the Role's permission to the `calico-node` ServiceAccount). + +Example: + +```yaml +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: bgp-passwords-reader + namespace: calico-system # Or kube-system if installed using manifests. +rules: + - apiGroups: [""] + resources: ["secrets"] + resourceNames: ["bgp-passwords"] + verbs: ["list", "watch", "get"] + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: calico-read-bgp-passwords + namespace: calico-system # Or kube-system if installed using manifests. +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: bgp-passwords-reader +subjects: + - kind: ServiceAccount + name: calico-node + +--- +apiVersion: v1 +kind: Secret +metadata: + name: "bgp-passwords" + namespace: calico-system # Or kube-system if installed using manifests. +data: + peer_a_pw: "base64-encoded Password for Peer A" + peer_b_pw: "base64-encoded Password for Peer B" + +--- +apiVersion: crd.projectcalico.org/v1 +kind: BGPPeer +metadata: + name: "peer-a" +spec: + password: + secretKeyRef: + name: "bgp-passwords" + key: "peer_a_pw" + +--- +apiVersion: crd.projectcalico.org/v1 +kind: BGPPeer +metadata: + name: "peer-b" +spec: + password: + secretKeyRef: + name: "bgp-passwords" + key: "peer_b_pw" +``` + +::: + ## Peer scopes BGP Peers can exist at either global or node-specific scope. A peer's scope diff --git a/calico_versioned_docs/version-3.29/reference/resources/bgppeer.mdx b/calico_versioned_docs/version-3.29/reference/resources/bgppeer.mdx index eee6454bcb..a87c028030 100644 --- a/calico_versioned_docs/version-3.29/reference/resources/bgppeer.mdx +++ b/calico_versioned_docs/version-3.29/reference/resources/bgppeer.mdx @@ -89,6 +89,78 @@ secret must be in the same namespace as the $[nodecontainer] pod. | name | The name of the secret | string | | key | The key within the secret | string | +:::warning + +$[prodname] must be able to read the referenced secret. + +This means that the `calico-node` ServiceAccount must have permissions to `list, get, watch` the secret referenced in the KeyRef. + +In practice, this can be done by creating a Role (which allows to `list, get, watch` the secret) and a RoleBinding (which grants the Role's permission to the `calico-node` ServiceAccount). + +Example: + +```yaml +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: bgp-passwords-reader + namespace: calico-system # Or kube-system if installed using manifests. +rules: + - apiGroups: [""] + resources: ["secrets"] + resourceNames: ["bgp-passwords"] + verbs: ["list", "watch", "get"] + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: calico-read-bgp-passwords + namespace: calico-system # Or kube-system if installed using manifests. +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: bgp-passwords-reader +subjects: + - kind: ServiceAccount + name: calico-node + +--- +apiVersion: v1 +kind: Secret +metadata: + name: "bgp-passwords" + namespace: calico-system # Or kube-system if installed using manifests. +data: + peer_a_pw: "base64-encoded Password for Peer A" + peer_b_pw: "base64-encoded Password for Peer B" + +--- +apiVersion: crd.projectcalico.org/v1 +kind: BGPPeer +metadata: + name: "peer-a" +spec: + password: + secretKeyRef: + name: "bgp-passwords" + key: "peer_a_pw" + +--- +apiVersion: crd.projectcalico.org/v1 +kind: BGPPeer +metadata: + name: "peer-b" +spec: + password: + secretKeyRef: + name: "bgp-passwords" + key: "peer_b_pw" +``` + +::: + ## Peer scopes BGP Peers can exist at either global or node-specific scope. A peer's scope