Step 2: Enable security in Portworx


This document guides you through editing the Portworx manifest YAML file as shown in the Enabling authorization section example.

This procedure instructs Kubernetes to create and provide Portworx with environment variables whose values are retrieved securely from the Secret object created in the Generate shared secrets section.

Prerequisites

  • If you do not already have a manifest, visit PX-Central to generate and download a deployment YAML for your configuration.
  • You must have a value for the token issuer. The issuer is a string value which must identify the token generator. This value will be used by Portworx to identify the token generator. In the examples below the issuer is set to portworx.com, but you are encouraged to change it.

Using Portworx DaemonSet

If you are deploying Portworx without the Portworx operator, then perform the following steps to enable security in Portworx:

  1. Add issuer to the portworx DaemonSet under portworx/oci-monitor container args:

       ... "-jwt_issuer", "portworx.com"]
    
  2. Add references to the shared keys as environment variables to portworx/oci-monitor:

        - name: "PORTWORX_AUTH_JWT_SHAREDSECRET"
          valueFrom:
            secretKeyRef:
              name: pxkeys
              key: shared-secret
        - name: "PORTWORX_AUTH_SYSTEM_KEY"
          valueFrom:
            secretKeyRef:
              name: pxkeys
              key: system-secret
        - name: "PORTWORX_AUTH_STORK_KEY"
          valueFrom:
            secretKeyRef:
              name: pxkeys
              key: stork-secret
  3. Add references to the shared key to openstorage/stork:

        - name: "PX_SHARED_SECRET"
          valueFrom:
            secretKeyRef:
              name: pxkeys
              key: stork-secret
  4. You can now apply the manifest and wait until Portworx is ready.

Once you’ve enabled security in Portworx, continue to the Generate tokens section.



Last edited: Monday, Oct 19, 2020