Create a Kubernetes Secret for VAST Block CSI Driver


Create a Kubernetes secret to hold the VMS user credentials or authentication token that VAST Block CSI Driver uses to communicate with the VAST cluster. You need to supply the name of the secret when creating the driver's Helm chart configuration file.

You can create one or more Kubernetes secrets that can be specified individually per storage class or snapshot class. Each of these Kubernetes secrets specifies the VAST cluster to connect to and the VMS user credentials or authentication token, enabling you to provision volumes on multiple VAST clusters or using multiple VMS users on the same VAST cluster.

Tip

The secret can be used not only when there are multiple VAST clusters, but also whenever the secretName and secretNamespace parameters in the Helm chart configuration file (values.yaml) are specified within a storage class or under StorageClassDefaults.

Do either of the following:

Create a Secret with a VMS Authentication Token

Note

VMS authentication tokens are supported with VAST Cluster 5.3 or later.

To create a Kubernetes secret with the VMS user's authentication token:

  1. Create a YAML file with the following content:

    apiVersion: v1
    kind: Secret
    metadata:
      name: <secret name>
    type: Opaque
    data:
      endpoint: <VAST cluster hostname>
      tenant: <VAST tenant name>
      token: <VMS user's token>
      sslCert: <path to SSL certificate>
      passphrase: <LUKS passphrase>

    Where:

    • (Required) name is the name of the Kubernetes secret.

    • (Required) endpoint sets the hostname FQDN or IP address of the VMS URL of the VAST cluster where you want to provision block volumes.

    • (Optional) tenant lets you connect to a particular VAST cluster tenant. Supplying a tenant requires that the VMS user has a user type of Tenant Admin for the specified tenant (in VAST Web UI: Administrators -> Managers -> open manager details -> User type: Tenant Admin).

      Note

      The tenant parameter is supported starting with VAST Block CSI Driver 2.6.3.

    • (Required) token is the VMS authentication token of the VMS user to connect to the VAST cluster. The token must be Base64-encoded.

    • (Optional) sslCert is only required if you are using SSL encryption with a self-signed SSL certificate. It specifies the path to the SSL certificate.

    • (Optional) passphrase enables LUKS-based host encryption and sets the LUKS passphrase to be used to encrypt and decrypt the block device. This parameter is available starting with VAST CSI 2.6.3.

  2. Apply the YAML file:

    kubectl apply -f <path to the YAML file>

    Note

    If you are creating the secret in a namespace that is different from the namespace used to install the driver's Helm chart, specify the secret's namespace on the command: -n <secret's namespace>.

Alternatively, you can create a secret with the following command:

kubectl create secret generic <secret name> \
    --from-literal=endpoint='vms.example.com' \
    --from-literal=tenant='<VAST tenant name>' \
    --from-literal=token='<VMS user token>' \
    --from-file=ssl_cert='<path to SSL certificate>' \
    --from-literal=passphrase='<LUKS passphrase>' \
    -n <secret namespace>

For example:

kubectl create secret generic vast-mgmt \
    --from-literal=endpoint='vms.example.com' \
    --from-literal=tenant='Operations' \
    --from-literal=token='xxxxxxxxxххххххххххххххххххххххххххххххх' \
    --from-file=ssl_cert='VastCerts/RootCA.crt' \
    -n secret_namespace

Create a Secret with VMS User Credentials

To create a Kubernetes secret with VMS user credentials:

  1. Create a YAML file with the following content:

    apiVersion: v1
    kind: Secret
    metadata:
      name: <secret name>
    type: Opaque
    data:
      endpoint: <VAST cluster hostname>
      tenant: <VAST tenant name>
      username: <VMS user's username>
      password: <VMS user's password>
      sslCert: <path to SSL certificate>
      passphrase: <LUKS passphrase>
    

    Where:

    • (Required) name is the name of the Kubernetes secret.

    • (Required) endpoint sets the hostname FQDN or IP address of the VMS URL of the VAST cluster where you want to provision block volumes.

    • (Optional) tenant lets you connect to a particular VAST cluster tenant. Supplying a tenant requires that the VMS user has a user type of Tenant Admin for the specified tenant (in VAST Web UI: Administrators -> Managers -> open manager details -> User type: Tenant Admin).

      Note

      The tenant parameter is supported starting with VAST Block CSI Driver 2.6.3.

    • (Required) username is the username of the VMS user to connect to the VAST cluster. The username must be Base64-encoded.

    • (Required) password is the password for the VMS user connecting to the VAST cluster. The password must be Base64-encoded.

    • (Optional) sslCert is only required if you are using SSL encryption with a self-signed SSL certificate. It specifies the path to the SSL certificate.

    • (Optional) passphrase enables LUKS-based host encryption and sets the LUKS passphrase to be used to encrypt and decrypt the block device. This parameter is available starting with VAST CSI 2.6.3.

  2. Apply the YAML file:

    kubectl apply -f <path to the YAML file>

    Note

    If you are creating the secret in a namespace that is different from the namespace used to install the driver's Helm chart, specify the secret's namespace on the command: -n <secret's namespace>.

Alternatively, you can create a secret with the following command:

kubectl create secret generic <secret name> \
    --from-literal=endpoint='vms.example.com' \
    --from-literal=tenant='<VAST tenant name>' \
    --from-literal=username='<VMS username>' \
    --from-literal=password='<VMS user password>' \
    --from-file=ssl_cert='<path to SSL certificate>' \
    --from-literal=passphrase='<LUKS passphrase>' \
    -n <secret namespace>

For example:

kubectl create secret generic vast-mgmt \
    --from-literal=endpoint='vms.example.com' \
    --from-literal=tenant='Operations' \
    --from-literal=username='user1' \
    --from-literal=password='xxxxxxxxx' \
    --from-file=ssl_cert='VastCerts/RootCA.crt' \
    -n secret_namespace
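
The following script is an added example, not part of the VAST documentation or driver. It renders the manifest for either procedure above with each value under data Base64-encoded on one line and without a trailing newline, and it reads the token or password from a file, because values passed with --from-literal end up in shell history and the process list. The helper names (b64, has_trailing_newline, render_vast_secret) and the KEY=@FILE syntax are assumptions of this example, as is a credential that contains no line breaks.

```shell
#!/bin/sh
# Added example, not VAST code. Builds the Secret manifest for either procedure
# with every data value Base64-encoded; sensitive values come from files so
# they never appear in argv or shell history. All sample values are constructed.

# Encode stdin on one line (GNU base64 wraps long output at 76 columns).
b64() { base64 | tr -d '\n'; }

# True if a Base64 value decodes to data ending in LF or CR, the result of
# `echo "$TOKEN" | base64`: the stored value is then not the real credential.
has_trailing_newline() {
    local last
    last=$(printf '%s' "$1" | base64 -d | tail -c 1 | od -An -tx1 | tr -d ' \n')
    [ "$last" = "0a" ] || [ "$last" = "0d" ]
}

# render_vast_secret NAME KEY=VALUE|KEY=@FILE ...  (hypothetical helper name)
# KEY=@FILE reads the value from FILE and strips line endings.
render_vast_secret() {
    local name="$1" pair key val
    shift
    printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\n' "$name"
    printf 'type: Opaque\ndata:\n'
    for pair in "$@"; do
        key=${pair%%=*}
        val=${pair#*=}
        case $val in
            @*) [ -r "${val#@}" ] || { echo "cannot read ${val#@}" >&2; return 1; }
                val=$(tr -d '\r\n' < "${val#@}") ;;
        esac
        [ -n "$val" ] || { echo "empty value for $key" >&2; return 1; }
        printf '  %s: %s\n' "$key" "$(printf '%s' "$val" | b64)"
    done
}

# Constructed demo with a throwaway token file.
demo() {
    local dir manifest
    dir=$(mktemp -d) || return 1
    (umask 077; printf 'constructed-demo-token\n' > "$dir/token")
    # Capture first so a failed read never pipes a partial manifest onward.
    manifest=$(render_vast_secret vast-mgmt endpoint=vms.example.com \
        tenant=Operations token=@"$dir/token") || { rm -rf "$dir"; return 1; }
    rm -rf "$dir"
    printf '%s\n' "$manifest"   # review, then pipe to: kubectl apply -f -
}
demo
```

Base64 here is an encoding, not encryption: anyone who can read the Secret object can recover the token, password and LUKS passphrase, so limit read access to the secret's namespace accordingly.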