NGINXaaS: add docs for Secret Manager integration

content/nginxaas-google/monitoring/access-management.md → content/nginxaas-google/getting-started/access-management.md

@@ -1,6 +1,6 @@
 ---
 title: Identity and access management
-weight: 100
+weight: 600
 toc: true
 nd-docs: DOCS-000
 url: /nginxaas/google/getting-started/access-management/
@@ -10,7 +10,13 @@ nd-product: NGOOGL
 
 
 
-F5 NGINXaaS for Google Cloud (NGINXaaS) uses Workload Identity Federation (WIF) to integrate with Google Cloud services. For example, with WIF configured, your NGINXaaS deployment can export logs and metrics to Cloud Monitoring in your Google project. To learn more, see [Google's Workload Identity Federation documentation](https://cloud.google.com/iam/docs/workload-identity-federation).
+F5 NGINXaaS for Google Cloud (NGINXaaS) uses Workload Identity Federation (WIF) to integrate with Google Cloud services. For example, with WIF configured, your NGINXaaS deployment can perform the following integrations:
+
+ - export logs to Cloud Logging
+ - export metrics to Cloud Monitoring
+ - fetch secrets from Secret Manager
+
+To learn more, see [Google's Workload Identity Federation documentation](https://cloud.google.com/iam/docs/workload-identity-federation).
 
 ## Prerequisites
 
@@ -32,34 +38,74 @@ F5 NGINXaaS for Google Cloud (NGINXaaS) uses Workload Identity Federation (WIF)
 
 ### Grant access to the WIF principal with your desired roles
 
-In the [Google Cloud Console](https://console.cloud.google.com/),
-1. Select your google project you want to grant access on. For example, to grant access to export logs to a Google project, `$LOG_PROJECT_ID`, or to export metrics to a Google project, `$METRIC_PROJECT_ID`, go to that project.
+Depending on your use case, you will need to grant certain roles on specific resources. See [Google's documentation on granting access](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#access) for more information.
+
+{{< details summary="Grant access to export logs to a Google project">}}
+
+To grant access to export logs to a Google project, `$LOG_PROJECT_ID`, in the [Google Cloud Console](https://console.cloud.google.com/),
+
+1. Go to the `$LOG_PROJECT_ID` project.
+1. Go to the **IAM** page.
+1. Select **Grant Access**.
+1. Enter your principal, for example, `principal://iam.googleapis.com/projects/$WIF_PROJECT_NUMBER/locations/global/workloadIdentityPools/$WIF_POOL_ID/subject/$NGINXAAS_SERVICE_ACCOUNT_UNIQUE_ID`.
+1. Assign the **Logs Writer** role.
+
+Alternatively, to use the Google Cloud CLI, you can run the following `gcloud` command.
+
+```bash
+gcloud projects add-iam-policy-binding "$LOG_PROJECT_ID" \
+    --member="principal://iam.googleapis.com/projects/$WIF_PROJECT_NUMBER/locations/global/workloadIdentityPools/$WIF_POOL_ID/subject/$NGINXAAS_SERVICE_ACCOUNT_UNIQUE_ID" \
+    --role='roles/logging.logWriter'
+```
+
+{{< /details >}}
+
+{{< details summary="Grant access to export metrics to a Google project">}}
+
+To grant access to export metrics to a Google project, `$METRIC_PROJECT_ID` in the [Google Cloud Console](https://console.cloud.google.com/),
+
+1. Go to the `$METRIC_PROJECT_ID` project.
 1. Go to the **IAM** page.
 1. Select **Grant Access**.
 1. Enter your principal, for example, `principal://iam.googleapis.com/projects/$WIF_PROJECT_NUMBER/locations/global/workloadIdentityPools/$WIF_POOL_ID/subject/$NGINXAAS_SERVICE_ACCOUNT_UNIQUE_ID`.
-1. Assign roles. For example,
-    - To grant access to export logs, add the **Logs Writer** role.
-    - To grant access to export metrics, add the **Monitoring Metric Writer** role.
-
-Alternatively, to use the Google Cloud CLI, you can run the following `gcloud` commands.
-- To grant access to export logs to a Google project, `$LOG_PROJECT_ID`,
-    ```bash
-    gcloud projects add-iam-policy-binding "$LOG_PROJECT_ID" \
-        --member="principal://iam.googleapis.com/projects/$WIF_PROJECT_NUMBER/locations/global/workloadIdentityPools/$WIF_POOL_ID/subject/$NGINXAAS_SERVICE_ACCOUNT_UNIQUE_ID" \
-        --role='roles/logging.logWriter'
-    ```
-- To grant access to export metrics to a Google project, `$METRIC_PROJECT_ID`,
-    ```bash
-    gcloud projects add-iam-policy-binding "$METRIC_PROJECT_ID" \
-        --member="principal://iam.googleapis.com/projects/$WIF_PROJECT_NUMBER/locations/global/workloadIdentityPools/$WIF_POOL_ID/subject/$NGINXAAS_SERVICE_ACCOUNT_UNIQUE_ID" \
-        --role='roles/monitoring.metricWriter'
-    ```
-
-See [Google's documentation on granting access](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#access) for more information.
+1. Assign the **Monitoring Metric Writer** role.
+
+Alternatively, to use the Google Cloud CLI, you can run the following `gcloud` command.
+
+```bash
+gcloud projects add-iam-policy-binding "$METRIC_PROJECT_ID" \
+    --member="principal://iam.googleapis.com/projects/$WIF_PROJECT_NUMBER/locations/global/workloadIdentityPools/$WIF_POOL_ID/subject/$NGINXAAS_SERVICE_ACCOUNT_UNIQUE_ID" \
+    --role='roles/monitoring.metricWriter'
+```
+
+{{< /details >}}
+
+{{< details summary="Grant access to fetch a secret from Secret Manager">}}
+
+To grant access to fetch a secret, `$SECRET_ID`, in the [Google Cloud Console](https://console.cloud.google.com/),
+
+1. Go to the secret, `$SECRET_ID`, in Secret Manager.
+1. Select the **Permissions** tab.
+1. Select **Grant Access**.
+1. Enter your principal, for example, `principal://iam.googleapis.com/projects/$WIF_PROJECT_NUMBER/locations/global/workloadIdentityPools/$WIF_POOL_ID/subject/$NGINXAAS_SERVICE_ACCOUNT_UNIQUE_ID`.
+1. Assign the **Secret Manager Secret Accessor** role.
+
+Alternatively, to use the Google Cloud CLI, you can run the following `gcloud` command.
+
+```bash
+gcloud secrets add-iam-policy-binding "$SECRET_ID" \
+    --member="principal://iam.googleapis.com/projects/$WIF_PROJECT_NUMBER/locations/global/workloadIdentityPools/$WIF_POOL_ID/subject/$NGINXAAS_SERVICE_ACCOUNT_UNIQUE_ID" \
+    --role='roles/secretmanager.secretAccessor'
+```
+
+If you have more than one secret that you would like fetched, you will need to grant access on each secret or grant access on the project your secrets are in.
+
+{{< /details >}}
 
 ### Update your NGINXaaS deployment with the name of your workload identity pool provider
 
 In the NGINXaaS Console,
+
 1. On the navigation menu, select **Deployments**.
 1. Select the deployment you want to update and select **Edit**.
 1. Enter your provider name, for example, `projects/<project-number>/locations/<location>/workloadIdentityPools/<pool-id>/providers/<provider-id>`, under **Workload Identity Pool Provider Name**.

content/nginxaas-google/getting-started/ssl-tls-certificates/overview.md

@@ -25,7 +25,7 @@ NGINX supports the following certificate formats:
 
 - PEM format certificates.
 
-NGINXaaS allows you to upload these certificates as text and as files.
+NGINXaaS allows you to upload these certificates as text, as files, and as secrets from [Secret Manager](https://docs.cloud.google.com/secret-manager/docs/overview).
 
 Encrypt your certificates, keys, and PEM files using one of these standards:
 
@@ -36,5 +36,5 @@ Encrypt your certificates, keys, and PEM files using one of these standards:
 
 Add a certificate to your NGINXaaS deployment using your preferred client tool:
 
+- TODO: add link for Secret Manager
 - [Add certificates using the NGINXaaS Console]({{< ref "/nginxaas-google/getting-started/ssl-tls-certificates/ssl-tls-certificates-console.md" >}})
-

content/nginxaas-google/getting-started/ssl-tls-certificates/ssl-tls-certificates-secret-manager.md

@@ -0,0 +1,46 @@
+---
+title: Add certificates from Secret Manager
+weight: 75
+toc: true
+nd-docs: DOCS-000
+url: /nginxaas/google/getting-started/ssl-tls-certificates/ssl-tls-certificates-secret-manager/
+nd-content-type: how-to
+nd-product: NGOOGL
+---
+
+F5 NGINXaaS for Google Cloud (NGINXaaS) can fetch secrets directly from [Secret Manager](https://docs.cloud.google.com/secret-manager/docs/overview) to use as certificates in your NGINX configuration.
+
+## Prerequisites
+
+If you haven't already done so, complete the following prerequisites:
+
+- Enable the [Secret Manager API](https://docs.cloud.google.com/secret-manager/docs/configuring-secret-manager#enable-the-secret-manager-api).
+- Configure Workload Identity Federation (WIF). See [our documentation on setting up WIF]({{< ref "/nginxaas-google/getting-started/access-management.md#configure-wif" >}}) for exact steps.
+
+## Add an SSL/TLS certificate to Secret Manager
+
+If you do not have a certificate in one of our [accepted formats]({{< ref "/nginxaas-google/getting-started/ssl-tls-certificates/overview.md#supported-certificate-types-and-formats" >}}) in Secret Manager, follow Google's [instructions on adding a secret to Secret Manager](https://docs.cloud.google.com/secret-manager/docs/creating-and-accessing-secrets#create-secret-console)
+
+## Use a Secret Manager certificate in an NGINX configuration
+
+To add your Secret Manager certificate to an NGINX configuration in the NGINXaaS console,
+
+- Select **Configurations** in the left menu.
+- Select the ellipsis (three dots) next to the configuration you want to edit, and select **Edit**.
+- Select **Continue** to open the configuration editor.
+- In your configuration, select {{< icon "plus">}} **Add File** and either choose **Google Secret Manager** as the type.
+- Provide the required path information:
+    {{< table >}}
+
+   | Field                       | Description                  | Note |
+   |---------------------------- | ---------------------------- | ---- |
+   | Google Secret ID       | This resource name of the secret in Secret Manager | The resource name must match the format `projects/$PROJECT_ID/secrets/$SECRET_ID/versions/$VERSION` where `$VERSION` can be a specific version or an alias such as `latest`. |
+   | File Path               | This path can match one or more ssl_certificate or ssl_certificate_key directive file arguments in your NGINX configuration. | The path must be unique within the same deployment. |
+
+    {{< /table >}}
+- Update the NGINX configuration to reference the certificate you just added by the path value.
+- Select **Continue** and then **Save** to save your changes.
+
+## What's next
+
+[Upload an NGINX Configuration]({{< ref "/nginxaas-google/getting-started/nginx-configuration/nginx-configuration-console.md" >}})

content/nginxaas-google/monitoring/enable-monitoring.md

@@ -13,7 +13,7 @@ Monitoring your application's performance is crucial for maintaining its reliabi
 ## Prerequisites
 
 - Enable the [Cloud Monitoring API](https://cloud.google.com/monitoring/api/enable-api).
-- Configure Workload Identity Federation (WIF). See [our documentation on setting up WIF]({{< ref "/nginxaas-google/monitoring/access-management.md#configure-wif" >}}) for exact steps.
+- Configure Workload Identity Federation (WIF). See [our documentation on setting up WIF]({{< ref "/nginxaas-google/getting-started/access-management.md#configure-wif" >}}) for exact steps.
 - Grant a project-level role or grant your principal access to the `roles/monitoring.viewer` role. See [Google's documentation on controlling access to Cloud Monitoring with IAM](https://cloud.google.com/monitoring/access-control).
 
 ## Export NGINXaaS metrics to a Google Cloud Project

content/nginxaas-google/monitoring/enable-nginx-logs.md

@@ -13,7 +13,7 @@ F5 NGINXaaS for Google (NGINXaaS) supports integrating with Google Cloud service
 ## Prerequisites
 
 - Enable the [Cloud Logging API](https://docs.cloud.google.com/logging/docs/api/enable-api).
-- Configure Workload Identity Federation (WIF). See [our documentation on setting up WIF]({{< ref "/nginxaas-google/monitoring/access-management.md#configure-wif" >}}) for exact steps.
+- Configure Workload Identity Federation (WIF). See [our documentation on setting up WIF]({{< ref "/nginxaas-google/getting-started/access-management.md#configure-wif" >}}) for exact steps.
 - Grant a project-level role or grant your principal access to the `roles/logging.viewer` role. See [Google's documentation on controlling access to Cloud Logging with IAM](https://cloud.google.com/logging/docs/access-control).
 
 ## Setting up error logs

go.mod

@@ -2,4 +2,4 @@ module github.com/nginxinc/docs
 
 go 1.19
 
-require github.com/nginxinc/nginx-hugo-theme/v2 v2.0.0 // indirect
+require github.com/nginxinc/nginx-hugo-theme/v2 v2.0.3 // indirect

go.sum

@@ -1,2 +1,4 @@
 github.com/nginxinc/nginx-hugo-theme/v2 v2.0.0 h1:Kgh/zeBP7vgPyXowPL2v9MTlRs0CDe31G+bvp7WbH34=
 github.com/nginxinc/nginx-hugo-theme/v2 v2.0.0/go.mod h1:TAmEMc0T/RKTQ0pI4LROWoUmyLXstrRmM2jE2ErdxWY=
+github.com/nginxinc/nginx-hugo-theme/v2 v2.0.3 h1:2hLeYJ/I3gDmT5aqdjFPclxePJHBpEvQ4zbU/aIJmMU=
+github.com/nginxinc/nginx-hugo-theme/v2 v2.0.3/go.mod h1:TAmEMc0T/RKTQ0pI4LROWoUmyLXstrRmM2jE2ErdxWY=