docs: improved README

akijakya · akijakya · commit ecb377af5837 · 2023-10-25T16:47:12.000+02:00
Signed-off-by: András Jáky &lt;ajaky@cisco.com&gt;
diff --git a/Makefile b/Makefile
@@ -87,7 +87,6 @@ up: ## Start kind development environment
 		--set podsFailurePolicy=Fail \
 		--set vaultEnv.tag=latest \
 		--namespace bank-vaults-infra
-	kind load docker-image ghcr.io/bank-vaults/vault-secrets-reloader:dev --name $(TEST_KIND_CLUSTER)
 
 .PHONY: down
 down: ## Destroy kind development environment
@@ -125,6 +124,7 @@ generate: gen-helm-docs ## Generate manifests, code, and docs resources
 
 .PHONY: deploy
 deploy: ## Deploy manager resources to the K8s cluster
+	kind load docker-image $(IMG) --name $(TEST_KIND_CLUSTER)
 	kubectl create namespace bank-vaults-infra --dry-run=client -o yaml | kubectl apply -f -
 	$(HELM) upgrade --install vault-secrets-reloader deploy/charts/vault-secrets-reloader \
 		--set image.tag=dev \
diff --git a/README.md b/README.md
@@ -87,6 +87,27 @@ helm upgrade --install vault-secrets-reloader deploy/charts/vault-secrets-reload
     --namespace bank-vaults-infra
 ```
 
+Reloader needs to access the Vault instance on its own, so make sure you set the correct environment variables through
+the chart, also use a time interval (in Go Duration format) that works best for your use case for collecting data from
+the workloads and for the actual reloading, for example:
+
+```shell
+helm upgrade --install vault-secrets-reloader oci://ghcr.io/bank-vaults/vault-secrets-reloader \
+    --set collectorSyncPeriod=2h \
+    --set reloaderRunPeriod=4h \
+    --set env.VAULT_ADDR=[URL for Vault]
+    --set env.VAULT_PATH=[Auth path]
+    --set env.VAULT_ROLE=[Auth role]
+    --set env.VAULT_AUTH_METHOD=[Auth method]
+    # other environmental variables needed for the auth method of your choice
+    --namespace bank-vaults-infra --create-namespace
+```
+
+Vault also needs to be configured with an auth method for the Reloader to use, additionally it is advised to create a
+role and policy that allows the Reloader to `read` and `list` secrets from Vault. An example for that can be found in
+this repository in the [example Bank-Vaults Operator CR
+file](https://github.com/bank-vaults/vault-secrets-reloader/blob/main/e2e/deploy/vault/vault.yaml#L102).
+
 Now that we have the Bank-Vaults ecosystem running in our kind cluster, we can try out the Reloader in action:
 
 ```shell
diff --git a/e2e/deploy/vault/vault.yaml b/e2e/deploy/vault/vault.yaml
@@ -105,6 +105,7 @@ spec:
         rules: path "secret/*" {
           capabilities = ["create", "read", "update", "delete", "list"]
           }
+      # define a new policy for the Reloader
       - name: read_secrets
         rules: path "secret/*" {
           capabilities = ["read", "list"]
@@ -135,7 +136,7 @@ spec:
           - name: reloader
             bound_service_account_names: ["vault-secrets-reloader"]
             bound_service_account_namespaces: ["bank-vaults-infra"]
-            policies: ["read_secrets"]
+            policies: ["read_secrets"]  # use the read_secrets policy in the reloader role
             ttl: 1h
 
     secrets:
