doc(object-storage): add sections on configuring secrets for the helm chart

Fixes deis/workflow#101

Author: Aaron Schlesinger

src/installing-workflow/configuring-object-storage.md

@@ -52,6 +52,10 @@ The builder reads credentials from the below locations on the filesystem.
 - Key: `/var/run/secrets/object/store/access-key-id`
 - Secret `/var/run/secrets/object/store/access-key-secret`
 
+### Helm Chart
+
+If you are using the [Helm Chart for Workflow][helm-chart], put your credentials in the [`minio-user` secret][minio-user-secret] (under `access-key-id` and `access-secret-key`) before you `helm install`. For more information, see the [installation instructions][helm-install] for more details on using Helm.
+
 ### A Note on Google Cloud Storage
 
 Google Cloud Storage (GCS) can interoperate with the S3 API using a feature called [interoperability](https://cloud.google.com/storage/docs/interoperability). If you choose to use GCS for object storage, you'll have to turn on this interoperability mode. In order to do so, please follow the steps at https://cloud.google.com/storage/docs/migrating?hl=en_US#migration-simple.
@@ -76,20 +80,47 @@ The slugbuilder reads credentials from the below locations on the filesystem.
 - Key: `/var/run/secrets/object/store/access-key-id`
 - Secret `/var/run/secrets/object/store/access-key-secret`
 
+### Helm Chart
+
+If you are using the [Helm Chart for Workflow][helm-chart], put your credentials in the [`minio-user` secret][minio-user-secret] (under `access-key-id` and `access-secret-key`) before you `helm install`. For more information, see the [installation instructions][helm-install] for more details on using Helm.
 
 ## [deis/slugrunner](https://github.com/deis/slugrunner)
 
 ### Environment Variables
 
 The slugrunner uses the `SLUG_URL` environment variable to determine where to download the slug (that it will run) from.
 
+Note that if you are using slugrunner inside a Deis cluster, the [controller](https://github.com/deis/controller) handles all configuration and lifecycle management for you. The remainder of this section only applies if you intend to run the slugrunner as a standalone component.
+
 ### Credentials
 
 The slugrunner reads credentials from the below locations on the filesystem.
 
 - Key: `/var/run/secrets/object/store/access-key-id`
 - Secret: `/var/run/secrets/object/store/access-key-secret`
 
+### Helm Chart
+
+The [Helm Chart for Workflow][helm-chart] contains no manifest for the slugrunner. As noted above, the controller handles all configuration and lifecycle management for you.
+
+If, however, you wish to run the slugrunner as a standalone component, you can use the [`minio-user` secret][minio-user-secret] to easily provide your pods with the credentials information they need. To do so, put your credentials information into the `access-key-id` and `access-secret-key` fields, and mount the secret like this:
+
+Under the `spec.template.spec.volumes` section:
+
+```yaml
+- name: minio-user
+  secret:
+    secretName: minio-user
+```
+
+Under the `spec.template.spec.containers[0].volumeMounts` section:
+
+```yaml
+- name: minio-user
+  mountPath: /var/run/secrets/object/store
+  readOnly: true
+```
+
 ## [deis/controller](https://github.com/deis/controller)
 
 When the controller needs to launch or scale a new buildpack application, it uses a [replication controller](http://kubernetes.io/docs/user-guide/replication-controller/). Since the slugrunner needs to download the slug to run, it needs the object storage location of the slug and the object storage credentials.
@@ -150,3 +181,7 @@ You'll also need to add two environment variables to the https://github.com/deis
 - name: DEIS_MINIO_SERVICE_PORT
   value: "443"
 ```
+
+[helm-chart]: https://github.com/deis/charts/tree/master/workflow-dev
+[minio-user-secret]: https://github.com/deis/charts/blob/master/workflow-dev/manifests/deis-minio-secret-user.yaml
+[helm-install]: https://github.com/deis/workflow/blob/master/src/installing-workflow/installing-deis-workflow.md