|
|
@@ -2053,46 +2053,46 @@
|
|
|
<ul class="md-nav__list">
|
|
|
|
|
|
<li class="md-nav__item">
|
|
|
- <a href="#pre-requirements" class="md-nav__link">
|
|
|
+ <a href="#prerequisites" class="md-nav__link">
|
|
|
<span class="md-ellipsis">
|
|
|
- Pre-requirements
|
|
|
+ Prerequisites
|
|
|
</span>
|
|
|
</a>
|
|
|
|
|
|
</li>
|
|
|
|
|
|
<li class="md-nav__item">
|
|
|
- <a href="#certificate-for-conjur-server" class="md-nav__link">
|
|
|
+ <a href="#conjur-server-certificate" class="md-nav__link">
|
|
|
<span class="md-ellipsis">
|
|
|
- Certificate for Conjur server
|
|
|
+ Conjur server certificate
|
|
|
</span>
|
|
|
</a>
|
|
|
|
|
|
</li>
|
|
|
|
|
|
<li class="md-nav__item">
|
|
|
- <a href="#external-secret-store-definition-with-apikey-authentication" class="md-nav__link">
|
|
|
+ <a href="#external-secret-store-with-apikey-authentication" class="md-nav__link">
|
|
|
<span class="md-ellipsis">
|
|
|
- External Secret Store Definition with ApiKey Authentication
|
|
|
+ External secret store with apiKey authentication
|
|
|
</span>
|
|
|
</a>
|
|
|
|
|
|
- <nav class="md-nav" aria-label="External Secret Store Definition with ApiKey Authentication">
|
|
|
+ <nav class="md-nav" aria-label="External secret store with apiKey authentication">
|
|
|
<ul class="md-nav__list">
|
|
|
|
|
|
<li class="md-nav__item">
|
|
|
- <a href="#create-external-secret-store-definition" class="md-nav__link">
|
|
|
+ <a href="#step-1-create-an-external-secret-store" class="md-nav__link">
|
|
|
<span class="md-ellipsis">
|
|
|
- Create External Secret Store Definition
|
|
|
+ Step 1: Create an external secret store
|
|
|
</span>
|
|
|
</a>
|
|
|
|
|
|
</li>
|
|
|
|
|
|
<li class="md-nav__item">
|
|
|
- <a href="#create-kubernetes-secrets" class="md-nav__link">
|
|
|
+ <a href="#step-2-create-kubernetes-secrets" class="md-nav__link">
|
|
|
<span class="md-ellipsis">
|
|
|
- Create Kubernetes Secrets
|
|
|
+ Step 2: Create Kubernetes secrets
|
|
|
</span>
|
|
|
</a>
|
|
|
|
|
|
@@ -2106,67 +2106,76 @@
|
|
|
<li class="md-nav__item">
|
|
|
<a href="#external-secret-store-with-jwt-authentication" class="md-nav__link">
|
|
|
<span class="md-ellipsis">
|
|
|
- External Secret Store with JWT Authentication
|
|
|
+ External secret store with JWT authentication
|
|
|
</span>
|
|
|
</a>
|
|
|
|
|
|
- <nav class="md-nav" aria-label="External Secret Store with JWT Authentication">
|
|
|
+ <nav class="md-nav" aria-label="External secret store with JWT authentication">
|
|
|
<ul class="md-nav__list">
|
|
|
|
|
|
<li class="md-nav__item">
|
|
|
- <a href="#create-external-secret-store-definition_1" class="md-nav__link">
|
|
|
+ <a href="#step-1-define-an-external-secret-store" class="md-nav__link">
|
|
|
<span class="md-ellipsis">
|
|
|
- Create External Secret Store Definition
|
|
|
+ Step 1: Define an external secret store
|
|
|
</span>
|
|
|
</a>
|
|
|
|
|
|
</li>
|
|
|
|
|
|
- </ul>
|
|
|
- </nav>
|
|
|
+ <li class="md-nav__item">
|
|
|
+ <a href="#step-2-define-an-external-secret" class="md-nav__link">
|
|
|
+ <span class="md-ellipsis">
|
|
|
+ Step 2: Define an external secret
|
|
|
+ </span>
|
|
|
+ </a>
|
|
|
|
|
|
</li>
|
|
|
|
|
|
<li class="md-nav__item">
|
|
|
- <a href="#create-external-secret-definition" class="md-nav__link">
|
|
|
+ <a href="#step-3-create-the-external-secrets-store" class="md-nav__link">
|
|
|
<span class="md-ellipsis">
|
|
|
- Create External Secret Definition
|
|
|
+ Step 3: Create the external secrets store
|
|
|
</span>
|
|
|
</a>
|
|
|
|
|
|
</li>
|
|
|
|
|
|
<li class="md-nav__item">
|
|
|
- <a href="#create-the-external-secrets-store" class="md-nav__link">
|
|
|
+ <a href="#step-4-create-the-external-secret" class="md-nav__link">
|
|
|
<span class="md-ellipsis">
|
|
|
- Create the External Secrets Store
|
|
|
+ Step 4: Create the external secret
|
|
|
</span>
|
|
|
</a>
|
|
|
|
|
|
</li>
|
|
|
|
|
|
<li class="md-nav__item">
|
|
|
- <a href="#create-the-external-secret" class="md-nav__link">
|
|
|
+ <a href="#step-5-get-the-k8s-secret" class="md-nav__link">
|
|
|
<span class="md-ellipsis">
|
|
|
- Create the External Secret
|
|
|
+ Step 5: Get the K8s secret
|
|
|
</span>
|
|
|
</a>
|
|
|
|
|
|
+</li>
|
|
|
+
|
|
|
+ </ul>
|
|
|
+ </nav>
|
|
|
+
|
|
|
</li>
|
|
|
|
|
|
<li class="md-nav__item">
|
|
|
- <a href="#getting-the-k8s-secret" class="md-nav__link">
|
|
|
+ <a href="#see-also" class="md-nav__link">
|
|
|
<span class="md-ellipsis">
|
|
|
- Getting the K8S Secret
|
|
|
+ See also
|
|
|
</span>
|
|
|
</a>
|
|
|
|
|
|
</li>
|
|
|
|
|
|
<li class="md-nav__item">
|
|
|
- <a href="#support" class="md-nav__link">
|
|
|
+ <a href="#license" class="md-nav__link">
|
|
|
<span class="md-ellipsis">
|
|
|
- Support
|
|
|
+ License
|
|
|
</span>
|
|
|
</a>
|
|
|
|
|
|
@@ -3951,46 +3960,46 @@
|
|
|
<ul class="md-nav__list">
|
|
|
|
|
|
<li class="md-nav__item">
|
|
|
- <a href="#pre-requirements" class="md-nav__link">
|
|
|
+ <a href="#prerequisites" class="md-nav__link">
|
|
|
<span class="md-ellipsis">
|
|
|
- Pre-requirements
|
|
|
+ Prerequisites
|
|
|
</span>
|
|
|
</a>
|
|
|
|
|
|
</li>
|
|
|
|
|
|
<li class="md-nav__item">
|
|
|
- <a href="#certificate-for-conjur-server" class="md-nav__link">
|
|
|
+ <a href="#conjur-server-certificate" class="md-nav__link">
|
|
|
<span class="md-ellipsis">
|
|
|
- Certificate for Conjur server
|
|
|
+ Conjur server certificate
|
|
|
</span>
|
|
|
</a>
|
|
|
|
|
|
</li>
|
|
|
|
|
|
<li class="md-nav__item">
|
|
|
- <a href="#external-secret-store-definition-with-apikey-authentication" class="md-nav__link">
|
|
|
+ <a href="#external-secret-store-with-apikey-authentication" class="md-nav__link">
|
|
|
<span class="md-ellipsis">
|
|
|
- External Secret Store Definition with ApiKey Authentication
|
|
|
+ External secret store with apiKey authentication
|
|
|
</span>
|
|
|
</a>
|
|
|
|
|
|
- <nav class="md-nav" aria-label="External Secret Store Definition with ApiKey Authentication">
|
|
|
+ <nav class="md-nav" aria-label="External secret store with apiKey authentication">
|
|
|
<ul class="md-nav__list">
|
|
|
|
|
|
<li class="md-nav__item">
|
|
|
- <a href="#create-external-secret-store-definition" class="md-nav__link">
|
|
|
+ <a href="#step-1-create-an-external-secret-store" class="md-nav__link">
|
|
|
<span class="md-ellipsis">
|
|
|
- Create External Secret Store Definition
|
|
|
+ Step 1: Create an external secret store
|
|
|
</span>
|
|
|
</a>
|
|
|
|
|
|
</li>
|
|
|
|
|
|
<li class="md-nav__item">
|
|
|
- <a href="#create-kubernetes-secrets" class="md-nav__link">
|
|
|
+ <a href="#step-2-create-kubernetes-secrets" class="md-nav__link">
|
|
|
<span class="md-ellipsis">
|
|
|
- Create Kubernetes Secrets
|
|
|
+ Step 2: Create Kubernetes secrets
|
|
|
</span>
|
|
|
</a>
|
|
|
|
|
|
@@ -4004,67 +4013,76 @@
|
|
|
<li class="md-nav__item">
|
|
|
<a href="#external-secret-store-with-jwt-authentication" class="md-nav__link">
|
|
|
<span class="md-ellipsis">
|
|
|
- External Secret Store with JWT Authentication
|
|
|
+ External secret store with JWT authentication
|
|
|
</span>
|
|
|
</a>
|
|
|
|
|
|
- <nav class="md-nav" aria-label="External Secret Store with JWT Authentication">
|
|
|
+ <nav class="md-nav" aria-label="External secret store with JWT authentication">
|
|
|
<ul class="md-nav__list">
|
|
|
|
|
|
<li class="md-nav__item">
|
|
|
- <a href="#create-external-secret-store-definition_1" class="md-nav__link">
|
|
|
+ <a href="#step-1-define-an-external-secret-store" class="md-nav__link">
|
|
|
<span class="md-ellipsis">
|
|
|
- Create External Secret Store Definition
|
|
|
+ Step 1: Define an external secret store
|
|
|
</span>
|
|
|
</a>
|
|
|
|
|
|
</li>
|
|
|
|
|
|
- </ul>
|
|
|
- </nav>
|
|
|
+ <li class="md-nav__item">
|
|
|
+ <a href="#step-2-define-an-external-secret" class="md-nav__link">
|
|
|
+ <span class="md-ellipsis">
|
|
|
+ Step 2: Define an external secret
|
|
|
+ </span>
|
|
|
+ </a>
|
|
|
|
|
|
</li>
|
|
|
|
|
|
<li class="md-nav__item">
|
|
|
- <a href="#create-external-secret-definition" class="md-nav__link">
|
|
|
+ <a href="#step-3-create-the-external-secrets-store" class="md-nav__link">
|
|
|
<span class="md-ellipsis">
|
|
|
- Create External Secret Definition
|
|
|
+ Step 3: Create the external secrets store
|
|
|
</span>
|
|
|
</a>
|
|
|
|
|
|
</li>
|
|
|
|
|
|
<li class="md-nav__item">
|
|
|
- <a href="#create-the-external-secrets-store" class="md-nav__link">
|
|
|
+ <a href="#step-4-create-the-external-secret" class="md-nav__link">
|
|
|
<span class="md-ellipsis">
|
|
|
- Create the External Secrets Store
|
|
|
+ Step 4: Create the external secret
|
|
|
</span>
|
|
|
</a>
|
|
|
|
|
|
</li>
|
|
|
|
|
|
<li class="md-nav__item">
|
|
|
- <a href="#create-the-external-secret" class="md-nav__link">
|
|
|
+ <a href="#step-5-get-the-k8s-secret" class="md-nav__link">
|
|
|
<span class="md-ellipsis">
|
|
|
- Create the External Secret
|
|
|
+ Step 5: Get the K8s secret
|
|
|
</span>
|
|
|
</a>
|
|
|
|
|
|
+</li>
|
|
|
+
|
|
|
+ </ul>
|
|
|
+ </nav>
|
|
|
+
|
|
|
</li>
|
|
|
|
|
|
<li class="md-nav__item">
|
|
|
- <a href="#getting-the-k8s-secret" class="md-nav__link">
|
|
|
+ <a href="#see-also" class="md-nav__link">
|
|
|
<span class="md-ellipsis">
|
|
|
- Getting the K8S Secret
|
|
|
+ See also
|
|
|
</span>
|
|
|
</a>
|
|
|
|
|
|
</li>
|
|
|
|
|
|
<li class="md-nav__item">
|
|
|
- <a href="#support" class="md-nav__link">
|
|
|
+ <a href="#license" class="md-nav__link">
|
|
|
<span class="md-ellipsis">
|
|
|
- Support
|
|
|
+ License
|
|
|
</span>
|
|
|
</a>
|
|
|
|
|
|
@@ -4096,27 +4114,21 @@
|
|
|
<h1>CyberArk Conjur</h1>
|
|
|
|
|
|
<h2 id="conjur-provider">Conjur Provider</h2>
|
|
|
-<p>The following sections outline what is needed to get your external-secrets Conjur provider setup.</p>
|
|
|
-<h3 id="pre-requirements">Pre-requirements</h3>
|
|
|
-<p>This section contains the list of the pre-requirements before installing the Conjur Provider.</p>
|
|
|
+<p>This section describes how to set up the Conjur provider for External Secrets Operator (ESO). For a working example, see the <a href="https://github.com/conjurdemos/Accelerator-K8s-External-Secrets">Accelerator-K8s-External-Secrets repo</a>.</p>
|
|
|
+<h3 id="prerequisites">Prerequisites</h3>
|
|
|
+<p>Before installing the Conjur provider, you need:</p>
|
|
|
<ul>
|
|
|
-<li>Running Conjur Server<ul>
|
|
|
-<li>These items will be needed in order to configure the secret-store<ul>
|
|
|
-<li>Conjur endpoint - include the scheme but no trailing '/', ex: https://myapi.example.com</li>
|
|
|
-<li>Conjur authentication info (hostid, apikey, jwt service id, etc)</li>
|
|
|
-<li>Conjur must be configured to support your authentication method (<code>apikey</code> is supported by default, <code>jwt</code> requires additional configuration)</li>
|
|
|
-<li>Certificate for Conjur server is OPTIONAL -- But, <strong>when using a self-signed cert when setting up your Conjur server, it is strongly recommended to populate "caBundle" with self-signed cert in the secret-store definition</strong></li>
|
|
|
-</ul>
|
|
|
-</li>
|
|
|
-</ul>
|
|
|
-</li>
|
|
|
-<li>Kubernetes cluster<ul>
|
|
|
-<li>External Secrets Operator is installed</li>
|
|
|
+<li>A running Conjur Server, with:<ul>
|
|
|
+<li>An accessible Conjur endpoint (for example: <code>https://myapi.example.com</code>).</li>
|
|
|
+<li>Your configured Conjur authentication info (such as <code>hostid</code>, <code>apikey</code>, or JWT service ID). For more information on configuring Conjur, see <a href="https://docs.cyberark.com/conjur-open-source/Latest/en/Content/Operations/Policy/policy-statement-ref.htm">Policy statement reference</a>.</li>
|
|
|
+<li>Support for your authentication method (<code>apikey</code> is supported by default, <code>jwt</code> requires additional configuration).</li>
|
|
|
+<li><strong>Optional</strong>: Conjur server certificate (see <a href="#conjur-server-certificate">below</a>).</li>
|
|
|
</ul>
|
|
|
</li>
|
|
|
+<li>A Kubernetes cluster with ESO installed.</li>
|
|
|
</ul>
|
|
|
-<h3 id="certificate-for-conjur-server">Certificate for Conjur server</h3>
|
|
|
-<p>When using a self-signed cert when setting up your Conjur server, it is strongly recommended to populate "caBundle" with self-signed cert in the secret-store definition. The certificate CA must be referenced on the secret-store definition using either a <code>caBundle</code> or <code>caProvider</code> as below:</p>
|
|
|
+<h3 id="conjur-server-certificate">Conjur server certificate</h3>
|
|
|
+<p>If you set up your Conjur server with a self-signed certificate, we recommend that you populate the <code>caBundle</code> field with the Conjur self-signed certificate in the secret-store definition. The certificate CA must be referenced in the secret-store definition using either <code>caBundle</code> or <code>caProvider</code>:</p>
|
|
|
<div class="highlight"><pre><span></span><code><span class="l l-Scalar l-Scalar-Plain">....</span>
|
|
|
<span class="l l-Scalar l-Scalar-Plain">spec</span><span class="p p-Indicator">:</span>
|
|
|
<span class="w"> </span><span class="nt">provider</span><span class="p">:</span>
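Review bot: The rewritten prerequisite item `An accessible Conjur endpoint (for example: ...)` drops the format constraint the removed line carried (include the scheme, no trailing '/'), which is exactly the detail that turns a copied URL into an unexplained connection failure. Suggest `<li>An accessible Conjur endpoint, including the scheme and without a trailing slash (for example: <code>https://myapi.example.com</code>).</li>`. The certificate paragraph in the same hunk also softens "strongly recommended" to "we recommend"; if the emphasis on populating <code>caBundle</code> for a self-signed server certificate was intentional, wrapping that clause in `<strong>` as the old text did would preserve it.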
|
|
|
@@ -4128,20 +4140,24 @@
|
|
|
<span class="w"> </span><span class="nt">caBundle</span><span class="p">:</span><span class="w"> </span><span class="s">"<base64</span><span class="nv"> </span><span class="s">encoded</span><span class="nv"> </span><span class="s">cabundle>"</span>
|
|
|
|
|
|
<span class="w"> </span><span class="c1"># [OPTIONAL] caProvider:</span>
|
|
|
-<span class="w"> </span><span class="c1"># Instead of caBundle you can also specify a caProvider</span>
|
|
|
-<span class="w"> </span><span class="c1"># this will retrieve the cert from a Secret or ConfigMap</span>
|
|
|
+<span class="w"> </span><span class="c1"># Instead of caBundle you can also specify a caProvider,</span>
|
|
|
+<span class="w"> </span><span class="c1"># which retrieves the cert from a Secret or ConfigMap</span>
|
|
|
<span class="w"> </span><span class="nt">caProvider</span><span class="p">:</span>
|
|
|
<span class="w"> </span><span class="nt">type</span><span class="p">:</span><span class="w"> </span><span class="s">"Secret"</span><span class="w"> </span><span class="c1"># Can be Secret or ConfigMap</span>
|
|
|
<span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s">"<name</span><span class="nv"> </span><span class="s">of</span><span class="nv"> </span><span class="s">secret</span><span class="nv"> </span><span class="s">or</span><span class="nv"> </span><span class="s">configmap>"</span>
|
|
|
<span class="w"> </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s">"<key</span><span class="nv"> </span><span class="s">inside</span><span class="nv"> </span><span class="s">secret</span><span class="nv"> </span><span class="s">or</span><span class="nv"> </span><span class="s">configmap>"</span>
|
|
|
-<span class="w"> </span><span class="c1"># namespace is mandatory for ClusterSecretStore and not relevant for SecretStore</span>
|
|
|
+<span class="w"> </span><span class="c1"># namespace is required for ClusterSecretStore</span>
|
|
|
+<span class="w"> </span><span class="c1"># but not relevant for SecretStore</span>
|
|
|
<span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="s">"my-cert-secret-namespace"</span>
|
|
|
<span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">....</span>
|
|
|
</code></pre></div>
|
|
|
-<h3 id="external-secret-store-definition-with-apikey-authentication">External Secret Store Definition with ApiKey Authentication</h3>
|
|
|
-<p>This method uses a combination of the Conjur <code>hostid</code> and <code>apikey</code> to authenticate to Conjur. This method is the simplest to setup and use as your Conjur instance requires no special setup.</p>
|
|
|
-<h4 id="create-external-secret-store-definition">Create External Secret Store Definition</h4>
|
|
|
-<p>Recommend to save as filename: <code>conjur-secret-store.yaml</code></p>
|
|
|
+<h3 id="external-secret-store-with-apikey-authentication">External secret store with apiKey authentication</h3>
|
|
|
+<p>This method uses a Conjur <code>hostid</code> and <code>apikey</code> to authenticate with Conjur. It is the simplest method to set up and use because your Conjur instance requires no additional configuration.</p>
|
|
|
+<h4 id="step-1-create-an-external-secret-store">Step 1: Create an external secret store</h4>
|
|
|
+<div class="admonition tip">
|
|
|
+<p class="admonition-title">Tip</p>
|
|
|
+<p>Save as the file as: <code>conjur-secret-store.yaml</code></p>
|
|
|
+</div>
|
|
|
<div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1beta1</span>
|
|
|
<span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SecretStore</span>
|
|
|
<span class="nt">metadata</span><span class="p">:</span>
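Review bot: The tip under Step 1 has a typo, `Save as the file as:`, which should read `<p>Save the file as: <code>conjur-secret-store.yaml</code></p>`. The later external-secret step uses "Save the external secret file as:", so the corrected wording also keeps the two tips parallel.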
|
|
|
@@ -4164,29 +4180,37 @@
|
|
|
<span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">conjur-creds</span>
|
|
|
<span class="w"> </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">apikey</span>
|
|
|
</code></pre></div>
|
|
|
-<h4 id="create-kubernetes-secrets">Create Kubernetes Secrets</h4>
|
|
|
-<p>In order for the ESO <strong>Conjur</strong> provider to connect to the Conjur server using the <code>apikey</code> creds, these creds should be stored as k8s secrets. Please refer to <a href="https://kubernetes.io/docs/concepts/configuration/secret/#creating-a-secret">https://kubernetes.io/docs/concepts/configuration/secret/#creating-a-secret</a> for various methods to create secrets. Here is one way to do it using <code>kubectl</code></p>
|
|
|
-<p><strong><em>NOTE</em></strong>: "conjur-creds" is the "name" used in "userRef" and "apikeyRef" in the conjur-secret-store definition</p>
|
|
|
+<h4 id="step-2-create-kubernetes-secrets">Step 2: Create Kubernetes secrets</h4>
|
|
|
+<p>To connect to the Conjur server, the <strong>ESO Conjur provider</strong> needs to retrieve the <code>apikey</code> credentials from K8s secrets.</p>
|
|
|
+<div class="admonition note">
|
|
|
+<p class="admonition-title">Note</p>
|
|
|
+<p>For more information about how to create K8s secrets, see <a href="https://kubernetes.io/docs/concepts/configuration/secret/#creating-a-secret">Creating a secret</a>.</p>
|
|
|
+</div>
|
|
|
+<p>Here is an example of how to create K8s secrets using the <code>kubectl</code> command:</p>
|
|
|
<div class="highlight"><pre><span></span><code><span class="c1"># This is all one line</span>
|
|
|
kubectl<span class="w"> </span>-n<span class="w"> </span>external-secrets<span class="w"> </span>create<span class="w"> </span>secret<span class="w"> </span>generic<span class="w"> </span>conjur-creds<span class="w"> </span>--from-literal<span class="o">=</span><span class="nv">hostid</span><span class="o">=</span>MYCONJURHOSTID<span class="w"> </span>--from-literal<span class="o">=</span><span class="nv">apikey</span><span class="o">=</span>MYAPIKEY
|
|
|
|
|
|
<span class="c1"># Example:</span>
|
|
|
<span class="c1"># kubectl -n external-secrets create secret generic conjur-creds --from-literal=hostid=host/data/app1/host001 --from-literal=apikey=321blahblah</span>
|
|
|
</code></pre></div>
|
|
|
-<h3 id="external-secret-store-with-jwt-authentication">External Secret Store with JWT Authentication</h3>
|
|
|
-<p>This method uses JWT tokens to authenticate with Conjur. The following methods for retrieving the JWT token for authentication are supported:</p>
|
|
|
+<div class="admonition note">
|
|
|
+<p class="admonition-title">Note</p>
|
|
|
+<p><code>conjur-creds</code> is the <code>name</code> defined in the <code>userRef</code> and <code>apikeyRef</code> fields of the <code>conjur-secret-store.yml</code> file.</p>
|
|
|
+</div>
|
|
|
+<h3 id="external-secret-store-with-jwt-authentication">External secret store with JWT authentication</h3>
|
|
|
+<p>This method uses JWT tokens to authenticate with Conjur. You can use the following methods to retrieve a JWT token for authentication:</p>
|
|
|
<ul>
|
|
|
-<li>JWT token from a referenced Kubernetes Service Account</li>
|
|
|
+<li>JWT token from a referenced Kubernetes service account</li>
|
|
|
<li>JWT token stored in a Kubernetes secret</li>
|
|
|
</ul>
|
|
|
-<h4 id="create-external-secret-store-definition_1">Create External Secret Store Definition</h4>
|
|
|
-<p>When using JWT authentication the following must be specified in the <code>SecretStore</code>:</p>
|
|
|
+<h4 id="step-1-define-an-external-secret-store">Step 1: Define an external secret store</h4>
|
|
|
+<p>When you use JWT authentication, the following must be specified in the <code>SecretStore</code>:</p>
|
|
|
<ul>
|
|
|
<li><code>account</code> - The name of the Conjur account</li>
|
|
|
-<li><code>serviceId</code> - The ID of the JWT Authenticator <code>WebService</code> configured in Conjur that will be used to authenticate the JWT token</li>
|
|
|
+<li><code>serviceId</code> - The ID of the JWT Authenticator <code>WebService</code> configured in Conjur that is used to authenticate the JWT token</li>
|
|
|
</ul>
|
|
|
-<p>You can then choose to either retrieve the JWT token using a Service Account reference or from a Kubernetes Secret.</p>
|
|
|
-<p>To use a JWT token from a referenced Kubernetes Service Account, the following secret store definition can be used:</p>
|
|
|
+<p>You can retrieve the JWT token from either a referenced service account or a Kubernetes secret.</p>
|
|
|
+<p>For example, to retrieve a JWT token from a referenced Kubernetes service account, the following secret store definition can be used:</p>
|
|
|
<div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1beta1</span>
|
|
|
<span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SecretStore</span>
|
|
|
<span class="nt">metadata</span><span class="p">:</span>
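Review bot: The note after the <code>kubectl</code> example refers to `conjur-secret-store.yml`, while the Step 1 tip and the later `kubectl apply` command use `conjur-secret-store.yaml`; the extension should match so readers are not sent looking for a file that was never created. Suggest `<p><code>conjur-creds</code> is the <code>name</code> defined in the <code>userRef</code> and <code>apikeyRef</code> fields of the <code>conjur-secret-store.yaml</code> file.</p>`.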
|
|
|
@@ -4202,14 +4226,20 @@ kubectl<span class="w"> </span>-n<span class="w"> </span>external-secrets<span c
|
|
|
<span class="w"> </span><span class="nt">jwt</span><span class="p">:</span>
|
|
|
<span class="w"> </span><span class="c1"># conjur account</span>
|
|
|
<span class="w"> </span><span class="nt">account</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">conjur</span>
|
|
|
-<span class="w"> </span><span class="nt">serviceID</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">my-jwt-auth-service</span><span class="w"> </span><span class="c1"># The authn-jwt service ID</span>
|
|
|
-<span class="w"> </span><span class="nt">serviceAccountRef</span><span class="p">:</span><span class="w"> </span><span class="c1"># Service account to retrieve JWT token for</span>
|
|
|
+<span class="w"> </span><span class="c1"># The authn-jwt service ID</span>
|
|
|
+<span class="w"> </span><span class="nt">serviceID</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">my-jwt-auth-service</span>
|
|
|
+<span class="w"> </span><span class="c1"># Service account to retrieve JWT token for</span>
|
|
|
+<span class="w"> </span><span class="nt">serviceAccountRef</span><span class="p">:</span>
|
|
|
<span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">my-service-account</span>
|
|
|
-<span class="w"> </span><span class="nt">audiences</span><span class="p">:</span><span class="w"> </span><span class="c1"># [OPTIONAL] audiences to include in JWT token</span>
|
|
|
+<span class="w"> </span><span class="c1"># [OPTIONAL] audiences to include in JWT token</span>
|
|
|
+<span class="w"> </span><span class="nt">audiences</span><span class="p">:</span>
|
|
|
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">https://conjur.company.com</span>
|
|
|
</code></pre></div>
|
|
|
-<p>This is only supported in Kubernetes 1.22 and above as it uses the <a href="https://kubernetes.io/docs/reference/kubernetes-api/authentication-resources/token-request-v1/">TokenRequest API</a> to get the JWT token from the referenced service account. Audiences can be set as required by the <a href="https://docs.conjur.org/Latest/en/Content/Integrations/k8s-ocp/k8s-jwt-authn.htm">Conjur JWT authenticator</a>.</p>
|
|
|
-<p>Alternatively, a secret containing a valid JWT token can be referenced as follows:</p>
|
|
|
+<div class="admonition important">
|
|
|
+<p class="admonition-title">Important</p>
|
|
|
+<p>This method is only supported in Kubernetes 1.22 and above as it uses the <a href="https://kubernetes.io/docs/reference/kubernetes-api/authentication-resources/token-request-v1/">TokenRequest API</a> to get the JWT token from the referenced service account. Audiences can be defined in the <a href="https://docs.conjur.org/Latest/en/Content/Integrations/k8s-ocp/k8s-jwt-authn.htm">Conjur JWT authenticator</a>.</p>
|
|
|
+</div>
|
|
|
+<p>Alternatively, here is an example where a secret containing a valid JWT token is referenced:</p>
|
|
|
<div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1beta1</span>
|
|
|
<span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SecretStore</span>
|
|
|
<span class="nt">metadata</span><span class="p">:</span>
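Review bot: The new Important admonition changes the meaning of the audience sentence: the removed text said audiences "can be set as required by" the Conjur JWT authenticator, i.e. chosen in the <code>audiences</code> field of this SecretStore to match what the authenticator expects, whereas the new text says they "can be defined in" the authenticator, which points the reader at the wrong place. Suggest `Audiences can be set in the <code>audiences</code> field as required by the <a href="https://docs.conjur.org/Latest/en/Content/Integrations/k8s-ocp/k8s-jwt-authn.htm">Conjur JWT authenticator</a>.` Moving the `# [OPTIONAL] audiences to include in JWT token` comment onto its own line in the same hunk is fine, but it could likewise say the value must match the authenticator's expected audience.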
|
|
|
@@ -4225,18 +4255,20 @@ kubectl<span class="w"> </span>-n<span class="w"> </span>external-secrets<span c
|
|
|
<span class="w"> </span><span class="nt">jwt</span><span class="p">:</span>
|
|
|
<span class="w"> </span><span class="c1"># conjur account</span>
|
|
|
<span class="w"> </span><span class="nt">account</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">conjur</span>
|
|
|
-<span class="w"> </span><span class="nt">serviceID</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">my-jwt-auth-service</span><span class="w"> </span><span class="c1"># The authn-jwt service ID</span>
|
|
|
-<span class="w"> </span><span class="nt">secretRef</span><span class="p">:</span><span class="w"> </span><span class="c1"># Secret containing a valid JWT token</span>
|
|
|
+<span class="w"> </span><span class="c1"># The authn-jwt service ID</span>
|
|
|
+<span class="w"> </span><span class="nt">serviceID</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">my-jwt-auth-service</span>
|
|
|
+<span class="w"> </span><span class="c1"># Secret containing a valid JWT token</span>
|
|
|
+<span class="w"> </span><span class="nt">secretRef</span><span class="p">:</span>
|
|
|
<span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">my-jwt-secret</span>
|
|
|
<span class="w"> </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">token</span>
|
|
|
</code></pre></div>
|
|
|
-<p>This secret must contain a JWT token that identifies your Conjur host. The secret must contain a JWT token consumable by a configured Conjur JWT authenticator and must satisfy all <a href="https://docs.conjur.org/Latest/en/Content/Operations/Services/cjr-authn-jwt-guidelines.htm#Best">Conjur JWT guidelines</a>. This can be a JWT created by an external JWT issuer or the Kubernetes api server itself. Such a with Kubernetes Service Account token can be created using the below command:</p>
|
|
|
+<p>The JWT token must identify your Conjur host, be compatible with your configured Conjur JWT authenticator, and meet all the <a href="https://docs.conjur.org/Latest/en/Content/Operations/Services/cjr-authn-jwt-guidelines.htm#Best">Conjur JWT guidelines</a>.</p>
|
|
|
+<p>You can use an external JWT issuer or the Kubernetes API server to create the token. For example, a Kubernetes service account token can be created with this command:</p>
|
|
|
<div class="highlight"><pre><span></span><code>kubectl<span class="w"> </span>create<span class="w"> </span>token<span class="w"> </span>my-service-account<span class="w"> </span>--audience<span class="o">=</span><span class="s1">'https://conjur.company.com'</span><span class="w"> </span>--duration<span class="o">=</span>3600s
|
|
|
</code></pre></div>
|
|
|
-<p>Save the <code>SecretStore</code> definition as filename <code>conjur-secret-store.yaml</code> as referenced in later steps.</p>
|
|
|
-<h3 id="create-external-secret-definition">Create External Secret Definition</h3>
|
|
|
-<p>Important note: <strong>Creds must live in the same namespace as a SecretStore - the secret store may only reference secrets from the same namespace.</strong> When using a ClusterSecretStore this limitation is lifted and the creds can live in any namespace.</p>
|
|
|
-<p>Recommend to save as filename: <code>conjur-external-secret.yaml</code></p>
|
|
|
+<p>Save the secret store file as <code>conjur-secret-store.yaml</code> (the filename used in subsequent steps).</p>
|
|
|
+<h4 id="step-2-define-an-external-secret">Step 2: Define an external secret</h4>
|
|
|
+<p>Save the external secret file as: <code>conjur-external-secret.yaml</code></p>
|
|
|
<div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1beta1</span>
|
|
|
<span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ExternalSecret</span>
|
|
|
<span class="nt">metadata</span><span class="p">:</span>
|
|
|
@@ -4252,8 +4284,12 @@ kubectl<span class="w"> </span>-n<span class="w"> </span>external-secrets<span c
|
|
|
<span class="w"> </span><span class="nt">remoteRef</span><span class="p">:</span>
|
|
|
<span class="w"> </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">data/app1/secret00</span>
|
|
|
</code></pre></div>
|
|
|
-<h3 id="create-the-external-secrets-store">Create the External Secrets Store</h3>
|
|
|
-<div class="highlight"><pre><span></span><code><span class="c1"># WARNING: this will create the store configuration in the "external-secrets" namespace, adjust this to your own situation</span>
|
|
|
+<div class="admonition important">
|
|
|
+<p class="admonition-title">Important</p>
|
|
|
+<p>Unless you are using a <a href="../../api/clustersecretstore/">ClusterSecretStore</a>, credentials must reside in the same namespace as the SecretStore.</p>
|
|
|
+</div>
|
|
|
+<h4 id="step-3-create-the-external-secrets-store">Step 3: Create the external secrets store</h4>
|
|
|
+<div class="highlight"><pre><span></span><code><span class="c1"># WARNING: creates the store in the "external-secrets" namespace, update the value as needed</span>
|
|
|
<span class="c1">#</span>
|
|
|
kubectl<span class="w"> </span>apply<span class="w"> </span>-n<span class="w"> </span>external-secrets<span class="w"> </span>-f<span class="w"> </span>conjur-secret-store.yaml
|
|
|
|
|
|
@@ -4262,8 +4298,8 @@ kubectl<span class="w"> </span>apply<span class="w"> </span>-n<span class="w"> <
|
|
|
<span class="c1"># If there is a need to delete the external secretstore</span>
|
|
|
<span class="c1"># kubectl delete secretstore -n external-secrets conjur</span>
|
|
|
</code></pre></div>
|
|
|
-<h3 id="create-the-external-secret">Create the External Secret</h3>
|
|
|
-<div class="highlight"><pre><span></span><code><span class="c1"># WARNING: this will create the external-secret configuration in the "external-secrets" namespace, adjust this to your own situation</span>
|
|
|
+<h4 id="step-4-create-the-external-secret">Step 4: Create the external secret</h4>
|
|
|
+<div class="highlight"><pre><span></span><code><span class="c1"># WARNING: creates the external-secret in the "external-secrets" namespace, update the value as needed</span>
|
|
|
<span class="c1">#</span>
|
|
|
kubectl<span class="w"> </span>apply<span class="w"> </span>-n<span class="w"> </span>external-secrets<span class="w"> </span>-f<span class="w"> </span>conjur-external-secret.yaml
|
|
|
|
|
|
@@ -4272,17 +4308,22 @@ kubectl<span class="w"> </span>apply<span class="w"> </span>-n<span class="w"> <
|
|
|
<span class="c1"># If there is a need to delete the external secret</span>
|
|
|
<span class="c1"># kubectl delete externalsecret -n external-secrets conjur</span>
|
|
|
</code></pre></div>
|
|
|
-<h3 id="getting-the-k8s-secret">Getting the K8S Secret</h3>
|
|
|
+<h4 id="step-5-get-the-k8s-secret">Step 5: Get the K8s secret</h4>
|
|
|
<ul>
|
|
|
-<li>Login to your Conjur server and verify that your secret exists</li>
|
|
|
-<li>Review the value of your Kubernetes secret to see that it contains the same value from Conjur</li>
|
|
|
+<li>Log in to your Conjur server and verify that your secret exists</li>
|
|
|
+<li>Review the value of your Kubernetes secret to verify that it contains the same value as the Conjur server</li>
|
|
|
</ul>
|
|
|
<div class="highlight"><pre><span></span><code><span class="c1"># WARNING: this command will reveal the stored secret in plain text</span>
|
|
|
<span class="c1">#</span>
|
|
|
<span class="c1"># Assuming the secret name is "secret00", this will show the value</span>
|
|
|
kubectl<span class="w"> </span>get<span class="w"> </span>secret<span class="w"> </span>-n<span class="w"> </span>external-secrets<span class="w"> </span>conjur<span class="w"> </span>-o<span class="w"> </span><span class="nv">jsonpath</span><span class="o">=</span><span class="s2">"{.data.secret00}"</span><span class="w"> </span><span class="p">|</span><span class="w"> </span>base64<span class="w"> </span>--decode<span class="w"> </span><span class="o">&&</span><span class="w"> </span><span class="nb">echo</span>
|
|
|
</code></pre></div>
|
|
|
-<h3 id="support">Support</h3>
|
|
|
+<h3 id="see-also">See also</h3>
|
|
|
+<ul>
|
|
|
+<li><a href="https://github.com/conjurdemos/Accelerator-K8s-External-Secrets">Accelerator-K8s-External-Secrets repo</a></li>
|
|
|
+<li><a href="https://docs.cyberark.com/conjur-open-source/Latest/en/Content/Operations/Services/cjr-authn-jwt-guidelines.htm">Configure Conjur JWT authentication</a></li>
|
|
|
+</ul>
|
|
|
+<h3 id="license">License</h3>
|
|
|
<p>Copyright (c) 2023 CyberArk Software Ltd. All rights reserved.</p>
|
|
|
<p>Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
you may not use this file except in compliance with the License.
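Review bot: The new "See also" entry labels the cjr-authn-jwt-guidelines.htm page "Configure Conjur JWT authentication", while what appears to be the same guidelines page (same path, different host) is linked earlier in the file as "Conjur JWT guidelines"; one name per target avoids suggesting two different documents exist. Suggest `<li><a href="https://docs.cyberark.com/conjur-open-source/Latest/en/Content/Operations/Services/cjr-authn-jwt-guidelines.htm">Conjur JWT guidelines</a></li>`. The retained `# WARNING: this command will reveal the stored secret in plain text` comment above the <code>kubectl get secret</code> line is the right caveat to keep next to Step 5's verification instructions.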
|