
Deployed 47c0f6c7 to main with MkDocs 1.5.3 and mike 1.2.0.dev0

shuheiktgw 2 years ago
parent
commit
1a544dbf7e

+ 150 - 109
main/provider/conjur/index.html

@@ -2053,46 +2053,46 @@
       <ul class="md-nav__list">
         
           <li class="md-nav__item">
-  <a href="#pre-requirements" class="md-nav__link">
+  <a href="#prerequisites" class="md-nav__link">
     <span class="md-ellipsis">
-      Pre-requirements
+      Prerequisites
     </span>
   </a>
   
 </li>
         
           <li class="md-nav__item">
-  <a href="#certificate-for-conjur-server" class="md-nav__link">
+  <a href="#conjur-server-certificate" class="md-nav__link">
     <span class="md-ellipsis">
-      Certificate for Conjur server
+      Conjur server certificate
     </span>
   </a>
   
 </li>
         
           <li class="md-nav__item">
-  <a href="#external-secret-store-definition-with-apikey-authentication" class="md-nav__link">
+  <a href="#external-secret-store-with-apikey-authentication" class="md-nav__link">
     <span class="md-ellipsis">
-      External Secret Store Definition with ApiKey Authentication
+      External secret store with apiKey authentication
     </span>
   </a>
   
-    <nav class="md-nav" aria-label="External Secret Store Definition with ApiKey Authentication">
+    <nav class="md-nav" aria-label="External secret store with apiKey authentication">
       <ul class="md-nav__list">
         
           <li class="md-nav__item">
-  <a href="#create-external-secret-store-definition" class="md-nav__link">
+  <a href="#step-1-create-an-external-secret-store" class="md-nav__link">
     <span class="md-ellipsis">
-      Create External Secret Store Definition
+      Step 1: Create an external secret store
     </span>
   </a>
   
 </li>
         
           <li class="md-nav__item">
-  <a href="#create-kubernetes-secrets" class="md-nav__link">
+  <a href="#step-2-create-kubernetes-secrets" class="md-nav__link">
     <span class="md-ellipsis">
-      Create Kubernetes Secrets
+      Step 2: Create Kubernetes secrets
     </span>
   </a>
   
@@ -2106,67 +2106,76 @@
           <li class="md-nav__item">
   <a href="#external-secret-store-with-jwt-authentication" class="md-nav__link">
     <span class="md-ellipsis">
-      External Secret Store with JWT Authentication
+      External secret store with JWT authentication
     </span>
   </a>
   
-    <nav class="md-nav" aria-label="External Secret Store with JWT Authentication">
+    <nav class="md-nav" aria-label="External secret store with JWT authentication">
       <ul class="md-nav__list">
         
           <li class="md-nav__item">
-  <a href="#create-external-secret-store-definition_1" class="md-nav__link">
+  <a href="#step-1-define-an-external-secret-store" class="md-nav__link">
     <span class="md-ellipsis">
-      Create External Secret Store Definition
+      Step 1: Define an external secret store
     </span>
   </a>
   
 </li>
         
-      </ul>
-    </nav>
+          <li class="md-nav__item">
+  <a href="#step-2-define-an-external-secret" class="md-nav__link">
+    <span class="md-ellipsis">
+      Step 2: Define an external secret
+    </span>
+  </a>
   
 </li>
         
           <li class="md-nav__item">
-  <a href="#create-external-secret-definition" class="md-nav__link">
+  <a href="#step-3-create-the-external-secrets-store" class="md-nav__link">
     <span class="md-ellipsis">
-      Create External Secret Definition
+      Step 3: Create the external secrets store
     </span>
   </a>
   
 </li>
         
           <li class="md-nav__item">
-  <a href="#create-the-external-secrets-store" class="md-nav__link">
+  <a href="#step-4-create-the-external-secret" class="md-nav__link">
     <span class="md-ellipsis">
-      Create the External Secrets Store
+      Step 4: Create the external secret
     </span>
   </a>
   
 </li>
         
           <li class="md-nav__item">
-  <a href="#create-the-external-secret" class="md-nav__link">
+  <a href="#step-5-get-the-k8s-secret" class="md-nav__link">
     <span class="md-ellipsis">
-      Create the External Secret
+      Step 5: Get the K8s secret
     </span>
   </a>
   
+</li>
+        
+      </ul>
+    </nav>
+  
 </li>
         
           <li class="md-nav__item">
-  <a href="#getting-the-k8s-secret" class="md-nav__link">
+  <a href="#see-also" class="md-nav__link">
     <span class="md-ellipsis">
-      Getting the K8S Secret
+      See also
     </span>
   </a>
   
 </li>
         
           <li class="md-nav__item">
-  <a href="#support" class="md-nav__link">
+  <a href="#license" class="md-nav__link">
     <span class="md-ellipsis">
-      Support
+      License
     </span>
   </a>
   
@@ -3951,46 +3960,46 @@
       <ul class="md-nav__list">
         
           <li class="md-nav__item">
-  <a href="#pre-requirements" class="md-nav__link">
+  <a href="#prerequisites" class="md-nav__link">
     <span class="md-ellipsis">
-      Pre-requirements
+      Prerequisites
     </span>
   </a>
   
 </li>
         
           <li class="md-nav__item">
-  <a href="#certificate-for-conjur-server" class="md-nav__link">
+  <a href="#conjur-server-certificate" class="md-nav__link">
     <span class="md-ellipsis">
-      Certificate for Conjur server
+      Conjur server certificate
     </span>
   </a>
   
 </li>
         
           <li class="md-nav__item">
-  <a href="#external-secret-store-definition-with-apikey-authentication" class="md-nav__link">
+  <a href="#external-secret-store-with-apikey-authentication" class="md-nav__link">
     <span class="md-ellipsis">
-      External Secret Store Definition with ApiKey Authentication
+      External secret store with apiKey authentication
     </span>
   </a>
   
-    <nav class="md-nav" aria-label="External Secret Store Definition with ApiKey Authentication">
+    <nav class="md-nav" aria-label="External secret store with apiKey authentication">
       <ul class="md-nav__list">
         
           <li class="md-nav__item">
-  <a href="#create-external-secret-store-definition" class="md-nav__link">
+  <a href="#step-1-create-an-external-secret-store" class="md-nav__link">
     <span class="md-ellipsis">
-      Create External Secret Store Definition
+      Step 1: Create an external secret store
     </span>
   </a>
   
 </li>
         
           <li class="md-nav__item">
-  <a href="#create-kubernetes-secrets" class="md-nav__link">
+  <a href="#step-2-create-kubernetes-secrets" class="md-nav__link">
     <span class="md-ellipsis">
-      Create Kubernetes Secrets
+      Step 2: Create Kubernetes secrets
     </span>
   </a>
   
@@ -4004,67 +4013,76 @@
           <li class="md-nav__item">
   <a href="#external-secret-store-with-jwt-authentication" class="md-nav__link">
     <span class="md-ellipsis">
-      External Secret Store with JWT Authentication
+      External secret store with JWT authentication
     </span>
   </a>
   
-    <nav class="md-nav" aria-label="External Secret Store with JWT Authentication">
+    <nav class="md-nav" aria-label="External secret store with JWT authentication">
       <ul class="md-nav__list">
         
           <li class="md-nav__item">
-  <a href="#create-external-secret-store-definition_1" class="md-nav__link">
+  <a href="#step-1-define-an-external-secret-store" class="md-nav__link">
     <span class="md-ellipsis">
-      Create External Secret Store Definition
+      Step 1: Define an external secret store
     </span>
   </a>
   
 </li>
         
-      </ul>
-    </nav>
+          <li class="md-nav__item">
+  <a href="#step-2-define-an-external-secret" class="md-nav__link">
+    <span class="md-ellipsis">
+      Step 2: Define an external secret
+    </span>
+  </a>
   
 </li>
         
           <li class="md-nav__item">
-  <a href="#create-external-secret-definition" class="md-nav__link">
+  <a href="#step-3-create-the-external-secrets-store" class="md-nav__link">
     <span class="md-ellipsis">
-      Create External Secret Definition
+      Step 3: Create the external secrets store
     </span>
   </a>
   
 </li>
         
           <li class="md-nav__item">
-  <a href="#create-the-external-secrets-store" class="md-nav__link">
+  <a href="#step-4-create-the-external-secret" class="md-nav__link">
     <span class="md-ellipsis">
-      Create the External Secrets Store
+      Step 4: Create the external secret
     </span>
   </a>
   
 </li>
         
           <li class="md-nav__item">
-  <a href="#create-the-external-secret" class="md-nav__link">
+  <a href="#step-5-get-the-k8s-secret" class="md-nav__link">
     <span class="md-ellipsis">
-      Create the External Secret
+      Step 5: Get the K8s secret
     </span>
   </a>
   
+</li>
+        
+      </ul>
+    </nav>
+  
 </li>
         
           <li class="md-nav__item">
-  <a href="#getting-the-k8s-secret" class="md-nav__link">
+  <a href="#see-also" class="md-nav__link">
     <span class="md-ellipsis">
-      Getting the K8S Secret
+      See also
     </span>
   </a>
   
 </li>
         
           <li class="md-nav__item">
-  <a href="#support" class="md-nav__link">
+  <a href="#license" class="md-nav__link">
     <span class="md-ellipsis">
-      Support
+      License
     </span>
   </a>
   
@@ -4096,27 +4114,21 @@
   <h1>CyberArk Conjur</h1>
 
 <h2 id="conjur-provider">Conjur Provider</h2>
-<p>The following sections outline what is needed to get your external-secrets Conjur provider setup.</p>
-<h3 id="pre-requirements">Pre-requirements</h3>
-<p>This section contains the list of the pre-requirements before installing the Conjur Provider.</p>
+<p>This section describes how to set up the Conjur provider for External Secrets Operator (ESO). For a working example, see the <a href="https://github.com/conjurdemos/Accelerator-K8s-External-Secrets">Accelerator-K8s-External-Secrets repo</a>.</p>
+<h3 id="prerequisites">Prerequisites</h3>
+<p>Before installing the Conjur provider, you need:</p>
 <ul>
-<li>Running Conjur Server<ul>
-<li>These items will be needed in order to configure the secret-store<ul>
-<li>Conjur endpoint - include the scheme but no trailing '/', ex: https://myapi.example.com</li>
-<li>Conjur authentication info (hostid, apikey, jwt service id, etc)</li>
-<li>Conjur must be configured to support your authentication method (<code>apikey</code> is supported by default, <code>jwt</code> requires additional configuration)</li>
-<li>Certificate for Conjur server is OPTIONAL -- But, <strong>when using a self-signed cert when setting up your Conjur server, it is strongly recommended to populate "caBundle" with self-signed cert in the secret-store definition</strong></li>
-</ul>
-</li>
-</ul>
-</li>
-<li>Kubernetes cluster<ul>
-<li>External Secrets Operator is installed</li>
+<li>A running Conjur Server, with:<ul>
+<li>An accessible Conjur endpoint (for example: <code>https://myapi.example.com</code>).</li>
+<li>Your configured Conjur authentication info (such as <code>hostid</code>, <code>apikey</code>, or JWT service ID). For more information on configuring Conjur, see <a href="https://docs.cyberark.com/conjur-open-source/Latest/en/Content/Operations/Policy/policy-statement-ref.htm">Policy statement reference</a>.</li>
+<li>Support for your authentication method (<code>apikey</code> is supported by default, <code>jwt</code> requires additional configuration).</li>
+<li><strong>Optional</strong>: Conjur server certificate (see <a href="#conjur-server-certificate">below</a>).</li>
 </ul>
 </li>
+<li>A Kubernetes cluster with ESO installed.</li>
 </ul>
-<h3 id="certificate-for-conjur-server">Certificate for Conjur server</h3>
-<p>When using a self-signed cert when setting up your Conjur server, it is strongly recommended to populate "caBundle" with self-signed cert in the secret-store definition. The certificate CA must be referenced on the secret-store definition using either a <code>caBundle</code> or <code>caProvider</code> as below:</p>
+<h3 id="conjur-server-certificate">Conjur server certificate</h3>
+<p>If you set up your Conjur server with a self-signed certificate, we recommend that you populate the <code>caBundle</code> field with the Conjur self-signed certificate in the secret-store definition. The certificate CA must be referenced in the secret-store definition using either <code>caBundle</code> or <code>caProvider</code>:</p>
 <div class="highlight"><pre><span></span><code><span class="l l-Scalar l-Scalar-Plain">....</span>
 <span class="l l-Scalar l-Scalar-Plain">spec</span><span class="p p-Indicator">:</span>
 <span class="w">  </span><span class="nt">provider</span><span class="p">:</span>
@@ -4128,20 +4140,24 @@
 <span class="w">      </span><span class="nt">caBundle</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;&lt;base64</span><span class="nv"> </span><span class="s">encoded</span><span class="nv"> </span><span class="s">cabundle&gt;&quot;</span>
 
 <span class="w">      </span><span class="c1"># [OPTIONAL] caProvider:</span>
-<span class="w">      </span><span class="c1"># Instead of caBundle you can also specify a caProvider</span>
-<span class="w">      </span><span class="c1"># this will retrieve the cert from a Secret or ConfigMap</span>
+<span class="w">      </span><span class="c1"># Instead of caBundle you can also specify a caProvider,</span>
+<span class="w">      </span><span class="c1"># which retrieves the cert from a Secret or ConfigMap</span>
 <span class="w">      </span><span class="nt">caProvider</span><span class="p">:</span>
 <span class="w">        </span><span class="nt">type</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;Secret&quot;</span><span class="w"> </span><span class="c1"># Can be Secret or ConfigMap</span>
 <span class="w">        </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;&lt;name</span><span class="nv"> </span><span class="s">of</span><span class="nv"> </span><span class="s">secret</span><span class="nv"> </span><span class="s">or</span><span class="nv"> </span><span class="s">configmap&gt;&quot;</span>
 <span class="w">        </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;&lt;key</span><span class="nv"> </span><span class="s">inside</span><span class="nv"> </span><span class="s">secret</span><span class="nv"> </span><span class="s">or</span><span class="nv"> </span><span class="s">configmap&gt;&quot;</span>
-<span class="w">        </span><span class="c1"># namespace is mandatory for ClusterSecretStore and not relevant for SecretStore</span>
+<span class="w">        </span><span class="c1"># namespace is required for ClusterSecretStore</span>
+<span class="w">        </span><span class="c1"># but not relevant for SecretStore</span>
 <span class="w">        </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;my-cert-secret-namespace&quot;</span>
 <span class="w">  </span><span class="l l-Scalar l-Scalar-Plain">....</span>
 </code></pre></div>
-<h3 id="external-secret-store-definition-with-apikey-authentication">External Secret Store Definition with ApiKey Authentication</h3>
-<p>This method uses a combination of the Conjur <code>hostid</code> and <code>apikey</code> to authenticate to Conjur. This method is the simplest to setup and use as your Conjur instance requires no special setup.</p>
-<h4 id="create-external-secret-store-definition">Create External Secret Store Definition</h4>
-<p>Recommend to save as filename: <code>conjur-secret-store.yaml</code></p>
+<h3 id="external-secret-store-with-apikey-authentication">External secret store with apiKey authentication</h3>
+<p>This method uses a Conjur <code>hostid</code> and <code>apikey</code> to authenticate with Conjur. It is the simplest method to set up and use because your Conjur instance requires no additional configuration.</p>
+<h4 id="step-1-create-an-external-secret-store">Step 1: Create an external secret store</h4>
+<div class="admonition tip">
+<p class="admonition-title">Tip</p>
+<p>Save as the file as: <code>conjur-secret-store.yaml</code></p>
+</div>
 <div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1beta1</span>
 <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SecretStore</span>
 <span class="nt">metadata</span><span class="p">:</span>
@@ -4164,29 +4180,37 @@
 <span class="w">            </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">conjur-creds</span>
 <span class="w">            </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">apikey</span>
 </code></pre></div>
-<h4 id="create-kubernetes-secrets">Create Kubernetes Secrets</h4>
-<p>In order for the ESO <strong>Conjur</strong> provider to connect to the Conjur server using the <code>apikey</code> creds, these creds should be stored as k8s secrets.  Please refer to <a href="https://kubernetes.io/docs/concepts/configuration/secret/#creating-a-secret">https://kubernetes.io/docs/concepts/configuration/secret/#creating-a-secret</a> for various methods to create secrets.  Here is one way to do it using <code>kubectl</code></p>
-<p><strong><em>NOTE</em></strong>: "conjur-creds" is the "name" used in "userRef" and "apikeyRef" in the conjur-secret-store definition</p>
+<h4 id="step-2-create-kubernetes-secrets">Step 2: Create Kubernetes secrets</h4>
+<p>To connect to the Conjur server, the <strong>ESO Conjur provider</strong> needs to retrieve the <code>apikey</code> credentials from K8s secrets.</p>
+<div class="admonition note">
+<p class="admonition-title">Note</p>
+<p>For more information about how to create K8s secrets, see <a href="https://kubernetes.io/docs/concepts/configuration/secret/#creating-a-secret">Creating a secret</a>.</p>
+</div>
+<p>Here is an example of how to create K8s secrets using the <code>kubectl</code> command:</p>
 <div class="highlight"><pre><span></span><code><span class="c1"># This is all one line</span>
 kubectl<span class="w"> </span>-n<span class="w"> </span>external-secrets<span class="w"> </span>create<span class="w"> </span>secret<span class="w"> </span>generic<span class="w"> </span>conjur-creds<span class="w"> </span>--from-literal<span class="o">=</span><span class="nv">hostid</span><span class="o">=</span>MYCONJURHOSTID<span class="w"> </span>--from-literal<span class="o">=</span><span class="nv">apikey</span><span class="o">=</span>MYAPIKEY
 
 <span class="c1"># Example:</span>
 <span class="c1"># kubectl -n external-secrets create secret generic conjur-creds --from-literal=hostid=host/data/app1/host001 --from-literal=apikey=321blahblah</span>
 </code></pre></div>
-<h3 id="external-secret-store-with-jwt-authentication">External Secret Store with JWT Authentication</h3>
-<p>This method uses JWT tokens to authenticate with Conjur. The following methods for retrieving the JWT token for authentication are supported:</p>
+<div class="admonition note">
+<p class="admonition-title">Note</p>
+<p><code>conjur-creds</code> is the <code>name</code> defined in the <code>userRef</code> and <code>apikeyRef</code> fields of the <code>conjur-secret-store.yml</code> file.</p>
+</div>
+<h3 id="external-secret-store-with-jwt-authentication">External secret store with JWT authentication</h3>
+<p>This method uses JWT tokens to authenticate with Conjur. You can use the following methods to retrieve a JWT token for authentication:</p>
 <ul>
-<li>JWT token from a referenced Kubernetes Service Account</li>
+<li>JWT token from a referenced Kubernetes service account</li>
 <li>JWT token stored in a Kubernetes secret</li>
 </ul>
-<h4 id="create-external-secret-store-definition_1">Create External Secret Store Definition</h4>
-<p>When using JWT authentication the following must be specified in the <code>SecretStore</code>:</p>
+<h4 id="step-1-define-an-external-secret-store">Step 1: Define an external secret store</h4>
+<p>When you use JWT authentication, the following must be specified in the <code>SecretStore</code>:</p>
 <ul>
 <li><code>account</code> -  The name of the Conjur account</li>
-<li><code>serviceId</code> - The ID of the JWT Authenticator <code>WebService</code> configured in Conjur that will be used to authenticate the JWT token</li>
+<li><code>serviceId</code> - The ID of the JWT Authenticator <code>WebService</code> configured in Conjur that is used to authenticate the JWT token</li>
 </ul>
-<p>You can then choose to either retrieve the JWT token using a Service Account reference or from a Kubernetes Secret.</p>
-<p>To use a JWT token from a referenced Kubernetes Service Account, the following secret store definition can be used:</p>
+<p>You can retrieve the JWT token from either a referenced service account or a Kubernetes secret.</p>
+<p>For example, to retrieve a JWT token from a referenced Kubernetes service account, the following secret store definition can be used:</p>
 <div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1beta1</span>
 <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SecretStore</span>
 <span class="nt">metadata</span><span class="p">:</span>
@@ -4202,14 +4226,20 @@ kubectl<span class="w"> </span>-n<span class="w"> </span>external-secrets<span c
 <span class="w">        </span><span class="nt">jwt</span><span class="p">:</span>
 <span class="w">          </span><span class="c1"># conjur account</span>
 <span class="w">          </span><span class="nt">account</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">conjur</span>
-<span class="w">          </span><span class="nt">serviceID</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">my-jwt-auth-service</span><span class="w"> </span><span class="c1"># The authn-jwt service ID</span>
-<span class="w">          </span><span class="nt">serviceAccountRef</span><span class="p">:</span><span class="w"> </span><span class="c1"># Service account to retrieve JWT token for</span>
+<span class="w">          </span><span class="c1"># The authn-jwt service ID</span>
+<span class="w">          </span><span class="nt">serviceID</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">my-jwt-auth-service</span>
+<span class="w">          </span><span class="c1"># Service account to retrieve JWT token for</span>
+<span class="w">          </span><span class="nt">serviceAccountRef</span><span class="p">:</span>
 <span class="w">            </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">my-service-account</span>
-<span class="w">            </span><span class="nt">audiences</span><span class="p">:</span><span class="w">  </span><span class="c1"># [OPTIONAL] audiences to include in JWT token</span>
+<span class="w">            </span><span class="c1"># [OPTIONAL] audiences to include in JWT token</span>
+<span class="w">            </span><span class="nt">audiences</span><span class="p">:</span>
 <span class="w">              </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">https://conjur.company.com</span>
 </code></pre></div>
-<p>This is only supported in Kubernetes 1.22 and above as it uses the <a href="https://kubernetes.io/docs/reference/kubernetes-api/authentication-resources/token-request-v1/">TokenRequest API</a> to get the JWT token from the referenced service account. Audiences can be set as required by the <a href="https://docs.conjur.org/Latest/en/Content/Integrations/k8s-ocp/k8s-jwt-authn.htm">Conjur JWT authenticator</a>.</p>
-<p>Alternatively, a secret containing a valid JWT token can be referenced as follows:</p>
+<div class="admonition important">
+<p class="admonition-title">Important</p>
+<p>This method is only supported in Kubernetes 1.22 and above as it uses the <a href="https://kubernetes.io/docs/reference/kubernetes-api/authentication-resources/token-request-v1/">TokenRequest API</a> to get the JWT token from the referenced service account. Audiences can be defined in the <a href="https://docs.conjur.org/Latest/en/Content/Integrations/k8s-ocp/k8s-jwt-authn.htm">Conjur JWT authenticator</a>.</p>
+</div>
+<p>Alternatively, here is an example where a secret containing a valid JWT token is referenced:</p>
 <div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1beta1</span>
 <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SecretStore</span>
 <span class="nt">metadata</span><span class="p">:</span>
@@ -4225,18 +4255,20 @@ kubectl<span class="w"> </span>-n<span class="w"> </span>external-secrets<span c
 <span class="w">        </span><span class="nt">jwt</span><span class="p">:</span>
 <span class="w">          </span><span class="c1"># conjur account</span>
 <span class="w">          </span><span class="nt">account</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">conjur</span>
-<span class="w">          </span><span class="nt">serviceID</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">my-jwt-auth-service</span><span class="w"> </span><span class="c1"># The authn-jwt service ID</span>
-<span class="w">          </span><span class="nt">secretRef</span><span class="p">:</span><span class="w"> </span><span class="c1"># Secret containing a valid JWT token</span>
+<span class="w">          </span><span class="c1"># The authn-jwt service ID</span>
+<span class="w">          </span><span class="nt">serviceID</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">my-jwt-auth-service</span>
+<span class="w">          </span><span class="c1"># Secret containing a valid JWT token</span>
+<span class="w">          </span><span class="nt">secretRef</span><span class="p">:</span>
 <span class="w">            </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">my-jwt-secret</span>
 <span class="w">            </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">token</span>
 </code></pre></div>
-<p>This secret must contain a JWT token that identifies your Conjur host. The secret must contain a JWT token consumable by a configured Conjur JWT authenticator and must satisfy all <a href="https://docs.conjur.org/Latest/en/Content/Operations/Services/cjr-authn-jwt-guidelines.htm#Best">Conjur JWT guidelines</a>. This can be a JWT created by an external JWT issuer or the Kubernetes api server itself. Such a with Kubernetes Service Account token can be created using the below command:</p>
+<p>The JWT token must identify your Conjur host, be compatible with your configured Conjur JWT authenticator, and meet all the <a href="https://docs.conjur.org/Latest/en/Content/Operations/Services/cjr-authn-jwt-guidelines.htm#Best">Conjur JWT guidelines</a>.</p>
+<p>You can use an external JWT issuer or the Kubernetes API server to create the token. For example, a Kubernetes service account token can be created with this command:</p>
 <div class="highlight"><pre><span></span><code>kubectl<span class="w"> </span>create<span class="w"> </span>token<span class="w"> </span>my-service-account<span class="w"> </span>--audience<span class="o">=</span><span class="s1">&#39;https://conjur.company.com&#39;</span><span class="w"> </span>--duration<span class="o">=</span>3600s
 </code></pre></div>
-<p>Save the <code>SecretStore</code> definition as filename <code>conjur-secret-store.yaml</code> as referenced in later steps.</p>
-<h3 id="create-external-secret-definition">Create External Secret Definition</h3>
-<p>Important note: <strong>Creds must live in the same namespace as a SecretStore  - the secret store may only reference secrets from the same namespace.</strong>  When using a ClusterSecretStore this limitation is lifted and the creds can live in any namespace.</p>
-<p>Recommend to save as filename: <code>conjur-external-secret.yaml</code></p>
+<p>Save the secret store file as <code>conjur-secret-store.yaml</code> (the filename used in subsequent steps).</p>
+<h4 id="step-2-define-an-external-secret">Step 2: Define an external secret</h4>
+<p>Save the external secret file as: <code>conjur-external-secret.yaml</code></p>
 <div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1beta1</span>
 <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ExternalSecret</span>
 <span class="nt">metadata</span><span class="p">:</span>
@@ -4252,8 +4284,12 @@ kubectl<span class="w"> </span>-n<span class="w"> </span>external-secrets<span c
 <span class="w">    </span><span class="nt">remoteRef</span><span class="p">:</span>
 <span class="w">      </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">data/app1/secret00</span>
 </code></pre></div>
-<h3 id="create-the-external-secrets-store">Create the External Secrets Store</h3>
-<div class="highlight"><pre><span></span><code><span class="c1"># WARNING: this will create the store configuration in the &quot;external-secrets&quot; namespace, adjust this to your own situation</span>
+<div class="admonition important">
+<p class="admonition-title">Important</p>
+<p>Unless you are using a <a href="../../api/clustersecretstore/">ClusterSecretStore</a>, credentials must reside in the same namespace as the SecretStore.</p>
+</div>
+<h4 id="step-3-create-the-external-secrets-store">Step 3: Create the external secrets store</h4>
+<div class="highlight"><pre><span></span><code><span class="c1"># WARNING: creates the store in the &quot;external-secrets&quot; namespace, update the value as needed</span>
 <span class="c1">#</span>
 kubectl<span class="w"> </span>apply<span class="w"> </span>-n<span class="w"> </span>external-secrets<span class="w"> </span>-f<span class="w"> </span>conjur-secret-store.yaml
 
@@ -4262,8 +4298,8 @@ kubectl<span class="w"> </span>apply<span class="w"> </span>-n<span class="w"> <
 <span class="c1"># If there is a need to delete the external secretstore</span>
 <span class="c1"># kubectl delete secretstore -n external-secrets conjur</span>
 </code></pre></div>
-<h3 id="create-the-external-secret">Create the External Secret</h3>
-<div class="highlight"><pre><span></span><code><span class="c1"># WARNING: this will create the external-secret configuration in the &quot;external-secrets&quot; namespace, adjust this to your own situation</span>
+<h4 id="step-4-create-the-external-secret">Step 4: Create the external secret</h4>
+<div class="highlight"><pre><span></span><code><span class="c1"># WARNING: creates the external-secret in the &quot;external-secrets&quot; namespace, update the value as needed</span>
 <span class="c1">#</span>
 kubectl<span class="w"> </span>apply<span class="w"> </span>-n<span class="w"> </span>external-secrets<span class="w"> </span>-f<span class="w"> </span>conjur-external-secret.yaml
 
@@ -4272,17 +4308,22 @@ kubectl<span class="w"> </span>apply<span class="w"> </span>-n<span class="w"> <
 <span class="c1"># If there is a need to delete the external secret</span>
 <span class="c1"># kubectl delete externalsecret -n external-secrets conjur</span>
 </code></pre></div>
-<h3 id="getting-the-k8s-secret">Getting the K8S Secret</h3>
+<h4 id="step-5-get-the-k8s-secret">Step 5: Get the K8s secret</h4>
 <ul>
-<li>Login to your Conjur server and verify that your secret exists</li>
-<li>Review the value of your Kubernetes secret to see that it contains the same value from Conjur</li>
+<li>Log in to your Conjur server and verify that your secret exists</li>
+<li>Review the value of your Kubernetes secret to verify that it contains the same value as the Conjur server</li>
 </ul>
 <div class="highlight"><pre><span></span><code><span class="c1"># WARNING: this command will reveal the stored secret in plain text</span>
 <span class="c1">#</span>
 <span class="c1"># Assuming the secret name is &quot;secret00&quot;, this will show the value</span>
 kubectl<span class="w"> </span>get<span class="w"> </span>secret<span class="w"> </span>-n<span class="w"> </span>external-secrets<span class="w"> </span>conjur<span class="w"> </span>-o<span class="w"> </span><span class="nv">jsonpath</span><span class="o">=</span><span class="s2">&quot;{.data.secret00}&quot;</span><span class="w">  </span><span class="p">|</span><span class="w"> </span>base64<span class="w"> </span>--decode<span class="w"> </span><span class="o">&amp;&amp;</span><span class="w"> </span><span class="nb">echo</span>
 </code></pre></div>
-<h3 id="support">Support</h3>
+<h3 id="see-also">See also</h3>
+<ul>
+<li><a href="https://github.com/conjurdemos/Accelerator-K8s-External-Secrets">Accelerator-K8s-External-Secrets repo</a></li>
+<li><a href="https://docs.cyberark.com/conjur-open-source/Latest/en/Content/Operations/Services/cjr-authn-jwt-guidelines.htm">Configure Conjur JWT authentication</a></li>
+</ul>
+<h3 id="license">License</h3>
 <p>Copyright (c) 2023 CyberArk Software Ltd. All rights reserved.</p>
 <p>Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.

+ 0 - 0
main/search/search_index.json


BIN
main/sitemap.xml.gz


+ 4 - 3
main/snippets/conjur-ca-bundle.yaml

@@ -9,12 +9,13 @@ spec:
       caBundle: "<base64 encoded cabundle>"
 
       # [OPTIONAL] caProvider:
-      # Instead of caBundle you can also specify a caProvider
-      # this will retrieve the cert from a Secret or ConfigMap
+      # Instead of caBundle you can also specify a caProvider,
+      # which retrieves the cert from a Secret or ConfigMap
       caProvider:
         type: "Secret" # Can be Secret or ConfigMap
         name: "<name of secret or configmap>"
         key: "<key inside secret or configmap>"
-        # namespace is mandatory for ClusterSecretStore and not relevant for SecretStore
+        # namespace is required for ClusterSecretStore
+        # but not relevant for SecretStore
         namespace: "my-cert-secret-namespace"
   ....

+ 4 - 2
main/snippets/conjur-secret-store-jwt-secret-ref.yaml

@@ -13,7 +13,9 @@ spec:
         jwt:
           # conjur account
           account: conjur
-          serviceID: my-jwt-auth-service # The authn-jwt service ID
-          secretRef: # Secret containing a valid JWT token
+          # The authn-jwt service ID
+          serviceID: my-jwt-auth-service
+          # Secret containing a valid JWT token
+          secretRef:
             name: my-jwt-secret
             key: token

+ 6 - 3
main/snippets/conjur-secret-store-jwt-service-account-ref.yaml

@@ -13,9 +13,12 @@ spec:
         jwt:
           # conjur account
           account: conjur
-          serviceID: my-jwt-auth-service # The authn-jwt service ID
-          serviceAccountRef: # Service account to retrieve JWT token for
+          # The authn-jwt service ID
+          serviceID: my-jwt-auth-service
+          # Service account to retrieve JWT token for
+          serviceAccountRef:
             name: my-service-account
-            audiences:  # [OPTIONAL] audiences to include in JWT token
+            # [OPTIONAL] audiences to include in JWT token
+            audiences:
               - https://conjur.company.com
 
