Browse Source

Deployed 47c0f6c7 to main with MkDocs 1.5.3 and mike 1.2.0.dev0

shuheiktgw 2 years ago
parent
commit
1a544dbf7e

+ 150 - 109
main/provider/conjur/index.html

@@ -2053,46 +2053,46 @@
       <ul class="md-nav__list">
       <ul class="md-nav__list">
         
         
           <li class="md-nav__item">
           <li class="md-nav__item">
-  <a href="#pre-requirements" class="md-nav__link">
+  <a href="#prerequisites" class="md-nav__link">
     <span class="md-ellipsis">
     <span class="md-ellipsis">
-      Pre-requirements
+      Prerequisites
     </span>
     </span>
   </a>
   </a>
   
   
 </li>
 </li>
         
         
           <li class="md-nav__item">
           <li class="md-nav__item">
-  <a href="#certificate-for-conjur-server" class="md-nav__link">
+  <a href="#conjur-server-certificate" class="md-nav__link">
     <span class="md-ellipsis">
     <span class="md-ellipsis">
-      Certificate for Conjur server
+      Conjur server certificate
     </span>
     </span>
   </a>
   </a>
   
   
 </li>
 </li>
         
         
           <li class="md-nav__item">
           <li class="md-nav__item">
-  <a href="#external-secret-store-definition-with-apikey-authentication" class="md-nav__link">
+  <a href="#external-secret-store-with-apikey-authentication" class="md-nav__link">
     <span class="md-ellipsis">
     <span class="md-ellipsis">
-      External Secret Store Definition with ApiKey Authentication
+      External secret store with apiKey authentication
     </span>
     </span>
   </a>
   </a>
   
   
-    <nav class="md-nav" aria-label="External Secret Store Definition with ApiKey Authentication">
+    <nav class="md-nav" aria-label="External secret store with apiKey authentication">
       <ul class="md-nav__list">
       <ul class="md-nav__list">
         
         
           <li class="md-nav__item">
           <li class="md-nav__item">
-  <a href="#create-external-secret-store-definition" class="md-nav__link">
+  <a href="#step-1-create-an-external-secret-store" class="md-nav__link">
     <span class="md-ellipsis">
     <span class="md-ellipsis">
-      Create External Secret Store Definition
+      Step 1: Create an external secret store
     </span>
     </span>
   </a>
   </a>
   
   
 </li>
 </li>
         
         
           <li class="md-nav__item">
           <li class="md-nav__item">
-  <a href="#create-kubernetes-secrets" class="md-nav__link">
+  <a href="#step-2-create-kubernetes-secrets" class="md-nav__link">
     <span class="md-ellipsis">
     <span class="md-ellipsis">
-      Create Kubernetes Secrets
+      Step 2: Create Kubernetes secrets
     </span>
     </span>
   </a>
   </a>
   
   
@@ -2106,67 +2106,76 @@
           <li class="md-nav__item">
           <li class="md-nav__item">
   <a href="#external-secret-store-with-jwt-authentication" class="md-nav__link">
   <a href="#external-secret-store-with-jwt-authentication" class="md-nav__link">
     <span class="md-ellipsis">
     <span class="md-ellipsis">
-      External Secret Store with JWT Authentication
+      External secret store with JWT authentication
     </span>
     </span>
   </a>
   </a>
   
   
-    <nav class="md-nav" aria-label="External Secret Store with JWT Authentication">
+    <nav class="md-nav" aria-label="External secret store with JWT authentication">
       <ul class="md-nav__list">
       <ul class="md-nav__list">
         
         
           <li class="md-nav__item">
           <li class="md-nav__item">
-  <a href="#create-external-secret-store-definition_1" class="md-nav__link">
+  <a href="#step-1-define-an-external-secret-store" class="md-nav__link">
     <span class="md-ellipsis">
     <span class="md-ellipsis">
-      Create External Secret Store Definition
+      Step 1: Define an external secret store
     </span>
     </span>
   </a>
   </a>
   
   
 </li>
 </li>
         
         
-      </ul>
-    </nav>
+          <li class="md-nav__item">
+  <a href="#step-2-define-an-external-secret" class="md-nav__link">
+    <span class="md-ellipsis">
+      Step 2: Define an external secret
+    </span>
+  </a>
   
   
 </li>
 </li>
         
         
           <li class="md-nav__item">
           <li class="md-nav__item">
-  <a href="#create-external-secret-definition" class="md-nav__link">
+  <a href="#step-3-create-the-external-secrets-store" class="md-nav__link">
     <span class="md-ellipsis">
     <span class="md-ellipsis">
-      Create External Secret Definition
+      Step 3: Create the external secrets store
     </span>
     </span>
   </a>
   </a>
   
   
 </li>
 </li>
         
         
           <li class="md-nav__item">
           <li class="md-nav__item">
-  <a href="#create-the-external-secrets-store" class="md-nav__link">
+  <a href="#step-4-create-the-external-secret" class="md-nav__link">
     <span class="md-ellipsis">
     <span class="md-ellipsis">
-      Create the External Secrets Store
+      Step 4: Create the external secret
     </span>
     </span>
   </a>
   </a>
   
   
 </li>
 </li>
         
         
           <li class="md-nav__item">
           <li class="md-nav__item">
-  <a href="#create-the-external-secret" class="md-nav__link">
+  <a href="#step-5-get-the-k8s-secret" class="md-nav__link">
     <span class="md-ellipsis">
     <span class="md-ellipsis">
-      Create the External Secret
+      Step 5: Get the K8s secret
     </span>
     </span>
   </a>
   </a>
   
   
+</li>
+        
+      </ul>
+    </nav>
+  
 </li>
 </li>
         
         
           <li class="md-nav__item">
           <li class="md-nav__item">
-  <a href="#getting-the-k8s-secret" class="md-nav__link">
+  <a href="#see-also" class="md-nav__link">
     <span class="md-ellipsis">
     <span class="md-ellipsis">
-      Getting the K8S Secret
+      See also
     </span>
     </span>
   </a>
   </a>
   
   
 </li>
 </li>
         
         
           <li class="md-nav__item">
           <li class="md-nav__item">
-  <a href="#support" class="md-nav__link">
+  <a href="#license" class="md-nav__link">
     <span class="md-ellipsis">
     <span class="md-ellipsis">
-      Support
+      License
     </span>
     </span>
   </a>
   </a>
   
   
@@ -3951,46 +3960,46 @@
       <ul class="md-nav__list">
       <ul class="md-nav__list">
         
         
           <li class="md-nav__item">
           <li class="md-nav__item">
-  <a href="#pre-requirements" class="md-nav__link">
+  <a href="#prerequisites" class="md-nav__link">
     <span class="md-ellipsis">
     <span class="md-ellipsis">
-      Pre-requirements
+      Prerequisites
     </span>
     </span>
   </a>
   </a>
   
   
 </li>
 </li>
         
         
           <li class="md-nav__item">
           <li class="md-nav__item">
-  <a href="#certificate-for-conjur-server" class="md-nav__link">
+  <a href="#conjur-server-certificate" class="md-nav__link">
     <span class="md-ellipsis">
     <span class="md-ellipsis">
-      Certificate for Conjur server
+      Conjur server certificate
     </span>
     </span>
   </a>
   </a>
   
   
 </li>
 </li>
         
         
           <li class="md-nav__item">
           <li class="md-nav__item">
-  <a href="#external-secret-store-definition-with-apikey-authentication" class="md-nav__link">
+  <a href="#external-secret-store-with-apikey-authentication" class="md-nav__link">
     <span class="md-ellipsis">
     <span class="md-ellipsis">
-      External Secret Store Definition with ApiKey Authentication
+      External secret store with apiKey authentication
     </span>
     </span>
   </a>
   </a>
   
   
-    <nav class="md-nav" aria-label="External Secret Store Definition with ApiKey Authentication">
+    <nav class="md-nav" aria-label="External secret store with apiKey authentication">
       <ul class="md-nav__list">
       <ul class="md-nav__list">
         
         
           <li class="md-nav__item">
           <li class="md-nav__item">
-  <a href="#create-external-secret-store-definition" class="md-nav__link">
+  <a href="#step-1-create-an-external-secret-store" class="md-nav__link">
     <span class="md-ellipsis">
     <span class="md-ellipsis">
-      Create External Secret Store Definition
+      Step 1: Create an external secret store
     </span>
     </span>
   </a>
   </a>
   
   
 </li>
 </li>
         
         
           <li class="md-nav__item">
           <li class="md-nav__item">
-  <a href="#create-kubernetes-secrets" class="md-nav__link">
+  <a href="#step-2-create-kubernetes-secrets" class="md-nav__link">
     <span class="md-ellipsis">
     <span class="md-ellipsis">
-      Create Kubernetes Secrets
+      Step 2: Create Kubernetes secrets
     </span>
     </span>
   </a>
   </a>
   
   
@@ -4004,67 +4013,76 @@
           <li class="md-nav__item">
           <li class="md-nav__item">
   <a href="#external-secret-store-with-jwt-authentication" class="md-nav__link">
   <a href="#external-secret-store-with-jwt-authentication" class="md-nav__link">
     <span class="md-ellipsis">
     <span class="md-ellipsis">
-      External Secret Store with JWT Authentication
+      External secret store with JWT authentication
     </span>
     </span>
   </a>
   </a>
   
   
-    <nav class="md-nav" aria-label="External Secret Store with JWT Authentication">
+    <nav class="md-nav" aria-label="External secret store with JWT authentication">
       <ul class="md-nav__list">
       <ul class="md-nav__list">
         
         
           <li class="md-nav__item">
           <li class="md-nav__item">
-  <a href="#create-external-secret-store-definition_1" class="md-nav__link">
+  <a href="#step-1-define-an-external-secret-store" class="md-nav__link">
     <span class="md-ellipsis">
     <span class="md-ellipsis">
-      Create External Secret Store Definition
+      Step 1: Define an external secret store
     </span>
     </span>
   </a>
   </a>
   
   
 </li>
 </li>
         
         
-      </ul>
-    </nav>
+          <li class="md-nav__item">
+  <a href="#step-2-define-an-external-secret" class="md-nav__link">
+    <span class="md-ellipsis">
+      Step 2: Define an external secret
+    </span>
+  </a>
   
   
 </li>
 </li>
         
         
           <li class="md-nav__item">
           <li class="md-nav__item">
-  <a href="#create-external-secret-definition" class="md-nav__link">
+  <a href="#step-3-create-the-external-secrets-store" class="md-nav__link">
     <span class="md-ellipsis">
     <span class="md-ellipsis">
-      Create External Secret Definition
+      Step 3: Create the external secrets store
     </span>
     </span>
   </a>
   </a>
   
   
 </li>
 </li>
         
         
           <li class="md-nav__item">
           <li class="md-nav__item">
-  <a href="#create-the-external-secrets-store" class="md-nav__link">
+  <a href="#step-4-create-the-external-secret" class="md-nav__link">
     <span class="md-ellipsis">
     <span class="md-ellipsis">
-      Create the External Secrets Store
+      Step 4: Create the external secret
     </span>
     </span>
   </a>
   </a>
   
   
 </li>
 </li>
         
         
           <li class="md-nav__item">
           <li class="md-nav__item">
-  <a href="#create-the-external-secret" class="md-nav__link">
+  <a href="#step-5-get-the-k8s-secret" class="md-nav__link">
     <span class="md-ellipsis">
     <span class="md-ellipsis">
-      Create the External Secret
+      Step 5: Get the K8s secret
     </span>
     </span>
   </a>
   </a>
   
   
+</li>
+        
+      </ul>
+    </nav>
+  
 </li>
 </li>
         
         
           <li class="md-nav__item">
           <li class="md-nav__item">
-  <a href="#getting-the-k8s-secret" class="md-nav__link">
+  <a href="#see-also" class="md-nav__link">
     <span class="md-ellipsis">
     <span class="md-ellipsis">
-      Getting the K8S Secret
+      See also
     </span>
     </span>
   </a>
   </a>
   
   
 </li>
 </li>
         
         
           <li class="md-nav__item">
           <li class="md-nav__item">
-  <a href="#support" class="md-nav__link">
+  <a href="#license" class="md-nav__link">
     <span class="md-ellipsis">
     <span class="md-ellipsis">
-      Support
+      License
     </span>
     </span>
   </a>
   </a>
   
   
@@ -4096,27 +4114,21 @@
   <h1>CyberArk Conjur</h1>
   <h1>CyberArk Conjur</h1>
 
 
 <h2 id="conjur-provider">Conjur Provider</h2>
 <h2 id="conjur-provider">Conjur Provider</h2>
-<p>The following sections outline what is needed to get your external-secrets Conjur provider setup.</p>
-<h3 id="pre-requirements">Pre-requirements</h3>
-<p>This section contains the list of the pre-requirements before installing the Conjur Provider.</p>
+<p>This section describes how to set up the Conjur provider for External Secrets Operator (ESO). For a working example, see the <a href="https://github.com/conjurdemos/Accelerator-K8s-External-Secrets">Accelerator-K8s-External-Secrets repo</a>.</p>
+<h3 id="prerequisites">Prerequisites</h3>
+<p>Before installing the Conjur provider, you need:</p>
 <ul>
 <ul>
-<li>Running Conjur Server<ul>
-<li>These items will be needed in order to configure the secret-store<ul>
-<li>Conjur endpoint - include the scheme but no trailing '/', ex: https://myapi.example.com</li>
-<li>Conjur authentication info (hostid, apikey, jwt service id, etc)</li>
-<li>Conjur must be configured to support your authentication method (<code>apikey</code> is supported by default, <code>jwt</code> requires additional configuration)</li>
-<li>Certificate for Conjur server is OPTIONAL -- But, <strong>when using a self-signed cert when setting up your Conjur server, it is strongly recommended to populate "caBundle" with self-signed cert in the secret-store definition</strong></li>
-</ul>
-</li>
-</ul>
-</li>
-<li>Kubernetes cluster<ul>
-<li>External Secrets Operator is installed</li>
+<li>A running Conjur Server, with:<ul>
+<li>An accessible Conjur endpoint (for example: <code>https://myapi.example.com</code>).</li>
+<li>Your configured Conjur authentication info (such as <code>hostid</code>, <code>apikey</code>, or JWT service ID). For more information on configuring Conjur, see <a href="https://docs.cyberark.com/conjur-open-source/Latest/en/Content/Operations/Policy/policy-statement-ref.htm">Policy statement reference</a>.</li>
+<li>Support for your authentication method (<code>apikey</code> is supported by default, <code>jwt</code> requires additional configuration).</li>
+<li><strong>Optional</strong>: Conjur server certificate (see <a href="#conjur-server-certificate">below</a>).</li>
 </ul>
 </ul>
 </li>
 </li>
+<li>A Kubernetes cluster with ESO installed.</li>
 </ul>
 </ul>
-<h3 id="certificate-for-conjur-server">Certificate for Conjur server</h3>
-<p>When using a self-signed cert when setting up your Conjur server, it is strongly recommended to populate "caBundle" with self-signed cert in the secret-store definition. The certificate CA must be referenced on the secret-store definition using either a <code>caBundle</code> or <code>caProvider</code> as below:</p>
+<h3 id="conjur-server-certificate">Conjur server certificate</h3>
+<p>If you set up your Conjur server with a self-signed certificate, we recommend that you populate the <code>caBundle</code> field with the Conjur self-signed certificate in the secret-store definition. The certificate CA must be referenced in the secret-store definition using either <code>caBundle</code> or <code>caProvider</code>:</p>
 <div class="highlight"><pre><span></span><code><span class="l l-Scalar l-Scalar-Plain">....</span>
 <div class="highlight"><pre><span></span><code><span class="l l-Scalar l-Scalar-Plain">....</span>
 <span class="l l-Scalar l-Scalar-Plain">spec</span><span class="p p-Indicator">:</span>
 <span class="l l-Scalar l-Scalar-Plain">spec</span><span class="p p-Indicator">:</span>
 <span class="w">  </span><span class="nt">provider</span><span class="p">:</span>
 <span class="w">  </span><span class="nt">provider</span><span class="p">:</span>
@@ -4128,20 +4140,24 @@
 <span class="w">      </span><span class="nt">caBundle</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;&lt;base64</span><span class="nv"> </span><span class="s">encoded</span><span class="nv"> </span><span class="s">cabundle&gt;&quot;</span>
 <span class="w">      </span><span class="nt">caBundle</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;&lt;base64</span><span class="nv"> </span><span class="s">encoded</span><span class="nv"> </span><span class="s">cabundle&gt;&quot;</span>
 
 
 <span class="w">      </span><span class="c1"># [OPTIONAL] caProvider:</span>
 <span class="w">      </span><span class="c1"># [OPTIONAL] caProvider:</span>
-<span class="w">      </span><span class="c1"># Instead of caBundle you can also specify a caProvider</span>
-<span class="w">      </span><span class="c1"># this will retrieve the cert from a Secret or ConfigMap</span>
+<span class="w">      </span><span class="c1"># Instead of caBundle you can also specify a caProvider,</span>
+<span class="w">      </span><span class="c1"># which retrieves the cert from a Secret or ConfigMap</span>
 <span class="w">      </span><span class="nt">caProvider</span><span class="p">:</span>
 <span class="w">      </span><span class="nt">caProvider</span><span class="p">:</span>
 <span class="w">        </span><span class="nt">type</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;Secret&quot;</span><span class="w"> </span><span class="c1"># Can be Secret or ConfigMap</span>
 <span class="w">        </span><span class="nt">type</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;Secret&quot;</span><span class="w"> </span><span class="c1"># Can be Secret or ConfigMap</span>
 <span class="w">        </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;&lt;name</span><span class="nv"> </span><span class="s">of</span><span class="nv"> </span><span class="s">secret</span><span class="nv"> </span><span class="s">or</span><span class="nv"> </span><span class="s">configmap&gt;&quot;</span>
 <span class="w">        </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;&lt;name</span><span class="nv"> </span><span class="s">of</span><span class="nv"> </span><span class="s">secret</span><span class="nv"> </span><span class="s">or</span><span class="nv"> </span><span class="s">configmap&gt;&quot;</span>
 <span class="w">        </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;&lt;key</span><span class="nv"> </span><span class="s">inside</span><span class="nv"> </span><span class="s">secret</span><span class="nv"> </span><span class="s">or</span><span class="nv"> </span><span class="s">configmap&gt;&quot;</span>
 <span class="w">        </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;&lt;key</span><span class="nv"> </span><span class="s">inside</span><span class="nv"> </span><span class="s">secret</span><span class="nv"> </span><span class="s">or</span><span class="nv"> </span><span class="s">configmap&gt;&quot;</span>
-<span class="w">        </span><span class="c1"># namespace is mandatory for ClusterSecretStore and not relevant for SecretStore</span>
+<span class="w">        </span><span class="c1"># namespace is required for ClusterSecretStore</span>
+<span class="w">        </span><span class="c1"># but not relevant for SecretStore</span>
 <span class="w">        </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;my-cert-secret-namespace&quot;</span>
 <span class="w">        </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;my-cert-secret-namespace&quot;</span>
 <span class="w">  </span><span class="l l-Scalar l-Scalar-Plain">....</span>
 <span class="w">  </span><span class="l l-Scalar l-Scalar-Plain">....</span>
 </code></pre></div>
 </code></pre></div>
-<h3 id="external-secret-store-definition-with-apikey-authentication">External Secret Store Definition with ApiKey Authentication</h3>
-<p>This method uses a combination of the Conjur <code>hostid</code> and <code>apikey</code> to authenticate to Conjur. This method is the simplest to setup and use as your Conjur instance requires no special setup.</p>
-<h4 id="create-external-secret-store-definition">Create External Secret Store Definition</h4>
-<p>Recommend to save as filename: <code>conjur-secret-store.yaml</code></p>
+<h3 id="external-secret-store-with-apikey-authentication">External secret store with apiKey authentication</h3>
+<p>This method uses a Conjur <code>hostid</code> and <code>apikey</code> to authenticate with Conjur. It is the simplest method to set up and use because your Conjur instance requires no additional configuration.</p>
+<h4 id="step-1-create-an-external-secret-store">Step 1: Create an external secret store</h4>
+<div class="admonition tip">
+<p class="admonition-title">Tip</p>
+<p>Save as the file as: <code>conjur-secret-store.yaml</code></p>
+</div>
 <div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1beta1</span>
 <div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1beta1</span>
 <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SecretStore</span>
 <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SecretStore</span>
 <span class="nt">metadata</span><span class="p">:</span>
 <span class="nt">metadata</span><span class="p">:</span>
@@ -4164,29 +4180,37 @@
 <span class="w">            </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">conjur-creds</span>
 <span class="w">            </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">conjur-creds</span>
 <span class="w">            </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">apikey</span>
 <span class="w">            </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">apikey</span>
 </code></pre></div>
 </code></pre></div>
-<h4 id="create-kubernetes-secrets">Create Kubernetes Secrets</h4>
-<p>In order for the ESO <strong>Conjur</strong> provider to connect to the Conjur server using the <code>apikey</code> creds, these creds should be stored as k8s secrets.  Please refer to <a href="https://kubernetes.io/docs/concepts/configuration/secret/#creating-a-secret">https://kubernetes.io/docs/concepts/configuration/secret/#creating-a-secret</a> for various methods to create secrets.  Here is one way to do it using <code>kubectl</code></p>
-<p><strong><em>NOTE</em></strong>: "conjur-creds" is the "name" used in "userRef" and "apikeyRef" in the conjur-secret-store definition</p>
+<h4 id="step-2-create-kubernetes-secrets">Step 2: Create Kubernetes secrets</h4>
+<p>To connect to the Conjur server, the <strong>ESO Conjur provider</strong> needs to retrieve the <code>apikey</code> credentials from K8s secrets.</p>
+<div class="admonition note">
+<p class="admonition-title">Note</p>
+<p>For more information about how to create K8s secrets, see <a href="https://kubernetes.io/docs/concepts/configuration/secret/#creating-a-secret">Creating a secret</a>.</p>
+</div>
+<p>Here is an example of how to create K8s secrets using the <code>kubectl</code> command:</p>
 <div class="highlight"><pre><span></span><code><span class="c1"># This is all one line</span>
 <div class="highlight"><pre><span></span><code><span class="c1"># This is all one line</span>
 kubectl<span class="w"> </span>-n<span class="w"> </span>external-secrets<span class="w"> </span>create<span class="w"> </span>secret<span class="w"> </span>generic<span class="w"> </span>conjur-creds<span class="w"> </span>--from-literal<span class="o">=</span><span class="nv">hostid</span><span class="o">=</span>MYCONJURHOSTID<span class="w"> </span>--from-literal<span class="o">=</span><span class="nv">apikey</span><span class="o">=</span>MYAPIKEY
 kubectl<span class="w"> </span>-n<span class="w"> </span>external-secrets<span class="w"> </span>create<span class="w"> </span>secret<span class="w"> </span>generic<span class="w"> </span>conjur-creds<span class="w"> </span>--from-literal<span class="o">=</span><span class="nv">hostid</span><span class="o">=</span>MYCONJURHOSTID<span class="w"> </span>--from-literal<span class="o">=</span><span class="nv">apikey</span><span class="o">=</span>MYAPIKEY
 
 
 <span class="c1"># Example:</span>
 <span class="c1"># Example:</span>
 <span class="c1"># kubectl -n external-secrets create secret generic conjur-creds --from-literal=hostid=host/data/app1/host001 --from-literal=apikey=321blahblah</span>
 <span class="c1"># kubectl -n external-secrets create secret generic conjur-creds --from-literal=hostid=host/data/app1/host001 --from-literal=apikey=321blahblah</span>
 </code></pre></div>
 </code></pre></div>
-<h3 id="external-secret-store-with-jwt-authentication">External Secret Store with JWT Authentication</h3>
-<p>This method uses JWT tokens to authenticate with Conjur. The following methods for retrieving the JWT token for authentication are supported:</p>
+<div class="admonition note">
+<p class="admonition-title">Note</p>
+<p><code>conjur-creds</code> is the <code>name</code> defined in the <code>userRef</code> and <code>apikeyRef</code> fields of the <code>conjur-secret-store.yml</code> file.</p>
+</div>
+<h3 id="external-secret-store-with-jwt-authentication">External secret store with JWT authentication</h3>
+<p>This method uses JWT tokens to authenticate with Conjur. You can use the following methods to retrieve a JWT token for authentication:</p>
 <ul>
 <ul>
-<li>JWT token from a referenced Kubernetes Service Account</li>
+<li>JWT token from a referenced Kubernetes service account</li>
 <li>JWT token stored in a Kubernetes secret</li>
 <li>JWT token stored in a Kubernetes secret</li>
 </ul>
 </ul>
-<h4 id="create-external-secret-store-definition_1">Create External Secret Store Definition</h4>
-<p>When using JWT authentication the following must be specified in the <code>SecretStore</code>:</p>
+<h4 id="step-1-define-an-external-secret-store">Step 1: Define an external secret store</h4>
+<p>When you use JWT authentication, the following must be specified in the <code>SecretStore</code>:</p>
 <ul>
 <ul>
 <li><code>account</code> -  The name of the Conjur account</li>
 <li><code>account</code> -  The name of the Conjur account</li>
-<li><code>serviceId</code> - The ID of the JWT Authenticator <code>WebService</code> configured in Conjur that will be used to authenticate the JWT token</li>
+<li><code>serviceId</code> - The ID of the JWT Authenticator <code>WebService</code> configured in Conjur that is used to authenticate the JWT token</li>
 </ul>
 </ul>
-<p>You can then choose to either retrieve the JWT token using a Service Account reference or from a Kubernetes Secret.</p>
-<p>To use a JWT token from a referenced Kubernetes Service Account, the following secret store definition can be used:</p>
+<p>You can retrieve the JWT token from either a referenced service account or a Kubernetes secret.</p>
+<p>For example, to retrieve a JWT token from a referenced Kubernetes service account, the following secret store definition can be used:</p>
 <div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1beta1</span>
 <div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1beta1</span>
 <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SecretStore</span>
 <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SecretStore</span>
 <span class="nt">metadata</span><span class="p">:</span>
 <span class="nt">metadata</span><span class="p">:</span>
@@ -4202,14 +4226,20 @@ kubectl<span class="w"> </span>-n<span class="w"> </span>external-secrets<span c
 <span class="w">        </span><span class="nt">jwt</span><span class="p">:</span>
 <span class="w">        </span><span class="nt">jwt</span><span class="p">:</span>
 <span class="w">          </span><span class="c1"># conjur account</span>
 <span class="w">          </span><span class="c1"># conjur account</span>
 <span class="w">          </span><span class="nt">account</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">conjur</span>
 <span class="w">          </span><span class="nt">account</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">conjur</span>
-<span class="w">          </span><span class="nt">serviceID</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">my-jwt-auth-service</span><span class="w"> </span><span class="c1"># The authn-jwt service ID</span>
-<span class="w">          </span><span class="nt">serviceAccountRef</span><span class="p">:</span><span class="w"> </span><span class="c1"># Service account to retrieve JWT token for</span>
+<span class="w">          </span><span class="c1"># The authn-jwt service ID</span>
+<span class="w">          </span><span class="nt">serviceID</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">my-jwt-auth-service</span>
+<span class="w">          </span><span class="c1"># Service account to retrieve JWT token for</span>
+<span class="w">          </span><span class="nt">serviceAccountRef</span><span class="p">:</span>
 <span class="w">            </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">my-service-account</span>
 <span class="w">            </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">my-service-account</span>
-<span class="w">            </span><span class="nt">audiences</span><span class="p">:</span><span class="w">  </span><span class="c1"># [OPTIONAL] audiences to include in JWT token</span>
+<span class="w">            </span><span class="c1"># [OPTIONAL] audiences to include in JWT token</span>
+<span class="w">            </span><span class="nt">audiences</span><span class="p">:</span>
 <span class="w">              </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">https://conjur.company.com</span>
 <span class="w">              </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">https://conjur.company.com</span>
 </code></pre></div>
 </code></pre></div>
-<p>This is only supported in Kubernetes 1.22 and above as it uses the <a href="https://kubernetes.io/docs/reference/kubernetes-api/authentication-resources/token-request-v1/">TokenRequest API</a> to get the JWT token from the referenced service account. Audiences can be set as required by the <a href="https://docs.conjur.org/Latest/en/Content/Integrations/k8s-ocp/k8s-jwt-authn.htm">Conjur JWT authenticator</a>.</p>
-<p>Alternatively, a secret containing a valid JWT token can be referenced as follows:</p>
+<div class="admonition important">
+<p class="admonition-title">Important</p>
+<p>This method is only supported in Kubernetes 1.22 and above as it uses the <a href="https://kubernetes.io/docs/reference/kubernetes-api/authentication-resources/token-request-v1/">TokenRequest API</a> to get the JWT token from the referenced service account. Audiences can be defined in the <a href="https://docs.conjur.org/Latest/en/Content/Integrations/k8s-ocp/k8s-jwt-authn.htm">Conjur JWT authenticator</a>.</p>
+</div>
+<p>Alternatively, here is an example where a secret containing a valid JWT token is referenced:</p>
 <div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1beta1</span>
 <div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1beta1</span>
 <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SecretStore</span>
 <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SecretStore</span>
 <span class="nt">metadata</span><span class="p">:</span>
 <span class="nt">metadata</span><span class="p">:</span>
@@ -4225,18 +4255,20 @@ kubectl<span class="w"> </span>-n<span class="w"> </span>external-secrets<span c
 <span class="w">        </span><span class="nt">jwt</span><span class="p">:</span>
 <span class="w">        </span><span class="nt">jwt</span><span class="p">:</span>
 <span class="w">          </span><span class="c1"># conjur account</span>
 <span class="w">          </span><span class="c1"># conjur account</span>
 <span class="w">          </span><span class="nt">account</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">conjur</span>
 <span class="w">          </span><span class="nt">account</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">conjur</span>
-<span class="w">          </span><span class="nt">serviceID</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">my-jwt-auth-service</span><span class="w"> </span><span class="c1"># The authn-jwt service ID</span>
-<span class="w">          </span><span class="nt">secretRef</span><span class="p">:</span><span class="w"> </span><span class="c1"># Secret containing a valid JWT token</span>
+<span class="w">          </span><span class="c1"># The authn-jwt service ID</span>
+<span class="w">          </span><span class="nt">serviceID</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">my-jwt-auth-service</span>
+<span class="w">          </span><span class="c1"># Secret containing a valid JWT token</span>
+<span class="w">          </span><span class="nt">secretRef</span><span class="p">:</span>
 <span class="w">            </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">my-jwt-secret</span>
 <span class="w">            </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">my-jwt-secret</span>
 <span class="w">            </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">token</span>
 <span class="w">            </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">token</span>
 </code></pre></div>
 </code></pre></div>
-<p>This secret must contain a JWT token that identifies your Conjur host. The secret must contain a JWT token consumable by a configured Conjur JWT authenticator and must satisfy all <a href="https://docs.conjur.org/Latest/en/Content/Operations/Services/cjr-authn-jwt-guidelines.htm#Best">Conjur JWT guidelines</a>. This can be a JWT created by an external JWT issuer or the Kubernetes api server itself. Such a with Kubernetes Service Account token can be created using the below command:</p>
+<p>The JWT token must identify your Conjur host, be compatible with your configured Conjur JWT authenticator, and meet all the <a href="https://docs.conjur.org/Latest/en/Content/Operations/Services/cjr-authn-jwt-guidelines.htm#Best">Conjur JWT guidelines</a>.</p>
+<p>You can use an external JWT issuer or the Kubernetes API server to create the token. For example, a Kubernetes service account token can be created with this command:</p>
 <div class="highlight"><pre><span></span><code>kubectl<span class="w"> </span>create<span class="w"> </span>token<span class="w"> </span>my-service-account<span class="w"> </span>--audience<span class="o">=</span><span class="s1">&#39;https://conjur.company.com&#39;</span><span class="w"> </span>--duration<span class="o">=</span>3600s
 <div class="highlight"><pre><span></span><code>kubectl<span class="w"> </span>create<span class="w"> </span>token<span class="w"> </span>my-service-account<span class="w"> </span>--audience<span class="o">=</span><span class="s1">&#39;https://conjur.company.com&#39;</span><span class="w"> </span>--duration<span class="o">=</span>3600s
 </code></pre></div>
 </code></pre></div>
-<p>Save the <code>SecretStore</code> definition as filename <code>conjur-secret-store.yaml</code> as referenced in later steps.</p>
-<h3 id="create-external-secret-definition">Create External Secret Definition</h3>
-<p>Important note: <strong>Creds must live in the same namespace as a SecretStore  - the secret store may only reference secrets from the same namespace.</strong>  When using a ClusterSecretStore this limitation is lifted and the creds can live in any namespace.</p>
-<p>Recommend to save as filename: <code>conjur-external-secret.yaml</code></p>
+<p>Save the secret store file as <code>conjur-secret-store.yaml</code> (the filename used in subsequent steps).</p>
+<h4 id="step-2-define-an-external-secret">Step 2: Define an external secret</h4>
+<p>Save the external secret file as: <code>conjur-external-secret.yaml</code></p>
 <div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1beta1</span>
 <div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1beta1</span>
 <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ExternalSecret</span>
 <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ExternalSecret</span>
 <span class="nt">metadata</span><span class="p">:</span>
 <span class="nt">metadata</span><span class="p">:</span>
@@ -4252,8 +4284,12 @@ kubectl<span class="w"> </span>-n<span class="w"> </span>external-secrets<span c
 <span class="w">    </span><span class="nt">remoteRef</span><span class="p">:</span>
 <span class="w">    </span><span class="nt">remoteRef</span><span class="p">:</span>
 <span class="w">      </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">data/app1/secret00</span>
 <span class="w">      </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">data/app1/secret00</span>
 </code></pre></div>
 </code></pre></div>
-<h3 id="create-the-external-secrets-store">Create the External Secrets Store</h3>
-<div class="highlight"><pre><span></span><code><span class="c1"># WARNING: this will create the store configuration in the &quot;external-secrets&quot; namespace, adjust this to your own situation</span>
+<div class="admonition important">
+<p class="admonition-title">Important</p>
+<p>Unless you are using a <a href="../../api/clustersecretstore/">ClusterSecretStore</a>, credentials must reside in the same namespace as the SecretStore.</p>
+</div>
+<h4 id="step-3-create-the-external-secrets-store">Step 3: Create the external secrets store</h4>
+<div class="highlight"><pre><span></span><code><span class="c1"># WARNING: creates the store in the &quot;external-secrets&quot; namespace, update the value as needed</span>
 <span class="c1">#</span>
 <span class="c1">#</span>
 kubectl<span class="w"> </span>apply<span class="w"> </span>-n<span class="w"> </span>external-secrets<span class="w"> </span>-f<span class="w"> </span>conjur-secret-store.yaml
 kubectl<span class="w"> </span>apply<span class="w"> </span>-n<span class="w"> </span>external-secrets<span class="w"> </span>-f<span class="w"> </span>conjur-secret-store.yaml
 
 
@@ -4262,8 +4298,8 @@ kubectl<span class="w"> </span>apply<span class="w"> </span>-n<span class="w"> <
 <span class="c1"># If there is a need to delete the external secretstore</span>
 <span class="c1"># If there is a need to delete the external secretstore</span>
 <span class="c1"># kubectl delete secretstore -n external-secrets conjur</span>
 <span class="c1"># kubectl delete secretstore -n external-secrets conjur</span>
 </code></pre></div>
 </code></pre></div>
-<h3 id="create-the-external-secret">Create the External Secret</h3>
-<div class="highlight"><pre><span></span><code><span class="c1"># WARNING: this will create the external-secret configuration in the &quot;external-secrets&quot; namespace, adjust this to your own situation</span>
+<h4 id="step-4-create-the-external-secret">Step 4: Create the external secret</h4>
+<div class="highlight"><pre><span></span><code><span class="c1"># WARNING: creates the external-secret in the &quot;external-secrets&quot; namespace, update the value as needed</span>
 <span class="c1">#</span>
 <span class="c1">#</span>
 kubectl<span class="w"> </span>apply<span class="w"> </span>-n<span class="w"> </span>external-secrets<span class="w"> </span>-f<span class="w"> </span>conjur-external-secret.yaml
 kubectl<span class="w"> </span>apply<span class="w"> </span>-n<span class="w"> </span>external-secrets<span class="w"> </span>-f<span class="w"> </span>conjur-external-secret.yaml
 
 
@@ -4272,17 +4308,22 @@ kubectl<span class="w"> </span>apply<span class="w"> </span>-n<span class="w"> <
 <span class="c1"># If there is a need to delete the external secret</span>
 <span class="c1"># If there is a need to delete the external secret</span>
 <span class="c1"># kubectl delete externalsecret -n external-secrets conjur</span>
 <span class="c1"># kubectl delete externalsecret -n external-secrets conjur</span>
 </code></pre></div>
 </code></pre></div>
-<h3 id="getting-the-k8s-secret">Getting the K8S Secret</h3>
+<h4 id="step-5-get-the-k8s-secret">Step 5: Get the K8s secret</h4>
 <ul>
 <ul>
-<li>Login to your Conjur server and verify that your secret exists</li>
-<li>Review the value of your Kubernetes secret to see that it contains the same value from Conjur</li>
+<li>Log in to your Conjur server and verify that your secret exists</li>
+<li>Review the value of your Kubernetes secret to verify that it contains the same value as the Conjur server</li>
 </ul>
 </ul>
 <div class="highlight"><pre><span></span><code><span class="c1"># WARNING: this command will reveal the stored secret in plain text</span>
 <div class="highlight"><pre><span></span><code><span class="c1"># WARNING: this command will reveal the stored secret in plain text</span>
 <span class="c1">#</span>
 <span class="c1">#</span>
 <span class="c1"># Assuming the secret name is &quot;secret00&quot;, this will show the value</span>
 <span class="c1"># Assuming the secret name is &quot;secret00&quot;, this will show the value</span>
 kubectl<span class="w"> </span>get<span class="w"> </span>secret<span class="w"> </span>-n<span class="w"> </span>external-secrets<span class="w"> </span>conjur<span class="w"> </span>-o<span class="w"> </span><span class="nv">jsonpath</span><span class="o">=</span><span class="s2">&quot;{.data.secret00}&quot;</span><span class="w">  </span><span class="p">|</span><span class="w"> </span>base64<span class="w"> </span>--decode<span class="w"> </span><span class="o">&amp;&amp;</span><span class="w"> </span><span class="nb">echo</span>
 kubectl<span class="w"> </span>get<span class="w"> </span>secret<span class="w"> </span>-n<span class="w"> </span>external-secrets<span class="w"> </span>conjur<span class="w"> </span>-o<span class="w"> </span><span class="nv">jsonpath</span><span class="o">=</span><span class="s2">&quot;{.data.secret00}&quot;</span><span class="w">  </span><span class="p">|</span><span class="w"> </span>base64<span class="w"> </span>--decode<span class="w"> </span><span class="o">&amp;&amp;</span><span class="w"> </span><span class="nb">echo</span>
 </code></pre></div>
 </code></pre></div>
-<h3 id="support">Support</h3>
+<h3 id="see-also">See also</h3>
+<ul>
+<li><a href="https://github.com/conjurdemos/Accelerator-K8s-External-Secrets">Accelerator-K8s-External-Secrets repo</a></li>
+<li><a href="https://docs.cyberark.com/conjur-open-source/Latest/en/Content/Operations/Services/cjr-authn-jwt-guidelines.htm">Configure Conjur JWT authentication</a></li>
+</ul>
+<h3 id="license">License</h3>
 <p>Copyright (c) 2023 CyberArk Software Ltd. All rights reserved.</p>
 <p>Copyright (c) 2023 CyberArk Software Ltd. All rights reserved.</p>
 <p>Licensed under the Apache License, Version 2.0 (the "License");
 <p>Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 you may not use this file except in compliance with the License.

File diff suppressed because it is too large
+ 0 - 0
main/search/search_index.json


BIN
main/sitemap.xml.gz


+ 4 - 3
main/snippets/conjur-ca-bundle.yaml

@@ -9,12 +9,13 @@ spec:
       caBundle: "<base64 encoded cabundle>"
       caBundle: "<base64 encoded cabundle>"
 
 
       # [OPTIONAL] caProvider:
       # [OPTIONAL] caProvider:
-      # Instead of caBundle you can also specify a caProvider
-      # this will retrieve the cert from a Secret or ConfigMap
+      # Instead of caBundle you can also specify a caProvider,
+      # which retrieves the cert from a Secret or ConfigMap
       caProvider:
       caProvider:
         type: "Secret" # Can be Secret or ConfigMap
         type: "Secret" # Can be Secret or ConfigMap
         name: "<name of secret or configmap>"
         name: "<name of secret or configmap>"
         key: "<key inside secret or configmap>"
         key: "<key inside secret or configmap>"
-        # namespace is mandatory for ClusterSecretStore and not relevant for SecretStore
+        # namespace is required for ClusterSecretStore
+        # but not relevant for SecretStore
         namespace: "my-cert-secret-namespace"
         namespace: "my-cert-secret-namespace"
   ....
   ....

+ 4 - 2
main/snippets/conjur-secret-store-jwt-secret-ref.yaml

@@ -13,7 +13,9 @@ spec:
         jwt:
         jwt:
           # conjur account
           # conjur account
           account: conjur
           account: conjur
-          serviceID: my-jwt-auth-service # The authn-jwt service ID
-          secretRef: # Secret containing a valid JWT token
+          # The authn-jwt service ID
+          serviceID: my-jwt-auth-service
+          # Secret containing a valid JWT token
+          secretRef:
             name: my-jwt-secret
             name: my-jwt-secret
             key: token
             key: token

+ 6 - 3
main/snippets/conjur-secret-store-jwt-service-account-ref.yaml

@@ -13,9 +13,12 @@ spec:
         jwt:
         jwt:
           # conjur account
           # conjur account
           account: conjur
           account: conjur
-          serviceID: my-jwt-auth-service # The authn-jwt service ID
-          serviceAccountRef: # Service account to retrieve JWT token for
+          # The authn-jwt service ID
+          serviceID: my-jwt-auth-service
+          # Service account to retrieve JWT token for
+          serviceAccountRef:
             name: my-service-account
             name: my-service-account
-            audiences:  # [OPTIONAL] audiences to include in JWT token
+            # [OPTIONAL] audiences to include in JWT token
+            audiences:
               - https://conjur.company.com
               - https://conjur.company.com
 
 

Some files were not shown because too many files changed in this diff