
Deployed 78899a891 to main with MkDocs 1.6.1 and mike 1.2.0.dev0

Skarlso, 2 months ago
Parent commit 343c7f0d8f

+ 45 - 1
main/provider/hashicorp-vault/index.html

@@ -6129,7 +6129,51 @@ or <code>Kind=ClusterSecretStore</code> resource.</p>
 set of AWS Programmatic access credentials stored in a <code>Kind=Secret</code> and referenced by the
 <code>secretRef</code> or by getting the authentication token from an <a href="https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html">IRSA</a> enabled service account</p>
 <h4 id="tls-certificates-authentication">TLS certificates authentication</h4>
-<p><a href="https://developer.hashicorp.com/vault/docs/auth/cert">TLS certificates auth method</a>  allows authentication using SSL/TLS client certificates which are either signed by a CA or self-signed. SSL/TLS client certificates are defined as having an ExtKeyUsage extension with the usage set to either ClientAuth or Any.</p>
+<p><a href="https://developer.hashicorp.com/vault/docs/auth/cert">TLS certificates auth method</a> allows authentication using SSL/TLS client certificates which are either signed by a CA or self-signed. SSL/TLS client certificates are defined as having an ExtKeyUsage extension with the usage set to either ClientAuth or Any.</p>
+<p>To use TLS certificate authentication, create a <code>kubernetes.io/tls</code> Secret containing the client certificate and private key, then reference it in the SecretStore. The Secret keys must be <code>tls.crt</code> and <code>tls.key</code>. If your Vault server uses a custom or private CA, also configure <code>caProvider</code> or <code>caBundle</code> so that ESO can verify the server certificate.</p>
+<div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">v1</span>
+<span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Secret</span>
+<span class="nt">metadata</span><span class="p">:</span>
+<span class="w">  </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">vault-tls-cert</span>
+<span class="w">  </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets</span>
+<span class="nt">type</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">kubernetes.io/tls</span>
+<span class="nt">stringData</span><span class="p">:</span>
+<span class="w">  </span><span class="nt">tls.crt</span><span class="p">:</span><span class="w"> </span><span class="p p-Indicator">|</span>
+<span class="w">    </span><span class="no">-----BEGIN CERTIFICATE-----</span>
+<span class="w">    </span><span class="no">&lt;your-client-certificate&gt;</span>
+<span class="w">    </span><span class="no">-----END CERTIFICATE-----</span>
+<span class="w">  </span><span class="nt">tls.key</span><span class="p">:</span><span class="w"> </span><span class="p p-Indicator">|</span>
+<span class="w">    </span><span class="no">-----BEGIN PRIVATE KEY-----</span>
+<span class="w">    </span><span class="no">&lt;your-client-private-key&gt;</span>
+<span class="w">    </span><span class="no">-----END PRIVATE KEY-----</span>
+<span class="nn">---</span>
+<span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1</span>
+<span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ClusterSecretStore</span>
+<span class="nt">metadata</span><span class="p">:</span>
+<span class="w">  </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">vault-cert-auth</span>
+<span class="nt">spec</span><span class="p">:</span>
+<span class="w">  </span><span class="nt">provider</span><span class="p">:</span>
+<span class="w">    </span><span class="nt">vault</span><span class="p">:</span>
+<span class="w">      </span><span class="nt">server</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;https://vault.example.com&quot;</span>
+<span class="w">      </span><span class="nt">path</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;secret&quot;</span>
+<span class="w">      </span><span class="nt">version</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;v2&quot;</span>
+<span class="w">      </span><span class="nt">caProvider</span><span class="p">:</span>
+<span class="w">        </span><span class="nt">type</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;ConfigMap&quot;</span>
+<span class="w">        </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;external-secrets&quot;</span>
+<span class="w">        </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;vault-ca-bundle&quot;</span>
+<span class="w">        </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;ca.crt&quot;</span>
+<span class="w">      </span><span class="nt">auth</span><span class="p">:</span>
+<span class="w">        </span><span class="nt">cert</span><span class="p">:</span>
+<span class="w">          </span><span class="nt">clientCert</span><span class="p">:</span>
+<span class="w">            </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">vault-tls-cert</span>
+<span class="w">            </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;external-secrets&quot;</span>
+<span class="w">            </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">tls.crt</span>
+<span class="w">          </span><span class="nt">secretRef</span><span class="p">:</span>
+<span class="w">            </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">vault-tls-cert</span>
+<span class="w">            </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;external-secrets&quot;</span>
+<span class="w">            </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">tls.key</span>
+</code></pre></div>
+<p><strong>NOTE:</strong> For a <code>ClusterSecretStore</code>, you must specify <code>namespace</code> in both <code>clientCert</code> and <code>secretRef</code> to indicate where the TLS Secret resides.</p>
 <h3 id="mutual-authentication-mtls">Mutual authentication (mTLS)</h3>
 <p>Under specific compliance requirements, the Vault server can be set up to enforce mutual authentication from clients across all APIs by configuring the server with <code>tls_require_and_verify_client_cert = true</code>. This configuration differs fundamentally from the <a href="#tls-certificates-authentication">TLS certificates auth method</a>. While the TLS certificates auth method allows the issuance of a Vault token through the <code>/v1/auth/cert/login</code> API, the mTLS configuration solely focuses on TLS transport layer authentication and lacks any authorization-related capabilities. It's important to note that the Vault token must still be included in the request, following any of the supported authentication methods mentioned earlier.</p>
 <div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1</span>
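Review bot: the new paragraph tells the reader to configure `caProvider` or `caBundle`, but the example that follows shows only the `caProvider` (ConfigMap) form, so a reader holding an inline CA PEM has no hint where `caBundle` would go; either drop the mention of `caBundle` here or add a short sentence saying it is the inline alternative to the ConfigMap reference. The only edit to the pre-existing auth-method paragraph is collapsing the double space after `</a>`, which is fine but is not mentioned in the commit message and so reads as a content change at first glance. The `stringData` block ships a placeholder private key (`<your-client-private-key>`); a sentence next to the NOTE reminding the reader that the real key material should be created from a file (or sealed/encrypted) rather than committed in a manifest would be a cheap addition, given that this is the one place on the page where a private key appears inline. Finally, this rendered HTML duplicates the new `main/snippets/vault-cert-store.yaml` byte for byte; if the site build inlines the snippet, future edits should go to the snippet only, and it would help to say so in the commit message.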

Diff file dropped because it is too large
+ 0 - 0
main/search/search_index.json


+ 41 - 0
main/snippets/vault-cert-store.yaml

@@ -0,0 +1,41 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: vault-tls-cert
+  namespace: external-secrets
+type: kubernetes.io/tls
+stringData:
+  tls.crt: |
+    -----BEGIN CERTIFICATE-----
+    <your-client-certificate>
+    -----END CERTIFICATE-----
+  tls.key: |
+    -----BEGIN PRIVATE KEY-----
+    <your-client-private-key>
+    -----END PRIVATE KEY-----
+---
+apiVersion: external-secrets.io/v1
+kind: ClusterSecretStore
+metadata:
+  name: vault-cert-auth
+spec:
+  provider:
+    vault:
+      server: "https://vault.example.com"
+      path: "secret"
+      version: "v2"
+      caProvider:
+        type: "ConfigMap"
+        namespace: "external-secrets"
+        name: "vault-ca-bundle"
+        key: "ca.crt"
+      auth:
+        cert:
+          clientCert:
+            name: vault-tls-cert
+            namespace: "external-secrets"
+            key: tls.crt
+          secretRef:
+            name: vault-tls-cert
+            namespace: "external-secrets"
+            key: tls.key
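Review bot: quoting is inconsistent within the same manifest: `name: vault-tls-cert` and `key: tls.crt` are unquoted while `namespace: "external-secrets"`, `server: "https://vault.example.com"` and `path: "secret"` are quoted; since this snippet is meant to be copied verbatim, pick one style (unquoted scalars are fine for all of these) so readers do not wonder whether the quotes carry meaning. The companion HTML hunk states that the client certificate must carry an ExtKeyUsage of ClientAuth or Any, but nothing in this file says so; a one-line `#` comment above `tls.crt` (for example, `# must have ExtKeyUsage ClientAuth`) would save a failed `/v1/auth/cert/login` for anyone who pastes in a server certificate by mistake. Both `clientCert` and `secretRef` point at the same Secret and namespace, which is the intended layout for a `kubernetes.io/tls` Secret, so a comment noting that the two references differ only in `key` would make that pairing explicit.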

Some files were not shown because too many files changed in this diff