
Deployed dfb816dac to main with MkDocs 1.6.1 and mike 2.2.0

alekc 1 день назад
Родитель
Сommit
4c4de2fefa

+ 2 - 2
main/introduction/stability-support/index.html

@@ -5719,12 +5719,12 @@ As of version 0.14.x , this is the only kubernetes version that we will guarante
 </tr>
 <tr>
 <td>Beyondtrust</td>
-<td style="text-align: center;">x</td>
 <td style="text-align: center;"></td>
 <td style="text-align: center;"></td>
 <td style="text-align: center;"></td>
-<td style="text-align: center;">x</td>
 <td style="text-align: center;"></td>
+<td style="text-align: center;">x</td>
+<td style="text-align: center;">x</td>
 <td style="text-align: center;"></td>
 </tr>
 <tr>

+ 76 - 77
main/provider/beyondtrust/index.html

@@ -3031,6 +3031,8 @@
       <input class="md-nav__toggle md-toggle" type="checkbox" id="__toc">
       
       
+        
+      
       
         <label class="md-nav__link md-nav__link--active" for="__toc">
           
@@ -3073,6 +3075,8 @@
   
   
   
+    
+  
   
     <label class="md-nav__title" for="__toc">
       <span class="md-nav__icon md-icon"></span>
@@ -3081,18 +3085,6 @@
     <ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
       
         <li class="md-nav__item">
-  <a href="#beyondtrust-password-safe" class="md-nav__link">
-    <span class="md-ellipsis">
-      
-        BeyondTrust Password Safe
-      
-    </span>
-  </a>
-  
-    <nav class="md-nav" aria-label="BeyondTrust Password Safe">
-      <ul class="md-nav__list">
-        
-          <li class="md-nav__item">
   <a href="#prerequisites" class="md-nav__link">
     <span class="md-ellipsis">
       
@@ -3102,8 +3094,8 @@
   </a>
   
 </li>
-        
-          <li class="md-nav__item">
+      
+        <li class="md-nav__item">
   <a href="#authentication" class="md-nav__link">
     <span class="md-ellipsis">
       
@@ -3113,8 +3105,8 @@
   </a>
   
 </li>
-        
-          <li class="md-nav__item">
+      
+        <li class="md-nav__item">
   <a href="#client-certificate" class="md-nav__link">
     <span class="md-ellipsis">
       
@@ -3124,8 +3116,8 @@
   </a>
   
 </li>
-        
-          <li class="md-nav__item">
+      
+        <li class="md-nav__item">
   <a href="#creating-a-secretstore" class="md-nav__link">
     <span class="md-ellipsis">
       
@@ -3135,8 +3127,8 @@
   </a>
   
 </li>
-        
-          <li class="md-nav__item">
+      
+        <li class="md-nav__item">
   <a href="#creating-an-externalsecret" class="md-nav__link">
     <span class="md-ellipsis">
       
@@ -3146,8 +3138,8 @@
   </a>
   
 </li>
-        
-          <li class="md-nav__item">
+      
+        <li class="md-nav__item">
   <a href="#get-the-k8s-secret" class="md-nav__link">
     <span class="md-ellipsis">
       
@@ -3157,8 +3149,8 @@
   </a>
   
 </li>
-        
-          <li class="md-nav__item">
+      
+        <li class="md-nav__item">
   <a href="#creating-a-secret" class="md-nav__link">
     <span class="md-ellipsis">
       
@@ -3168,8 +3160,8 @@
   </a>
   
 </li>
-        
-          <li class="md-nav__item">
+      
+        <li class="md-nav__item">
   <a href="#creating-an-clustersecretstore" class="md-nav__link">
     <span class="md-ellipsis">
       
@@ -3179,8 +3171,8 @@
   </a>
   
 </li>
-        
-          <li class="md-nav__item">
+      
+        <li class="md-nav__item">
   <a href="#creating-an-pushsecret" class="md-nav__link">
     <span class="md-ellipsis">
       
@@ -3190,9 +3182,15 @@
   </a>
   
 </li>
-        
-      </ul>
-    </nav>
+      
+        <li class="md-nav__item">
+  <a href="#limitations" class="md-nav__link">
+    <span class="md-ellipsis">
+      
+        Limitations
+      
+    </span>
+  </a>
   
 </li>
       
@@ -5023,6 +5021,8 @@
   
   
   
+    
+  
   
     <label class="md-nav__title" for="__toc">
       <span class="md-nav__icon md-icon"></span>
@@ -5031,18 +5031,6 @@
     <ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
       
         <li class="md-nav__item">
-  <a href="#beyondtrust-password-safe" class="md-nav__link">
-    <span class="md-ellipsis">
-      
-        BeyondTrust Password Safe
-      
-    </span>
-  </a>
-  
-    <nav class="md-nav" aria-label="BeyondTrust Password Safe">
-      <ul class="md-nav__list">
-        
-          <li class="md-nav__item">
   <a href="#prerequisites" class="md-nav__link">
     <span class="md-ellipsis">
       
@@ -5052,8 +5040,8 @@
   </a>
   
 </li>
-        
-          <li class="md-nav__item">
+      
+        <li class="md-nav__item">
   <a href="#authentication" class="md-nav__link">
     <span class="md-ellipsis">
       
@@ -5063,8 +5051,8 @@
   </a>
   
 </li>
-        
-          <li class="md-nav__item">
+      
+        <li class="md-nav__item">
   <a href="#client-certificate" class="md-nav__link">
     <span class="md-ellipsis">
       
@@ -5074,8 +5062,8 @@
   </a>
   
 </li>
-        
-          <li class="md-nav__item">
+      
+        <li class="md-nav__item">
   <a href="#creating-a-secretstore" class="md-nav__link">
     <span class="md-ellipsis">
       
@@ -5085,8 +5073,8 @@
   </a>
   
 </li>
-        
-          <li class="md-nav__item">
+      
+        <li class="md-nav__item">
   <a href="#creating-an-externalsecret" class="md-nav__link">
     <span class="md-ellipsis">
       
@@ -5096,8 +5084,8 @@
   </a>
   
 </li>
-        
-          <li class="md-nav__item">
+      
+        <li class="md-nav__item">
   <a href="#get-the-k8s-secret" class="md-nav__link">
     <span class="md-ellipsis">
       
@@ -5107,8 +5095,8 @@
   </a>
   
 </li>
-        
-          <li class="md-nav__item">
+      
+        <li class="md-nav__item">
   <a href="#creating-a-secret" class="md-nav__link">
     <span class="md-ellipsis">
       
@@ -5118,8 +5106,8 @@
   </a>
   
 </li>
-        
-          <li class="md-nav__item">
+      
+        <li class="md-nav__item">
   <a href="#creating-an-clustersecretstore" class="md-nav__link">
     <span class="md-ellipsis">
       
@@ -5129,8 +5117,8 @@
   </a>
   
 </li>
-        
-          <li class="md-nav__item">
+      
+        <li class="md-nav__item">
   <a href="#creating-an-pushsecret" class="md-nav__link">
     <span class="md-ellipsis">
       
@@ -5140,9 +5128,15 @@
   </a>
   
 </li>
-        
-      </ul>
-    </nav>
+      
+        <li class="md-nav__item">
+  <a href="#limitations" class="md-nav__link">
+    <span class="md-ellipsis">
+      
+        Limitations
+      
+    </span>
+  </a>
   
 </li>
       
@@ -5166,16 +5160,14 @@
   
 
 
-  <h1>BeyondTrust</h1>
-
-<h2 id="beyondtrust-password-safe">BeyondTrust Password Safe</h2>
+<h1 id="beyondtrust-password-safe">BeyondTrust Password Safe</h1>
 <p>External Secrets Operator integrates with <a href="https://www.beyondtrust.com/docs/beyondinsight-password-safe/">BeyondTrust Password Safe</a>.</p>
 <p>Warning: The External Secrets Operator secure usage involves taking several measures. Please see <a href="https://external-secrets.io/latest/guides/security-best-practices/">Security Best Practices</a> for more information.</p>
 <p>Warning: If the BT provider secret is deleted it will still exist in the Kubernetes secrets.</p>
-<h3 id="prerequisites">Prerequisites</h3>
+<h2 id="prerequisites">Prerequisites</h2>
 <p>The BT provider supports retrieval of a secret from BeyondInsight/Password Safe versions 23.1 or greater.</p>
 <p>For this provider to retrieve a secret the Password Safe/Secrets Safe instance must be preconfigured with the secret in question and authorized to read it.</p>
-<h3 id="authentication">Authentication</h3>
+<h2 id="authentication">Authentication</h2>
 <p>BeyondTrust <a href="https://www.beyondtrust.com/docs/beyondinsight-password-safe/ps/admin/configure-api-registration.htm">OAuth Authentication</a>.</p>
 <ol>
 <li>Create an API access registration in BeyondInsight</li>
@@ -5195,7 +5187,7 @@ kubectl<span class="w"> </span>create<span class="w"> </span>secret<span class="
 <p>If you're using API Key authentication:
 <div class="highlight"><pre><span></span><code>kubectl<span class="w"> </span>create<span class="w"> </span>secret<span class="w"> </span>generic<span class="w"> </span>bt-apikey<span class="w"> </span>--from-literal<span class="w"> </span><span class="nv">ApiKey</span><span class="o">=</span><span class="s2">&quot;&lt;your apikey&gt;&quot;</span>
 </code></pre></div></p>
-<h3 id="client-certificate">Client Certificate</h3>
+<h2 id="client-certificate">Client Certificate</h2>
 <p>If using <code>retrievalType: MANAGED_ACCOUNT</code>, you will also need to download the pfx certificate from Secrets Safe, extract that certificate and create two Kubernetes secrets.</p>
 <div class="highlight"><pre><span></span><code>openssl<span class="w"> </span>pkcs12<span class="w"> </span>-in<span class="w"> </span>client_certificate.pfx<span class="w"> </span>-nocerts<span class="w"> </span>-out<span class="w"> </span>ps_key.pem<span class="w"> </span>-nodes
 openssl<span class="w"> </span>pkcs12<span class="w"> </span>-in<span class="w"> </span>client_certificate.pfx<span class="w"> </span>-clcerts<span class="w"> </span>-nokeys<span class="w"> </span>-out<span class="w"> </span>ps_cert.pem
@@ -5213,7 +5205,7 @@ openssl<span class="w"> </span>pkcs12<span class="w"> </span>-in<span class="w">
 kubectl<span class="w"> </span>create<span class="w"> </span>secret<span class="w"> </span>generic<span class="w"> </span>bt-certificate<span class="w"> </span>--from-file<span class="o">=</span><span class="nv">ClientCertificate</span><span class="o">=</span>./ps_cert.pem
 kubectl<span class="w"> </span>create<span class="w"> </span>secret<span class="w"> </span>generic<span class="w"> </span>bt-certificatekey<span class="w"> </span>--from-file<span class="o">=</span><span class="nv">ClientCertificateKey</span><span class="o">=</span>./ps_key.pem
 </code></pre></div>
-<h3 id="creating-a-secretstore">Creating a SecretStore</h3>
+<h2 id="creating-a-secretstore">Creating a SecretStore</h2>
 <p>You can follow the below example to create a <code>SecretStore</code> resource.
 You can also use a <code>ClusterSecretStore</code> allowing you to reference secrets from all namespaces. <a href="https://external-secrets.io/latest/api/clustersecretstore/">ClusterSecretStore</a></p>
 <div class="highlight"><pre><span></span><code>kubectl<span class="w"> </span>apply<span class="w"> </span>-f<span class="w"> </span>secret-store.yml
@@ -5226,8 +5218,10 @@ You can also use a <code>ClusterSecretStore</code> allowing you to reference sec
 <span class="w">  </span><span class="nt">provider</span><span class="p">:</span>
 <span class="w">    </span><span class="nt">beyondtrust</span><span class="p">:</span>
 <span class="w">      </span><span class="nt">server</span><span class="p">:</span>
-<span class="w">        </span><span class="nt">apiUrl</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">https://example.com:443/BeyondTrust/api/public/v3/</span>
+<span class="w">        </span><span class="nt">apiUrl</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">https://example.com/BeyondTrust/api/public/v3/</span>
 <span class="w">        </span><span class="nt">retrievalType</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">MANAGED_ACCOUNT</span><span class="w">  </span><span class="c1"># or SECRET</span>
+<span class="w">        </span><span class="nt">separator</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;/&quot;</span><span class="w"> </span><span class="c1"># folder separator used to split remoteRef.key paths; defaults to &quot;/&quot;</span>
+<span class="w">        </span><span class="nt">decrypt</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">true</span><span class="w"> </span><span class="c1"># SECRET retrievalType only: when false the password field is omitted; defaults to true</span>
 <span class="w">        </span><span class="nt">verifyCA</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">true</span>
 <span class="w">        </span><span class="nt">clientTimeOutSeconds</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">45</span>
 <span class="w">        </span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;3.0&quot;</span><span class="w"> </span><span class="c1"># The recommended version is 3.1. If no version is specified, the default API version 3.0 will be used.</span>
@@ -5253,9 +5247,10 @@ You can also use a <code>ClusterSecretStore</code> allowing you to reference sec
 <span class="w">            </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">bt-apikey</span>
 <span class="w">            </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ApiKey</span>
 </code></pre></div>
-<h3 id="creating-an-externalsecret">Creating an ExternalSecret</h3>
+<h2 id="creating-an-externalsecret">Creating an ExternalSecret</h2>
 <p>You can follow the below example to create a <code>ExternalSecret</code> resource. Secrets can be referenced by path.
 You can also use a <code>ClusterExternalSecret</code> allowing you to reference secrets from all namespaces.</p>
+<p><code>remoteRef.key</code> is the secret or managed-account path. Path segments are joined by the <code>separator</code> configured on the store (default <code>/</code>), for example <code>system01/managed_account01</code>. Reference each secret explicitly under <code>data</code>; <code>dataFrom</code> is not supported (see Limitations).</p>
 <div class="highlight"><pre><span></span><code>kubectl<span class="w"> </span>apply<span class="w"> </span>-f<span class="w"> </span>external-secret.yml
 </code></pre></div>
 <div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1</span>
@@ -5275,11 +5270,11 @@ You can also use a <code>ClusterExternalSecret</code> allowing you to reference
 <span class="w">     </span><span class="nt">remoteRef</span><span class="p">:</span>
 <span class="w">       </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">system01/managed_account01</span>
 </code></pre></div>
-<h3 id="get-the-k8s-secret">Get the K8s secret</h3>
+<h2 id="get-the-k8s-secret">Get the K8s secret</h2>
 <div class="highlight"><pre><span></span><code><span class="c1"># WARNING: this command will reveal the stored secret in plain text</span>
 kubectl<span class="w"> </span>get<span class="w"> </span>secret<span class="w"> </span>my-beyondtrust-secret<span class="w"> </span>-o<span class="w"> </span><span class="nv">jsonpath</span><span class="o">=</span><span class="s2">&quot;{.data.secretKey}&quot;</span><span class="w"> </span><span class="p">|</span><span class="w"> </span>base64<span class="w"> </span>--decode<span class="w"> </span><span class="o">&amp;&amp;</span><span class="w"> </span><span class="nb">echo</span>
 </code></pre></div>
-<h3 id="creating-a-secret">Creating a Secret</h3>
+<h2 id="creating-a-secret">Creating a Secret</h2>
 <p>The following example shows how to create a Kubernetes <code>Secret</code> that will later be pushed to BeyondTrust.</p>
 <div class="highlight"><pre><span></span><code>kubectl<span class="w"> </span>apply<span class="w"> </span>-f<span class="w"> </span>beyondtrust-secret.yml
 </code></pre></div>
@@ -5291,7 +5286,7 @@ kubectl<span class="w"> </span>get<span class="w"> </span>secret<span class="w">
 <span class="nt">stringData</span><span class="p">:</span>
 <span class="w">  </span><span class="nt">password</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">S3cr3tP@ss</span>
 </code></pre></div>
-<h3 id="creating-an-clustersecretstore">Creating an ClusterSecretStore</h3>
+<h2 id="creating-an-clustersecretstore">Creating an ClusterSecretStore</h2>
 <p>The following example demonstrates how to create a <code>ClusterSecretStore</code> configured to use the BeyondTrust provider.</p>
 <div class="highlight"><pre><span></span><code>kubectl<span class="w"> </span>apply<span class="w"> </span>-f<span class="w"> </span>beyondtrust-cluster-secret-store.yml
 </code></pre></div>
@@ -5323,10 +5318,10 @@ kubectl<span class="w"> </span>get<span class="w"> </span>secret<span class="w">
 <span class="w">      </span><span class="nt">retrievalType</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">MANAGED_ACCOUNT</span>
 <span class="w">      </span><span class="nt">verifyCA</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">true</span>
 <span class="w">      </span><span class="nt">clientTimeOutSeconds</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">45</span>
-<span class="w">      </span><span class="nt">apiUrl</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">https://example.test.com/BeyondTrust/</span>
+<span class="w">      </span><span class="nt">apiUrl</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">https://example.com/BeyondTrust/api/public/v3/</span>
 <span class="w">      </span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;3.1&quot;</span>
 </code></pre></div>
-<h3 id="creating-an-pushsecret">Creating an PushSecret</h3>
+<h2 id="creating-an-pushsecret">Creating an PushSecret</h2>
 <p>The example below demonstrates how to create a <code>PushSecret</code> resource to push secret data to BeyondTrust.</p>
 <div class="highlight"><pre><span></span><code>kubectl<span class="w"> </span>apply<span class="w"> </span>-f<span class="w"> </span>beyondtrust-push-secret.yml
 </code></pre></div>
@@ -5354,7 +5349,6 @@ kubectl<span class="w"> </span>get<span class="w"> </span>secret<span class="w">
 <span class="w">        </span><span class="nt">username</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">fhernandez</span>
 <span class="w">        </span><span class="nt">description</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Secret Title Description</span>
 <span class="w">        </span><span class="nt">file_name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">credentials.txt</span><span class="w"> </span><span class="c1"># only for FILE secret_type</span>
-<span class="w">        </span><span class="nt">notes</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;Example</span><span class="nv"> </span><span class="s">Notes&quot;</span>
 <span class="w">        </span><span class="nt">folder_name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">folder1</span>
 <span class="w">        </span><span class="nt">owner_id</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">1</span>
 <span class="w">        </span><span class="nt">group_id</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">1</span>
@@ -5365,6 +5359,11 @@ kubectl<span class="w"> </span>get<span class="w"> </span>secret<span class="w">
 <span class="w">            </span><span class="nt">id</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;454&quot;</span>
 <span class="w">            </span><span class="nt">credential_id</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;25&quot;</span>
 </code></pre></div>
+<h2 id="limitations">Limitations</h2>
+<ul>
+<li>The provider reads individual secrets via <code>data[].remoteRef.key</code> and writes via <code>PushSecret</code>. <code>dataFrom.extract</code> and <code>dataFrom.find</code> are not implemented (<code>GetSecretMap</code> and <code>GetAllSecrets</code> return "not implemented"), so reference each secret explicitly by key.</li>
+<li><code>PushSecret</code> with <code>deletionPolicy: Delete</code> is not supported. Removing the <code>PushSecret</code> or <code>ExternalSecret</code> does not delete the secret in BeyondTrust, because the <code>DeleteSecret</code> operation is not implemented.</li>
+</ul>
 
 
 

+ 0 - 0
main/search/search_index.json


+ 1 - 1
main/snippets/beyondtrust-cluster-secret-store.yaml

@@ -26,5 +26,5 @@ spec:
       retrievalType: MANAGED_ACCOUNT
       verifyCA: true
       clientTimeOutSeconds: 45
-      apiUrl: https://example.test.com/BeyondTrust/
+      apiUrl: https://example.com/BeyondTrust/api/public/v3/
       apiVersion: "3.1"

+ 0 - 1
main/snippets/beyondtrust-push-secret.yaml

@@ -22,7 +22,6 @@ spec:
         username: fhernandez
         description: Secret Title Description
         file_name: credentials.txt # only for FILE secret_type
-        notes: "Example Notes"
         folder_name: folder1
         owner_id: 1
         group_id: 1

+ 0 - 35
main/snippets/beyondtrust-secret-store.yaml

@@ -1,35 +0,0 @@
-apiVersion: external-secrets.io/v1
-kind: SecretStore
-metadata:
- name: secretstore-beyondtrust
-spec:
- provider:
-   beyondtrust:
-    auth:
-      certificate:
-        secretRef:
-            name: bt-certificate
-            key: ClientCertificate
-      certificateKey:
-        secretRef:
-            name: bt-certificatekey
-            key: ClientCertificateKey
-      clientSecret:
-        secretRef:
-          name: bt-secret
-          key: ClientSecret
-      clientId:
-        secretRef:
-          name: bt-id
-          key: ClientId
-      apiKey:
-        secretRef:
-          name: bt-apikey
-          key: ApiKey
-    server:
-      retrievalType: MANAGED_ACCOUNT
-      verifyCA: true
-      clientTimeOutSeconds: 45
-      apiUrl: https://example.ps-dev.beyondtrustcloud.com:443/BeyondTrust/api/public/v3/
-      apiVersion: "3.1"
-      decrypt: true
