|
@@ -3031,6 +3031,8 @@
|
|
|
<input class="md-nav__toggle md-toggle" type="checkbox" id="__toc">
|
|
<input class="md-nav__toggle md-toggle" type="checkbox" id="__toc">
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
+
|
|
|
|
|
+
|
|
|
|
|
|
|
|
<label class="md-nav__link md-nav__link--active" for="__toc">
|
|
<label class="md-nav__link md-nav__link--active" for="__toc">
|
|
|
|
|
|
|
@@ -3073,6 +3075,8 @@
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
+
|
|
|
|
|
+
|
|
|
|
|
|
|
|
<label class="md-nav__title" for="__toc">
|
|
<label class="md-nav__title" for="__toc">
|
|
|
<span class="md-nav__icon md-icon"></span>
|
|
<span class="md-nav__icon md-icon"></span>
|
|
@@ -3081,18 +3085,6 @@
|
|
|
<ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
|
|
<ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
|
|
|
|
|
|
|
|
<li class="md-nav__item">
|
|
<li class="md-nav__item">
|
|
|
- <a href="#beyondtrust-password-safe" class="md-nav__link">
|
|
|
|
|
- <span class="md-ellipsis">
|
|
|
|
|
-
|
|
|
|
|
- BeyondTrust Password Safe
|
|
|
|
|
-
|
|
|
|
|
- </span>
|
|
|
|
|
- </a>
|
|
|
|
|
-
|
|
|
|
|
- <nav class="md-nav" aria-label="BeyondTrust Password Safe">
|
|
|
|
|
- <ul class="md-nav__list">
|
|
|
|
|
-
|
|
|
|
|
- <li class="md-nav__item">
|
|
|
|
|
<a href="#prerequisites" class="md-nav__link">
|
|
<a href="#prerequisites" class="md-nav__link">
|
|
|
<span class="md-ellipsis">
|
|
<span class="md-ellipsis">
|
|
|
|
|
|
|
@@ -3102,8 +3094,8 @@
|
|
|
</a>
|
|
</a>
|
|
|
|
|
|
|
|
</li>
|
|
</li>
|
|
|
-
|
|
|
|
|
- <li class="md-nav__item">
|
|
|
|
|
|
|
+
|
|
|
|
|
+ <li class="md-nav__item">
|
|
|
<a href="#authentication" class="md-nav__link">
|
|
<a href="#authentication" class="md-nav__link">
|
|
|
<span class="md-ellipsis">
|
|
<span class="md-ellipsis">
|
|
|
|
|
|
|
@@ -3113,8 +3105,8 @@
|
|
|
</a>
|
|
</a>
|
|
|
|
|
|
|
|
</li>
|
|
</li>
|
|
|
-
|
|
|
|
|
- <li class="md-nav__item">
|
|
|
|
|
|
|
+
|
|
|
|
|
+ <li class="md-nav__item">
|
|
|
<a href="#client-certificate" class="md-nav__link">
|
|
<a href="#client-certificate" class="md-nav__link">
|
|
|
<span class="md-ellipsis">
|
|
<span class="md-ellipsis">
|
|
|
|
|
|
|
@@ -3124,8 +3116,8 @@
|
|
|
</a>
|
|
</a>
|
|
|
|
|
|
|
|
</li>
|
|
</li>
|
|
|
-
|
|
|
|
|
- <li class="md-nav__item">
|
|
|
|
|
|
|
+
|
|
|
|
|
+ <li class="md-nav__item">
|
|
|
<a href="#creating-a-secretstore" class="md-nav__link">
|
|
<a href="#creating-a-secretstore" class="md-nav__link">
|
|
|
<span class="md-ellipsis">
|
|
<span class="md-ellipsis">
|
|
|
|
|
|
|
@@ -3135,8 +3127,8 @@
|
|
|
</a>
|
|
</a>
|
|
|
|
|
|
|
|
</li>
|
|
</li>
|
|
|
-
|
|
|
|
|
- <li class="md-nav__item">
|
|
|
|
|
|
|
+
|
|
|
|
|
+ <li class="md-nav__item">
|
|
|
<a href="#creating-an-externalsecret" class="md-nav__link">
|
|
<a href="#creating-an-externalsecret" class="md-nav__link">
|
|
|
<span class="md-ellipsis">
|
|
<span class="md-ellipsis">
|
|
|
|
|
|
|
@@ -3146,8 +3138,8 @@
|
|
|
</a>
|
|
</a>
|
|
|
|
|
|
|
|
</li>
|
|
</li>
|
|
|
-
|
|
|
|
|
- <li class="md-nav__item">
|
|
|
|
|
|
|
+
|
|
|
|
|
+ <li class="md-nav__item">
|
|
|
<a href="#get-the-k8s-secret" class="md-nav__link">
|
|
<a href="#get-the-k8s-secret" class="md-nav__link">
|
|
|
<span class="md-ellipsis">
|
|
<span class="md-ellipsis">
|
|
|
|
|
|
|
@@ -3157,8 +3149,8 @@
|
|
|
</a>
|
|
</a>
|
|
|
|
|
|
|
|
</li>
|
|
</li>
|
|
|
-
|
|
|
|
|
- <li class="md-nav__item">
|
|
|
|
|
|
|
+
|
|
|
|
|
+ <li class="md-nav__item">
|
|
|
<a href="#creating-a-secret" class="md-nav__link">
|
|
<a href="#creating-a-secret" class="md-nav__link">
|
|
|
<span class="md-ellipsis">
|
|
<span class="md-ellipsis">
|
|
|
|
|
|
|
@@ -3168,8 +3160,8 @@
|
|
|
</a>
|
|
</a>
|
|
|
|
|
|
|
|
</li>
|
|
</li>
|
|
|
-
|
|
|
|
|
- <li class="md-nav__item">
|
|
|
|
|
|
|
+
|
|
|
|
|
+ <li class="md-nav__item">
|
|
|
<a href="#creating-an-clustersecretstore" class="md-nav__link">
|
|
<a href="#creating-an-clustersecretstore" class="md-nav__link">
|
|
|
<span class="md-ellipsis">
|
|
<span class="md-ellipsis">
|
|
|
|
|
|
|
@@ -3179,8 +3171,8 @@
|
|
|
</a>
|
|
</a>
|
|
|
|
|
|
|
|
</li>
|
|
</li>
|
|
|
-
|
|
|
|
|
- <li class="md-nav__item">
|
|
|
|
|
|
|
+
|
|
|
|
|
+ <li class="md-nav__item">
|
|
|
<a href="#creating-an-pushsecret" class="md-nav__link">
|
|
<a href="#creating-an-pushsecret" class="md-nav__link">
|
|
|
<span class="md-ellipsis">
|
|
<span class="md-ellipsis">
|
|
|
|
|
|
|
@@ -3190,9 +3182,15 @@
|
|
|
</a>
|
|
</a>
|
|
|
|
|
|
|
|
</li>
|
|
</li>
|
|
|
-
|
|
|
|
|
- </ul>
|
|
|
|
|
- </nav>
|
|
|
|
|
|
|
+
|
|
|
|
|
+ <li class="md-nav__item">
|
|
|
|
|
+ <a href="#limitations" class="md-nav__link">
|
|
|
|
|
+ <span class="md-ellipsis">
|
|
|
|
|
+
|
|
|
|
|
+ Limitations
|
|
|
|
|
+
|
|
|
|
|
+ </span>
|
|
|
|
|
+ </a>
|
|
|
|
|
|
|
|
</li>
|
|
</li>
|
|
|
|
|
|
|
@@ -5023,6 +5021,8 @@
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
+
|
|
|
|
|
+
|
|
|
|
|
|
|
|
<label class="md-nav__title" for="__toc">
|
|
<label class="md-nav__title" for="__toc">
|
|
|
<span class="md-nav__icon md-icon"></span>
|
|
<span class="md-nav__icon md-icon"></span>
|
|
@@ -5031,18 +5031,6 @@
|
|
|
<ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
|
|
<ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
|
|
|
|
|
|
|
|
<li class="md-nav__item">
|
|
<li class="md-nav__item">
|
|
|
- <a href="#beyondtrust-password-safe" class="md-nav__link">
|
|
|
|
|
- <span class="md-ellipsis">
|
|
|
|
|
-
|
|
|
|
|
- BeyondTrust Password Safe
|
|
|
|
|
-
|
|
|
|
|
- </span>
|
|
|
|
|
- </a>
|
|
|
|
|
-
|
|
|
|
|
- <nav class="md-nav" aria-label="BeyondTrust Password Safe">
|
|
|
|
|
- <ul class="md-nav__list">
|
|
|
|
|
-
|
|
|
|
|
- <li class="md-nav__item">
|
|
|
|
|
<a href="#prerequisites" class="md-nav__link">
|
|
<a href="#prerequisites" class="md-nav__link">
|
|
|
<span class="md-ellipsis">
|
|
<span class="md-ellipsis">
|
|
|
|
|
|
|
@@ -5052,8 +5040,8 @@
|
|
|
</a>
|
|
</a>
|
|
|
|
|
|
|
|
</li>
|
|
</li>
|
|
|
-
|
|
|
|
|
- <li class="md-nav__item">
|
|
|
|
|
|
|
+
|
|
|
|
|
+ <li class="md-nav__item">
|
|
|
<a href="#authentication" class="md-nav__link">
|
|
<a href="#authentication" class="md-nav__link">
|
|
|
<span class="md-ellipsis">
|
|
<span class="md-ellipsis">
|
|
|
|
|
|
|
@@ -5063,8 +5051,8 @@
|
|
|
</a>
|
|
</a>
|
|
|
|
|
|
|
|
</li>
|
|
</li>
|
|
|
-
|
|
|
|
|
- <li class="md-nav__item">
|
|
|
|
|
|
|
+
|
|
|
|
|
+ <li class="md-nav__item">
|
|
|
<a href="#client-certificate" class="md-nav__link">
|
|
<a href="#client-certificate" class="md-nav__link">
|
|
|
<span class="md-ellipsis">
|
|
<span class="md-ellipsis">
|
|
|
|
|
|
|
@@ -5074,8 +5062,8 @@
|
|
|
</a>
|
|
</a>
|
|
|
|
|
|
|
|
</li>
|
|
</li>
|
|
|
-
|
|
|
|
|
- <li class="md-nav__item">
|
|
|
|
|
|
|
+
|
|
|
|
|
+ <li class="md-nav__item">
|
|
|
<a href="#creating-a-secretstore" class="md-nav__link">
|
|
<a href="#creating-a-secretstore" class="md-nav__link">
|
|
|
<span class="md-ellipsis">
|
|
<span class="md-ellipsis">
|
|
|
|
|
|
|
@@ -5085,8 +5073,8 @@
|
|
|
</a>
|
|
</a>
|
|
|
|
|
|
|
|
</li>
|
|
</li>
|
|
|
-
|
|
|
|
|
- <li class="md-nav__item">
|
|
|
|
|
|
|
+
|
|
|
|
|
+ <li class="md-nav__item">
|
|
|
<a href="#creating-an-externalsecret" class="md-nav__link">
|
|
<a href="#creating-an-externalsecret" class="md-nav__link">
|
|
|
<span class="md-ellipsis">
|
|
<span class="md-ellipsis">
|
|
|
|
|
|
|
@@ -5096,8 +5084,8 @@
|
|
|
</a>
|
|
</a>
|
|
|
|
|
|
|
|
</li>
|
|
</li>
|
|
|
-
|
|
|
|
|
- <li class="md-nav__item">
|
|
|
|
|
|
|
+
|
|
|
|
|
+ <li class="md-nav__item">
|
|
|
<a href="#get-the-k8s-secret" class="md-nav__link">
|
|
<a href="#get-the-k8s-secret" class="md-nav__link">
|
|
|
<span class="md-ellipsis">
|
|
<span class="md-ellipsis">
|
|
|
|
|
|
|
@@ -5107,8 +5095,8 @@
|
|
|
</a>
|
|
</a>
|
|
|
|
|
|
|
|
</li>
|
|
</li>
|
|
|
-
|
|
|
|
|
- <li class="md-nav__item">
|
|
|
|
|
|
|
+
|
|
|
|
|
+ <li class="md-nav__item">
|
|
|
<a href="#creating-a-secret" class="md-nav__link">
|
|
<a href="#creating-a-secret" class="md-nav__link">
|
|
|
<span class="md-ellipsis">
|
|
<span class="md-ellipsis">
|
|
|
|
|
|
|
@@ -5118,8 +5106,8 @@
|
|
|
</a>
|
|
</a>
|
|
|
|
|
|
|
|
</li>
|
|
</li>
|
|
|
-
|
|
|
|
|
- <li class="md-nav__item">
|
|
|
|
|
|
|
+
|
|
|
|
|
+ <li class="md-nav__item">
|
|
|
<a href="#creating-an-clustersecretstore" class="md-nav__link">
|
|
<a href="#creating-an-clustersecretstore" class="md-nav__link">
|
|
|
<span class="md-ellipsis">
|
|
<span class="md-ellipsis">
|
|
|
|
|
|
|
@@ -5129,8 +5117,8 @@
|
|
|
</a>
|
|
</a>
|
|
|
|
|
|
|
|
</li>
|
|
</li>
|
|
|
-
|
|
|
|
|
- <li class="md-nav__item">
|
|
|
|
|
|
|
+
|
|
|
|
|
+ <li class="md-nav__item">
|
|
|
<a href="#creating-an-pushsecret" class="md-nav__link">
|
|
<a href="#creating-an-pushsecret" class="md-nav__link">
|
|
|
<span class="md-ellipsis">
|
|
<span class="md-ellipsis">
|
|
|
|
|
|
|
@@ -5140,9 +5128,15 @@
|
|
|
</a>
|
|
</a>
|
|
|
|
|
|
|
|
</li>
|
|
</li>
|
|
|
-
|
|
|
|
|
- </ul>
|
|
|
|
|
- </nav>
|
|
|
|
|
|
|
+
|
|
|
|
|
+ <li class="md-nav__item">
|
|
|
|
|
+ <a href="#limitations" class="md-nav__link">
|
|
|
|
|
+ <span class="md-ellipsis">
|
|
|
|
|
+
|
|
|
|
|
+ Limitations
|
|
|
|
|
+
|
|
|
|
|
+ </span>
|
|
|
|
|
+ </a>
|
|
|
|
|
|
|
|
</li>
|
|
</li>
|
|
|
|
|
|
|
@@ -5166,16 +5160,14 @@
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
- <h1>BeyondTrust</h1>
|
|
|
|
|
-
|
|
|
|
|
-<h2 id="beyondtrust-password-safe">BeyondTrust Password Safe</h2>
|
|
|
|
|
|
|
+<h1 id="beyondtrust-password-safe">BeyondTrust Password Safe</h1>
|
|
|
<p>External Secrets Operator integrates with <a href="https://www.beyondtrust.com/docs/beyondinsight-password-safe/">BeyondTrust Password Safe</a>.</p>
|
|
<p>External Secrets Operator integrates with <a href="https://www.beyondtrust.com/docs/beyondinsight-password-safe/">BeyondTrust Password Safe</a>.</p>
|
|
|
<p>Warning: The External Secrets Operator secure usage involves taking several measures. Please see <a href="https://external-secrets.io/latest/guides/security-best-practices/">Security Best Practices</a> for more information.</p>
|
|
<p>Warning: The External Secrets Operator secure usage involves taking several measures. Please see <a href="https://external-secrets.io/latest/guides/security-best-practices/">Security Best Practices</a> for more information.</p>
|
|
|
<p>Warning: If the BT provider secret is deleted it will still exist in the Kubernetes secrets.</p>
|
|
<p>Warning: If the BT provider secret is deleted it will still exist in the Kubernetes secrets.</p>
|
|
|
-<h3 id="prerequisites">Prerequisites</h3>
|
|
|
|
|
|
|
+<h2 id="prerequisites">Prerequisites</h2>
|
|
|
<p>The BT provider supports retrieval of a secret from BeyondInsight/Password Safe versions 23.1 or greater.</p>
|
|
<p>The BT provider supports retrieval of a secret from BeyondInsight/Password Safe versions 23.1 or greater.</p>
|
|
|
<p>For this provider to retrieve a secret the Password Safe/Secrets Safe instance must be preconfigured with the secret in question and authorized to read it.</p>
|
|
<p>For this provider to retrieve a secret the Password Safe/Secrets Safe instance must be preconfigured with the secret in question and authorized to read it.</p>
|
|
|
-<h3 id="authentication">Authentication</h3>
|
|
|
|
|
|
|
+<h2 id="authentication">Authentication</h2>
|
|
|
<p>BeyondTrust <a href="https://www.beyondtrust.com/docs/beyondinsight-password-safe/ps/admin/configure-api-registration.htm">OAuth Authentication</a>.</p>
|
|
<p>BeyondTrust <a href="https://www.beyondtrust.com/docs/beyondinsight-password-safe/ps/admin/configure-api-registration.htm">OAuth Authentication</a>.</p>
|
|
|
<ol>
|
|
<ol>
|
|
|
<li>Create an API access registration in BeyondInsight</li>
|
|
<li>Create an API access registration in BeyondInsight</li>
|
|
@@ -5195,7 +5187,7 @@ kubectl<span class="w"> </span>create<span class="w"> </span>secret<span class="
|
|
|
<p>If you're using API Key authentication:
|
|
<p>If you're using API Key authentication:
|
|
|
<div class="highlight"><pre><span></span><code>kubectl<span class="w"> </span>create<span class="w"> </span>secret<span class="w"> </span>generic<span class="w"> </span>bt-apikey<span class="w"> </span>--from-literal<span class="w"> </span><span class="nv">ApiKey</span><span class="o">=</span><span class="s2">"<your apikey>"</span>
|
|
<div class="highlight"><pre><span></span><code>kubectl<span class="w"> </span>create<span class="w"> </span>secret<span class="w"> </span>generic<span class="w"> </span>bt-apikey<span class="w"> </span>--from-literal<span class="w"> </span><span class="nv">ApiKey</span><span class="o">=</span><span class="s2">"<your apikey>"</span>
|
|
|
</code></pre></div></p>
|
|
</code></pre></div></p>
|
|
|
-<h3 id="client-certificate">Client Certificate</h3>
|
|
|
|
|
|
|
+<h2 id="client-certificate">Client Certificate</h2>
|
|
|
<p>If using <code>retrievalType: MANAGED_ACCOUNT</code>, you will also need to download the pfx certificate from Secrets Safe, extract that certificate and create two Kubernetes secrets.</p>
|
|
<p>If using <code>retrievalType: MANAGED_ACCOUNT</code>, you will also need to download the pfx certificate from Secrets Safe, extract that certificate and create two Kubernetes secrets.</p>
|
|
|
<div class="highlight"><pre><span></span><code>openssl<span class="w"> </span>pkcs12<span class="w"> </span>-in<span class="w"> </span>client_certificate.pfx<span class="w"> </span>-nocerts<span class="w"> </span>-out<span class="w"> </span>ps_key.pem<span class="w"> </span>-nodes
|
|
<div class="highlight"><pre><span></span><code>openssl<span class="w"> </span>pkcs12<span class="w"> </span>-in<span class="w"> </span>client_certificate.pfx<span class="w"> </span>-nocerts<span class="w"> </span>-out<span class="w"> </span>ps_key.pem<span class="w"> </span>-nodes
|
|
|
openssl<span class="w"> </span>pkcs12<span class="w"> </span>-in<span class="w"> </span>client_certificate.pfx<span class="w"> </span>-clcerts<span class="w"> </span>-nokeys<span class="w"> </span>-out<span class="w"> </span>ps_cert.pem
|
|
openssl<span class="w"> </span>pkcs12<span class="w"> </span>-in<span class="w"> </span>client_certificate.pfx<span class="w"> </span>-clcerts<span class="w"> </span>-nokeys<span class="w"> </span>-out<span class="w"> </span>ps_cert.pem
|
|
@@ -5213,7 +5205,7 @@ openssl<span class="w"> </span>pkcs12<span class="w"> </span>-in<span class="w">
|
|
|
kubectl<span class="w"> </span>create<span class="w"> </span>secret<span class="w"> </span>generic<span class="w"> </span>bt-certificate<span class="w"> </span>--from-file<span class="o">=</span><span class="nv">ClientCertificate</span><span class="o">=</span>./ps_cert.pem
|
|
kubectl<span class="w"> </span>create<span class="w"> </span>secret<span class="w"> </span>generic<span class="w"> </span>bt-certificate<span class="w"> </span>--from-file<span class="o">=</span><span class="nv">ClientCertificate</span><span class="o">=</span>./ps_cert.pem
|
|
|
kubectl<span class="w"> </span>create<span class="w"> </span>secret<span class="w"> </span>generic<span class="w"> </span>bt-certificatekey<span class="w"> </span>--from-file<span class="o">=</span><span class="nv">ClientCertificateKey</span><span class="o">=</span>./ps_key.pem
|
|
kubectl<span class="w"> </span>create<span class="w"> </span>secret<span class="w"> </span>generic<span class="w"> </span>bt-certificatekey<span class="w"> </span>--from-file<span class="o">=</span><span class="nv">ClientCertificateKey</span><span class="o">=</span>./ps_key.pem
|
|
|
</code></pre></div>
|
|
</code></pre></div>
|
|
|
-<h3 id="creating-a-secretstore">Creating a SecretStore</h3>
|
|
|
|
|
|
|
+<h2 id="creating-a-secretstore">Creating a SecretStore</h2>
|
|
|
<p>You can follow the below example to create a <code>SecretStore</code> resource.
|
|
<p>You can follow the below example to create a <code>SecretStore</code> resource.
|
|
|
You can also use a <code>ClusterSecretStore</code> allowing you to reference secrets from all namespaces. <a href="https://external-secrets.io/latest/api/clustersecretstore/">ClusterSecretStore</a></p>
|
|
You can also use a <code>ClusterSecretStore</code> allowing you to reference secrets from all namespaces. <a href="https://external-secrets.io/latest/api/clustersecretstore/">ClusterSecretStore</a></p>
|
|
|
<div class="highlight"><pre><span></span><code>kubectl<span class="w"> </span>apply<span class="w"> </span>-f<span class="w"> </span>secret-store.yml
|
|
<div class="highlight"><pre><span></span><code>kubectl<span class="w"> </span>apply<span class="w"> </span>-f<span class="w"> </span>secret-store.yml
|
|
@@ -5226,8 +5218,10 @@ You can also use a <code>ClusterSecretStore</code> allowing you to reference sec
|
|
|
<span class="w"> </span><span class="nt">provider</span><span class="p">:</span>
|
|
<span class="w"> </span><span class="nt">provider</span><span class="p">:</span>
|
|
|
<span class="w"> </span><span class="nt">beyondtrust</span><span class="p">:</span>
|
|
<span class="w"> </span><span class="nt">beyondtrust</span><span class="p">:</span>
|
|
|
<span class="w"> </span><span class="nt">server</span><span class="p">:</span>
|
|
<span class="w"> </span><span class="nt">server</span><span class="p">:</span>
|
|
|
-<span class="w"> </span><span class="nt">apiUrl</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">https://example.com:443/BeyondTrust/api/public/v3/</span>
|
|
|
|
|
|
|
+<span class="w"> </span><span class="nt">apiUrl</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">https://example.com/BeyondTrust/api/public/v3/</span>
|
|
|
<span class="w"> </span><span class="nt">retrievalType</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">MANAGED_ACCOUNT</span><span class="w"> </span><span class="c1"># or SECRET</span>
|
|
<span class="w"> </span><span class="nt">retrievalType</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">MANAGED_ACCOUNT</span><span class="w"> </span><span class="c1"># or SECRET</span>
|
|
|
|
|
+<span class="w"> </span><span class="nt">separator</span><span class="p">:</span><span class="w"> </span><span class="s">"/"</span><span class="w"> </span><span class="c1"># folder separator used to split remoteRef.key paths; defaults to "/"</span>
|
|
|
|
|
+<span class="w"> </span><span class="nt">decrypt</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">true</span><span class="w"> </span><span class="c1"># SECRET retrievalType only: when false the password field is omitted; defaults to true</span>
|
|
|
<span class="w"> </span><span class="nt">verifyCA</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">true</span>
|
|
<span class="w"> </span><span class="nt">verifyCA</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">true</span>
|
|
|
<span class="w"> </span><span class="nt">clientTimeOutSeconds</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">45</span>
|
|
<span class="w"> </span><span class="nt">clientTimeOutSeconds</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">45</span>
|
|
|
<span class="w"> </span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="s">"3.0"</span><span class="w"> </span><span class="c1"># The recommended version is 3.1. If no version is specified, the default API version 3.0 will be used.</span>
|
|
<span class="w"> </span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="s">"3.0"</span><span class="w"> </span><span class="c1"># The recommended version is 3.1. If no version is specified, the default API version 3.0 will be used.</span>
|
|
@@ -5253,9 +5247,10 @@ You can also use a <code>ClusterSecretStore</code> allowing you to reference sec
|
|
|
<span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">bt-apikey</span>
|
|
<span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">bt-apikey</span>
|
|
|
<span class="w"> </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ApiKey</span>
|
|
<span class="w"> </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ApiKey</span>
|
|
|
</code></pre></div>
|
|
</code></pre></div>
|
|
|
-<h3 id="creating-an-externalsecret">Creating an ExternalSecret</h3>
|
|
|
|
|
|
|
+<h2 id="creating-an-externalsecret">Creating an ExternalSecret</h2>
|
|
|
<p>You can follow the below example to create a <code>ExternalSecret</code> resource. Secrets can be referenced by path.
|
|
<p>You can follow the below example to create a <code>ExternalSecret</code> resource. Secrets can be referenced by path.
|
|
|
You can also use a <code>ClusterExternalSecret</code> allowing you to reference secrets from all namespaces.</p>
|
|
You can also use a <code>ClusterExternalSecret</code> allowing you to reference secrets from all namespaces.</p>
|
|
|
|
|
+<p><code>remoteRef.key</code> is the secret or managed-account path. Path segments are joined by the <code>separator</code> configured on the store (default <code>/</code>), for example <code>system01/managed_account01</code>. Reference each secret explicitly under <code>data</code>; <code>dataFrom</code> is not supported (see Limitations).</p>
|
|
|
<div class="highlight"><pre><span></span><code>kubectl<span class="w"> </span>apply<span class="w"> </span>-f<span class="w"> </span>external-secret.yml
|
|
<div class="highlight"><pre><span></span><code>kubectl<span class="w"> </span>apply<span class="w"> </span>-f<span class="w"> </span>external-secret.yml
|
|
|
</code></pre></div>
|
|
</code></pre></div>
|
|
|
<div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1</span>
|
|
<div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1</span>
|
|
@@ -5275,11 +5270,11 @@ You can also use a <code>ClusterExternalSecret</code> allowing you to reference
|
|
|
<span class="w"> </span><span class="nt">remoteRef</span><span class="p">:</span>
|
|
<span class="w"> </span><span class="nt">remoteRef</span><span class="p">:</span>
|
|
|
<span class="w"> </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">system01/managed_account01</span>
|
|
<span class="w"> </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">system01/managed_account01</span>
|
|
|
</code></pre></div>
|
|
</code></pre></div>
|
|
|
-<h3 id="get-the-k8s-secret">Get the K8s secret</h3>
|
|
|
|
|
|
|
+<h2 id="get-the-k8s-secret">Get the K8s secret</h2>
|
|
|
<div class="highlight"><pre><span></span><code><span class="c1"># WARNING: this command will reveal the stored secret in plain text</span>
|
|
<div class="highlight"><pre><span></span><code><span class="c1"># WARNING: this command will reveal the stored secret in plain text</span>
|
|
|
kubectl<span class="w"> </span>get<span class="w"> </span>secret<span class="w"> </span>my-beyondtrust-secret<span class="w"> </span>-o<span class="w"> </span><span class="nv">jsonpath</span><span class="o">=</span><span class="s2">"{.data.secretKey}"</span><span class="w"> </span><span class="p">|</span><span class="w"> </span>base64<span class="w"> </span>--decode<span class="w"> </span><span class="o">&&</span><span class="w"> </span><span class="nb">echo</span>
|
|
kubectl<span class="w"> </span>get<span class="w"> </span>secret<span class="w"> </span>my-beyondtrust-secret<span class="w"> </span>-o<span class="w"> </span><span class="nv">jsonpath</span><span class="o">=</span><span class="s2">"{.data.secretKey}"</span><span class="w"> </span><span class="p">|</span><span class="w"> </span>base64<span class="w"> </span>--decode<span class="w"> </span><span class="o">&&</span><span class="w"> </span><span class="nb">echo</span>
|
|
|
</code></pre></div>
|
|
</code></pre></div>
|
|
|
-<h3 id="creating-a-secret">Creating a Secret</h3>
|
|
|
|
|
|
|
+<h2 id="creating-a-secret">Creating a Secret</h2>
|
|
|
<p>The following example shows how to create a Kubernetes <code>Secret</code> that will later be pushed to BeyondTrust.</p>
|
|
<p>The following example shows how to create a Kubernetes <code>Secret</code> that will later be pushed to BeyondTrust.</p>
|
|
|
<div class="highlight"><pre><span></span><code>kubectl<span class="w"> </span>apply<span class="w"> </span>-f<span class="w"> </span>beyondtrust-secret.yml
|
|
<div class="highlight"><pre><span></span><code>kubectl<span class="w"> </span>apply<span class="w"> </span>-f<span class="w"> </span>beyondtrust-secret.yml
|
|
|
</code></pre></div>
|
|
</code></pre></div>
|
|
@@ -5291,7 +5286,7 @@ kubectl<span class="w"> </span>get<span class="w"> </span>secret<span class="w">
|
|
|
<span class="nt">stringData</span><span class="p">:</span>
|
|
<span class="nt">stringData</span><span class="p">:</span>
|
|
|
<span class="w"> </span><span class="nt">password</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">S3cr3tP@ss</span>
|
|
<span class="w"> </span><span class="nt">password</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">S3cr3tP@ss</span>
|
|
|
</code></pre></div>
|
|
</code></pre></div>
|
|
|
-<h3 id="creating-an-clustersecretstore">Creating an ClusterSecretStore</h3>
|
|
|
|
|
|
|
+<h2 id="creating-an-clustersecretstore">Creating an ClusterSecretStore</h2>
|
|
|
<p>The following example demonstrates how to create a <code>ClusterSecretStore</code> configured to use the BeyondTrust provider.</p>
|
|
<p>The following example demonstrates how to create a <code>ClusterSecretStore</code> configured to use the BeyondTrust provider.</p>
|
|
|
<div class="highlight"><pre><span></span><code>kubectl<span class="w"> </span>apply<span class="w"> </span>-f<span class="w"> </span>beyondtrust-cluster-secret-store.yml
|
|
<div class="highlight"><pre><span></span><code>kubectl<span class="w"> </span>apply<span class="w"> </span>-f<span class="w"> </span>beyondtrust-cluster-secret-store.yml
|
|
|
</code></pre></div>
|
|
</code></pre></div>
|
|
@@ -5323,10 +5318,10 @@ kubectl<span class="w"> </span>get<span class="w"> </span>secret<span class="w">
|
|
|
<span class="w"> </span><span class="nt">retrievalType</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">MANAGED_ACCOUNT</span>
|
|
<span class="w"> </span><span class="nt">retrievalType</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">MANAGED_ACCOUNT</span>
|
|
|
<span class="w"> </span><span class="nt">verifyCA</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">true</span>
|
|
<span class="w"> </span><span class="nt">verifyCA</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">true</span>
|
|
|
<span class="w"> </span><span class="nt">clientTimeOutSeconds</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">45</span>
|
|
<span class="w"> </span><span class="nt">clientTimeOutSeconds</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">45</span>
|
|
|
-<span class="w"> </span><span class="nt">apiUrl</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">https://example.test.com/BeyondTrust/</span>
|
|
|
|
|
|
|
+<span class="w"> </span><span class="nt">apiUrl</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">https://example.com/BeyondTrust/api/public/v3/</span>
|
|
|
<span class="w"> </span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="s">"3.1"</span>
|
|
<span class="w"> </span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="s">"3.1"</span>
|
|
|
</code></pre></div>
|
|
</code></pre></div>
|
|
|
-<h3 id="creating-an-pushsecret">Creating an PushSecret</h3>
|
|
|
|
|
|
|
+<h2 id="creating-an-pushsecret">Creating an PushSecret</h2>
|
|
|
<p>The example below demonstrates how to create a <code>PushSecret</code> resource to push secret data to BeyondTrust.</p>
|
|
<p>The example below demonstrates how to create a <code>PushSecret</code> resource to push secret data to BeyondTrust.</p>
|
|
|
<div class="highlight"><pre><span></span><code>kubectl<span class="w"> </span>apply<span class="w"> </span>-f<span class="w"> </span>beyondtrust-push-secret.yml
|
|
<div class="highlight"><pre><span></span><code>kubectl<span class="w"> </span>apply<span class="w"> </span>-f<span class="w"> </span>beyondtrust-push-secret.yml
|
|
|
</code></pre></div>
|
|
</code></pre></div>
|
|
@@ -5354,7 +5349,6 @@ kubectl<span class="w"> </span>get<span class="w"> </span>secret<span class="w">
|
|
|
<span class="w"> </span><span class="nt">username</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">fhernandez</span>
|
|
<span class="w"> </span><span class="nt">username</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">fhernandez</span>
|
|
|
<span class="w"> </span><span class="nt">description</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Secret Title Description</span>
|
|
<span class="w"> </span><span class="nt">description</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Secret Title Description</span>
|
|
|
<span class="w"> </span><span class="nt">file_name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">credentials.txt</span><span class="w"> </span><span class="c1"># only for FILE secret_type</span>
|
|
<span class="w"> </span><span class="nt">file_name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">credentials.txt</span><span class="w"> </span><span class="c1"># only for FILE secret_type</span>
|
|
|
-<span class="w"> </span><span class="nt">notes</span><span class="p">:</span><span class="w"> </span><span class="s">"Example</span><span class="nv"> </span><span class="s">Notes"</span>
|
|
|
|
|
<span class="w"> </span><span class="nt">folder_name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">folder1</span>
|
|
<span class="w"> </span><span class="nt">folder_name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">folder1</span>
|
|
|
<span class="w"> </span><span class="nt">owner_id</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">1</span>
|
|
<span class="w"> </span><span class="nt">owner_id</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">1</span>
|
|
|
<span class="w"> </span><span class="nt">group_id</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">1</span>
|
|
<span class="w"> </span><span class="nt">group_id</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">1</span>
|
|
@@ -5365,6 +5359,11 @@ kubectl<span class="w"> </span>get<span class="w"> </span>secret<span class="w">
|
|
|
<span class="w"> </span><span class="nt">id</span><span class="p">:</span><span class="w"> </span><span class="s">"454"</span>
|
|
<span class="w"> </span><span class="nt">id</span><span class="p">:</span><span class="w"> </span><span class="s">"454"</span>
|
|
|
<span class="w"> </span><span class="nt">credential_id</span><span class="p">:</span><span class="w"> </span><span class="s">"25"</span>
|
|
<span class="w"> </span><span class="nt">credential_id</span><span class="p">:</span><span class="w"> </span><span class="s">"25"</span>
|
|
|
</code></pre></div>
|
|
</code></pre></div>
|
|
|
|
|
+<h2 id="limitations">Limitations</h2>
|
|
|
|
|
+<ul>
|
|
|
|
|
+<li>The provider reads individual secrets via <code>data[].remoteRef.key</code> and writes via <code>PushSecret</code>. <code>dataFrom.extract</code> and <code>dataFrom.find</code> are not implemented (<code>GetSecretMap</code> and <code>GetAllSecrets</code> return "not implemented"), so reference each secret explicitly by key.</li>
|
|
|
|
|
+<li><code>PushSecret</code> with <code>deletionPolicy: Delete</code> is not supported. Removing the <code>PushSecret</code> or <code>ExternalSecret</code> does not delete the secret in BeyondTrust, because the <code>DeleteSecret</code> operation is not implemented.</li>
|
|
|
|
|
+</ul>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|