Browse Source

deploy: 4a1d43f1ed3a06387f3b5521ac873a7a81ca8e3d

paul-the-alien[bot] 5 years ago
parent
commit
53686916e5

+ 84 - 0
provider-hashicorp-vault/index.html

@@ -580,6 +580,20 @@
     Kubernetes authentication
   </a>
   
+</li>
+        
+          <li class="md-nav__item">
+  <a href="#ldap-authentication" class="md-nav__link">
+    LDAP authentication
+  </a>
+  
+</li>
+        
+          <li class="md-nav__item">
+  <a href="#jwtoidc-authentication" class="md-nav__link">
+    JWT/OIDC authentication
+  </a>
+  
 </li>
         
       </ul>
@@ -757,6 +771,20 @@
     Kubernetes authentication
   </a>
   
+</li>
+        
+          <li class="md-nav__item">
+  <a href="#ldap-authentication" class="md-nav__link">
+    LDAP authentication
+  </a>
+  
+</li>
+        
+          <li class="md-nav__item">
+  <a href="#jwtoidc-authentication" class="md-nav__link">
+    JWT/OIDC authentication
+  </a>
+  
 </li>
         
       </ul>
@@ -893,6 +921,62 @@ options of optaining credentials for vault:</p>
             <span class="nt">namespace</span><span class="p">:</span> <span class="s">&quot;secret-admin&quot;</span>
             <span class="nt">key</span><span class="p">:</span> <span class="s">&quot;vault&quot;</span>
 </pre></div>
+
+<h4 id="ldap-authentication">LDAP authentication</h4>
+<p><a href="https://www.vaultproject.io/docs/auth/ldap">LDAP authentication</a> uses
+username/password pair to get an access token. Username is stored directly in
+a <code>Kind=SecretStore</code> or <code>Kind=ClusterSecretStore</code> resource, password is stored
+in a <code>Kind=Secret</code> referenced by the <code>secretRef</code>.</p>
+<div class="highlight"><pre><span></span><span class="nt">apiVerson</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1alpha1</span>
+<span class="nt">kind</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">SecretStore</span>
+<span class="nt">metadata</span><span class="p">:</span>
+  <span class="nt">name</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">vault-backend</span>
+  <span class="nt">namespace</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">example</span>
+<span class="nt">spec</span><span class="p">:</span>
+  <span class="nt">provider</span><span class="p">:</span>
+    <span class="nt">vault</span><span class="p">:</span>
+      <span class="nt">server</span><span class="p">:</span> <span class="s">&quot;https://vault.acme.org&quot;</span>
+      <span class="nt">path</span><span class="p">:</span> <span class="s">&quot;secret&quot;</span>
+      <span class="nt">version</span><span class="p">:</span> <span class="s">&quot;v2&quot;</span>
+      <span class="nt">auth</span><span class="p">:</span>
+        <span class="c1"># VaultLdap authenticates with Vault using the LDAP auth mechanism</span>
+        <span class="c1"># https://www.vaultproject.io/docs/auth/ldap</span>
+        <span class="nt">ldap</span><span class="p">:</span>
+          <span class="c1"># LDAP username</span>
+          <span class="nt">username</span><span class="p">:</span> <span class="s">&quot;username&quot;</span>
+          <span class="nt">secretRef</span><span class="p">:</span>
+            <span class="nt">name</span><span class="p">:</span> <span class="s">&quot;my-secret&quot;</span>
+            <span class="nt">namespace</span><span class="p">:</span> <span class="s">&quot;secret-admin&quot;</span>
+            <span class="nt">key</span><span class="p">:</span> <span class="s">&quot;ldap-password&quot;</span>
+</pre></div>
+
+<h4 id="jwtoidc-authentication">JWT/OIDC authentication</h4>
+<p><a href="https://www.vaultproject.io/docs/auth/jwt">JWT/OIDC</a> uses a
+<a href="https://jwt.io/">JWT</a> token stored in a <code>Kind=Secret</code> and referenced by the
+<code>secretRef</code>. Optionally a <code>role</code> field can be defined in a <code>Kind=SecretStore</code>
+or <code>Kind=ClusterSecretStore</code> resource.</p>
+<div class="highlight"><pre><span></span><span class="nt">apiVerson</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1alpha1</span>
+<span class="nt">kind</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">SecretStore</span>
+<span class="nt">metadata</span><span class="p">:</span>
+  <span class="nt">name</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">vault-backend</span>
+  <span class="nt">namespace</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">example</span>
+<span class="nt">spec</span><span class="p">:</span>
+  <span class="nt">provider</span><span class="p">:</span>
+    <span class="nt">vault</span><span class="p">:</span>
+      <span class="nt">server</span><span class="p">:</span> <span class="s">&quot;https://vault.acme.org&quot;</span>
+      <span class="nt">path</span><span class="p">:</span> <span class="s">&quot;secret&quot;</span>
+      <span class="nt">version</span><span class="p">:</span> <span class="s">&quot;v2&quot;</span>
+      <span class="nt">auth</span><span class="p">:</span>
+        <span class="c1"># VaultJwt authenticates with Vault using the JWT/OIDC auth mechanism</span>
+        <span class="c1"># https://www.vaultproject.io/docs/auth/jwt</span>
+        <span class="nt">jwt</span><span class="p">:</span>
+          <span class="c1"># JWT role configured in a Vault server, optional.</span>
+          <span class="nt">role</span><span class="p">:</span> <span class="s">&quot;vault-jwt-role&quot;</span>
+          <span class="nt">secretRef</span><span class="p">:</span>
+            <span class="nt">name</span><span class="p">:</span> <span class="s">&quot;my-secret&quot;</span>
+            <span class="nt">namespace</span><span class="p">:</span> <span class="s">&quot;secret-admin&quot;</span>
+            <span class="nt">key</span><span class="p">:</span> <span class="s">&quot;jwt-token&quot;</span>
+</pre></div>
                 
                   
                 

File diff suppressed because it is too large
+ 0 - 0
search/search_index.json


BIN
sitemap.xml.gz


+ 21 - 0
snippets/vault-jwt-store.yaml

@@ -0,0 +1,21 @@
+apiVerson: external-secrets.io/v1alpha1
+kind: SecretStore
+metadata:
+  name: vault-backend
+  namespace: example
+spec:
+  provider:
+    vault:
+      server: "https://vault.acme.org"
+      path: "secret"
+      version: "v2"
+      auth:
+        # VaultJwt authenticates with Vault using the JWT/OIDC auth mechanism
+        # https://www.vaultproject.io/docs/auth/jwt
+        jwt:
+          # JWT role configured in a Vault server, optional.
+          role: "vault-jwt-role"
+          secretRef:
+            name: "my-secret"
+            namespace: "secret-admin"
+            key: "jwt-token"

+ 21 - 0
snippets/vault-ldap-store.yaml

@@ -0,0 +1,21 @@
+apiVerson: external-secrets.io/v1alpha1
+kind: SecretStore
+metadata:
+  name: vault-backend
+  namespace: example
+spec:
+  provider:
+    vault:
+      server: "https://vault.acme.org"
+      path: "secret"
+      version: "v2"
+      auth:
+        # VaultLdap authenticates with Vault using the LDAP auth mechanism
+        # https://www.vaultproject.io/docs/auth/ldap
+        ldap:
+          # LDAP username
+          username: "username"
+          secretRef:
+            name: "my-secret"
+            namespace: "secret-admin"
+            key: "ldap-password"

+ 123 - 2
spec/index.html

@@ -1962,8 +1962,9 @@ resource is used as the app role secret.</p>
 <a href="#external-secrets.io/v1alpha1.VaultProvider">VaultProvider</a>)
 </p>
 <p>
-<p>Configuration used to authenticate with a Vault server.
-Only one of <code>tokenSecretRef</code>, <code>appRole</code> or <code>kubernetes</code> may be specified.</p>
+<p>VaultAuth is the configuration used to authenticate with a Vault server.
+Only one of <code>tokenSecretRef</code>, <code>appRole</code>,  <code>kubernetes</code>, <code>ldap</code> or <code>jwt</code>
+can be specified.</p>
 </p>
 <table>
 <thead>
@@ -2015,6 +2016,81 @@ VaultKubernetesAuth
 token stored in the named Secret resource to the Vault server.</p>
 </td>
 </tr>
+<tr>
+<td>
+<code>ldap</code></br>
+<em>
+<a href="#external-secrets.io/v1alpha1.VaultLdapAuth">
+VaultLdapAuth
+</a>
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>Ldap authenticates with Vault by passing username/password pair using
+the LDAP authentication method</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>jwt</code></br>
+<em>
+<a href="#external-secrets.io/v1alpha1.VaultJwtAuth">
+VaultJwtAuth
+</a>
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>Jwt authenticates with Vault by passing role and JWT token using the
+JWT/OIDC authentication method</p>
+</td>
+</tr>
+</tbody>
+</table>
+<h3 id="external-secrets.io/v1alpha1.VaultJwtAuth">VaultJwtAuth
+</h3>
+<p>
+(<em>Appears on:</em>
+<a href="#external-secrets.io/v1alpha1.VaultAuth">VaultAuth</a>)
+</p>
+<p>
+<p>VaultJwtAuth authenticates with Vault using the JWT/OIDC authentication
+method, with the role name and token stored in a Kubernetes Secret resource.</p>
+</p>
+<table>
+<thead>
+<tr>
+<th>Field</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td>
+<code>role</code></br>
+<em>
+string
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>Role is a JWT role to authenticate using the JWT/OIDC Vault
+authentication method</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>secretRef</code></br>
+<em>
+github.com/external-secrets/external-secrets/apis/meta/v1.SecretKeySelector
+</em>
+</td>
+<td>
+<p>SecretRef to a key in a Secret resource containing JWT token to
+authenticate with Vault using the JWT/OIDC authentication method</p>
+</td>
+</tr>
 </tbody>
 </table>
 <h3 id="external-secrets.io/v1alpha1.VaultKVStoreVersion">VaultKVStoreVersion
@@ -2112,6 +2188,51 @@ Kubernetes ServiceAccount with a set of Vault policies.</p>
 </tr>
 </tbody>
 </table>
+<h3 id="external-secrets.io/v1alpha1.VaultLdapAuth">VaultLdapAuth
+</h3>
+<p>
+(<em>Appears on:</em>
+<a href="#external-secrets.io/v1alpha1.VaultAuth">VaultAuth</a>)
+</p>
+<p>
+<p>VaultLdapAuth authenticates with Vault using the LDAP authentication method,
+with the username and password stored in a Kubernetes Secret resource.</p>
+</p>
+<table>
+<thead>
+<tr>
+<th>Field</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td>
+<code>username</code></br>
+<em>
+string
+</em>
+</td>
+<td>
+<p>Username is a LDAP user name used to authenticate using the LDAP Vault
+authentication method</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>secretRef</code></br>
+<em>
+github.com/external-secrets/external-secrets/apis/meta/v1.SecretKeySelector
+</em>
+</td>
+<td>
+<p>SecretRef to a key in a Secret resource containing password for the LDAP
+user used to authenticate with Vault using the LDAP authentication
+method</p>
+</td>
+</tr>
+</tbody>
+</table>
 <h3 id="external-secrets.io/v1alpha1.VaultProvider">VaultProvider
 </h3>
 <p>

Some files were not shown because too many files changed in this diff