|
|
@@ -68,7 +68,7 @@
|
|
|
<div data-md-component="skip">
|
|
|
|
|
|
|
|
|
- <a href="#macro-syntax-error" class="md-skip">
|
|
|
+ <a href="#keeper-security" class="md-skip">
|
|
|
Skip to content
|
|
|
</a>
|
|
|
|
|
|
@@ -1461,13 +1461,161 @@
|
|
|
<input class="md-nav__toggle md-toggle" data-md-toggle="toc" type="checkbox" id="__toc">
|
|
|
|
|
|
|
|
|
-
|
|
|
|
|
|
+ <label class="md-nav__link md-nav__link--active" for="__toc">
|
|
|
+ Keeper Security
|
|
|
+ <span class="md-nav__icon md-icon"></span>
|
|
|
+ </label>
|
|
|
|
|
|
<a href="./" class="md-nav__link md-nav__link--active">
|
|
|
Keeper Security
|
|
|
</a>
|
|
|
|
|
|
+
|
|
|
+
|
|
|
+<nav class="md-nav md-nav--secondary" aria-label="Table of contents">
|
|
|
+
|
|
|
+
|
|
|
+
|
|
|
+
|
|
|
+ <label class="md-nav__title" for="__toc">
|
|
|
+ <span class="md-nav__icon md-icon"></span>
|
|
|
+ Table of contents
|
|
|
+ </label>
|
|
|
+ <ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
|
|
|
+
|
|
|
+ <li class="md-nav__item">
|
|
|
+ <a href="#keeper-security" class="md-nav__link">
|
|
|
+ Keeper Security
|
|
|
+ </a>
|
|
|
+
|
|
|
+</li>
|
|
|
+
|
|
|
+ <li class="md-nav__item">
|
|
|
+ <a href="#authentication" class="md-nav__link">
|
|
|
+ Authentication
|
|
|
+ </a>
|
|
|
+
|
|
|
+ <nav class="md-nav" aria-label="Authentication">
|
|
|
+ <ul class="md-nav__list">
|
|
|
+
|
|
|
+ <li class="md-nav__item">
|
|
|
+ <a href="#secrets-manager-configuration-smc" class="md-nav__link">
|
|
|
+ Secrets Manager Configuration (SMC)
|
|
|
+ </a>
|
|
|
+
|
|
|
+ <nav class="md-nav" aria-label="Secrets Manager Configuration (SMC)">
|
|
|
+ <ul class="md-nav__list">
|
|
|
+
|
|
|
+ <li class="md-nav__item">
|
|
|
+ <a href="#creating-secrets-manager-configuration" class="md-nav__link">
|
|
|
+ Creating Secrets Manager Configuration
|
|
|
+ </a>
|
|
|
+
|
|
|
+</li>
|
|
|
+
|
|
|
+ </ul>
|
|
|
+ </nav>
|
|
|
+
|
|
|
+</li>
|
|
|
+
|
|
|
+ </ul>
|
|
|
+ </nav>
|
|
|
+
|
|
|
+</li>
|
|
|
+
|
|
|
+ <li class="md-nav__item">
|
|
|
+ <a href="#important-note-about-this-documentation" class="md-nav__link">
|
|
|
+ Important note about this documentation
|
|
|
+ </a>
|
|
|
+
|
|
|
+ <nav class="md-nav" aria-label="Important note about this documentation">
|
|
|
+ <ul class="md-nav__list">
|
|
|
+
|
|
|
+ <li class="md-nav__item">
|
|
|
+ <a href="#update-secret-store" class="md-nav__link">
|
|
|
+ Update secret store
|
|
|
+ </a>
|
|
|
+
|
|
|
+</li>
|
|
|
+
|
|
|
+ </ul>
|
|
|
+ </nav>
|
|
|
+
|
|
|
+</li>
|
|
|
+
|
|
|
+ <li class="md-nav__item">
|
|
|
+ <a href="#external-secrets" class="md-nav__link">
|
|
|
+ External Secrets
|
|
|
+ </a>
|
|
|
+
|
|
|
+ <nav class="md-nav" aria-label="External Secrets">
|
|
|
+ <ul class="md-nav__list">
|
|
|
+
|
|
|
+ <li class="md-nav__item">
|
|
|
+ <a href="#behavior" class="md-nav__link">
|
|
|
+ Behavior
|
|
|
+ </a>
|
|
|
+
|
|
|
+</li>
|
|
|
+
|
|
|
+ <li class="md-nav__item">
|
|
|
+ <a href="#creating-external-secret" class="md-nav__link">
|
|
|
+ Creating external secret
|
|
|
+ </a>
|
|
|
+
|
|
|
+</li>
|
|
|
+
|
|
|
+ </ul>
|
|
|
+ </nav>
|
|
|
+
|
|
|
+</li>
|
|
|
+
|
|
|
+ <li class="md-nav__item">
|
|
|
+ <a href="#limitations" class="md-nav__link">
|
|
|
+ Limitations
|
|
|
+ </a>
|
|
|
+
|
|
|
+</li>
|
|
|
+
|
|
|
+ <li class="md-nav__item">
|
|
|
+ <a href="#push-secrets" class="md-nav__link">
|
|
|
+ Push Secrets
|
|
|
+ </a>
|
|
|
+
|
|
|
+ <nav class="md-nav" aria-label="Push Secrets">
|
|
|
+ <ul class="md-nav__list">
|
|
|
+
|
|
|
+ <li class="md-nav__item">
|
|
|
+ <a href="#behavior_1" class="md-nav__link">
|
|
|
+ Behavior
|
|
|
+ </a>
|
|
|
+
|
|
|
+</li>
|
|
|
+
|
|
|
+ <li class="md-nav__item">
|
|
|
+ <a href="#creating-push-secret" class="md-nav__link">
|
|
|
+ Creating push secret
|
|
|
+ </a>
|
|
|
+
|
|
|
+</li>
|
|
|
+
|
|
|
+ <li class="md-nav__item">
|
|
|
+ <a href="#limitations_1" class="md-nav__link">
|
|
|
+ Limitations
|
|
|
+ </a>
|
|
|
+
|
|
|
+</li>
|
|
|
+
|
|
|
+ </ul>
|
|
|
+ </nav>
|
|
|
+
|
|
|
+</li>
|
|
|
+
|
|
|
+ </ul>
|
|
|
+
|
|
|
+</nav>
|
|
|
+
|
|
|
</li>
|
|
|
|
|
|
|
|
|
@@ -1818,8 +1966,142 @@
|
|
|
|
|
|
|
|
|
|
|
|
-
|
|
|
|
|
|
+ <label class="md-nav__title" for="__toc">
|
|
|
+ <span class="md-nav__icon md-icon"></span>
|
|
|
+ Table of contents
|
|
|
+ </label>
|
|
|
+ <ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
|
|
|
+
|
|
|
+ <li class="md-nav__item">
|
|
|
+ <a href="#keeper-security" class="md-nav__link">
|
|
|
+ Keeper Security
|
|
|
+ </a>
|
|
|
+
|
|
|
+</li>
|
|
|
+
|
|
|
+ <li class="md-nav__item">
|
|
|
+ <a href="#authentication" class="md-nav__link">
|
|
|
+ Authentication
|
|
|
+ </a>
|
|
|
+
|
|
|
+ <nav class="md-nav" aria-label="Authentication">
|
|
|
+ <ul class="md-nav__list">
|
|
|
+
|
|
|
+ <li class="md-nav__item">
|
|
|
+ <a href="#secrets-manager-configuration-smc" class="md-nav__link">
|
|
|
+ Secrets Manager Configuration (SMC)
|
|
|
+ </a>
|
|
|
+
|
|
|
+ <nav class="md-nav" aria-label="Secrets Manager Configuration (SMC)">
|
|
|
+ <ul class="md-nav__list">
|
|
|
+
|
|
|
+ <li class="md-nav__item">
|
|
|
+ <a href="#creating-secrets-manager-configuration" class="md-nav__link">
|
|
|
+ Creating Secrets Manager Configuration
|
|
|
+ </a>
|
|
|
+
|
|
|
+</li>
|
|
|
+
|
|
|
+ </ul>
|
|
|
+ </nav>
|
|
|
+
|
|
|
+</li>
|
|
|
+
|
|
|
+ </ul>
|
|
|
+ </nav>
|
|
|
+
|
|
|
+</li>
|
|
|
+
|
|
|
+ <li class="md-nav__item">
|
|
|
+ <a href="#important-note-about-this-documentation" class="md-nav__link">
|
|
|
+ Important note about this documentation
|
|
|
+ </a>
|
|
|
+
|
|
|
+ <nav class="md-nav" aria-label="Important note about this documentation">
|
|
|
+ <ul class="md-nav__list">
|
|
|
+
|
|
|
+ <li class="md-nav__item">
|
|
|
+ <a href="#update-secret-store" class="md-nav__link">
|
|
|
+ Update secret store
|
|
|
+ </a>
|
|
|
+
|
|
|
+</li>
|
|
|
+
|
|
|
+ </ul>
|
|
|
+ </nav>
|
|
|
+
|
|
|
+</li>
|
|
|
+
|
|
|
+ <li class="md-nav__item">
|
|
|
+ <a href="#external-secrets" class="md-nav__link">
|
|
|
+ External Secrets
|
|
|
+ </a>
|
|
|
+
|
|
|
+ <nav class="md-nav" aria-label="External Secrets">
|
|
|
+ <ul class="md-nav__list">
|
|
|
+
|
|
|
+ <li class="md-nav__item">
|
|
|
+ <a href="#behavior" class="md-nav__link">
|
|
|
+ Behavior
|
|
|
+ </a>
|
|
|
+
|
|
|
+</li>
|
|
|
+
|
|
|
+ <li class="md-nav__item">
|
|
|
+ <a href="#creating-external-secret" class="md-nav__link">
|
|
|
+ Creating external secret
|
|
|
+ </a>
|
|
|
+
|
|
|
+</li>
|
|
|
+
|
|
|
+ </ul>
|
|
|
+ </nav>
|
|
|
+
|
|
|
+</li>
|
|
|
+
|
|
|
+ <li class="md-nav__item">
|
|
|
+ <a href="#limitations" class="md-nav__link">
|
|
|
+ Limitations
|
|
|
+ </a>
|
|
|
+
|
|
|
+</li>
|
|
|
+
|
|
|
+ <li class="md-nav__item">
|
|
|
+ <a href="#push-secrets" class="md-nav__link">
|
|
|
+ Push Secrets
|
|
|
+ </a>
|
|
|
+
|
|
|
+ <nav class="md-nav" aria-label="Push Secrets">
|
|
|
+ <ul class="md-nav__list">
|
|
|
+
|
|
|
+ <li class="md-nav__item">
|
|
|
+ <a href="#behavior_1" class="md-nav__link">
|
|
|
+ Behavior
|
|
|
+ </a>
|
|
|
+
|
|
|
+</li>
|
|
|
+
|
|
|
+ <li class="md-nav__item">
|
|
|
+ <a href="#creating-push-secret" class="md-nav__link">
|
|
|
+ Creating push secret
|
|
|
+ </a>
|
|
|
+
|
|
|
+</li>
|
|
|
+
|
|
|
+ <li class="md-nav__item">
|
|
|
+ <a href="#limitations_1" class="md-nav__link">
|
|
|
+ Limitations
|
|
|
+ </a>
|
|
|
+
|
|
|
+</li>
|
|
|
+
|
|
|
+ </ul>
|
|
|
+ </nav>
|
|
|
+
|
|
|
+</li>
|
|
|
+
|
|
|
+ </ul>
|
|
|
|
|
|
</nav>
|
|
|
</div>
|
|
|
@@ -1836,11 +2118,195 @@
|
|
|
</a>
|
|
|
|
|
|
|
|
|
-<h1 id="macro-syntax-error"><em>Macro Syntax Error</em></h1>
|
|
|
-<p><em>Line 34 in Markdown file:</em> <strong>unexpected '.'</strong>
|
|
|
-<div class="highlight"><pre><span></span><code>
|
|
|
+ <h1>Keeper Security</h1>
|
|
|
+
|
|
|
+<h2 id="keeper-security">Keeper Security</h2>
|
|
|
+<p>External Secrets Operator integrates with <a href="https://www.keepersecurity.com/">Keeper Security</a> for secret management by using <a href="https://docs.keeper.io/secrets-manager/secrets-manager/about">Keeper Secrets Manager</a>.</p>
|
|
|
+<h2 id="authentication">Authentication</h2>
|
|
|
+<h3 id="secrets-manager-configuration-smc">Secrets Manager Configuration (SMC)</h3>
|
|
|
+<p>KSM can authenticate using <em>One Time Access Token</em> or <em>Secret Manager Configuration</em>. In order to work with External Secret Operator we need to configure a Secret Manager Configuration.</p>
|
|
|
+<h4 id="creating-secrets-manager-configuration">Creating Secrets Manager Configuration</h4>
|
|
|
+<p>You can find the documentation for the Secret Manager Configuration creation <a href="https://docs.keeper.io/secrets-manager/secrets-manager/about/secrets-manager-configuration">here</a>. Make sure you add the proper permissions to your device in order to be able to read and write secrets</p>
|
|
|
+<p>Once you have created your SMC, you will get a config.json file or a base64 json encoded string containing the following keys:</p>
|
|
|
+<ul>
|
|
|
+<li><code>hostname</code></li>
|
|
|
+<li><code>clientId</code></li>
|
|
|
+<li><code>privateKey</code></li>
|
|
|
+<li><code>serverPublicKeyId</code></li>
|
|
|
+<li><code>appKey</code></li>
|
|
|
+<li><code>appOwnerPublicKey</code></li>
|
|
|
+</ul>
|
|
|
+<p>This base64 encoded jsong string will be required to create your secretStores</p>
|
|
|
+<h2 id="important-note-about-this-documentation">Important note about this documentation</h2>
|
|
|
+<p><em><strong>The KepeerSecurity calls the entries in vaults 'Records'. These docs use the same term.</strong></em></p>
|
|
|
+<h3 id="update-secret-store">Update secret store</h3>
|
|
|
+<p>Be sure the <code>keepersecurity</code> provider is listed in the <code>Kind=SecretStore</code></p>
|
|
|
+<div class="highlight"><pre><span></span><code><span class="nn">---</span><span class="w"></span>
|
|
|
+<span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1beta1</span><span class="w"></span>
|
|
|
+<span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SecretStore</span><span class="w"></span>
|
|
|
+<span class="nt">metadata</span><span class="p">:</span><span class="w"></span>
|
|
|
+<span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">keeper</span><span class="w"></span>
|
|
|
+<span class="nt">spec</span><span class="p">:</span><span class="w"></span>
|
|
|
+<span class="w"> </span><span class="nt">provider</span><span class="p">:</span><span class="w"></span>
|
|
|
+<span class="w"> </span><span class="nt">keepersecurity</span><span class="p">:</span><span class="w"></span>
|
|
|
+<span class="w"> </span><span class="nt">hostname</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">keepersecurity.eu</span><span class="w"></span>
|
|
|
+<span class="w"> </span><span class="nt">authRef</span><span class="p">:</span><span class="w"> </span><span class="c1"># Refer to a kubernetes secret which holds the base64 encoded json string for the configuration</span><span class="w"></span>
|
|
|
+<span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">keeper-configuration</span><span class="w"></span>
|
|
|
+<span class="w"> </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">auth</span><span class="w"></span>
|
|
|
+<span class="w"> </span><span class="nt">folderID</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">1qdsiewFW-U</span><span class="w"> </span><span class="c1"># Folder ID where the secrets can be pushed. It requires write permissions</span><span class="w"></span>
|
|
|
+</code></pre></div>
|
|
|
+<p><strong>NOTE 1:</strong> <code>folderID</code> target the folder ID where the secrets should be pushed to. It requires write permissions within the folder</p>
|
|
|
+<p><strong>NOTE 2:</strong> In case of a <code>ClusterSecretStore</code>, Be sure to provide <code>namespace</code> for <code>SecretAccessKeyRef</code> with the namespace of the secret that we just created.</p>
|
|
|
+<h2 id="external-secrets">External Secrets</h2>
|
|
|
+<h3 id="behavior">Behavior</h3>
|
|
|
+<ul>
|
|
|
+<li>How a Record is equated to an ExternalSecret:<ul>
|
|
|
+<li><code>remoteRef.key</code> is equated to a Record's ID</li>
|
|
|
+<li><code>remoteRef.property</code> is equated to one of the following options:<ul>
|
|
|
+<li>Fields: <a href="https://docs.keeper.io/secrets-manager/secrets-manager/about/field-record-types">Record's field's Type</a></li>
|
|
|
+<li>CustomFields: Record's field's Label</li>
|
|
|
+<li>Files: Record's file's Name</li>
|
|
|
+<li>If empty, defaults to the complete Record in JSON format</li>
|
|
|
+</ul>
|
|
|
+</li>
|
|
|
+<li><code>remoteRef.version</code> is currently not supported.</li>
|
|
|
+</ul>
|
|
|
+</li>
|
|
|
+<li><code>dataFrom</code>:<ul>
|
|
|
+<li><code>find.path</code> is currently not supported.</li>
|
|
|
+<li><code>find.name.regexp</code> is equated to one of the following options:<ul>
|
|
|
+<li>Fields: Record's field's Type</li>
|
|
|
+<li>CustomFields: Record's field's Label</li>
|
|
|
+<li>Files: Record's file's Name</li>
|
|
|
+</ul>
|
|
|
+</li>
|
|
|
+<li><code>find.tags</code> are not supported at this time.</li>
|
|
|
+</ul>
|
|
|
+</li>
|
|
|
+</ul>
|
|
|
+<h3 id="creating-external-secret">Creating external secret</h3>
|
|
|
+<p>To create a kubernetes secret from the GCP Secret Manager secret a <code>Kind=ExternalSecret</code> is needed.</p>
|
|
|
+<div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1beta1</span><span class="w"></span>
|
|
|
+<span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ExternalSecret</span><span class="w"></span>
|
|
|
+<span class="nt">metadata</span><span class="p">:</span><span class="w"></span>
|
|
|
+<span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">example</span><span class="w"></span>
|
|
|
+<span class="nt">spec</span><span class="p">:</span><span class="w"></span>
|
|
|
+<span class="w"> </span><span class="nt">refreshInterval</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">1h</span><span class="w"> </span><span class="c1"># rate SecretManager pulls KeeperSrucity</span><span class="w"></span>
|
|
|
+<span class="w"> </span><span class="nt">secretStoreRef</span><span class="p">:</span><span class="w"></span>
|
|
|
+<span class="w"> </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SecretStore</span><span class="w"></span>
|
|
|
+<span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">example</span><span class="w"> </span><span class="c1"># name of the SecretStore (or kind specified)</span><span class="w"></span>
|
|
|
+<span class="w"> </span><span class="nt">target</span><span class="p">:</span><span class="w"></span>
|
|
|
+<span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">secret-to-be-created</span><span class="w"> </span><span class="c1"># name of the k8s Secret to be created</span><span class="w"></span>
|
|
|
+<span class="w"> </span><span class="nt">creationPolicy</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Owner</span><span class="w"></span>
|
|
|
+<span class="w"> </span><span class="nt">dataFrom</span><span class="p">:</span><span class="w"></span>
|
|
|
+<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">extract</span><span class="p">:</span><span class="w"></span>
|
|
|
+<span class="w"> </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">OqPt3Vd37My7G8rTb-8Q</span><span class="w"> </span><span class="c1"># ID of the Keeper Record</span><span class="w"></span>
|
|
|
+<span class="nn">---</span><span class="w"></span>
|
|
|
+<span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1beta1</span><span class="w"></span>
|
|
|
+<span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ExternalSecret</span><span class="w"></span>
|
|
|
+<span class="nt">metadata</span><span class="p">:</span><span class="w"></span>
|
|
|
+<span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">regcred</span><span class="w"></span>
|
|
|
+<span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets</span><span class="w"></span>
|
|
|
+<span class="nt">spec</span><span class="p">:</span><span class="w"></span>
|
|
|
+<span class="w"> </span><span class="nt">refreshInterval</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">1m</span><span class="w"></span>
|
|
|
+<span class="w"> </span><span class="nt">secretStoreRef</span><span class="p">:</span><span class="w"></span>
|
|
|
+<span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">keeper</span><span class="w"></span>
|
|
|
+<span class="w"> </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ClusterSecretStore</span><span class="w"></span>
|
|
|
+<span class="w"> </span><span class="nt">target</span><span class="p">:</span><span class="w"></span>
|
|
|
+<span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">regcred</span><span class="w"></span>
|
|
|
+<span class="w"> </span><span class="nt">creationPolicy</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Owner</span><span class="w"></span>
|
|
|
+<span class="w"> </span><span class="nt">template</span><span class="p">:</span><span class="w"></span>
|
|
|
+<span class="w"> </span><span class="nt">engineVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">v2</span><span class="w"></span>
|
|
|
+<span class="w"> </span><span class="nt">type</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">kubernetes.io/dockerconfigjson</span><span class="w"></span>
|
|
|
+<span class="w"> </span><span class="nt">data</span><span class="p">:</span><span class="w"></span>
|
|
|
+<span class="w"> </span><span class="nt">.dockerconfigjson</span><span class="p">:</span><span class="w"> </span><span class="s">"{\"auths\":{\"registry.example.com\":{\"username\":\"{{</span><span class="nv"> </span><span class="s">.username</span><span class="nv"> </span><span class="s">}}\",\"password\":\"{{</span><span class="nv"> </span><span class="s">.password</span><span class="nv"> </span><span class="s">}}\",\"auth\":\"{{(printf</span><span class="nv"> </span><span class="s">\"%s:%s\"</span><span class="nv"> </span><span class="s">.username</span><span class="nv"> </span><span class="s">.password)</span><span class="nv"> </span><span class="s">|</span><span class="nv"> </span><span class="s">b64enc</span><span class="nv"> </span><span class="s">}}\"}}}"</span><span class="w"></span>
|
|
|
+<span class="w"> </span><span class="nt">data</span><span class="p">:</span><span class="w"></span>
|
|
|
+<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">secretKey</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">username</span><span class="w"></span>
|
|
|
+<span class="w"> </span><span class="nt">remoteRef</span><span class="p">:</span><span class="w"></span>
|
|
|
+<span class="w"> </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">OqPt3Vd37My7G8rTb-8Q</span><span class="w"></span>
|
|
|
+<span class="w"> </span><span class="nt">property</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">login</span><span class="w"></span>
|
|
|
+<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">secretKey</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">password</span><span class="w"></span>
|
|
|
+<span class="w"> </span><span class="nt">remoteRef</span><span class="p">:</span><span class="w"></span>
|
|
|
+<span class="w"> </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">OqPt3Vd37My7G8rTb-8Q</span><span class="w"></span>
|
|
|
+<span class="w"> </span><span class="nt">property</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">password</span><span class="w"></span>
|
|
|
+<span class="nn">---</span><span class="w"></span>
|
|
|
+<span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1beta1</span><span class="w"></span>
|
|
|
+<span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ExternalSecret</span><span class="w"></span>
|
|
|
+<span class="nt">metadata</span><span class="p">:</span><span class="w"></span>
|
|
|
+<span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">config</span><span class="w"></span>
|
|
|
+<span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets</span><span class="w"></span>
|
|
|
+<span class="nt">spec</span><span class="p">:</span><span class="w"></span>
|
|
|
+<span class="w"> </span><span class="nt">refreshInterval</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">1m</span><span class="w"></span>
|
|
|
+<span class="w"> </span><span class="nt">secretStoreRef</span><span class="p">:</span><span class="w"></span>
|
|
|
+<span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">keeper</span><span class="w"></span>
|
|
|
+<span class="w"> </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ClusterSecretStore</span><span class="w"></span>
|
|
|
+<span class="w"> </span><span class="nt">target</span><span class="p">:</span><span class="w"></span>
|
|
|
+<span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">credentials</span><span class="w"></span>
|
|
|
+<span class="w"> </span><span class="nt">creationPolicy</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Owner</span><span class="w"></span>
|
|
|
+<span class="w"> </span><span class="nt">template</span><span class="p">:</span><span class="w"></span>
|
|
|
+<span class="w"> </span><span class="nt">engineVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">v2</span><span class="w"></span>
|
|
|
+<span class="w"> </span><span class="nt">data</span><span class="p">:</span><span class="w"></span>
|
|
|
+<span class="w"> </span><span class="nt">username</span><span class="p">:</span><span class="w"> </span><span class="s">"{{</span><span class="nv"> </span><span class="s">.login</span><span class="nv"> </span><span class="s">}}"</span><span class="w"></span>
|
|
|
+<span class="w"> </span><span class="nt">password</span><span class="p">:</span><span class="w"> </span><span class="s">"{{</span><span class="nv"> </span><span class="s">.password</span><span class="nv"> </span><span class="s">}}"</span><span class="w"></span>
|
|
|
+<span class="w"> </span><span class="nt">data</span><span class="p">:</span><span class="w"></span>
|
|
|
+<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">secretKey</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">login</span><span class="w"></span>
|
|
|
+<span class="w"> </span><span class="nt">remoteRef</span><span class="p">:</span><span class="w"></span>
|
|
|
+<span class="w"> </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">OqPt3Vd37My7G8rTb-8Q</span><span class="w"></span>
|
|
|
+<span class="w"> </span><span class="nt">property</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">login</span><span class="w"></span>
|
|
|
+<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">secretKey</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">password</span><span class="w"></span>
|
|
|
+<span class="w"> </span><span class="nt">remoteRef</span><span class="p">:</span><span class="w"></span>
|
|
|
+<span class="w"> </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">OqPt3Vd37My7G8rTb-8Q</span><span class="w"></span>
|
|
|
+<span class="w"> </span><span class="nt">property</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">password</span><span class="w"></span>
|
|
|
+</code></pre></div>
|
|
|
+<p>The operator will fetch the Keeper Secret Manager secret and inject it as a <code>Kind=Secret</code>
|
|
|
+<div class="highlight"><pre><span></span><code>kubectl get secret secret-to-be-created -n <namespace> | -o jsonpath='{.data.dev-secret-test}' | base64 -d
|
|
|
+</code></pre></div></p>
|
|
|
+<h2 id="limitations">Limitations</h2>
|
|
|
+<p>There are some limitations using this provider.</p>
|
|
|
+<ul>
|
|
|
+<li>Keeper Secret Manager does not work with <code>General</code> Records types nor legacy non-typed records</li>
|
|
|
+<li>Using tags <code>find.tags</code> is not supported by KSM</li>
|
|
|
+<li>Using path <code>find.path</code> is not supported at the moment</li>
|
|
|
+</ul>
|
|
|
+<h2 id="push-secrets">Push Secrets</h2>
|
|
|
+<p>Push Secret will only work with a custom KeeperSecurity Record type <code>ExternalSecret</code></p>
|
|
|
+<h3 id="behavior_1">Behavior</h3>
|
|
|
+<ul>
|
|
|
+<li><code>selector</code>:</li>
|
|
|
+<li><code>secret.name</code>: name of the kubernetes secret to be pushed</li>
|
|
|
+<li><code>data.match</code>:</li>
|
|
|
+<li><code>secretKey</code>: key on the selected secret to be pushed</li>
|
|
|
+<li><code>remoteRef.remoteKey</code>: Secret and key to be created on the remote provider<ul>
|
|
|
+<li>Format: SecretName/SecretKey</li>
|
|
|
+</ul>
|
|
|
+</li>
|
|
|
+</ul>
|
|
|
+<h3 id="creating-push-secret">Creating push secret</h3>
|
|
|
+<p>To create a Keeper Security record from kubernetes a <code>Kind=PushSecret</code> is needed.</p>
|
|
|
+<div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1alpha1</span><span class="w"></span>
|
|
|
+<span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">PushSecret</span><span class="w"></span>
|
|
|
+<span class="nt">metadata</span><span class="p">:</span><span class="w"></span>
|
|
|
+<span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">example</span><span class="w"></span>
|
|
|
+<span class="nt">spec</span><span class="p">:</span><span class="w"></span>
|
|
|
+<span class="w"> </span><span class="nt">secretStoreRefs</span><span class="p">:</span><span class="w"></span>
|
|
|
+<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">keeper</span><span class="w"></span>
|
|
|
+<span class="w"> </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SecretStore</span><span class="w"></span>
|
|
|
+<span class="w"> </span><span class="nt">refreshInterval</span><span class="p">:</span><span class="w"> </span><span class="s">"1h"</span><span class="w"></span>
|
|
|
+<span class="w"> </span><span class="nt">deletionPolicy</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Delete</span><span class="w"></span>
|
|
|
+<span class="w"> </span><span class="nt">selector</span><span class="p">:</span><span class="w"></span>
|
|
|
+<span class="w"> </span><span class="nt">secret</span><span class="p">:</span><span class="w"></span>
|
|
|
+<span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">secret-name</span><span class="w"> </span><span class="c1"># k8s secret to be pushed</span><span class="w"></span>
|
|
|
+<span class="w"> </span><span class="nt">data</span><span class="p">:</span><span class="w"></span>
|
|
|
+<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"></span>
|
|
|
+<span class="w"> </span><span class="nt">secretKey</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">secret-key</span><span class="w"> </span><span class="c1"># k8s key within the secret to be pushed</span><span class="w"></span>
|
|
|
+<span class="w"> </span><span class="nt">remoteRef</span><span class="p">:</span><span class="w"></span>
|
|
|
+<span class="w"> </span><span class="nt">remoteKey</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">remote-secret-name/remote-secret-key</span><span class="w"> </span><span class="c1"># This will create a record called "remote-secret-name" with a key "remote-secret-key"</span><span class="w"></span>
|
|
|
</code></pre></div>
|
|
|
-```</p>
|
|
|
+<h3 id="limitations_1">Limitations</h3>
|
|
|
+<ul>
|
|
|
+<li>Only possible to push one key per secret at the moment</li>
|
|
|
+<li>If the record with the selected name exists but the key does not exists the record can not be updated. See <a href="https://github.com/Keeper-Security/secrets-manager-go/issues/17">Ability to add custom fields to existing secret #17</a></li>
|
|
|
+</ul>
|
|
|
|
|
|
|
|
|
</article>
|
moolen