External Secrets Operator integrates with Delinea Secret Server.
You need a username, a password and the fully qualified URL of your Secret Server tenant to authenticate, for example `https://yourTenantName.secretservercloud.com`.
Both username and password can be specified either directly in the SecretStore or by referencing a Kubernetes Secret.
To acquire a username and password, refer to the Secret Server user management documentation.
```yaml
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: secret-server-store
spec:
  provider:
    secretserver:
      serverURL: <SERVER_URL>
      username:
        value: <USERNAME>
      password:
        secretRef:
          name: <NAME_OF_KUBE_SECRET>
          key: <KEY_IN_KUBE_SECRET>
```
Both username and password can either be specified directly via the `value` field or can reference a Kubernetes Secret via `secretRef`.
Secrets must be referenced by their numeric Secret Server ID. Getting a specific version of a secret is not yet supported.
Note that because every Secret Server secret is returned as a JSON object, you must specify `remoteRef.property` to select the field you want. You can access nested values or array elements using gjson syntax.
```yaml
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: secret-server-external-secret
spec:
  refreshInterval: 15s
  secretStoreRef:
    kind: SecretStore
    name: secret-server-store
  data:
    - secretKey: SecretServerValue #<KEY_IN_KUBE_SECRET>
      remoteRef:
        key: "52622" #<SECRET_ID>
        property: "Items.0.ItemValue" #<GJSON_PROPERTY>
```
The JSON-formatted secret below shows how the ExternalSecret above retrieves the `ItemValue` of the item whose `FieldName` is `Data`:

`spec.data.remoteRef.key = 52622` (ID of the secret)
`spec.data.remoteRef.property = Items.0.ItemValue` (gjson path to the first element of `Items`)
```json
{
  "Name": "external secret testing",
  "FolderID": 73,
  "ID": 52622,
  "SiteID": 1,
  "SecretTemplateID": 6098,
  "SecretPolicyID": -1,
  "PasswordTypeWebScriptID": -1,
  "LauncherConnectAsSecretID": -1,
  "CheckOutIntervalMinutes": -1,
  "Active": true,
  "CheckedOut": false,
  "CheckOutEnabled": false,
  "AutoChangeEnabled": false,
  "CheckOutChangePasswordEnabled": false,
  "DelayIndexing": false,
  "EnableInheritPermissions": true,
  "EnableInheritSecretPolicy": true,
  "ProxyEnabled": false,
  "RequiresComment": false,
  "SessionRecordingEnabled": false,
  "WebLauncherRequiresIncognitoMode": false,
  "Items": [
    {
      "ItemID": 280265,
      "FieldID": 439,
      "FileAttachmentID": 0,
      "FieldName": "Data",
      "Slug": "data",
      "FieldDescription": "json text field",
      "Filename": "",
      "ItemValue": "{\"key\":\"value\"}",
      "IsFile": false,
      "IsNotes": false,
      "IsPassword": false
    }
  ]
}
```
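To make the `remoteRef.property` step concrete, here is an added Python illustration (not the operator's own code) that resolves a small subset of gjson syntax against a trimmed copy of the secret above: dotted keys, integer indices such as `Items.0`, and gjson's first-match array query `Items.#(FieldName=="Data").ItemValue`, which selects the item by field name instead of relying on array position. The sample JSON and the `fetch_property` helper are constructed for this example.

```python
import json
import re

# Constructed sample: a trimmed copy of the Secret Server JSON object shown above.
SECRET_JSON = """{
  "Name": "external secret testing",
  "ID": 52622,
  "Items": [
    {"ItemID": 280265, "FieldName": "Data", "Slug": "data",
     "ItemValue": "{\\"key\\":\\"value\\"}", "IsPassword": false}
  ]
}"""

# gjson array query of the form #(Field=="value"); only equality is handled here.
_QUERY = re.compile(r'^#\((\w+)==(.+)\)$')


def resolve(doc, path):
    """Resolve a gjson-style path (subset) against a parsed JSON value.

    Supported: dotted object keys, integer array indices and the first-match
    query '#(Field=="value")'. Returns None when nothing matches, so a wrong
    property shows up as a missing value rather than an exception.
    """
    node = doc
    for part in path.split("."):
        if node is None:
            return None
        m = _QUERY.match(part)
        if m and isinstance(node, list):
            key, want = m.group(1), json.loads(m.group(2))
            node = next((e for e in node if isinstance(e, dict) and e.get(key) == want), None)
        elif isinstance(node, list) and part.isdigit():
            idx = int(part)
            node = node[idx] if idx < len(node) else None
        elif isinstance(node, dict):
            node = node.get(part)
        else:
            return None
    return node


def fetch_property(raw_json, prop):
    """Hypothetical helper: parse the secret, apply the property path, return text.

    Field values in Secret Server are strings already; any other JSON type is
    serialised so the result can be stored as a Kubernetes Secret value.
    """
    value = resolve(json.loads(raw_json), prop)
    if value is None:
        return None
    return value if isinstance(value, str) else json.dumps(value)
```

Note that `ItemValue` here is itself a JSON string (`{"key":"value"}`); the property path yields that whole string, so reaching the inner `value` would require a further parsing step on the consumer side.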