delinea.md 2.3 KB

Delinea DevOps Secrets Vault

External Secrets Operator integrates with Delinea DevOps Secrets Vault.

Please note that the Delinea Secret Server product is not covered by this provider. ESO integrates with Secret Server through the separate Secret Server provider.

Creating a SecretStore

You need client ID, client secret and tenant to authenticate with DSV. Both client ID and client secret can be specified either directly in the config, or by referencing a kubernetes secret.

To acquire client ID and client secret, refer to the policy management and client management documentation.

apiVersion: external-secrets.io/v1
kind: SecretStore
metadata:
  name: secret-store
spec:
  provider:
    delinea:
      tenant: <TENANT>
      tld: <TLD>
      clientId:
        value: <CLIENT_ID>
      clientSecret:
        secretRef:
          name: <NAME_OF_KUBE_SECRET>
          key: <KEY_IN_KUBE_SECRET>

Both clientId and clientSecret can either be specified directly via the value field or can reference a kubernetes secret.

The tenant field must correspond to the host name / site name of your DevOps vault. If you selected a region other than the US you must also specify the TLD, e.g. tld: eu.

If required, the URL template (urlTemplate) can be customized as well.

Referencing Secrets

Secrets can be referenced by path. Getting a specific version of a secret is not yet supported.

Because all DSV secrets are JSON objects, omitting remoteRef.property returns the whole secret as a JSON object. To extract a single field, set remoteRef.property; nested values and arrays are addressable with gjson syntax.

apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
    name: secret
spec:
    refreshInterval: 1h0m0s
    secretStoreRef:
        kind: SecretStore
        name: secret-store
    data:
      - secretKey: <KEY_IN_KUBE_SECRET>
        remoteRef:
          key: <SECRET_PATH>
          property: <JSON_PROPERTY>