mirror of
https://github.com/external-secrets/external-secrets.git
synced 2024-12-14 11:57:59 +00:00
4dfa4d2622
* chore: bump BeyondTrust/go-client-library-passwordsafe version v0.9.1 Signed-off-by: Diego Tejada <dtejada@beyondtrust.com> * feat: add ApiKey attribute to BeyondtrustAuth Signed-off-by: Diego Tejada <dtejada@beyondtrust.com> * chore: update docs with ApiKey reference, add extra help comments Signed-off-by: Diego Tejada <dtejada@beyondtrust.com> * feat: conditionally using API Key or Client Credentials Auth on BeyondTrust provider Signed-off-by: Diego Tejada <dtejada@beyondtrust.com> * test: Add API key tests for BeyondTrust provider Signed-off-by: Diego Tejada <dtejada@beyondtrust.com> * chore: add apiKey to spec.md Signed-off-by: Diego Tejada <dtejada@beyondtrust.com> * chore: make reviewable files Signed-off-by: Diego Tejada <dtejada@beyondtrust.com> * chore: ensured fmt Signed-off-by: Diego Tejada <dtejada@beyondtrust.com> * chore: update APIKey variable case Signed-off-by: Diego Tejada <dtejada@beyondtrust.com> * chore: fix typo Signed-off-by: Diego Tejada <dtejada@beyondtrust.com> * chore: fix typo Signed-off-by: Diego Tejada <dtejada@beyondtrust.com> * chore: fix typo Signed-off-by: Diego Tejada <dtejada@beyondtrust.com> * chore(deps): bump watchdog from 5.0.3 to 6.0.0 in /hack/api-docs (#4067) Bumps [watchdog](https://github.com/gorakhargosh/watchdog) from 5.0.3 to 6.0.0. - [Release notes](https://github.com/gorakhargosh/watchdog/releases) - [Changelog](https://github.com/gorakhargosh/watchdog/blob/master/changelog.rst) - [Commits](https://github.com/gorakhargosh/watchdog/compare/v5.0.3...v6.0.0) --- updated-dependencies: - dependency-name: watchdog dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Diego Tejada <dtejada@beyondtrust.com> * chore(deps): bump pymdown-extensions in /hack/api-docs (#4068) Bumps [pymdown-extensions](https://github.com/facelessuser/pymdown-extensions) from 10.11.2 to 10.12. - [Release notes](https://github.com/facelessuser/pymdown-extensions/releases) - [Commits](https://github.com/facelessuser/pymdown-extensions/compare/10.11.2...10.12) --- updated-dependencies: - dependency-name: pymdown-extensions dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Diego Tejada <dtejada@beyondtrust.com> * chore(deps): bump mkdocs-material in /hack/api-docs (#4069) Bumps [mkdocs-material](https://github.com/squidfunk/mkdocs-material) from 9.5.42 to 9.5.43. - [Release notes](https://github.com/squidfunk/mkdocs-material/releases) - [Changelog](https://github.com/squidfunk/mkdocs-material/blob/master/CHANGELOG) - [Commits](https://github.com/squidfunk/mkdocs-material/compare/9.5.42...9.5.43) --- updated-dependencies: - dependency-name: mkdocs-material dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Diego Tejada <dtejada@beyondtrust.com> * chore(deps): bump softprops/action-gh-release from 2.0.8 to 2.0.9 (#4070) Bumps [softprops/action-gh-release](https://github.com/softprops/action-gh-release) from 2.0.8 to 2.0.9. - [Release notes](https://github.com/softprops/action-gh-release/releases) - [Changelog](https://github.com/softprops/action-gh-release/blob/master/CHANGELOG.md) - [Commits](c062e08bd5...e7a8f85e1c) --- updated-dependencies: - dependency-name: softprops/action-gh-release dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Diego Tejada <dtejada@beyondtrust.com> * chore: move inactive maintainers to emeritus (#4073) Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com> Signed-off-by: Diego Tejada <dtejada@beyondtrust.com> * chore: update dependencies (#4071) * update dependencies Signed-off-by: External Secrets Operator <ExternalSecretsOperator@users.noreply.github.com> * removed updating sigs.k8s.io/structured-merge-diff/v4 because that broke compilation and fixed two lint issues Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com> --------- Signed-off-by: External Secrets Operator <ExternalSecretsOperator@users.noreply.github.com> Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com> Co-authored-by: External Secrets Operator <ExternalSecretsOperator@users.noreply.github.com> Co-authored-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com> Signed-off-by: Diego Tejada <dtejada@beyondtrust.com> * Update VaultAppRole documentation to show/use roleRef in its examples (#4035) Signed-off-by: Mike Tougeron <tougeron@adobe.com> Co-authored-by: Gustavo Fernandes de Carvalho <17139678+gusfcarvalho@users.noreply.github.com> Signed-off-by: Diego Tejada <dtejada@beyondtrust.com> * feat: add option to configure topic information for GCM (#4055) * feat: add option to configure topic information for GCM Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com> * fix the comparison logic for updates to include topics Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com> --------- Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com> Signed-off-by: Diego Tejada <dtejada@beyondtrust.com> * feat: add AWS STS Session token generator (#4041) * feat: add AWS STS Session token generator Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com> * version update for the generated CRD Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com> --------- Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com> Signed-off-by: Diego Tejada <dtejada@beyondtrust.com> * chore(helm): Add extra labels to the validating webhooks (#4074) It should add a bunch of app.kubernetes.io labels Signed-off-by: Miguel Sacristán Izcue <miguel_tete17@hotmail.com> Co-authored-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com> Signed-off-by: Diego Tejada <dtejada@beyondtrust.com> * Reduce refreshInterval example for ACR (#4078) The old example used a `refreshInterval` value of 12h for the ACR access token. This change reduces that to 3h instead, since that is the expiration time for Service Principal authentication tokens: https://learn.microsoft.com/en-us/azure/container-registry/container-registry-authentication?tabs=azure-cli#service-principal Service principals are not the only way to authenticate towards ACR. In fact, two other ways (`managedIdentity` and `workloadIdentity`) are also outlined in the docs. I was unable to find any documentation in Azure for the default expiration time for those tokens, so as far as I know it is always 3 hours. Thus I think we should reflect this in our examples. Signed-off-by: Andreas Lindhé <7773090+lindhe@users.noreply.github.com> Signed-off-by: Diego Tejada <dtejada@beyondtrust.com> * Fix PushSecret lookup in keepersecurity provider (#4077) * Fixed Keeper Security custom record type name in docs Signed-off-by: Ivan Dimov <78815270+idimov-keeper@users.noreply.github.com> * Fixed Keeper records lookup in PushSecret Signed-off-by: Ivan Dimov <78815270+idimov-keeper@users.noreply.github.com> * Improved Keeper record lookup to search only for records of the expected type Improved PushSecret and DeleteSecret Fixed "nil pointer dereference" errors Signed-off-by: Ivan Dimov <78815270+idimov-keeper@users.noreply.github.com> * Fixed tests Signed-off-by: Ivan Dimov <78815270+idimov-keeper@users.noreply.github.com> * chore(helm): Add extra labels to the validating webhooks (#4074) It should add a bunch of app.kubernetes.io labels Signed-off-by: Miguel Sacristán Izcue <miguel_tete17@hotmail.com> Co-authored-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com> Signed-off-by: Ivan Dimov <78815270+idimov-keeper@users.noreply.github.com> * Added tests for secrets with multiple matches Signed-off-by: Ivan Dimov <78815270+idimov-keeper@users.noreply.github.com> --------- Signed-off-by: Ivan Dimov <78815270+idimov-keeper@users.noreply.github.com> Signed-off-by: Miguel Sacristán Izcue <miguel_tete17@hotmail.com> Co-authored-by: Tete17 <miguel_tete17@hotmail.com> Co-authored-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com> Signed-off-by: Diego Tejada <dtejada@beyondtrust.com> * Add ability to use RetrySettings in the VaultDynamicSecret generator (#4076) Signed-off-by: Oleksij Samorukov <samm@net-art.cz> Signed-off-by: Diego Tejada <dtejada@beyondtrust.com> * chore: make reviewable format Signed-off-by: Diego Tejada <dtejada@beyondtrust.com> * refactor: reduced complexity in NewClient Signed-off-by: Diego Tejada <dtejada@beyondtrust.com> * refactor: reduced function parameters Signed-off-by: Diego Tejada <dtejada@beyondtrust.com> * chore(deps): bump golang from 1.23.2 to 1.23.3 (#4089) Bumps golang from 1.23.2 to 1.23.3. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Diego Tejada <dtejada@beyondtrust.com> * chore(deps): bump packaging from 24.1 to 24.2 in /hack/api-docs (#4090) Bumps [packaging](https://github.com/pypa/packaging) from 24.1 to 24.2. - [Release notes](https://github.com/pypa/packaging/releases) - [Changelog](https://github.com/pypa/packaging/blob/main/CHANGELOG.rst) - [Commits](https://github.com/pypa/packaging/compare/24.1...24.2) --- updated-dependencies: - dependency-name: packaging dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Diego Tejada <dtejada@beyondtrust.com> * chore(deps): bump mkdocs-material in /hack/api-docs (#4091) Bumps [mkdocs-material](https://github.com/squidfunk/mkdocs-material) from 9.5.43 to 9.5.44. - [Release notes](https://github.com/squidfunk/mkdocs-material/releases) - [Changelog](https://github.com/squidfunk/mkdocs-material/blob/master/CHANGELOG) - [Commits](https://github.com/squidfunk/mkdocs-material/compare/9.5.43...9.5.44) --- updated-dependencies: - dependency-name: mkdocs-material dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Diego Tejada <dtejada@beyondtrust.com> * Update docs for ExternalSecrets's refreshInterval (#4097) Fixes #4079 Signed-off-by: Andreas Lindhé <7773090+lindhe@users.noreply.github.com> Signed-off-by: Diego Tejada <dtejada@beyondtrust.com> * chore(deps): bump zipp from 3.20.2 to 3.21.0 in /hack/api-docs (#4092) Bumps [zipp](https://github.com/jaraco/zipp) from 3.20.2 to 3.21.0. - [Release notes](https://github.com/jaraco/zipp/releases) - [Changelog](https://github.com/jaraco/zipp/blob/main/NEWS.rst) - [Commits](https://github.com/jaraco/zipp/compare/v3.20.2...v3.21.0) --- updated-dependencies: - dependency-name: zipp dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Diego Tejada <dtejada@beyondtrust.com> * chore(deps): bump regex from 2024.9.11 to 2024.11.6 in /hack/api-docs (#4093) Bumps [regex](https://github.com/mrabarnett/mrab-regex) from 2024.9.11 to 2024.11.6. - [Changelog](https://github.com/mrabarnett/mrab-regex/blob/hg/changelog.txt) - [Commits](https://github.com/mrabarnett/mrab-regex/compare/2024.9.11...2024.11.6) --- updated-dependencies: - dependency-name: regex dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Diego Tejada <dtejada@beyondtrust.com> * chore(deps): bump golang from 1.23.2-bookworm to 1.23.3-bookworm in /e2e (#4094) Bumps golang from 1.23.2-bookworm to 1.23.3-bookworm. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Diego Tejada <dtejada@beyondtrust.com> * update dependencies (#4096) Signed-off-by: External Secrets Operator <ExternalSecretsOperator@users.noreply.github.com> Signed-off-by: Moritz Johner <beller.moritz@googlemail.com> Co-authored-by: External Secrets Operator <ExternalSecretsOperator@users.noreply.github.com> Signed-off-by: Diego Tejada <dtejada@beyondtrust.com> * chore(deps): bump github/codeql-action from 3.27.0 to 3.27.1 (#4088) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.27.0 to 3.27.1. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](662472033e...4f3212b617) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Diego Tejada <dtejada@beyondtrust.com> * Fix typo in webhook.md (#4100) Signed-off-by: Stas Alekseev <100800+salekseev@users.noreply.github.com> Signed-off-by: Diego Tejada <dtejada@beyondtrust.com> * docs: reformat pushsecrets documentation to be a list (#4102) * reformat pushsecrets documentation to be a list Signed-off-by: twobiers <22715034+twobiers@users.noreply.github.com> * Use sections instead of a list Signed-off-by: twobiers <22715034+twobiers@users.noreply.github.com> --------- Signed-off-by: twobiers <22715034+twobiers@users.noreply.github.com> Co-authored-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com> Signed-off-by: Diego Tejada <dtejada@beyondtrust.com> * fix: refresh interval values (#4111) Signed-off-by: Gustavo <gustavo@externalsecrets.com> Signed-off-by: Diego Tejada <dtejada@beyondtrust.com> * Sign helm chart artifact in ghcr.io (#4098) * Install cosign for signing helm charts Signed-off-by: Aruuunn <arunmurugan.official@gmail.com> * Fix helm push failing when GITHUB_REPOSITORY_OWNER contains Uppercase alphabets Signed-off-by: Aruuunn <arunmurugan.official@gmail.com> * Sign helm chart in oci registry using cosign Signed-off-by: Aruuunn <arunmurugan.official@gmail.com> * Add permissions required for cosign signing and provenance attestations Signed-off-by: Aruuunn <arunmurugan.official@gmail.com> * Log helm push output Signed-off-by: Aruuunn <arunmurugan.official@gmail.com> * Attest build provenance for helm artifact Signed-off-by: Aruuunn <arunmurugan.official@gmail.com> * Format: break code block Signed-off-by: Aruuunn <arunmurugan.official@gmail.com> * Reformat: Remove temp variable Signed-off-by: Aruuunn <arunmurugan.official@gmail.com> * Verify signed helm chart after signing it Signed-off-by: Aruuunn <arunmurugan.official@gmail.com> * Remove unnecessary helm action changes for external-secrets repository Signed-off-by: Aruuunn <arunmurugan.official@gmail.com> --------- Signed-off-by: Aruuunn <arunmurugan.official@gmail.com> Co-authored-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com> Signed-off-by: Diego Tejada <dtejada@beyondtrust.com> * chore(deps): bump distroless/static from `cc226ca` to `f4a57e8` (#4112) Bumps distroless/static from `cc226ca` to `f4a57e8`. --- updated-dependencies: - dependency-name: distroless/static dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Diego Tejada <dtejada@beyondtrust.com> * chore(deps): bump golang from `0974259` to `c694a4d` (#4113) Bumps golang from `0974259` to `c694a4d`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Diego Tejada <dtejada@beyondtrust.com> * chore(deps): bump alpine from `beefdbd` to `1e42bbe` (#4114) Bumps alpine from `beefdbd` to `1e42bbe`. --- updated-dependencies: - dependency-name: alpine dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Diego Tejada <dtejada@beyondtrust.com> * chore(deps): bump github/codeql-action from 3.27.1 to 3.27.4 (#4115) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.27.1 to 3.27.4. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](4f3212b617...ea9e4e3799) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Diego Tejada <dtejada@beyondtrust.com> * chore(deps): bump codecov/codecov-action from 4.6.0 to 5.0.2 (#4116) Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 4.6.0 to 5.0.2. - [Release notes](https://github.com/codecov/codecov-action/releases) - [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md) - [Commits](b9fd7d16f6...5c47607acb) --- updated-dependencies: - dependency-name: codecov/codecov-action dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Diego Tejada <dtejada@beyondtrust.com> * chore(deps): bump softprops/action-gh-release from 2.0.9 to 2.1.0 (#4117) Bumps [softprops/action-gh-release](https://github.com/softprops/action-gh-release) from 2.0.9 to 2.1.0. - [Release notes](https://github.com/softprops/action-gh-release/releases) - [Changelog](https://github.com/softprops/action-gh-release/blob/master/CHANGELOG.md) - [Commits](e7a8f85e1c...01570a1f39) --- updated-dependencies: - dependency-name: softprops/action-gh-release dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Diego Tejada <dtejada@beyondtrust.com> * chore(deps): bump alpine from `beefdbd` to `1e42bbe` in /hack/api-docs (#4118) Bumps alpine from `beefdbd` to `1e42bbe`. --- updated-dependencies: - dependency-name: alpine dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Diego Tejada <dtejada@beyondtrust.com> * chore(deps): bump alpine from `beefdbd` to `1e42bbe` in /e2e (#4119) Bumps alpine from `beefdbd` to `1e42bbe`. --- updated-dependencies: - dependency-name: alpine dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Diego Tejada <dtejada@beyondtrust.com> * chore(deps): bump golang from `0e3377d` to `3f3b9da` in /e2e (#4120) Bumps golang from `0e3377d` to `3f3b9da`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Diego Tejada <dtejada@beyondtrust.com> * fix: re-enable signing helm release (#4109) Signed-off-by: Moritz Johner <beller.moritz@googlemail.com> Signed-off-by: Diego Tejada <dtejada@beyondtrust.com> * update dependencies (#4122) Signed-off-by: External Secrets Operator <ExternalSecretsOperator@users.noreply.github.com> Co-authored-by: External Secrets Operator <ExternalSecretsOperator@users.noreply.github.com> Co-authored-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com> Signed-off-by: Diego Tejada <dtejada@beyondtrust.com> * Update apis/externalsecrets/v1beta1/secretstore_beyondtrust_types.go Co-authored-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com> Signed-off-by: Diego Tejada <dtejada@beyondtrust.com> * Update apis/externalsecrets/v1beta1/secretstore_beyondtrust_types.go Co-authored-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com> Signed-off-by: Diego Tejada <dtejada@beyondtrust.com> * Update apis/externalsecrets/v1beta1/secretstore_beyondtrust_types.go Co-authored-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com> Signed-off-by: Diego Tejada <dtejada@beyondtrust.com> * Update apis/externalsecrets/v1beta1/secretstore_beyondtrust_types.go Co-authored-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com> Signed-off-by: Diego Tejada <dtejada@beyondtrust.com> * Update pkg/provider/beyondtrust/provider.go Co-authored-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com> Signed-off-by: Diego Tejada <dtejada@beyondtrust.com> * chore: fix linter errors Signed-off-by: Diego Tejada <dtejada@beyondtrust.com> * refactor: split credentials/certificate reading functionality Signed-off-by: Diego Tejada <dtejada@beyondtrust.com> * style: apply make fmt Signed-off-by: Diego Tejada <dtejada@beyondtrust.com> --------- Signed-off-by: Diego Tejada <dtejada@beyondtrust.com> Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com> Signed-off-by: External Secrets Operator <ExternalSecretsOperator@users.noreply.github.com> Signed-off-by: Mike Tougeron <tougeron@adobe.com> Signed-off-by: Miguel Sacristán Izcue <miguel_tete17@hotmail.com> Signed-off-by: Andreas Lindhé <7773090+lindhe@users.noreply.github.com> Signed-off-by: Ivan Dimov <78815270+idimov-keeper@users.noreply.github.com> Signed-off-by: Oleksij Samorukov <samm@net-art.cz> Signed-off-by: Moritz Johner <beller.moritz@googlemail.com> Signed-off-by: Stas Alekseev <100800+salekseev@users.noreply.github.com> Signed-off-by: twobiers <22715034+twobiers@users.noreply.github.com> Signed-off-by: Gustavo <gustavo@externalsecrets.com> Signed-off-by: Aruuunn <arunmurugan.official@gmail.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com> Co-authored-by: eso-service-account-app[bot] <85832941+eso-service-account-app[bot]@users.noreply.github.com> Co-authored-by: External Secrets Operator <ExternalSecretsOperator@users.noreply.github.com> Co-authored-by: Mike Tougeron <mtougeron@users.noreply.github.com> Co-authored-by: Gustavo Fernandes de Carvalho <17139678+gusfcarvalho@users.noreply.github.com> Co-authored-by: Tete17 <miguel_tete17@hotmail.com> Co-authored-by: Andreas Lindhé <7773090+lindhe@users.noreply.github.com> Co-authored-by: idimov-keeper <78815270+idimov-keeper@users.noreply.github.com> Co-authored-by: Alex Samorukov <samm@net-art.cz> Co-authored-by: Stas Alekseev <100800+salekseev@users.noreply.github.com> Co-authored-by: Tobi <22715034+twobiers@users.noreply.github.com> Co-authored-by: Arun Murugan <arunmurugan.official@gmail.com> Co-authored-by: Moritz Johner <moolen@users.noreply.github.com>
4.6 KiB
4.6 KiB
BeyondTrust Password Safe
External Secrets Operator integrates with BeyondTrust Password Safe.
Warning: The External Secrets Operator secure usage involves taking several measures. Please see Security Best Practices for more information.
Warning: If the BT provider secret is deleted it will still exist in the Kubernetes secrets.
Prerequisites
The BT provider supports retrieval of a secret from BeyondInsight/Password Safe versions 23.1 or greater.
For this provider to retrieve a secret the Password Safe/Secrets Safe instance must be preconfigured with the secret in question and authorized to read it.
Authentication
BeyondTrust OAuth Authentication.
- Create an API access registration in BeyondInsight
- Create or use an existing Secrets Safe Group
- Create or use an existing Application User
- Add API registration to the Application user
- Add the user to the group
- Add the Secrets Safe Feature to the group
NOTE: The ClientID and ClientSecret must be stored in a Kubernetes secret in order for the SecretStore to read the configuration.
If you're using client credentials authentication:
kubectl create secret generic bt-secret --from-literal ClientSecret="<your secret>"
kubectl create secret generic bt-id --from-literal ClientId="<your ID>"
If you're using API Key authentication:
kubectl create secret generic bt-apikey --from-literal ApiKey="<your apikey>"
Client Certificate
If using retrievalType: MANAGED_ACCOUNT, you will also need to download the pfx certificate from Secrets Safe, extract that certificate and create two Kubernetes secrets.
openssl pkcs12 -in client_certificate.pfx -nocerts -out ps_key.pem -nodes
openssl pkcs12 -in client_certificate.pfx -clcerts -nokeys -out ps_cert.pem
# Copy the text from the ps_key.pem to a file.
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
# Copy the text from the ps_cert.pem to a file.
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
kubectl create secret generic bt-certificate --from-file=ClientCertificate=./ps_cert.pem
kubectl create secret generic bt-certificatekey --from-file=ClientCertificateKey=./ps_key.pem
Creating a SecretStore
You can follow the below example to create a SecretStore resource.
You can also use a ClusterSecretStore allowing you to reference secrets from all namespaces. ClusterSecretStore
kubectl apply -f secret-store.yml
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
name: secretstore-beyondtrust
spec:
provider:
beyondtrust:
server:
apiUrl: https://example.com:443/BeyondTrust/api/public/v3/
retrievalType: MANAGED_ACCOUNT # or SECRET
verifyCA: true
clientTimeOutSeconds: 45
auth:
certificate: # omit certificates if retrievalType is SECRET
secretRef:
name: bt-certificate
key: ClientCertificate
certificateKey:
secretRef:
name: bt-certificatekey
key: ClientCertificateKey
clientSecret: # define this section if using client credentials authentication
secretRef:
name: bt-secret
key: ClientSecret
clientId: # define this section if using client credentials authentication
secretRef:
name: bt-id
key: ClientId
apiKey: # define this section if using Api Key authentication
secretRef:
name: bt-apikey
key: ApiKey
Creating an ExternalSecret
You can follow the below example to create a ExternalSecret resource. Secrets can be referenced by path.
You can also use a ClusterExternalSecret allowing you to reference secrets from all namespaces.
kubectl apply -f external-secret.yml
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: beyondtrust-external-secret
spec:
refreshInterval: 1h
secretStoreRef:
kind: SecretStore
name: secretstore-beyondtrust
target:
name: my-beyondtrust-secret # name of secret to create in k8s secrets (etcd)
creationPolicy: Owner
data:
- secretKey: secretKey
remoteRef:
key: system01/managed_account01
Get the K8s secret
# WARNING: this command will reveal the stored secret in plain text
kubectl get secret my-beyondtrust-secret -o jsonpath="{.data.secretKey}" | base64 --decode && echo