From 14d4b47c029194ec18ff1eefda524f5dbe00629a Mon Sep 17 00:00:00 2001 From: Hayden Roszell Date: Wed, 3 Jul 2024 20:06:19 +0100 Subject: [PATCH] chore(docs): Translate doc structure for compatibility with doctool and upgrade bootstrap workflow --- .../workflows/keyfactor-merge-store-types.yml | 27 - .../workflows/keyfactor-release-workflow.yml | 20 + .../workflows/keyfactor-starter-workflow.yml | 28 - README.md | 1815 +++++++++-------- docs/k8scert.md | 210 ++ docs/k8scluster.md | 210 ++ docs/k8sjks.md | 210 ++ docs/k8sns.md | 210 ++ docs/k8spkcs12.md | 214 ++ docs/k8ssecret.md | 212 ++ docs/k8stlssecr.md | 214 ++ docsource/k8scert.md | 108 + docsource/k8scluster.md | 108 + docsource/k8sjks.md | 108 + docsource/k8sns.md | 108 + docsource/k8spkcs12.md | 112 + docsource/k8ssecret.md | 110 + docsource/k8stlssecr.md | 112 + docsource/overview.md | 24 + integration-manifest.json | 865 +++----- 20 files changed, 3481 insertions(+), 1544 deletions(-) delete mode 100644 .github/workflows/keyfactor-merge-store-types.yml create mode 100644 .github/workflows/keyfactor-release-workflow.yml delete mode 100644 .github/workflows/keyfactor-starter-workflow.yml create mode 100644 docs/k8scert.md create mode 100644 docs/k8scluster.md create mode 100644 docs/k8sjks.md create mode 100644 docs/k8sns.md create mode 100644 docs/k8spkcs12.md create mode 100644 docs/k8ssecret.md create mode 100644 docs/k8stlssecr.md create mode 100644 docsource/k8scert.md create mode 100644 docsource/k8scluster.md create mode 100644 docsource/k8sjks.md create mode 100644 docsource/k8sns.md create mode 100644 docsource/k8spkcs12.md create mode 100644 docsource/k8ssecret.md create mode 100644 docsource/k8stlssecr.md create mode 100644 docsource/overview.md diff --git a/.github/workflows/keyfactor-merge-store-types.yml b/.github/workflows/keyfactor-merge-store-types.yml deleted file mode 100644 index c70659f..0000000 --- a/.github/workflows/keyfactor-merge-store-types.yml +++ /dev/null @@ -1,27 +0,0 @@ -name: Keyfactor Merge Cert Store Types -on: [workflow_dispatch] - -jobs: - get-manifest-properties: - runs-on: windows-latest - outputs: - update_catalog: ${{ steps.read-json.outputs.update_catalog }} - integration_type: ${{ steps.read-json.outputs.integration_type }} - steps: - - uses: actions/checkout@v3 - - name: Store json - id: read-json - shell: pwsh - run: | - $json = Get-Content integration-manifest.json | ConvertFrom-Json - $myvar = $json.update_catalog - echo "update_catalog=$myvar" | Out-File -FilePath $Env:GITHUB_OUTPUT -Encoding utf8 -Append - $myvar = $json.integration_type - echo "integration_type=$myvar" | Out-File -FilePath $Env:GITHUB_OUTPUT -Encoding utf8 -Append - - call-update-store-types-workflow: - needs: get-manifest-properties - if: needs.get-manifest-properties.outputs.integration_type == 'orchestrator' && (github.event_name == 'push' || github.event_name == 'workflow_dispatch') - uses: Keyfactor/actions/.github/workflows/update-store-types.yml@main - secrets: - token: ${{ secrets.UPDATE_STORE_TYPES }} diff --git a/.github/workflows/keyfactor-release-workflow.yml b/.github/workflows/keyfactor-release-workflow.yml new file mode 100644 index 0000000..3071ff4 --- /dev/null +++ b/.github/workflows/keyfactor-release-workflow.yml @@ -0,0 +1,20 @@ +name: Keyfactor Release Workflow + +on: + workflow_dispatch: + pull_request: + types: [opened, closed, synchronize, edited, reopened] + push: + create: + branches: + - 'release-*.*' + +jobs: + call-starter-workflow: + uses: keyfactor/actions/.github/workflows/starter.yml@v3 + secrets: + token: ${{ secrets.V2BUILDTOKEN}} + APPROVE_README_PUSH: ${{ secrets.APPROVE_README_PUSH}} + gpg_key: ${{ secrets.KF_GPG_PRIVATE_KEY }} + gpg_pass: ${{ secrets.KF_GPG_PASSPHRASE }} + \ No newline at end of file diff --git a/.github/workflows/keyfactor-starter-workflow.yml b/.github/workflows/keyfactor-starter-workflow.yml deleted file mode 100644 index 4a52481..0000000 --- a/.github/workflows/keyfactor-starter-workflow.yml +++ /dev/null @@ -1,28 +0,0 @@ -name: Starter Workflow -on: [workflow_dispatch, push, pull_request] - -jobs: - call-create-github-release-workflow: - uses: Keyfactor/actions/.github/workflows/github-release.yml@main - - call-dotnet-build-and-release-workflow: - needs: [call-create-github-release-workflow] - uses: Keyfactor/actions/.github/workflows/dotnet-build-and-release.yml@main - with: - release_version: ${{ needs.call-create-github-release-workflow.outputs.release_version }} - release_url: ${{ needs.call-create-github-release-workflow.outputs.release_url }} - release_dir: kubernetes-orchestrator-extension\bin\Release - secrets: - token: ${{ secrets.PRIVATE_PACKAGE_ACCESS }} - - call-generate-readme-workflow: - if: github.event_name == 'push' || github.event_name == 'workflow_dispatch' - uses: Keyfactor/actions/.github/workflows/generate-readme.yml@main - secrets: - token: ${{ secrets.APPROVE_README_PUSH }} - - call-update-catalog-workflow: - if: github.event_name == 'push' || github.event_name == 'workflow_dispatch' - uses: Keyfactor/actions/.github/workflows/update-catalog.yml@main - secrets: - token: ${{ secrets.SDK_SYNC_PAT }} \ No newline at end of file diff --git a/README.md b/README.md index 56ffdcb..1744257 100644 --- a/README.md +++ b/README.md @@ -1,926 +1,981 @@ -# Kubernetes Orchestrator Extension - -The Kubernetes Orchestrator allows for the remote management of certificate stores defined in a Kubernetes cluster. The following types of Kubernetes resources are supported: kubernetes secrets of `kubernetes.io/tls` or `Opaque` and kubernetes certificates `certificates.k8s.io/v1` - -#### Integration status: Production - Ready for use in production environments. - - -## About the Keyfactor Universal Orchestrator Extension - -This repository contains a Universal Orchestrator Extension which is a plugin to the Keyfactor Universal Orchestrator. Within the Keyfactor Platform, Orchestrators are used to manage “certificate stores” — collections of certificates and roots of trust that are found within and used by various applications. - -The Universal Orchestrator is part of the Keyfactor software distribution and is available via the Keyfactor customer portal. For general instructions on installing Extensions, see the “Keyfactor Command Orchestrator Installation and Configuration Guide” section of the Keyfactor documentation. For configuration details of this specific Extension see below in this readme. - -The Universal Orchestrator is the successor to the Windows Orchestrator. This Orchestrator Extension plugin only works with the Universal Orchestrator and does not work with the Windows Orchestrator. - - - - -## Support for Kubernetes Orchestrator Extension - -Kubernetes Orchestrator Extension is supported by Keyfactor for Keyfactor customers. If you have a support issue, please open a support ticket with your Keyfactor representative. - -###### To report a problem or suggest a new feature, use the **[Issues](../../issues)** tab. If you want to contribute actual bug fixes or proposed enhancements, use the **[Pull requests](../../pulls)** tab. - - - ---- - +

+ Kubernetes Universal Orchestrator Extension +

+ +

+ +Integration Status: production +Release +Issues +GitHub Downloads (all assets, all releases) +

+

+ + + Support + + · + + Installation + + · + + License + + · + + Related Integrations + +

-## Keyfactor Version Supported +## Overview -The minimum version of the Keyfactor Universal Orchestrator Framework needed to run this version of the extension is 10.1 +The Kubernetes Universal Orchestrator extension is designed to facilitate the remote management of cryptographic certificates within a Kubernetes cluster. Kubernetes employs certificates for various purposes such as securing communication channels between components (e.g., kube-apiserver, kubelet, etcd), authenticating users and services, and ensuring the integrity of the system. -## Platform Specific Notes +### Certificate Store Types -The Keyfactor Universal Orchestrator may be installed on either Windows or Linux based platforms. The certificate operations supported by a capability may vary based what platform the capability is installed on. The table below indicates what capabilities are supported based on which platform the encompassing Universal Orchestrator is running. -| Operation | Win | Linux | -|-----|-----|------| -|Supports Management Add|✓ |✓ | -|Supports Management Remove|✓ |✓ | -|Supports Create Store|✓ |✓ | -|Supports Discovery|✓ |✓ | -|Supports Renrollment| | | -|Supports Inventory|✓ |✓ | +This extension provides support for several types of Certificate Stores, each adapted to different Kubernetes resources and use cases: +**K8SCert**: Manages Kubernetes certificates of type `certificates.k8s.io/v1`. These certificates are typically used for Kubernetes admission and webhook servers. For provisioning, refer to the [k8s-csr-signer](https://github.com/Keyfactor/k8s-csr-signer) documentation. -## PAM Integration +**K8SSecret**: Handles Kubernetes secrets of type `Opaque`. These secrets can store arbitrary data but are primarily used to manage certificate and private key pairs. The orchestrator focuses on fields named `certificates` and `private_keys`. -This orchestrator extension has the ability to connect to a variety of supported PAM providers to allow for the retrieval of various client hosted secrets right from the orchestrator server itself. This eliminates the need to set up the PAM integration on Keyfactor Command which may be in an environment that the client does not want to have access to their PAM provider. +**K8STLSSecret**: Manages Kubernetes secrets of type `kubernetes.io/tls`. These secrets specifically store SSL/TLS certificates and their corresponding private keys. They must include `tls.crt` and `tls.key` fields. -The secrets that this orchestrator extension supports for use with a PAM Provider are: +**K8SCluster**: This type allows managing a cluster’s secrets of types `Opaque` and `kubernetes.io/tls` across all Kubernetes namespaces. It acts as a container that encompasses `K8SSecret` and `K8STLSSecret` stores. -| Name | Description | -|----------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| ServerUsername | Must be set to `kubeconfig` if used. If you do not set it to `kubeconfig` the `ServerPassword` will be ignored. | -| ServerPassword | Must be set if `ServerUsername` is provided. The service account credentials for the Universal Orchestrator to use. Must be in `kubeconfig` format. For more information review [Kubernetes service account](https://github.com/Keyfactor/kubernetes-orchestrator/blob/main/scripts/kubernetes/README.md) docs and scripts. | - +**K8SNS**: Manages all secrets of type `Opaque` and `kubernetes.io/tls` within a specific namespace. Similar to `K8SCluster`, it acts as a container but is limited to a specific namespace. -It is not necessary to use a PAM Provider for all of the secrets available above. If a PAM Provider should not be used, simply enter in the actual value to be used, as normal. +**K8SJKS**: Works with Kubernetes secrets of type `Opaque` that contain one or more Java Keystore (JKS) files. Each keystore within the secret requires unique credentials and is managed individually. -If a PAM Provider will be used for one of the fields above, start by referencing the [Keyfactor Integration Catalog](https://keyfactor.github.io/integrations-catalog/content/pam). The GitHub repo for the PAM Provider to be used contains important information such as the format of the `json` needed. What follows is an example but does not reflect the `json` values for all PAM Providers as they have different "instance" and "initialization" parameter names and values. +**K8SPKCS12**: Manages Kubernetes secrets of type `Opaque` that contain PKCS12 files. Like `K8SJKS`, these cannot be managed at cluster or namespace levels due to needing unique credentials. -
General PAM Provider Configuration -

+In summary, the Kubernetes Universal Orchestrator extension offers a versatile approach to managing certificates and keys within a Kubernetes cluster, ensuring secure communication and authentication across components and services. +## Compatibility +This integration is compatible with Keyfactor Universal Orchestrator version 10.1 and later. -### Example PAM Provider Setup +## Support +The Kubernetes Universal Orchestrator extension is supported by Keyfactor for Keyfactor customers. If you have a support issue, please open a support ticket with your Keyfactor representative. If you have a support issue, please open a support ticket via the Keyfactor Support Portal at https://support.keyfactor.com. + +> To report a problem or suggest a new feature, use the **[Issues](../../issues)** tab. If you want to contribute actual bug fixes or proposed enhancements, use the **[Pull requests](../../pulls)** tab. -To use a PAM Provider to resolve a field, in this example the __Server Password__ will be resolved by the `Hashicorp-Vault` provider, first install the PAM Provider extension from the [Keyfactor Integration Catalog](https://keyfactor.github.io/integrations-catalog/content/pam) on the Universal Orchestrator. +## Installation +Before installing the Kubernetes Universal Orchestrator extension, it's recommended to install [kfutil](https://github.com/Keyfactor/kfutil). Kfutil is a command-line tool that simplifies the process of creating store types, installing extensions, and instantiating certificate stores in Keyfactor Command. -Next, complete configuration of the PAM Provider on the UO by editing the `manifest.json` of the __PAM Provider__ (e.g. located at extensions/Hashicorp-Vault/manifest.json). The "initialization" parameters need to be entered here: +The Kubernetes Universal Orchestrator extension implements 7 Certificate Store Types. Depending on your use case, you may elect to install one, or all of these Certificate Store Types. An overview for each type is linked below: +* [K8SCert](docs/k8scert.md) +* [K8SCluster](docs/k8scluster.md) +* [K8SJKS](docs/k8sjks.md) +* [K8SNS](docs/k8sns.md) +* [K8SPKCS12](docs/k8spkcs12.md) +* [K8SSecret](docs/k8ssecret.md) +* [K8STLSSecr](docs/k8stlssecr.md) -~~~ json - "Keyfactor:PAMProviders:Hashicorp-Vault:InitializationInfo": { - "Host": "http://127.0.0.1:8200", - "Path": "v1/secret/data", - "Token": "xxxxxx" - } -~~~ +

K8SCert -After these values are entered, the Orchestrator needs to be restarted to pick up the configuration. Now the PAM Provider can be used on other Orchestrator Extensions. -### Use the PAM Provider -With the PAM Provider configured as an extenion on the UO, a `json` object can be passed instead of an actual value to resolve the field with a PAM Provider. Consult the [Keyfactor Integration Catalog](https://keyfactor.github.io/integrations-catalog/content/pam) for the specific format of the `json` object. +1. Follow the [requirements section](docs/k8scert.md#requirements) to configure a Service Account and grant necessary API permissions. -To have the __Server Password__ field resolved by the `Hashicorp-Vault` provider, the corresponding `json` object from the `Hashicorp-Vault` extension needs to be copied and filed in with the correct information: +
Requirements -~~~ json -{"Secret":"my-kv-secret","Key":"myServerPassword"} -~~~ + ### Security Considerations + For the Kubernetes Orchestrator Extension to be able to communicate with a Kubernetes cluster, it must + be able to authenticate with the cluster. This is done by providing the extension with a service account + token that has the appropriate permissions to perform the desired operations. The service account token + can be provided to the extension in one of two ways: + - As a raw JSON file that contains the service account credentials + - As a base64 encoded string that contains the service account credentials -This text would be entered in as the value for the __Server Password__, instead of entering in the actual password. The Orchestrator will attempt to use the PAM Provider to retrieve the __Server Password__. If PAM should not be used, just directly enter in the value for the field. -

-
- - - - ---- - - -## Table of Contents -- [Keyfactor Version Supported](#keyfactor-version-supported) -- [Platform Specific Notes](#platform-specific-notes) -- [PAM Integration](#pam-integration) -- [Overview](#overview) - * [K8SCert](#k8scert) - * [K8SSecret](#k8ssecret) - * [K8STLSSecret](#k8stlssecret) - * [K8SJKS](#k8sjks) -- [Versioning](#versioning) -- [Security Considerations](#security-considerations) - * [Service Account Setup](#service-account-setup) -- [Kubernetes Orchestrator Extension Installation](#kubernetes-orchestrator-extension-installation) -- [Certificate Store Types](#certificate-store-types) - * [Configuration Information](#configuration-information) - + [Note about StorePath](#note-about-storepath) - + [Common Values](#common-values) - - [UI Basic Tab](#ui-basic-tab) - - [UI Advanced Tab](#ui-advanced-tab) - - [Custom Fields Tab](#custom-fields-tab) - - [Kube Secret Types](#kube-secret-types) - - [Entry Parameters Tab:](#entry-parameters-tab-) - * [K8SSecret Store Type](#k8ssecret-store-type) - + [kfutil Create K8SSecret Store Type](#kfutil-create-k8ssecret-store-type) - + [UI Configuration](#ui-configuration) - - [UI Basic Tab](#ui-basic-tab-1) - - [UI Advanced Tab](#ui-advanced-tab-1) - - [UI Custom Fields Tab](#ui-custom-fields-tab) - - [UI Entry Parameters Tab:](#ui-entry-parameters-tab-) - * [K8STLSSecr Store Type](#k8stlssecr-store-type) - + [kfutil Create K8STLSSecr Store Type](#kfutil-create-k8stlssecr-store-type) - + [UI Configuration](#ui-configuration-1) - - [UI Basic Tab](#ui-basic-tab-2) - - [UI Advanced Tab](#ui-advanced-tab-2) - - [UI Custom Fields Tab](#ui-custom-fields-tab-1) - - [UI Entry Parameters Tab:](#ui-entry-parameters-tab--1) - * [K8SPKCS12 Store Type](#k8spkcs12-store-type) - + [kfutil Create K8SPKCS12 Store Type](#kfutil-create-k8spkcs12-store-type) - + [UI Configuration](#ui-configuration-2) - - [UI Basic Tab](#ui-basic-tab-3) - - [UI Advanced Tab](#ui-advanced-tab-3) - - [UI Custom Fields Tab](#ui-custom-fields-tab-2) - - [UI Entry Parameters Tab:](#ui-entry-parameters-tab--2) - * [K8SJKS Store Type](#k8sjks-store-type) - + [Storepath Patterns](#storepath-patterns) - + [Alias Patterns](#alias-patterns) - + [kfutil Create K8SJKS Store Type](#kfutil-create-k8sjks-store-type) - + [UI Configuration](#ui-configuration-3) - - [UI Basic Tab](#ui-basic-tab-4) - - [UI Advanced Tab](#ui-advanced-tab-4) - - [UI Custom Fields Tab](#ui-custom-fields-tab-3) - - [UI Entry Parameters Tab:](#ui-entry-parameters-tab--3) - * [K8SCluster Store Type](#k8scluster-store-type) - + [Storepath Patterns](#storepath-patterns-1) - + [Alias Patterns](#alias-patterns-1) - + [kfutil Create K8SCluster Store Type](#kfutil-create-k8scluster-store-type) - + [UI Configuration](#ui-configuration-4) - - [UI Basic Tab](#ui-basic-tab-5) - - [UI Advanced Tab](#ui-advanced-tab-5) - - [UI Custom Fields Tab](#ui-custom-fields-tab-4) - - [UI Entry Parameters Tab:](#ui-entry-parameters-tab--4) - * [K8SNS Store Type](#k8sns-store-type) - + [Storepath Patterns](#storepath-patterns-2) - + [Alias Patterns](#alias-patterns-2) - + [kfutil Create K8SNS Store Type](#kfutil-create-k8sns-store-type) - + [UI Configuration](#ui-configuration-5) - - [UI Basic Tab](#ui-basic-tab-6) - - [UI Advanced Tab](#ui-advanced-tab-6) - - [UI Custom Fields Tab](#ui-custom-fields-tab-5) - - [UI Entry Parameters Tab:](#ui-entry-parameters-tab--5) - * [K8SCert Store Type](#k8scert-store-type) - + [UI Configuration](#ui-configuration-6) - - [UI Basic Tab](#ui-basic-tab-7) - - [UI Advanced Tab](#ui-advanced-tab-7) - - [UI Custom Fields Tab](#ui-custom-fields-tab-6) - - [UI Entry Parameters Tab:](#ui-entry-parameters-tab--6) -- [Creating Certificate Stores and Scheduling Discovery Jobs](#creating-certificate-stores-and-scheduling-discovery-jobs) -- [Certificate Discovery](#certificate-discovery) - * [K8SNS Discovery](#k8sns-discovery) - * [K8SPKCS12 and K8SJKS Discovery](#k8spkcs12-and-k8sjks-discovery) -- [Certificate Inventory](#certificate-inventory) -- [Certificate Management](#certificate-management) - * [K8STLSSecr & K8SSecret](#k8stlssecr---k8ssecret) - + [Opaque & tls secret w/o ca.crt](#opaque---tls-secret-w-o-cacrt) - + [Opaque & tls secret w/ ca.crt](#opaque---tls-secret-w--cacrt) - + [Opaque & tls secret w/o private key](#opaque---tls-secret-w-o-private-key) - * [K8SJKS & K8SPKCS12](#k8sjks---k8spkcs12) -- [Development](#development) -- [License](#license) - - -## Keyfactor Version Supported - -The minimum version of the Keyfactor Universal Orchestrator Framework needed to run this version of the extension is 10.1 - -| Keyfactor Version | Universal Orchestrator Framework Version | Supported | -|-------------------|------------------------------------------|--------------| -| 10.2.1 | 10.1, 10.2 | ✓ | -| 10.1.1 | 10.1, 10.2 | ✓ | -| 10.0.0 | 10.1, 10.2 | ✓ | -| 9.10.1 | Not supported on KF 9.X.X | x | -| 9.5.0 | Not supported on KF 9.X.X | x | - -## Platform Specific Notes - -The Keyfactor Universal Orchestrator may be installed on either Windows or Linux based platforms. -The certificate operations supported by a capability may vary based what platform the capability is installed on. -See the store type specific sections below for more details on specific cababilities based on Kubernetes resource type. - -## PAM Integration - -This orchestrator extension has the ability to connect to a variety of supported PAM providers to -allow for the retrieval of various client hosted secrets right from the orchestrator server itself. -This eliminates the need to set up the PAM integration on Keyfactor Command which may be in an -environment that the client does not want to have access to their PAM provider. - -The secrets that this orchestrator extension supports for use with a PAM Provider are: - -| Name | Description | -|----------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| ServerPassword | This is a raw JSON file that contains service account credentials to interact with the Kubernetes APIs. See the service account setup guide for permission details. | -| ServerUsername | This is a static value that must be set to `kubeconfig`. | - - -It is not necessary to implement all of the secrets available to be managed by a PAM provider. -For each value that you want managed by a PAM provider, simply enter the key value inside your -specific PAM provider that will hold this value into the corresponding field when setting up -the certificate store, discovery job, or API call. - -Setting up a PAM provider for use involves adding an additional section to the manifest.json -file for this extension as well as setting up the PAM provider you will be using. Each of -these steps is specific to the PAM provider you will use and are documented in the specific -GitHub repo for that provider. For a list of Keyfactor supported PAM providers, please -reference the [Keyfactor Integration Catalog](https://keyfactor.github.io/integrations-catalog/content/pam). - ---- - - -## Overview -The Kubernetes Orchestrator Extension is an integration that can remotely manage certificate -resources in a Kubernetes cluster. The certificate store types that can be managed in the -current version are: -- K8SCert - Kubernetes certificates of type `certificates.k8s.io/v1` -- K8SSecret - Kubernetes secrets of type `Opaque` -- K8STLSSecret - Kubernetes secrets of type `kubernetes.io/tls` -- K8SCluster - This allows for a single store to manage a k8s cluster's secrets or type `Opaque` and `kubernetes.io/tls`. -This can be thought of as a container of `K8SSecret` and `K8STLSSecret` stores across all k8s namespaces. -- K8SNS - This allows for a single store to manage a k8s namespace's secrets or type `Opaque` and `kubernetes.io/tls`. -This can be thought of as a container of `K8SSecret` and `K8STLSSecret` stores for a single k8s namespace. -- K8SJKS - Kubernetes secrets of type `Opaque` that contain one or more Java Keystore(s). These cannot be managed at the -cluster or namespace level as they should all require unique credentials. -- K8SPKCS12 - Kubernetes secrets of type `Opaque` that contain one or more PKCS12(s). These cannot be managed at the -cluster or namespace level as they should all require unique credentials. - -This orchestrator extension makes use of the Kubernetes API by using a service account -to communicate remotely with certificate stores. The service account must have the correct permissions -in order to perform the desired operations. For more information on the required permissions, see the -[service account setup guide](#service-account-setup). - -### K8SCert -The K8SCert store type is used to manage Kubernetes certificates of type `certificates.k8s.io/v1`. -To provision these certs use the [k8s-csr-signer](https://github.com/Keyfactor/k8s-csr-signer) -documentation for more information. - -### K8SSecret -The K8SSecret store type is used to manage Kubernetes secrets of type `Opaque`. These secrets can have any -arbitrary fields, but except for the `tls.crt` and `tls.key` fields, these are reserved for the `kubernetes.io/tls` -secret type. -**NOTE**: The orchestrator will only manage the fields named `certificates` and `private_keys` in the -secret. Any other fields will be ignored. - -### K8STLSSecret -The K8STLSSecret store type is used to manage Kubernetes secrets of type `kubernetes.io/tls`. These secrets -must have the `tls.crt` and `tls.key` fields and may only contain a single key and single certificate. - -### K8SJKS -The K8SJKS store type is used to manage Kubernetes secrets of type `Opaque`. These secrets -must have a field that ends in `.jks`. The orchestrator will inventory and manage using a *custom alias* of the following -pattern: `/`. For example, if the secret has a field named `mykeystore.jks` and -the keystore contains a certificate with an alias of `mycert`, the orchestrator will manage the certificate using the -alias `mykeystore.jks/mycert`. - -### K8SPKCS12 -The K8SPKCS12 store type is used to manage Kubernetes secrets of type `Opaque`. These secrets -must have a field that ends in `.p12`, `.pkcs12`, `.pfx`. The orchestrator will inventory and manage using a -*custom alias* of the following pattern: `/`. For example, if the secret has a -field named `mykeystore.p12` and the keystore contains a certificate with an alias of `mycert`, the orchestrator will -manage the certificate using the alias `mykeystore.p12/mycert`. - -## Versioning - -The version number of a the Kubernetes Orchestrator Extension can be verified by right clicking on the -`Kyefactor.Orchestrators.K8S.dll` file in the `///Extensions/Kubernetes` installation folder, -selecting Properties, and then clicking on the Details tab. - -## Security Considerations -For the Kubernetes Orchestrator Extension to be able to communicate with a Kubernetes cluster, it must -be able to authenticate with the cluster. This is done by providing the extension with a service account -token that has the appropriate permissions to perform the desired operations. The service account token -can be provided to the extension in one of two ways: -- As a raw JSON file that contains the service account credentials -- As a base64 encoded string that contains the service account credentials - -### Service Account Setup -To set up a service account user on your Kubernetes cluster to be used by the Kubernetes Orchestrator Extension, use the following example as a guide: -```yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: keyfactor - namespace: keyfactor ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: keyfactor -rules: -- apiGroups: ["certificates.k8s.io"] - resources: ["certificatesigningrequests"] - verbs: ["create", "get", "list", "watch", "update", "patch", "delete"] -- apiGroups: [""] - resources: ["secrets"] - verbs: ["create", "get", "list", "watch", "update", "patch", "delete"] -- apiGroups: [""] - resources: ["namespaces"] - verbs: ["get", "list", "watch"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: keyfactor -roleRef: - apiGroup: rbac.authorization.k8s.io + #### Service Account Setup + To set up a service account user on your Kubernetes cluster to be used by the Kubernetes Orchestrator Extension, use the following example as a guide: + ```yaml + apiVersion: v1 + kind: ServiceAccount + metadata: + name: keyfactor + namespace: keyfactor + --- + apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole - name: keyfactor -subjects: -- kind: ServiceAccount - name: keyfactor - namespace: keyfactor -``` - -## Kubernetes Orchestrator Extension Installation -1. Create the certificate store types you wish to manage. Please refer to the individual sections - devoted to each supported store type under "Certificate Store Types" later in this README. -2. Stop the Keyfactor Universal Orchestrator Service for the orchestrator you plan to install this - extension to run on. -3. In the Keyfactor Orchestrator installation folder (by convention usually - C:\Program Files\Keyfactor\Keyfactor Orchestrator), find the "Extensions" folder. Underneath that, - create a new folder named "Kubernetes". You may choose to use a different name if you wish. -4. Download the latest version of the Kubernetes orchestrator extension from - [GitHub](https://github.com/Keyfactor/kubernetes-orchestrator). Click on the "Latest" release - link on the right hand side of the main page and download the first zip file. -5. Copy the contents of the download installation zip file to the folder created in Step 3. -6. (Optional) If you decide to create one or more certificate store types with short names different - than the suggested values (please see the individual certificate store type sections in "Certificate - Store Types" later in this README for more information regarding certificate store types), edit the - manifest.json file in the folder you created in step 3, and modify each "ShortName" in each - "Certstores.{ShortName}.{Operation}" line with the ShortName you used to create the respective - certificate store type. If you created it with the suggested values, this step can be skipped. -7. Modify the config.json file (See the "Configuration File Setup" section later in this README) -8. Start the Keyfactor Universal Orchestrator Service. -9. Create the certificate store types you wish to manage. Please refer to the individual sections - devoted to each supported store type under [Certificate Store Types](#certificate-store-types) later in this README. -10. (Optional) Run certificate discovery jobs to populate the certificate stores with existing - certificates. See the [Certificate Store Discovery](#certificate-store-discovery) section later in this README for more - information. - -## Certificate Store Types - -When setting up the certificate store types you wish the Kubernetes Orchestrator Extension to -manage, there are some common settings that will be the same for all supported types. -To create a new Certificate Store Type in Keyfactor Command, first click on settings -`(the gear icon on the top right) => Certificate Store Types => Add`. Alternatively, -there are cURL scripts for all of the currently implemented certificate store types -in the Certificate Store Type cURL Scripts folder in this repo if you wish to automate -the creation of the desired store types. - -### Configuration Information -Below is a table of the common values that should be used for all certificate store types. - -#### Note about StorePath -A Keyfactor Command certificate store `StorePath` for the K8S orchestrator extension can follow the following formats: - -| Pattern | Description | -|-----------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------| -| `secretName` | The name of the secret to use. This assumes `KubeNamespace` is defined or `default` and will be the `secret` or `cert` name on k8s. | -| `namespace/secretName` | If `KubeNamespace` or `KubeSecretName` are not set, then the path will be split by `/` and the values will be parsed according to the pattern. | -| `clusterName/namespace/secretName` | Same as above, clusterName is purely informational | -| `clusterName/namespace/secretType/secretName` | Considered a `full` path, this is what discovery will return as `StorePath` | - -#### Common Values -##### UI Basic Tab -| Field Name | Required | Description | Value | -|-------------------------|----------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------| -| Name | ✓ | The display name you wish to use for the new Certificate Store Type. | Depends on store type. | -| ShortName | ✓ | The short name you wish to use for the new Certificate Store Type. | Depends on store type. | -| Custom Capability | ✓ | Whether or not the certificate store type supports custom capabilities. | Checked [x] | -| Supported Job Types | ✓ | The job types supported by the certificate store type. | Depends on store type. | -| Needs Server | ✓ | Must be set to true or checked. NOTE: If using this `ServerUsername` must be equal to `kubeconfig` and `ServerPassword` will be the kubeconfig file in JSON format | Checked [x] | -| Blueprint Allowed | | Checked if you wish to make use of blueprinting. Please refer to the Keyfactor Command Reference Guide for more details on this feature. | Unchecked [ ] | -| Uses PowerShell | | Whether or not the certificate store type uses PowerShell. | Unchecked [ ] | -| Requires Store Password | | Whether or not the certificate store type requires a password. | Unchecked [ ] | -| Supports Entry Password | | Whether or not the certificate store type supports entry passwords. | Unchecked [ ] | - -##### UI Advanced Tab -| Field Name | Required | Description | Value | -|-----------------------|----------|--------------------------------------------------------------------------------------------------------------------------------------------|------------------------| -| Store Path Type | | The type of path the certificate store type uses. | Freeform | -| Supports Custom Alias | | Whether or not the certificate store type supports custom aliases. | Depends on store type. | -| Private Key Handling | | Whether or not the certificate store type supports private key handling. | Depends on store type. | -| PFX Password Style | | The password style used by the certificate store type. | Default | - -##### Custom Fields Tab -| Name | Display Name | Type | Required | Default Value | Description | -|------------------|---------------------------|--------|----------|---------------|--------------------------------------------------------------------------------------------------------------------------------------------------------| -| KubeNamespace | Kube Namespace | String | | | This field overrides implied `Store Path` value. The Kubernetes namespace the store will reside. This will override the value parsed from `storepath`. | -| KubeSecretName | Kube Secret Name | String | | | This field overrides implied `Store Path` value. The Kubernetes secret or certificate resource name. | -| KubeSecretType | Kube Secret Type | String | ✓ | | Must be one of the following `secret`, `secret_tls` or `cert`. See [kube-secret-types](#kube-secret-types). | -| IncludeCertChain | Include Certificate Chain | Bool | | `true` | Will default to `true` if not set. Set this to `false` if you do not want certificate chains deployed. | -| SeparateChain | SeparateChain | Bool | | `false` | Will default to `false` if not set. Set this to `true` if you want to deploy certificate chain to the `ca.crt` field for `Opaque` and `tls` secrets. | - -##### Kube Secret Types -- `secret` - A generic secret of type `Opaque`. Must contain a key of one of the following values: [ `cert`, `certficate`, `certs`,`certificates` ] to be inventoried. -- `tls_secret` - A secret of type `kubernetes.io/tls`. Must contain the following keys: [ `tls.crt`, `tls.key` ] to be inventoried. -- `cert` - A certificate `certificates.k8s.io/v1` resource. Must contain the following keys: [ `csr`, `cert` ] to be inventoried. - -##### Entry Parameters Tab: -- See specific certificate store type instructions below - -### K8SSecret Store Type - -#### kfutil Create K8SSecret Store Type - -The following commands can be used with [kfutil](https://github.com/Keyfactor/kfutil). Please refer to the kfutil documentation for more information on how to use the tool to interact w/ Keyfactor Command. -kfuti -```bash -kfutil login -kfutil store-types create --name K8SSecret -``` - -#### UI Configuration - -##### UI Basic Tab -| Field Name | Required | Value | -|-------------------------|----------|-------------------------------------------| -| Name | ✓ | `K8SSecret` | -| ShortName | ✓ | `K8SSecret` | -| Custom Capability | ✓ | Checked [x] + `K8SSecret` | -| Supported Job Types | ✓ | Inventory, Add, Remove, Create, Discovery | -| Needs Server | ✓ | Checked [x] | -| Blueprint Allowed | | Unchecked [ ] | -| Uses PowerShell | | Unchecked [ ] | -| Requires Store Password | | Unchecked [ ] | -| Supports Entry Password | | Unchecked [ ] | - -**NOTE:** If using PAM, `server_username` must be equal to `kubeconfig` and `server_password` will be the kubeconfig file in JSON format. - -![k8ssecret_basic.png](docs%2Fscreenshots%2Fstore_types%2Fk8ssecret_basic.png) - -##### UI Advanced Tab -| Field Name | Required | Value | -|-----------------------|----------|-----------| -| Store Path Type | | Freeform | -| Supports Custom Alias | | Forbidden | -| Private Key Handling | | Optional | -| PFX Password Style | | Default | - -![k8ssecret_advanced.png](docs%2Fscreenshots%2Fstore_types%2Fk8ssecret_advanced.png) - -##### UI Custom Fields Tab -| Name | Display Name | Type | Required | Default Value | Description | -|------------------|---------------------------|--------|----------|---------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| KubeNamespace | Kube Namespace | String | | `default` | The K8S namespace the `Opaque` secret lives. This will override any value inferred in the `Store Path` | -| KubeSecretName | Kube Secret Name | String | ✓ | | The name of the K8S `Opaque` secret. This will override any value inferred in the `Store Path` | -| KubeSecretType | Kube Secret Type | String | ✓ | `secret` | | -| IncludeCertChain | Include Certificate Chain | Bool | | `true` | Will default to `true` if not set. If set to `false` only leaf cert will be deployed. | -| SeparateChain | SeparateChain | Bool | | `false` | Will default to `false` if not set. `true` will deploy leaf cert to `tls.crt` and the rest of the cert chain to `ca.crt`. If set to `false` the full chain is deployed to `tls.crt` | - -![k8ssecret_custom_fields.png](docs%2Fscreenshots%2Fstore_types%2Fk8ssecret_custom_fields.png) - -##### UI Entry Parameters Tab: -Empty - -### K8STLSSecr Store Type - -#### kfutil Create K8STLSSecr Store Type - -The following commands can be used with [kfutil](https://github.com/Keyfactor/kfutil). Please refer to the kfutil documentation for more information on how to use the tool to interact w/ Keyfactor Command. - -```bash -kfutil login -kfutil store-types create --name K8STLSSecr -``` - -#### UI Configuration - -##### UI Basic Tab -| Field Name | Required | Value | -|-------------------------|----------|-------------------------------------------| -| Name | ✓ | `K8STLSSecr` | -| ShortName | ✓ | `K8STLSSecr` | -| Custom Capability | ✓ | Checked [x] + `K8STLSSecr` | -| Supported Job Types | ✓ | Inventory, Add, Remove, Create, Discovery | -| Needs Server | ✓ | Checked [x] | -| Blueprint Allowed | | Unchecked [ ] | -| Uses PowerShell | | Unchecked [ ] | -| Requires Store Password | | Unchecked [ ] | -| Supports Entry Password | | Unchecked [ ] | - -![k8sstlssecr_basic.png](docs%2Fscreenshots%2Fstore_types%2Fk8sstlssecr_basic.png) - -##### UI Advanced Tab -| Field Name | Required | Value | Comments | -|-----------------------|----------|-----------|-----------------------------------------------------| -| Store Path Type | | Freeform | | -| Supports Custom Alias | | Forbidden | pattern: `/` | -| Private Key Handling | | Optional | | -| PFX Password Style | | Default | | - -![k8sstlssecr_advanced.png](docs%2Fscreenshots%2Fstore_types%2Fk8sstlssecr_advanced.png) - -##### UI Custom Fields Tab -| Name | Display Name | Type | Required | Default Value | Description | -|------------------|----------------------------|--------|----------|---------------|-------------------------------------------------------------------------------------------------------------------------------------------------| -| KubeNamespace | Kube Namespace | String | | | The K8S namespace the `tls` secret lives. This will override any value inferred in the `Store Path` | -| KubeSecretName | Kube Secret Name | String | | | The name of the K8S `tls` secret. This will override any value inferred in the `Store Path` | -| KubeSecretType | Kube Secret Type | String | ✓ | `tls_secret` | | -| IncludeCertChain | Include Certificate Chain | Bool | | `true` | If set to `false` only leaf cert will be deployed. | -| SeparateChain | SeparateChain | Bool | | `true` | `true` will deploy leaf cert to `tls.crt` and the rest of the cert chain to `ca.crt`. If set to `false` the full chain is deployed to `tls.crt` | - - -![k8sstlssecr_custom_fields.png](docs%2Fscreenshots%2Fstore_types%2Fk8sstlssecr_custom_fields.png) - -##### UI Entry Parameters Tab: -Empty - -### K8SPKCS12 Store Type - -#### kfutil Create K8SPKCS12 Store Type - -The following commands can be used with [kfutil](https://github.com/Keyfactor/kfutil). Please refer to the kfutil documentation for more information on how to use the tool to interact w/ Keyfactor Command. - -```bash -kfutil login -kfutil store-types create --name K8SPKCS12 -``` - -#### UI Configuration - -##### UI Basic Tab -| Field Name | Required | Value | -|-------------------------|-----------|-------------------------------------------| -| Name | ✓ | `K8SPKCS12` | -| ShortName | ✓ | `K8SPKCS12` | -| Custom Capability | ✓ | Checked [x] + `K8SPKCS12` | -| Supported Job Types | ✓ | Inventory, Add, Remove, Create, Discovery | -| Needs Server | ✓ | Checked [x] | -| Blueprint Allowed | | Unchecked [ ] | -| Uses PowerShell | | Unchecked [ ] | -| Requires Store Password | ✓ | Checked [x] | -| Supports Entry Password | | Unchecked [ ] | - -![k8spkcs12_basic.png](docs%2Fscreenshots%2Fstore_types%2Fk8spkcs12_basic.png) - -##### UI Advanced Tab -| Field Name | Required | Value | -|-----------------------|----------|-----------| -| Store Path Type | | Freeform | -| Supports Custom Alias | | Forbidden | -| Private Key Handling | | Optional | -| PFX Password Style | | Default | - -![k8spkcs12_advanced.png](docs%2Fscreenshots%2Fstore_types%2Fk8spkcs12_advanced.png) - -##### UI Custom Fields Tab -| Name | Display Name | Type | Required | Default Value | Description | -|--------------------------|-----------------------------|--------|----------|---------------|-----------------------------------------------------------------------------------------------------------------------------------------------| -| KubeNamespace | Kube Namespace | String | | | K8S namespace the PKCS12 secret lives. This will override any value inferred in the `Store Path` | -| KubeSecretName | Kube Secret Name | String | | | The K8S secret name that contains PKCS12 data. This will override any value inferred in the `Store Path` | -| KubeSecretType | Kube Secret Type | String | ✓ | `pkcs12` | This must be set to `pkcs12`. | -| CertificateDataFieldName | Certificate Data Field Name | String | ✓ | `.p12` | The K8S secret field name to source the PKCS12 data from. You can provide an extension `.p12` or `.pfx` for a secret with a key `example.p12` | -| PasswordFieldName | Password Field Name | String | | `password` | If sourcing the PKCS12 password from a K8S secret this is the field it will look for the password in. | -| PasswordIsK8SSecret | Password Is K8S Secret | Bool | ✓ | `false` | If you want to use the PKCS12 secret or a separate secret specific in `KubeSecretPasswordPath` set this to `true` | -| StorePassword | Kube Secret Password | Secret | | | If you want to specify the PKCS12 password on the store in Command use this. | -| StorePasswordPath | Kube Secret Password Path | String | | | Source PKCS12 password from a separate K8S secret. Pattern: `namespace_name/secret_name` | - - -![k8spkcs12_custom_fields.png](docs%2Fscreenshots%2Fstore_types%2Fk8spkcs12_custom_fields.png) - -##### UI Entry Parameters Tab: -Empty - -### K8SJKS Store Type - -#### Storepath Patterns -- `namespace_name/secret_name` -- `namespace_name/secrets/secret_name` -- `cluster_name/namespace_name/secrets/secret_name` - -#### Alias Patterns -- `k8s_secret_field_name/keystore_alias` - -#### kfutil Create K8SJKS Store Type - -The following commands can be used with [kfutil](https://github.com/Keyfactor/kfutil). Please refer to the kfutil documentation for more information on how to use the tool to interact w/ Keyfactor Command. - -```bash -kfutil login -kfutil store-types create --name K8SJKS -``` - -#### UI Configuration - -##### UI Basic Tab -| Field Name | Required | Value | -|-------------------------|----------|-------------------------------------------| -| Name | ✓ | `K8SJKS` | -| ShortName | ✓ | `K8SJKS` | -| Custom Capability | ✓ | Checked [x] + `K8SJKS` | -| Supported Job Types | ✓ | Inventory, Add, Remove, Create, Discovery | -| Needs Server | ✓ | Checked [x] | -| Blueprint Allowed | | Unchecked [ ] | -| Uses PowerShell | | Unchecked [ ] | -| Requires Store Password | | Unchecked [ ] | -| Supports Entry Password | | Unchecked [ ] | - -![k8sjks_basic.png](docs%2Fscreenshots%2Fstore_types%2Fk8sjks_basic.png) + metadata: + name: keyfactor + rules: + - apiGroups: ["certificates.k8s.io"] + resources: ["certificatesigningrequests"] + verbs: ["create", "get", "list", "watch", "update", "patch", "delete"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["create", "get", "list", "watch", "update", "patch", "delete"] + - apiGroups: [""] + resources: ["namespaces"] + verbs: ["get", "list", "watch"] + --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: + name: keyfactor + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: keyfactor + subjects: + - kind: ServiceAccount + name: keyfactor + namespace: keyfactor + ``` + + ### Service Account Setup + To set up a service account user on your Kubernetes cluster to be used by the Kubernetes Orchestrator Extension, use the following example as a guide: + ```yaml + apiVersion: v1 + kind: ServiceAccount + metadata: + name: keyfactor + namespace: keyfactor + --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + name: keyfactor + rules: + - apiGroups: ["certificates.k8s.io"] + resources: ["certificatesigningrequests"] + verbs: ["create", "get", "list", "watch", "update", "patch", "delete"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["create", "get", "list", "watch", "update", "patch", "delete"] + - apiGroups: [""] + resources: ["namespaces"] + verbs: ["get", "list", "watch"] + --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: + name: keyfactor + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: keyfactor + subjects: + - kind: ServiceAccount + name: keyfactor + namespace: keyfactor + ``` + + + +
+ +2. Create Certificate Store Types for the Kubernetes Orchestrator extension. + + * **Using kfutil**: + + ```shell + # K8SCert + kfutil store-types create K8SCert + ``` + + * **Manually**: + * [K8SCert](docs/k8scert.md#certificate-store-type-configuration) + +3. Install the Kubernetes Universal Orchestrator extension. + + * **Using kfutil**: On the server that that hosts the Universal Orchestrator, run the following command: + + ```shell + # Windows Server + kfutil orchestrator extension -e k8s-orchestrator@latest --out "C:\Program Files\Keyfactor\Keyfactor Orchestrator\extensions" + + # Linux + kfutil orchestrator extension -e k8s-orchestrator@latest --out "/opt/keyfactor/orchestrator/extensions" + ``` + + * **Manually**: Follow the [official Command documentation](https://software.keyfactor.com/Core-OnPrem/Current/Content/InstallingAgents/NetCoreOrchestrator/CustomExtensions.htm?Highlight=extensions) to install the latest [Kubernetes Universal Orchestrator extension](https://github.com/Keyfactor/k8s-orchestrator/releases/latest). + +4. Create new certificate stores in Keyfactor Command for the Sample Universal Orchestrator extension. + + * [K8SCert](docs/k8scert.md#certificate-store-configuration) + + +
+ +
K8SCluster + + +1. Follow the [requirements section](docs/k8scluster.md#requirements) to configure a Service Account and grant necessary API permissions. + +
Requirements + + ### Security Considerations + For the Kubernetes Orchestrator Extension to be able to communicate with a Kubernetes cluster, it must + be able to authenticate with the cluster. This is done by providing the extension with a service account + token that has the appropriate permissions to perform the desired operations. The service account token + can be provided to the extension in one of two ways: + - As a raw JSON file that contains the service account credentials + - As a base64 encoded string that contains the service account credentials + + ### Service Account Setup + To set up a service account user on your Kubernetes cluster to be used by the Kubernetes Orchestrator Extension, use the following example as a guide: + ```yaml + apiVersion: v1 + kind: ServiceAccount + metadata: + name: keyfactor + namespace: keyfactor + --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + name: keyfactor + rules: + - apiGroups: ["certificates.k8s.io"] + resources: ["certificatesigningrequests"] + verbs: ["create", "get", "list", "watch", "update", "patch", "delete"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["create", "get", "list", "watch", "update", "patch", "delete"] + - apiGroups: [""] + resources: ["namespaces"] + verbs: ["get", "list", "watch"] + --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: + name: keyfactor + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: keyfactor + subjects: + - kind: ServiceAccount + name: keyfactor + namespace: keyfactor + ``` + + ### Service Account Setup + To set up a service account user on your Kubernetes cluster to be used by the Kubernetes Orchestrator Extension, use the following example as a guide: + ```yaml + apiVersion: v1 + kind: ServiceAccount + metadata: + name: keyfactor + namespace: keyfactor + --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + name: keyfactor + rules: + - apiGroups: ["certificates.k8s.io"] + resources: ["certificatesigningrequests"] + verbs: ["create", "get", "list", "watch", "update", "patch", "delete"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["create", "get", "list", "watch", "update", "patch", "delete"] + - apiGroups: [""] + resources: ["namespaces"] + verbs: ["get", "list", "watch"] + --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: + name: keyfactor + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: keyfactor + subjects: + - kind: ServiceAccount + name: keyfactor + namespace: keyfactor + ``` + + + +
+ +2. Create Certificate Store Types for the Kubernetes Orchestrator extension. + + * **Using kfutil**: + + ```shell + # K8SCluster + kfutil store-types create K8SCluster + ``` + + * **Manually**: + * [K8SCluster](docs/k8scluster.md#certificate-store-type-configuration) + +3. Install the Kubernetes Universal Orchestrator extension. + + * **Using kfutil**: On the server that that hosts the Universal Orchestrator, run the following command: + + ```shell + # Windows Server + kfutil orchestrator extension -e k8s-orchestrator@latest --out "C:\Program Files\Keyfactor\Keyfactor Orchestrator\extensions" + + # Linux + kfutil orchestrator extension -e k8s-orchestrator@latest --out "/opt/keyfactor/orchestrator/extensions" + ``` + + * **Manually**: Follow the [official Command documentation](https://software.keyfactor.com/Core-OnPrem/Current/Content/InstallingAgents/NetCoreOrchestrator/CustomExtensions.htm?Highlight=extensions) to install the latest [Kubernetes Universal Orchestrator extension](https://github.com/Keyfactor/k8s-orchestrator/releases/latest). + +4. Create new certificate stores in Keyfactor Command for the Sample Universal Orchestrator extension. + + * [K8SCluster](docs/k8scluster.md#certificate-store-configuration) + + +
+ +
K8SJKS + + +1. Follow the [requirements section](docs/k8sjks.md#requirements) to configure a Service Account and grant necessary API permissions. + +
Requirements + + ### Security Considerations + For the Kubernetes Orchestrator Extension to be able to communicate with a Kubernetes cluster, it must + be able to authenticate with the cluster. This is done by providing the extension with a service account + token that has the appropriate permissions to perform the desired operations. The service account token + can be provided to the extension in one of two ways: + - As a raw JSON file that contains the service account credentials + - As a base64 encoded string that contains the service account credentials + + ### Service Account Setup + To set up a service account user on your Kubernetes cluster to be used by the Kubernetes Orchestrator Extension, use the following example as a guide: + ```yaml + apiVersion: v1 + kind: ServiceAccount + metadata: + name: keyfactor + namespace: keyfactor + --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + name: keyfactor + rules: + - apiGroups: ["certificates.k8s.io"] + resources: ["certificatesigningrequests"] + verbs: ["create", "get", "list", "watch", "update", "patch", "delete"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["create", "get", "list", "watch", "update", "patch", "delete"] + - apiGroups: [""] + resources: ["namespaces"] + verbs: ["get", "list", "watch"] + --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: + name: keyfactor + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: keyfactor + subjects: + - kind: ServiceAccount + name: keyfactor + namespace: keyfactor + ``` + + ### Service Account Setup + To set up a service account user on your Kubernetes cluster to be used by the Kubernetes Orchestrator Extension, use the following example as a guide: + ```yaml + apiVersion: v1 + kind: ServiceAccount + metadata: + name: keyfactor + namespace: keyfactor + --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + name: keyfactor + rules: + - apiGroups: ["certificates.k8s.io"] + resources: ["certificatesigningrequests"] + verbs: ["create", "get", "list", "watch", "update", "patch", "delete"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["create", "get", "list", "watch", "update", "patch", "delete"] + - apiGroups: [""] + resources: ["namespaces"] + verbs: ["get", "list", "watch"] + --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: + name: keyfactor + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: keyfactor + subjects: + - kind: ServiceAccount + name: keyfactor + namespace: keyfactor + ``` + + + +
+ +2. Create Certificate Store Types for the Kubernetes Orchestrator extension. + + * **Using kfutil**: + + ```shell + # K8SJKS + kfutil store-types create K8SJKS + ``` + + * **Manually**: + * [K8SJKS](docs/k8sjks.md#certificate-store-type-configuration) + +3. Install the Kubernetes Universal Orchestrator extension. + + * **Using kfutil**: On the server that that hosts the Universal Orchestrator, run the following command: + + ```shell + # Windows Server + kfutil orchestrator extension -e k8s-orchestrator@latest --out "C:\Program Files\Keyfactor\Keyfactor Orchestrator\extensions" + + # Linux + kfutil orchestrator extension -e k8s-orchestrator@latest --out "/opt/keyfactor/orchestrator/extensions" + ``` + + * **Manually**: Follow the [official Command documentation](https://software.keyfactor.com/Core-OnPrem/Current/Content/InstallingAgents/NetCoreOrchestrator/CustomExtensions.htm?Highlight=extensions) to install the latest [Kubernetes Universal Orchestrator extension](https://github.com/Keyfactor/k8s-orchestrator/releases/latest). + +4. Create new certificate stores in Keyfactor Command for the Sample Universal Orchestrator extension. + + * [K8SJKS](docs/k8sjks.md#certificate-store-configuration) + + +
+ +
K8SNS + + +1. Follow the [requirements section](docs/k8sns.md#requirements) to configure a Service Account and grant necessary API permissions. + +
Requirements + + ### Security Considerations + For the Kubernetes Orchestrator Extension to be able to communicate with a Kubernetes cluster, it must + be able to authenticate with the cluster. This is done by providing the extension with a service account + token that has the appropriate permissions to perform the desired operations. The service account token + can be provided to the extension in one of two ways: + - As a raw JSON file that contains the service account credentials + - As a base64 encoded string that contains the service account credentials + + ### Service Account Setup + To set up a service account user on your Kubernetes cluster to be used by the Kubernetes Orchestrator Extension, use the following example as a guide: + ```yaml + apiVersion: v1 + kind: ServiceAccount + metadata: + name: keyfactor + namespace: keyfactor + --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + name: keyfactor + rules: + - apiGroups: ["certificates.k8s.io"] + resources: ["certificatesigningrequests"] + verbs: ["create", "get", "list", "watch", "update", "patch", "delete"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["create", "get", "list", "watch", "update", "patch", "delete"] + - apiGroups: [""] + resources: ["namespaces"] + verbs: ["get", "list", "watch"] + --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: + name: keyfactor + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: keyfactor + subjects: + - kind: ServiceAccount + name: keyfactor + namespace: keyfactor + ``` + + ### Service Account Setup + To set up a service account user on your Kubernetes cluster to be used by the Kubernetes Orchestrator Extension, use the following example as a guide: + ```yaml + apiVersion: v1 + kind: ServiceAccount + metadata: + name: keyfactor + namespace: keyfactor + --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + name: keyfactor + rules: + - apiGroups: ["certificates.k8s.io"] + resources: ["certificatesigningrequests"] + verbs: ["create", "get", "list", "watch", "update", "patch", "delete"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["create", "get", "list", "watch", "update", "patch", "delete"] + - apiGroups: [""] + resources: ["namespaces"] + verbs: ["get", "list", "watch"] + --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: + name: keyfactor + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: keyfactor + subjects: + - kind: ServiceAccount + name: keyfactor + namespace: keyfactor + ``` + + + +
+ +2. Create Certificate Store Types for the Kubernetes Orchestrator extension. + + * **Using kfutil**: + + ```shell + # K8SNS + kfutil store-types create K8SNS + ``` + + * **Manually**: + * [K8SNS](docs/k8sns.md#certificate-store-type-configuration) + +3. Install the Kubernetes Universal Orchestrator extension. + + * **Using kfutil**: On the server that that hosts the Universal Orchestrator, run the following command: + + ```shell + # Windows Server + kfutil orchestrator extension -e k8s-orchestrator@latest --out "C:\Program Files\Keyfactor\Keyfactor Orchestrator\extensions" + + # Linux + kfutil orchestrator extension -e k8s-orchestrator@latest --out "/opt/keyfactor/orchestrator/extensions" + ``` + + * **Manually**: Follow the [official Command documentation](https://software.keyfactor.com/Core-OnPrem/Current/Content/InstallingAgents/NetCoreOrchestrator/CustomExtensions.htm?Highlight=extensions) to install the latest [Kubernetes Universal Orchestrator extension](https://github.com/Keyfactor/k8s-orchestrator/releases/latest). + +4. Create new certificate stores in Keyfactor Command for the Sample Universal Orchestrator extension. + + * [K8SNS](docs/k8sns.md#certificate-store-configuration) + + +
+ +
K8SPKCS12 + + +1. Follow the [requirements section](docs/k8spkcs12.md#requirements) to configure a Service Account and grant necessary API permissions. + +
Requirements + + ### Security Considerations + For the Kubernetes Orchestrator Extension to be able to communicate with a Kubernetes cluster, it must + be able to authenticate with the cluster. This is done by providing the extension with a service account + token that has the appropriate permissions to perform the desired operations. The service account token + can be provided to the extension in one of two ways: + - As a raw JSON file that contains the service account credentials + - As a base64 encoded string that contains the service account credentials + + ### Service Account Setup + To set up a service account user on your Kubernetes cluster to be used by the Kubernetes Orchestrator Extension, use the following example as a guide: + ```yaml + apiVersion: v1 + kind: ServiceAccount + metadata: + name: keyfactor + namespace: keyfactor + --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + name: keyfactor + rules: + - apiGroups: ["certificates.k8s.io"] + resources: ["certificatesigningrequests"] + verbs: ["create", "get", "list", "watch", "update", "patch", "delete"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["create", "get", "list", "watch", "update", "patch", "delete"] + - apiGroups: [""] + resources: ["namespaces"] + verbs: ["get", "list", "watch"] + --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: + name: keyfactor + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: keyfactor + subjects: + - kind: ServiceAccount + name: keyfactor + namespace: keyfactor + ``` + + ### Service Account Setup + To set up a service account user on your Kubernetes cluster to be used by the Kubernetes Orchestrator Extension, use the following example as a guide: + ```yaml + apiVersion: v1 + kind: ServiceAccount + metadata: + name: keyfactor + namespace: keyfactor + --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + name: keyfactor + rules: + - apiGroups: ["certificates.k8s.io"] + resources: ["certificatesigningrequests"] + verbs: ["create", "get", "list", "watch", "update", "patch", "delete"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["create", "get", "list", "watch", "update", "patch", "delete"] + - apiGroups: [""] + resources: ["namespaces"] + verbs: ["get", "list", "watch"] + --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: + name: keyfactor + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: keyfactor + subjects: + - kind: ServiceAccount + name: keyfactor + namespace: keyfactor + ``` + + + +
+ +2. Create Certificate Store Types for the Kubernetes Orchestrator extension. + + * **Using kfutil**: + + ```shell + # K8SPKCS12 + kfutil store-types create K8SPKCS12 + ``` + + * **Manually**: + * [K8SPKCS12](docs/k8spkcs12.md#certificate-store-type-configuration) + +3. Install the Kubernetes Universal Orchestrator extension. + + * **Using kfutil**: On the server that that hosts the Universal Orchestrator, run the following command: + + ```shell + # Windows Server + kfutil orchestrator extension -e k8s-orchestrator@latest --out "C:\Program Files\Keyfactor\Keyfactor Orchestrator\extensions" + + # Linux + kfutil orchestrator extension -e k8s-orchestrator@latest --out "/opt/keyfactor/orchestrator/extensions" + ``` + + * **Manually**: Follow the [official Command documentation](https://software.keyfactor.com/Core-OnPrem/Current/Content/InstallingAgents/NetCoreOrchestrator/CustomExtensions.htm?Highlight=extensions) to install the latest [Kubernetes Universal Orchestrator extension](https://github.com/Keyfactor/k8s-orchestrator/releases/latest). + +4. Create new certificate stores in Keyfactor Command for the Sample Universal Orchestrator extension. + + * [K8SPKCS12](docs/k8spkcs12.md#certificate-store-configuration) + + +
+ +
K8SSecret + + +1. Follow the [requirements section](docs/k8ssecret.md#requirements) to configure a Service Account and grant necessary API permissions. + +
Requirements + + ### Security Considerations + For the Kubernetes Orchestrator Extension to be able to communicate with a Kubernetes cluster, it must + be able to authenticate with the cluster. This is done by providing the extension with a service account + token that has the appropriate permissions to perform the desired operations. The service account token + can be provided to the extension in one of two ways: + - As a raw JSON file that contains the service account credentials + - As a base64 encoded string that contains the service account credentials + + ### Service Account Setup + To set up a service account user on your Kubernetes cluster to be used by the Kubernetes Orchestrator Extension, use the following example as a guide: + ```yaml + apiVersion: v1 + kind: ServiceAccount + metadata: + name: keyfactor + namespace: keyfactor + --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + name: keyfactor + rules: + - apiGroups: ["certificates.k8s.io"] + resources: ["certificatesigningrequests"] + verbs: ["create", "get", "list", "watch", "update", "patch", "delete"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["create", "get", "list", "watch", "update", "patch", "delete"] + - apiGroups: [""] + resources: ["namespaces"] + verbs: ["get", "list", "watch"] + --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: + name: keyfactor + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: keyfactor + subjects: + - kind: ServiceAccount + name: keyfactor + namespace: keyfactor + ``` + + ### Service Account Setup + To set up a service account user on your Kubernetes cluster to be used by the Kubernetes Orchestrator Extension, use the following example as a guide: + ```yaml + apiVersion: v1 + kind: ServiceAccount + metadata: + name: keyfactor + namespace: keyfactor + --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + name: keyfactor + rules: + - apiGroups: ["certificates.k8s.io"] + resources: ["certificatesigningrequests"] + verbs: ["create", "get", "list", "watch", "update", "patch", "delete"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["create", "get", "list", "watch", "update", "patch", "delete"] + - apiGroups: [""] + resources: ["namespaces"] + verbs: ["get", "list", "watch"] + --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: + name: keyfactor + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: keyfactor + subjects: + - kind: ServiceAccount + name: keyfactor + namespace: keyfactor + ``` + + + +
+ +2. Create Certificate Store Types for the Kubernetes Orchestrator extension. + + * **Using kfutil**: + + ```shell + # K8SSecret + kfutil store-types create K8SSecret + ``` + + * **Manually**: + * [K8SSecret](docs/k8ssecret.md#certificate-store-type-configuration) + +3. Install the Kubernetes Universal Orchestrator extension. + + * **Using kfutil**: On the server that that hosts the Universal Orchestrator, run the following command: + + ```shell + # Windows Server + kfutil orchestrator extension -e k8s-orchestrator@latest --out "C:\Program Files\Keyfactor\Keyfactor Orchestrator\extensions" + + # Linux + kfutil orchestrator extension -e k8s-orchestrator@latest --out "/opt/keyfactor/orchestrator/extensions" + ``` + + * **Manually**: Follow the [official Command documentation](https://software.keyfactor.com/Core-OnPrem/Current/Content/InstallingAgents/NetCoreOrchestrator/CustomExtensions.htm?Highlight=extensions) to install the latest [Kubernetes Universal Orchestrator extension](https://github.com/Keyfactor/k8s-orchestrator/releases/latest). + +4. Create new certificate stores in Keyfactor Command for the Sample Universal Orchestrator extension. + + * [K8SSecret](docs/k8ssecret.md#certificate-store-configuration) + + +
+ +
K8STLSSecr + + +1. Follow the [requirements section](docs/k8stlssecr.md#requirements) to configure a Service Account and grant necessary API permissions. + +
Requirements + + ### Security Considerations + For the Kubernetes Orchestrator Extension to be able to communicate with a Kubernetes cluster, it must + be able to authenticate with the cluster. This is done by providing the extension with a service account + token that has the appropriate permissions to perform the desired operations. The service account token + can be provided to the extension in one of two ways: + - As a raw JSON file that contains the service account credentials + - As a base64 encoded string that contains the service account credentials + + ### Service Account Setup + To set up a service account user on your Kubernetes cluster to be used by the Kubernetes Orchestrator Extension, use the following example as a guide: + ```yaml + apiVersion: v1 + kind: ServiceAccount + metadata: + name: keyfactor + namespace: keyfactor + --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + name: keyfactor + rules: + - apiGroups: ["certificates.k8s.io"] + resources: ["certificatesigningrequests"] + verbs: ["create", "get", "list", "watch", "update", "patch", "delete"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["create", "get", "list", "watch", "update", "patch", "delete"] + - apiGroups: [""] + resources: ["namespaces"] + verbs: ["get", "list", "watch"] + --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: + name: keyfactor + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: keyfactor + subjects: + - kind: ServiceAccount + name: keyfactor + namespace: keyfactor + ``` + + ### Service Account Setup + To set up a service account user on your Kubernetes cluster to be used by the Kubernetes Orchestrator Extension, use the following example as a guide: + ```yaml + apiVersion: v1 + kind: ServiceAccount + metadata: + name: keyfactor + namespace: keyfactor + --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + name: keyfactor + rules: + - apiGroups: ["certificates.k8s.io"] + resources: ["certificatesigningrequests"] + verbs: ["create", "get", "list", "watch", "update", "patch", "delete"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["create", "get", "list", "watch", "update", "patch", "delete"] + - apiGroups: [""] + resources: ["namespaces"] + verbs: ["get", "list", "watch"] + --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: + name: keyfactor + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: keyfactor + subjects: + - kind: ServiceAccount + name: keyfactor + namespace: keyfactor + ``` -##### UI Advanced Tab -| Field Name | Required | Value | -|-----------------------|----------|----------| -| Store Path Type | | Freeform | -| Supports Custom Alias | ✓ | Required | -| Private Key Handling | | Optional | -| PFX Password Style | | Default | -![k8sjks_advanced.png](docs%2Fscreenshots%2Fstore_types%2Fk8sjks_advanced.png) -##### UI Custom Fields Tab -| Name | Display Name | Type | Required | Default Value | Description | -|--------------------------|-----------------------------|--------|----------|---------------|--------------------------------------------------------------------------------------------------------| -| KubeNamespace | Kube Namespace | String | | | K8S namespace the JKS secret lives. This will override any value inferred in the `Store Path`. | -| KubeSecretName | Kube Secret Name | String | | | The K8S secret name that contains JKS data. This will override any value inferred in the `Store Path`. | -| KubeSecretType | Kube Secret Type | String | ✓ | `jks` | | -| CertificateDataFieldName | Certificate Data Field Name | String | ✓ | `.jks` | The K8S secret field name to source the JKS data from | -| PasswordFieldName | Password Field Name | String | ✓ | `password` | If sourcing the JKS password from a K8S secret this is the field it will look for the password in. | -| PasswordIsK8SSecret | Password Is K8S Secret | Bool | ✓ | `false` | If you want to use the JKS secret or a separate secret specific in `` set this to `true` | -| StorePassword | Kube Secret Password | Secret | | | If you want to specify the JKS password on the store in Command use this. | -| StorePasswordPath | Kube Secret Password Path | String | | | Source JKS password from a separate K8S secret. Pattern: `namespace_name/secret_name` | - - -![k8sjks_custom_fields.png](docs%2Fscreenshots%2Fstore_types%2Fk8sjks_custom_fields.png) - -##### UI Entry Parameters Tab: -Empty - -### K8SCluster Store Type - -#### Storepath Patterns -- `cluster_name` - -#### Alias Patterns -- `namespace_name/secrets/secret_type/secret_name` - -#### kfutil Create K8SCluster Store Type - -The following commands can be used with [kfutil](https://github.com/Keyfactor/kfutil). Please refer to the kfutil documentation for more information on how to use the tool to interact w/ Keyfactor Command. - -```bash -kfutil login -kfutil store-types create --name K8SCluster -``` +
-#### UI Configuration +2. Create Certificate Store Types for the Kubernetes Orchestrator extension. -##### UI Basic Tab -| Field Name | Required | Value | -|-------------------------|----------|---------------------------------| -| Name | ✓ | `K8SCluster` | -| ShortName | ✓ | `K8SCluster` | -| Custom Capability | ✓ | Checked [x] + `K8SCluster` | -| Supported Job Types | ✓ | Inventory, Add, Remove, Create | -| Needs Server | ✓ | Checked [x] | -| Blueprint Allowed | | Unchecked [ ] | -| Uses PowerShell | | Unchecked [ ] | -| Requires Store Password | | Unchecked [ ] | -| Supports Entry Password | | Unchecked [ ] | + * **Using kfutil**: -![k8scluster_basic.png](docs%2Fscreenshots%2Fstore_types%2Fk8scluster_basic.png) + ```shell + # K8STLSSecr + kfutil store-types create K8STLSSecr + ``` -##### UI Advanced Tab -| Field Name | Required | Value | -|-----------------------|----------|----------| -| Store Path Type | | Freeform | -| Supports Custom Alias | | Required | -| Private Key Handling | | Optional | -| PFX Password Style | | Default | + * **Manually**: + * [K8STLSSecr](docs/k8stlssecr.md#certificate-store-type-configuration) -![k8scluster_advanced.png](docs%2Fscreenshots%2Fstore_types%2Fk8scluster_advanced.png) - - -##### UI Custom Fields Tab -| Name | Display Name | Type | Required | Default Value | Description | -|------------------|---------------------------|--------|----------|----------------|------------------------------------------------------------------------------------------------------------------------------------------------------| -| IncludeCertChain | Include Certificate Chain | Bool | | `true` | Will default to `true` if not set. If set to `false` only leaf cert will be deployed. | -| SeparateChain | Separate Chain | Bool | | `false` | Will default to `false` if not set. Set this to `true` if you want to deploy certificate chain to the `ca.crt` field for `Opaque` and `tls` secrets. | - -![k8sns_advanced.png](docs%2Fscreenshots%2Fstore_types%2Fk8sns_advanced.png) - -##### UI Entry Parameters Tab: -Empty - -### K8SNS Store Type - -**NOTE**: This store type will only inventory K8S secrets that contain the keys `tls.crt` and `tls.key`. - -#### Storepath Patterns -- `namespace_name` -- `cluster_name/namespace_name` +3. Install the Kubernetes Universal Orchestrator extension. + + * **Using kfutil**: On the server that that hosts the Universal Orchestrator, run the following command: -#### Alias Patterns -- `secrets/secret_type/secret_name` + ```shell + # Windows Server + kfutil orchestrator extension -e k8s-orchestrator@latest --out "C:\Program Files\Keyfactor\Keyfactor Orchestrator\extensions" -#### kfutil Create K8SNS Store Type + # Linux + kfutil orchestrator extension -e k8s-orchestrator@latest --out "/opt/keyfactor/orchestrator/extensions" + ``` -The following commands can be used with [kfutil](https://github.com/Keyfactor/kfutil). Please refer to the kfutil documentation for more information on how to use the tool to interact w/ Keyfactor Command. + * **Manually**: Follow the [official Command documentation](https://software.keyfactor.com/Core-OnPrem/Current/Content/InstallingAgents/NetCoreOrchestrator/CustomExtensions.htm?Highlight=extensions) to install the latest [Kubernetes Universal Orchestrator extension](https://github.com/Keyfactor/k8s-orchestrator/releases/latest). -```bash -kfutil login -kfutil store-types create --name K8SNS -``` +4. Create new certificate stores in Keyfactor Command for the Sample Universal Orchestrator extension. -#### UI Configuration + * [K8STLSSecr](docs/k8stlssecr.md#certificate-store-configuration) -##### UI Basic Tab -| Field Name | Required | Value | -|-------------------------|----------|--------------------------------| -| Name | ✓ | `K8SNS` | -| ShortName | ✓ | `K8SNS` | -| Custom Capability | ✓ | Checked [x] + `K8SNS` | -| Supported Job Types | ✓ | Inventory, Add, Remove, Create | -| Needs Server | ✓ | Checked [x] | -| Blueprint Allowed | | Unchecked [ ] | -| Uses PowerShell | | Unchecked [ ] | -| Requires Store Password | | Unchecked [ ] | -| Supports Entry Password | | Unchecked [ ] | -![k8scluster_basic.png](docs%2Fscreenshots%2Fstore_types%2Fk8scluster_basic.png) +
-##### UI Advanced Tab -| Field Name | Required | Value | -|-----------------------|----------|----------| -| Store Path Type | | Freeform | -| Supports Custom Alias | | Required | -| Private Key Handling | | Optional | -| PFX Password Style | | Default | - -![k8sns_advanced.png](docs%2Fscreenshots%2Fstore_types%2Fk8sns_advanced.png) - -##### UI Custom Fields Tab -| Name | Display Name | Type | Required | Default Value | Description | -|------------------|---------------------------|--------|----------|---------------|------------------------------------------------------------------------------------------------------------------------------------------------------| -| KubeNamespace | Kube Namespace | String | | | K8S namespace to manage. This will override any value inferred in the `Store Path`. | -| IncludeCertChain | Include Certificate Chain | Bool | | `true` | Will default to `true` if not set. If set to `false` only leaf cert will be deployed. | -| SeparateChain | Separate Chain | Bool | | `false` | Will default to `false` if not set. Set this to `true` if you want to deploy certificate chain to the `ca.crt` field for `Opaque` and `tls` secrets. | - - -##### UI Entry Parameters Tab: -Empty - -### K8SCert Store Type - -The following commands can be used with [kfutil](https://github.com/Keyfactor/kfutil). Please refer to the kfutil documentation for more information on how to use the tool to interact w/ Keyfactor Command. - -```bash -kfutil login -kfutil store-types create --name K8SCert -``` - -#### UI Configuration - -##### UI Basic Tab -| Field Name | Required | Value | -|-------------------------|----------|--------------------------| -| Name | ✓ | `K8SCert` | -| ShortName | ✓ | `K8SCert` | -| Custom Capability | ✓ | Checked [x] + `K8SCert` | -| Supported Job Types | ✓ | Inventory, Discovery | -| Needs Server | ✓ | Checked [x] | -| Blueprint Allowed | | Unchecked [ ] | -| Uses PowerShell | | Unchecked [ ] | -| Requires Store Password | | Unchecked [ ] | -| Supports Entry Password | | Unchecked [ ] | - -![k8scert_basic.png](docs%2Fscreenshots%2Fstore_types%2Fk8scert_basic.png) - -##### UI Advanced Tab -| Field Name | Required | Value | -|-----------------------|----------|------------| -| Store Path Type | | Freeform | -| Supports Custom Alias | | Forbidden | -| Private Key Handling | | Forbidden | -| PFX Password Style | | Default | - -![k8scert_advanced.png](docs%2Fscreenshots%2Fstore_types%2Fk8scert_advanced.png) - -##### UI Custom Fields Tab -| Name | Display Name | Type | Required | Default Value | Description | -|--------------------|---------------------------|--------|----------|---------------|--------------------------------------------------------------------------------------------------------| -| KubeNamespace | Kube Namespace | String | | | The K8S namespace the `cert` resource lives. This will override any value inferred in the `Store Path` | -| KubeSecretName | Kube Secret Name | String | | | The K8S `cert` name. This will override any value inferred in the `Store Path`. | -| KubeSecretType | Kube Secret Type | String | ✓ | `cert` | | - - -![k8scert_custom_fields.png](docs%2Fscreenshots%2Fstore_types%2Fk8scert_custom_fields.png) - -##### UI Entry Parameters Tab: -Empty - -## Creating Certificate Stores and Scheduling Discovery Jobs - -Please refer to the Keyfactor Command Reference Guide for information on creating -certificate stores and scheduling Discovery jobs in Keyfactor Command. - -## Certificate Discovery -**NOTE:** To use disovery jobs, you must have the story type created in Keyfactor Command and the `needs_server` checkbox MUST be checked. -Otherwise you will not be able to provide credentials to the discovery job. - -The Kubernetes Orchestrator Extension supports certificate discovery jobs. This allows you to populate the certificate stores with existing certificates. To run a discovery job, follow these steps: -1. Click on the "Locations > Certificate Stores" menu item. -2. Click the "Discover" tab. -3. Click the "Schedule" button. -4. Configure the job based on storetype. **Note** the "Server Username" field must be set to `kubeconfig` and the "Server Password" field is the `kubeconfig` formatted JSON file containing the service account credentials. See the "Service Account Setup" section earlier in this README for more information on setting up a service account. - ![discover_schedule_start.png](docs%2Fscreenshots%2Fdiscovery%2Fdiscover_schedule_start.png) - ![discover_schedule_config.png](docs%2Fscreenshots%2Fdiscovery%2Fdiscover_schedule_config.png) - ![discover_server_username.png](docs%2Fscreenshots%2Fdiscovery%2Fdiscover_server_username.png) - ![discover_server_password.png](docs%2Fscreenshots%2Fdiscovery%2Fdiscover_server_password.png) -5. Click the "Save" button and wait for the Orchestrator to run the job. This may take some time depending on the number of certificates in the store and the Orchestrator's check-in schedule. - -### K8SNS Discovery -For discovery of K8SNS stores toy can use the following params to filter the certificates that will be discovered: -- `Directories to search` - comma separated list of namespaces to search for certificates OR `all` to search all namespaces. *This cannot be left blank.* - -### K8SPKCS12 and K8SJKS Discovery -For discovery of K8SPKCS12 and K8SJKS stores toy can use the following params to filter the certificates that will be discovered: -- `Directories to search` - comma separated list of namespaces to search for certificates OR `all` to search all namespaces. *This cannot be left blank.* -- `File name patterns to match` - comma separated list of K8S secret keys to search for PKCS12 or JKS data. Will use the following keys by default: `tls.pfx`,`tls.pkcs12`,`pfx`,`pkcs12`,`tls.jks`,`jks`. - -## Certificate Inventory -In order for certificates to be inventoried by the Keyfactor k8s-orchestrator, they must have specific keys and values -in the Kubernetes Secret. The following table shows the required keys and values for each type of certificate store. - -| Store Type | Valid Secret Keys | -|------------|--------------------------------| -| K8STLSSecr | `tls.crt`,`tls.key`, `ca.crt` | -| K8SSecret | `tls.crt`,`tls.crts`, `ca.crt` | -| K8SCert | `cert`, `csr` | -| K8SPKCS12 | `*.pfx`,`*.pkcs12`, `*.p12` | -| K8SJKS | `*.jks` | -| K8SNS | `tls.crt`,`tls.crts`, `ca.crt` | -| K8SCluster | `tls.crt`,`tls.crts`, `ca.crt` | - -## Certificate Management -Management add/remove/create operations will attempt to write back to the Kubernetes Secret. -The following table shows the keys that the orchestrator will write back to the Kubernetes Secret for -each type of certificate store. - -| Store Type | Managed Secret Keys | -|------------|-----------------------------------------------------------| -| K8STLSSecr | `tls.crt`,`tls.key`, `ca.crt` | -| K8SSecret | `tls.crt`,`tls.key`, `ca.crt` | -| K8SPKCS12 | Specified in custom field `KubeSecretKey` or use defaults | -| K8SJKS | Specified in custom field `KubeSecretKey` or use defaults | -| K8SCluster | `tls.crt`,`tls.key` | -| K8SNS | `tls.crt`,`tls.key` | - -### K8STLSSecr & K8SSecret -These store types are virtually the same, they only differ in what K8S secret type they create. Both store types allow -for **ONLY** a single certificate to be stored in the secret. This means any `add` job will **overwrite** the existing -`tls.crt`, `tls.key`, and `ca.crt` values in the secret. If a secret does not exist, the orchestrator will create one -with the fields `tls.crt`, `tls.key`. Additionally, if `SeparateChain` on the store definition is set to -`true`, then the field `ca.crt` will be populated with the certificate chain data. - -**NOTE:** If a secret already exists and does not contain the field `ca.crt`, the orchestrator will **NOT** add the field -`ca.crt` to the secret, and instead will deploy a full certificate chain to the `tls.crt` field. - -#### Opaque & tls secret w/o ca.crt -Here's what an `Opaque` secret looks like in the UI when it does not contain the `ca.crt` field **NOTE** the chain is -included in the `tls.crt` field: -![opaque_no_cacrt_field.png](docs%2Fscreenshots%2Fmanagement%2Fopaque_no_cacrt_field.png) - -#### Opaque & tls secret w/ ca.crt -Here's what an `Opaque` secret looks like in the UI when it does contain the `ca.crt` field: -![opaque_cacrt.png](docs%2Fscreenshots%2Fmanagement%2Fopaque_cacrt.png) - -#### Opaque & tls secret w/o private key -It is possible to deploy a certificate without the private key from Command, and this is how it will look in the UI -**NOTE** the chain will only be included if Command has inventoried it: -![opaque_no_private_key.png](docs%2Fscreenshots%2Fmanagement%2Fopaque_no_private_key.png) - -### K8SJKS & K8SPKCS12 - -The K8SJKS store type is a Java Key Store (JKS) that is stored in a Kubernetes Secret. The secret can contain multiple -JKS files. The orchestrator will attempt to manage the JKS files found in the secret that match the `allowed_keys` or -`CertificateDataFieldName` custom field values. - -Alias pattern: `/`. - -Example of secret containing 2 JKS stores: -![k8sjks_multi.png](docs%2Fscreenshots%2Fstore_types%2Fk8sjks_multi.png) - -Here's what this looks like in the UI: -![k8sjks_inventory_ui.png](docs%2Fscreenshots%2Fstore_types%2Fk8sjks_inventory_ui.png) - -## Development - -[See the development guide](Development.md) ## License -[Apache](https://apache.org/licenses/LICENSE-2.0) +Apache License 2.0, see [LICENSE](LICENSE). + +## Related Integrations +See all [Keyfactor Universal Orchestrator extensions](https://github.com/orgs/Keyfactor/repositories?q=orchestrator). \ No newline at end of file diff --git a/docs/k8scert.md b/docs/k8scert.md new file mode 100644 index 0000000..b5f13ff --- /dev/null +++ b/docs/k8scert.md @@ -0,0 +1,210 @@ +## K8SCert + +The K8SCert Certificate Store Type is designed to manage Kubernetes certificates of type `certificates.k8s.io/v1`. This store type interacts with Kubernetes' native CertificateSigningRequest (CSR) resources and manages the lifecycle of Kubernetes certificates, ensuring they are deployed and updated as needed within the cluster. + +### Representation + +K8SCert represents the certificates requested and issued via Kubernetes' CSR API. These certificates are often employed for various internal Kubernetes operations, such as securing API calls and container-to-container communications within the cluster. By managing these certificates, the orchestrator ensures that communication between different Kubernetes components remains secure. + +### Usage and SDK + +The K8SCert Certificate Store Type does not require any additional SDKs as it communicates directly with the Kubernetes API using a service account. This integration leverages Kubernetes’ native capabilities to handle certificate requests and issuances, making use of the service account's permissions to perform necessary operations. + +### Caveats and Limitations + +There are a few important considerations when using the K8SCert Certificate Store Type: + +- **Service Account Permissions**: The service account used by the orchestrator must have the necessary permissions to create, view, update, and delete CSRs within the cluster. Insufficient permissions will result in failures to manage certificates properly. +- **Chain of Trust**: Be aware of the chain of trust for certificates managed by the K8SCert store type. Properly configuring and maintaining the trust chain is critical to maintain secure communications. +- **Private Key Handling**: This store type doesn't handle private keys directly within Kubernetes secrets but rather relies on the managed CSR’s mechanisms to secure keys. + +The K8SCert Certificate Store Type offers a robust approach to managing Kubernetes-native certificates, ensuring secure and authenticated communication within your Kubernetes environment. + + + +### Supported Job Types + +| Job Name | Supported | +| -------- | --------- | +| Inventory | ✅ | +| Management Add | | +| Management Remove | | +| Discovery | ✅ | +| Create | | +| Reenrollment | | + +## Requirements + +### Security Considerations +For the Kubernetes Orchestrator Extension to be able to communicate with a Kubernetes cluster, it must +be able to authenticate with the cluster. This is done by providing the extension with a service account +token that has the appropriate permissions to perform the desired operations. The service account token +can be provided to the extension in one of two ways: +- As a raw JSON file that contains the service account credentials +- As a base64 encoded string that contains the service account credentials + +#### Service Account Setup +To set up a service account user on your Kubernetes cluster to be used by the Kubernetes Orchestrator Extension, use the following example as a guide: +```yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: keyfactor + namespace: keyfactor +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: keyfactor +rules: +- apiGroups: ["certificates.k8s.io"] + resources: ["certificatesigningrequests"] + verbs: ["create", "get", "list", "watch", "update", "patch", "delete"] +- apiGroups: [""] + resources: ["secrets"] + verbs: ["create", "get", "list", "watch", "update", "patch", "delete"] +- apiGroups: [""] + resources: ["namespaces"] + verbs: ["get", "list", "watch"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: keyfactor +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: keyfactor +subjects: +- kind: ServiceAccount + name: keyfactor + namespace: keyfactor +``` + +### Service Account Setup +To set up a service account user on your Kubernetes cluster to be used by the Kubernetes Orchestrator Extension, use the following example as a guide: +```yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: keyfactor + namespace: keyfactor +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: keyfactor +rules: +- apiGroups: ["certificates.k8s.io"] + resources: ["certificatesigningrequests"] + verbs: ["create", "get", "list", "watch", "update", "patch", "delete"] +- apiGroups: [""] + resources: ["secrets"] + verbs: ["create", "get", "list", "watch", "update", "patch", "delete"] +- apiGroups: [""] + resources: ["namespaces"] + verbs: ["get", "list", "watch"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: keyfactor +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: keyfactor +subjects: +- kind: ServiceAccount + name: keyfactor + namespace: keyfactor +``` + + + +## Certificate Store Type Configuration + +The recommended method for creating the `K8SCert` Certificate Store Type is to use [kfutil](https://github.com/Keyfactor/kfutil). After installing, use the following command to create the `` Certificate Store Type: + +```shell +kfutil store-types create K8SCert +``` + +
K8SCert + +Create a store type called `K8SCert` with the attributes in the tables below: + +### Basic Tab +| Attribute | Value | Description | +| --------- | ----- | ----- | +| Name | K8SCert | Display name for the store type (may be customized) | +| Short Name | K8SCert | Short display name for the store type | +| Capability | K8SCert | Store type name orchestrator will register with. Check the box to allow entry of value | +| Supported Job Types (check the box for each) | Add, Discovery, Remove | Job types the extension supports | +| Supports Add | | Indicates that the Store Type supports Management Add | +| Supports Remove | | Indicates that the Store Type supports Management Remove | +| Supports Discovery | ✅ | Check the box. Indicates that the Store Type supports Discovery | +| Supports Reenrollment | | Indicates that the Store Type supports Reenrollment | +| Supports Create | | Indicates that the Store Type supports store creation | +| Needs Server | ✅ | Determines if a target server name is required when creating store | +| Blueprint Allowed | | Determines if store type may be included in an Orchestrator blueprint | +| Uses PowerShell | | Determines if underlying implementation is PowerShell | +| Requires Store Password | | Determines if a store password is required when configuring an individual store. | +| Supports Entry Password | | Determines if an individual entry within a store can have a password. | + +The Basic tab should look like this: + +![K8SCert Basic Tab](../docsource/images/K8SCert-basic-store-type-dialog.png) + +### Advanced Tab +| Attribute | Value | Description | +| --------- | ----- | ----- | +| Supports Custom Alias | Forbidden | Determines if an individual entry within a store can have a custom Alias. | +| Private Key Handling | Forbidden | This determines if Keyfactor can send the private key associated with a certificate to the store. Required because IIS certificates without private keys would be invalid. | +| PFX Password Style | Default | 'Default' - PFX password is randomly generated, 'Custom' - PFX password may be specified when the enrollment job is created (Requires the Allow Custom Password application setting to be enabled.) | + +The Advanced tab should look like this: + +![K8SCert Advanced Tab](../docsource/images/K8SCert-advanced-store-type-dialog.png) + +### Custom Fields Tab +Custom fields operate at the certificate store level and are used to control how the orchestrator connects to the remote target server containing the certificate store to be managed. The following custom fields should be added to the store type: + +| Name | Display Name | Type | Default Value/Options | Required | Description | +| ---- | ------------ | ---- | --------------------- | -------- | ----------- | + + +The Custom Fields tab should look like this: + +![K8SCert Custom Fields Tab](../docsource/images/K8SCert-custom-fields-store-type-dialog.png) + + + +
+ +## Certificate Store Configuration + +After creating the `K8SCert` Certificate Store Type and installing the Kubernetes Universal Orchestrator extension, you can create new [Certificate Stores](https://software.keyfactor.com/Core-OnPrem/Current/Content/ReferenceGuide/Certificate%20Stores.htm?Highlight=certificate%20store) to manage certificates in the remote platform. + +The following table describes the required and optional fields for the `K8SCert` certificate store type. + +| Attribute | Description | Attribute is PAM Eligible | +| --------- | ----------- | ------------------------- | +| Category | Select "K8SCert" or the customized certificate store name from the previous step. | | +| Container | Optional container to associate certificate store with. | | +| Client Machine | For the Client Machine field when instantiating new Certificate Stores of type 'K8SCert', enter the Kubernetes cluster endpoint or API server URL. Example: 'https://api.k8s.cluster.local:6443'. | | +| Store Path | For the Store Path field when instantiating new Certificate Stores of type 'K8SCert', enter the namespace and the name of the certificate resource in the format 'namespace/certificateName'. Example: 'default/my-k8s-cert'. | | +| Orchestrator | Select an approved orchestrator capable of managing `K8SCert` certificates. Specifically, one with the `K8SCert` capability. | | + +* **Using kfutil** + + ```shell + # Generate a CSV template for the AzureApp certificate store + kfutil stores import generate-template --store-type-name K8SCert --outpath K8SCert.csv + + # Open the CSV file and fill in the required fields for each certificate store. + + # Import the CSV file to create the certificate stores + kfutil stores import csv --store-type-name K8SCert --file K8SCert.csv + ``` + +* **Manually with the Command UI**: In Keyfactor Command, navigate to Certificate Stores from the Locations Menu. Click the Add button to create a new Certificate Store using the attributes in the table above. \ No newline at end of file diff --git a/docs/k8scluster.md b/docs/k8scluster.md new file mode 100644 index 0000000..2896e5e --- /dev/null +++ b/docs/k8scluster.md @@ -0,0 +1,210 @@ +## K8SCluster + +The K8SCluster Certificate Store Type enables the management of certificates across an entire Kubernetes cluster. This store type is designed to handle Kubernetes secrets of type `Opaque` and `kubernetes.io/tls` across all namespaces within a cluster, acting as a container for `K8SSecret` and `K8STLSSecret` stores. + +### Representation + +K8SCluster represents a higher-level aggregation of secrets management, providing a unified interface to manage certificates across multiple namespaces. This is particularly useful for organizations wanting centralized control over their certificate infrastructure within a Kubernetes environment. + +### Usage and SDK + +The K8SCluster Certificate Store Type does not require any additional SDKs as it relies on Kubernetes’ native API capabilities. The orchestrator uses a service account to interact with the Kubernetes API, performing operations needed to inventory and manage secrets across the cluster. + +### Caveats and Limitations + +There are some important considerations when using the K8SCluster Certificate Store Type: + +- **Service Account Permissions**: The service account should have sufficient permissions to list, create, update, and delete secrets across all namespaces. The lack of such permissions can hinder the orchestrator's ability to manage certificates. +- **Resource Scope**: Managing certificates at the cluster level can be complex due to the varied configurations and security policies across different namespaces. It's important to ensure that sensitive data is properly segregated and managed according to security best practices. +- **Configuration Complexity**: Given the broad scope of management, initial configuration can be intricate. Proper attention to detail is required to ensure all namespaces and their resources are correctly configured for certificate management. + +The K8SCluster Certificate Store Type offers a comprehensive solution for managing certificates across a Kubernetes cluster, providing centralized control while ensuring secure and efficient certificate lifecycle management. + + + +### Supported Job Types + +| Job Name | Supported | +| -------- | --------- | +| Inventory | ✅ | +| Management Add | ✅ | +| Management Remove | ✅ | +| Discovery | | +| Create | ✅ | +| Reenrollment | | + +## Requirements + +### Security Considerations +For the Kubernetes Orchestrator Extension to be able to communicate with a Kubernetes cluster, it must +be able to authenticate with the cluster. This is done by providing the extension with a service account +token that has the appropriate permissions to perform the desired operations. The service account token +can be provided to the extension in one of two ways: +- As a raw JSON file that contains the service account credentials +- As a base64 encoded string that contains the service account credentials + +### Service Account Setup +To set up a service account user on your Kubernetes cluster to be used by the Kubernetes Orchestrator Extension, use the following example as a guide: +```yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: keyfactor + namespace: keyfactor +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: keyfactor +rules: +- apiGroups: ["certificates.k8s.io"] + resources: ["certificatesigningrequests"] + verbs: ["create", "get", "list", "watch", "update", "patch", "delete"] +- apiGroups: [""] + resources: ["secrets"] + verbs: ["create", "get", "list", "watch", "update", "patch", "delete"] +- apiGroups: [""] + resources: ["namespaces"] + verbs: ["get", "list", "watch"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: keyfactor +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: keyfactor +subjects: +- kind: ServiceAccount + name: keyfactor + namespace: keyfactor +``` + +### Service Account Setup +To set up a service account user on your Kubernetes cluster to be used by the Kubernetes Orchestrator Extension, use the following example as a guide: +```yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: keyfactor + namespace: keyfactor +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: keyfactor +rules: +- apiGroups: ["certificates.k8s.io"] + resources: ["certificatesigningrequests"] + verbs: ["create", "get", "list", "watch", "update", "patch", "delete"] +- apiGroups: [""] + resources: ["secrets"] + verbs: ["create", "get", "list", "watch", "update", "patch", "delete"] +- apiGroups: [""] + resources: ["namespaces"] + verbs: ["get", "list", "watch"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: keyfactor +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: keyfactor +subjects: +- kind: ServiceAccount + name: keyfactor + namespace: keyfactor +``` + + + +## Certificate Store Type Configuration + +The recommended method for creating the `K8SCluster` Certificate Store Type is to use [kfutil](https://github.com/Keyfactor/kfutil). After installing, use the following command to create the `` Certificate Store Type: + +```shell +kfutil store-types create K8SCluster +``` + +
K8SCluster + +Create a store type called `K8SCluster` with the attributes in the tables below: + +### Basic Tab +| Attribute | Value | Description | +| --------- | ----- | ----- | +| Name | K8SCluster | Display name for the store type (may be customized) | +| Short Name | K8SCluster | Short display name for the store type | +| Capability | K8SCluster | Store type name orchestrator will register with. Check the box to allow entry of value | +| Supported Job Types (check the box for each) | Add, Discovery, Remove | Job types the extension supports | +| Supports Add | ✅ | Check the box. Indicates that the Store Type supports Management Add | +| Supports Remove | ✅ | Check the box. Indicates that the Store Type supports Management Remove | +| Supports Discovery | | Indicates that the Store Type supports Discovery | +| Supports Reenrollment | | Indicates that the Store Type supports Reenrollment | +| Supports Create | ✅ | Check the box. Indicates that the Store Type supports store creation | +| Needs Server | ✅ | Determines if a target server name is required when creating store | +| Blueprint Allowed | | Determines if store type may be included in an Orchestrator blueprint | +| Uses PowerShell | | Determines if underlying implementation is PowerShell | +| Requires Store Password | | Determines if a store password is required when configuring an individual store. | +| Supports Entry Password | | Determines if an individual entry within a store can have a password. | + +The Basic tab should look like this: + +![K8SCluster Basic Tab](../docsource/images/K8SCluster-basic-store-type-dialog.png) + +### Advanced Tab +| Attribute | Value | Description | +| --------- | ----- | ----- | +| Supports Custom Alias | Required | Determines if an individual entry within a store can have a custom Alias. | +| Private Key Handling | Optional | This determines if Keyfactor can send the private key associated with a certificate to the store. Required because IIS certificates without private keys would be invalid. | +| PFX Password Style | Default | 'Default' - PFX password is randomly generated, 'Custom' - PFX password may be specified when the enrollment job is created (Requires the Allow Custom Password application setting to be enabled.) | + +The Advanced tab should look like this: + +![K8SCluster Advanced Tab](../docsource/images/K8SCluster-advanced-store-type-dialog.png) + +### Custom Fields Tab +Custom fields operate at the certificate store level and are used to control how the orchestrator connects to the remote target server containing the certificate store to be managed. The following custom fields should be added to the store type: + +| Name | Display Name | Type | Default Value/Options | Required | Description | +| ---- | ------------ | ---- | --------------------- | -------- | ----------- | + + +The Custom Fields tab should look like this: + +![K8SCluster Custom Fields Tab](../docsource/images/K8SCluster-custom-fields-store-type-dialog.png) + + + +
+ +## Certificate Store Configuration + +After creating the `K8SCluster` Certificate Store Type and installing the Kubernetes Universal Orchestrator extension, you can create new [Certificate Stores](https://software.keyfactor.com/Core-OnPrem/Current/Content/ReferenceGuide/Certificate%20Stores.htm?Highlight=certificate%20store) to manage certificates in the remote platform. + +The following table describes the required and optional fields for the `K8SCluster` certificate store type. + +| Attribute | Description | Attribute is PAM Eligible | +| --------- | ----------- | ------------------------- | +| Category | Select "K8SCluster" or the customized certificate store name from the previous step. | | +| Container | Optional container to associate certificate store with. | | +| Client Machine | For the Client Machine field when instantiating new Certificate Stores of type 'K8SCluster', enter the Kubernetes cluster endpoint or API server URL. Example: 'https://api.k8s.cluster.local:6443'. | | +| Store Path | For the Store Path field when instantiating new Certificate Stores of type 'K8SCluster', enter the name of the Kubernetes cluster. Example: 'my-k8s-cluster'. | | +| Orchestrator | Select an approved orchestrator capable of managing `K8SCluster` certificates. Specifically, one with the `K8SCluster` capability. | | + +* **Using kfutil** + + ```shell + # Generate a CSV template for the AzureApp certificate store + kfutil stores import generate-template --store-type-name K8SCluster --outpath K8SCluster.csv + + # Open the CSV file and fill in the required fields for each certificate store. + + # Import the CSV file to create the certificate stores + kfutil stores import csv --store-type-name K8SCluster --file K8SCluster.csv + ``` + +* **Manually with the Command UI**: In Keyfactor Command, navigate to Certificate Stores from the Locations Menu. Click the Add button to create a new Certificate Store using the attributes in the table above. \ No newline at end of file diff --git a/docs/k8sjks.md b/docs/k8sjks.md new file mode 100644 index 0000000..8f99ab5 --- /dev/null +++ b/docs/k8sjks.md @@ -0,0 +1,210 @@ +## K8SJKS + +The K8SJKS Certificate Store Type is designed to manage Java Keystores (JKS) that are stored within Kubernetes secrets of type `Opaque`. This store type specifically interacts with fields in Kubernetes secrets that contain JKS data, allowing for the inventory and management of certificates within these keystores. + +### Representation + +K8SJKS represents Kubernetes secrets that include one or more JKS files. Each entry within a JKS file is treated as a separate certificate entity, managed using a custom alias pattern. This is particularly useful for applications and services hosted within a Kubernetes cluster that require Java Keystore management. + +### Usage and SDK + +The K8SJKS Certificate Store Type does not require any additional SDKs and relies on direct interaction with the Kubernetes API through a service account. This interaction allows the orchestrator to inventory and manage secrets efficiently without needing any third-party libraries. + +### Caveats and Limitations + +There are a few important considerations when using the K8SJKS Certificate Store Type: + +- **Service Account Permissions**: The service account must have the necessary permissions to list, create, update, and delete secrets within the Kubernetes namespace. Without sufficient permissions, the orchestrator will be unable to manage the JKS secrets. +- **Custom Alias Pattern**: The orchestrator manages certificates using a custom alias of the pattern `k8s_secret_field_name/keystore_alias`. Users must understand this pattern to correctly reference and manage specific certificates within a JKS. +- **Unique Credentials**: Each JKS requires unique credentials, making it impossible to manage them collectively at the cluster or namespace level. This granularity necessitates careful configuration to ensure each keystore is correctly managed. + +By recognizing these considerations, the K8SJKS Certificate Store Type offers a robust solution for managing Java Keystores within Kubernetes, facilitating secure and efficient certificate lifecycle management for Java applications deployed in the cluster. + + + +### Supported Job Types + +| Job Name | Supported | +| -------- | --------- | +| Inventory | ✅ | +| Management Add | ✅ | +| Management Remove | ✅ | +| Discovery | ✅ | +| Create | ✅ | +| Reenrollment | | + +## Requirements + +### Security Considerations +For the Kubernetes Orchestrator Extension to be able to communicate with a Kubernetes cluster, it must +be able to authenticate with the cluster. This is done by providing the extension with a service account +token that has the appropriate permissions to perform the desired operations. The service account token +can be provided to the extension in one of two ways: +- As a raw JSON file that contains the service account credentials +- As a base64 encoded string that contains the service account credentials + +### Service Account Setup +To set up a service account user on your Kubernetes cluster to be used by the Kubernetes Orchestrator Extension, use the following example as a guide: +```yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: keyfactor + namespace: keyfactor +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: keyfactor +rules: +- apiGroups: ["certificates.k8s.io"] + resources: ["certificatesigningrequests"] + verbs: ["create", "get", "list", "watch", "update", "patch", "delete"] +- apiGroups: [""] + resources: ["secrets"] + verbs: ["create", "get", "list", "watch", "update", "patch", "delete"] +- apiGroups: [""] + resources: ["namespaces"] + verbs: ["get", "list", "watch"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: keyfactor +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: keyfactor +subjects: +- kind: ServiceAccount + name: keyfactor + namespace: keyfactor +``` + +### Service Account Setup +To set up a service account user on your Kubernetes cluster to be used by the Kubernetes Orchestrator Extension, use the following example as a guide: +```yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: keyfactor + namespace: keyfactor +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: keyfactor +rules: +- apiGroups: ["certificates.k8s.io"] + resources: ["certificatesigningrequests"] + verbs: ["create", "get", "list", "watch", "update", "patch", "delete"] +- apiGroups: [""] + resources: ["secrets"] + verbs: ["create", "get", "list", "watch", "update", "patch", "delete"] +- apiGroups: [""] + resources: ["namespaces"] + verbs: ["get", "list", "watch"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: keyfactor +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: keyfactor +subjects: +- kind: ServiceAccount + name: keyfactor + namespace: keyfactor +``` + + + +## Certificate Store Type Configuration + +The recommended method for creating the `K8SJKS` Certificate Store Type is to use [kfutil](https://github.com/Keyfactor/kfutil). After installing, use the following command to create the `` Certificate Store Type: + +```shell +kfutil store-types create K8SJKS +``` + +
K8SJKS + +Create a store type called `K8SJKS` with the attributes in the tables below: + +### Basic Tab +| Attribute | Value | Description | +| --------- | ----- | ----- | +| Name | K8SJKS | Display name for the store type (may be customized) | +| Short Name | K8SJKS | Short display name for the store type | +| Capability | K8SJKS | Store type name orchestrator will register with. Check the box to allow entry of value | +| Supported Job Types (check the box for each) | Add, Discovery, Remove | Job types the extension supports | +| Supports Add | ✅ | Check the box. Indicates that the Store Type supports Management Add | +| Supports Remove | ✅ | Check the box. Indicates that the Store Type supports Management Remove | +| Supports Discovery | ✅ | Check the box. Indicates that the Store Type supports Discovery | +| Supports Reenrollment | | Indicates that the Store Type supports Reenrollment | +| Supports Create | ✅ | Check the box. Indicates that the Store Type supports store creation | +| Needs Server | ✅ | Determines if a target server name is required when creating store | +| Blueprint Allowed | | Determines if store type may be included in an Orchestrator blueprint | +| Uses PowerShell | | Determines if underlying implementation is PowerShell | +| Requires Store Password | ✅ | Determines if a store password is required when configuring an individual store. | +| Supports Entry Password | | Determines if an individual entry within a store can have a password. | + +The Basic tab should look like this: + +![K8SJKS Basic Tab](../docsource/images/K8SJKS-basic-store-type-dialog.png) + +### Advanced Tab +| Attribute | Value | Description | +| --------- | ----- | ----- | +| Supports Custom Alias | Required | Determines if an individual entry within a store can have a custom Alias. | +| Private Key Handling | Optional | This determines if Keyfactor can send the private key associated with a certificate to the store. Required because IIS certificates without private keys would be invalid. | +| PFX Password Style | Default | 'Default' - PFX password is randomly generated, 'Custom' - PFX password may be specified when the enrollment job is created (Requires the Allow Custom Password application setting to be enabled.) | + +The Advanced tab should look like this: + +![K8SJKS Advanced Tab](../docsource/images/K8SJKS-advanced-store-type-dialog.png) + +### Custom Fields Tab +Custom fields operate at the certificate store level and are used to control how the orchestrator connects to the remote target server containing the certificate store to be managed. The following custom fields should be added to the store type: + +| Name | Display Name | Type | Default Value/Options | Required | Description | +| ---- | ------------ | ---- | --------------------- | -------- | ----------- | + + +The Custom Fields tab should look like this: + +![K8SJKS Custom Fields Tab](../docsource/images/K8SJKS-custom-fields-store-type-dialog.png) + + + +
+ +## Certificate Store Configuration + +After creating the `K8SJKS` Certificate Store Type and installing the Kubernetes Universal Orchestrator extension, you can create new [Certificate Stores](https://software.keyfactor.com/Core-OnPrem/Current/Content/ReferenceGuide/Certificate%20Stores.htm?Highlight=certificate%20store) to manage certificates in the remote platform. + +The following table describes the required and optional fields for the `K8SJKS` certificate store type. + +| Attribute | Description | Attribute is PAM Eligible | +| --------- | ----------- | ------------------------- | +| Category | Select "K8SJKS" or the customized certificate store name from the previous step. | | +| Container | Optional container to associate certificate store with. | | +| Client Machine | For the Client Machine field when instantiating new Certificate Stores of type 'K8SJKS', enter the Kubernetes cluster endpoint or API server URL. Example: 'https://api.k8s.cluster.local:6443'. | | +| Store Path | For the Store Path field when instantiating new Certificate Stores of type 'K8SJKS', enter the namespace and the secret name containing the JKS data in the format 'namespace/secretName'. Example: 'default/my-jks-secret'. | | +| Orchestrator | Select an approved orchestrator capable of managing `K8SJKS` certificates. Specifically, one with the `K8SJKS` capability. | | + +* **Using kfutil** + + ```shell + # Generate a CSV template for the AzureApp certificate store + kfutil stores import generate-template --store-type-name K8SJKS --outpath K8SJKS.csv + + # Open the CSV file and fill in the required fields for each certificate store. + + # Import the CSV file to create the certificate stores + kfutil stores import csv --store-type-name K8SJKS --file K8SJKS.csv + ``` + +* **Manually with the Command UI**: In Keyfactor Command, navigate to Certificate Stores from the Locations Menu. Click the Add button to create a new Certificate Store using the attributes in the table above. \ No newline at end of file diff --git a/docs/k8sns.md b/docs/k8sns.md new file mode 100644 index 0000000..4de6f79 --- /dev/null +++ b/docs/k8sns.md @@ -0,0 +1,210 @@ +## K8SNS + +The K8SNS Certificate Store Type is designed to manage certificates within a specific Kubernetes namespace. This store type aggregates secrets of type `Opaque` and `kubernetes.io/tls` within a defined namespace, effectively acting as a container for `K8SSecret` and `K8STLSSecret` stores in that namespace. + +### Representation + +K8SNS represents a high-level grouping of secrets management focused on a single Kubernetes namespace. By managing all relevant secrets within this scope, it allows for more centralized and controlled certificate management across that namespace. This is particularly useful for segmenting and managing certificates in multi-tenant environments or environments with specific namespace-based security policies. + +### Usage and SDK + +The K8SNS Certificate Store Type interacts directly with the Kubernetes API through a service account, thus it does not require any additional SDKs. The orchestrator uses the permissions granted to the service account to manage secrets efficiently within the specified namespace. + +### Caveats and Limitations + +There are important considerations when using the K8SNS Certificate Store Type: + +- **Service Account Permissions**: The service account must have sufficient permissions to list, create, update, and delete secrets within the target namespace. Insufficient permissions can prevent the orchestrator from functioning correctly. +- **Namespace Scope**: While this store type is useful for managing certificates within a single namespace, it does not provide a cross-namespace management capability. Users must set up individual stores for each namespace they want to manage. +- **Field Requirements**: This store type will only inventory secrets that contain the keys `tls.crt` and `tls.key`. Other data within the secret will be ignored. + +By taking these considerations into account, the K8SNS Certificate Store Type provides an effective solution for managing certificates within a Kubernetes namespace, supporting secure and organized certificate lifecycle management. + + + +### Supported Job Types + +| Job Name | Supported | +| -------- | --------- | +| Inventory | ✅ | +| Management Add | ✅ | +| Management Remove | ✅ | +| Discovery | ✅ | +| Create | ✅ | +| Reenrollment | | + +## Requirements + +### Security Considerations +For the Kubernetes Orchestrator Extension to be able to communicate with a Kubernetes cluster, it must +be able to authenticate with the cluster. This is done by providing the extension with a service account +token that has the appropriate permissions to perform the desired operations. The service account token +can be provided to the extension in one of two ways: +- As a raw JSON file that contains the service account credentials +- As a base64 encoded string that contains the service account credentials + +### Service Account Setup +To set up a service account user on your Kubernetes cluster to be used by the Kubernetes Orchestrator Extension, use the following example as a guide: +```yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: keyfactor + namespace: keyfactor +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: keyfactor +rules: +- apiGroups: ["certificates.k8s.io"] + resources: ["certificatesigningrequests"] + verbs: ["create", "get", "list", "watch", "update", "patch", "delete"] +- apiGroups: [""] + resources: ["secrets"] + verbs: ["create", "get", "list", "watch", "update", "patch", "delete"] +- apiGroups: [""] + resources: ["namespaces"] + verbs: ["get", "list", "watch"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: keyfactor +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: keyfactor +subjects: +- kind: ServiceAccount + name: keyfactor + namespace: keyfactor +``` + +### Service Account Setup +To set up a service account user on your Kubernetes cluster to be used by the Kubernetes Orchestrator Extension, use the following example as a guide: +```yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: keyfactor + namespace: keyfactor +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: keyfactor +rules: +- apiGroups: ["certificates.k8s.io"] + resources: ["certificatesigningrequests"] + verbs: ["create", "get", "list", "watch", "update", "patch", "delete"] +- apiGroups: [""] + resources: ["secrets"] + verbs: ["create", "get", "list", "watch", "update", "patch", "delete"] +- apiGroups: [""] + resources: ["namespaces"] + verbs: ["get", "list", "watch"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: keyfactor +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: keyfactor +subjects: +- kind: ServiceAccount + name: keyfactor + namespace: keyfactor +``` + + + +## Certificate Store Type Configuration + +The recommended method for creating the `K8SNS` Certificate Store Type is to use [kfutil](https://github.com/Keyfactor/kfutil). After installing, use the following command to create the `` Certificate Store Type: + +```shell +kfutil store-types create K8SNS +``` + +
K8SNS + +Create a store type called `K8SNS` with the attributes in the tables below: + +### Basic Tab +| Attribute | Value | Description | +| --------- | ----- | ----- | +| Name | K8SNS | Display name for the store type (may be customized) | +| Short Name | K8SNS | Short display name for the store type | +| Capability | K8SNS | Store type name orchestrator will register with. Check the box to allow entry of value | +| Supported Job Types (check the box for each) | Add, Discovery, Remove | Job types the extension supports | +| Supports Add | ✅ | Check the box. Indicates that the Store Type supports Management Add | +| Supports Remove | ✅ | Check the box. Indicates that the Store Type supports Management Remove | +| Supports Discovery | ✅ | Check the box. Indicates that the Store Type supports Discovery | +| Supports Reenrollment | | Indicates that the Store Type supports Reenrollment | +| Supports Create | ✅ | Check the box. Indicates that the Store Type supports store creation | +| Needs Server | ✅ | Determines if a target server name is required when creating store | +| Blueprint Allowed | | Determines if store type may be included in an Orchestrator blueprint | +| Uses PowerShell | | Determines if underlying implementation is PowerShell | +| Requires Store Password | | Determines if a store password is required when configuring an individual store. | +| Supports Entry Password | | Determines if an individual entry within a store can have a password. | + +The Basic tab should look like this: + +![K8SNS Basic Tab](../docsource/images/K8SNS-basic-store-type-dialog.png) + +### Advanced Tab +| Attribute | Value | Description | +| --------- | ----- | ----- | +| Supports Custom Alias | Required | Determines if an individual entry within a store can have a custom Alias. | +| Private Key Handling | Optional | This determines if Keyfactor can send the private key associated with a certificate to the store. Required because IIS certificates without private keys would be invalid. | +| PFX Password Style | Default | 'Default' - PFX password is randomly generated, 'Custom' - PFX password may be specified when the enrollment job is created (Requires the Allow Custom Password application setting to be enabled.) | + +The Advanced tab should look like this: + +![K8SNS Advanced Tab](../docsource/images/K8SNS-advanced-store-type-dialog.png) + +### Custom Fields Tab +Custom fields operate at the certificate store level and are used to control how the orchestrator connects to the remote target server containing the certificate store to be managed. The following custom fields should be added to the store type: + +| Name | Display Name | Type | Default Value/Options | Required | Description | +| ---- | ------------ | ---- | --------------------- | -------- | ----------- | + + +The Custom Fields tab should look like this: + +![K8SNS Custom Fields Tab](../docsource/images/K8SNS-custom-fields-store-type-dialog.png) + + + +
+ +## Certificate Store Configuration + +After creating the `K8SNS` Certificate Store Type and installing the Kubernetes Universal Orchestrator extension, you can create new [Certificate Stores](https://software.keyfactor.com/Core-OnPrem/Current/Content/ReferenceGuide/Certificate%20Stores.htm?Highlight=certificate%20store) to manage certificates in the remote platform. + +The following table describes the required and optional fields for the `K8SNS` certificate store type. + +| Attribute | Description | Attribute is PAM Eligible | +| --------- | ----------- | ------------------------- | +| Category | Select "K8SNS" or the customized certificate store name from the previous step. | | +| Container | Optional container to associate certificate store with. | | +| Client Machine | For the Client Machine field when instantiating new Certificate Stores of type 'K8SNS', enter the Kubernetes cluster endpoint or API server URL. Example: 'https://api.k8s.cluster.local:6443'. | | +| Store Path | For the Store Path field when instantiating new Certificate Stores of type 'K8SNS', enter the namespace you wish to manage. Example: 'default'. | | +| Orchestrator | Select an approved orchestrator capable of managing `K8SNS` certificates. Specifically, one with the `K8SNS` capability. | | + +* **Using kfutil** + + ```shell + # Generate a CSV template for the AzureApp certificate store + kfutil stores import generate-template --store-type-name K8SNS --outpath K8SNS.csv + + # Open the CSV file and fill in the required fields for each certificate store. + + # Import the CSV file to create the certificate stores + kfutil stores import csv --store-type-name K8SNS --file K8SNS.csv + ``` + +* **Manually with the Command UI**: In Keyfactor Command, navigate to Certificate Stores from the Locations Menu. Click the Add button to create a new Certificate Store using the attributes in the table above. \ No newline at end of file diff --git a/docs/k8spkcs12.md b/docs/k8spkcs12.md new file mode 100644 index 0000000..eadcc5d --- /dev/null +++ b/docs/k8spkcs12.md @@ -0,0 +1,214 @@ +## K8SPKCS12 + +The K8SPKCS12 Certificate Store Type is designed to manage PKCS12 files stored within Kubernetes secrets of type `Opaque`. This store type focuses on secrets containing PKCS12 data, allowing for the inventory and management of certificates and keys within these files. + +### Representation + +K8SPKCS12 represents Kubernetes secrets that include one or more PKCS12 files. Each file within a secret is treated as a separate certificate entity, managed using a custom alias pattern. This is particularly useful for applications requiring PKCS12 format for their keystores, commonly seen in Java applications and other use-cases requiring bundled certificates and keys. + +### Usage and SDK + +The K8SPKCS12 Certificate Store Type does not require any additional SDKs beyond the orchestrator’s capabilities. It communicates directly with the Kubernetes API using a service account to perform its operations. No third-party libraries are needed. + +### Caveats and Limitations + +Several important considerations should be noted when using the K8SPKCS12 Certificate Store Type: + +- **Service Account Permissions**: The service account must have sufficient permissions to list, create, update, and delete secrets in the Kubernetes namespace where the secrets reside. Without these permissions, the orchestrator cannot function correctly. + +- **Custom Alias Pattern**: The orchestrator uses a custom alias pattern for managing certificates: `/`. Users should be familiar with this pattern to correctly reference and manage specific certificates within a PKCS12 file. + +- **Password Management**: PKCS12 files often require passwords to access their contents. The orchestrator supports various methods for password management, including specifying passwords directly in the secrets or through other configuration fields. + +- **Unique Credentials**: Each PKCS12 file may require unique credentials, which makes it challenging to manage them collectively at the cluster or namespace level. This requires detailed configuration to ensure each PKCS12 keystore is managed correctly. + +By considering these factors, the K8SPKCS12 Certificate Store Type offers a robust solution for managing PKCS12 files within Kubernetes, facilitating secure and efficient certificate lifecycle management for applications that rely on this format. + + + +### Supported Job Types + +| Job Name | Supported | +| -------- | --------- | +| Inventory | ✅ | +| Management Add | ✅ | +| Management Remove | ✅ | +| Discovery | ✅ | +| Create | ✅ | +| Reenrollment | | + +## Requirements + +### Security Considerations +For the Kubernetes Orchestrator Extension to be able to communicate with a Kubernetes cluster, it must +be able to authenticate with the cluster. This is done by providing the extension with a service account +token that has the appropriate permissions to perform the desired operations. The service account token +can be provided to the extension in one of two ways: +- As a raw JSON file that contains the service account credentials +- As a base64 encoded string that contains the service account credentials + +### Service Account Setup +To set up a service account user on your Kubernetes cluster to be used by the Kubernetes Orchestrator Extension, use the following example as a guide: +```yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: keyfactor + namespace: keyfactor +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: keyfactor +rules: +- apiGroups: ["certificates.k8s.io"] + resources: ["certificatesigningrequests"] + verbs: ["create", "get", "list", "watch", "update", "patch", "delete"] +- apiGroups: [""] + resources: ["secrets"] + verbs: ["create", "get", "list", "watch", "update", "patch", "delete"] +- apiGroups: [""] + resources: ["namespaces"] + verbs: ["get", "list", "watch"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: keyfactor +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: keyfactor +subjects: +- kind: ServiceAccount + name: keyfactor + namespace: keyfactor +``` + +### Service Account Setup +To set up a service account user on your Kubernetes cluster to be used by the Kubernetes Orchestrator Extension, use the following example as a guide: +```yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: keyfactor + namespace: keyfactor +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: keyfactor +rules: +- apiGroups: ["certificates.k8s.io"] + resources: ["certificatesigningrequests"] + verbs: ["create", "get", "list", "watch", "update", "patch", "delete"] +- apiGroups: [""] + resources: ["secrets"] + verbs: ["create", "get", "list", "watch", "update", "patch", "delete"] +- apiGroups: [""] + resources: ["namespaces"] + verbs: ["get", "list", "watch"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: keyfactor +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: keyfactor +subjects: +- kind: ServiceAccount + name: keyfactor + namespace: keyfactor +``` + + + +## Certificate Store Type Configuration + +The recommended method for creating the `K8SPKCS12` Certificate Store Type is to use [kfutil](https://github.com/Keyfactor/kfutil). After installing, use the following command to create the `` Certificate Store Type: + +```shell +kfutil store-types create K8SPKCS12 +``` + +
K8SPKCS12 + +Create a store type called `K8SPKCS12` with the attributes in the tables below: + +### Basic Tab +| Attribute | Value | Description | +| --------- | ----- | ----- | +| Name | K8SPKCS12 | Display name for the store type (may be customized) | +| Short Name | K8SPKCS12 | Short display name for the store type | +| Capability | K8SPKCS12 | Store type name orchestrator will register with. Check the box to allow entry of value | +| Supported Job Types (check the box for each) | Add, Discovery, Remove | Job types the extension supports | +| Supports Add | ✅ | Check the box. Indicates that the Store Type supports Management Add | +| Supports Remove | ✅ | Check the box. Indicates that the Store Type supports Management Remove | +| Supports Discovery | ✅ | Check the box. Indicates that the Store Type supports Discovery | +| Supports Reenrollment | | Indicates that the Store Type supports Reenrollment | +| Supports Create | ✅ | Check the box. Indicates that the Store Type supports store creation | +| Needs Server | ✅ | Determines if a target server name is required when creating store | +| Blueprint Allowed | | Determines if store type may be included in an Orchestrator blueprint | +| Uses PowerShell | | Determines if underlying implementation is PowerShell | +| Requires Store Password | ✅ | Determines if a store password is required when configuring an individual store. | +| Supports Entry Password | | Determines if an individual entry within a store can have a password. | + +The Basic tab should look like this: + +![K8SPKCS12 Basic Tab](../docsource/images/K8SPKCS12-basic-store-type-dialog.png) + +### Advanced Tab +| Attribute | Value | Description | +| --------- | ----- | ----- | +| Supports Custom Alias | Required | Determines if an individual entry within a store can have a custom Alias. | +| Private Key Handling | Optional | This determines if Keyfactor can send the private key associated with a certificate to the store. Required because IIS certificates without private keys would be invalid. | +| PFX Password Style | Default | 'Default' - PFX password is randomly generated, 'Custom' - PFX password may be specified when the enrollment job is created (Requires the Allow Custom Password application setting to be enabled.) | + +The Advanced tab should look like this: + +![K8SPKCS12 Advanced Tab](../docsource/images/K8SPKCS12-advanced-store-type-dialog.png) + +### Custom Fields Tab +Custom fields operate at the certificate store level and are used to control how the orchestrator connects to the remote target server containing the certificate store to be managed. The following custom fields should be added to the store type: + +| Name | Display Name | Type | Default Value/Options | Required | Description | +| ---- | ------------ | ---- | --------------------- | -------- | ----------- | + + +The Custom Fields tab should look like this: + +![K8SPKCS12 Custom Fields Tab](../docsource/images/K8SPKCS12-custom-fields-store-type-dialog.png) + + + +
+ +## Certificate Store Configuration + +After creating the `K8SPKCS12` Certificate Store Type and installing the Kubernetes Universal Orchestrator extension, you can create new [Certificate Stores](https://software.keyfactor.com/Core-OnPrem/Current/Content/ReferenceGuide/Certificate%20Stores.htm?Highlight=certificate%20store) to manage certificates in the remote platform. + +The following table describes the required and optional fields for the `K8SPKCS12` certificate store type. + +| Attribute | Description | Attribute is PAM Eligible | +| --------- | ----------- | ------------------------- | +| Category | Select "K8SPKCS12" or the customized certificate store name from the previous step. | | +| Container | Optional container to associate certificate store with. | | +| Client Machine | For the Client Machine field when instantiating new Certificate Stores of type 'K8SPKCS12', enter the Kubernetes cluster endpoint or API server URL. Example: 'https://api.k8s.cluster.local:6443'. | | +| Store Path | For the Store Path field when instantiating new Certificate Stores of type 'K8SPKCS12', enter the namespace and the secret name containing the PKCS12 data in the format 'namespace/secretName'. Example: 'default/my-pkcs12-secret'. | | +| Orchestrator | Select an approved orchestrator capable of managing `K8SPKCS12` certificates. Specifically, one with the `K8SPKCS12` capability. | | + +* **Using kfutil** + + ```shell + # Generate a CSV template for the AzureApp certificate store + kfutil stores import generate-template --store-type-name K8SPKCS12 --outpath K8SPKCS12.csv + + # Open the CSV file and fill in the required fields for each certificate store. + + # Import the CSV file to create the certificate stores + kfutil stores import csv --store-type-name K8SPKCS12 --file K8SPKCS12.csv + ``` + +* **Manually with the Command UI**: In Keyfactor Command, navigate to Certificate Stores from the Locations Menu. Click the Add button to create a new Certificate Store using the attributes in the table above. \ No newline at end of file diff --git a/docs/k8ssecret.md b/docs/k8ssecret.md new file mode 100644 index 0000000..b1d1732 --- /dev/null +++ b/docs/k8ssecret.md @@ -0,0 +1,212 @@ +## K8SSecret + +The K8SSecret Certificate Store Type is designed to manage Kubernetes secrets of type `Opaque`. This store type provides functionality for storing and managing various certificates and their associated private keys within Kubernetes secrets, allowing for secure and organized certificate management. + +### Representation + +K8SSecret represents Kubernetes `Opaque` secrets that can contain arbitrary fields. However, the orchestrator specifically manages fields named `certificates` and `private_keys`, ensuring that certificate and key data is handled securely and efficiently. This is useful for various applications and services within a Kubernetes cluster that need to securely store and access certificates. + +### Usage and SDK + +The K8SSecret Certificate Store Type communicates directly with the Kubernetes API using a service account, eliminating the need for any additional SDKs. The orchestrator leverages the permissions of the service account to perform necessary operations such as inventory, add, and remove certificates within the Kubernetes secrets. + +### Caveats and Limitations + +Several important considerations should be noted when using the K8SSecret Certificate Store Type: + +- **Service Account Permissions**: The service account must have the appropriate permissions to create, list, update, and delete secrets within the specified Kubernetes namespace. Without sufficient permissions, the orchestrator will not be able to manage the secrets effectively. + +- **Field Constraints**: The orchestrator will only manage the fields named `certificates` and `private_keys` within the secret. Any other fields will be ignored, which means users must ensure that the relevant data is stored in these fields. + +- **Single Certificate Management**: This store type supports the management of a single certificate within each secret. Adding a new certificate will overwrite the existing fields in the secret. Users should be cautious of this behavior to avoid unintentional data loss. + +By considering these factors, the K8SSecret Certificate Store Type offers a reliable way to manage `Opaque` secrets in Kubernetes, ensuring secure and efficient certificate lifecycle management within the cluster. + + + +### Supported Job Types + +| Job Name | Supported | +| -------- | --------- | +| Inventory | ✅ | +| Management Add | ✅ | +| Management Remove | ✅ | +| Discovery | ✅ | +| Create | ✅ | +| Reenrollment | | + +## Requirements + +### Security Considerations +For the Kubernetes Orchestrator Extension to be able to communicate with a Kubernetes cluster, it must +be able to authenticate with the cluster. This is done by providing the extension with a service account +token that has the appropriate permissions to perform the desired operations. The service account token +can be provided to the extension in one of two ways: +- As a raw JSON file that contains the service account credentials +- As a base64 encoded string that contains the service account credentials + +### Service Account Setup +To set up a service account user on your Kubernetes cluster to be used by the Kubernetes Orchestrator Extension, use the following example as a guide: +```yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: keyfactor + namespace: keyfactor +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: keyfactor +rules: +- apiGroups: ["certificates.k8s.io"] + resources: ["certificatesigningrequests"] + verbs: ["create", "get", "list", "watch", "update", "patch", "delete"] +- apiGroups: [""] + resources: ["secrets"] + verbs: ["create", "get", "list", "watch", "update", "patch", "delete"] +- apiGroups: [""] + resources: ["namespaces"] + verbs: ["get", "list", "watch"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: keyfactor +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: keyfactor +subjects: +- kind: ServiceAccount + name: keyfactor + namespace: keyfactor +``` + +### Service Account Setup +To set up a service account user on your Kubernetes cluster to be used by the Kubernetes Orchestrator Extension, use the following example as a guide: +```yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: keyfactor + namespace: keyfactor +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: keyfactor +rules: +- apiGroups: ["certificates.k8s.io"] + resources: ["certificatesigningrequests"] + verbs: ["create", "get", "list", "watch", "update", "patch", "delete"] +- apiGroups: [""] + resources: ["secrets"] + verbs: ["create", "get", "list", "watch", "update", "patch", "delete"] +- apiGroups: [""] + resources: ["namespaces"] + verbs: ["get", "list", "watch"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: keyfactor +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: keyfactor +subjects: +- kind: ServiceAccount + name: keyfactor + namespace: keyfactor +``` + + + +## Certificate Store Type Configuration + +The recommended method for creating the `K8SSecret` Certificate Store Type is to use [kfutil](https://github.com/Keyfactor/kfutil). After installing, use the following command to create the `` Certificate Store Type: + +```shell +kfutil store-types create K8SSecret +``` + +
K8SSecret + +Create a store type called `K8SSecret` with the attributes in the tables below: + +### Basic Tab +| Attribute | Value | Description | +| --------- | ----- | ----- | +| Name | K8SSecret | Display name for the store type (may be customized) | +| Short Name | K8SSecret | Short display name for the store type | +| Capability | K8SSecret | Store type name orchestrator will register with. Check the box to allow entry of value | +| Supported Job Types (check the box for each) | Add, Discovery, Remove | Job types the extension supports | +| Supports Add | ✅ | Check the box. Indicates that the Store Type supports Management Add | +| Supports Remove | ✅ | Check the box. Indicates that the Store Type supports Management Remove | +| Supports Discovery | ✅ | Check the box. Indicates that the Store Type supports Discovery | +| Supports Reenrollment | | Indicates that the Store Type supports Reenrollment | +| Supports Create | ✅ | Check the box. Indicates that the Store Type supports store creation | +| Needs Server | ✅ | Determines if a target server name is required when creating store | +| Blueprint Allowed | | Determines if store type may be included in an Orchestrator blueprint | +| Uses PowerShell | | Determines if underlying implementation is PowerShell | +| Requires Store Password | | Determines if a store password is required when configuring an individual store. | +| Supports Entry Password | | Determines if an individual entry within a store can have a password. | + +The Basic tab should look like this: + +![K8SSecret Basic Tab](../docsource/images/K8SSecret-basic-store-type-dialog.png) + +### Advanced Tab +| Attribute | Value | Description | +| --------- | ----- | ----- | +| Supports Custom Alias | Forbidden | Determines if an individual entry within a store can have a custom Alias. | +| Private Key Handling | Optional | This determines if Keyfactor can send the private key associated with a certificate to the store. Required because IIS certificates without private keys would be invalid. | +| PFX Password Style | Default | 'Default' - PFX password is randomly generated, 'Custom' - PFX password may be specified when the enrollment job is created (Requires the Allow Custom Password application setting to be enabled.) | + +The Advanced tab should look like this: + +![K8SSecret Advanced Tab](../docsource/images/K8SSecret-advanced-store-type-dialog.png) + +### Custom Fields Tab +Custom fields operate at the certificate store level and are used to control how the orchestrator connects to the remote target server containing the certificate store to be managed. The following custom fields should be added to the store type: + +| Name | Display Name | Type | Default Value/Options | Required | Description | +| ---- | ------------ | ---- | --------------------- | -------- | ----------- | + + +The Custom Fields tab should look like this: + +![K8SSecret Custom Fields Tab](../docsource/images/K8SSecret-custom-fields-store-type-dialog.png) + + + +
+ +## Certificate Store Configuration + +After creating the `K8SSecret` Certificate Store Type and installing the Kubernetes Universal Orchestrator extension, you can create new [Certificate Stores](https://software.keyfactor.com/Core-OnPrem/Current/Content/ReferenceGuide/Certificate%20Stores.htm?Highlight=certificate%20store) to manage certificates in the remote platform. + +The following table describes the required and optional fields for the `K8SSecret` certificate store type. + +| Attribute | Description | Attribute is PAM Eligible | +| --------- | ----------- | ------------------------- | +| Category | Select "K8SSecret" or the customized certificate store name from the previous step. | | +| Container | Optional container to associate certificate store with. | | +| Client Machine | For the Client Machine field when instantiating new Certificate Stores of type 'K8SSecret', enter the Kubernetes cluster endpoint or API server URL. Example: 'https://api.k8s.cluster.local:6443'. | | +| Store Path | For the Store Path field when instantiating new Certificate Stores of type 'K8SSecret', enter the namespace and the secret name in the format 'namespace/secretName'. Example: 'default/my-secret'. | | +| Orchestrator | Select an approved orchestrator capable of managing `K8SSecret` certificates. Specifically, one with the `K8SSecret` capability. | | + +* **Using kfutil** + + ```shell + # Generate a CSV template for the AzureApp certificate store + kfutil stores import generate-template --store-type-name K8SSecret --outpath K8SSecret.csv + + # Open the CSV file and fill in the required fields for each certificate store. + + # Import the CSV file to create the certificate stores + kfutil stores import csv --store-type-name K8SSecret --file K8SSecret.csv + ``` + +* **Manually with the Command UI**: In Keyfactor Command, navigate to Certificate Stores from the Locations Menu. Click the Add button to create a new Certificate Store using the attributes in the table above. \ No newline at end of file diff --git a/docs/k8stlssecr.md b/docs/k8stlssecr.md new file mode 100644 index 0000000..0b7f178 --- /dev/null +++ b/docs/k8stlssecr.md @@ -0,0 +1,214 @@ +## K8STLSSecr + +The K8STLSSecr Certificate Store Type is designed to manage Kubernetes secrets of type `kubernetes.io/tls`. This store type specifically deals with secrets formatted for storing TLS certificates and their corresponding private keys, facilitating secure and structured certificate management within Kubernetes. + +### Representation + +K8STLSSecr represents Kubernetes `tls` secrets, which are used to store SSL/TLS certificates and their associated private keys. These secrets are critical for securing communications within a Kubernetes cluster, particularly for web services and other applications requiring SSL/TLS encryption. + +### Usage and SDK + +The K8STLSSecr Certificate Store Type does not require any additional SDKs. It directly communicates with the Kubernetes API using a service account, leveraging native Kubernetes capabilities to manage the inventory and lifecycle of TLS secrets. + +### Caveats and Limitations + +There are several important considerations to keep in mind when using the K8STLSSecr Certificate Store Type: + +- **Service Account Permissions**: The service account must have sufficient permissions to create, list, update, and delete secrets within the designated namespace. Without adequate permissions, the orchestrator will be unable to manage the TLS secrets properly. + +- **Field Requirements**: The `tls` secret must contain the `tls.crt` and `tls.key` fields. The orchestrator also supports the `ca.crt` field for storing the certificate chain. It's important to ensure these fields are present and correctly formatted. + +- **Single Certificate Management**: This store type supports the storage and management of a single certificate and its private key per secret. Adding a new certificate will overwrite the existing data in the secret. Users should take care to avoid unintentional data loss. + +- **Separate Chain Handling**: The orchestrator can handle the deployment of certificate chains. If the `SeparateChain` custom field is set to true, the chain will be stored in the `ca.crt` field, separated from the leaf certificate in `tls.crt`. + +By considering these factors, the K8STLSSecr Certificate Store Type provides an effective solution for managing TLS secrets in Kubernetes, ensuring secure and efficient certificate lifecycle management for applications requiring SSL/TLS encryption. + + + +### Supported Job Types + +| Job Name | Supported | +| -------- | --------- | +| Inventory | ✅ | +| Management Add | ✅ | +| Management Remove | ✅ | +| Discovery | ✅ | +| Create | ✅ | +| Reenrollment | | + +## Requirements + +### Security Considerations +For the Kubernetes Orchestrator Extension to be able to communicate with a Kubernetes cluster, it must +be able to authenticate with the cluster. This is done by providing the extension with a service account +token that has the appropriate permissions to perform the desired operations. The service account token +can be provided to the extension in one of two ways: +- As a raw JSON file that contains the service account credentials +- As a base64 encoded string that contains the service account credentials + +### Service Account Setup +To set up a service account user on your Kubernetes cluster to be used by the Kubernetes Orchestrator Extension, use the following example as a guide: +```yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: keyfactor + namespace: keyfactor +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: keyfactor +rules: +- apiGroups: ["certificates.k8s.io"] + resources: ["certificatesigningrequests"] + verbs: ["create", "get", "list", "watch", "update", "patch", "delete"] +- apiGroups: [""] + resources: ["secrets"] + verbs: ["create", "get", "list", "watch", "update", "patch", "delete"] +- apiGroups: [""] + resources: ["namespaces"] + verbs: ["get", "list", "watch"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: keyfactor +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: keyfactor +subjects: +- kind: ServiceAccount + name: keyfactor + namespace: keyfactor +``` + +### Service Account Setup +To set up a service account user on your Kubernetes cluster to be used by the Kubernetes Orchestrator Extension, use the following example as a guide: +```yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: keyfactor + namespace: keyfactor +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: keyfactor +rules: +- apiGroups: ["certificates.k8s.io"] + resources: ["certificatesigningrequests"] + verbs: ["create", "get", "list", "watch", "update", "patch", "delete"] +- apiGroups: [""] + resources: ["secrets"] + verbs: ["create", "get", "list", "watch", "update", "patch", "delete"] +- apiGroups: [""] + resources: ["namespaces"] + verbs: ["get", "list", "watch"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: keyfactor +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: keyfactor +subjects: +- kind: ServiceAccount + name: keyfactor + namespace: keyfactor +``` + + + +## Certificate Store Type Configuration + +The recommended method for creating the `K8STLSSecr` Certificate Store Type is to use [kfutil](https://github.com/Keyfactor/kfutil). After installing, use the following command to create the `` Certificate Store Type: + +```shell +kfutil store-types create K8STLSSecr +``` + +
K8STLSSecr + +Create a store type called `K8STLSSecr` with the attributes in the tables below: + +### Basic Tab +| Attribute | Value | Description | +| --------- | ----- | ----- | +| Name | K8STLSSecr | Display name for the store type (may be customized) | +| Short Name | K8STLSSecr | Short display name for the store type | +| Capability | K8STLSSecr | Store type name orchestrator will register with. Check the box to allow entry of value | +| Supported Job Types (check the box for each) | Add, Discovery, Remove | Job types the extension supports | +| Supports Add | ✅ | Check the box. Indicates that the Store Type supports Management Add | +| Supports Remove | ✅ | Check the box. Indicates that the Store Type supports Management Remove | +| Supports Discovery | ✅ | Check the box. Indicates that the Store Type supports Discovery | +| Supports Reenrollment | | Indicates that the Store Type supports Reenrollment | +| Supports Create | ✅ | Check the box. Indicates that the Store Type supports store creation | +| Needs Server | ✅ | Determines if a target server name is required when creating store | +| Blueprint Allowed | | Determines if store type may be included in an Orchestrator blueprint | +| Uses PowerShell | | Determines if underlying implementation is PowerShell | +| Requires Store Password | | Determines if a store password is required when configuring an individual store. | +| Supports Entry Password | | Determines if an individual entry within a store can have a password. | + +The Basic tab should look like this: + +![K8STLSSecr Basic Tab](../docsource/images/K8STLSSecr-basic-store-type-dialog.png) + +### Advanced Tab +| Attribute | Value | Description | +| --------- | ----- | ----- | +| Supports Custom Alias | Forbidden | Determines if an individual entry within a store can have a custom Alias. | +| Private Key Handling | Optional | This determines if Keyfactor can send the private key associated with a certificate to the store. Required because IIS certificates without private keys would be invalid. | +| PFX Password Style | Default | 'Default' - PFX password is randomly generated, 'Custom' - PFX password may be specified when the enrollment job is created (Requires the Allow Custom Password application setting to be enabled.) | + +The Advanced tab should look like this: + +![K8STLSSecr Advanced Tab](../docsource/images/K8STLSSecr-advanced-store-type-dialog.png) + +### Custom Fields Tab +Custom fields operate at the certificate store level and are used to control how the orchestrator connects to the remote target server containing the certificate store to be managed. The following custom fields should be added to the store type: + +| Name | Display Name | Type | Default Value/Options | Required | Description | +| ---- | ------------ | ---- | --------------------- | -------- | ----------- | + + +The Custom Fields tab should look like this: + +![K8STLSSecr Custom Fields Tab](../docsource/images/K8STLSSecr-custom-fields-store-type-dialog.png) + + + +
+ +## Certificate Store Configuration + +After creating the `K8STLSSecr` Certificate Store Type and installing the Kubernetes Universal Orchestrator extension, you can create new [Certificate Stores](https://software.keyfactor.com/Core-OnPrem/Current/Content/ReferenceGuide/Certificate%20Stores.htm?Highlight=certificate%20store) to manage certificates in the remote platform. + +The following table describes the required and optional fields for the `K8STLSSecr` certificate store type. + +| Attribute | Description | Attribute is PAM Eligible | +| --------- | ----------- | ------------------------- | +| Category | Select "K8STLSSecr" or the customized certificate store name from the previous step. | | +| Container | Optional container to associate certificate store with. | | +| Client Machine | For the Client Machine field when instantiating new Certificate Stores of type 'K8STLSSecr', enter the Kubernetes cluster endpoint or API server URL. Example: 'https://api.k8s.cluster.local:6443'. | | +| Store Path | For the Store Path field when instantiating new Certificate Stores of type 'K8STLSSecr', enter the namespace and the secret name in the format 'namespace/secretName'. Example: 'default/my-tls-secret'. | | +| Orchestrator | Select an approved orchestrator capable of managing `K8STLSSecr` certificates. Specifically, one with the `K8STLSSecr` capability. | | + +* **Using kfutil** + + ```shell + # Generate a CSV template for the AzureApp certificate store + kfutil stores import generate-template --store-type-name K8STLSSecr --outpath K8STLSSecr.csv + + # Open the CSV file and fill in the required fields for each certificate store. + + # Import the CSV file to create the certificate stores + kfutil stores import csv --store-type-name K8STLSSecr --file K8STLSSecr.csv + ``` + +* **Manually with the Command UI**: In Keyfactor Command, navigate to Certificate Stores from the Locations Menu. Click the Add button to create a new Certificate Store using the attributes in the table above. \ No newline at end of file diff --git a/docsource/k8scert.md b/docsource/k8scert.md new file mode 100644 index 0000000..1d6d5f6 --- /dev/null +++ b/docsource/k8scert.md @@ -0,0 +1,108 @@ +## Overview + +The K8SCert Certificate Store Type is designed to manage Kubernetes certificates of type `certificates.k8s.io/v1`. This store type interacts with Kubernetes' native CertificateSigningRequest (CSR) resources and manages the lifecycle of Kubernetes certificates, ensuring they are deployed and updated as needed within the cluster. + +### Representation + +K8SCert represents the certificates requested and issued via Kubernetes' CSR API. These certificates are often employed for various internal Kubernetes operations, such as securing API calls and container-to-container communications within the cluster. By managing these certificates, the orchestrator ensures that communication between different Kubernetes components remains secure. + +### Usage and SDK + +The K8SCert Certificate Store Type does not require any additional SDKs as it communicates directly with the Kubernetes API using a service account. This integration leverages Kubernetes’ native capabilities to handle certificate requests and issuances, making use of the service account's permissions to perform necessary operations. + +### Caveats and Limitations + +There are a few important considerations when using the K8SCert Certificate Store Type: + +- **Service Account Permissions**: The service account used by the orchestrator must have the necessary permissions to create, view, update, and delete CSRs within the cluster. Insufficient permissions will result in failures to manage certificates properly. +- **Chain of Trust**: Be aware of the chain of trust for certificates managed by the K8SCert store type. Properly configuring and maintaining the trust chain is critical to maintain secure communications. +- **Private Key Handling**: This store type doesn't handle private keys directly within Kubernetes secrets but rather relies on the managed CSR’s mechanisms to secure keys. + +The K8SCert Certificate Store Type offers a robust approach to managing Kubernetes-native certificates, ensuring secure and authenticated communication within your Kubernetes environment. + +## Requirements + +### Security Considerations +For the Kubernetes Orchestrator Extension to be able to communicate with a Kubernetes cluster, it must +be able to authenticate with the cluster. This is done by providing the extension with a service account +token that has the appropriate permissions to perform the desired operations. The service account token +can be provided to the extension in one of two ways: +- As a raw JSON file that contains the service account credentials +- As a base64 encoded string that contains the service account credentials + +#### Service Account Setup +To set up a service account user on your Kubernetes cluster to be used by the Kubernetes Orchestrator Extension, use the following example as a guide: +```yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: keyfactor + namespace: keyfactor +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: keyfactor +rules: +- apiGroups: ["certificates.k8s.io"] + resources: ["certificatesigningrequests"] + verbs: ["create", "get", "list", "watch", "update", "patch", "delete"] +- apiGroups: [""] + resources: ["secrets"] + verbs: ["create", "get", "list", "watch", "update", "patch", "delete"] +- apiGroups: [""] + resources: ["namespaces"] + verbs: ["get", "list", "watch"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: keyfactor +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: keyfactor +subjects: +- kind: ServiceAccount + name: keyfactor + namespace: keyfactor +``` + +### Service Account Setup +To set up a service account user on your Kubernetes cluster to be used by the Kubernetes Orchestrator Extension, use the following example as a guide: +```yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: keyfactor + namespace: keyfactor +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: keyfactor +rules: +- apiGroups: ["certificates.k8s.io"] + resources: ["certificatesigningrequests"] + verbs: ["create", "get", "list", "watch", "update", "patch", "delete"] +- apiGroups: [""] + resources: ["secrets"] + verbs: ["create", "get", "list", "watch", "update", "patch", "delete"] +- apiGroups: [""] + resources: ["namespaces"] + verbs: ["get", "list", "watch"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: keyfactor +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: keyfactor +subjects: +- kind: ServiceAccount + name: keyfactor + namespace: keyfactor +``` + diff --git a/docsource/k8scluster.md b/docsource/k8scluster.md new file mode 100644 index 0000000..635f599 --- /dev/null +++ b/docsource/k8scluster.md @@ -0,0 +1,108 @@ +## Overview + +The K8SCluster Certificate Store Type enables the management of certificates across an entire Kubernetes cluster. This store type is designed to handle Kubernetes secrets of type `Opaque` and `kubernetes.io/tls` across all namespaces within a cluster, acting as a container for `K8SSecret` and `K8STLSSecret` stores. + +### Representation + +K8SCluster represents a higher-level aggregation of secrets management, providing a unified interface to manage certificates across multiple namespaces. This is particularly useful for organizations wanting centralized control over their certificate infrastructure within a Kubernetes environment. + +### Usage and SDK + +The K8SCluster Certificate Store Type does not require any additional SDKs as it relies on Kubernetes’ native API capabilities. The orchestrator uses a service account to interact with the Kubernetes API, performing operations needed to inventory and manage secrets across the cluster. + +### Caveats and Limitations + +There are some important considerations when using the K8SCluster Certificate Store Type: + +- **Service Account Permissions**: The service account should have sufficient permissions to list, create, update, and delete secrets across all namespaces. The lack of such permissions can hinder the orchestrator's ability to manage certificates. +- **Resource Scope**: Managing certificates at the cluster level can be complex due to the varied configurations and security policies across different namespaces. It's important to ensure that sensitive data is properly segregated and managed according to security best practices. +- **Configuration Complexity**: Given the broad scope of management, initial configuration can be intricate. Proper attention to detail is required to ensure all namespaces and their resources are correctly configured for certificate management. + +The K8SCluster Certificate Store Type offers a comprehensive solution for managing certificates across a Kubernetes cluster, providing centralized control while ensuring secure and efficient certificate lifecycle management. + +## Requirements + +### Security Considerations +For the Kubernetes Orchestrator Extension to be able to communicate with a Kubernetes cluster, it must +be able to authenticate with the cluster. This is done by providing the extension with a service account +token that has the appropriate permissions to perform the desired operations. The service account token +can be provided to the extension in one of two ways: +- As a raw JSON file that contains the service account credentials +- As a base64 encoded string that contains the service account credentials + +### Service Account Setup +To set up a service account user on your Kubernetes cluster to be used by the Kubernetes Orchestrator Extension, use the following example as a guide: +```yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: keyfactor + namespace: keyfactor +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: keyfactor +rules: +- apiGroups: ["certificates.k8s.io"] + resources: ["certificatesigningrequests"] + verbs: ["create", "get", "list", "watch", "update", "patch", "delete"] +- apiGroups: [""] + resources: ["secrets"] + verbs: ["create", "get", "list", "watch", "update", "patch", "delete"] +- apiGroups: [""] + resources: ["namespaces"] + verbs: ["get", "list", "watch"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: keyfactor +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: keyfactor +subjects: +- kind: ServiceAccount + name: keyfactor + namespace: keyfactor +``` + +### Service Account Setup +To set up a service account user on your Kubernetes cluster to be used by the Kubernetes Orchestrator Extension, use the following example as a guide: +```yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: keyfactor + namespace: keyfactor +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: keyfactor +rules: +- apiGroups: ["certificates.k8s.io"] + resources: ["certificatesigningrequests"] + verbs: ["create", "get", "list", "watch", "update", "patch", "delete"] +- apiGroups: [""] + resources: ["secrets"] + verbs: ["create", "get", "list", "watch", "update", "patch", "delete"] +- apiGroups: [""] + resources: ["namespaces"] + verbs: ["get", "list", "watch"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: keyfactor +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: keyfactor +subjects: +- kind: ServiceAccount + name: keyfactor + namespace: keyfactor +``` + diff --git a/docsource/k8sjks.md b/docsource/k8sjks.md new file mode 100644 index 0000000..b67c4ae --- /dev/null +++ b/docsource/k8sjks.md @@ -0,0 +1,108 @@ +## Overview + +The K8SJKS Certificate Store Type is designed to manage Java Keystores (JKS) that are stored within Kubernetes secrets of type `Opaque`. This store type specifically interacts with fields in Kubernetes secrets that contain JKS data, allowing for the inventory and management of certificates within these keystores. + +### Representation + +K8SJKS represents Kubernetes secrets that include one or more JKS files. Each entry within a JKS file is treated as a separate certificate entity, managed using a custom alias pattern. This is particularly useful for applications and services hosted within a Kubernetes cluster that require Java Keystore management. + +### Usage and SDK + +The K8SJKS Certificate Store Type does not require any additional SDKs and relies on direct interaction with the Kubernetes API through a service account. This interaction allows the orchestrator to inventory and manage secrets efficiently without needing any third-party libraries. + +### Caveats and Limitations + +There are a few important considerations when using the K8SJKS Certificate Store Type: + +- **Service Account Permissions**: The service account must have the necessary permissions to list, create, update, and delete secrets within the Kubernetes namespace. Without sufficient permissions, the orchestrator will be unable to manage the JKS secrets. +- **Custom Alias Pattern**: The orchestrator manages certificates using a custom alias of the pattern `k8s_secret_field_name/keystore_alias`. Users must understand this pattern to correctly reference and manage specific certificates within a JKS. +- **Unique Credentials**: Each JKS requires unique credentials, making it impossible to manage them collectively at the cluster or namespace level. This granularity necessitates careful configuration to ensure each keystore is correctly managed. + +By recognizing these considerations, the K8SJKS Certificate Store Type offers a robust solution for managing Java Keystores within Kubernetes, facilitating secure and efficient certificate lifecycle management for Java applications deployed in the cluster. + +## Requirements + +### Security Considerations +For the Kubernetes Orchestrator Extension to be able to communicate with a Kubernetes cluster, it must +be able to authenticate with the cluster. This is done by providing the extension with a service account +token that has the appropriate permissions to perform the desired operations. The service account token +can be provided to the extension in one of two ways: +- As a raw JSON file that contains the service account credentials +- As a base64 encoded string that contains the service account credentials + +### Service Account Setup +To set up a service account user on your Kubernetes cluster to be used by the Kubernetes Orchestrator Extension, use the following example as a guide: +```yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: keyfactor + namespace: keyfactor +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: keyfactor +rules: +- apiGroups: ["certificates.k8s.io"] + resources: ["certificatesigningrequests"] + verbs: ["create", "get", "list", "watch", "update", "patch", "delete"] +- apiGroups: [""] + resources: ["secrets"] + verbs: ["create", "get", "list", "watch", "update", "patch", "delete"] +- apiGroups: [""] + resources: ["namespaces"] + verbs: ["get", "list", "watch"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: keyfactor +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: keyfactor +subjects: +- kind: ServiceAccount + name: keyfactor + namespace: keyfactor +``` + +### Service Account Setup +To set up a service account user on your Kubernetes cluster to be used by the Kubernetes Orchestrator Extension, use the following example as a guide: +```yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: keyfactor + namespace: keyfactor +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: keyfactor +rules: +- apiGroups: ["certificates.k8s.io"] + resources: ["certificatesigningrequests"] + verbs: ["create", "get", "list", "watch", "update", "patch", "delete"] +- apiGroups: [""] + resources: ["secrets"] + verbs: ["create", "get", "list", "watch", "update", "patch", "delete"] +- apiGroups: [""] + resources: ["namespaces"] + verbs: ["get", "list", "watch"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: keyfactor +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: keyfactor +subjects: +- kind: ServiceAccount + name: keyfactor + namespace: keyfactor +``` + diff --git a/docsource/k8sns.md b/docsource/k8sns.md new file mode 100644 index 0000000..c603c13 --- /dev/null +++ b/docsource/k8sns.md @@ -0,0 +1,108 @@ +## Overview + +The K8SNS Certificate Store Type is designed to manage certificates within a specific Kubernetes namespace. This store type aggregates secrets of type `Opaque` and `kubernetes.io/tls` within a defined namespace, effectively acting as a container for `K8SSecret` and `K8STLSSecret` stores in that namespace. + +### Representation + +K8SNS represents a high-level grouping of secrets management focused on a single Kubernetes namespace. By managing all relevant secrets within this scope, it allows for more centralized and controlled certificate management across that namespace. This is particularly useful for segmenting and managing certificates in multi-tenant environments or environments with specific namespace-based security policies. + +### Usage and SDK + +The K8SNS Certificate Store Type interacts directly with the Kubernetes API through a service account, thus it does not require any additional SDKs. The orchestrator uses the permissions granted to the service account to manage secrets efficiently within the specified namespace. + +### Caveats and Limitations + +There are important considerations when using the K8SNS Certificate Store Type: + +- **Service Account Permissions**: The service account must have sufficient permissions to list, create, update, and delete secrets within the target namespace. Insufficient permissions can prevent the orchestrator from functioning correctly. +- **Namespace Scope**: While this store type is useful for managing certificates within a single namespace, it does not provide a cross-namespace management capability. Users must set up individual stores for each namespace they want to manage. +- **Field Requirements**: This store type will only inventory secrets that contain the keys `tls.crt` and `tls.key`. Other data within the secret will be ignored. + +By taking these considerations into account, the K8SNS Certificate Store Type provides an effective solution for managing certificates within a Kubernetes namespace, supporting secure and organized certificate lifecycle management. + +## Requirements + +### Security Considerations +For the Kubernetes Orchestrator Extension to be able to communicate with a Kubernetes cluster, it must +be able to authenticate with the cluster. This is done by providing the extension with a service account +token that has the appropriate permissions to perform the desired operations. The service account token +can be provided to the extension in one of two ways: +- As a raw JSON file that contains the service account credentials +- As a base64 encoded string that contains the service account credentials + +### Service Account Setup +To set up a service account user on your Kubernetes cluster to be used by the Kubernetes Orchestrator Extension, use the following example as a guide: +```yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: keyfactor + namespace: keyfactor +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: keyfactor +rules: +- apiGroups: ["certificates.k8s.io"] + resources: ["certificatesigningrequests"] + verbs: ["create", "get", "list", "watch", "update", "patch", "delete"] +- apiGroups: [""] + resources: ["secrets"] + verbs: ["create", "get", "list", "watch", "update", "patch", "delete"] +- apiGroups: [""] + resources: ["namespaces"] + verbs: ["get", "list", "watch"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: keyfactor +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: keyfactor +subjects: +- kind: ServiceAccount + name: keyfactor + namespace: keyfactor +``` + +### Service Account Setup +To set up a service account user on your Kubernetes cluster to be used by the Kubernetes Orchestrator Extension, use the following example as a guide: +```yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: keyfactor + namespace: keyfactor +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: keyfactor +rules: +- apiGroups: ["certificates.k8s.io"] + resources: ["certificatesigningrequests"] + verbs: ["create", "get", "list", "watch", "update", "patch", "delete"] +- apiGroups: [""] + resources: ["secrets"] + verbs: ["create", "get", "list", "watch", "update", "patch", "delete"] +- apiGroups: [""] + resources: ["namespaces"] + verbs: ["get", "list", "watch"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: keyfactor +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: keyfactor +subjects: +- kind: ServiceAccount + name: keyfactor + namespace: keyfactor +``` + diff --git a/docsource/k8spkcs12.md b/docsource/k8spkcs12.md new file mode 100644 index 0000000..03a88d2 --- /dev/null +++ b/docsource/k8spkcs12.md @@ -0,0 +1,112 @@ +## Overview + +The K8SPKCS12 Certificate Store Type is designed to manage PKCS12 files stored within Kubernetes secrets of type `Opaque`. This store type focuses on secrets containing PKCS12 data, allowing for the inventory and management of certificates and keys within these files. + +### Representation + +K8SPKCS12 represents Kubernetes secrets that include one or more PKCS12 files. Each file within a secret is treated as a separate certificate entity, managed using a custom alias pattern. This is particularly useful for applications requiring PKCS12 format for their keystores, commonly seen in Java applications and other use-cases requiring bundled certificates and keys. + +### Usage and SDK + +The K8SPKCS12 Certificate Store Type does not require any additional SDKs beyond the orchestrator’s capabilities. It communicates directly with the Kubernetes API using a service account to perform its operations. No third-party libraries are needed. + +### Caveats and Limitations + +Several important considerations should be noted when using the K8SPKCS12 Certificate Store Type: + +- **Service Account Permissions**: The service account must have sufficient permissions to list, create, update, and delete secrets in the Kubernetes namespace where the secrets reside. Without these permissions, the orchestrator cannot function correctly. + +- **Custom Alias Pattern**: The orchestrator uses a custom alias pattern for managing certificates: `/`. Users should be familiar with this pattern to correctly reference and manage specific certificates within a PKCS12 file. + +- **Password Management**: PKCS12 files often require passwords to access their contents. The orchestrator supports various methods for password management, including specifying passwords directly in the secrets or through other configuration fields. + +- **Unique Credentials**: Each PKCS12 file may require unique credentials, which makes it challenging to manage them collectively at the cluster or namespace level. This requires detailed configuration to ensure each PKCS12 keystore is managed correctly. + +By considering these factors, the K8SPKCS12 Certificate Store Type offers a robust solution for managing PKCS12 files within Kubernetes, facilitating secure and efficient certificate lifecycle management for applications that rely on this format. + +## Requirements + +### Security Considerations +For the Kubernetes Orchestrator Extension to be able to communicate with a Kubernetes cluster, it must +be able to authenticate with the cluster. This is done by providing the extension with a service account +token that has the appropriate permissions to perform the desired operations. The service account token +can be provided to the extension in one of two ways: +- As a raw JSON file that contains the service account credentials +- As a base64 encoded string that contains the service account credentials + +### Service Account Setup +To set up a service account user on your Kubernetes cluster to be used by the Kubernetes Orchestrator Extension, use the following example as a guide: +```yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: keyfactor + namespace: keyfactor +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: keyfactor +rules: +- apiGroups: ["certificates.k8s.io"] + resources: ["certificatesigningrequests"] + verbs: ["create", "get", "list", "watch", "update", "patch", "delete"] +- apiGroups: [""] + resources: ["secrets"] + verbs: ["create", "get", "list", "watch", "update", "patch", "delete"] +- apiGroups: [""] + resources: ["namespaces"] + verbs: ["get", "list", "watch"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: keyfactor +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: keyfactor +subjects: +- kind: ServiceAccount + name: keyfactor + namespace: keyfactor +``` + +### Service Account Setup +To set up a service account user on your Kubernetes cluster to be used by the Kubernetes Orchestrator Extension, use the following example as a guide: +```yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: keyfactor + namespace: keyfactor +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: keyfactor +rules: +- apiGroups: ["certificates.k8s.io"] + resources: ["certificatesigningrequests"] + verbs: ["create", "get", "list", "watch", "update", "patch", "delete"] +- apiGroups: [""] + resources: ["secrets"] + verbs: ["create", "get", "list", "watch", "update", "patch", "delete"] +- apiGroups: [""] + resources: ["namespaces"] + verbs: ["get", "list", "watch"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: keyfactor +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: keyfactor +subjects: +- kind: ServiceAccount + name: keyfactor + namespace: keyfactor +``` + diff --git a/docsource/k8ssecret.md b/docsource/k8ssecret.md new file mode 100644 index 0000000..fdcfa49 --- /dev/null +++ b/docsource/k8ssecret.md @@ -0,0 +1,110 @@ +## Overview + +The K8SSecret Certificate Store Type is designed to manage Kubernetes secrets of type `Opaque`. This store type provides functionality for storing and managing various certificates and their associated private keys within Kubernetes secrets, allowing for secure and organized certificate management. + +### Representation + +K8SSecret represents Kubernetes `Opaque` secrets that can contain arbitrary fields. However, the orchestrator specifically manages fields named `certificates` and `private_keys`, ensuring that certificate and key data is handled securely and efficiently. This is useful for various applications and services within a Kubernetes cluster that need to securely store and access certificates. + +### Usage and SDK + +The K8SSecret Certificate Store Type communicates directly with the Kubernetes API using a service account, eliminating the need for any additional SDKs. The orchestrator leverages the permissions of the service account to perform necessary operations such as inventory, add, and remove certificates within the Kubernetes secrets. + +### Caveats and Limitations + +Several important considerations should be noted when using the K8SSecret Certificate Store Type: + +- **Service Account Permissions**: The service account must have the appropriate permissions to create, list, update, and delete secrets within the specified Kubernetes namespace. Without sufficient permissions, the orchestrator will not be able to manage the secrets effectively. + +- **Field Constraints**: The orchestrator will only manage the fields named `certificates` and `private_keys` within the secret. Any other fields will be ignored, which means users must ensure that the relevant data is stored in these fields. + +- **Single Certificate Management**: This store type supports the management of a single certificate within each secret. Adding a new certificate will overwrite the existing fields in the secret. Users should be cautious of this behavior to avoid unintentional data loss. + +By considering these factors, the K8SSecret Certificate Store Type offers a reliable way to manage `Opaque` secrets in Kubernetes, ensuring secure and efficient certificate lifecycle management within the cluster. + +## Requirements + +### Security Considerations +For the Kubernetes Orchestrator Extension to be able to communicate with a Kubernetes cluster, it must +be able to authenticate with the cluster. This is done by providing the extension with a service account +token that has the appropriate permissions to perform the desired operations. The service account token +can be provided to the extension in one of two ways: +- As a raw JSON file that contains the service account credentials +- As a base64 encoded string that contains the service account credentials + +### Service Account Setup +To set up a service account user on your Kubernetes cluster to be used by the Kubernetes Orchestrator Extension, use the following example as a guide: +```yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: keyfactor + namespace: keyfactor +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: keyfactor +rules: +- apiGroups: ["certificates.k8s.io"] + resources: ["certificatesigningrequests"] + verbs: ["create", "get", "list", "watch", "update", "patch", "delete"] +- apiGroups: [""] + resources: ["secrets"] + verbs: ["create", "get", "list", "watch", "update", "patch", "delete"] +- apiGroups: [""] + resources: ["namespaces"] + verbs: ["get", "list", "watch"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: keyfactor +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: keyfactor +subjects: +- kind: ServiceAccount + name: keyfactor + namespace: keyfactor +``` + +### Service Account Setup +To set up a service account user on your Kubernetes cluster to be used by the Kubernetes Orchestrator Extension, use the following example as a guide: +```yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: keyfactor + namespace: keyfactor +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: keyfactor +rules: +- apiGroups: ["certificates.k8s.io"] + resources: ["certificatesigningrequests"] + verbs: ["create", "get", "list", "watch", "update", "patch", "delete"] +- apiGroups: [""] + resources: ["secrets"] + verbs: ["create", "get", "list", "watch", "update", "patch", "delete"] +- apiGroups: [""] + resources: ["namespaces"] + verbs: ["get", "list", "watch"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: keyfactor +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: keyfactor +subjects: +- kind: ServiceAccount + name: keyfactor + namespace: keyfactor +``` + diff --git a/docsource/k8stlssecr.md b/docsource/k8stlssecr.md new file mode 100644 index 0000000..26919c5 --- /dev/null +++ b/docsource/k8stlssecr.md @@ -0,0 +1,112 @@ +## Overview + +The K8STLSSecr Certificate Store Type is designed to manage Kubernetes secrets of type `kubernetes.io/tls`. This store type specifically deals with secrets formatted for storing TLS certificates and their corresponding private keys, facilitating secure and structured certificate management within Kubernetes. + +### Representation + +K8STLSSecr represents Kubernetes `tls` secrets, which are used to store SSL/TLS certificates and their associated private keys. These secrets are critical for securing communications within a Kubernetes cluster, particularly for web services and other applications requiring SSL/TLS encryption. + +### Usage and SDK + +The K8STLSSecr Certificate Store Type does not require any additional SDKs. It directly communicates with the Kubernetes API using a service account, leveraging native Kubernetes capabilities to manage the inventory and lifecycle of TLS secrets. + +### Caveats and Limitations + +There are several important considerations to keep in mind when using the K8STLSSecr Certificate Store Type: + +- **Service Account Permissions**: The service account must have sufficient permissions to create, list, update, and delete secrets within the designated namespace. Without adequate permissions, the orchestrator will be unable to manage the TLS secrets properly. + +- **Field Requirements**: The `tls` secret must contain the `tls.crt` and `tls.key` fields. The orchestrator also supports the `ca.crt` field for storing the certificate chain. It's important to ensure these fields are present and correctly formatted. + +- **Single Certificate Management**: This store type supports the storage and management of a single certificate and its private key per secret. Adding a new certificate will overwrite the existing data in the secret. Users should take care to avoid unintentional data loss. + +- **Separate Chain Handling**: The orchestrator can handle the deployment of certificate chains. If the `SeparateChain` custom field is set to true, the chain will be stored in the `ca.crt` field, separated from the leaf certificate in `tls.crt`. + +By considering these factors, the K8STLSSecr Certificate Store Type provides an effective solution for managing TLS secrets in Kubernetes, ensuring secure and efficient certificate lifecycle management for applications requiring SSL/TLS encryption. + +## Requirements + +### Security Considerations +For the Kubernetes Orchestrator Extension to be able to communicate with a Kubernetes cluster, it must +be able to authenticate with the cluster. This is done by providing the extension with a service account +token that has the appropriate permissions to perform the desired operations. The service account token +can be provided to the extension in one of two ways: +- As a raw JSON file that contains the service account credentials +- As a base64 encoded string that contains the service account credentials + +### Service Account Setup +To set up a service account user on your Kubernetes cluster to be used by the Kubernetes Orchestrator Extension, use the following example as a guide: +```yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: keyfactor + namespace: keyfactor +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: keyfactor +rules: +- apiGroups: ["certificates.k8s.io"] + resources: ["certificatesigningrequests"] + verbs: ["create", "get", "list", "watch", "update", "patch", "delete"] +- apiGroups: [""] + resources: ["secrets"] + verbs: ["create", "get", "list", "watch", "update", "patch", "delete"] +- apiGroups: [""] + resources: ["namespaces"] + verbs: ["get", "list", "watch"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: keyfactor +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: keyfactor +subjects: +- kind: ServiceAccount + name: keyfactor + namespace: keyfactor +``` + +### Service Account Setup +To set up a service account user on your Kubernetes cluster to be used by the Kubernetes Orchestrator Extension, use the following example as a guide: +```yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: keyfactor + namespace: keyfactor +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: keyfactor +rules: +- apiGroups: ["certificates.k8s.io"] + resources: ["certificatesigningrequests"] + verbs: ["create", "get", "list", "watch", "update", "patch", "delete"] +- apiGroups: [""] + resources: ["secrets"] + verbs: ["create", "get", "list", "watch", "update", "patch", "delete"] +- apiGroups: [""] + resources: ["namespaces"] + verbs: ["get", "list", "watch"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: keyfactor +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: keyfactor +subjects: +- kind: ServiceAccount + name: keyfactor + namespace: keyfactor +``` + diff --git a/docsource/overview.md b/docsource/overview.md new file mode 100644 index 0000000..6c1b75f --- /dev/null +++ b/docsource/overview.md @@ -0,0 +1,24 @@ +## Overview + +The Kubernetes Universal Orchestrator extension is designed to facilitate the remote management of cryptographic certificates within a Kubernetes cluster. Kubernetes employs certificates for various purposes such as securing communication channels between components (e.g., kube-apiserver, kubelet, etcd), authenticating users and services, and ensuring the integrity of the system. + +### Certificate Store Types + +This extension provides support for several types of Certificate Stores, each adapted to different Kubernetes resources and use cases: + +**K8SCert**: Manages Kubernetes certificates of type `certificates.k8s.io/v1`. These certificates are typically used for Kubernetes admission and webhook servers. For provisioning, refer to the [k8s-csr-signer](https://github.com/Keyfactor/k8s-csr-signer) documentation. + +**K8SSecret**: Handles Kubernetes secrets of type `Opaque`. These secrets can store arbitrary data but are primarily used to manage certificate and private key pairs. The orchestrator focuses on fields named `certificates` and `private_keys`. + +**K8STLSSecret**: Manages Kubernetes secrets of type `kubernetes.io/tls`. These secrets specifically store SSL/TLS certificates and their corresponding private keys. They must include `tls.crt` and `tls.key` fields. + +**K8SCluster**: This type allows managing a cluster’s secrets of types `Opaque` and `kubernetes.io/tls` across all Kubernetes namespaces. It acts as a container that encompasses `K8SSecret` and `K8STLSSecret` stores. + +**K8SNS**: Manages all secrets of type `Opaque` and `kubernetes.io/tls` within a specific namespace. Similar to `K8SCluster`, it acts as a container but is limited to a specific namespace. + +**K8SJKS**: Works with Kubernetes secrets of type `Opaque` that contain one or more Java Keystore (JKS) files. Each keystore within the secret requires unique credentials and is managed individually. + +**K8SPKCS12**: Manages Kubernetes secrets of type `Opaque` that contain PKCS12 files. Like `K8SJKS`, these cannot be managed at cluster or namespace levels due to needing unique credentials. + +In summary, the Kubernetes Universal Orchestrator extension offers a versatile approach to managing certificates and keys within a Kubernetes cluster, ensuring secure communication and authentication across components and services. + diff --git a/integration-manifest.json b/integration-manifest.json index e4beb31..338fac8 100644 --- a/integration-manifest.json +++ b/integration-manifest.json @@ -1,612 +1,259 @@ { - "$schema": "https://keyfactor.github.io/integration-manifest-schema.json", - "integration_type": "orchestrator", - "name": "Kubernetes Orchestrator Extension", - "status": "production", - "description": "The Kubernetes Orchestrator allows for the remote management of certificate stores defined in a Kubernetes cluster. The following types of Kubernetes resources are supported: kubernetes secrets of `kubernetes.io/tls` or `Opaque` and kubernetes certificates `certificates.k8s.io/v1`", - "short_description": "The Kubernetes Orchestrator allows for remote management of Kubernetes secret types 'Opaque' and 'kubernetes.io/tls' as well as 'certificates.k8s.io/v1' resources. ", - "link_github": true, - "topics": [ - "kubernetes", - "certificates", - "secrets", - "k8s", - "aks", - "eks", - "gke", - "keyfactor", - "orchestrator", - "keyfactor-universal-orchestrator" - ], - "update_catalog": true, - "support_level": "kf-supported", - "about": { - "orchestrator": { - "UOFramework": "10.1", - "pam_support": true, - "win": { - "supportsCreateStore": true, - "supportsDiscovery": true, - "supportsManagementAdd": true, - "supportsManagementRemove": true, - "supportsReenrollment": false, - "supportsInventory": true, - "platformSupport": "Unused" - }, - "linux": { - "supportsCreateStore": true, - "supportsDiscovery": true, - "supportsManagementAdd": true, - "supportsManagementRemove": true, - "supportsReenrollment": false, - "supportsInventory": true, - "platformSupport": "Unused" - }, - "store_types": [ - { - "Name": "K8SCert", - "ShortName": "K8SCert", - "Capability": "K8SCert", - "LocalStore": false, - "SupportedOperations": { - "Add": false, - "Create": false, - "Discovery": true, - "Enrollment": false, - "Remove": false - }, - "Properties": [ - { - "Name": "KubeNamespace", - "DisplayName": "KubeNamespace", - "Type": "String", - "DependsOn": "", - "DefaultValue": "default", - "Required": false - }, - { - "Name": "KubeSecretName", - "DisplayName": "KubeSecretName", - "Type": "String", - "DependsOn": "", - "DefaultValue": null, - "Required": false - }, - { - "Name": "KubeSecretType", - "DisplayName": "KubeSecretType", - "Type": "String", - "DependsOn": "", - "DefaultValue": "cert", - "Required": true - }, - { - "Name": "ServerUsername", - "DisplayName": "Server Username", - "Type": "Secret", - "DependsOn": "", - "DefaultValue": null, - "Required": false - }, - { - "Name": "ServerPassword", - "DisplayName": "Server Password", - "Type": "Secret", - "DependsOn": "", - "DefaultValue": null, - "Required": true - }, - { - "Name": "ServerUseSsl", - "DisplayName": "Use SSL", - "Type": "Bool", - "DependsOn": "", - "DefaultValue": "true", - "Required": true - } - ], - "EntryParameters": null, - "PasswordOptions": { - "EntrySupported": false, - "StoreRequired": false, - "Style": "Default" - }, - "StorePathType": "", - "StorePathValue": "", - "PrivateKeyAllowed": "Forbidden", - "JobProperties": [], - "ServerRequired": true, - "PowerShell": false, - "BlueprintAllowed": false, - "CustomAliasAllowed": "Forbidden" - }, - { - "Name": "K8SCluster", - "ShortName": "K8SCluster", - "Capability": "K8SCluster", - "LocalStore": false, - "SupportedOperations": { - "Add": true, - "Create": true, - "Discovery": false, - "Enrollment": false, - "Remove": true - }, - "Properties": [ - { - "Name": "ServerUsername", - "DisplayName": "Server Username", - "Type": "Secret", - "DependsOn": "", - "DefaultValue": null, - "Required": false - }, - { - "Name": "ServerPassword", - "DisplayName": "Server Password", - "Type": "Secret", - "DependsOn": "", - "DefaultValue": null, - "Required": true - }, - { - "Name": "ServerUseSsl", - "DisplayName": "Use SSL", - "Type": "Bool", - "DependsOn": "", - "DefaultValue": "true", - "Required": true - } - ], - "EntryParameters": null, - "PasswordOptions": { - "EntrySupported": false, - "StoreRequired": false, - "Style": "Default" - }, - "StorePathType": "", - "StorePathValue": "", - "PrivateKeyAllowed": "Optional", - "JobProperties": [], - "ServerRequired": true, - "PowerShell": false, - "BlueprintAllowed": false, - "CustomAliasAllowed": "Required" - }, - { - "Name": "K8SJKS", - "ShortName": "K8SJKS", - "Capability": "K8SJKS", - "LocalStore": false, - "SupportedOperations": { - "Add": true, - "Create": true, - "Discovery": true, - "Enrollment": false, - "Remove": true - }, - "Properties": [ - { - "Name": "KubeNamespace", - "DisplayName": "KubeNamespace", - "Type": "String", - "DependsOn": "", - "DefaultValue": "default", - "Required": false - }, - { - "Name": "KubeSecretName", - "DisplayName": "KubeSecretName", - "Type": "String", - "DependsOn": "", - "DefaultValue": null, - "Required": false - }, - { - "Name": "KubeSecretType", - "DisplayName": "KubeSecretType", - "Type": "String", - "DependsOn": "", - "DefaultValue": "jks", - "Required": true - }, - { - "Name": "CertificateDataFieldName", - "DisplayName": "CertificateDataFieldName", - "Type": "String", - "DependsOn": "", - "DefaultValue": null, - "Required": false - }, - { - "Name": "PasswordFieldName", - "DisplayName": "PasswordFieldName", - "Type": "String", - "DependsOn": "", - "DefaultValue": "password", - "Required": false - }, - { - "Name": "PasswordIsK8SSecret", - "DisplayName": "PasswordIsK8SSecret", - "Type": "Bool", - "DependsOn": "", - "DefaultValue": "false", - "Required": false - }, - { - "Name": "StorePasswordPath", - "DisplayName": "StorePasswordPath", - "Type": "String", - "DependsOn": "", - "DefaultValue": null, - "Required": false - }, - { - "Name": "ServerUsername", - "DisplayName": "Server Username", - "Type": "Secret", - "DependsOn": "", - "DefaultValue": null, - "Required": false - }, - { - "Name": "ServerPassword", - "DisplayName": "Server Password", - "Type": "Secret", - "DependsOn": "", - "DefaultValue": null, - "Required": true - }, - { - "Name": "ServerUseSsl", - "DisplayName": "Use SSL", - "Type": "Bool", - "DependsOn": "", - "DefaultValue": "true", - "Required": true - } - ], - "EntryParameters": null, - "PasswordOptions": { - "EntrySupported": false, - "StoreRequired": true, - "Style": "Default" - }, - "StorePathType": "", - "StorePathValue": "", - "PrivateKeyAllowed": "Optional", - "JobProperties": [], - "ServerRequired": true, - "PowerShell": false, - "BlueprintAllowed": false, - "CustomAliasAllowed": "Required" - }, - { - "Name": "K8SNS", - "ShortName": "K8SNS", - "Capability": "K8SNS", - "LocalStore": false, - "SupportedOperations": { - "Add": true, - "Create": true, - "Discovery": true, - "Enrollment": false, - "Remove": true - }, - "Properties": [ - { - "Name": "KubeNamespace", - "DisplayName": "Kube Namespace", - "Type": "String", - "DependsOn": "", - "DefaultValue": "default", - "Required": false - }, - { - "Name": "ServerUsername", - "DisplayName": "Server Username", - "Type": "Secret", - "DependsOn": "", - "DefaultValue": null, - "Required": false - }, - { - "Name": "ServerPassword", - "DisplayName": "Server Password", - "Type": "Secret", - "DependsOn": "", - "DefaultValue": null, - "Required": true - }, - { - "Name": "ServerUseSsl", - "DisplayName": "Use SSL", - "Type": "Bool", - "DependsOn": "", - "DefaultValue": "true", - "Required": true - } - ], - "EntryParameters": null, - "PasswordOptions": { - "EntrySupported": false, - "StoreRequired": false, - "Style": "Default" - }, - "StorePathType": "", - "StorePathValue": "", - "PrivateKeyAllowed": "Optional", - "JobProperties": [], - "ServerRequired": true, - "PowerShell": false, - "BlueprintAllowed": false, - "CustomAliasAllowed": "Required" - }, - { - "Name": "K8SPKCS12", - "ShortName": "K8SPKCS12", - "Capability": "K8SPKCS12", - "LocalStore": false, - "SupportedOperations": { - "Add": true, - "Create": true, - "Discovery": true, - "Enrollment": false, - "Remove": true - }, - "Properties": [ - { - "Name": "KubeSecretKey", - "DisplayName": "Kube Secret Key", - "Type": "String", - "DependsOn": "", - "DefaultValue": "pfx", - "Required": false - }, - { - "Name": "PasswordFieldName", - "DisplayName": "Password Field Name", - "Type": "String", - "DependsOn": "", - "DefaultValue": "password", - "Required": false - }, - { - "Name": "PasswordIsK8SSecret", - "DisplayName": "Password Is K8S Secret", - "Type": "Bool", - "DependsOn": "", - "DefaultValue": "false", - "Required": false - }, - { - "Name": "KubeNamespace", - "DisplayName": "Kube Namespace", - "Type": "String", - "DependsOn": "", - "DefaultValue": "default", - "Required": false - }, - { - "Name": "KubeSecretName", - "DisplayName": "Kube Secret Name", - "Type": "String", - "DependsOn": "", - "DefaultValue": null, - "Required": false - }, - { - "Name": "ServerUsername", - "DisplayName": "Server Username", - "Type": "Secret", - "DependsOn": "", - "DefaultValue": null, - "Required": false - }, - { - "Name": "ServerPassword", - "DisplayName": "Server Password", - "Type": "Secret", - "DependsOn": "", - "DefaultValue": null, - "Required": true - }, - { - "Name": "ServerUseSsl", - "DisplayName": "Use SSL", - "Type": "Bool", - "DependsOn": "", - "DefaultValue": "true", - "Required": true - }, - { - "Name": "KubeSecretType", - "DisplayName": "Kube Secret Type", - "Type": "String", - "DependsOn": "", - "DefaultValue": "pkcs12", - "Required": true - }, - { - "Name": "StorePasswordPath", - "DisplayName": "StorePasswordPath", - "Type": "String", - "DependsOn": "", - "DefaultValue": null, - "Required": false - } - ], - "EntryParameters": null, - "PasswordOptions": { - "EntrySupported": false, - "StoreRequired": true, - "Style": "Default" - }, - "StorePathType": "", - "StorePathValue": "", - "PrivateKeyAllowed": "Optional", - "JobProperties": [], - "ServerRequired": true, - "PowerShell": false, - "BlueprintAllowed": false, - "CustomAliasAllowed": "Required" - }, - { - "Name": "K8SSecret", - "ShortName": "K8SSecret", - "Capability": "K8SSecret", - "LocalStore": false, - "SupportedOperations": { - "Add": true, - "Create": true, - "Discovery": true, - "Enrollment": false, - "Remove": true - }, - "Properties": [ - { - "Name": "KubeNamespace", - "DisplayName": "KubeNamespace", - "Type": "String", - "DependsOn": "", - "DefaultValue": null, - "Required": false - }, - { - "Name": "KubeSecretName", - "DisplayName": "KubeSecretName", - "Type": "String", - "DependsOn": "", - "DefaultValue": null, - "Required": false - }, - { - "Name": "KubeSecretType", - "DisplayName": "KubeSecretType", - "Type": "String", - "DependsOn": "", - "DefaultValue": "secret", - "Required": true - }, - { - "Name": "ServerUsername", - "DisplayName": "Server Username", - "Type": "Secret", - "DependsOn": "", - "DefaultValue": null, - "Required": false - }, - { - "Name": "ServerPassword", - "DisplayName": "Server Password", - "Type": "Secret", - "DependsOn": "", - "DefaultValue": null, - "Required": true - }, - { - "Name": "ServerUseSsl", - "DisplayName": "Use SSL", - "Type": "Bool", - "DependsOn": "", - "DefaultValue": "true", - "Required": true - } - ], - "EntryParameters": null, - "PasswordOptions": { - "EntrySupported": false, - "StoreRequired": false, - "Style": "Default" - }, - "StorePathType": "", - "StorePathValue": "", - "PrivateKeyAllowed": "Optional", - "JobProperties": [], - "ServerRequired": true, - "PowerShell": false, - "BlueprintAllowed": false, - "CustomAliasAllowed": "Forbidden" - }, - { - "Name": "K8STLSSecr", - "ShortName": "K8STLSSecr", - "Capability": "K8STLSSecr", - "LocalStore": false, - "SupportedOperations": { - "Add": true, - "Create": true, - "Discovery": true, - "Enrollment": false, - "Remove": true - }, - "Properties": [ - { - "Name": "KubeNamespace", - "DisplayName": "KubeNamespace", - "Type": "String", - "DependsOn": "", - "DefaultValue": null, - "Required": false - }, - { - "Name": "KubeSecretName", - "DisplayName": "KubeSecretName", - "Type": "String", - "DependsOn": "", - "DefaultValue": null, - "Required": false - }, - { - "Name": "KubeSecretType", - "DisplayName": "KubeSecretType", - "Type": "String", - "DependsOn": "", - "DefaultValue": "tls_secret", - "Required": true - }, - { - "Name": "ServerUsername", - "DisplayName": "Server Username", - "Type": "Secret", - "DependsOn": "", - "DefaultValue": null, - "Required": false - }, - { - "Name": "ServerPassword", - "DisplayName": "Server Password", - "Type": "Secret", - "DependsOn": "", - "DefaultValue": null, - "Required": true - }, - { - "Name": "ServerUseSsl", - "DisplayName": "Use SSL", - "Type": "Bool", - "DependsOn": "", - "DefaultValue": "true", - "Required": true - } - ], - "EntryParameters": null, - "PasswordOptions": { - "EntrySupported": false, - "StoreRequired": false, - "Style": "Default" - }, - "StorePathType": "", - "StorePathValue": "", - "PrivateKeyAllowed": "Optional", - "JobProperties": [], - "ServerRequired": true, - "PowerShell": false, - "BlueprintAllowed": false, - "CustomAliasAllowed": "Forbidden" + "$schema": "/Users/hroszell/coding/dev/staff-tools/keyfactor.github.io/v2/integration-manifest-schema.json", + "integration_type": "orchestrator", + "name": "Kubernetes Orchestrator Extension", + "status": "production", + "description": "The Kubernetes Orchestrator allows for the remote management of certificate stores defined in a Kubernetes cluster. The following types of Kubernetes resources are supported: kubernetes secrets of `kubernetes.io/tls` or `Opaque` and kubernetes certificates `certificates.k8s.io/v1`", + "short_description": "The Kubernetes Orchestrator allows for remote management of Kubernetes secret types 'Opaque' and 'kubernetes.io/tls' as well as 'certificates.k8s.io/v1' resources. ", + "link_github": true, + "topics": [ + "kubernetes", + "certificates", + "secrets", + "k8s", + "aks", + "eks", + "gke", + "keyfactor", + "orchestrator", + "keyfactor-universal-orchestrator" + ], + "update_catalog": true, + "support_level": "kf-supported", + "about": { + "orchestrator": { + "UOFramework": "10.1", + "pam_support": true, + "win": { + "supportsCreateStore": true, + "supportsDiscovery": true, + "supportsManagementAdd": true, + "supportsManagementRemove": true, + "supportsReenrollment": false, + "supportsInventory": true, + "platformSupport": "Unused" + }, + "linux": { + "supportsCreateStore": true, + "supportsDiscovery": true, + "supportsManagementAdd": true, + "supportsManagementRemove": true, + "supportsReenrollment": false, + "supportsInventory": true, + "platformSupport": "Unused" + }, + "store_types": [ + { + "Name": "K8SCert", + "ShortName": "K8SCert", + "Capability": "K8SCert", + "LocalStore": false, + "SupportedOperations": { + "Add": false, + "Create": false, + "Discovery": true, + "Enrollment": false, + "Remove": false + }, + "Properties": [], + "EntryParameters": [], + "PasswordOptions": { + "EntrySupported": false, + "StoreRequired": false, + "Style": "Default" + }, + "StorePathType": "", + "StorePathValue": "", + "PrivateKeyAllowed": "Forbidden", + "JobProperties": [], + "ServerRequired": true, + "PowerShell": false, + "BlueprintAllowed": false, + "CustomAliasAllowed": "Forbidden", + "ClientMachineDescription": "For the Client Machine field when instantiating new Certificate Stores of type 'K8SCert', enter the Kubernetes cluster endpoint or API server URL. Example: 'https://api.k8s.cluster.local:6443'.", + "StorePathDescription": "For the Store Path field when instantiating new Certificate Stores of type 'K8SCert', enter the namespace and the name of the certificate resource in the format 'namespace/certificateName'. Example: 'default/my-k8s-cert'." + }, + { + "Name": "K8SCluster", + "ShortName": "K8SCluster", + "Capability": "K8SCluster", + "LocalStore": false, + "SupportedOperations": { + "Add": true, + "Create": true, + "Discovery": false, + "Enrollment": false, + "Remove": true + }, + "Properties": [], + "EntryParameters": [], + "PasswordOptions": { + "EntrySupported": false, + "StoreRequired": false, + "Style": "Default" + }, + "StorePathType": "", + "StorePathValue": "", + "PrivateKeyAllowed": "Optional", + "JobProperties": [], + "ServerRequired": true, + "PowerShell": false, + "BlueprintAllowed": false, + "CustomAliasAllowed": "Required", + "ClientMachineDescription": "For the Client Machine field when instantiating new Certificate Stores of type 'K8SCluster', enter the Kubernetes cluster endpoint or API server URL. Example: 'https://api.k8s.cluster.local:6443'.", + "StorePathDescription": "For the Store Path field when instantiating new Certificate Stores of type 'K8SCluster', enter the name of the Kubernetes cluster. Example: 'my-k8s-cluster'." + }, + { + "Name": "K8SJKS", + "ShortName": "K8SJKS", + "Capability": "K8SJKS", + "LocalStore": false, + "SupportedOperations": { + "Add": true, + "Create": true, + "Discovery": true, + "Enrollment": false, + "Remove": true + }, + "Properties": [], + "EntryParameters": [], + "PasswordOptions": { + "EntrySupported": false, + "StoreRequired": true, + "Style": "Default" + }, + "StorePathType": "", + "StorePathValue": "", + "PrivateKeyAllowed": "Optional", + "JobProperties": [], + "ServerRequired": true, + "PowerShell": false, + "BlueprintAllowed": false, + "CustomAliasAllowed": "Required", + "ClientMachineDescription": "For the Client Machine field when instantiating new Certificate Stores of type 'K8SJKS', enter the Kubernetes cluster endpoint or API server URL. Example: 'https://api.k8s.cluster.local:6443'.", + "StorePathDescription": "For the Store Path field when instantiating new Certificate Stores of type 'K8SJKS', enter the namespace and the secret name containing the JKS data in the format 'namespace/secretName'. Example: 'default/my-jks-secret'." + }, + { + "Name": "K8SNS", + "ShortName": "K8SNS", + "Capability": "K8SNS", + "LocalStore": false, + "SupportedOperations": { + "Add": true, + "Create": true, + "Discovery": true, + "Enrollment": false, + "Remove": true + }, + "Properties": [], + "EntryParameters": [], + "PasswordOptions": { + "EntrySupported": false, + "StoreRequired": false, + "Style": "Default" + }, + "StorePathType": "", + "StorePathValue": "", + "PrivateKeyAllowed": "Optional", + "JobProperties": [], + "ServerRequired": true, + "PowerShell": false, + "BlueprintAllowed": false, + "CustomAliasAllowed": "Required", + "ClientMachineDescription": "For the Client Machine field when instantiating new Certificate Stores of type 'K8SNS', enter the Kubernetes cluster endpoint or API server URL. Example: 'https://api.k8s.cluster.local:6443'.", + "StorePathDescription": "For the Store Path field when instantiating new Certificate Stores of type 'K8SNS', enter the namespace you wish to manage. Example: 'default'." + }, + { + "Name": "K8SPKCS12", + "ShortName": "K8SPKCS12", + "Capability": "K8SPKCS12", + "LocalStore": false, + "SupportedOperations": { + "Add": true, + "Create": true, + "Discovery": true, + "Enrollment": false, + "Remove": true + }, + "Properties": [], + "EntryParameters": [], + "PasswordOptions": { + "EntrySupported": false, + "StoreRequired": true, + "Style": "Default" + }, + "StorePathType": "", + "StorePathValue": "", + "PrivateKeyAllowed": "Optional", + "JobProperties": [], + "ServerRequired": true, + "PowerShell": false, + "BlueprintAllowed": false, + "CustomAliasAllowed": "Required", + "ClientMachineDescription": "For the Client Machine field when instantiating new Certificate Stores of type 'K8SPKCS12', enter the Kubernetes cluster endpoint or API server URL. Example: 'https://api.k8s.cluster.local:6443'.", + "StorePathDescription": "For the Store Path field when instantiating new Certificate Stores of type 'K8SPKCS12', enter the namespace and the secret name containing the PKCS12 data in the format 'namespace/secretName'. Example: 'default/my-pkcs12-secret'." + }, + { + "Name": "K8SSecret", + "ShortName": "K8SSecret", + "Capability": "K8SSecret", + "LocalStore": false, + "SupportedOperations": { + "Add": true, + "Create": true, + "Discovery": true, + "Enrollment": false, + "Remove": true + }, + "Properties": [], + "EntryParameters": [], + "PasswordOptions": { + "EntrySupported": false, + "StoreRequired": false, + "Style": "Default" + }, + "StorePathType": "", + "StorePathValue": "", + "PrivateKeyAllowed": "Optional", + "JobProperties": [], + "ServerRequired": true, + "PowerShell": false, + "BlueprintAllowed": false, + "CustomAliasAllowed": "Forbidden", + "ClientMachineDescription": "For the Client Machine field when instantiating new Certificate Stores of type 'K8SSecret', enter the Kubernetes cluster endpoint or API server URL. Example: 'https://api.k8s.cluster.local:6443'.", + "StorePathDescription": "For the Store Path field when instantiating new Certificate Stores of type 'K8SSecret', enter the namespace and the secret name in the format 'namespace/secretName'. Example: 'default/my-secret'." + }, + { + "Name": "K8STLSSecr", + "ShortName": "K8STLSSecr", + "Capability": "K8STLSSecr", + "LocalStore": false, + "SupportedOperations": { + "Add": true, + "Create": true, + "Discovery": true, + "Enrollment": false, + "Remove": true + }, + "Properties": [], + "EntryParameters": [], + "PasswordOptions": { + "EntrySupported": false, + "StoreRequired": false, + "Style": "Default" + }, + "StorePathType": "", + "StorePathValue": "", + "PrivateKeyAllowed": "Optional", + "JobProperties": [], + "ServerRequired": true, + "PowerShell": false, + "BlueprintAllowed": false, + "CustomAliasAllowed": "Forbidden", + "ClientMachineDescription": "For the Client Machine field when instantiating new Certificate Stores of type 'K8STLSSecr', enter the Kubernetes cluster endpoint or API server URL. Example: 'https://api.k8s.cluster.local:6443'.", + "StorePathDescription": "For the Store Path field when instantiating new Certificate Stores of type 'K8STLSSecr', enter the namespace and the secret name in the format 'namespace/secretName'. Example: 'default/my-tls-secret'." + } + ] } - ] } - } -} +} \ No newline at end of file