secrets-agent usage
Usage for the secrets-agent is controlled using environment variables. Add the following environment variables to your K8s yaml file:
Environment variables
- SECRETS_PATH
  - Optional sidecar or initContainer environment variable.
  - Defaults to: /usr/src/app/secrets_files
  - The name and path of the folder on the volume in which secrets and their metadata are stored.
  - Example usage:
    SECRETS_PATH="/usr/src/app/secrets_files"
- BT_API_URL
  - Mandatory sidecar or initContainer environment variable.
  - The URL for retrieving secrets.
  - Example usage:
    BT_API_URL=https://PasswordSafeInstance.com:443/BeyondTrust/api/public/v3
- BT_API_KEY
  - Mandatory sidecar or initContainer environment variable.
  - The registered API key.
  - Example usage:
    BT_API_KEY="<API-KEY>;runas=username;"
- SECRETS_LIST
  - Optional sidecar or initContainer environment variable.
  - By default a comma-delimited list of Secrets Safe paths.
  - Use LIST_DELIMITER to change the default comma delimiter to a different character.
  - Example usage:
    SECRETS_LIST=rootFolder/childFolder1/secretTitle,rootFolder/secretTitle
- FOLDER_LIST
  - Optional sidecar or initContainer environment variable.
  - By default a comma-delimited list of Secrets Safe folder paths.
  - Use LIST_DELIMITER to change the default comma delimiter to a different character.
  - Only secrets at the level specified are shown; this variable does not traverse subfolders for secrets.
  - Example usage:
    FOLDER_LIST=rootFolder/childFolder1/,rootFolder2/
- MANAGED_ACCOUNTS_LIST
  - Optional sidecar or initContainer environment variable.
  - By default a comma-delimited list of managed account paths.
  - Use LIST_DELIMITER to change the default comma delimiter to a different character.
  - Example usage:
    MANAGED_ACCOUNTS_LIST=server2019/accountName1,server2019/accountName2
- BT_VERIFY_CA
  - Optional sidecar or initContainer environment variable.
  - Controls whether the secrets-agent verifies the Password Safe certificate authority. If the variable is not specified, or BT_VERIFY_CA=False, the CA is not verified; set BT_VERIFY_CA=True to verify it.
  - Example usage:
    BT_VERIFY_CA=False
    OR
    - name: BT_VERIFY_CA
      value: "False"
- POLLING_WAIT_BETWEEN_REQUESTS_MINUTES
  - Mandatory sidecar-only environment variable.
  - When running secrets-agent as a sidecar, you can specify how long to wait between subsequent secrets requests. The recommended wait time is 20 minutes. The minimum wait is 5 minutes.
  - If not specified or POLLING_WAIT_BETWEEN_REQUESTS_MINUTES=0, there is no polling.
  - If this variable is used in an initContainer configuration, the initContainer will never complete.
  - Example usage:
    POLLING_WAIT_BETWEEN_REQUESTS_MINUTES=20
- BT_CLIENT_CERTIFICATE_PATH
  - Optional sidecar or initContainer environment variable.
  - The path to a persistent volume holding the client certificate file. If the path is empty, a client certificate is not used.
  - Example usage:
    BT_CLIENT_CERTIFICATE_PATH="/usr/src/app/certificate/certificate.pfx"
- BT_CLIENT_CERTIFICATE_PASSWORD
  - Optional sidecar or initContainer environment variable.
  - The client certificate password.
  - Example usage:
    BT_CLIENT_CERTIFICATE_PASSWORD=password
- LIST_DELIMITER
  - Optional sidecar or initContainer environment variable. Defaults to a comma if not specified.
  - Changes the default delimiter for the SECRETS_LIST, FOLDER_LIST and MANAGED_ACCOUNTS_LIST variables.
  - Example usage:
    LIST_DELIMITER=";"
The initContainer environment variable list from the manifest example above can be expanded to include these options for a client certificate file:
apiVersion: v1
kind: PersistentVolume
metadata:
  name: pv
spec:
  storageClassName: standard
  capacity:
    storage: 5Gi
  accessModes:
    - ReadWriteMany
  hostPath:
    path: "/home/docker/"
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: pvc
spec:
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 200Mi
  storageClassName: standard
  volumeName: pv
---
apiVersion: v1
kind: Pod
metadata:
  name: passwordsafe-integration
spec:
  volumes:
    - name: secrets
      emptyDir:
        medium: Memory
    - name: certificate
      persistentVolumeClaim:
        claimName: pvc
  containers:
    - name: secrets-agent-sidecar
      image: secrets-agent:latest
      volumeMounts:
        - name: secrets
          mountPath: /usr/src/app/secrets_files
        - name: certificate
          mountPath: /usr/src/app/certificate
      ports:
        - containerPort: 8000
          name: secrets-agent
      imagePullPolicy: Never
      resources:
        limits:
          memory: "400Mi"
      env:
        - name: SECRETS_PATH
          value: "/usr/src/app/secrets_files"
        - name: BT_API_URL
          value: "https://example.com:443/BeyondTrust/api/public/v3"
        - name: BT_API_KEY
          value: "<API-KEY>;runas=username;"
        - name: SECRETS_LIST
          value: "rootFolder/childFolder1/secretTitle"
        - name: FOLDER_LIST
          value: "rootFolder/childFolder2"
        - name: MANAGED_ACCOUNTS_LIST
          value: "Server2016Standard/serveruser1"
        - name: POLLING_WAIT_BETWEEN_REQUESTS_MINUTES
          value: "20"
        - name: BT_VERIFY_CA
          value: "True"
        - name: BT_CLIENT_CERTIFICATE_PATH
          value: "/usr/src/app/certificate/certificate.pfx"
        - name: BT_CLIENT_CERTIFICATE_PASSWORD
          value: "***************"
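The variable rules above (mandatory keys, LIST_DELIMITER splitting, the BT_VERIFY_CA default of no CA verification, and the polling-wait minimum and initContainer caveat) can be checked before a manifest like the one above is applied. The following linter is an added example and not secrets-agent project code; `lint_env`, `split_list` and `env_to_dict` are assumed names, and the input is the container's `env:` list as Kubernetes-style {name, value} dicts.

```python
"""Lint a secrets-agent `env:` list against the rules in this document.
Added example, not secrets-agent project code; function names are assumed and
the input is a Kubernetes-style list of {name, value} dicts."""
MANDATORY = ("BT_API_URL", "BT_API_KEY")
LIST_VARS = ("SECRETS_LIST", "FOLDER_LIST", "MANAGED_ACCOUNTS_LIST")
MIN_POLL_MINUTES = 5

def env_to_dict(env):
    """Flatten a Kubernetes env list into {name: value}; later entries win."""
    return {e["name"]: str(e.get("value", "")) for e in env}

def split_list(value, delimiter=","):
    """Split a list variable on LIST_DELIMITER (default comma), dropping blanks."""
    return [item.strip() for item in value.split(delimiter) if item.strip()]

def lint_env(env, init_container=False):
    """Return findings as strings; an empty list means the env passes."""
    cfg = env_to_dict(env)
    findings = []
    for name in MANDATORY:
        if not cfg.get(name):
            findings.append(f"{name} is mandatory but missing or empty")
    # Unset or False means the Password Safe CA is NOT verified (the default).
    if cfg.get("BT_VERIFY_CA", "False").lower() != "true":
        findings.append("BT_VERIFY_CA is not True: TLS CA verification is disabled")
    delimiter = cfg.get("LIST_DELIMITER", ",")
    if not any(split_list(cfg.get(v, ""), delimiter) for v in LIST_VARS):
        findings.append("no secrets, folders or managed accounts requested")
    poll = cfg.get("POLLING_WAIT_BETWEEN_REQUESTS_MINUTES", "0")
    if not poll.isdigit():
        findings.append("POLLING_WAIT_BETWEEN_REQUESTS_MINUTES must be an integer")
    elif int(poll) > 0 and init_container:
        findings.append("polling set on an initContainer: it will never complete")
    elif 0 < int(poll) < MIN_POLL_MINUTES:
        findings.append(f"polling wait below the {MIN_POLL_MINUTES} minute minimum")
    elif int(poll) == 0 and not init_container:
        findings.append("sidecar without polling: secrets fetched once, never refreshed")
    return findings

# Constructed sample: the document's sidecar env with BT_VERIFY_CA left unset
# (CA not verified) and the polling wait set below the 5 minute minimum.
SAMPLE_ENV = [
    {"name": "BT_API_URL", "value": "https://example.com:443/BeyondTrust/api/public/v3"},
    {"name": "BT_API_KEY", "value": "<API-KEY>;runas=username;"},
    {"name": "SECRETS_LIST", "value": "rootFolder/childFolder1/secretTitle;rootFolder/secretTitle"},
    {"name": "LIST_DELIMITER", "value": ";"},
    {"name": "POLLING_WAIT_BETWEEN_REQUESTS_MINUTES", "value": "3"},
]
```

Running `lint_env(SAMPLE_ENV)` reports the disabled CA check and the too-short wait; passing `init_container=True` for an initContainer spec instead flags any non-zero polling wait.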