secrets-agent usage

Usage of the secrets-agent is controlled with environment variables. Add the following environment variables to the secrets-agent container in your Kubernetes (K8s) YAML manifest:

Environment variables

  1. SECRETS_PATH
    • Optional sidecar or initContainer environment variable.
    • Defaults to: /usr/src/app/secrets_files
    • The name and path of the folder on the volume in which secrets and their metadata are stored.
    • Example usage:
SECRETS_PATH="/usr/src/app/secrets_files"
  2. BT_API_URL
    • Mandatory sidecar or initContainer environment variable.
    • The URL for retrieving secrets.
    • Example usage:
BT_API_URL=https://PasswordSafeInstance.com:443/BeyondTrust/api/public/v3
  3. BT_API_KEY
    • Mandatory sidecar or initContainer environment variable.
    • The registered API key.
    • Example usage:
BT_API_KEY="<API-KEY>;runas=username;"
  4. SECRETS_LIST
    • Optional sidecar or initContainer environment variable.
    • By default, a comma-delimited list of Secrets Safe paths.
    • Use LIST_DELIMITER to change the default comma delimiter to a different character.
    • Example usage:
SECRETS_LIST=rootFolder/childFolder1/secretTitle,rootFolder/secretTitle
  5. FOLDER_LIST
    • Optional sidecar or initContainer environment variable.
    • By default, a comma-delimited list of Secrets Safe folder paths.
    • Use LIST_DELIMITER to change the default comma delimiter to a different character.
    • Only secrets at the level specified are retrieved. This variable does not traverse subfolders for secrets.
    • Example usage:
FOLDER_LIST=rootFolder/childFolder1/,rootFolder2/
  6. MANAGED_ACCOUNTS_LIST
    • Optional sidecar or initContainer environment variable.
    • By default, a comma-delimited list of managed account paths.
    • Use LIST_DELIMITER to change the default comma delimiter to a different character.
    • Example usage:
MANAGED_ACCOUNTS_LIST=server2019/accountName1,server2019/accountName2
  7. BT_VERIFY_CA
    • Optional sidecar or initContainer environment variable.
    • Controls whether the secrets-agent verifies the Password Safe certificate authority. If the variable is not specified or BT_VERIFY_CA=False, the CA is not verified; set BT_VERIFY_CA=True to verify it.
    • Example usage:
BT_VERIFY_CA=False

OR

name: BT_VERIFY_CA
value: "False"
  8. POLLING_WAIT_BETWEEN_REQUESTS_MINUTES
    • Mandatory sidecar-only environment variable.
    • When running secrets-agent as a sidecar, this specifies how long to wait between subsequent secrets requests. The recommended wait time is 20 minutes. The minimum wait is 5 minutes.
    • If not specified or POLLING_WAIT_BETWEEN_REQUESTS_MINUTES=0, there will be no polling.
    • If this variable is used in an initContainer configuration, the initContainer will never complete.
    • Example usage:
POLLING_WAIT_BETWEEN_REQUESTS_MINUTES=20
  9. BT_CLIENT_CERTIFICATE_PATH
    • Optional sidecar or initContainer environment variable.
    • The path to a persistent volume containing the client certificate file. If the path is empty, a client certificate is not used.
    • Example usage:
BT_CLIENT_CERTIFICATE_PATH="/usr/src/app/certificate/certificate.pfx"
  10. BT_CLIENT_CERTIFICATE_PASSWORD
    • Optional sidecar or initContainer environment variable.
    • The client certificate password.
    • Example usage:
BT_CLIENT_CERTIFICATE_PASSWORD=password
  11. LIST_DELIMITER
    • Optional sidecar or initContainer environment variable. Defaults to a comma if not specified.
    • Used to change the default delimiter for the SECRETS_LIST, FOLDER_LIST and MANAGED_ACCOUNTS_LIST variables.
    • Example usage:
LIST_DELIMITER=";"

The initContainer environment variable list from the manifest example above can be expanded to include these options for a client certificate file:

apiVersion: v1
kind: PersistentVolume
metadata:
  name: pv
spec:
  storageClassName: standard
  capacity:
    storage: 5Gi
  accessModes:
    - ReadWriteMany
  hostPath:
    path: "/home/docker/"
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: pvc
spec:
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 200Mi
  storageClassName: standard
  volumeName: pv
---
apiVersion: v1
kind: Pod
metadata:
  name: passwordsafe-integration
spec:
  volumes:
    - name: secrets
      emptyDir:
        medium: Memory
    - name: certificate
      persistentVolumeClaim:
        claimName: pvc
  containers:
  - name: secrets-agent-sidecar
    image: secrets-agent:latest
    volumeMounts:
      - name: secrets
        mountPath: /usr/src/app/secrets_files
      - name: certificate
        mountPath: /usr/src/app/certificate
    ports:
      - containerPort: 8000
        name: secrets-agent
    imagePullPolicy: Never
    resources:
      limits:
        memory: "400Mi"
    env:
    - name: SECRETS_PATH
      value: "/usr/src/app/secrets_files"
    - name: BT_API_URL
      value: "https://example.com:443/BeyondTrust/api/public/v3"
    - name: BT_API_KEY
      value: "<API-KEY>;runas=username;"
    - name: SECRETS_LIST
      value: "rootFolder/childFolder1/secretTitle"
    - name: FOLDER_LIST
      value: "rootFolder/childFolder2"
    - name: MANAGED_ACCOUNTS_LIST
      value: "Server2016Standard/serveruser1"
    - name: POLLING_WAIT_BETWEEN_REQUESTS_MINUTES
      value: "20"
    - name: BT_VERIFY_CA
      value: "True"
    - name: BT_CLIENT_CERTIFICATE_PATH
      value: "/usr/src/app/certificate/certificate.pfx"
    - name: BT_CLIENT_CERTIFICATE_PASSWORD
      value: "***************"
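The variable reference above gives several rules that are easy to get wrong in a manifest: the CA is not verified unless BT_VERIFY_CA is True, the polling wait has a 5 minute minimum, a polling wait on an initContainer makes it never complete, and the three list variables share LIST_DELIMITER. The following preflight check is an added example, not code from the secrets-agent project. It takes the env block of a container as a name-to-value mapping (the sample below is constructed to mirror the sidecar env block in the manifest above) and reports errors and warnings against those rules before the Pod is applied. The mode names "sidecar" and "initContainer", the Preflight structure and the warning about a missing ";runas=username;" segment in the API key are this script's own assumptions.

```python
"""Preflight check for a secrets-agent environment block.

Added example, not part of the secrets-agent project: it encodes the rules of
the variable reference (defaults, mandatory variables, LIST_DELIMITER, polling
limits, the initContainer caveat, CA verification).  The mode names and the
'runas' warning are this script's own assumptions.
"""
from dataclasses import dataclass, field

DEFAULT_SECRETS_PATH = "/usr/src/app/secrets_files"
DEFAULT_DELIMITER = ","
MIN_POLL_MINUTES = 5           # documented minimum wait
RECOMMENDED_POLL_MINUTES = 20  # documented recommended wait


@dataclass
class Preflight:
    mode: str
    secrets_path: str = DEFAULT_SECRETS_PATH
    secrets: list = field(default_factory=list)
    folders: list = field(default_factory=list)
    managed_accounts: list = field(default_factory=list)
    verify_ca: bool = False
    poll_minutes: int = 0
    client_cert: str = ""
    errors: list = field(default_factory=list)
    warnings: list = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.errors


def _split(value: str, delimiter: str) -> list:
    """Split a delimited list variable, dropping blanks and surrounding whitespace."""
    return [item.strip() for item in value.split(delimiter) if item.strip()]


def validate(env: dict, mode: str) -> Preflight:
    """Check a name -> value mapping (the container's env block) for the given mode."""
    if mode not in ("sidecar", "initContainer"):
        raise ValueError("mode must be 'sidecar' or 'initContainer'")
    p = Preflight(mode=mode)
    p.secrets_path = env.get("SECRETS_PATH") or DEFAULT_SECRETS_PATH

    for name in ("BT_API_URL", "BT_API_KEY"):
        if not env.get(name):
            p.errors.append(f"{name} is mandatory")
    # Assumption: keys follow the documented "<API-KEY>;runas=username;" form.
    if env.get("BT_API_KEY") and "runas=" not in env["BT_API_KEY"]:
        p.warnings.append("BT_API_KEY has no ';runas=username;' segment")

    delim = env.get("LIST_DELIMITER") or DEFAULT_DELIMITER
    p.secrets = _split(env.get("SECRETS_LIST", ""), delim)
    p.folders = _split(env.get("FOLDER_LIST", ""), delim)
    p.managed_accounts = _split(env.get("MANAGED_ACCOUNTS_LIST", ""), delim)
    if not (p.secrets or p.folders or p.managed_accounts):
        p.warnings.append("no SECRETS_LIST, FOLDER_LIST or MANAGED_ACCOUNTS_LIST given")

    # Unset or False means the Password Safe CA is not verified.
    p.verify_ca = env.get("BT_VERIFY_CA", "").strip().lower() == "true"
    if not p.verify_ca:
        p.warnings.append("BT_VERIFY_CA is not True: Password Safe CA will not be verified")

    raw = env.get("POLLING_WAIT_BETWEEN_REQUESTS_MINUTES", "").strip() or "0"
    try:
        p.poll_minutes = int(raw)
    except ValueError:
        p.errors.append(f"POLLING_WAIT_BETWEEN_REQUESTS_MINUTES={raw!r} is not an integer")
    if mode == "sidecar":
        if p.poll_minutes == 0:
            p.warnings.append("POLLING_WAIT_BETWEEN_REQUESTS_MINUTES unset or 0: no polling")
        elif p.poll_minutes < MIN_POLL_MINUTES:
            p.errors.append(f"polling wait must be at least {MIN_POLL_MINUTES} minutes")
        elif p.poll_minutes < RECOMMENDED_POLL_MINUTES:
            p.warnings.append(f"polling wait below the recommended {RECOMMENDED_POLL_MINUTES} minutes")
    elif p.poll_minutes != 0:
        p.errors.append("polling set on an initContainer: it will never complete")

    p.client_cert = env.get("BT_CLIENT_CERTIFICATE_PATH", "").strip()
    if p.client_cert and not env.get("BT_CLIENT_CERTIFICATE_PASSWORD"):
        p.warnings.append("BT_CLIENT_CERTIFICATE_PATH set but BT_CLIENT_CERTIFICATE_PASSWORD is empty")
    return p


# Constructed sample mirroring the sidecar env block in the manifest.
SAMPLE_ENV = {
    "BT_API_URL": "https://example.com:443/BeyondTrust/api/public/v3",
    "BT_API_KEY": "<API-KEY>;runas=username;",
    "SECRETS_LIST": "rootFolder/childFolder1/secretTitle",
    "FOLDER_LIST": "rootFolder/childFolder2",
    "MANAGED_ACCOUNTS_LIST": "Server2016Standard/serveruser1",
    "POLLING_WAIT_BETWEEN_REQUESTS_MINUTES": "20",
    "BT_VERIFY_CA": "True",
    "BT_CLIENT_CERTIFICATE_PATH": "/usr/src/app/certificate/certificate.pfx",
    "BT_CLIENT_CERTIFICATE_PASSWORD": "***************",
}

if __name__ == "__main__":
    # The same env block passes as a sidecar but fails as an initContainer
    # because of the polling variable.
    for mode in ("sidecar", "initContainer"):
        p = validate(SAMPLE_ENV, mode)
        print(mode, "OK" if p.ok else "FAIL", p.errors, p.warnings)
```

Run it against the env block of each secrets-agent container before applying the manifest; a FAIL line means a rule from the reference is violated, and a WARN line points at a setting (most often BT_VERIFY_CA left unset) that is valid but weaker than the manifest example above.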