@wstrange
Last active June 29, 2020 17:12
secret agent proposed format
apiVersion: secret-agent.secrets.forgerock.io/v1alpha1
kind: SecretAgentConfiguration
metadata:
  name: platform-secrets
  namespace: warren # secret-agent CRD is namespaced
spec:
  appConfig:
    createKubernetesObjects: true # true if we should create k8s secrets
    retainSecrets: true # retain secrets if the CRD is deleted. Not implemented
    secretsManager: none # none, AWS, or GCP
    # gcpProjectID: example-projectID
    # awsRegion: example-region
    # azureVaultName: example-vault
  secrets:
    # A platform CA is used for mTLS within a deployment and to sign
    # other certs in the platform.
    - name: platform-ca
      keys:
        # The type `ca` implicitly generates public and private secrets.
        # The following secret + keys will exist in the namespace
        # and can be referenced directly:
        #   platform-ca/ca.pem
        #   platform-ca/ca-private.pem
        - name: ca
          type: ca
    # Example of generating SSH keys
    - name: amster-ssh
      keys:
        # The type "ssh" will generate a keypair for ssh. This results in the following secrets + keys:
        #   amster-ssh/id_rsa
        #   amster-ssh/id_rsa.pub
        - name: id_rsa
          type: ssh
    ## Secrets for the directory server
    - name: ds-env-secrets
      keys:
        - name: dirmanager.pw
          type: password
          # Note that types always have a spec which is unique to the type
          spec:
            length: 32
        # Example of a literal password
        - name: monitor.pw
          type: literal
          spec:
            value: prometheus
        # A secret populated from an existing secret
        - name: some-other-secret
          type: secretReference
          spec:
            # value is the path including the secret name (in this namespace) and the key.
            # This is a json path expression
            value: /mysecret/mykey
    - name: ds
      keys:
        - name: keystore.pin
          type: password
          spec:
            length: 32
        - name: ssl-key-pair
          type: keyPair
          spec:
            algorithm: ECDSAWithSHA256
            commonName: ds
            sans:
              - "*.ds"
              - "*.ds-idrepo"
              - "*.ds-cts"
            signedWith: /platform-ca/ca.pem # json path to a secret + key
        - name: master-key-pair
          type: keyPair
          spec:
            algorithm: SHA256WithRSA
            commonName: master-key
            signedWith: /platform-ca-private/ca.pem
        # Keystore example. Mirrors the keytool command.
        # See https://docs.oracle.com/en/java/javase/14/docs/specs/man/keytool.html
        - name: keystore.p12
          type: keytool
          spec:
            storeType: p12
            # Note: storePass and keyPass are secret references.
            storePass: ds/keystore.pin
            keyPass: ds/keystore.pin
            # aliases is a map from alias name to the spec for how to generate that alias
            aliases:
              ca-cert:
                importcert: "/platform-ca/ca.pem"
              ssl-keypair:
                importcert: "/ds/ssl-keypair"
              master-keypair:
                importcert: "/ds/master-keypair"
    # AM secret files that get mounted.
    - name: am-passwords
      keys:
        - name: .keypass
          type: password
          spec:
            length: 32
        - name: .storepass
          type: password
          spec:
            length: 32
    - name: am-keystore
      keys:
        - name: keystore.jceks
          type: keytool
          spec:
            storeType: jceks
            storePass: /mysecret/mykey # this is a secret reference
            keyPass: /mysecret/mykey
            # aliases. Only a subset of keytool commands are supported.
            aliases:
              rsajwtsigningkey:
                # These are essentially the arguments to the keytool -genkeypair command
                genkeypair: ["-keyalg", "RSA", "-keysize", "2048", "-validity", "7300"]
              ec256test:
                genkeypair: ["-keyalg", "EC", "-sigalg", "SHA256withECDSA", "-dname", "CN=ForgeRock", "-keysize", "256"]
              hmacsigningtest:
                genseckey: ["-keyalg", "HMacSHA512", "-keysize", "512"]
              # Alternative form: a list of {name, cmd, args} entries instead of a map.
              # Shown commented out, since a YAML map cannot also contain list items.
              # - name: hmacsigning
              #   cmd: genseckey
              #   args: ["-keyalg", "HMacSHA512", "-keysize", "512"]
              # - name: configstorepwd
              #   cmd: importpass
              #   path: /mysecret/mykey
              # Example of importing a password into keytool
              configstorepwd:
                importpass: /mysecret/mykey
              my-imported-cert:
                # This is the "escape hatch" to import other certs, CA signed certs, etc.
                importcert: /truststore/ca.pem
    # Type truststore creates a java truststore. It implicitly imports
    # the system truststore in /etc/ and concatenates any of our certs.
    - name: truststore
      keys:
        - name: truststore
          type: truststore
          spec:
            importcerts: ["/platform-ca/ca.pem", "/vault-secrets/vault-ca.pem"]
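A draft like this is full of cross-references (signedWith, storePass, keyPass, importcert, importpass, importcerts, secretReference value), and a reference that points at a key nobody generates only fails at reconcile time, leaving a keystore or cert chain half-built. The checker below is an added example, not code from the secret-agent project; it encodes the draft's own rules (type `ca` yields `ca.pem` and `ca-private.pem`, type `ssh` yields `id_rsa` and `id_rsa.pub`, other types yield the key's own name, references are `secret/key` with an optional leading slash) and reports every reference that resolves to neither a generated key nor a pre-existing secret you declare as external. The input is a constructed Python dict in the shape of the YAML, so no YAML library is needed; how the real controller resolves references is an assumption. Run against the subset of the draft embedded below it flags `/platform-ca-private/ca.pem` (the draft's CA private key is `platform-ca/ca-private.pem`) and `/ds/ssl-keypair` (the key pair is named `ssl-key-pair`), plus `/mysecret/mykey` unless that secret is declared external.

```python
"""Reference checker for a SecretAgentConfiguration in the proposed layout.

Added example, not secret-agent project code. Rules are taken from the
draft's comments; reference semantics are an assumption.
"""
from typing import Dict, FrozenSet, List, Set, Tuple

Ref = Tuple[str, str]  # (secret name, key name)

# Keys implicitly produced by a type, from the draft's comments.
IMPLICIT_KEYS: Dict[str, List[str]] = {
    "ca": ["ca.pem", "ca-private.pem"],
    "ssh": ["id_rsa", "id_rsa.pub"],
}

# Key-level spec fields whose value is a reference (draft's field names).
REF_FIELDS = ("signedWith", "storePass", "keyPass")


def parse_ref(ref: str) -> Ref:
    """Split '/secret/key' or 'secret/key' into (secret, key)."""
    parts = ref.strip("/").split("/", 1)
    if len(parts) != 2 or not all(parts):
        raise ValueError(f"malformed secret reference: {ref!r}")
    return parts[0], parts[1]


def produced_keys(config: dict) -> Set[Ref]:
    """Every (secret, key) pair the configuration would create."""
    out: Set[Ref] = set()
    for secret in config["spec"]["secrets"]:
        for key in secret["keys"]:
            for name in IMPLICIT_KEYS.get(key["type"], [key["name"]]):
                out.add((secret["name"], name))
    return out


def collect_refs(config: dict) -> List[Tuple[str, str]]:
    """(location, raw reference) for every reference-valued field, in document order."""
    refs: List[Tuple[str, str]] = []
    for secret in config["spec"]["secrets"]:
        for key in secret["keys"]:
            loc = f"{secret['name']}/{key['name']}"
            spec = key.get("spec", {})
            if key["type"] == "secretReference":
                refs.append((loc + ".value", spec["value"]))
            for field in REF_FIELDS:
                if field in spec:
                    refs.append((f"{loc}.{field}", spec[field]))
            for cert in spec.get("importcerts", []):
                refs.append((loc + ".importcerts", cert))
            for alias, cmd in spec.get("aliases", {}).items():
                for field in ("importcert", "importpass"):
                    if field in cmd:
                        refs.append((f"{loc}.aliases.{alias}.{field}", cmd[field]))
    return refs


def unresolved_refs(config: dict, external: FrozenSet[Ref] = frozenset()) -> List[Tuple[str, str]]:
    """References matching neither a key produced here nor one listed in `external`.

    `external` names secrets that already exist in the namespace (for example a
    vault-injected CA) and that this configuration is not expected to create.
    """
    known = produced_keys(config) | set(external)
    return [(loc, ref) for loc, ref in collect_refs(config) if parse_ref(ref) not in known]


# Constructed subset of the draft above; the literal values are the draft's own.
SAMPLE_CONFIG = {
    "apiVersion": "secret-agent.secrets.forgerock.io/v1alpha1",
    "kind": "SecretAgentConfiguration",
    "spec": {"secrets": [
        {"name": "platform-ca", "keys": [{"name": "ca", "type": "ca"}]},
        {"name": "ds-env-secrets", "keys": [
            {"name": "some-other-secret", "type": "secretReference",
             "spec": {"value": "/mysecret/mykey"}},
        ]},
        {"name": "ds", "keys": [
            {"name": "keystore.pin", "type": "password", "spec": {"length": 32}},
            {"name": "ssl-key-pair", "type": "keyPair",
             "spec": {"algorithm": "ECDSAWithSHA256", "commonName": "ds",
                      "signedWith": "/platform-ca/ca.pem"}},
            {"name": "master-key-pair", "type": "keyPair",
             "spec": {"algorithm": "SHA256WithRSA", "commonName": "master-key",
                      "signedWith": "/platform-ca-private/ca.pem"}},
            {"name": "keystore.p12", "type": "keytool",
             "spec": {"storeType": "p12", "storePass": "ds/keystore.pin",
                      "keyPass": "ds/keystore.pin",
                      "aliases": {"ca-cert": {"importcert": "/platform-ca/ca.pem"},
                                  "ssl-keypair": {"importcert": "/ds/ssl-keypair"}}}},
        ]},
    ]},
}

if __name__ == "__main__":
    # Treat /mysecret/mykey as pre-existing; everything else must be generated here.
    for loc, ref in unresolved_refs(SAMPLE_CONFIG, frozenset({("mysecret", "mykey")})):
        print(f"unresolved reference at {loc}: {ref}")
```

Running it as a pre-apply check (or in CI on the CRD manifest) turns a runtime reconcile failure into a lint error, and the `external` set is the explicit list of secrets the controller is allowed to depend on but not create.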