secret agent proposed format
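---
# Proposed SecretAgentConfiguration format (draft). Secret/key references
# are written as a path `/<secret-name>/<key-name>` throughout this document.
apiVersion: secret-agent.secrets.forgerock.io/v1alpha1
kind: SecretAgentConfiguration
metadata:
  name: platform-secrets
  namespace: warren  # secret-agent CRD is namespaced
spec:
  appConfig:
    createKubernetesObjects: true  # true if we should create k8s Secrets
    retainSecrets: true  # retain secrets if the CRD is deleted. Not implemented
    secretsManager: none  # none, AWS, or GCP
    # gcpProjectID: example-projectID
    # awsRegion: example-region
    # azureVaultName: example-vault
  secrets:
    # A platform CA is used for mTLS within a deployment and to sign
    # other certs in the platform.
    - name: platform-ca
      keys:
        # The type `ca` implicitly generates public and private secrets.
        # The following secret + keys will exist in the namespace
        # and can be referenced directly:
        #   platform-ca/ca.pem
        #   platform-ca/ca-private.pem
        - name: ca
          type: ca

    # Example of generating SSH keys
    - name: amster-ssh
      keys:
        # The type "ssh" will generate a keypair for ssh. This results in the
        # following secrets + keys:
        #   amster-ssh/id_rsa
        #   amster-ssh/id_rsa.pub
        - name: id_rsa
          type: ssh

    ## Secrets for the directory server
    - name: ds-env-secrets
      keys:
        - name: dirmanager.pw
          type: password
          # Note that types always have a spec which is unique to the type
          spec:
            length: 32
        # Example of a literal password.
        # A `literal` value is stored in plaintext in this manifest (and in
        # VCS wherever the manifest is committed); prefer a generated
        # `password` or a `secretReference` for anything non-trivial.
        - name: monitor.pw
          type: literal
          spec:
            value: prometheus
        # A secret populated from an existing secret
        - name: some-other-secret
          type: secretReference
          spec:
            # value is the path including the secret name (in this namespace) and the key.
            # This is a json path expression
            value: /mysecret/mykey

    - name: ds
      keys:
        - name: keystore.pin
          type: password
          spec:
            length: 32
        - name: ssl-key-pair
          type: keyPair
          spec:
            algorithm: ECDSAWithSHA256
            commonName: ds
            sans:
              - "*.ds"
              - "*.ds-idrepo"
              - "*.ds-cts"
            # json path to a secret + key.
            # NOTE(review): signing requires the CA private key
            # (platform-ca/ca-private.pem above); confirm whether the
            # controller resolves it from the certificate path or whether
            # the private key path must be given here.
            signedWith: /platform-ca/ca.pem
        - name: master-key-pair
          type: keyPair
          spec:
            algorithm: SHA256WithRSA
            commonName: master-key
            # Same CA as ssl-key-pair; platform-ca is the only CA defined in this file.
            signedWith: /platform-ca/ca.pem
        # Keystore example. Mirrors the keytool command
        # See https://docs.oracle.com/en/java/javase/14/docs/specs/man/keytool.html
        - name: keystore.p12
          type: keytool
          spec:
            storeType: p12
            # Note: storePass and keyPass are secret references (same path form as elsewhere).
            storePass: /ds/keystore.pin
            keyPass: /ds/keystore.pin
            # Aliases is a map of names, and the spec on how to generate the alias.
            # Paths match the key names defined on the `ds` secret above.
            aliases:
              ca-cert:
                importcert: "/platform-ca/ca.pem"
              ssl-key-pair:
                importcert: "/ds/ssl-key-pair"
              master-key-pair:
                importcert: "/ds/master-key-pair"

    # AM secret files that get mounted.
    - name: am-passwords
      keys:
        - name: .keypass
          type: password
          spec:
            length: 32
        - name: .storepass
          type: password
          spec:
            length: 32

    - name: am-keystore
      keys:
        - name: keystore.jceks
          type: keytool
          spec:
            storeType: jceks
            storePass: /mysecret/mykey  # this is a secret reference
            keyPass: /mysecret/mykey
            # aliases. Only a subset of keytool commands are supported.
            aliases:
              rsajwtsigningkey:
                # These are essentially the arguments to the keytool -genkeypair command
                genkeypair: ["-keyalg", "RSA", "-keysize", "2048", "-validity", "7300"]
              ec256test:
                genkeypair: ["-keyalg", "EC", "-sigalg", "SHA256withECDSA", "-dname", "CN=ForgeRock", "-keysize", "256"]
              hmacsigningtest:
                genseckey: ["-keyalg", "HMacSHA512", "-keysize", "512"]
              # Alternative using arrays (kept for discussion). A sequence cannot
              # sit directly inside the `aliases` mapping, so it is commented out
              # to keep this document parseable:
              #   - name: hmacsigning
              #     cmd: genkeypair
              #     args: ["-keyalg", "HMacSHA512", "-keysize", "512"]
              #   - name: configstorepwd
              #     cmd: importpass
              #     path: /mysecret/mykey
              # Example of importing a password into keytool
              configstorepwd:
                importpass: /mysecret/mykey
              my-imported-cert:
                # This is the "escape hatch" to import other certs, CA signed certs, etc.
                importcert: /truststore/ca.pem

    # Type truststore creates a java truststore. Implicitly imports
    # the system truststore in /etc/ and concatenates our certs.
    - name: truststore
      keys:
        - name: truststore
          type: truststore
          spec:
            importcerts: ["/platform-ca/ca.pem", "/vault-secrets/vault-ca.pem"]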