Install DevOps Secrets Safe

The DevOps Secrets Safe Kubernetes installation script runs several kubectl commands to insert data into the cluster and uses Helm v2 to install the application. For the application to run successfully, a cluster must already exist and an Nginx Ingress Controller must be configured in it. The installing user must provide BeyondTrust with their DockerHub username in advance so that the account can be granted permission to pull the required images.

Prerequisites

  1. Kubernetes cluster running version 1.13, 1.14, or 1.15, available to host the deployment.*
  2. Install Kubectl and configure it with full permissions to the cluster
  3. Install Helm 2 and initialize it with the appropriate Role-Based Access Control (RBAC)

For more information on installing Kubectl for Linux, please see Install Kubectl on Linux.

For more information on installing Helm 2, please see Install Helm.

*As a reference deployment, DevOps Secrets Safe has been tested on a three-node Kubernetes cluster, each with a minimum of 6 GB of RAM.

Installation Instructions

The install.sh script can be run interactively or alternatively can be called with parameters to supply the required values. Any values not specified as parameters will be requested interactively.

To see a list of accepted parameters, run the install script with --help.

./install.sh --help

The following is an example of installing DevOps Secrets Safe using a PostgreSQL database.

./install.sh --docker-hub-username docker-user --docker-hub-password dockerpass --docker-hub-email docker-user@beyondtrust.com --database-type postgres --connection-string 'Server=secretssafe.database.beyondtrust.com;Database=secrets-safe;Port=5432;User Id=postgresql-user@secretssafe;Password=postgresql-password;Ssl Mode=Require;'

The following is an example of installing DevOps Secrets Safe using an Oracle database.

./install.sh --docker-hub-username docker-user --docker-hub-password dockerpass --docker-hub-email docker-user@beyondtrust.com --database-type oracledb --connection-string 'User Id=oracleuser;Password=oraclepass;Data Source=10.10.10.10:1521/XE;'

Uninstall Instructions

To remove a DevOps Secrets Safe installation from a cluster, run the uninstall script. The uninstall script removes all DSS data, containers, secrets, etc. from the cluster. It does not remove the database.

./uninstall.sh

If an installation did not complete successfully, it is recommended to run the uninstaller before running the installer again.

Install Certificates

The Secrets-Safe application will always serve over an HTTPS connection. By default, the standard Kubernetes self-signed certificate will be used.

If you wish to supply a custom certificate for an instance of DevOps Secrets Safe, you must modify values.yml and provide your certificate to the cluster before installing.

Modify the following in the values.yml:

  1. Change the ingress.suppliedCertificate value to true
  2. Change the ingress.host to the hostname you wish to use to refer to the ingress

To provide your chosen certificate to the cluster, use the following command:

kubectl create secret tls ss-ingress-tls-secret --key ${KEY_FILE} --cert ${CERT_FILE}

If you do not wish to supply a custom certificate but you do want the feature of hostname-based routing, then you may leave the suppliedCertificate value as false but fill in the preferred ingress hostname.
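The following pre-flight script, added here as an example and not one of the DSS install scripts, checks the prerequisites and certificate setup described above before install.sh is run. It assumes Tiller was deployed to kube-system by helm init, that values.yml is in the current directory, and that ingress controller pods carry the app=nginx-ingress label applied by the stable chart.

```shell
#!/bin/sh
# Added pre-flight check, not part of the DSS install scripts. Verifies the
# prerequisites above before install.sh is run. Assumes Tiller lives in
# kube-system and the TLS secret name ss-ingress-tls-secret from the
# certificate section; values.yml is read from the current directory.

# 0 when a kubectl server "gitVersion" (e.g. v1.14.8-gke.12) is 1.13, 1.14 or 1.15.
supported_k8s_version() {
    minor=$(printf '%s' "$1" | sed -n 's/^v\{0,1\}1\.\([0-9][0-9]*\).*/\1/p')
    case "$minor" in
        13|14|15) return 0 ;;
        *) return 1 ;;
    esac
}

# 0 when a "helm version -c" line reports a Helm 2.x client (the chart needs 2.X).
helm_is_v2() {
    case "$1" in
        *'SemVer:"v2.'*) return 0 ;;
        *) return 1 ;;
    esac
}

preflight() {
    rc=0
    server=$(kubectl version --short 2>/dev/null | sed -n 's/^Server Version: //p')
    supported_k8s_version "$server" && echo "ok   cluster $server" \
        || { echo "FAIL cluster version '$server' not 1.13/1.14/1.15"; rc=1; }
    helm_is_v2 "$(helm version -c 2>/dev/null)" && echo "ok   helm 2 client" \
        || { echo "FAIL Helm 2 client not found"; rc=1; }
    # helm init with RBAC must have deployed Tiller before the chart can install.
    kubectl -n kube-system get deploy tiller-deploy >/dev/null 2>&1 && echo "ok   tiller" \
        || { echo "FAIL tiller-deploy missing in kube-system (run helm init)"; rc=1; }
    # Assumed label: app=nginx-ingress is what the stable chart applies to its pods.
    kubectl get pods --all-namespaces -l app=nginx-ingress 2>/dev/null | grep -q nginx-ingress \
        && echo "ok   nginx ingress controller" \
        || { echo "FAIL no nginx-ingress pods found"; rc=1; }
    # ingress.suppliedCertificate: true requires the TLS secret to exist first.
    if grep -q 'suppliedCertificate: *true' values.yml 2>/dev/null; then
        kubectl get secret ss-ingress-tls-secret >/dev/null 2>&1 && echo "ok   tls secret" \
            || { echo "FAIL ss-ingress-tls-secret missing"; rc=1; }
    fi
    return $rc
}

# Run the checks only when invoked as: sh preflight.sh run
if [ "${1:-}" = run ]; then preflight; fi
```

A non-zero exit from preflight means at least one prerequisite is missing; fix the reported item before running install.sh.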

Upgrade Instructions

To upgrade DevOps Secrets Safe, first perform an uninstall, then perform an installation using the install script from the new deployment.

Additional Notes - Helm

Currently the DevOps Secrets Safe Helm chart is compatible with version 2.X only.

Additional Notes - Nginx Ingress Installation

Currently the DevOps Secrets Safe application is compatible with the Nginx Ingress Controller.

If you wish to install this ingress controller from the official Helm chart for a bare-metal deployment, the following command may be run:

helm install stable/nginx-ingress --namespace kube-system --set controller.hostNetwork=true --version v1.24.5 --set rbac.create=true --set controller.kind=DaemonSet -n nginx-ingress

If you wish to install this ingress controller from the official Helm chart for a cloud deployment, the following command may be run:

helm install stable/nginx-ingress --namespace kube-system --set controller.replicaCount=3 --version v1.24.5 -n nginx-ingress --set controller.service.externalTrafficPolicy=Local

The --set controller.service.externalTrafficPolicy=Local option is added to the Helm install command for safelist enforcement purposes. It enables client source IP preservation for requests to containers in your cluster, so the safelist sees the real client address rather than the node's. If you are not planning on using safelist enforcement, this option can be excluded.