Install DevOps Secrets Safe

The DevOps Secrets Safe Kubernetes installation script performs several kubectl commands to insert data into the cluster and uses Helm v3 to install the application. In order for the application to run successfully, a cluster must exist and an Nginx Ingress Controller must be configured in the cluster. The installing user must provide BeyondTrust their DockerHub username in advance to be given permission to pull the required images.

Prerequisites

  1. A Kubernetes cluster running version 1.14, 1.15, 1.16, 1.17, 1.18, 1.19, or 1.20 must be available to host the deployment.
  2. Install kubectl and configure it to allow full permissions to the cluster. The version of kubectl must be within one minor version of the cluster (above or below).
  3. Install Helm v3 and initialize with the appropriate Role-Based Access Control (RBAC).
  4. In order for the application to be reachable, an NGINX ingress controller must be configured in the cluster.
  5. The installing user must provide BeyondTrust their DockerHub username in advance in order for them to be given permission to pull the required images.

For more information, please see the following:

As a reference deployment, DevOps Secrets Safe has been tested on a three-node Kubernetes cluster, each with a minimum of 7GB of RAM.
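
The version constraints in prerequisites 1 to 3 can be checked before the installer is run. The script below is an added example, not part of the BeyondTrust install scripts; its function names and the three-argument calling convention are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example: pre-flight version checks for prerequisites 1-3.
# Function names are hypothetical; they are not part of install.sh.

# Supported cluster minor versions, as listed in prerequisite 1.
SUPPORTED_MINORS="14 15 16 17 18 19 20"

# Print the minor number of a version string such as "v1.19.3" or "1.20+".
minor_of() {
  local v="${1#v}"               # drop a leading "v"
  v="${v#*.}"                    # drop the major component
  v="${v%%.*}"                   # keep text up to the next dot
  printf '%s\n' "${v%%[!0-9]*}"  # strip suffixes such as "+"
}

# Succeed if the major version of a string such as "v3.5.2+g167aac7" equals $2.
major_is() {
  local v="${1#v}"
  [ "${v%%.*}" = "$2" ]
}

# Succeed if the cluster version is 1.x with a minor in the supported list.
cluster_supported() {
  major_is "$1" 1 || return 1
  local m; m="$(minor_of "$1")"
  case " $SUPPORTED_MINORS " in *" $m "*) return 0 ;; *) return 1 ;; esac
}

# Succeed if kubectl ($1) is within one minor version of the cluster ($2).
skew_ok() {
  local c s d
  c="$(minor_of "$1")"; s="$(minor_of "$2")"
  [ -n "$c" ] && [ -n "$s" ] || return 1
  d=$(( c - s ))
  [ "${d#-}" -le 1 ]
}

# preflight <kubectl version> <cluster version> <helm version>
preflight() {
  local rc=0
  cluster_supported "$2" || { echo "cluster $2 is not a supported version" >&2; rc=1; }
  skew_ok "$1" "$2"      || { echo "kubectl $1 is more than one minor from $2" >&2; rc=1; }
  major_is "$3" 3        || { echo "helm $3 is not Helm v3" >&2; rc=1; }
  return "$rc"
}

# Example: ./preflight.sh v1.19.3 v1.20.1 "$(helm version --short)"
if [ "$#" -eq 3 ]; then preflight "$@"; fi
```

The kubectl and cluster versions are passed in as strings so the checks can be run against values recorded from any environment; the NGINX ingress controller and DockerHub access prerequisites are not covered.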

Installation Instructions

The install.sh script is a bash entrypoint which installs DevOps Secrets Safe through a series of kubectl calls followed by a helm install call. Values in the file values.yml within the helm chart are used as defaults for the install. The install.sh script itself can be supplied with values through arguments, through environment variables, or interactively. Values passed as arguments override any other form, environment variables are used next, and any mandatory values not otherwise specified are requested interactively.

To see a list of accepted parameters, run the install script with --help.

./install.sh --help

If an installation does not complete successfully, run the uninstaller before running the installer again.

./install.sh --docker-hub-username docker-user --docker-hub-password dockerpass --docker-hub-email docker-user@beyondtrust.com --database-type postgres --connection-string 'Server=secretssafe.database.beyondtrust.com;Database=secrets-safe;Port=5432;User Id=postgresql-user@secretssafe;Password=postgresql-password;Ssl Mode=Require;'
./install.sh --docker-hub-username docker-user --docker-hub-password dockerpass --docker-hub-email docker-user@beyondtrust.com --database-type oracledb --connection-string 'User Id=oracleuser;Password=oraclepass;Data Source=10.10.10.10:1521/XE;'
./install.sh --docker-hub-username docker-user --docker-hub-password dockerpass --docker-hub-email docker-user@beyondtrust.com --database-type mssql --connection-string 'Server=10.10.10.10;Database=secrets-safe;User Id=sqluser;Password=sqlpass;'

Once the application is installed, a means to access it is also required. Currently DevOps Secrets Safe is compatible with the NGINX Ingress controller.

Upgrade Instructions

To upgrade an existing DevOps Secrets Safe installation in a cluster, run the install script with the --upgrade parameter. This preserves all custom values entered for the release. Additional value overrides may be specified during the upgrade, either with additional parameters or by modifying the values file prior to the upgrade and specifying the --values-from-file flag.

./install.sh --upgrade

Installing with a Certificate

Please see Certificates and DevOps Secrets Safe for instructions on how to mount a custom certificate in a Secrets Safe installation.

Uninstall Instructions

To remove a DevOps Secrets Safe installation from a cluster, run the uninstall script. The uninstall script removes all DSS data, containers, secrets, etc. from the cluster. This does not include removing the database.

./uninstall.sh