Install DevOps Secrets Safe

The DevOps Secrets Safe Kubernetes installation script performs several kubectl commands to insert data into the cluster and uses Helm v3 to install the application. In order for the application to run successfully, a cluster must exist and an Nginx Ingress Controller must be configured in the cluster. The installing user must provide BeyondTrust their DockerHub username in advance to be given permission to pull the required images.

Prerequisites

  1. A Kubernetes cluster running version 1.14, 1.15, 1.16, 1.17, 1.18, or 1.19 must be available to host the deployment.
  2. Install kubectl and configure it with full permissions to the cluster.
  3. Install Helm and initialize it with the appropriate Role-Based Access Control (RBAC).
  4. For the application to be reachable, an NGINX ingress controller must be configured in the cluster.
  5. The installing user must provide BeyondTrust their DockerHub username in advance so that they can be granted permission to pull the required images.

As a reference deployment, DevOps Secrets Safe has been tested on a three-node Kubernetes cluster, each with a minimum of 6GB of RAM.

Installation Instructions

The install.sh script is a bash entrypoint which installs DevOps Secrets Safe through a series of kubectl calls followed by a helm install call. Values in the values.yml file within the Helm chart are used as defaults for the install. The install.sh script itself accepts values through arguments, through environment variables, or interactively. Values passed as arguments take precedence over every other source, environment variables are used next, and finally any mandatory values still unset are requested interactively.

To see a list of accepted parameters, run the install script with --help.

./install.sh --help

If an installation does not complete successfully, run the uninstaller before running the installer again.

./install.sh --docker-hub-username docker-user --docker-hub-password dockerpass --docker-hub-email docker-user@beyondtrust.com --database-type postgres --connection-string 'Server=secretssafe.database.beyondtrust.com;Database=secrets-safe;Port=5432;User Id=postgresql-user@secretssafe;Password=postgresql-password;Ssl Mode=Require;'
./install.sh --docker-hub-username docker-user --docker-hub-password dockerpass --docker-hub-email docker-user@beyondtrust.com --database-type oracledb --connection-string 'User Id=oracleuser;Password=oraclepass;Data Source=10.10.10.10:1521/XE;'
./install.sh --docker-hub-username docker-user --docker-hub-password dockerpass --docker-hub-email docker-user@beyondtrust.com --database-type mssql --connection-string 'Server=10.10.10.10;Database=secrets-safe;User Id=sqluser;Password=sqlpass;'
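The prerequisites above pin the supported Kubernetes versions, and the three install commands show which keys each database type's connection string is expected to carry. The following pre-flight script is an added example written for this guide; it is not part of the BeyondTrust installer. It checks a Kubernetes server version against the 1.14 to 1.19 range and validates a connection string for the chosen --database-type before install.sh is run. The required-key lists are taken from the example connection strings on this page and are an assumption about what the installer needs, not an exhaustive list of what it accepts; the postgres check also insists on Ssl Mode=Require, as the postgres example does, so the database link is not left in plaintext.

```shell
#!/bin/sh
# preflight.sh: checks to run before ./install.sh for DevOps Secrets Safe.
# Added example for this guide; not part of the BeyondTrust installer.
set -u

# Minor versions of Kubernetes 1.x listed in the prerequisites.
SUPPORTED_MINORS="14 15 16 17 18 19"

# Returns 0 when a version such as "v1.18.3" or "1.19.0-gke.1" is supported.
check_k8s_version() {
    ver="${1#v}"                 # drop a leading "v"
    major="${ver%%.*}"           # text before the first dot
    rest="${ver#*.}"             # text after the first dot
    minor="${rest%%.*}"          # text before the next dot
    minor="${minor%%[!0-9]*}"    # strip suffixes such as "+" or "-eks"
    [ "$major" = "1" ] || return 1
    for m in $SUPPORTED_MINORS; do
        [ "$minor" = "$m" ] && return 0
    done
    return 1
}

# Returns 0 when every key named in $2.. appears in the ";"-separated
# key=value connection string $1 (key match is case-insensitive).
conn_has_keys() {
    conn="$1"; shift
    for key in "$@"; do
        printf '%s' "$conn" | grep -qiE "(^|;)[[:space:]]*${key}[[:space:]]*=" || return 1
    done
    return 0
}

# Returns 0 for a usable connection string, 1 for a missing key,
# 2 for a postgres string without Ssl Mode=Require, 3 for an unknown type.
# Key lists are an assumption derived from this guide's example commands.
validate_connection_string() {
    dbtype="$1"; conn="$2"
    case "$dbtype" in
        postgres)
            conn_has_keys "$conn" "Server" "Database" "Port" "User Id" "Password" || return 1
            printf '%s' "$conn" |
                grep -qiE "(^|;)[[:space:]]*Ssl Mode[[:space:]]*=[[:space:]]*Require" || return 2
            ;;
        oracledb)
            conn_has_keys "$conn" "User Id" "Password" "Data Source" || return 1
            ;;
        mssql)
            conn_has_keys "$conn" "Server" "Database" "User Id" "Password" || return 1
            ;;
        *)
            return 3
            ;;
    esac
    return 0
}

# main <k8s-server-version> <database-type> <connection-string>
main() {
    status=0
    if check_k8s_version "$1"; then
        echo "ok: Kubernetes $1 is a supported version"
    else
        echo "FAIL: Kubernetes $1 is outside the supported 1.14-1.19 range" >&2
        status=1
    fi
    rc=0
    validate_connection_string "$2" "$3" || rc=$?
    case "$rc" in
        0) echo "ok: $2 connection string has the expected keys" ;;
        1) echo "FAIL: $2 connection string is missing a required key" >&2; status=1 ;;
        2) echo "FAIL: postgres connection string must set Ssl Mode=Require" >&2; status=1 ;;
        *) echo "FAIL: unknown database type '$2' (postgres, oracledb or mssql)" >&2; status=1 ;;
    esac
    return "$status"
}

# Usage: ./preflight.sh <server-version> <database-type> '<connection-string>'
# The server version is the serverVersion.gitVersion field of "kubectl version -o json".
if [ "$#" -eq 3 ]; then
    main "$@"
fi
```

Run the script with the same connection string you intend to hand to install.sh; a non-zero exit means the install would be starting from an unsupported cluster or an incomplete database configuration. Note that the example commands above place the DockerHub password and the database password on the command line, where they are visible in shell history and process listings; since the installer also accepts environment variables and interactive input, prefer one of those for the password-bearing values.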

Once the application is installed, a means to access it is also required. Currently DevOps Secrets Safe is compatible with the NGINX Ingress controller.

Upgrade Instructions

To upgrade an existing DevOps Secrets Safe installation on a cluster, run the install script with the --upgrade parameter. This preserves all custom values entered for the release. Additional value overrides may be supplied during the upgrade either as additional parameters or by modifying the values file before upgrading and passing the --values-from-file flag.

./install.sh --upgrade

Installing with a Certificate

The DevOps Secrets Safe application uses both client facing and internal application certificates to maximize the security of the application. The following sections describe their usage and purpose.

Client Facing Certificates

The DevOps Secrets Safe application always serves over an HTTPS connection. By default, the standard Kubernetes self-signed certificate is used.

If you wish to supply a custom certificate for an instance of DevOps Secrets Safe, you must provide your certificate to the cluster before installing and supply the certificate name for the install either through installer arguments or values file entries.

If using the values file, modify the following in the values.yml file:

  • Set ingress.certificateSecretName to ${CERT_SECRET_NAME}.
  • Set ingress.host to the hostname you wish to use to refer to the ingress.

If using the installer arguments, those values may be supplied using --ingress-cert-secret-name and --ingress-hostname arguments.

In order to provide your chosen certificate to the cluster use the following command:

kubectl create secret tls ${CERT_SECRET_NAME} --key ${KEY_FILE} --cert ${CERT_FILE}

If you do not wish to supply a custom certificate but you do want the feature of hostname-based routing, you may leave the certificateSecretName value blank but fill in the preferred ingress hostname.
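The kubectl create secret tls command above accepts any key and certificate files without checking that they belong together, that the certificate is still valid, or that it covers the hostname set in ingress.host. The script below is an added example written for this guide, not part of the BeyondTrust installer: it runs those checks with openssl and only then issues the same kubectl command. It assumes the DSS install namespace is passed as the fourth argument (an Ingress can only reference TLS secrets in its own namespace), that OpenSSL 1.1.1 or later is installed for the -ext subjectAltName query, and the hostname check is exact, so wildcard certificates need a manual look.

```shell
#!/bin/sh
# create_tls_secret.sh: sanity-check a certificate/key pair, then create the
# Kubernetes TLS secret referenced by ingress.certificateSecretName.
# Added example for this guide; not part of the BeyondTrust installer.
set -u

# Kubernetes Secret names must be DNS-1123 subdomains: lowercase alphanumerics,
# '-' and '.', each label starting and ending alphanumeric, at most 253 chars.
valid_secret_name() {
    name="$1"
    [ -n "$name" ] && [ "${#name}" -le 253 ] || return 1
    printf '%s' "$name" |
        grep -qE '^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$'
}

# 0 when certificate $1 and private key $2 carry the same public key.
cert_matches_key() {
    cert_pub="$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)" || return 1
    key_pub="$(openssl pkey -in "$2" -pubout 2>/dev/null)" || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# 0 when certificate $1 stays valid for at least $2 seconds (default 30 days).
cert_not_expiring() {
    openssl x509 -in "$1" -noout -checkend "${2:-2592000}" >/dev/null 2>&1
}

# 0 when the subjectAltName extension of $1 lists hostname $2 as a DNS entry.
# Exact match only; wildcard certificates need a manual check (assumption: OpenSSL >= 1.1.1).
cert_covers_host() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null |
        grep -qE "DNS:$2(,|\$)"
}

# create_tls_secret <secret-name> <key-file> <cert-file> [namespace] [ingress-hostname]
create_tls_secret() {
    secret="$1"; key_file="$2"; cert_file="$3"; ns="${4:-default}"; host="${5:-}"
    valid_secret_name "$secret" || { echo "invalid secret name: $secret" >&2; return 1; }
    [ -r "$key_file" ] && [ -r "$cert_file" ] ||
        { echo "key or certificate file is not readable" >&2; return 1; }
    if command -v openssl >/dev/null 2>&1; then
        cert_matches_key "$cert_file" "$key_file" ||
            { echo "certificate and key do not match" >&2; return 1; }
        cert_not_expiring "$cert_file" ||
            { echo "certificate is expired or expires within 30 days" >&2; return 1; }
        if [ -n "$host" ]; then
            cert_covers_host "$cert_file" "$host" ||
                { echo "certificate SAN does not list $host" >&2; return 1; }
        fi
    else
        echo "openssl not found; skipping certificate checks" >&2
    fi
    # The guide's command, with the namespace made explicit: an Ingress can only
    # reference TLS secrets in its own namespace, so use the DSS install namespace.
    kubectl create secret tls "$secret" --key "$key_file" --cert "$cert_file" --namespace "$ns"
}

# Usage: ./create_tls_secret.sh "$CERT_SECRET_NAME" "$KEY_FILE" "$CERT_FILE" "$KUBERNETES_NAMESPACE" ingress.example.com
if [ "$#" -ge 3 ]; then
    create_tls_secret "$@"
fi
```

Pass the same value you give to --ingress-cert-secret-name (or ingress.certificateSecretName) as the secret name and the --ingress-hostname value as the last argument; a rejected pair never reaches kubectl, so a mismatched or expiring certificate is caught before the ingress starts serving it.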

Internal Application Certificates

The DevOps Secrets Safe application leverages an internal set of certificates signed by the cluster's Certificate Authority to enhance security. These certificates have a duration governed by the configuration of the cluster (many clusters default to one year).

In order to renew these certificates you can run the following command:

<installer_directory>/install.sh --rotate-certificates --namespace ${KUBERNETES_NAMESPACE}

Renewing these certificates will not interrupt normal operations.

For more information, please see the section on Certificates for instructions on how to mount custom certificates in a DevOps Secrets Safe installation.

Uninstall Instructions

To remove a DevOps Secrets Safe installation from a cluster, run the uninstall script. The uninstall script removes all DSS data, containers, secrets, etc. from the cluster. This does not include removing the database.

./uninstall.sh