Install DevOps Secrets Safe
The DevOps Secrets Safe Kubernetes installation script performs several kubectl commands to insert data into the cluster and uses Helm v3 to install the application. In order for the application to run successfully, a cluster must exist and an NGINX Ingress Controller must be configured in the cluster. The installing user must provide BeyondTrust their DockerHub username in advance to be given permission to pull the required images.
- Installation Instructions
- Upgrade Instructions
- Installing with a Certificate
- Uninstall Instructions
- A Kubernetes cluster running version 1.14, 1.15, 1.16, 1.17, 1.18, 1.19, or 1.20 must be available to host the deployment.
- Install kubectl and configure it with full permissions to the cluster. The version of kubectl must be within one minor version of the cluster (above or below).
- Install Helm v3 and initialize with the appropriate Role-Based Access Control (RBAC).
- In order for the application to be reachable, an NGINX ingress controller must be configured in the cluster.
- The installing user must provide BeyondTrust their DockerHub username in advance in order for them to be given permission to pull the required images.
As a reference deployment, DevOps Secrets Safe has been tested on a three-node Kubernetes cluster, each with a minimum of 7GB of RAM.
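The prerequisites above can be checked before running the installer. The following script is an added example, not part of the BeyondTrust tooling: the function names are hypothetical, and the `app.kubernetes.io/name=ingress-nginx` label used to locate the controller is an assumption about how the controller was deployed.

```shell
#!/usr/bin/env bash
# Added example: pre-flight checks for the prerequisites listed on this page.

# Print the minor number of a version such as v1.19.7 or 1.20.4-gke.100.
minor_of() {
  local v="${1#v}"
  v="${v#*.}"                      # drop the major component
  printf '%s\n' "${v%%[!0-9]*}"    # keep only the leading digits
}

# Extract gitVersion values (client first, then server) from the output of
# `kubectl version -o json` read on stdin.
git_versions() { sed -n 's/.*"gitVersion": *"\([^"]*\)".*/\1/p'; }

# Supported cluster versions per the page: 1.14 through 1.20.
cluster_supported() {
  local m
  case "${1#v}" in 1.*) ;; *) return 1 ;; esac
  m="$(minor_of "$1")"
  [ -n "$m" ] && [ "$m" -ge 14 ] && [ "$m" -le 20 ]
}

# kubectl must be within one minor version of the cluster, above or below.
skew_ok() {
  local c s d
  c="$(minor_of "$1")"; s="$(minor_of "$2")"
  [ -n "$c" ] && [ -n "$s" ] || return 1
  d=$(( c - s ))
  [ "${d#-}" -le 1 ]
}

helm_is_v3() { case "$1" in v3.*) return 0 ;; *) return 1 ;; esac; }

preflight() {
  local vers client server rc=0
  vers="$(kubectl version -o json | git_versions)"
  client="$(printf '%s\n' "$vers" | sed -n 1p)"
  server="$(printf '%s\n' "$vers" | sed -n 2p)"
  cluster_supported "$server" || { echo "FAIL: cluster '$server' is outside 1.14-1.20"; rc=1; }
  skew_ok "$client" "$server" || { echo "FAIL: kubectl '$client' is more than one minor version from '$server'"; rc=1; }
  helm_is_v3 "$(helm version --short 2>/dev/null)" || { echo "FAIL: Helm v3 not found"; rc=1; }
  [ "$(kubectl auth can-i '*' '*' --all-namespaces 2>/dev/null)" = "yes" ] || { echo "FAIL: current user lacks full cluster permissions"; rc=1; }
  # Assumption: controller pods carry the label set by the ingress-nginx chart.
  kubectl get pods --all-namespaces -l app.kubernetes.io/name=ingress-nginx --no-headers 2>/dev/null | grep -q . ||
    echo "WARN: no NGINX ingress controller pods found by label; verify manually"
  return "$rc"
}

if [ "${1:-}" = "run" ]; then preflight; fi
```

Invoke the script with the argument `run` to execute the checks against the current kubectl context; a non-zero exit status means at least one prerequisite failed.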
The install.sh script is a bash entrypoint which installs DevOps Secrets Safe through a series of kubectl calls followed by a helm install call. Values in the file values.yml within the Helm chart are used as defaults for the install. The install.sh script itself can be supplied with values through arguments, through environment variables, or interactively. Values passed as arguments take precedence over all other sources, followed by environment variables; any mandatory values still unset are requested interactively.
To see a list of accepted parameters, run the install script with --help.
If an installation does not complete successfully, run the uninstaller before running the installer again.
./install.sh --docker-hub-username docker-user --docker-hub-password dockerpass --docker-hub-email firstname.lastname@example.org --database-type postgres --connection-string 'Server=secretssafe.database.beyondtrust.com;Database=secrets-safe;Port=5432;User Id=postgresql-user@secretssafe;Password=postgresql-password;Ssl Mode=Require;'
./install.sh --docker-hub-username docker-user --docker-hub-password dockerpass --docker-hub-email email@example.com --database-type oracledb --connection-string 'User Id=oracleuser;Password=oraclepass;Data Source=10.10.10.10:1521/XE;'
./install.sh --docker-hub-username docker-user --docker-hub-password dockerpass --docker-hub-email firstname.lastname@example.org --database-type mssql --connection-string 'Server=10.10.10.10;Database=secrets-safe;User Id=sqluser;Password=sqlpass;'
Once the application is installed, a means to access it is also required. Currently DevOps Secrets Safe is compatible with the NGINX Ingress controller.
To upgrade an existing DevOps Secrets Safe installation in a cluster, run the install script with the --upgrade parameter. This preserves all custom values entered for the release. Additional value overrides may be specified during the upgrade, either with additional parameters or by modifying the values file prior to the upgrade and specifying the --values-from-file flag.
Please see Certificates and DevOps Secrets Safe for instructions on how to mount a custom certificate in a Secrets Safe installation.
To remove a DevOps Secrets Safe installation from a cluster, run the uninstall script. The uninstall script removes all DSS data, containers, secrets, etc. from the cluster. This does not include removing the database.