Install DevOps Secrets Safe

The DevOps Secrets Safe Kubernetes installation script performs several kubectl commands to insert data into the cluster and uses Helm v3 to install the application. In order for the application to run successfully, a cluster must exist and an Nginx Ingress Controller must be configured in the cluster. The installing user must provide BeyondTrust their DockerHub username in advance to be given permission to pull the required images.

Prerequisites

  1. Kubernetes cluster with version 1.13, 1.14, 1.15, 1.16, or 1.17 available to host the deployment.
  2. Install kubectl and configure it with full permissions to the cluster.
  3. Install Helm and initialize with the appropriate Role-Based Access Control (RBAC).

As a reference deployment, DevOps Secrets Safe has been tested on a three-node Kubernetes cluster, each with a minimum of 6GB of RAM.
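
The prerequisites above can be checked before running the installer. The following is an added example, not part of install.sh or any BeyondTrust tooling; the function names are illustrative. It assumes that `kubectl version -o json` prints pretty-printed JSON and that the ingress controller was installed with the release name and namespace used in the Helm commands later on this page.

```shell
#!/bin/sh
# Added example: pre-flight checks for the prerequisites listed on this page.
# Function names are illustrative; they are not part of install.sh.

# Succeeds if VERSION (e.g. "v1.16.3" or "1.17.4-gke.1") is Kubernetes 1.13-1.17.
k8s_version_supported() {
    v=${1#v}
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%[!0-9]*}
    [ "$major" = "1" ] && [ -n "$minor" ] && [ "$minor" -ge 13 ] && [ "$minor" -le 17 ]
}

# Succeeds if the `helm version --short` output is Helm v3 ("v3.2.1+gfe51cd1").
# Helm v2 prints "Client: v2.x.y+g..." for the same command and is rejected.
helm_is_v3() {
    case "$1" in
        v3.*) return 0 ;;
        *)    return 1 ;;
    esac
}

# Server gitVersion from pretty-printed `kubectl version -o json` output on stdin.
server_version_from_json() {
    sed -n '/"serverVersion"/,/}/p' | sed -n 's/.*"gitVersion": *"\([^"]*\)".*/\1/p'
}

preflight() {
    rc=0
    sv=$(kubectl version -o json 2>/dev/null | server_version_from_json)
    k8s_version_supported "$sv" || { echo "unsupported or unreachable cluster: '$sv'" >&2; rc=1; }
    helm_is_v3 "$(helm version --short 2>/dev/null)" || { echo "Helm v3 not found" >&2; rc=1; }
    # Release name and namespace as used in this page's Nginx Ingress commands.
    helm status nginx-ingress --namespace kube-system >/dev/null 2>&1 \
        || { echo "nginx-ingress release not found in kube-system" >&2; rc=1; }
    return "$rc"
}

# Run the checks only when asked, e.g.: sh preflight.sh --check && ./install.sh
if [ "${1:-}" = "--check" ]; then preflight; fi
```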

Installation Instructions

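The install.sh script can be run interactively, or it can be called with parameters that supply the required values. Any values not specified as parameters will be requested interactively. Values passed as parameters, such as the DockerHub password and the connection string, end up in shell history and the process list; omit them to be prompted instead.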

To see a list of accepted parameters, run the install script with --help.

./install.sh --help

If an installation does not complete successfully, run the uninstaller before running the installer again.

 

./install.sh --docker-hub-username docker-user --docker-hub-password dockerpass --docker-hub-email docker-user@beyondtrust.com --database-type postgres --connection-string 'Server=secretssafe.database.beyondtrust.com;Database=secrets-safe;Port=5432;User Id=postgresql-user@secretssafe;Password=postgresql-password;Ssl Mode=Require;'

 

./install.sh --docker-hub-username docker-user --docker-hub-password dockerpass --docker-hub-email docker-user@beyondtrust.com --database-type oracledb --connection-string 'User Id=oracleuser;Password=oraclepass;Data Source=10.10.10.10:1521/XE;'

 

./install.sh --docker-hub-username docker-user --docker-hub-password dockerpass --docker-hub-email docker-user@beyondtrust.com --database-type mssql --connection-string 'Server=10.10.10.10;Database=secrets-safe;User Id=sqluser;Password=sqlpass;'

Upgrade Instructions

To upgrade DevOps Secrets Safe, first perform an uninstall, then install again using the install script from the new deployment.

Uninstall Instructions

To remove a DevOps Secrets Safe installation from a cluster, run the uninstall script. The uninstall script will remove all DSS data, containers, secrets, etc. from the cluster. This does not include removing the database.

./uninstall.sh

Additional Notes - Nginx Ingress Installation

Currently the DevOps Secrets Safe application is compatible with the Nginx Ingress Controller.

If you wish to install this ingress controller from the official Helm chart for an on-premise deployment, the following command may be run:

helm install nginx-ingress stable/nginx-ingress --version v1.24.5 --namespace kube-system --set controller.hostNetwork=true --set rbac.create=true --set controller.kind=DaemonSet

If you wish to install this ingress controller from the official Helm chart for a cloud deployment, the following command may be run:

helm install nginx-ingress stable/nginx-ingress --version v1.24.5 --namespace kube-system --set controller.replicaCount=3 --set controller.service.externalTrafficPolicy=Local

The --set controller.service.externalTrafficPolicy=Local option is added to the Helm install command for safelist enforcement purposes. This will enable client source IP preservation for requests to containers in your cluster. If you do not plan to use safelist enforcement, this option can be excluded.