Install DevOps Secrets Safe on the Server
To install DevOps Secrets Safe, review the prerequisites, and then run the install script, as detailed below. Instructions to upgrade and uninstall are also noted below.
- Kubernetes cluster with version 1.14, 1.15, 1.16, 1.17. 1.18, 1.19, or 1.20 must be available to host the deployment.
- Install kubectl and configure to allow full permissions to the cluster. The version of kubectl must be within one minor version of the cluster (above or below).
- Install Helm v3 and initialize with the appropriate Role-Based Access Control (RBAC).
- In order for the application to be reachable, configure an NGINX ingress controller in the cluster.
- Provide BeyondTrust the DockerHub username of the installing user, for them to be given permission to pull the required images.
As a reference deployment, DevOps Secrets Safe has been tested on a three-node Kubernetes cluster, each with a minimum of 7GB of RAM.
The following information provides details on supported database providers and any privileges required by the DevOps Secrets Safe database user.
DevOps Secrets Safe currently supports Postgres 11+.
Minimum version: 11
The user specified in the DevOps Secrets Safe database connection string requires special privileges:
- CREATEDB (Unless the initial run of DevOps Secrets Safe points to a pre-existing database)
- CREATE (On the database DevOps Secrets Safe uses)
The install.sh script is a bash entry point that installs DevOps Secrets Safe through a series of kubectl calls and then a helm install call. Values in the file values.yml within the helm chart are the defaults for the install. The install.sh script itself can be supplied with values through arguments or environment variables, or interactively. Values passed by arguments override any other form, then environment variables are accepted, and finally, mandatory values not specified otherwise are requested interactively.
To see a list of accepted parameters, run the install script with the --help parameter.
If an installation does not complete successfully, run the uninstaller before running the installer again.
./install.sh --docker-hub-username docker-user --docker-hub-password dockerpass --docker-hub-email firstname.lastname@example.org --database-type postgres --connection-string 'Server=secretssafe.database.beyondtrust.com;Database=secrets-safe;Port=5432;User Id=postgresql-user@secretssafe;Password=postgresql-password;Ssl Mode=Require;'
./install.sh --docker-hub-username docker-user --docker-hub-password dockerpass --docker-hub-email email@example.com --database-type mssql --connection-string' Server=10.10.10.10;Database=secrets-safe;User Id=sqluser;Password=sqlpass;'
Once the application is installed, a means to access it is also required. Currently, DevOps Secrets Safe is compatible with the NGINX Ingress controller.
To upgrade an existing DevOps Secrets Safe installation from a cluster, run the install script with the --upgrade parameter. This preserves all custom values entered for the release. Additional value overrides can be specified during the upgrade either with additional parameters or by modifying the values file prior to upgrade and specifying the --values-from-file flag.
Install with a Certificate
Please see the Certificates.md file for instructions on how to mount a custom certificate in a Secrets Safe installation.
To remove a DevOps Secrets Safe installation from a cluster, run the uninstall script. The uninstall script removes all DSS data, containers, secrets, etc. from the cluster. This does not include removing the database.