Merge pull request #15 from Keyfactor/pan_feedback
fix(inventory): Allowing for secret key `tls.crt` and `tls.key` for `…
spbsoluble authored Apr 18, 2023
2 parents 09efc3f + a803a3d commit 0de9060
Showing 4 changed files with 125 additions and 111 deletions.
103 changes: 50 additions & 53 deletions README.md
@@ -6,13 +6,13 @@ The Kubernetes Orchestrator allows for the remote management of certificate stor

#### Integration status: Pilot - Ready for use in test environments. Not for use in production.

## About the Keyfactor Universal Orchestrator Capability
## About the Keyfactor Universal Orchestrator Extension

This repository contains a Universal Orchestrator Capability which is a plugin to the Keyfactor Universal Orchestrator. Within the Keyfactor Platform, Orchestrators are used to manage “certificate stores” — collections of certificates and roots of trust that are found within and used by various applications.
This repository contains a Universal Orchestrator Extension which is a plugin to the Keyfactor Universal Orchestrator. Within the Keyfactor Platform, Orchestrators are used to manage “certificate stores” — collections of certificates and roots of trust that are found within and used by various applications.

The Universal Orchestrator is part of the Keyfactor software distribution and is available via the Keyfactor customer portal. For general instructions on installing Capabilities, see the “Keyfactor Command Orchestrator Installation and Configuration Guide” section of the Keyfactor documentation. For configuration details of this specific Capability, see below in this readme.
The Universal Orchestrator is part of the Keyfactor software distribution and is available via the Keyfactor customer portal. For general instructions on installing Extensions, see the “Keyfactor Command Orchestrator Installation and Configuration Guide” section of the Keyfactor documentation. For configuration details of this specific Extension see below in this readme.

The Universal Orchestrator is the successor to the Windows Orchestrator. This Capability plugin only works with the Universal Orchestrator and does not work with the Windows Orchestrator.
The Universal Orchestrator is the successor to the Windows Orchestrator. This Orchestrator Extension plugin only works with the Universal Orchestrator and does not work with the Windows Orchestrator.



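Review bot: the Capability-to-Extension rename is applied in all three paragraphs, but the third now reads "This Orchestrator Extension plugin" while the heading and first paragraph say "Universal Orchestrator Extension"; use one form throughout. The second paragraph also dropped the comma the old text had ("of this specific Extension, see below in this readme"); restore it.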
@@ -181,7 +181,8 @@ The secrets that this orchestrator extension supports for use with a PAM Provide

| Name | Description |
|----------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| KubeSvcCreds | This is a raw JSON file that contains service account credentials to interact with the Kubernetes APIs. See the service account setup guide for permission details. |
| ServerPassword | This is a raw JSON file that contains service account credentials to interact with the Kubernetes APIs. See the service account setup guide for permission details. |
| ServerUsername | This is a static value that must be set to `kubeconfig`. |


It is not necessary to implement all of the secrets available to be managed by a PAM provider.
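Review bot: replacing the `KubeSvcCreds` PAM secret with `ServerPassword` / `ServerUsername` breaks any certificate store already mapped to a PAM provider under the old name, and the hunk adds no migration note; add a sentence telling existing users to re-map their PAM entry to `ServerPassword`. The `ServerPassword` description is copied verbatim from the removed `KubeSvcCreds` row, including "raw JSON file"; since the value is stored as a string, "the contents of a kubeconfig file in JSON format" is more precise and matches the wording in the store-type tables later in this file. Finally, `ServerUsername` "must be set to `kubeconfig`" is a fixed marker value rather than a credential, which is worth stating explicitly so readers do not try to store a real username there.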
@@ -326,17 +327,17 @@ Below is a table of the common values that should be used for all certificate st

#### Common Values
##### UI Basic Tab
| Field Name | Required | Description | Value |
|-------------------------|----------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------|
| Name | ✓ | The display name you wish to use for the new Certificate Store Type. | Depends on store type. |
| ShortName | ✓ | The short name you wish to use for the new Certificate Store Type. | Depends on store type. |
| Custom Capability | ✓ | Whether or not the certificate store type supports custom capabilities. | Checked [x] |
| Supported Job Types | ✓ | The job types supported by the certificate store type. | Depends on store type. |
| Needs Server | | Must be set to true or checked to use PAM, otherwise can be left unchecked. NOTE: If using this `server_username` must be equal to `kubeconfig` and `server_password` will be the kubeconfig file in JSON format | Unchecked [ ] |
| Blueprint Allowed | | Checked if you wish to make use of blueprinting. Please refer to the Keyfactor Command Reference Guide for more details on this feature. | Unchecked [ ] |
| Uses PowerShell | | Whether or not the certificate store type uses PowerShell. | Unchecked [ ] |
| Requires Store Password | | Whether or not the certificate store type requires a password. | Unchecked [ ] |
| Supports Entry Password | | Whether or not the certificate store type supports entry passwords. | Unchecked [ ] |
| Field Name | Required | Description | Value |
|-------------------------|----------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------|
| Name | ✓ | The display name you wish to use for the new Certificate Store Type. | Depends on store type. |
| ShortName | ✓ | The short name you wish to use for the new Certificate Store Type. | Depends on store type. |
| Custom Capability | ✓ | Whether or not the certificate store type supports custom capabilities. | Checked [x] |
| Supported Job Types | ✓ | The job types supported by the certificate store type. | Depends on store type. |
| Needs Server | ✓ | Must be set to true or checked. NOTE: If using this `ServerUsername` must be equal to `kubeconfig` and `ServerPassword` will be the kubeconfig file in JSON format | Checked [x] |
| Blueprint Allowed | | Checked if you wish to make use of blueprinting. Please refer to the Keyfactor Command Reference Guide for more details on this feature. | Unchecked [ ] |
| Uses PowerShell | | Whether or not the certificate store type uses PowerShell. | Unchecked [ ] |
| Requires Store Password | | Whether or not the certificate store type requires a password. | Unchecked [ ] |
| Supports Entry Password | | Whether or not the certificate store type supports entry passwords. | Unchecked [ ] |

##### UI Advanced Tab
| Field Name | Required | Description | Value |
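Review bot: with Needs Server now marked required and "Checked [x]", the description in that row still opens with "If using this", which no longer applies; reword to "When checked, `ServerUsername` must equal `kubeconfig` and `ServerPassword` must contain the kubeconfig in JSON format." The identifiers `ServerUsername` / `ServerPassword` used here match the PAM table above, which is good; the per-store-type NOTE further down in this file still uses the snake_case names and should be aligned.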
Expand All @@ -352,7 +353,6 @@ Below is a table of the common values that should be used for all certificate st
| KubeNamespace | Kube Namespace | String | | `default` | The Kubernetes namespace the store will reside. |
| KubeSecretName | Kube Secret Name | String | | none | This field overrides `storepath` value. The Kubernetes secret or certificate resource name. |
| KubeSecretType | Kube Secret Type | String | ✓ | none | Must be one of the following `secret`, `secret_tls` or `cert`. See [kube-secret-types](#kube-secret-types). |
| KubeSvcCreds | Kube Service Account | Secret | ✓ | none | A JSON string containing the service account credentials to the Kubernetes API. Must be in `kubeconfig` format. For more information review [Kubernetes service account](scripts/kubernetes/README.md) docs and scripts. **NOTE: If using PAM this can be optional.** |

##### Kube Secret Types
- `secret` - A generic secret of type `Opaque`. Must contain a key of one of the following values: [ `cert`, `certficate`, `certs`,`certificates` ] to be inventoried.
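Review bot: removing the `KubeSvcCreds` custom field is consistent with the PAM table above, but the "Kube Secret Types" text in the trailing context still says an Opaque secret is inventoried only when it contains one of `cert`, `certficate`, `certs`, `certificates`. That list does not match `secretAllowedKeys` in Inventory.cs, which this same PR extends with `tls.crt` and `tls.key` alongside `crt`, `crts`, `ca.crt` and `tls.crts`; regenerate the README list from the code, and note that `certficate` is a typo the code does not recognise, so a secret using that misspelled key would not be inventoried at all.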
Expand All @@ -376,17 +376,17 @@ kfutil store-types create --name K8SSecret
#### UI Configuration

##### UI Basic Tab
| Field Name | Required | Value |
|-------------------------|----------|-------------------------------------------------------------------------|
| Name | ✓ | `K8SSecret` |
| ShortName | ✓ | `K8SSecret` |
| Custom Capability | ✓ | Checked [x] + `K8SSecret` |
| Supported Job Types | ✓ | Inventory, Add, Remove, Create, Discovery |
| Needs Server | | Unchecked [ ] **Note: Check this to use PAM or Certificate Discovery ** |
| Blueprint Allowed | | Unchecked [ ] |
| Uses PowerShell | | Unchecked [ ] |
| Requires Store Password | | Unchecked [ ] |
| Supports Entry Password | | Unchecked [ ] |
| Field Name | Required | Value |
|-------------------------|----------|-------------------------------------------|
| Name | ✓ | `K8SSecret` |
| ShortName | ✓ | `K8SSecret` |
| Custom Capability | ✓ | Checked [x] + `K8SSecret` |
| Supported Job Types | ✓ | Inventory, Add, Remove, Create, Discovery |
| Needs Server | ✓ | Checked [x] |
| Blueprint Allowed | | Unchecked [ ] |
| Uses PowerShell | | Unchecked [ ] |
| Requires Store Password | | Unchecked [ ] |
| Supports Entry Password | | Unchecked [ ] |

**NOTE:** If using PAM, `server_username` must be equal to `kubeconfig` and `server_password` will be the kubeconfig file in JSON format.

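Review bot: the NOTE in the trailing context still uses `server_username` / `server_password`, while the updated common-values table and PAM table in this PR use `ServerUsername` / `ServerPassword`; align the identifiers, or drop the NOTE and point at the common-values table since it now repeats that row. The removed hint "Check this to use PAM or Certificate Discovery" was the only mention of Discovery depending on Needs Server; if that dependency still exists, the unconditional "Checked [x]" covers it, but a short sentence saying why the field is now mandatory would help readers who previously left it unchecked.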
Expand All @@ -408,7 +408,6 @@ kfutil store-types create --name K8SSecret
| KubeNamespace | Kube Namespace | String | | `default` |
| KubeSecretName | Kube Secret Name | String | ✓ | |
| KubeSecretType | Kube Secret Type | String | ✓ | `secret` |
| KubeSvcCreds | Kube Service Account | Secret | ✓ | |

![k8ssecret_custom_fields.png](docs%2Fscreenshots%2Fstore_types%2Fk8ssecret_custom_fields.png)

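Review bot: the screenshot `docs/screenshots/store_types/k8ssecret_custom_fields.png` referenced directly after this table is not among the files shown in this view, so check that it was regenerated; otherwise it will still show the `KubeSvcCreds` field this hunk removes. The same applies to `k8sstlssecr_custom_fields.png` and `k8scert_custom_fields.png` after the other two custom-field tables.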
Expand All @@ -429,17 +428,17 @@ kfutil store-types create --name K8STLSSecr
#### UI Configuration

##### UI Basic Tab
| Field Name | Required | Value |
|------------|----------|---------------------------|
| Name | ✓ | `K8STLSSecr` |
| ShortName | ✓ | `K8STLSSecr` |
| Custom Capability | ✓ | Checked [x] + `K8STLSSecr` |
| Supported Job Types | ✓ | Inventory, Add, Remove, Create, Discovery |
| Needs Server | | Unchecked [ ] |
| Blueprint Allowed | | Unchecked [ ] |
| Uses PowerShell | | Unchecked [ ] |
| Requires Store Password | | Unchecked [ ] |
| Supports Entry Password | | Unchecked [ ] |
| Field Name | Required | Value |
|-------------------------|----------|-------------------------------------------|
| Name | ✓ | `K8STLSSecr` |
| ShortName | ✓ | `K8STLSSecr` |
| Custom Capability | ✓ | Checked [x] + `K8STLSSecr` |
| Supported Job Types | ✓ | Inventory, Add, Remove, Create, Discovery |
| Needs Server | ✓ | Checked [x] |
| Blueprint Allowed | | Unchecked [ ] |
| Uses PowerShell | | Unchecked [ ] |
| Requires Store Password | | Unchecked [ ] |
| Supports Entry Password | | Unchecked [ ] |

![k8sstlssecr_basic.png](docs%2Fscreenshots%2Fstore_types%2Fk8sstlssecr_basic.png)

Expand All @@ -459,7 +458,6 @@ kfutil store-types create --name K8STLSSecr
| KubeNamespace | Kube Namespace | String | | `default` |
| KubeSecretName | Kube Secret Name | String | ✓ | |
| KubeSecretType | Kube Secret Type | String | ✓ | `tls_secret` |
| KubeSvcCreds | Kube Service Account | Secret | ✓ | |

![k8sstlssecr_custom_fields.png](docs%2Fscreenshots%2Fstore_types%2Fk8sstlssecr_custom_fields.png)

Expand All @@ -478,17 +476,17 @@ kfutil store-types create --name K8SCert
#### UI Configuration

##### UI Basic Tab
| Field Name | Required | Value |
|------------|----------|---------------------------|
| Name | ✓ | `K8SCert` |
| ShortName | ✓ | `K8SCert` |
| Custom Capability | ✓ | Checked [x] + `K8SCert` |
| Supported Job Types | ✓ | Inventory, Discovery |
| Needs Server | | Unchecked [ ] |
| Blueprint Allowed | | Unchecked [ ] |
| Uses PowerShell | | Unchecked [ ] |
| Requires Store Password | | Unchecked [ ] |
| Supports Entry Password | | Unchecked [ ] |
| Field Name | Required | Value |
|-------------------------|----------|--------------------------|
| Name | ✓ | `K8SCert` |
| ShortName | ✓ | `K8SCert` |
| Custom Capability | ✓ | Checked [x] + `K8SCert` |
| Supported Job Types | ✓ | Inventory, Discovery |
| Needs Server | ✓ | Checked [x] |
| Blueprint Allowed | | Unchecked [ ] |
| Uses PowerShell | | Unchecked [ ] |
| Requires Store Password | | Unchecked [ ] |
| Supports Entry Password | | Unchecked [ ] |

![k8scert_basic.png](docs%2Fscreenshots%2Fstore_types%2Fk8scert_basic.png)

Expand All @@ -508,7 +506,6 @@ kfutil store-types create --name K8SCert
| KubeNamespace | Kube Namespace | String | | `default` |
| KubeSecretName | Kube Secret Name | String | ✓ | |
| KubeSecretType | Kube Secret Type | String | ✓ | `cert` |
| KubeSvcCreds | Kube Service Account | Secret | ✓ | |

![k8scert_custom_fields.png](docs%2Fscreenshots%2Fstore_types%2Fk8scert_custom_fields.png)

8 changes: 6 additions & 2 deletions kubernetes-orchestrator-extension/Jobs/Inventory.cs
@@ -57,7 +57,7 @@ public JobResult ProcessJob(InventoryJobConfiguration config, SubmitInventoryUpd
{
case "secret":
case "secrets":
var secretAllowedKeys = new[] { "tls.crts", "cert", "certs", "certificate", "certificates", "crt", "crts", "ca.crt" };
var secretAllowedKeys = new[] { "tls.crts", "cert", "certs", "certificate", "certificates", "crt", "crts", "ca.crt", "tls.crt", "tls.key" };
return HandleOpaqueSecret(config.JobHistoryId, submitInventory, secretAllowedKeys);
case "tls_secret":
case "tls":
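Review bot: adding `tls.key` to `secretAllowedKeys` means the `tls.key` entry of an Opaque secret, which holds a PEM private key and not a certificate, is handed to `HandleOpaqueSecret`; the second hunk in this file shows that method splitting every allowed key's data on `CertChainSeparator` and appending the pieces to the certificate list, so unless it filters by content the private-key PEM will be pushed to the inventory as if it were a certificate entry. Handle `tls.key` separately (use its presence to set the private-key flag rather than adding it to the certificate keys) and keep key material out of the inventory payload. Also worth a glance while here: `tls.crts` was already in the array while the far more common `tls.crt` was not, which looks like the original typo this change is working around.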
@@ -197,7 +197,11 @@ private JobResult HandleOpaqueSecret(long jobId, SubmitInventoryUpdate submitInv
{
var certificatesBytes = certData.Data[allowedKey];
var certificates = Encoding.UTF8.GetString(certificatesBytes);
certsList.Concat(certificates.Split(CertChainSeparator));
//split the certificates by the separator
var splitCerts = certificates.Split(CertChainSeparator);
//add the split certs to the list
certsList = certsList.Concat(splitCerts).ToArray();
// certsList.Concat(certificates.Split(CertChainSeparator));
}
}
return PushInventory(certsList, jobId, submitInventory, hasPrivateKey);
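Review bot: delete the commented-out `// certsList.Concat(certificates.Split(CertChainSeparator));` rather than leaving it behind; history is in version control and the comment above the new code already explains the change. The fix itself is right: LINQ `Concat` returns a new lazy sequence, so the old statement discarded its result and nothing was ever added to `certsList`, which is why the inventory came back empty. Two follow-ups: rebuilding the array with `ToArray()` on every iteration is fine for a handful of keys but a `List<string>` with `AddRange` would be simpler; and `Split(CertChainSeparator)` yields an empty trailing element when the blob ends with the separator, so pass `StringSplitOptions.RemoveEmptyEntries` (and trim) so an empty string is not pushed to the inventory.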
