Delinea
Delinea DevOps Secrets Vault
External Secrets Operator integrates with Delinea DevOps Secrets Vault.
Please note that the Delinea Secret Server product is NOT in scope of this integration.
Creating a SecretStore
You need client ID, client secret and tenant to authenticate with DSV. Both client ID and client secret can be specified either directly in the config, or by referencing a kubernetes secret.
To acquire client ID and client secret, refer to the policy management and client management documentation.
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
name: secret-store
spec:
provider:
delinea:
tenant: <TENANT>
tld: <TLD>
clientId:
value: <CLIENT_ID>
clientSecret:
secretRef:
name: <NAME_OF_KUBE_SECRET>
key: <KEY_IN_KUBE_SECRET>
Both clientId
and clientSecret
can either be specified directly via the value
field or can reference a kubernetes secret.
The tenant
field must correspond to the host name / site name of your DevOps vault. If you selected a region other than the US you must also specify the TLD, e.g. tld: eu
.
If required, the URL template (urlTemplate
) can be customized as well.
Referencing Secrets
Secrets can be referenced by path. Getting a specific version of a secret is not yet supported.
Note that because all DSV secrets are JSON objects, you must specify remoteRef.property
. You can access nested values or arrays using gjson syntax.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: secret
spec:
refreshInterval: 1h
secretStoreRef:
kind: SecretStore
name: secret-store
data:
- secretKey: <KEY_IN_KUBE_SECRET>
remoteRef:
key: <SECRET_PATH>
property: <JSON_PROPERTY>