v1.2.2

.github/workflows/keyfactor-starter-workflow.yml

@@ -11,9 +11,10 @@ on:
 
 jobs:
   call-starter-workflow:
-    uses: keyfactor/actions/.github/workflows/starter.yml@v2
+    uses: keyfactor/actions/.github/workflows/starter.yml@3.1.2
     secrets:
       token: ${{ secrets.V2BUILDTOKEN}}
       APPROVE_README_PUSH: ${{ secrets.APPROVE_README_PUSH}}
       gpg_key: ${{ secrets.KF_GPG_PRIVATE_KEY }}
       gpg_pass: ${{ secrets.KF_GPG_PASSPHRASE }}
+      scan_token: ${{ secrets.SAST_TOKEN }}

CHANGELOG.md

@@ -1,4 +1,12 @@
+# 1.2.2
+
+## Bug Fixes
+- fix(storetypes): `K8SJKS` and `K8SPKCS12` storetypes using a separate `k8s` secret for store password does not crash
+on missing or invalid secret field name. 
+
 # 1.2.1
+
+## Bug Fixes
 - fix(management): `K8SNS` management jobs handle `storepath` parsed length is less than expected.
 
 # 1.2.0

docsource/content.md

@@ -0,0 +1,54 @@
+## Overview
+
+The Kubernetes Orchestrator allows for the remote management of certificate stores defined in a Kubernetes cluster. 
+The following types of Kubernetes resources are supported: kubernetes secrets of `kubernetes.io/tls` or `Opaque` and 
+kubernetes certificates `certificates.k8s.io/v1`
+
+The certificate store types that can be managed in the current version are:
+- `K8SCert` - Kubernetes certificates of type `certificates.k8s.io/v1`
+- `K8SSecret` - Kubernetes secrets of type `Opaque`
+- `K8STLSSecret` - Kubernetes secrets of type `kubernetes.io/tls`
+- `K8SCluster` - This allows for a single store to manage a k8s cluster's secrets or type `Opaque` and `kubernetes.io/tls`.
+  This can be thought of as a container of `K8SSecret` and `K8STLSSecret` stores across all k8s namespaces.
+- `K8SNS` - This allows for a single store to manage a k8s namespace's secrets or type `Opaque` and `kubernetes.io/tls`.
+  This can be thought of as a container of `K8SSecret` and `K8STLSSecret` stores for a single k8s namespace.
+- `K8SJKS` - Kubernetes secrets of type `Opaque` that contain one or more Java Keystore(s). These cannot be managed at the
+  cluster or namespace level as they should all require unique credentials.
+- `K8SPKCS12` - Kubernetes secrets of type `Opaque` that contain one or more PKCS12(s). These cannot be managed at the
+  cluster or namespace level as they should all require unique credentials.
+
+This orchestrator extension makes use of the Kubernetes API by using a service account
+to communicate remotely with certificate stores. The service account must have the correct permissions
+in order to perform the desired operations.  For more information on the required permissions, see the
+[service account setup guide](#service-account-setup).
+
+## Requirements
+
+### Kubernetes API Access
+This orchestrator extension makes use of the Kubernetes API by using a service account
+to communicate remotely with certificate stores. The service account must exist and have the appropriate permissions.
+The service account token can be provided to the extension in one of two ways:
+- As a raw JSON file that contains the service account credentials
+- As a base64 encoded string that contains the service account credentials
+
+#### Service Account Setup
+To set up a service account user on your Kubernetes cluster to be used by the Kubernetes Orchestrator Extension. For full 
+information on the required permissions, see the [service account setup guide](./scripts/kubernetes/README.md).
+
+## Discovery
+
+**NOTE:** To use discovery jobs, you must have the story type created in Keyfactor Command and the `needs_server` 
+checkbox *MUST* be checked, if you do not select `needs_server` you will not be able to provide credentials to the 
+discovery job and it will fail.
+
+The Kubernetes Orchestrator Extension supports certificate discovery jobs.  This allows you to populate the certificate stores with existing certificates.  To run a discovery job, follow these steps:
+1. Click on the "Locations > Certificate Stores" menu item.
+2. Click the "Discover" tab.
+3. Click the "Schedule" button.
+4. Configure the job based on storetype. **Note** the "Server Username" field must be set to `kubeconfig` and the "Server Password" field is the `kubeconfig` formatted JSON file containing the service account credentials.  See the "Service Account Setup" section earlier in this README for more information on setting up a service account.
+   ![discover_schedule_start.png](./docs/screenshots/discovery/discover_schedule_start.png)
+   ![discover_schedule_config.png](./docs/screenshots/discovery/discover_schedule_config.png)
+   ![discover_server_username.png](./docs/screenshots/discovery/discover_server_username.png)
+   ![discover_server_password.png](./docs/screenshots/discovery/discover_server_password.png)
+5. Click the "Save" button and wait for the Orchestrator to run the job. This may take some time depending on the number of certificates in the store and the Orchestrator's check-in schedule.
+

docsource/k8scert.md

@@ -0,0 +1,7 @@
+## Overview
+
+The `K8SCert` store type is used to manage Kubernetes certificates of type `certificates.k8s.io/v1`. 
+
+**NOTE**: only `inventory` and `discovery` of these resources is supported with this extension. To provision these certs use the 
+[k8s-csr-signer](https://github.com/Keyfactor/k8s-csr-signer).
+

docsource/k8scluster.md

@@ -0,0 +1,18 @@
+## Overview
+
+The `K8SCluster` store type allows for a single store to manage a k8s cluster's secrets or type `Opaque` and `kubernetes.io/tls`.
+
+## Certificate Store Configuration
+
+In order for certificates of type `Opaque` and/or `kubernetes.io/tls` to be inventoried in `K8SCluster` store types, they must
+have specific keys in the Kubernetes secret.
+- Required keys: `tls.crt` or `ca.crt`
+- Additional keys: `tls.key`
+
+### Storepath Patterns
+- `<cluster_name>`
+
+### Alias Patterns
+- `<namespace_name>/secrets/<tls|opaque>/<secret_name>`
+
+

docsource/k8sjks.md

@@ -0,0 +1,33 @@
+## Overview
+
+The `K8SJKS` store type is used to manage Kubernetes secrets of type `Opaque`.  These secrets
+must have a field that ends in `.jks`. The orchestrator will inventory and manage using a *custom alias* of the following
+pattern: `<k8s_secret_field_name>/<keystore_alias>`.  For example, if the secret has a field named `mykeystore.jks` and
+the keystore contains a certificate with an alias of `mycert`, the orchestrator will manage the certificate using the
+alias `mykeystore.jks/mycert`. *NOTE* *This store type cannot be managed at the `cluster` or `namespace` level as they 
+should all require unique credentials.*
+
+## Discovery Job Configuration
+
+For discovery of `K8SJKS` stores toy can use the following params to filter the certificates that will be discovered:
+- `Directories to search` - comma separated list of namespaces to search for certificates OR `all` to search all 
+namespaces. *This cannot be left blank.*
+- `File name patterns to match` - comma separated list of K8S secret keys to search for PKCS12 or JKS data. Will use 
+the following keys by default: `tls.pfx`,`tls.pkcs12`,`pfx`,`pkcs12`,`tls.jks`,`jks`.
+
+## Certificate Store Configuration
+
+In order for certificates of type `Opaque` to be inventoried as `K8SJKS` store types, they must have specific keys in
+the Kubernetes secret.
+- Valid Keys: `*.jks`
+
+### Storepath Patterns
+- `<namespace_name>/<secret_name>`
+- `<namespace_name>/secrets/<secret_name>`
+- `<cluster_name>/<namespace_name>/secrets/<secret_name>`
+
+### Alias Patterns
+- `<k8s_secret_field_name>/<keystore_alias>`
+
+Example: `test.jks/load_balancer` where `test.jks` is the field name on the `Opaque` secret and `load_balancer` is
+the certificate alias in the `jks` data store. 

docsource/k8sns.md

@@ -0,0 +1,26 @@
+## Overview
+
+The `K8SNS` store type is used to manage Kubernetes secrets of type `kubernetes.io/tls` and/or type `Opaque` in a single 
+Keyfactor Command certificate store using an alias pattern of
+
+## Discovery Job Configuration
+
+For discovery of K8SNS stores toy can use the following params to filter the certificates that will be discovered:
+- `Directories to search` - comma separated list of namespaces to search for certificates OR `all` to search all 
+namespaces. *This cannot be left blank.*
+
+## Certificate Store Configuration
+
+In order for certificates of type `Opaque` and/or `kubernetes.io/tls` to be inventoried in `K8SNS` store types, they must 
+have specific keys in the Kubernetes secret.
+- Required keys: `tls.crt` or `ca.crt`
+- Additional keys: `tls.key`
+
+### Storepath Patterns
+- `<namespace_name>`
+- `<cluster_name>/<namespace_name>`
+
+### Alias Patterns
+- `secrets/<tls|opaque>/<secret_name>`
+
+

docsource/k8spkcs12.md

@@ -0,0 +1,34 @@
+## Overview
+
+The `K8SPKCS12` store type is used to manage Kubernetes secrets of type `Opaque`.  These secrets
+must have a field that ends in `.pkcs12`. The orchestrator will inventory and manage using a *custom alias* of the following
+pattern: `<k8s_secret_field_name>/<keystore_alias>`.  For example, if the secret has a field named `mykeystore.pkcs12` and
+the keystore contains a certificate with an alias of `mycert`, the orchestrator will manage the certificate using the
+alias `mykeystore.pkcs12/mycert`. *NOTE* *This store type cannot be managed at the `cluster` or `namespace` level as they
+should all require unique credentials.*
+
+## Discovery Job Configuration
+
+For discovery of `K8SPKCS12` stores toy can use the following params to filter the certificates that will be discovered:
+- `Directories to search` - comma separated list of namespaces to search for certificates OR `all` to search all
+  namespaces. *This cannot be left blank.*
+- `File name patterns to match` - comma separated list of K8S secret keys to search for PKCS12 or PKCS12 data. Will use
+  the following keys by default: `tls.pfx`,`tls.pkcs12`,`pfx`,`pkcs12`,`tls.pkcs12`,`pkcs12`.
+
+## Certificate Store Configuration
+
+In order for certificates of type `Opaque` to be inventoried as `K8SPKCS12` store types, they must have specific keys in
+the Kubernetes secret.
+- Valid Keys: `*.pfx`, `*.pkcs12`, `*.p12`
+
+### Storepath Patterns
+- `<namespace_name>/<secret_name>`
+- `<namespace_name>/secrets/<secret_name>`
+- `<cluster_name>/<namespace_name>/secrets/<secret_name>`
+
+### Alias Patterns
+- `<k8s_secret_field_name>/<keystore_alias>`
+
+Example: `test.pkcs12/load_balancer` where `test.pkcs12` is the field name on the `Opaque` secret and `load_balancer` is
+the certificate alias in the `pkcs12` data store. 
+

docsource/k8ssecret.md

@@ -0,0 +1,18 @@
+## Overview
+
+The `K8SSecret` store type is used to manage Kubernetes secrets of type `Opaque`.
+
+## Discovery Job Configuration
+
+For discovery of K8SNS stores toy can use the following params to filter the certificates that will be discovered:
+- `Directories to search` - comma separated list of namespaces to search for certificates OR `all` to search all
+  namespaces. *This cannot be left blank.*
+
+## Certificate Store Configuration
+
+In order for certificates of type `Opaque` to be inventoried as `K8SSecret` store types, they must have specific keys in 
+the Kubernetes secret.  
+- Required keys: `tls.crt` or `ca.crt` 
+- Additional keys: `tls.key`
+
+

docsource/k8stlssecr.md

@@ -0,0 +1,17 @@
+## Overview
+
+The `K8STLSSecret` store type is used to manage Kubernetes secrets of type `kubernetes.io/tls`
+
+## Discovery Job Configuration
+
+For discovery of K8SNS stores toy can use the following params to filter the certificates that will be discovered:
+- `Directories to search` - comma separated list of namespaces to search for certificates OR `all` to search all
+  namespaces. *This cannot be left blank.*
+
+## Certificate Store Configuration
+
+In order for certificates of type `kubernetes.io/tls` to be inventoried, they must have specific keys in
+the Kubernetes secret.
+- Required keys: `tls.crt` and `tls.key`
+- Optional keys: `ca.crt`
+