diff --git a/CHANGELOG.md b/CHANGELOG.md index 3e76d62..8e58830 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,13 @@ +# 1.1.3 + +## Bug Fixes +- fix(base): Add additional logging to debug issue with K8SNS store type. +- fix(client): Handle skip TLS flag when passed to a job. + +## Chores: +- chore(deps): Bump `Keyfactor.Logging` to `v1.1.2` +- chore(deps): Bump `Keyfactor.PKI` to `v5.5.0` + # 1.1.2 ## Bug Fixes diff --git a/README.md b/README.md index dfff94a..3ac6b83 100644 --- a/README.md +++ b/README.md @@ -1,7 +1,9 @@ # Kubernetes Orchestrator Extension -The Kubernetes Orchestrator allows for the remote management of certificate stores defined in a Kubernetes cluster. The following types of Kubernetes resources are supported: kubernetes secrets of `kubernetes.io/tls` or `Opaque` and kubernetes certificates `certificates.k8s.io/v1` +The Kubernetes Orchestrator allows for the remote management of certificate stores defined in a Kubernetes cluster. The following types of Kubernetes resources are supported: +- Secrets - Kubernetes secrets of type `kubernetes.io/tls` or `Opaque` +- Certificates - Kubernetes certificates of type `certificates.k8s.io/v1` #### Integration status: Production - Ready for use in production environments. diff --git a/kubernetes-orchestrator-extension/Clients/KubeClient.cs b/kubernetes-orchestrator-extension/Clients/KubeClient.cs index 1124129..46309a7 100644 --- a/kubernetes-orchestrator-extension/Clients/KubeClient.cs +++ b/kubernetes-orchestrator-extension/Clients/KubeClient.cs @@ -7,6 +7,7 @@ using System; using System.Collections.Generic; +using System.Configuration; using System.IO; using System.Linq; using System.Net; 
@@ -84,14 +85,15 @@ private K8SConfiguration ParseKubeConfig(string kubeconfig, bool skipTLSVerify = { _logger.LogTrace("Entered ParseKubeConfig()"); var k8SConfiguration = new K8SConfiguration(); - + _logger.LogTrace("Checking if kubeconfig is null or empty"); if (string.IsNullOrEmpty(kubeconfig)) { _logger.LogError("kubeconfig is null or empty"); - throw new KubeConfigException("kubeconfig is null or empty, please provide a valid kubeconfig in JSON format. For more information on how to create a kubeconfig file, please visit https://github.com/Keyfactor/k8s-orchestrator/tree/main/scripts/kubernetes#example-service-account-json"); + throw new KubeConfigException( + "kubeconfig is null or empty, please provide a valid kubeconfig in JSON format. For more information on how to create a kubeconfig file, please visit https://github.com/Keyfactor/k8s-orchestrator/tree/main/scripts/kubernetes#example-service-account-json"); } - + try { // test if kubeconfig is base64 encoded @@ -118,10 +120,11 @@ private K8SConfiguration ParseKubeConfig(string kubeconfig, bool skipTLSVerify = if (!kubeconfig.StartsWith("{")) { _logger.LogError("kubeconfig is not a JSON object"); - throw new KubeConfigException("kubeconfig is not a JSON object, please provide a valid kubeconfig in JSON format. For more information on how to create a kubeconfig file, please visit: https://github.com/Keyfactor/k8s-orchestrator/tree/main/scripts/kubernetes#get_service_account_credssh"); + throw new KubeConfigException( + "kubeconfig is not a JSON object, please provide a valid kubeconfig in JSON format. For more information on how to create a kubeconfig file, please visit: https://github.com/Keyfactor/k8s-orchestrator/tree/main/scripts/kubernetes#get_service_account_credssh"); // return k8SConfiguration; - } - + } + _logger.LogDebug("Parsing kubeconfig as a dictionary of string, string"); 
@@ -151,18 +154,21 @@ private K8SConfiguration ParseKubeConfig(string kubeconfig, bool skipTLSVerify = _logger.LogTrace("Creating Cluster object for cluster '{Name}'", clusterMetadata["name"]?.ToString()); // get environment variable for skip tls verify and convert to bool var skipTlsEnvStr = Environment.GetEnvironmentVariable("KEYFACTOR_ORCHESTRATOR_SKIP_TLS_VERIFY"); - _logger.LogTrace("KEYFACTOR_ORCHESTRATOR_SKIP_TLS_VERIFY environment variable: {SkipTlsVerify}", skipTlsEnvStr); - if (!string.IsNullOrEmpty(skipTlsEnvStr) && (bool.TryParse(skipTlsEnvStr, out var skipTlsVerifyEnv) || skipTlsEnvStr == "1")) + _logger.LogTrace("KEYFACTOR_ORCHESTRATOR_SKIP_TLS_VERIFY environment variable: {SkipTlsVerify}", + skipTlsEnvStr); + if (!string.IsNullOrEmpty(skipTlsEnvStr) && + (bool.TryParse(skipTlsEnvStr, out var skipTlsVerifyEnv) || skipTlsEnvStr == "1")) { if (skipTlsEnvStr == "1") skipTlsVerifyEnv = true; _logger.LogDebug("Setting skip-tls-verify to {SkipTlsVerify}", skipTlsVerifyEnv); if (skipTlsVerifyEnv && !skipTLSVerify) { - _logger.LogWarning("Skipping TLS verification is enabled in environment variable KEYFACTOR_ORCHESTRATOR_SKIP_TLS_VERIFY this takes the highest precedence and verification will be skipped. To disable this, set the environment variable to 'false' or remove it"); + _logger.LogWarning( + "Skipping TLS verification is enabled in environment variable KEYFACTOR_ORCHESTRATOR_SKIP_TLS_VERIFY this takes the highest precedence and verification will be skipped. To disable this, set the environment variable to 'false' or remove it"); skipTLSVerify = true; } } - + var clusterObj = new Cluster { Name = clusterMetadata["name"]?.ToString(), 
@@ -173,7 +179,8 @@ private K8SConfiguration ParseKubeConfig(string kubeconfig, bool skipTLSVerify = SkipTlsVerify = skipTLSVerify } }; - _logger.LogTrace("Adding cluster '{Name}'({@Endpoint}) to K8SConfiguration", clusterObj.Name, clusterObj.ClusterEndpoint); + _logger.LogTrace("Adding cluster '{Name}'({@Endpoint}) to K8SConfiguration", clusterObj.Name, + clusterObj.ClusterEndpoint); k8SConfiguration.Clusters = new List { clusterObj }; } @@ -220,7 +227,7 @@ private K8SConfiguration ParseKubeConfig(string kubeconfig, bool skipTLSVerify = _logger.LogTrace("Finished parsing contexts"); _logger.LogDebug("Finished parsing kubeconfig"); - + return k8SConfiguration; } @@ -240,7 +247,7 @@ private IKubernetes GetKubeClient(string kubeconfig) _logger.LogDebug("Calling ParseKubeConfig()"); var k8SConfiguration = ParseKubeConfig(kubeconfig); _logger.LogDebug("Finished calling ParseKubeConfig()"); - + // use k8sConfiguration over credentialFileName KubernetesClientConfiguration config; if (k8SConfiguration != null) // Config defined in store parameters takes highest precedence @@ -258,7 +265,9 @@ private IKubernetes GetKubeClient(string kubeconfig) config = KubernetesClientConfiguration.BuildDefaultConfig(); } } - else if (string.IsNullOrEmpty(credentialFileName)) // If no config defined in store parameters, use default config. This should never happen though. + else if + (string.IsNullOrEmpty( + credentialFileName)) // If no config defined in store parameters, use default config. This should never happen though. { _logger.LogWarning( "No config defined in store parameters, using default config. This should never happen!"); 
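Review bot: The reformatted `else if` in GetKubeClient is now split over three lines (`else if` / `(string.IsNullOrEmpty(` / `credentialFileName))`) only because the trailing comment pushes the line past the wrap width. Moving the comment to its own line above the branch keeps the condition on one line: `// No config defined in store parameters: fall back to the default config (not expected to happen).` followed by `else if (string.IsNullOrEmpty(credentialFileName))`. GetKubeClient starts and ends outside this hunk.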
@@ -1800,7 +1809,7 @@ public List DiscoverSecrets(string[] allowedKeys, string secType, string _logger.LogTrace("Client BaseUrl: {BaseUrl}", Client.BaseUri); _logger.LogDebug("Calling CoreV1.ListNamespace()"); namespaces = Client.CoreV1.ListNamespace(); - + _logger.LogDebug("returned from CoreV1.ListNamespace()"); _logger.LogTrace("namespaces.Items.Count: {Count}", namespaces.Items.Count); _logger.LogTrace("namespaces.Items: {Items}", namespaces.Items.ToString()); @@ -1816,7 +1825,8 @@ public List DiscoverSecrets(string[] allowedKeys, string secType, string if (nsLi != "all" && nsLi != nsObj.Metadata.Name) { _logger.LogWarning( - "Skipping namespace '{Namespace}' because it does not match the namespace filter", nsObj.Metadata.Name); + "Skipping namespace '{Namespace}' because it does not match the namespace filter", + nsObj.Metadata.Name); continue; } @@ -1977,6 +1987,28 @@ public List DiscoverSecrets(string[] allowedKeys, string secType, string return locations; } + public struct JksSecret + { + public string SecretPath; + public string SecretFieldName; + public V1Secret Secret; + public string Password; + public string PasswordPath; + public List AllowedKeys; + public Dictionary Inventory; + } + + public struct Pkcs12Secret + { + public string SecretPath; + public string SecretFieldName; + public V1Secret Secret; + public string Password; + public string PasswordPath; + public List AllowedKeys; + public Dictionary Inventory; + } + public JksSecret GetJksSecret(string secretName, string namespaceName, string password = null, string passwordPath = null, List allowedKeys = null) { 
@@ -2170,7 +2202,7 @@ public CsrObject GenerateCertificateRequest(string name, string[] sans, IPAddres X509KeyUsageFlags.DataEncipherment | X509KeyUsageFlags.KeyEncipherment | X509KeyUsageFlags.DigitalSignature, false)); request.CertificateExtensions.Add( - new X509EnhancedKeyUsageExtension(new OidCollection { new("1.3.6.1.5.5.7.3.1") }, false)); + new X509EnhancedKeyUsageExtension(new OidCollection { new Oid("1.3.6.1.5.5.7.3.1") }, false)); request.CertificateExtensions.Add(sanBuilder.Build()); var csr = request.CreateSigningRequest(); var csrPem = "-----BEGIN CERTIFICATE REQUEST-----\r\n" + @@ -2291,28 +2323,6 @@ public V1Secret CreateOrUpdatePkcs12Secret(Pkcs12Secret k8SData, string kubeSecr return Client.CoreV1.ReplaceNamespacedSecret(s1, kubeSecretName, kubeNamespace); } - public struct JksSecret - { - public string SecretPath; - public string SecretFieldName; - public V1Secret Secret; - public string Password; - public string PasswordPath; - public List AllowedKeys; - public Dictionary Inventory; - } - - public struct Pkcs12Secret - { - public string SecretPath; - public string SecretFieldName; - public V1Secret Secret; - public string Password; - public string PasswordPath; - public List AllowedKeys; - public Dictionary Inventory; - } - public struct CsrObject { public string Csr; diff --git a/kubernetes-orchestrator-extension/Jobs/Inventory.cs b/kubernetes-orchestrator-extension/Jobs/Inventory.cs index afc3083..896ce05 100644 --- a/kubernetes-orchestrator-extension/Jobs/Inventory.cs +++ b/kubernetes-orchestrator-extension/Jobs/Inventory.cs 
@@ -51,12 +51,12 @@ public JobResult ProcessJob(InventoryJobConfiguration config, SubmitInventoryUpd Logger.LogInformation("Begin INVENTORY for K8S Orchestrator Extension for job " + config.JobId); Logger.LogInformation($"Inventory for store type: {config.Capability}"); - Logger.LogDebug($"Server: {KubeClient.GetHost()}"); - Logger.LogDebug($"Store Path: {StorePath}"); - Logger.LogDebug("KubeSecretType: " + KubeSecretType); - Logger.LogDebug("KubeSecretName: " + KubeSecretName); - Logger.LogDebug("KubeNamespace: " + KubeNamespace); - Logger.LogDebug("Host: " + KubeClient.GetHost()); + Logger.LogDebug("Server: {Host}", KubeClient.GetHost()); + Logger.LogDebug("Store Path: {StorePath}", StorePath); + Logger.LogDebug("KubeSecretType: {KubeSecretType}", KubeSecretType); + Logger.LogDebug("KubeSecretName: {KubeSecretName}", KubeSecretName); + Logger.LogDebug("KubeNamespace: {KubeNamespace}", KubeNamespace); + Logger.LogDebug("Host: {Host}", KubeClient.GetHost()); Logger.LogTrace("Inventory entering switch based on KubeSecretType: " + KubeSecretType + "..."); diff --git a/kubernetes-orchestrator-extension/Jobs/JobBase.cs b/kubernetes-orchestrator-extension/Jobs/JobBase.cs index a27262e..7355a22 100644 --- a/kubernetes-orchestrator-extension/Jobs/JobBase.cs +++ b/kubernetes-orchestrator-extension/Jobs/JobBase.cs @@ -7,6 +7,7 @@ using System; using System.Collections.Generic; +using System.ComponentModel; using System.IO; using System.Linq; using System.Security.Cryptography; 
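Review bot: The message-template conversion in ProcessJob stops partway: the first context line still concatenates `config.JobId`, the next one uses an interpolated string for `config.Capability`, and the trace line after the block concatenates `KubeSecretType`. These values come from job and store configuration, so passing them as template arguments keeps them as separate structured properties rather than as part of the message text, e.g. `Logger.LogInformation("Begin INVENTORY for K8S Orchestrator Extension for job {JobId}", config.JobId);`. `Server: {Host}` and `Host: {Host}` also log the same `KubeClient.GetHost()` value twice, so one of them can be dropped. ProcessJob continues outside the hunk.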
@@ -505,16 +506,19 @@ protected string ResolveStorePath(string spath) break; case 2 when IsClusterStore(Capability): - Logger.LogWarning("`StorePath`: `{StorePath}` is 2 parts this is not a valid combination for `K8SCluster` and will be ignored", spath); + Logger.LogWarning( + "`StorePath`: `{StorePath}` is 2 parts this is not a valid combination for `K8SCluster` and will be ignored", + spath); break; case 2 when IsNamespaceStore(Capability): var nsPrefix = sPathParts[0]; Logger.LogTrace("nsPrefix: {NsPrefix}", nsPrefix); var nsName = sPathParts[1]; Logger.LogTrace("nsName: {NsName}", nsName); - + Logger.LogInformation( - "`StorePath`: `{StorePath}` is 2 parts and store type is `K8SNS`, assuming that store path pattern is either `/` or `namespace/`", spath); + "`StorePath`: `{StorePath}` is 2 parts and store type is `K8SNS`, assuming that store path pattern is either `/` or `namespace/`", + spath); if (string.IsNullOrEmpty(KubeNamespace)) { Logger.LogInformation("`KubeNamespace` is empty, setting `KubeNamespace` to `{Namespace}`", nsName); @@ -522,16 +526,20 @@ protected string ResolveStorePath(string spath) } else { - Logger.LogInformation("`KubeNamespace` parameter is not empty, ignoring `StorePath` value `{StorePath}`", spath); + Logger.LogInformation( + "`KubeNamespace` parameter is not empty, ignoring `StorePath` value `{StorePath}`", spath); } + break; case 2: - Logger.LogInformation("`StorePath`: `{StorePath}` is 2 parts, assuming that store path pattern is the `/` ", spath); + Logger.LogInformation( + "`StorePath`: `{StorePath}` is 2 parts, assuming that store path pattern is the `/` ", + spath); var kNs = sPathParts[0]; Logger.LogTrace("kNs: {KubeNamespace}", kNs); var kSn = sPathParts[1]; Logger.LogTrace("kSn: {KubeSecretName}", kSn); - + if (string.IsNullOrEmpty(KubeNamespace)) { Logger.LogInformation("`KubeNamespace` is not set, setting `KubeNamespace` to `{Namespace}`", kNs); 
@@ -554,10 +562,14 @@ protected string ResolveStorePath(string spath) break; case 3 when IsClusterStore(Capability): - Logger.LogError("`StorePath`: `{StorePath}` is 3 parts and store type is `K8SCluster`, this is not a valid combination and `StorePath` will be ignored", spath); + Logger.LogError( + "`StorePath`: `{StorePath}` is 3 parts and store type is `K8SCluster`, this is not a valid combination and `StorePath` will be ignored", + spath); break; case 3 when IsNamespaceStore(Capability): - Logger.LogInformation("`StorePath`: `{StorePath}` is 3 parts and store type is `K8SNS`, assuming that store path pattern is `/namespace/`", spath); + Logger.LogInformation( + "`StorePath`: `{StorePath}` is 3 parts and store type is `K8SNS`, assuming that store path pattern is `/namespace/`", + spath); var nsCluster = sPathParts[0]; Logger.LogTrace("nsCluster: {NsCluster}", nsCluster); var nsClarifier = sPathParts[1]; 
@@ -567,33 +579,37 @@ protected string ResolveStorePath(string spath) if (string.IsNullOrEmpty(KubeNamespace)) { - Logger.LogInformation("`KubeNamespace` is not set, setting `KubeNamespace` to `{Namespace}`", nsName3); + Logger.LogInformation("`KubeNamespace` is not set, setting `KubeNamespace` to `{Namespace}`", + nsName3); KubeNamespace = nsName3; } else { - Logger.LogInformation("`KubeNamespace` is set, ignoring `StorePath` value `{StorePath}`", spath); + Logger.LogInformation("`KubeNamespace` is set, ignoring `StorePath` value `{StorePath}`", spath); } if (!string.IsNullOrEmpty(KubeSecretName)) { - Logger.LogWarning("`KubeSecretName` parameter is not empty, but is not supported for `K8SNS` store type and will be ignored"); + Logger.LogWarning( + "`KubeSecretName` parameter is not empty, but is not supported for `K8SNS` store type and will be ignored"); KubeSecretName = ""; } break; case 3: - Logger.LogInformation("Store path is 3 parts assuming that it is the '//`"); + Logger.LogInformation( + "Store path is 3 parts assuming that it is the '//`"); var kH = sPathParts[0]; Logger.LogTrace("kH: {KubeHost}", kH); var kN = sPathParts[1]; Logger.LogTrace("kN: {KubeNamespace}", kN); var kS = sPathParts[2]; Logger.LogTrace("kS: {KubeSecretName}", kS); - + if (kN is "secret" or "tls" or "certificate" or "namespace") { - Logger.LogInformation("Store path is 3 parts and the second part is a reserved keyword, assuming that it is the '//'"); + Logger.LogInformation( + "Store path is 3 parts and the second part is a reserved keyword, assuming that it is the '//'"); kN = sPathParts[0]; kS = sPathParts[1]; } 
@@ -826,6 +842,14 @@ private void InitializeProperties(dynamic storeProperties) KubeSvcCreds = ServerPassword; } + if (string.IsNullOrEmpty(KubeSvcCreds)) + { + const string credsErr = + "No credentials provided to connect to Kubernetes. Please provide a kubeconfig file. See https://github.com/Keyfactor/kubernetes-orchestrator/blob/main/scripts/kubernetes/get_service_account_creds.sh"; + Logger.LogError(credsErr); + throw new ConfigurationException(credsErr); + } + switch (KubeSecretType) { case "pfx": @@ -877,15 +901,15 @@ private void InitializeProperties(dynamic storeProperties) } Logger.LogTrace("Creating new KubeCertificateManagerClient object"); - // KubeClient = new KubeCertificateManagerClient(KubeSvcCreds); - // - // Logger.LogTrace("Getting KubeHost and KubeCluster from KubeClient"); - // KubeHost = KubeClient.GetHost(); - // Logger.LogTrace("KubeHost: {KubeHost}", KubeHost); - // - // Logger.LogTrace("Getting cluster name from KubeClient"); - // KubeCluster = KubeClient.GetClusterName(); - // Logger.LogTrace("KubeCluster: {KubeCluster}", KubeCluster); + KubeClient = new KubeCertificateManagerClient(KubeSvcCreds); + + Logger.LogTrace("Getting KubeHost and KubeCluster from KubeClient"); + KubeHost = KubeClient.GetHost(); + Logger.LogTrace("KubeHost: {KubeHost}", KubeHost); + + Logger.LogTrace("Getting cluster name from KubeClient"); + KubeCluster = KubeClient.GetClusterName(); + Logger.LogTrace("KubeCluster: {KubeCluster}", KubeCluster); if (string.IsNullOrEmpty(KubeSecretName) && !string.IsNullOrEmpty(StorePath) && !Capability.Contains("NS") && !Capability.Contains("Cluster")) @@ -931,17 +955,11 @@ public string GetStorePath() if (Capability.Contains("K8SNS")) - { secretType = "namespace"; - } else if (Capability.Contains("K8SCluster")) - { secretType = "cluster"; - } else - { secretType = KubeSecretType.ToLower(); - } Logger.LogTrace("secretType: {SecretType}", secretType); Logger.LogTrace("Entered switch statement based on secretType"); 
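Review bot: The new credentials guard in InitializeProperties tests `string.IsNullOrEmpty(KubeSvcCreds)`, so a whitespace-only value passes here and would presumably fail only later, during kubeconfig parsing; `if (string.IsNullOrWhiteSpace(KubeSvcCreds))` rejects it where the error message is most useful. The help link in `credsErr` points at `github.com/Keyfactor/kubernetes-orchestrator`, while the kubeconfig errors in KubeClient.cs in this same commit link to `github.com/Keyfactor/k8s-orchestrator`; one of the two looks stale and they should be aligned. `ConfigurationException` is not brought in by the `using System.ComponentModel;` this commit adds to JobBase.cs; if it resolves to `System.Configuration.ConfigurationException`, that type is marked obsolete in favour of `ConfigurationErrorsException`. InitializeProperties starts and ends outside the hunk.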
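Review bot: The re-enabled `KubeClient = new KubeCertificateManagerClient(KubeSvcCreds);` passes only the credentials, and GetKubeClient in KubeClient.cs (same commit) calls `ParseKubeConfig(kubeconfig)` without its `skipTLSVerify` argument, so from the visible lines a job-level skip-TLS setting does not appear to reach the client, although the changelog entry "Handle skip TLS flag when passed to a job" suggests it should. If the flag is wired in elsewhere, a comment at this call saying where would help, along the lines of `// TLS verification: taken from <store property or env var>, applied in ParseKubeConfig`. Whichever path sets it, logging the effective TLS-verification setting once per job at Information or above would make a store that runs without certificate verification visible in normal logs. The enclosing method continues outside the hunk.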
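Review bot: `secretType = KubeSecretType.ToLower();` in the rewritten if/else chain of GetStorePath is culture-sensitive, and its result feeds the switch on `secretType` that follows. Under a Turkish culture an upper-case `I` lower-cases to dotless `ı`, so a value such as `CERTIFICATE` would not match a lower-case ASCII case label; `secretType = KubeSecretType.ToLowerInvariant();` avoids that. The commit also removes the braces from all three branches; keeping them is the safer form in a chain where a later edit may add a second statement to a branch. GetStorePath continues outside the hunk.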
@@ -993,6 +1011,23 @@ public string GetStorePath() } } + protected string ResolvePamField(string name, string value) + { + try + { + Logger.LogTrace($"Attempting to resolved PAM eligible field {name}"); + return _resolver.Resolve(value); + } + catch (Exception e) + { + Logger.LogError($"Unable to resolve PAM field {name}. Returning original value."); + Logger.LogError(e.Message); + Logger.LogTrace(e.ToString()); + Logger.LogTrace(e.StackTrace); + return value; + } + } + protected byte[] GetKeyBytes(X509Certificate2 certObj, string certPassword = null) { Logger.LogDebug("Entered GetKeyBytes()"); @@ -1047,7 +1082,6 @@ protected byte[] GetKeyBytes(X509Certificate2 certObj, string certPassword = nul try { if (certObj.HasPrivateKey) - { try { Logger.LogDebug("Attempting to export private key as PKCS8"); @@ -1076,7 +1110,6 @@ protected byte[] GetKeyBytes(X509Certificate2 certObj, string certPassword = nul Logger.LogTrace("ExportEncryptedPkcs8PrivateKey() complete"); return keyBytes; } - } } catch (Exception ie) { @@ -1105,13 +1138,10 @@ protected static JobResult SuccessJob(long jobHistoryId, string jobMessage = nul var result = new JobResult { Result = OrchestratorJobStatusJobResult.Success, - JobHistoryId = jobHistoryId, + JobHistoryId = jobHistoryId }; - if (!string.IsNullOrEmpty(jobMessage)) - { - result.FailureMessage = jobMessage; - } + if (!string.IsNullOrEmpty(jobMessage)) result.FailureMessage = jobMessage; return result; } 
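Review bot: ResolvePamField catches every `Exception` and returns the unresolved `value`, so when `value` was a PAM reference the caller goes on to use that reference string as if it were the credential, and the job fails later with a less specific error than the lookup failure. If the fallback is intended for fields that hold plain values, a comment above the `catch` should say so, e.g. `// Fall back to the literal value: the field may hold a plain value rather than a PAM reference.`; otherwise rethrow after logging. The four log calls can be one structured call that keeps the exception attached: `Logger.LogError(e, "Unable to resolve PAM field {Name}. Returning original value.", name);`. `e.ToString()` already includes the stack trace, which makes `Logger.LogTrace(e.StackTrace)` redundant, and "Attempting to resolved" should read "Attempting to resolve".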
@@ -1238,15 +1268,11 @@ protected string getK8SStorePassword(V1Secret certData) Logger.LogDebug("No password found"); var passwdEx = ""; if (!string.IsNullOrEmpty(StorePasswordPath)) - { passwdEx = "Store secret '" + StorePasswordPath + "'did not contain key '" + CertificateDataFieldName + "' or '" + PasswordFieldName + "'" + " Please provide a valid store password and try again"; - } else - { passwdEx = "Invalid store password. Please provide a valid store password and try again"; - } Logger.LogError("{Msg}", passwdEx); throw new Exception(passwdEx); @@ -1278,10 +1304,7 @@ protected Pkcs12Store LoadPkcs12Store(byte[] pkcs12Data, string password) protected string GetCertificatePem(Pkcs12Store store, string password, string alias = "") { Logger.LogDebug("Entered GetCertificatePem()"); - if (string.IsNullOrEmpty(alias)) - { - alias = store.Aliases.Cast().FirstOrDefault(store.IsKeyEntry); - } + if (string.IsNullOrEmpty(alias)) alias = store.Aliases.Cast().FirstOrDefault(store.IsKeyEntry); Logger.LogDebug("Attempting to get certificate with alias {Alias}", alias); var cert = store.GetCertificate(alias).Certificate; diff --git a/kubernetes-orchestrator-extension/Keyfactor.Orchestrators.K8S.csproj b/kubernetes-orchestrator-extension/Keyfactor.Orchestrators.K8S.csproj index ce85ab7..b5554b9 100644 --- a/kubernetes-orchestrator-extension/Keyfactor.Orchestrators.K8S.csproj +++ b/kubernetes-orchestrator-extension/Keyfactor.Orchestrators.K8S.csproj @@ -17,14 +17,14 @@ - - - - - - - - + + + + + + + + diff --git a/readme-src/store-types-tables.md b/readme-src/store-types-tables.md deleted file mode 100644 index bef6d51..0000000 --- a/readme-src/store-types-tables.md +++ /dev/null 
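Review bot: In GetCertificatePem the `FirstOrDefault(store.IsKeyEntry)` lookup, now collapsed onto the `if` line, leaves `alias` null when the store holds no key entry, and the next statement passes it straight into `store.GetCertificate(alias).Certificate` with no check. A guard after the assignment turns that into a clear error instead of a null failure deeper in the call: `if (string.IsNullOrEmpty(alias)) throw new InvalidOperationException("PKCS12 store contains no key entry");`. The same applies when a caller supplies an alias that is not in the store, since the result of `GetCertificate` is dereferenced unchecked. GetCertificatePem continues outside the hunk.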
@@ -1,308 +0,0 @@ - -### K8SCert Store Type -#### kfutil Create K8SCert Store Type -The following commands can be used with [kfutil](https://github.com/Keyfactor/kfutil). Please refer to the kfutil documentation for more information on how to use the tool to interact w/ Keyfactor Command. - -``` -bash -kfutil login -kfutil store - types create--name K8SCert -``` - -#### UI Configuration -##### UI Basic Tab -| Field Name | Required | Value | -|-------------------------|----------|-------------------------------------------| -| Name | ✓ | K8SCert | -| ShortName | ✓ | K8SCert | -| Custom Capability | | Unchecked [ ] | -| Supported Job Types | ✓ | Inventory,Discovery | -| Needs Server | ✓ | Checked [x] | -| Blueprint Allowed | | Unchecked [ ] | -| Uses PowerShell | | Unchecked [ ] | -| Requires Store Password | | Unchecked [ ] | -| Supports Entry Password | | Unchecked [ ] | - -![k8sstlssecr_basic.png](docs%2Fscreenshots%2Fstore_types%2Fk8scert_basic.png) - -##### UI Advanced Tab -| Field Name | Required | Value | -|-----------------------|----------|-----------------------| -| Store Path Type | | Freeform | -| Supports Custom Alias | | Forbidden | -| Private Key Handling | | Forbidden | -| PFX Password Style | | Default | - -![k8sstlssecr_advanced.png](docs%2Fscreenshots%2Fstore_types%2Fk8scert_advanced.png) - -##### UI Custom Fields Tab -| Name | Display Name | Type | Required | Default Value | -|----------------|----------------------|--------|----------|---------------| -| KubeNamespace | Kube Namespace | String | | `default` | -| KubeSecretName | Kube Secret Name | String | ✓ | | -| KubeSecretType | Kube Secret Type | String | ✓ | `tls_secret`| - - -### K8SCluster Store Type -#### kfutil Create K8SCluster Store Type -The following commands can be used with [kfutil](https://github.com/Keyfactor/kfutil). Please refer to the kfutil documentation for more information on how to use the tool to interact w/ Keyfactor Command. 
- -``` -bash -kfutil login -kfutil store - types create--name K8SCluster -``` - -#### UI Configuration -##### UI Basic Tab -| Field Name | Required | Value | -|-------------------------|----------|-------------------------------------------| -| Name | ✓ | K8SCluster | -| ShortName | ✓ | K8SCluster | -| Custom Capability | | Unchecked [ ] | -| Supported Job Types | ✓ | Inventory,Add,Create,Remove | -| Needs Server | ✓ | Checked [x] | -| Blueprint Allowed | | Unchecked [ ] | -| Uses PowerShell | | Unchecked [ ] | -| Requires Store Password | | Unchecked [ ] | -| Supports Entry Password | | Unchecked [ ] | - -![k8sstlssecr_basic.png](docs%2Fscreenshots%2Fstore_types%2Fk8scluster_basic.png) - -##### UI Advanced Tab -| Field Name | Required | Value | -|-----------------------|----------|-----------------------| -| Store Path Type | | Freeform | -| Supports Custom Alias | | Required | -| Private Key Handling | | Optional | -| PFX Password Style | | Default | - -![k8sstlssecr_advanced.png](docs%2Fscreenshots%2Fstore_types%2Fk8scluster_advanced.png) - -##### UI Custom Fields Tab -| Name | Display Name | Type | Required | Default Value | -|----------------|----------------------|--------|----------|---------------| -| KubeNamespace | Kube Namespace | String | | `default` | -| KubeSecretName | Kube Secret Name | String | ✓ | | -| KubeSecretType | Kube Secret Type | String | ✓ | `tls_secret`| - - -### K8SJKS Store Type -#### kfutil Create K8SJKS Store Type -The following commands can be used with [kfutil](https://github.com/Keyfactor/kfutil). Please refer to the kfutil documentation for more information on how to use the tool to interact w/ Keyfactor Command. 
- -``` -bash -kfutil login -kfutil store - types create--name K8SJKS -``` - -#### UI Configuration -##### UI Basic Tab -| Field Name | Required | Value | -|-------------------------|----------|-------------------------------------------| -| Name | ✓ | K8SJKS | -| ShortName | ✓ | K8SJKS | -| Custom Capability | | Unchecked [ ] | -| Supported Job Types | ✓ | Inventory,Add,Create,Discovery,Remove | -| Needs Server | ✓ | Checked [x] | -| Blueprint Allowed | | Unchecked [ ] | -| Uses PowerShell | | Unchecked [ ] | -| Requires Store Password | | Checked [x] | -| Supports Entry Password | | Unchecked [ ] | - -![k8sstlssecr_basic.png](docs%2Fscreenshots%2Fstore_types%2Fk8sjks_basic.png) - -##### UI Advanced Tab -| Field Name | Required | Value | -|-----------------------|----------|-----------------------| -| Store Path Type | | Freeform | -| Supports Custom Alias | | Required | -| Private Key Handling | | Optional | -| PFX Password Style | | Default | - -![k8sstlssecr_advanced.png](docs%2Fscreenshots%2Fstore_types%2Fk8sjks_advanced.png) - -##### UI Custom Fields Tab -| Name | Display Name | Type | Required | Default Value | -|----------------|----------------------|--------|----------|---------------| -| KubeNamespace | Kube Namespace | String | | `default` | -| KubeSecretName | Kube Secret Name | String | ✓ | | -| KubeSecretType | Kube Secret Type | String | ✓ | `tls_secret`| - - -### K8SNS Store Type -#### kfutil Create K8SNS Store Type -The following commands can be used with [kfutil](https://github.com/Keyfactor/kfutil). Please refer to the kfutil documentation for more information on how to use the tool to interact w/ Keyfactor Command. 
- -``` -bash -kfutil login -kfutil store - types create--name K8SNS -``` - -#### UI Configuration -##### UI Basic Tab -| Field Name | Required | Value | -|-------------------------|----------|-------------------------------------------| -| Name | ✓ | K8SNS | -| ShortName | ✓ | K8SNS | -| Custom Capability | | Unchecked [ ] | -| Supported Job Types | ✓ | Inventory,Add,Create,Discovery,Remove | -| Needs Server | ✓ | Checked [x] | -| Blueprint Allowed | | Unchecked [ ] | -| Uses PowerShell | | Unchecked [ ] | -| Requires Store Password | | Unchecked [ ] | -| Supports Entry Password | | Unchecked [ ] | - -![k8sstlssecr_basic.png](docs%2Fscreenshots%2Fstore_types%2Fk8sns_basic.png) - -##### UI Advanced Tab -| Field Name | Required | Value | -|-----------------------|----------|-----------------------| -| Store Path Type | | Freeform | -| Supports Custom Alias | | Required | -| Private Key Handling | | Optional | -| PFX Password Style | | Default | - -![k8sstlssecr_advanced.png](docs%2Fscreenshots%2Fstore_types%2Fk8sns_advanced.png) - -##### UI Custom Fields Tab -| Name | Display Name | Type | Required | Default Value | -|----------------|----------------------|--------|----------|---------------| -| KubeNamespace | Kube Namespace | String | | `default` | -| KubeSecretName | Kube Secret Name | String | ✓ | | -| KubeSecretType | Kube Secret Type | String | ✓ | `tls_secret`| - - -### K8SPKCS12 Store Type -#### kfutil Create K8SPKCS12 Store Type -The following commands can be used with [kfutil](https://github.com/Keyfactor/kfutil). Please refer to the kfutil documentation for more information on how to use the tool to interact w/ Keyfactor Command. 
- -``` -bash -kfutil login -kfutil store - types create--name K8SPKCS12 -``` - -#### UI Configuration -##### UI Basic Tab -| Field Name | Required | Value | -|-------------------------|----------|-------------------------------------------| -| Name | ✓ | K8SPKCS12 | -| ShortName | ✓ | K8SPKCS12 | -| Custom Capability | | Unchecked [ ] | -| Supported Job Types | ✓ | Inventory,Add,Create,Discovery,Remove | -| Needs Server | ✓ | Checked [x] | -| Blueprint Allowed | | Unchecked [ ] | -| Uses PowerShell | | Unchecked [ ] | -| Requires Store Password | | Checked [x] | -| Supports Entry Password | | Unchecked [ ] | - -![k8sstlssecr_basic.png](docs%2Fscreenshots%2Fstore_types%2Fk8spkcs12_basic.png) - -##### UI Advanced Tab -| Field Name | Required | Value | -|-----------------------|----------|-----------------------| -| Store Path Type | | Freeform | -| Supports Custom Alias | | Required | -| Private Key Handling | | Optional | -| PFX Password Style | | Default | - -![k8sstlssecr_advanced.png](docs%2Fscreenshots%2Fstore_types%2Fk8spkcs12_advanced.png) - -##### UI Custom Fields Tab -| Name | Display Name | Type | Required | Default Value | -|----------------|----------------------|--------|----------|---------------| -| KubeNamespace | Kube Namespace | String | | `default` | -| KubeSecretName | Kube Secret Name | String | ✓ | | -| KubeSecretType | Kube Secret Type | String | ✓ | `tls_secret`| - - -### K8SSecret Store Type -#### kfutil Create K8SSecret Store Type -The following commands can be used with [kfutil](https://github.com/Keyfactor/kfutil). Please refer to the kfutil documentation for more information on how to use the tool to interact w/ Keyfactor Command. 
- -``` -bash -kfutil login -kfutil store - types create--name K8SSecret -``` - -#### UI Configuration -##### UI Basic Tab -| Field Name | Required | Value | -|-------------------------|----------|-------------------------------------------| -| Name | ✓ | K8SSecret | -| ShortName | ✓ | K8SSecret | -| Custom Capability | | Unchecked [ ] | -| Supported Job Types | ✓ | Inventory,Add,Create,Discovery,Remove | -| Needs Server | ✓ | Checked [x] | -| Blueprint Allowed | | Unchecked [ ] | -| Uses PowerShell | | Unchecked [ ] | -| Requires Store Password | | Unchecked [ ] | -| Supports Entry Password | | Unchecked [ ] | - -![k8sstlssecr_basic.png](docs%2Fscreenshots%2Fstore_types%2Fk8ssecret_basic.png) - -##### UI Advanced Tab -| Field Name | Required | Value | -|-----------------------|----------|-----------------------| -| Store Path Type | | Freeform | -| Supports Custom Alias | | Forbidden | -| Private Key Handling | | Optional | -| PFX Password Style | | Default | - -![k8sstlssecr_advanced.png](docs%2Fscreenshots%2Fstore_types%2Fk8ssecret_advanced.png) - -##### UI Custom Fields Tab -| Name | Display Name | Type | Required | Default Value | -|----------------|----------------------|--------|----------|---------------| -| KubeNamespace | Kube Namespace | String | | `default` | -| KubeSecretName | Kube Secret Name | String | ✓ | | -| KubeSecretType | Kube Secret Type | String | ✓ | `tls_secret`| - - -### K8STLSSecr Store Type -#### kfutil Create K8STLSSecr Store Type -The following commands can be used with [kfutil](https://github.com/Keyfactor/kfutil). Please refer to the kfutil documentation for more information on how to use the tool to interact w/ Keyfactor Command. 
- -``` -bash -kfutil login -kfutil store - types create--name K8STLSSecr -``` - -#### UI Configuration -##### UI Basic Tab -| Field Name | Required | Value | -|-------------------------|----------|-------------------------------------------| -| Name | ✓ | K8STLSSecr | -| ShortName | ✓ | K8STLSSecr | -| Custom Capability | | Unchecked [ ] | -| Supported Job Types | ✓ | Inventory,Add,Create,Discovery,Remove | -| Needs Server | ✓ | Checked [x] | -| Blueprint Allowed | | Unchecked [ ] | -| Uses PowerShell | | Unchecked [ ] | -| Requires Store Password | | Unchecked [ ] | -| Supports Entry Password | | Unchecked [ ] | - -![k8sstlssecr_basic.png](docs%2Fscreenshots%2Fstore_types%2Fk8stlssecr_basic.png) - -##### UI Advanced Tab -| Field Name | Required | Value | -|-----------------------|----------|-----------------------| -| Store Path Type | | Freeform | -| Supports Custom Alias | | Forbidden | -| Private Key Handling | | Optional | -| PFX Password Style | | Default | - -![k8sstlssecr_advanced.png](docs%2Fscreenshots%2Fstore_types%2Fk8stlssecr_advanced.png) - -##### UI Custom Fields Tab -| Name | Display Name | Type | Required | Default Value | -|----------------|----------------------|--------|----------|---------------| -| KubeNamespace | Kube Namespace | String | | `default` | -| KubeSecretName | Kube Secret Name | String | ✓ | | -| KubeSecretType | Kube Secret Type | String | ✓ | `tls_secret`| -