Configuring Secret Server
To configure Secret Server for the integration with Kubernetes ESO, you must complete the following steps in the specified order:

- Step 1: Create an application account in Secret Server for this integration. The Kubernetes ESO integration uses the credentials of the application account to authenticate with the Secret Server API.
- Step 2: Create a secret in Secret Server. Prepare the secret that you want the Kubernetes ESO integration to retrieve from Secret Server. You must share the secret with the application account that you use for the integration.

The following sections describe how to perform these tasks.
Step 1: Creating an Application Account in Secret Server
The integration requires an application account to connect to Secret Server. You specify the username and password of the application account as part of the SecretStore configuration that the integration uses to access the Secret Server API. If you don't have an application account, you can create one. For more information about creating an application account, see Managing Local Accounts in the Secret Server documentation.
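The following manifests show how the application account's credentials are typically supplied to the integration. They are an added example and are not part of the Secret Server documentation or of the External Secrets Operator project; the `secretserver` provider block follows the ESO Secret Server provider as this editor knows it, and the namespace, resource names, tenant URL and credential values are placeholders. The credentials are placed in a Kubernetes Secret and referenced by the SecretStore rather than written inline, so that access to them can be restricted with Kubernetes RBAC.

```yaml
# Constructed example: names, namespace and URL are placeholders.
# Kubernetes Secret holding the Secret Server application account
# credentials created in Step 1.
apiVersion: v1
kind: Secret
metadata:
  name: secret-server-credentials
  namespace: default
type: Opaque
stringData:
  username: eso-app-account                  # application account username
  password: "<application-account-password>" # replace before applying
---
# SecretStore that authenticates to the Secret Server API with the
# application account. The secretRef fields point at the Secret above.
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: secret-server-store
  namespace: default
spec:
  provider:
    secretserver:
      serverURL: "https://<your-tenant>.secretservercloud.com"
      username:
        secretRef:
          name: secret-server-credentials
          key: username
      password:
        secretRef:
          name: secret-server-credentials
          key: password
```

After applying the manifests, `kubectl get secretstore secret-server-store` should report the store as Ready; if it does not, the usual causes are a wrong `serverURL` or an application account that lacks the role described in this section.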
The application account must have a role with the View Launcher Password on Secrets and View Secret permissions in Secret Server. The following procedure describes how to create a role with these permissions and how to assign the role to the application account.
To create a role with the required permissions and assign it to the application account:

1. In Secret Server, navigate to Access > Roles.
2. Select Create role.
3. In the Create role dialog, provide a name and an optional description for the new role, and select Save.
4. Go to the Permissions tab for the role.
5. Select Edit and in the Scope dropdown list, select All.
6. Search for the View Launcher Password on Secrets permission by using the search box at the top.
7. Select the checkbox next to the permission name and select Save.
8. Repeat steps 6–7 to add the View Secret permission to the role.
   The Permissions tab shows the permissions added to the role.
9. Assign the role to the application account:
   1. Navigate to Access > Users.
   2. On the User management page, search for and select the application account.
   3. On the user page, go to the Roles tab and select Edit.
   4. In the window that appears below, search for and select the role that you created and select the checkbox next to the role name.
   5. Select Save.
Step 2: Creating a Secret in Secret Server
Create the secret that you want the Kubernetes ESO integration to retrieve from Secret Server and inject into a Kubernetes Secret. Share the secret with the application account that you use for the integration so that the integration can access it with the application account's credentials.

To create a secret and share it with the application account:

1. In Secret Server, select Secrets > All secrets.
2. In the Create new secret dialog, do the following:
   - (Optional) Change the default folder.
     Make sure that the application account has the View permission for the folder. For more information about folder permissions, see Folder Permissions in the Secret Server documentation.
   - Under Choose a secret template, select the template from which to create a secret.
     You can use any template that fits your needs.
   - Enter a name for the secret and the username and the password to store in the secret.
   - Provide values for the other secret fields according to the template.
   - Select Create secret.
3. Share the secret with the application account:
   1. Go to the Sharing tab of the secret's page.
   2. Select Edit in the upper-right corner.
   3. Clear Inherit permissions.
   4. Search for the application account by using the search box at the top.
   5. Select the checkbox to the left of the application account name and then select View in the dropdown list under Secret Permissions.
   6. Select Save.
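Once the secret is shared with the application account, an ExternalSecret can pull it through the SecretStore into a Kubernetes Secret. This is an added example, not part of the Secret Server documentation or of the External Secrets Operator project; it assumes a SecretStore named `secret-server-store` exists in the same namespace, the Secret Server secret ID `12345` is a placeholder, and the `remoteRef` layout follows the ESO Secret Server provider as this editor knows it (the `key` identifies the Secret Server secret and `property` names the field to read).

```yaml
# Constructed example: the secret ID, names and namespace are placeholders.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: app-db-credentials
  namespace: default
spec:
  refreshInterval: 1h            # how often ESO re-reads Secret Server
  secretStoreRef:
    kind: SecretStore
    name: secret-server-store    # the store authenticated with the application account
  target:
    name: app-db-credentials     # Kubernetes Secret that ESO creates and keeps in sync
    creationPolicy: Owner
  data:
    - secretKey: username        # key in the Kubernetes Secret
      remoteRef:
        key: "12345"             # placeholder: Secret Server secret ID of the shared secret
        property: username       # field of the Secret Server secret to read
    - secretKey: password
      remoteRef:
        key: "12345"
        property: password
```

The fetch succeeds only because the secret was shared with the application account with View permission and the account's role carries View Secret and View Launcher Password on Secrets; `kubectl describe externalsecret app-db-credentials` shows a SecretSynced condition when the sync works, and an authorization error in the same output is the first thing to check if the sharing or role steps were skipped.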