cyberark / secrets-provider-for-k8s

Cyberark secrets provider for k8s
Apache License 2.0
26 stars, 11 forks

Need clarification using secrets-provider-for-k8s #311

Closed · praveenlnx closed this 3 years ago

praveenlnx commented 3 years ago

Hi,

Ques1: In the Readme it is mentioned that for OpenShift (DAP only - is it the enterprise one?) it is supported only for DAP; we have a Conjur OSS setup, shall we use it?

Ques2: While using the Conjur secret provider in OpenShift, in the conjur-map spec in secrets.yaml we don't want to mention the values for uname and password with base64; instead we're specifying the secret path for the Conjur server to retrieve the secret value. So, when the init container for secret-provider-k8s is running it will fetch the secret values from conjur-server-oss and update the k8s secret. In this case does the secret-provider-k8s container get the original value and update the keys on the k8s secret in base64 encoded format? If it is updated in the original k8s secret with those values, then the k8s secret will store the values in etcd as plaintext, right? Then there is no use of k8s-secret-provider with Conjur for security purposes, right? Please clarify the above.

rpothier commented 3 years ago

Hi praveenlnx, Thanks for posting these questions. For question one DAP refers to Conjur Enterprise. I will update the description to reflect this. So to answer your question, this is only supported for Conjur Enterprise, and not Conjur OSS. For question two, this is correct. You can see more information at CyberArk Secrets Provider for Kubernetes. If you need a higher level of security, then Secretless Broker or authn-k8s with either Summon or Conjur API can be used.
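The flow confirmed above (init container resolves each `conjur-map` entry, writes the fetched value into the Kubernetes Secret base64-encoded, and that value is then readable by anything that can read the Secret object) as an added illustration; this is not code from the secrets-provider project. It uses the `conjur-map` layout from the project README, a constructed manifest with made-up variable paths, and a dict standing in for a real Conjur fetch.

```python
import base64

# Constructed sample: a Secret as the secrets provider expects it, with a
# conjur-map naming the Conjur variable that backs each k8s secret key.
# The variable paths are made up for this example.
SECRET_MANIFEST = {
    "apiVersion": "v1",
    "kind": "Secret",
    "metadata": {"name": "test-app-secrets"},
    "type": "Opaque",
    "stringData": {
        "conjur-map": "username: secrets/test_secret_username\n"
                      "password: secrets/test_secret_password\n",
    },
}

# Stand-in for Conjur (assumption): a dict instead of a real API call.
FAKE_CONJUR = {
    "secrets/test_secret_username": "app-user",
    "secrets/test_secret_password": "s3cr3t-pa55",
}

def parse_conjur_map(text):
    """Parse 'k8s_key: conjur/variable/path' lines into a dict."""
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, path = line.partition(":")
        mapping[key.strip()] = path.strip()
    return mapping

def provide_secrets(manifest, fetch):
    """Mimic the init container: fetch every mapped variable and store it
    under data[key] base64-encoded, which is all the API server requires."""
    mapping = parse_conjur_map(manifest["stringData"]["conjur-map"])
    updated = dict(manifest)
    updated["data"] = {key: base64.b64encode(fetch(path).encode()).decode()
                       for key, path in mapping.items()}
    return updated

def stored_view(manifest):
    """What a reader of the stored object (etcd without encryption at rest,
    or any principal allowed to 'get secrets') recovers: base64 is an
    encoding, not encryption, so the Conjur values come straight back."""
    return {k: base64.b64decode(v).decode() for k, v in manifest["data"].items()}

if __name__ == "__main__":
    updated = provide_secrets(SECRET_MANIFEST, FAKE_CONJUR.__getitem__)
    print(updated["data"])   # base64 strings, as written into the Secret
    print(stored_view(updated))  # the same plaintext Conjur handed out
```

The takeaway matches the answer above: moving the fetch to Conjur controls who can obtain the value, but once it is written into a Secret its protection is that of the Secret (RBAC and etcd encryption at rest), which is why Secretless Broker or Summon/authn-k8s are suggested when the value must never land in a Secret.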

praveenlnx commented 3 years ago

Hi rpothier,

Thanks for the clarification.

For testing purposes, shall we try out conjur-k8s-secret-provider (Conjur OSS) on OpenShift 3.11?

We have only the option to use k8s-secret-provider, since Secretless Broker supports only DB/SSH/HTTP endpoints. Even if we use DAP, it does the same as what Conjur OSS is doing with respect to the secret provider, right?

rpothier commented 3 years ago

Hi praveenlnx. Yes, that is right. You can try Conjur OSS for testing purposes.