From 0c4926b29c84f3b3a5f289d5ca722f083cbfd4ba Mon Sep 17 00:00:00 2001 From: Keyfactor Date: Wed, 22 Oct 2025 15:43:20 +0000 Subject: [PATCH 01/17] Update store_types.json for all:latest --- cmd/store_types.json | 154 ++++++++++++++++++++++++++++++++++++++++--- store_types.json | 154 ++++++++++++++++++++++++++++++++++++++++--- 2 files changed, 292 insertions(+), 16 deletions(-) diff --git a/cmd/store_types.json b/cmd/store_types.json index 6fac9af3..418e37d0 100644 --- a/cmd/store_types.json +++ b/cmd/store_types.json @@ -17,6 +17,19 @@ "OnRemove": false, "OnReenrollment": false } + }, + { + "Name": "PreserveExistingTags", + "DisplayName": "Preserve Existing Tags", + "Description": "If true, this will perform a union of any tags provided with enrollment with the tags on the existing cert with the same alias and apply the result to the new certificate.", + "Type": "Bool", + "DefaultValue": "False", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": false, + "OnRemove": false, + "OnReenrollment": false + } } ], "JobProperties": [], @@ -957,7 +970,7 @@ "PowerShell": false, "BlueprintAllowed": false, "CustomAliasAllowed": "Forbidden", - "ClientMachineDescription": "The Client Machine field is the Akamai REST API URL. This should be equal to the the \"host\" value from the API credentials file.", + "ClientMachineDescription": "The Client Machine field is the Akamai REST API URL. This should be equal to the \"host\" value from the API credentials file.", "StorePathDescription": "The Akamai network the certificate will be managed from. Value can be either \"Production\" or \"Staging\"." }, { 
@@ -1064,6 +1077,77 @@ "BlueprintAllowed": false, "CustomAliasAllowed": "Required" }, + { + "Name": "Axis IP Camera", + "ShortName": "AxisIPCamera", + "Capability": "AxisIPCamera", + "ServerRequired": true, + "BlueprintAllowed": false, + "PowerShell": false, + "CustomAliasAllowed": "Required", + "PrivateKeyAllowed": "Forbidden", + "SupportedOperations": { + "Add": true, + "Create": false, + "Discovery": false, + "Enrollment": true, + "Remove": true + }, + "PasswordOptions": { + "EntrySupported": false, + "StoreRequired": false, + "Style": "Default" + }, + "Properties": [ + { + "Name": "ServerUsername", + "DisplayName": "Server Username", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": "", + "Required": true, + "Description": "Enter the username of the configured \"service\" user on the camera" + }, + { + "Name": "ServerPassword", + "DisplayName": "Server Password", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": "", + "Required": true, + "Description": "Enter the password of the configured \"service\" user on the camera" + }, + { + "Name": "ServerUseSsl", + "DisplayName": "Use SSL", + "Type": "Bool", + "DependsOn": "", + "DefaultValue": "true", + "Required": true, + "Description": "Select True or False depending on if SSL (HTTPS) should be used to communicate with the camera. This should always be \"True\"" + } + ], + "EntryParameters": [ + { + "Name": "CertUsage", + "DisplayName": "Certificate Usage", + "Type": "MultipleChoice", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": true, + "OnRemove": false, + "OnReenrollment": true + }, + "Options": "HTTPS,IEEE802.X,MQTT,Trust,Other", + "Description": "The Certificate Usage to assign to the cert after enrollment. Can be left 'Other' to be assigned later." + } + ], + "ClientMachineDescription": "The IP address of the Camera. Sample is \"192.167.231.174:44444\". Include the port if necessary.", + "StorePathDescription": "Enter the Serial Number of the camera e.g. 
`0b7c3d2f9e8a`", + "StorePathType": "", + "StorePathValue": "", + "JobProperties": [] + }, { "Name": "Azure App Registration (Application)", "ShortName": "AzureApp", @@ -2896,8 +2980,8 @@ "ShortName": "HPiLO", "Capability": "HPiLO", "LocalStore": false, - "StorePathDescription": "This should contain the path pointing to the HPiLO instance address, IP or domain name.", - "ClientMachineDescription": "Should contain a copy of the store path for compatibility reasons but is currently unused.", + "StorePathDescription": "This should contain the full URI pointing to the HPiLO instance, using IP (e.g. `https://10.1.1.1/`) or domain name (e.g. `https://hpilo.test.local/`). The orchestrator will connect to the iLO instance using the iLO API.", + "ClientMachineDescription": "Currently unused.", "SupportedOperations": { "Add": true, "Create": false, @@ -2955,11 +3039,11 @@ "StoreRequired": false, "Style": "Default" }, - "PrivateKeyAllowed": "Optional", + "PrivateKeyAllowed": "Required", "ServerRequired": true, "PowerShell": false, "BlueprintAllowed": false, - "CustomAliasAllowed": "Optional" + "CustomAliasAllowed": "Required" }, { "Name": "IIS Bound Certificate", @@ -3133,7 +3217,7 @@ "DependsOn": "", "DefaultValue": "", "Options": "", - "Description": "Name of the Windows cryptographic provider to use during reenrollment jobs when generating and storing the private keys. If not specified, defaults to 'Microsoft Strong Cryptographic Provider'. This value would typically be specified when leveraging a Hardware Security Module (HSM). The specified cryptographic provider must be available on the target server being managed. The list of installed cryptographic providers can be obtained by running 'certutil -csplist' on the target Server." + "Description": "Name of the Windows cryptographic service provider to use when generating and storing private keys. For more information, refer to the section 'Using Crypto Service Providers'" }, { "Name": "SAN", 
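Review bot: The new Axis IP Camera store type makes `ServerUseSsl` an operator-settable Bool while its description says it "should always be True"; with `ServerUsername`/`ServerPassword` typed Secret, a store saved with False sends the camera's service-user credentials over plain HTTP. Either drop the setting or state the consequence where the operator will read it, e.g. `"Description": "Use HTTPS to communicate with the camera. Setting this to False sends the service-user credentials in cleartext; leave it True unless the camera cannot serve HTTPS."`. The `CertUsage` option `IEEE802.X` looks like it is meant to be `IEEE802.1X`, but since this string is presumably passed through to the camera API it should be checked against the accepted values before being changed. Minor: the sample `192.167.231.174:44444` in `ClientMachineDescription` is a publicly routable address; `192.168.x.x` or an RFC 5737 address such as `192.0.2.10:44444` avoids copy-paste surprises.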
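Review bot: The rewritten HPiLO `StorePathDescription` asks for a "full URI" and both examples use `https://`, but nothing says whether `http://` is accepted; if the orchestrator simply follows whatever scheme is entered, the iLO credentials would travel in cleartext. If the integration does enforce HTTPS, say so, e.g. `"This should contain the full HTTPS URI of the HPiLO instance, e.g. 'https://10.1.1.1/' or 'https://hpilo.test.local/'; plain http:// is not supported."`. Because iLO interfaces very commonly run self-signed certificates, this description is also the natural place to state whether the orchestrator validates the iLO certificate and how to trust it — I cannot tell from this file what it does.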
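Review bot: Flipping HPiLO's `PrivateKeyAllowed` and `CustomAliasAllowed` from `Optional` to `Required` tightens validation for every existing HPiLO store, not only new ones; entries that were added without a key or alias under the old definition will presumably be rejected on their next Add or reenrollment. Requiring the private key is the right call for an iLO server certificate, but a store-type definition change of this kind is breaking and should be called out in the release notes and the HPiLO orchestrator README with a one-line migration note.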
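Review bot: The shortened description of the cryptographic-provider property (its `Name` line is outside this hunk) drops three operationally useful facts — the default of 'Microsoft Strong Cryptographic Provider', the requirement that the provider be installed on the target server, and the `certutil -csplist` check — and replaces them with a bare section name, whereas the nearby `SSHPort` description links its section as `[config.json](#post-installation)`. Suggest keeping the default and linking the section: `"Description": "Name of the Windows cryptographic service provider (CSP/KSP) to use when generating and storing private keys; defaults to 'Microsoft Strong Cryptographic Provider'. The provider must be installed on the target server. See [Using Crypto Service Providers](#using-crypto-service-providers)."` (assuming that heading yields that anchor). The same replacement is made again in the hunks at -5015 and -5150 and should be kept in sync.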
@@ -4055,6 +4139,15 @@ "Type": "String", "DefaultValue": "", "Description": "Integer value representing the port that should be used when connecting to Linux servers over SSH. Overrides SSHPort [config.json](#post-installation) setting." + }, + { + "Name": "UseShellCommands", + "DisplayName": "Use Shell Commands", + "Required": false, + "DependsOn": "", + "Type": "Bool", + "DefaultValue": "True", + "Description": "Recommended to be set to the default value of 'Y'. For a detailed explanation of this setting, please refer to [Use Shell Commands Setting](#use-shell-commands-setting)" } ], "EntryParameters": [], @@ -4169,6 +4262,15 @@ "Type": "String", "DefaultValue": "", "Description": "Integer value representing the port that should be used when connecting to Linux servers over SSH. Overrides SSHPort [config.json](#post-installation) setting." + }, + { + "Name": "UseShellCommands", + "DisplayName": "Use Shell Commands", + "Required": false, + "DependsOn": "", + "Type": "Bool", + "DefaultValue": "True", + "Description": "Recommended to be set to the default value of 'Y'. For a detailed explanation of this setting, please refer to [Use Shell Commands Setting](#use-shell-commands-setting)" } ], "EntryParameters": [], @@ -4283,6 +4385,15 @@ "Type": "String", "DefaultValue": "", "Description": "Integer value representing the port that should be used when connecting to Linux servers over SSH. Overrides SSHPort [config.json](#post-installation) setting." + }, + { + "Name": "UseShellCommands", + "DisplayName": "Use Shell Commands", + "Required": false, + "DependsOn": "", + "Type": "Bool", + "DefaultValue": "True", + "Description": "Recommended to be set to the default value of 'Y'. For a detailed explanation of this setting, please refer to [Use Shell Commands Setting](#use-shell-commands-setting)" } ], "EntryParameters": [], 
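Review bot: The new `UseShellCommands` property is `Type: Bool` with `DefaultValue: "True"`, yet its description tells the operator to keep "the default value of 'Y'", a value the Bool field will never hold; change it to `"Recommended to be left at the default value of 'True'. For a detailed explanation of this setting, please refer to [Use Shell Commands Setting](#use-shell-commands-setting)"`. The name implies that, when enabled, the orchestrator executes shell commands on the Linux target over SSH, so the description (or the linked section) should say what is executed and what the SSH user must be allowed to do, so an operator can weigh the least-privilege trade-off of turning it off; I cannot tell from this file what the False path does instead. The identical block is pasted into six store types (this hunk and the five that follow), so fix every copy together.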
@@ -4406,6 +4517,15 @@ "Type": "String", "DefaultValue": "", "Description": "Integer value representing the port that should be used when connecting to Linux servers over SSH. Overrides SSHPort [config.json](#post-installation) setting." + }, + { + "Name": "UseShellCommands", + "DisplayName": "Use Shell Commands", + "Required": false, + "DependsOn": "", + "Type": "Bool", + "DefaultValue": "True", + "Description": "Recommended to be set to the default value of 'Y'. For a detailed explanation of this setting, please refer to [Use Shell Commands Setting](#use-shell-commands-setting)" } ], "EntryParameters": [], @@ -4556,6 +4676,15 @@ "Type": "String", "DefaultValue": "", "Description": "Integer value representing the port that should be used when connecting to Linux servers over SSH. Overrides SSHPort [config.json](#post-installation) setting." + }, + { + "Name": "UseShellCommands", + "DisplayName": "Use Shell Commands", + "Required": false, + "DependsOn": "", + "Type": "Bool", + "DefaultValue": "True", + "Description": "Recommended to be set to the default value of 'Y'. For a detailed explanation of this setting, please refer to [Use Shell Commands Setting](#use-shell-commands-setting)" } ], "EntryParameters": [], @@ -4670,6 +4799,15 @@ "Type": "String", "DefaultValue": "", "Description": "Integer value representing the port that should be used when connecting to Linux servers over SSH. Overrides SSHPort [config.json](#post-installation) setting." + }, + { + "Name": "UseShellCommands", + "DisplayName": "Use Shell Commands", + "Required": false, + "DependsOn": "", + "Type": "Bool", + "DefaultValue": "True", + "Description": "Recommended to be set to the default value of 'Y'. For a detailed explanation of this setting, please refer to [Use Shell Commands Setting](#use-shell-commands-setting)" } ], "EntryParameters": [], 
@@ -5015,7 +5153,7 @@ "DependsOn": "", "DefaultValue": "", "Options": "", - "Description": "Name of the Windows cryptographic provider to use during reenrollment jobs when generating and storing the private keys. If not specified, defaults to 'Microsoft Strong Cryptographic Provider'. This value would typically be specified when leveraging a Hardware Security Module (HSM). The specified cryptographic provider must be available on the target server being managed. The list of installed cryptographic providers can be obtained by running 'certutil -csplist' on the target Server." + "Description": "Name of the Windows cryptographic service provider to use when generating and storing private keys. For more information, refer to the section 'Using Crypto Service Providers'" }, { "Name": "SAN", @@ -5150,7 +5288,7 @@ "DependsOn": "", "DefaultValue": "", "Options": "", - "Description": "Optional string value specifying the name of the Windows cryptographic provider to use during reenrollment jobs when generating and storing private keys. Example: 'Microsoft Strong Cryptographic Provider'." + "Description": "Name of the Windows cryptographic service provider to use when generating and storing private keys. For more information, refer to the section 'Using Crypto Service Providers'" }, { "Name": "SAN", diff --git a/store_types.json b/store_types.json index 6fac9af3..418e37d0 100644 --- a/store_types.json +++ b/store_types.json @@ -17,6 +17,19 @@ "OnRemove": false, "OnReenrollment": false } + }, + { + "Name": "PreserveExistingTags", + "DisplayName": "Preserve Existing Tags", + "Description": "If true, this will perform a union of any tags provided with enrollment with the tags on the existing cert with the same alias and apply the result to the new certificate.", + "Type": "Bool", + "DefaultValue": "False", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": false, + "OnRemove": false, + "OnReenrollment": false + } } ], "JobProperties": [], 
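Review bot: This second diff reproduces `cmd/store_types.json` byte for byte — both files move from blob `6fac9af3` to `418e37d0` in this patch, and the next patch's diffstat shows the same counts for both — so the repository keeps two identical, hand-edited copies of the store-type definitions. Every remark made on the `cmd/` copy applies here unchanged. If the duplicate is deliberate (for example because the `cmd/` copy is embedded in a binary), consider generating it from the root file at build time or adding a CI check that the two stay identical, so a fix applied to one cannot silently miss the other.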
@@ -957,7 +970,7 @@ "PowerShell": false, "BlueprintAllowed": false, "CustomAliasAllowed": "Forbidden", - "ClientMachineDescription": "The Client Machine field is the Akamai REST API URL. This should be equal to the the \"host\" value from the API credentials file.", + "ClientMachineDescription": "The Client Machine field is the Akamai REST API URL. This should be equal to the \"host\" value from the API credentials file.", "StorePathDescription": "The Akamai network the certificate will be managed from. Value can be either \"Production\" or \"Staging\"." }, { 
@@ -1064,6 +1077,77 @@ "BlueprintAllowed": false, "CustomAliasAllowed": "Required" }, + { + "Name": "Axis IP Camera", + "ShortName": "AxisIPCamera", + "Capability": "AxisIPCamera", + "ServerRequired": true, + "BlueprintAllowed": false, + "PowerShell": false, + "CustomAliasAllowed": "Required", + "PrivateKeyAllowed": "Forbidden", + "SupportedOperations": { + "Add": true, + "Create": false, + "Discovery": false, + "Enrollment": true, + "Remove": true + }, + "PasswordOptions": { + "EntrySupported": false, + "StoreRequired": false, + "Style": "Default" + }, + "Properties": [ + { + "Name": "ServerUsername", + "DisplayName": "Server Username", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": "", + "Required": true, + "Description": "Enter the username of the configured \"service\" user on the camera" + }, + { + "Name": "ServerPassword", + "DisplayName": "Server Password", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": "", + "Required": true, + "Description": "Enter the password of the configured \"service\" user on the camera" + }, + { + "Name": "ServerUseSsl", + "DisplayName": "Use SSL", + "Type": "Bool", + "DependsOn": "", + "DefaultValue": "true", + "Required": true, + "Description": "Select True or False depending on if SSL (HTTPS) should be used to communicate with the camera. This should always be \"True\"" + } + ], + "EntryParameters": [ + { + "Name": "CertUsage", + "DisplayName": "Certificate Usage", + "Type": "MultipleChoice", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": true, + "OnRemove": false, + "OnReenrollment": true + }, + "Options": "HTTPS,IEEE802.X,MQTT,Trust,Other", + "Description": "The Certificate Usage to assign to the cert after enrollment. Can be left 'Other' to be assigned later." + } + ], + "ClientMachineDescription": "The IP address of the Camera. Sample is \"192.167.231.174:44444\". Include the port if necessary.", + "StorePathDescription": "Enter the Serial Number of the camera e.g. 
`0b7c3d2f9e8a`", + "StorePathType": "", + "StorePathValue": "", + "JobProperties": [] + }, { "Name": "Azure App Registration (Application)", "ShortName": "AzureApp", @@ -2896,8 +2980,8 @@ "ShortName": "HPiLO", "Capability": "HPiLO", "LocalStore": false, - "StorePathDescription": "This should contain the path pointing to the HPiLO instance address, IP or domain name.", - "ClientMachineDescription": "Should contain a copy of the store path for compatibility reasons but is currently unused.", + "StorePathDescription": "This should contain the full URI pointing to the HPiLO instance, using IP (e.g. `https://10.1.1.1/`) or domain name (e.g. `https://hpilo.test.local/`). The orchestrator will connect to the iLO instance using the iLO API.", + "ClientMachineDescription": "Currently unused.", "SupportedOperations": { "Add": true, "Create": false, @@ -2955,11 +3039,11 @@ "StoreRequired": false, "Style": "Default" }, - "PrivateKeyAllowed": "Optional", + "PrivateKeyAllowed": "Required", "ServerRequired": true, "PowerShell": false, "BlueprintAllowed": false, - "CustomAliasAllowed": "Optional" + "CustomAliasAllowed": "Required" }, { "Name": "IIS Bound Certificate", @@ -3133,7 +3217,7 @@ "DependsOn": "", "DefaultValue": "", "Options": "", - "Description": "Name of the Windows cryptographic provider to use during reenrollment jobs when generating and storing the private keys. If not specified, defaults to 'Microsoft Strong Cryptographic Provider'. This value would typically be specified when leveraging a Hardware Security Module (HSM). The specified cryptographic provider must be available on the target server being managed. The list of installed cryptographic providers can be obtained by running 'certutil -csplist' on the target Server." + "Description": "Name of the Windows cryptographic service provider to use when generating and storing private keys. For more information, refer to the section 'Using Crypto Service Providers'" }, { "Name": "SAN", 
@@ -4055,6 +4139,15 @@ "Type": "String", "DefaultValue": "", "Description": "Integer value representing the port that should be used when connecting to Linux servers over SSH. Overrides SSHPort [config.json](#post-installation) setting." + }, + { + "Name": "UseShellCommands", + "DisplayName": "Use Shell Commands", + "Required": false, + "DependsOn": "", + "Type": "Bool", + "DefaultValue": "True", + "Description": "Recommended to be set to the default value of 'Y'. For a detailed explanation of this setting, please refer to [Use Shell Commands Setting](#use-shell-commands-setting)" } ], "EntryParameters": [], @@ -4169,6 +4262,15 @@ "Type": "String", "DefaultValue": "", "Description": "Integer value representing the port that should be used when connecting to Linux servers over SSH. Overrides SSHPort [config.json](#post-installation) setting." + }, + { + "Name": "UseShellCommands", + "DisplayName": "Use Shell Commands", + "Required": false, + "DependsOn": "", + "Type": "Bool", + "DefaultValue": "True", + "Description": "Recommended to be set to the default value of 'Y'. For a detailed explanation of this setting, please refer to [Use Shell Commands Setting](#use-shell-commands-setting)" } ], "EntryParameters": [], @@ -4283,6 +4385,15 @@ "Type": "String", "DefaultValue": "", "Description": "Integer value representing the port that should be used when connecting to Linux servers over SSH. Overrides SSHPort [config.json](#post-installation) setting." + }, + { + "Name": "UseShellCommands", + "DisplayName": "Use Shell Commands", + "Required": false, + "DependsOn": "", + "Type": "Bool", + "DefaultValue": "True", + "Description": "Recommended to be set to the default value of 'Y'. For a detailed explanation of this setting, please refer to [Use Shell Commands Setting](#use-shell-commands-setting)" } ], "EntryParameters": [], 
@@ -4406,6 +4517,15 @@ "Type": "String", "DefaultValue": "", "Description": "Integer value representing the port that should be used when connecting to Linux servers over SSH. Overrides SSHPort [config.json](#post-installation) setting." + }, + { + "Name": "UseShellCommands", + "DisplayName": "Use Shell Commands", + "Required": false, + "DependsOn": "", + "Type": "Bool", + "DefaultValue": "True", + "Description": "Recommended to be set to the default value of 'Y'. For a detailed explanation of this setting, please refer to [Use Shell Commands Setting](#use-shell-commands-setting)" } ], "EntryParameters": [], @@ -4556,6 +4676,15 @@ "Type": "String", "DefaultValue": "", "Description": "Integer value representing the port that should be used when connecting to Linux servers over SSH. Overrides SSHPort [config.json](#post-installation) setting." + }, + { + "Name": "UseShellCommands", + "DisplayName": "Use Shell Commands", + "Required": false, + "DependsOn": "", + "Type": "Bool", + "DefaultValue": "True", + "Description": "Recommended to be set to the default value of 'Y'. For a detailed explanation of this setting, please refer to [Use Shell Commands Setting](#use-shell-commands-setting)" } ], "EntryParameters": [], @@ -4670,6 +4799,15 @@ "Type": "String", "DefaultValue": "", "Description": "Integer value representing the port that should be used when connecting to Linux servers over SSH. Overrides SSHPort [config.json](#post-installation) setting." + }, + { + "Name": "UseShellCommands", + "DisplayName": "Use Shell Commands", + "Required": false, + "DependsOn": "", + "Type": "Bool", + "DefaultValue": "True", + "Description": "Recommended to be set to the default value of 'Y'. For a detailed explanation of this setting, please refer to [Use Shell Commands Setting](#use-shell-commands-setting)" } ], "EntryParameters": [], 
@@ -5015,7 +5153,7 @@ "DependsOn": "", "DefaultValue": "", "Options": "", - "Description": "Name of the Windows cryptographic provider to use during reenrollment jobs when generating and storing the private keys. If not specified, defaults to 'Microsoft Strong Cryptographic Provider'. This value would typically be specified when leveraging a Hardware Security Module (HSM). The specified cryptographic provider must be available on the target server being managed. The list of installed cryptographic providers can be obtained by running 'certutil -csplist' on the target Server." + "Description": "Name of the Windows cryptographic service provider to use when generating and storing private keys. For more information, refer to the section 'Using Crypto Service Providers'" }, { "Name": "SAN", @@ -5150,7 +5288,7 @@ "DependsOn": "", "DefaultValue": "", "Options": "", - "Description": "Optional string value specifying the name of the Windows cryptographic provider to use during reenrollment jobs when generating and storing private keys. Example: 'Microsoft Strong Cryptographic Provider'." + "Description": "Name of the Windows cryptographic service provider to use when generating and storing private keys. For more information, refer to the section 'Using Crypto Service Providers'" }, { "Name": "SAN", From 21aa6151c9fb1f0c1725ac59e332e24b0aa12fd7 Mon Sep 17 00:00:00 2001 From: Keyfactor Date: Thu, 30 Apr 2026 16:21:25 +0000 Subject: [PATCH 02/17] Update store_types.json for all:latest --- cmd/store_types.json | 1379 ++++++++++++++++++++++++++++++++---------- store_types.json | 1379 ++++++++++++++++++++++++++++++++---------- 2 files changed, 2150 insertions(+), 608 deletions(-) diff --git a/cmd/store_types.json b/cmd/store_types.json index 418e37d0..96550457 100644 --- a/cmd/store_types.json +++ b/cmd/store_types.json 
@@ -30,6 +30,19 @@ "OnRemove": false, "OnReenrollment": false } + }, + { + "Name": "NonExportable", + "DisplayName": "Non Exportable Private Key", + "Description": "If true, this will mark the certificate as having a non-exportable private key when importing into Azure KeyVault", + "Type": "Bool", + "DefaultValue": "False", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": false, + "OnRemove": false, + "OnReenrollment": false + } } ], "JobProperties": [], @@ -956,6 +969,20 @@ }, "DefaultValue": "SET-DEFAULT", "Description": "Required field for Akamai Tech contact." + }, + { + "Name": "deployment-network", + "DisplayName": "Deployment Network", + "Type": "MultipleChoice", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": false, + "OnRemove": false, + "OnReenrollment": true + }, + "Options": "Standard TLS,Enhanced TLS", + "DefaultValue": "Standard TLS", + "Description": "Required field for Deployment Network." } ], "PasswordOptions": { 
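Review bot: `NonExportable` defaults to `"False"`, so every certificate imported into Azure Key Vault through this store type keeps an exportable private key unless an operator opts in per job; for a vault holding server keys the secure default is usually the other way round. As far as I know the exportable attribute is fixed when the Key Vault key is created and cannot be revoked afterwards, so the description should warn that the choice is one-way, e.g. `"Description": "If true, the private key is imported into Azure Key Vault as non-exportable. This cannot be changed after import; leave false only if the key must later be retrieved from the vault."`. Whether the default should flip to True is a product decision, but it deserves a deliberate one. The enclosing store-type object starts outside this hunk.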
@@ -976,42 +1003,31 @@ { "Name": "Alteon Load Balancer", "ShortName": "AlteonLB", - "Capability": "AlteonLB", - "ClientMachineDescription": "The Alteon Load Balancer Server and port", - "StorePathDescription": "This value isn't used for this integration (other than to uniquely identify the cert store in certificate searches).", + "LocalStore": false, + "BlueprintAllowed": false, + "PowerShell": false, + "ServerRequired": true, + "ClientMachineDescription": "The hostname or IP address of the Alteon Load Balancer device (example: https://alteonlb.test.com).", + "StorePathType": "", + "StorePathValue": "", + "StorePathDescription": "", "SupportedOperations": { "Add": true, "Remove": true, "Enrollment": false, "Discovery": false, - "Inventory": true + "Create": false }, - "Properties": [ - { - "Name": "ServerUsername", - "DisplayName": "Server Username", - "Type": "Secret", - "Description": "Alteon user ID with sufficient permissions to manage certs in the Alteon Load Balancer.", - "Required": true - }, - { - "Name": "ServerPassword", - "DisplayName": "Server Password", - "Type": "Secret", - "Description": "Password associated with Alteon user ID entered above.", - "Required": true - } - ], "PasswordOptions": { "EntrySupported": false, "StoreRequired": false, "Style": "Default" }, + "CustomAliasAllowed": "Optional", "PrivateKeyAllowed": "Optional", - "ServerRequired": true, - "PowerShell": false, - "BlueprintAllowed": false, - "CustomAliasAllowed": "Optional" + "JobProperties": [], + "Properties": [], + "EntryParameters": [] }, { "Name": "Azure Application Gateway Certificate Binding", 
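Review bot: The rewritten Alteon Load Balancer entry deletes the `"Capability": "AlteonLB"` line and never re-adds it, although every other store type in this file pairs `Capability` with `ShortName` (`"Capability": "AxisIPCamera"`, `"Capability": "Aruba"`, `"Capability": "BMC"`); unless the capability is now derived from `ShortName`, orchestrators will not be matched to this store type, so `"Capability": "AlteonLB",` should return after `ShortName`. The `ServerUsername`/`ServerPassword` Secret properties are also removed while `ServerRequired` stays true; if those fields are what carries the device credentials (and their PAM eligibility), they need to come back, otherwise the entry should say how credentials are supplied now. Separately, `ClientMachineDescription` asks for "the hostname or IP address" but its example is the URL `https://alteonlb.test.com` — pick one form — and `"Inventory": true` was replaced by `"Create": false`, which is probably just normalisation (no other entry here lists Inventory) but should be confirmed.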
@@ -1077,6 +1093,98 @@ "BlueprintAllowed": false, "CustomAliasAllowed": "Required" }, + { + "Name": "Aruba", + "ShortName": "Aruba", + "Capability": "Aruba", + "LocalStore": false, + "SupportedOperations": { + "Add": false, + "Create": false, + "Discovery": false, + "Enrollment": true, + "Remove": false + }, + "EntryParameters": [ + { + "Name": "SAN", + "DisplayName": "SAN", + "Type": "String", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": false, + "OnRemove": false, + "OnReenrollment": true + }, + "DependsOn": "", + "DefaultValue": "", + "Options": "", + "Description": "String value specifying the Subject Alternative Name (SAN) to be used when performing reenrollment jobs. Format as a list of : entries separated by comma; Example: 'DNS:www.example.com,DNS:www.example2.com' for multiple SANs. Can be made optional if RFC 2818 is disabled on the CA. Allowed SAN types are email, URI, DNS, RID or IP." + } + ], + "PasswordOptions": { + "EntrySupported": false, + "StoreRequired": false, + "Style": "Default" + }, + "StorePathType": "", + "StorePathValue": "", + "PrivateKeyAllowed": "Forbidden", + "ClientMachineDescription": "The base URL / IP address of the Aruba instance without the scheme. (i.e. my-server-name.com if the Aruba URL is https://my-server-name.com)", + "StorePathDescription": "A semicolon-delimited string that in the format `;` (i.e. clearpass.localhost;HTTP(RSA)). Please see orchestrator documentation for more information.", + "JobProperties": [], + "ServerRequired": true, + "PowerShell": false, + "BlueprintAllowed": false, + "CustomAliasAllowed": "Forbidden", + "Properties": [ + { + "Name": "FileServerType", + "DisplayName": "File Server Type", + "Type": "MultipleChoice", + "DependsOn": "", + "DefaultValue": "Amazon S3", + "Required": true, + "Description": "The type of file server that the certificate will be uploaded to. The file server must be able to serve the file via HTTPS." 
+ }, + { + "Name": "FileServerHost", + "DisplayName": "File Server Host", + "Type": "String", + "DependsOn": "", + "DefaultValue": "", + "Required": true, + "Description": "Required. The base URL for the file server host without the scheme. (i.e. my-server-name.com if the file server URL is https://my-server-name.com). See File Server Configuration section in the orchestrator documentation for more details." + }, + { + "Name": "FileServerUsername", + "DisplayName": "File Server Username", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": "", + "Required": false, + "Description": "Optional. The username used to access the file server. See File Server Configuration section in the orchestrator documentation for more details." + }, + { + "Name": "FileServerPassword", + "DisplayName": "File Server Password", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": "", + "Required": false, + "Description": "Optional. The password used to access the file server. See File Server Configuration section in the orchestrator documentation for more details." + }, + { + "Name": "DigestAlgorithm", + "DisplayName": "Digest Algorithm", + "Type": "MultipleChoice", + "DependsOn": "", + "DefaultValue": "SHA-256,SHA-1,SHA-224,SHA-384,SHA-512", + "Required": true, + "Description": "The hash digest algorithm used for the certificate signing request (CSR)." + } + ] + }, { "Name": "Axis IP Camera", "ShortName": "AxisIPCamera", 
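Review bot: Two Aruba descriptions have lost their placeholders — the SAN parameter reads "Format as a list of : entries" and `StorePathDescription` reads "in the format `;`", which looks like `<type>:<value>` and `<hostname>;<service>` were stripped as HTML; spell them out without angle brackets, e.g. `"A semicolon-delimited string in the format 'hostname;service' (i.e. clearpass.localhost;HTTP(RSA)). Please see orchestrator documentation for more information."`. The `DigestAlgorithm` choice list `SHA-256,SHA-1,SHA-224,SHA-384,SHA-512` offers SHA-1 for signing the CSR; SHA-1 signatures are refused by most public and many private CAs today, so `"DefaultValue": "SHA-256,SHA-384,SHA-512"` is the safer list if the Aruba API accepts only those. Note the choices live in `DefaultValue` rather than in `Options` as the entry-parameter `CertUsage` does; if that is the convention for store-level MultipleChoice properties (first entry being the default) it is fine, but it should be confirmed, since `FileServerType` then has exactly one choice. Because `FileServerHost` requires the certificate to be served over HTTPS for the Aruba device to fetch, it is also worth stating whether that server's certificate is validated.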
@@ -1473,102 +1581,169 @@ "CustomAliasAllowed": "Required" }, { - "Name": "Bosch IP Camera", - "ShortName": "BIPCamera", - "Capability": "BIPCamera", - "PrivateKeyAllowed": "Optional", - "ServerRequired": true, - "PowerShell": false, - "BlueprintAllowed": true, - "CustomAliasAllowed": "Required", + "Name": "BMC Orchestrator Solution", + "ShortName": "BMC", + "Capability": "BMC", + "LocalStore": false, + "StorePathDescription": "Path points to a BMC Keyring.", + "ClientMachineDescription": "Runs on a Windows or Linux based machine.", "SupportedOperations": { - "Add": false, - "Create": false, - "Discovery": false, + "Add": true, + "Create": true, + "Discovery": true, "Enrollment": true, - "Remove": false - }, - "PasswordOptions": { - "EntrySupported": false, - "StoreRequired": false, - "Style": "Default" + "Remove": true }, "Properties": [ { "Name": "ServerUsername", "DisplayName": "Server Username", "Type": "Secret", - "DependsOn": "", - "DefaultValue": "", - "Required": false, - "Description": "Enter the username of the configured \"service\" user on the camera" + "DependsOn": null, + "DefaultValue": null, + "Required": false }, { "Name": "ServerPassword", "DisplayName": "Server Password", "Type": "Secret", - "DependsOn": "", - "DefaultValue": "", - "Required": false, - "Description": "Enter the password of the configured \"service\" user on the camera" + "DependsOn": null, + "DefaultValue": null, + "Required": false }, { "Name": "ServerUseSsl", "DisplayName": "Use SSL", "Type": "Bool", - "DependsOn": "", + "DependsOn": null, "DefaultValue": "true", - "Required": true, - "Description": "Select True or False depending on if SSL (HTTPS) should be used to communicate with the camera." 
+ "Required": true } ], "EntryParameters": [ { - "Name": "CertificateUsage", - "DisplayName": "Certificate Usage", - "Type": "MultipleChoice", + "Name": "CertLabel", + "DisplayName": "CertLabel", + "Type": "String", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": true, + "OnRemove": true, + "OnReenrollment": true + }, + "DependsOn": "", + "DefaultValue": "", + "Options": "", + "Description": "Cert label as it appears in the BMC API (without the suffix)." + }, + { + "Name": "CertOwner", + "DisplayName": "CertOwner", + "Type": "String", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": true, + "OnRemove": true, + "OnReenrollment": true + }, + "DependsOn": "", + "DefaultValue": "", + "Options": "", + "Description": "Cert owner as it appears in the BMC API." + }, + { + "Name": "CertUse", + "DisplayName": "CertUse", + "Type": "String", "RequiredWhen": { "HasPrivateKey": false, "OnAdd": false, "OnRemove": false, "OnReenrollment": false }, - "Options": ",HTTPS,EAP-TLS-client,TLS-DATE-client", - "Description": "The Certificate Usage to assign to the cert after upload. Can be left blank to be assigned later." + "DependsOn": "", + "DefaultValue": "", + "Options": "", + "Description": "Cert use as returned by the BMC API." }, { - "Name": "Name", - "DisplayName": "Name (Alias)", - "Type": "String", + "Name": "ImplementCert", + "DisplayName": "ImplementCert", + "Type": "Bool", "RequiredWhen": { "HasPrivateKey": false, - "OnAdd": false, + "OnAdd": true, "OnRemove": false, "OnReenrollment": true }, - "Description": "The certificate Alias, entered again." + "DependsOn": "", + "DefaultValue": "", + "Options": "", + "Description": "Is used to pass an implement cert command to BMC." 
}, { - "Name": "Overwrite", - "DisplayName": "Overwrite", + "Name": "IsCertDefault", + "DisplayName": "IsCertDefault", + "Type": "Bool", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": true, + "OnRemove": false, + "OnReenrollment": true + }, + "DependsOn": "", + "DefaultValue": "", + "Options": "", + "Description": "Indicates whether a given cert is set as default in a keyring." + }, + { + "StoreTypeId": 104, + "Name": "RemoveFromAllKeyrings", + "DisplayName": "RemoveFromAllKeyrings", "Type": "Bool", "RequiredWhen": { "HasPrivateKey": false, "OnAdd": false, + "OnRemove": true, + "OnReenrollment": false + }, + "DependsOn": "", + "DefaultValue": "false", + "Options": "", + "Description": "A bool to indicate whether a given cert is to be removed from all keyrings." + }, + { + "StoreTypeId": 104, + "Name": "RollbackCert", + "DisplayName": "RollbackCert", + "Type": "Bool", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": true, "OnRemove": false, "OnReenrollment": false }, + "DependsOn": "", "DefaultValue": "false", - "Description": "Select `True` if using an existing Alias name to remove and replace an existing certificate." + "Options": "", + "Description": "A bool to indicate whether a given cert is to be rolled back." } ], - "ClientMachineDescription": "The IP address of the Camera. Sample is \"192.167.231.174:44444\". Include the port if necessary.", - "StorePathDescription": "Enter the Serial Number of the camera e.g. `068745431065110085`" + "PasswordOptions": { + "EntrySupported": false, + "StoreRequired": true, + "Style": "Default" + }, + "PrivateKeyAllowed": "Optional", + "ServerRequired": true, + "PowerShell": false, + "BlueprintAllowed": true, + "CustomAliasAllowed": "Forbidden" }, { - "Name": "CiscoAsa", - "ShortName": "CiscoAsa", - "Capability": "CiscoAsa", + "Name": "Barracuda WAF", + "ShortName": "BarracudaWaf", + "Capability": "BarracudaWaf", "LocalStore": false, "SupportedOperations": { "Add": true, 
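Review bot: Two of the new BMC entry parameters (`RemoveFromAllKeyrings`, `RollbackCert`) carry `"StoreTypeId": 104`, a per-installation identifier that no other parameter in this file has; it looks like it leaked from an export of one Command instance and should be removed, since a store type imported elsewhere will not have id 104. The BMC `ServerUsername`/`ServerPassword`/`ServerUseSsl` properties use `null` for `DependsOn`/`DefaultValue` where every other entry uses `""`, and carry no `Description`; use `"DependsOn": "", "DefaultValue": ""` and add the usual credential descriptions so the two Secret fields are self-explanatory. This hunk also deletes the Bosch IP Camera definition (`BIPCamera`), which the following hunk re-adds as `BoschIPCamera`; that renames both `ShortName` and `Capability`, so stores and orchestrators registered under the old capability will presumably no longer match — worth a migration note if the rename is intentional.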
@@ -1579,19 +1754,178 @@ }, "Properties": [ { - "Name": "CommitToDisk", - "DisplayName": "Commit To Disk", + "Name": "ServerUseSsl", + "DisplayName": "Use SSL", "Type": "Bool", "DependsOn": "", - "DefaultValue": "false", - "Required": true, - "IsPAMEligible": false, - "Description": "This controls if you will write to the disk or memory on the device when adding or removing certificates." + "DefaultValue": "true", + "Required": false, + "Description": "Determines whether to connect to the Barracuda WAF management interface over HTTPS (port 8443) or HTTP (port 8000). Default is true (HTTPS)." }, { - "Name": "ServerUsername", - "DisplayName": "Server Username", - "Type": "Secret", + "Name": "ApiVersion", + "DisplayName": "API Version", + "Type": "String", + "DependsOn": "", + "DefaultValue": "v3.2", + "Required": false, + "Description": "The Barracuda WAF REST API version to use for all requests. Defaults to 'v3.2'. Only change this if your WAF firmware requires a different API version." + }, + { + "Name": "InventorySelfSignedCerts", + "DisplayName": "Inventory Self-Signed Certificates", + "Type": "Bool", + "DependsOn": "", + "DefaultValue": "true", + "Required": false, + "Description": "When enabled, the inventory job will include self-signed certificates from the WAF in addition to signed certificates. Default is true." + }, + { + "Name": "InventoryTrustedCerts", + "DisplayName": "Inventory Trusted Certificates", + "Type": "Bool", + "DependsOn": "", + "DefaultValue": "false", + "Required": false, + "Description": "When enabled, the inventory job will include trusted CA certificates and trusted server certificates from the WAF. Default is false." 
+ } + ], + "EntryParameters": [], + "PasswordOptions": { + "EntrySupported": false, + "StoreRequired": false, + "Style": "Default" + }, + "StorePathType": "", + "StorePathValue": "/", + "PrivateKeyAllowed": "Optional", + "ServerRequired": true, + "PowerShell": false, + "BlueprintAllowed": false, + "CustomAliasAllowed": "Required", + "ClientMachineDescription": "The hostname or IP address of the Barracuda WAF appliance. This is used to connect to the REST API on port 8443 (HTTPS) or 8000 (HTTP).", + "StorePathDescription": "Not used for this integration. Set to '/' or leave at the default value." + }, + { + "Name": "Bosch IP Camera", + "ShortName": "BoschIPCamera", + "Capability": "BoschIPCamera", + "PrivateKeyAllowed": "Optional", + "ServerRequired": true, + "PowerShell": false, + "BlueprintAllowed": true, + "CustomAliasAllowed": "Required", + "SupportedOperations": { + "Add": false, + "Create": false, + "Discovery": false, + "Enrollment": true, + "Remove": false + }, + "PasswordOptions": { + "EntrySupported": false, + "StoreRequired": false, + "Style": "Default" + }, + "Properties": [ + { + "Name": "ServerUsername", + "DisplayName": "Server Username", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": "", + "Required": false, + "Description": "Enter the username of the configured \"service\" user on the camera" + }, + { + "Name": "ServerPassword", + "DisplayName": "Server Password", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": "", + "Required": false, + "Description": "Enter the password of the configured \"service\" user on the camera" + }, + { + "Name": "ServerUseSsl", + "DisplayName": "Use SSL", + "Type": "Bool", + "DependsOn": "", + "DefaultValue": "true", + "Required": true, + "Description": "Select True or False depending on if SSL (HTTPS) should be used to communicate with the camera." 
+ } + ], + "EntryParameters": [ + { + "Name": "CertificateUsage", + "DisplayName": "Certificate Usage", + "Type": "MultipleChoice", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": false, + "OnRemove": false, + "OnReenrollment": false + }, + "Options": ",HTTPS,EAP-TLS-client,TLS-DATE-client", + "Description": "The Certificate Usage to assign to the cert after upload. Can be left blank to be assigned later." + }, + { + "Name": "Name", + "DisplayName": "Name (Alias)", + "Type": "String", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": false, + "OnRemove": false, + "OnReenrollment": true + }, + "Description": "The certificate Alias, entered again." + }, + { + "Name": "Overwrite", + "DisplayName": "Overwrite", + "Type": "Bool", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": false, + "OnRemove": false, + "OnReenrollment": false + }, + "DefaultValue": "false", + "Description": "Select `True` if using an existing Alias name to remove and replace an existing certificate." + } + ], + "ClientMachineDescription": "The IP address of the Camera. Sample is \"192.167.231.174:44444\". Include the port if necessary.", + "StorePathDescription": "Enter the Serial Number of the camera e.g. `068745431065110085`" + }, + { + "Name": "CiscoAsa", + "ShortName": "CiscoAsa", + "Capability": "CiscoAsa", + "LocalStore": false, + "SupportedOperations": { + "Add": true, + "Create": false, + "Discovery": false, + "Enrollment": false, + "Remove": true + }, + "Properties": [ + { + "Name": "CommitToDisk", + "DisplayName": "Commit To Disk", + "Type": "Bool", + "DependsOn": "", + "DefaultValue": "false", + "Required": true, + "IsPAMEligible": false, + "Description": "This controls if you will write to the disk or memory on the device when adding or removing certificates." + }, + { + "Name": "ServerUsername", + "DisplayName": "Server Username", + "Type": "Secret", "DependsOn": "", "DefaultValue": "", "Required": false, 
@@ -1663,9 +1997,13 @@ "Remove": true }, "PasswordOptions": { + "Style": "Default", "EntrySupported": false, - "StoreRequired": false, - "Style": "Default" + "StoreRequired": true, + "StorePassword": { + "Description": "Enter a password that matches your Citrix validation rules to encrypt private keys when adding/replacing certificates. Select 'No Value' if you desire an unencrypted private key to be uploaded.", + "IsPAMEligible": true + } }, "Properties": [ { @@ -1696,6 +2034,15 @@ "DefaultValue": "false", "Required": false, "Description": "Determines whether an attempt will be made to link the added certificate (via a Management-Add job) to its issuing CA certificate." + }, + { + "Name": "timeout", + "DisplayName": "Login Timeout in seconds", + "Type": "String", + "DependsOn": "", + "DefaultValue": "3600", + "Required": false, + "Description": "Determines timeout in seconds for all Citrix ADC API calls." } ], "EntryParameters": [ 
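Review bot: The new Citrix ADC `timeout` property is typed `String` with `DefaultValue` `"3600"` although it holds a number of seconds, and its `Name` is the only lower-case one among the PascalCase property names in this file (`CommitToDisk`, `ServerUseSsl`); if the orchestrator already reads the literal key `timeout` the name must stay, but the description should then carry the unit and the accepted form, e.g. `"Description": "Timeout in seconds applied to every Citrix ADC API call; must be a positive integer (default 3600)."`. In the first hunk the `StorePassword` description invites selecting 'No Value' to upload an unencrypted private key; one sentence noting that the key is then protected only by the ADC's own access controls would help operators make that choice deliberately.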
@@ -1904,53 +2251,7 @@ "Description": "Login password for the F5 Big IQ device." } ], - "EntryParameters": [ - { - "Name": "Alias", - "DisplayName": "Alias (Reenrollment only)", - "Type": "String", - "RequiredWhen": { - "HasPrivateKey": false, - "OnAdd": false, - "OnRemove": false, - "OnReenrollment": true - }, - "DependsOn": "", - "DefaultValue": "", - "Options": "", - "Description": "The name F5 Big IQ uses to identify the certificate" - }, - { - "Name": "Overwrite", - "DisplayName": "Overwrite (Reenrollment only)", - "Type": "Bool", - "RequiredWhen": { - "HasPrivateKey": false, - "OnAdd": false, - "OnRemove": false, - "OnReenrollment": true - }, - "DependsOn": "", - "DefaultValue": "False", - "Options": "", - "Description": "Allow overwriting an existing certificate when reenrolling?" - }, - { - "Name": "SANs", - "DisplayName": "SANs (Reenrollment only)", - "Type": "String", - "RequiredWhen": { - "HasPrivateKey": false, - "OnAdd": false, - "OnRemove": false, - "OnReenrollment": false - }, - "DependsOn": "", - "DefaultValue": "", - "Options": "", - "Description": "External SANs for the requested certificate. Each SAN must be prefixed with the type (DNS: or IP:) and multiple SANs must be delimitted by an ampersand (&). Example: DNS:server.domain.com&IP:127.0.0.1&DNS:server2.domain.com. This is an optional field." - } - ] + "EntryParameters": [] }, { "Name": "F5 CA Profiles REST", @@ -2408,7 +2709,7 @@ } }, "ClientMachineDescription": "The IP address or DNS of the Fortigate server", - "StorePathDescription": "This is not used in this integration, but is a required field in the UI. Just enter any value here" + "StorePathDescription": "Value must contain the VDOM this certificate store will be managing. `root` must be entered to manage the default 'root' VDOM." }, { "Name": "GCP Load Balancer", 
@@ -2447,6 +2748,70 @@ "StorePathDescription": "Your Google Cloud Project ID only if you choose to use global resources. Append a forward slash '/' and valid GCP region to process against a specific [GCP region](https://gist.github.com/rpkim/084046e02fd8c452ba6ddef3a61d5d59).", "EntryParameters": [] }, + { + "Name": "GCPScrtMgr", + "ShortName": "GCPScrtMgr", + "Capability": "GCPScrtMgr", + "ServerRequired": false, + "BlueprintAllowed": true, + "CustomAliasAllowed": "Required", + "PowerShell": false, + "PrivateKeyAllowed": "Optional", + "SupportedOperations": { + "Add": true, + "Create": false, + "Discovery": false, + "Enrollment": false, + "Remove": true + }, + "PasswordOptions": { + "EntrySupported": false, + "StoreRequired": true, + "Style": "Default", + "StorePassword": { + "Description": "Password used to encrypt the private key of ALL certificate secrets. Please see [Certificate Encryption Details](#certificate-encryption-details) for more information", + "IsPAMEligible": true + } + }, + "Properties": [ + { + "Name": "PasswordSecretSuffix", + "DisplayName": "Password Secret Location Suffix", + "Type": "String", + "DependsOn": "", + "DefaultValue": "", + "Required": false, + "IsPAMEligible": false, + "Description": "If storing a certificate with an encrypted private key, this is the suffix to add to the certificate (secret) alias name where the encrypted private key password will be stored. Please see [Certificate Encryption Details](#certificate-encryption-details) for more information" + }, + { + "Name": "IncludeChain", + "DisplayName": "Include Chain", + "Type": "Bool", + "DependsOn": "", + "DefaultValue": "True", + "Required": false, + "IsPAMEligible": false, + "Description": "Determines whether to include the certificate chain when adding a certificate as a secret." 
+ } + ], + "EntryParameters": [ + { + "Name": "tags", + "DisplayName": "Tags", + "Type": "String", + "Description": "One-to-many Organization level tag Key:Value combinations, comma delimited - i.e. tagKey1:tagVal1,tagKey2:tagVal2,...tagKeyN:tagValN", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": false, + "OnRemove": false, + "OnReenrollment": false + } + } + ], + "ClientMachineDescription": "Not used", + "StorePathDescription": "The Project ID of the Google Secret Manager being managed." + }, { "Name": "Google Cloud Provider Apigee", "ShortName": "GcpApigee", @@ -2620,7 +2985,7 @@ "StorePathDescription": "This is the path to the secret containing the store.", "LocalStore": false, "StorePathType": "", - "StorePathValue": "", + "StorePathValue": "example: '/mycerts/certstore.jks?b64cert'", "PrivateKeyAllowed": "Optional", "JobProperties": [], "ServerRequired": true, @@ -2672,9 +3037,18 @@ "DependsOn": "", "DefaultValue": "", "Required": false - } - ], - "EntryParameters": [], + }, + { + "Name": "PassphrasePath", + "DisplayName": "Passphrase Path", + "Type": "String", + "DependsOn": "", + "DefaultValue": "", + "Required": false, + "Description": "This is the path to the secret that contains the passphrase to the cert store file. If empty or omitted, assume the secret is named 'passphrase' on the same level as the certificate store secret." + } + ], + "EntryParameters": [], "PasswordOptions": { "EntrySupported": false, "StoreRequired": false, @@ -2693,7 +3067,7 @@ "StorePathDescription": "This is the path to the secret containing the store.", "LocalStore": false, "StorePathType": "", - "StorePathValue": "", + "StorePathValue": "example: '/mycerts/certstore.p12?b64cert'", "PrivateKeyAllowed": "Optional", "JobProperties": [], "ServerRequired": true, 
@@ -2745,6 +3119,15 @@ "DependsOn": "", "DefaultValue": "", "Required": false + }, + { + "Name": "PassphrasePath", + "DisplayName": "Passphrase Path", + "Type": "String", + "DependsOn": "", + "DefaultValue": "", + "Required": false, + "Description": "This is the path to the secret that contains the passphrase to the cert store file. If empty or omitted, assume the secret is named 'passphrase' on the same level as the certificate store secret." } ], "EntryParameters": [], @@ -2846,7 +3229,7 @@ "StorePathDescription": "This is the path to the secret containing the store.", "LocalStore": false, "StorePathType": "", - "StorePathValue": "", + "StorePathValue": "example: '/mycerts/certstore.pfx?b64cert'", "PrivateKeyAllowed": "Optional", "JobProperties": [], "ServerRequired": true, @@ -2898,6 +3281,15 @@ "DependsOn": "", "DefaultValue": "", "Required": false + }, + { + "Name": "PassphrasePath", + "DisplayName": "Passphrase Path", + "Type": "String", + "DependsOn": "", + "DefaultValue": "", + "Required": false, + "Description": "This is the path to the secret that contains the passphrase to the cert store file. If empty or omitted, assume the secret is named 'passphrase' on the same level as the certificate store secret." } ], "EntryParameters": [], @@ -2962,6 +3354,15 @@ "DependsOn": "", "DefaultValue": "", "Required": true + }, + { + "Name": "PassphrasePath", + "DisplayName": "Passphrase Path", + "Type": "String", + "DependsOn": "", + "DefaultValue": "", + "Required": false, + "Description": "This is the path to the secret that contains the passphrase to the cert store file. If empty or omitted, assume the secret is named 'passphrase' on the same level as the certificate store secret." } ], "EntryParameters": [], 
@@ -3092,7 +3493,7 @@ "DependsOn": "", "DefaultValue": "", "Required": false, - "Description": "Username used to log into the target server for establishing the WinRM session. Example: 'administrator' or 'domain\\username'." + "Description": "Username used to log into the target server for establishing the WinRM session. Example: 'administrator' or 'domain\\username'. (This field is automatically created)" }, { "Name": "ServerPassword", @@ -3101,7 +3502,7 @@ "DependsOn": "", "DefaultValue": "", "Required": false, - "Description": "Password corresponding to the Server Username used to log into the target server. When establishing a SSH session from a Linux environment, the password must include the full SSH Private key." + "Description": "Password corresponding to the Server Username used to log into the target server. When establishing a SSH session from a Linux environment, the password must include the full SSH Private key. (This field is automatically created)" }, { "Name": "ServerUseSsl", @@ -3218,21 +3619,6 @@ "DefaultValue": "", "Options": "", "Description": "Name of the Windows cryptographic service provider to use when generating and storing private keys. For more information, refer to the section 'Using Crypto Service Providers'" - }, - { - "Name": "SAN", - "DisplayName": "SAN", - "Type": "String", - "RequiredWhen": { - "HasPrivateKey": false, - "OnAdd": false, - "OnRemove": false, - "OnReenrollment": true - }, - "DependsOn": "", - "DefaultValue": "", - "Options": "", - "Description": "String value specifying the Subject Alternative Name (SAN) to be used when performing reenrollment jobs. Format as a list of = entries separated by ampersands; Example: 'dns=www.example.com&dns=www.example2.com' for multiple SANs. Can be made optional if RFC 2818 is disabled on the CA." } ], "PasswordOptions": { 
@@ -3283,6 +3669,7 @@ "Name": "K8SCert", "ShortName": "K8SCert", "Capability": "K8SCert", + "ClientMachineDescription": "The Kubernetes cluster name or identifier.", "LocalStore": false, "SupportedOperations": { "Add": false, @@ -3293,31 +3680,34 @@ }, "Properties": [ { - "Name": "KubeNamespace", - "DisplayName": "KubeNamespace", - "Type": "String", + "Name": "ServerUsername", + "DisplayName": "Server Username", + "Description": "This should be no value or `kubeconfig`", + "Type": "Secret", "DependsOn": "", - "DefaultValue": "default", + "DefaultValue": null, "Required": false }, { - "Name": "KubeSecretName", - "DisplayName": "KubeSecretName", - "Type": "String", + "Name": "ServerPassword", + "DisplayName": "Server Password", + "Description": "The credentials to use to connect to the K8S cluster API. This needs to be in `kubeconfig` format. Example: https://github.com/Keyfactor/k8s-orchestrator/tree/main/scripts/kubernetes#example-service-account-json", + "Type": "Secret", "DependsOn": "", "DefaultValue": null, - "Required": false + "Required": true }, { - "Name": "KubeSecretType", - "DisplayName": "KubeSecretType", + "Name": "KubeSecretName", + "DisplayName": "KubeSecretName", + "Description": "The name of a specific CSR to inventory. Leave empty or set to '*' to inventory ALL issued CSRs in the cluster.", "Type": "String", "DependsOn": "", - "DefaultValue": "cert", - "Required": true + "DefaultValue": "", + "Required": false } ], - "EntryParameters": null, + "EntryParameters": [], "PasswordOptions": { "EntrySupported": false, "StoreRequired": false, @@ -3336,6 +3726,7 @@ "Name": "K8SCluster", "ShortName": "K8SCluster", "Capability": "K8SCluster", + "ClientMachineDescription": "This can be anything useful, recommend using the k8s cluster name or identifier.", "LocalStore": false, "SupportedOperations": { "Add": true, 
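Review bot: `KubeSecretName` in the K8SCert entry is now described as `The name of a specific CSR to inventory`, so the property name no longer matches what it holds; if the orchestrator reads that key by name it has to stay, but the `DisplayName` can change (`"DisplayName": "CSR Name"`) so operators are not asked for a secret name. Within the same hunk `DefaultValue` is `null` for `ServerUsername` and `""` for `KubeSecretName`; pick one convention for "no default". The `ServerPassword` description says the value is a full `kubeconfig` stored as a store secret in Command; it would help to add that the credential should be a dedicated service account scoped to what this store type needs rather than an admin kubeconfig.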
@@ -3345,22 +3736,44 @@ "Remove": true }, "Properties": [ + { + "Name": "IncludeCertChain", + "DisplayName": "Include Certificate Chain", + "Type": "Bool", + "DependsOn": null, + "DefaultValue": "true", + "Required": false, + "Description": "Will default to `true` if not set. If set to `false` only the leaf cert will be deployed. Note: If the certificate in Keyfactor Command does not have a private key, it will be sent in DER format (leaf certificate only), and the chain cannot be included regardless of this setting." + }, { "Name": "SeparateChain", - "DisplayName": "Separate Certificate Chain", + "DisplayName": "Separate Chain", "Type": "Bool", + "DependsOn": null, "DefaultValue": "false", + "Required": false, + "Description": "Will default to `false` if not set. Set this to `true` if you want to deploy certificate chain to the `ca.crt` field for Opaque and tls secrets." + }, + { + "Name": "ServerUsername", + "DisplayName": "Server Username", + "Description": "This should be no value or `kubeconfig`", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": null, "Required": false }, { - "Name": "IncludeCertChain", - "DisplayName": "Include Certificate Chain", - "Type": "Bool", - "DefaultValue": "true", + "Name": "ServerPassword", + "DisplayName": "Server Password", + "Description": "The credentials to use to connect to the K8S cluster API. This needs to be in `kubeconfig` format. Example: https://github.com/Keyfactor/k8s-orchestrator/tree/main/scripts/kubernetes#example-service-account-json", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": null, "Required": false } ], - "EntryParameters": null, + "EntryParameters": [], "PasswordOptions": { "EntrySupported": false, "StoreRequired": false, @@ -3379,6 +3792,7 @@ "Name": "K8SJKS", "ShortName": "K8SJKS", "Capability": "K8SJKS", + "ClientMachineDescription": "This can be anything useful, recommend using the k8s cluster name or identifier.", "LocalStore": false, "SupportedOperations": { "Add": true, 
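Review bot: `DependsOn` is `null` on the new `IncludeCertChain` and `SeparateChain` properties but `""` on `ServerUsername`/`ServerPassword` in the same property list; the rest of this file uses `""` (e.g. the K8SJKS entries), so `"DependsOn": ""` on the two new properties would keep a single convention for "no dependency". The `SeparateChain` description says the chain goes to the `ca.crt` field "for Opaque and tls secrets" while this entry is K8SCluster; if the text is shared boilerplate, it is worth saying which secret type this store actually writes. The same `null`/`""` mix appears in the K8SNS, K8SSecret and K8STLSSecr hunks below.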
@@ -3391,6 +3805,7 @@ { "Name": "KubeNamespace", "DisplayName": "KubeNamespace", + "Description": "The K8S namespace to use to manage the K8S secret object.", "Type": "String", "DependsOn": "", "DefaultValue": "default", @@ -3399,6 +3814,7 @@ { "Name": "KubeSecretName", "DisplayName": "KubeSecretName", + "Description": "The name of the K8S secret object.", "Type": "String", "DependsOn": "", "DefaultValue": null, @@ -3407,22 +3823,25 @@ { "Name": "KubeSecretType", "DisplayName": "KubeSecretType", + "Description": "DEPRECATED: This property is deprecated and will be removed in a future release. The secret type is now automatically derived from the store type. This defaults to and must be `jks`.", "Type": "String", "DependsOn": "", "DefaultValue": "jks", - "Required": true + "Required": false }, { "Name": "CertificateDataFieldName", "DisplayName": "CertificateDataFieldName", + "Description": "The field name to use when looking for certificate data in the K8S secret.", "Type": "String", "DependsOn": "", - "DefaultValue": ".jks", - "Required": true + "DefaultValue": null, + "Required": false }, { "Name": "PasswordFieldName", "DisplayName": "PasswordFieldName", + "Description": "The field name to use when looking for the JKS keystore password in the K8S secret. This is either the field name to look at on the same secret, or if `PasswordIsK8SSecret` is set to `true`, the field name to look at on the secret specified in `StorePasswordPath`.", "Type": "String", "DependsOn": "", "DefaultValue": "password", 
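Review bot: `CertificateDataFieldName` loses its `.jks` default (`DefaultValue` `null`, `Required` `false`) but its new description does not say which field is used when the value is empty, unlike the `PassphrasePath` descriptions added earlier in this diff; propose `"Description": "The field name to use when looking for certificate data in the K8S secret. If empty, <fallback field name> is used."` with the actual fallback filled in by the author. `KubeSecretType` is marked DEPRECATED yet keeps `DefaultValue` `"jks"` and "must be `jks`"; stating whether a different value is rejected or silently ignored would close the loop.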
@@ -3430,25 +3849,54 @@ }, { "Name": "PasswordIsK8SSecret", - "DisplayName": "Password Is K8S Secret", + "DisplayName": "PasswordIsK8SSecret", + "Description": "Indicates whether the password to the JKS keystore is stored in a separate K8S secret.", "Type": "Bool", "DependsOn": "", "DefaultValue": "false", "Required": false }, + { + "Name": "IncludeCertChain", + "DisplayName": "Include Certificate Chain", + "Type": "Bool", + "DependsOn": null, + "DefaultValue": "true", + "Required": false, + "Description": "Will default to `true` if not set. If set to `false` only the leaf cert will be deployed. Note: If the certificate in Keyfactor Command does not have a private key, it will be sent in DER format (leaf certificate only), and the chain cannot be included regardless of this setting." + }, { "Name": "StorePasswordPath", "DisplayName": "StorePasswordPath", + "Description": "The path to the K8S secret object to use as the password to the JKS keystore. Example: `/`", "Type": "String", "DependsOn": "", "DefaultValue": null, "Required": false + }, + { + "Name": "ServerUsername", + "DisplayName": "Server Username", + "Description": "This should be no value or `kubeconfig`", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": null, + "Required": false + }, + { + "Name": "ServerPassword", + "DisplayName": "Server Password", + "Description": "The credentials to use to connect to the K8S cluster API. This needs to be in `kubeconfig` format. Example: https://github.com/Keyfactor/k8s-orchestrator/tree/main/scripts/kubernetes#example-service-account-json", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": null, + "Required": false } ], - "EntryParameters": null, + "EntryParameters": [], "PasswordOptions": { "EntrySupported": false, - "StoreRequired": false, + "StoreRequired": true, "Style": "Default" }, "StorePathType": "", 
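Review bot: `PasswordOptions.StoreRequired` flips to `true`, which makes a store password mandatory when the store is created, while `PasswordIsK8SSecret`/`StorePasswordPath` in the same list describe sourcing the JKS password from a Kubernetes secret instead; unless both are always needed, one description should say which takes precedence, or `StoreRequired` should stay `false`. The `StorePasswordPath` example `/` does not show the expected shape; a realistic placeholder (e.g. `<namespace>/<secret-name>`, to be confirmed by the author) would be more useful. The same `StoreRequired` change is in the K8SPKCS12 hunk further down.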
@@ -3464,6 +3912,7 @@ "Name": "K8SNS", "ShortName": "K8SNS", "Capability": "K8SNS", + "ClientMachineDescription": "This can be anything useful, recommend using the k8s cluster name or identifier.", "LocalStore": false, "SupportedOperations": { "Add": true, 
@@ -3476,27 +3925,50 @@ { "Name": "KubeNamespace", "DisplayName": "Kube Namespace", + "Description": "The K8S namespace to use to manage the K8S secret object.", "Type": "String", "DependsOn": "", "DefaultValue": "default", "Required": false }, + { + "Name": "IncludeCertChain", + "DisplayName": "Include Certificate Chain", + "Type": "Bool", + "DependsOn": null, + "DefaultValue": "true", + "Required": false, + "Description": "Will default to `true` if not set. If set to `false` only the leaf cert will be deployed. Note: If the certificate in Keyfactor Command does not have a private key, it will be sent in DER format (leaf certificate only), and the chain cannot be included regardless of this setting." + }, { "Name": "SeparateChain", - "DisplayName": "Separate Certificate Chain", + "DisplayName": "Separate Chain", "Type": "Bool", + "DependsOn": null, "DefaultValue": "false", + "Required": false, + "Description": "Will default to `false` if not set. Set this to `true` if you want to deploy certificate chain to the `ca.crt` field for Opaque and tls secrets." + }, + { + "Name": "ServerUsername", + "DisplayName": "Server Username", + "Description": "This should be no value or `kubeconfig`", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": null, "Required": false }, { - "Name": "IncludeCertChain", - "DisplayName": "Include Certificate Chain", - "Type": "Bool", - "DefaultValue": "true", + "Name": "ServerPassword", + "DisplayName": "Server Password", + "Description": "The credentials to use to connect to the K8S cluster API. This needs to be in `kubeconfig` format. Example: https://github.com/Keyfactor/k8s-orchestrator/tree/main/scripts/kubernetes#example-service-account-json", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": null, "Required": false } ], - "EntryParameters": null, + "EntryParameters": [], "PasswordOptions": { "EntrySupported": false, "StoreRequired": false, 
@@ -3515,6 +3987,7 @@ "Name": "K8SPKCS12", "ShortName": "K8SPKCS12", "Capability": "K8SPKCS12", + "ClientMachineDescription": "This can be anything useful, recommend using the k8s cluster name or identifier.", "LocalStore": false, "SupportedOperations": { "Add": true, @@ -3525,12 +3998,13 @@ }, "Properties": [ { - "Name": "KubeSecretType", - "DisplayName": "Kube Secret Type", - "Type": "String", - "DependsOn": "", - "DefaultValue": "pkcs12", - "Required": true + "Name": "IncludeCertChain", + "DisplayName": "Include Certificate Chain", + "Type": "Bool", + "DependsOn": null, + "DefaultValue": "true", + "Required": false, + "Description": "Will default to `true` if not set. If set to `false` only the leaf cert will be deployed. Note: If the certificate in Keyfactor Command does not have a private key, it will be sent in DER format (leaf certificate only), and the chain cannot be included regardless of this setting." }, { "Name": "CertificateDataFieldName", @@ -3543,6 +4017,7 @@ { "Name": "PasswordFieldName", "DisplayName": "Password Field Name", + "Description": "The field name to use when looking for the PKCS12 keystore password in the K8S secret. This is either the field name to look at on the same secret, or if `PasswordIsK8SSecret` is set to `true`, the field name to look at on the secret specified in `StorePasswordPath`.", "Type": "String", "DependsOn": "", "DefaultValue": "password", @@ -3551,6 +4026,7 @@ { "Name": "PasswordIsK8SSecret", "DisplayName": "Password Is K8S Secret", + "Description": "Indicates whether the password to the PKCS12 keystore is stored in a separate K8S secret object.", "Type": "Bool", "DependsOn": "", "DefaultValue": "false", @@ -3559,6 +4035,7 @@ { "Name": "KubeNamespace", "DisplayName": "Kube Namespace", + "Description": "The K8S namespace to use to manage the K8S secret object.", "Type": "String", "DependsOn": "", "DefaultValue": "default", 
@@ -3567,24 +4044,53 @@ { "Name": "KubeSecretName", "DisplayName": "Kube Secret Name", + "Description": "The name of the K8S secret object.", "Type": "String", "DependsOn": "", "DefaultValue": null, "Required": false }, + { + "Name": "ServerUsername", + "DisplayName": "Server Username", + "Description": "This should be no value or `kubeconfig`", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": null, + "Required": false + }, + { + "Name": "ServerPassword", + "DisplayName": "Server Password", + "Description": "The credentials to use to connect to the K8S cluster API. This needs to be in `kubeconfig` format. Example: https://github.com/Keyfactor/k8s-orchestrator/tree/main/scripts/kubernetes#example-service-account-json", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": null, + "Required": false + }, + { + "Name": "KubeSecretType", + "DisplayName": "Kube Secret Type", + "Description": "DEPRECATED: This property is deprecated and will be removed in a future release. The secret type is now automatically derived from the store type. This defaults to and must be `pkcs12`.", + "Type": "String", + "DependsOn": "", + "DefaultValue": "pkcs12", + "Required": false + }, { "Name": "StorePasswordPath", "DisplayName": "StorePasswordPath", + "Description": "The path to the K8S secret object to use as the password to the PFX/PKCS12 data. Example: `/`", "Type": "String", "DependsOn": "", "DefaultValue": null, "Required": false } ], - "EntryParameters": null, + "EntryParameters": [], "PasswordOptions": { "EntrySupported": false, - "StoreRequired": false, + "StoreRequired": true, "Style": "Default" }, "StorePathType": "", @@ -3600,6 +4106,7 @@ "Name": "K8SSecret", "ShortName": "K8SSecret", "Capability": "K8SSecret", + "ClientMachineDescription": "This can be anything useful, recommend using the k8s cluster name or identifier.", "LocalStore": false, "SupportedOperations": { "Add": true, 
@@ -3612,6 +4119,7 @@ { "Name": "KubeNamespace", "DisplayName": "KubeNamespace", + "Description": "The K8S namespace to use to manage the K8S secret object.", "Type": "String", "DependsOn": "", "DefaultValue": null, @@ -3620,6 +4128,7 @@ { "Name": "KubeSecretName", "DisplayName": "KubeSecretName", + "Description": "The name of the K8S secret object.", "Type": "String", "DependsOn": "", "DefaultValue": null, 
@@ -3628,27 +4137,50 @@ { "Name": "KubeSecretType", "DisplayName": "KubeSecretType", + "Description": "DEPRECATED: This property is deprecated and will be removed in a future release. The secret type is now automatically derived from the store type. This defaults to and must be `secret`.", "Type": "String", "DependsOn": "", "DefaultValue": "secret", - "Required": true + "Required": false + }, + { + "Name": "IncludeCertChain", + "DisplayName": "Include Certificate Chain", + "Type": "Bool", + "DependsOn": null, + "DefaultValue": "true", + "Required": false, + "Description": "Will default to `true` if not set. If set to `false` only the leaf cert will be deployed. Note: If the certificate in Keyfactor Command does not have a private key, it will be sent in DER format (leaf certificate only), and the chain cannot be included regardless of this setting." }, { "Name": "SeparateChain", - "DisplayName": "Separate Certificate Chain", + "DisplayName": "Separate Chain", "Type": "Bool", + "DependsOn": null, "DefaultValue": "false", + "Required": false, + "Description": "Will default to `false` if not set. Set this to `true` if you want to deploy certificate chain to the `ca.crt` field for Opaque and tls secrets." + }, + { + "Name": "ServerUsername", + "DisplayName": "Server Username", + "Description": "This should be no value or `kubeconfig`", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": null, "Required": false }, { - "Name": "IncludeCertChain", - "DisplayName": "Include Certificate Chain", - "Type": "Bool", - "DefaultValue": "true", + "Name": "ServerPassword", + "DisplayName": "Server Password", + "Description": "The credentials to use to connect to the K8S cluster API. This needs to be in `kubeconfig` format. 
Example: https://github.com/Keyfactor/k8s-orchestrator/tree/main/scripts/kubernetes#example-service-account-json", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": null, "Required": false } ], - "EntryParameters": null, + "EntryParameters": [], "PasswordOptions": { "EntrySupported": false, "StoreRequired": false, @@ -3667,6 +4199,7 @@ "Name": "K8STLSSecr", "ShortName": "K8STLSSecr", "Capability": "K8STLSSecr", + "ClientMachineDescription": "This can be anything useful, recommend using the k8s cluster name or identifier.", "LocalStore": false, "SupportedOperations": { "Add": true, @@ -3679,6 +4212,7 @@ { "Name": "KubeNamespace", "DisplayName": "KubeNamespace", + "Description": "The K8S namespace to use to manage the K8S secret object.", "Type": "String", "DependsOn": "", "DefaultValue": null, @@ -3687,6 +4221,7 @@ { "Name": "KubeSecretName", "DisplayName": "KubeSecretName", + "Description": "The name of the K8S secret object.", "Type": "String", "DependsOn": "", "DefaultValue": null, 
@@ -3695,27 +4230,50 @@ { "Name": "KubeSecretType", "DisplayName": "KubeSecretType", + "Description": "DEPRECATED: This property is deprecated and will be removed in a future release. The secret type is now automatically derived from the store type. This defaults to and must be `tls_secret`.", "Type": "String", "DependsOn": "", "DefaultValue": "tls_secret", - "Required": true + "Required": false + }, + { + "Name": "IncludeCertChain", + "DisplayName": "Include Certificate Chain", + "Type": "Bool", + "DependsOn": null, + "DefaultValue": "true", + "Required": false, + "Description": "Will default to `true` if not set. If set to `false` only the leaf cert will be deployed. Note: If the certificate in Keyfactor Command does not have a private key, it will be sent in DER format (leaf certificate only), and the chain cannot be included regardless of this setting." }, { "Name": "SeparateChain", - "DisplayName": "Separate Certificate Chain", + "DisplayName": "Separate Chain", "Type": "Bool", + "DependsOn": null, "DefaultValue": "false", + "Required": false, + "Description": "Will default to `false` if not set. Set this to `true` if you want to deploy certificate chain to the `ca.crt` field for Opaque and tls secrets." + }, + { + "Name": "ServerUsername", + "DisplayName": "Server Username", + "Description": "This should be no value or `kubeconfig`", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": null, "Required": false }, { - "Name": "IncludeCertChain", - "DisplayName": "Include Certificate Chain", - "Type": "Bool", - "DefaultValue": "true", + "Name": "ServerPassword", + "DisplayName": "Server Password", + "Description": "The credentials to use to connect to the K8S cluster API. This needs to be in `kubeconfig` format. 
Example: https://github.com/Keyfactor/k8s-orchestrator/tree/main/scripts/kubernetes#example-service-account-json", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": null, "Required": false } ], - "EntryParameters": null, + "EntryParameters": [], "PasswordOptions": { "EntrySupported": false, "StoreRequired": false, @@ -3730,6 +4288,65 @@ "BlueprintAllowed": false, "CustomAliasAllowed": "Forbidden" }, + { + "Name": "Kemp", + "ShortName": "Kemp", + "Capability": "Kemp", + "LocalStore": false, + "SupportedOperations": { + "Add": true, + "Create": false, + "Discovery": false, + "Enrollment": false, + "Remove": true + }, + "Properties": [ + { + "Name": "ServerUsername", + "DisplayName": "Server Username", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": "", + "Required": false, + "IsPAMEligible": true, + "Description": "Not used." + }, + { + "Name": "ServerPassword", + "DisplayName": "Server Password", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": "", + "Required": false, + "IsPAMEligible": true, + "Description": "Kemp Api Password. (or valid PAM key if the username is stored in a KF Command configured PAM integration)." + }, + { + "Name": "ServerUseSsl", + "DisplayName": "Use SSL", + "Type": "Bool", + "DependsOn": "", + "DefaultValue": "true", + "Required": true, + "IsPAMEligible": false, + "Description": "Should be true, http is not supported." + } + ], + "EntryParameters": [], + "ClientMachineDescription": "Kemp Load Balancer Client Machine and port example TestKemp:8443.", + "StorePathDescription": "Not used just put a /", + "PasswordOptions": { + "EntrySupported": false, + "StoreRequired": false, + "Style": "Default" + }, + "PrivateKeyAllowed": "Optional", + "JobProperties": [], + "ServerRequired": true, + "PowerShell": false, + "BlueprintAllowed": false, + "CustomAliasAllowed": "Required" + }, { "Name": "MyOrchestratorStoreType", "ShortName": "MOST", 
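Review bot: `KubeSecretType` keeps `"Type": "String"` with `"DefaultValue": "tls_secret"` while its new description says the value "must be `tls_secret`" and is "automatically derived from the store type", which leaves an operator free to type anything with no indication of whether it is validated or silently ignored. Either the description should say explicitly that any other value is ignored (if that is what the orchestrator does — confirm), or the property should be locked down, e.g. `"Type": "MultipleChoice", "DefaultValue": "tls_secret"`, so the only accepted value is the one the description requires. As with the Opaque store, the `ServerPassword` description should also carry a least-privilege caveat for the kubeconfig it holds, since that credential is what gets to write TLS secrets (keys included) into the namespace.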
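Review bot: The Kemp `ServerPassword` description says "or valid PAM key if the *username* is stored in a ... PAM integration", but the PAM lookup applies to the password field itself (the username is documented as "Not used"), so the sentence points operators at the wrong field. I would change it to `"Description": "Kemp API key/password (or a valid PAM key if the password is stored in a Keyfactor Command configured PAM provider)."` and, since the username is unused, either drop `"IsPAMEligible": true` on `ServerUsername` or say in its description that nothing is read from it. `ServerUseSsl` is described as "Should be true, http is not supported" — if the orchestrator really refuses plaintext, that is worth stating as "must be true" so nobody expects `false` to work.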
@@ -4035,7 +4652,7 @@ "Add": true, "Create": true, "Discovery": true, - "Enrollment": false, + "Enrollment": true, "Remove": true }, "PasswordOptions": { @@ -4122,15 +4739,6 @@ "DefaultValue": "False", "Description": "Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations." }, - { - "Name": "FileTransferProtocol", - "DisplayName": "File Transfer Protocol to Use", - "Required": false, - "DependsOn": "", - "Type": "MultipleChoice", - "DefaultValue": ",SCP,SFTP,Both", - "Description": "Which protocol should be used when uploading/downloading files - SCP, SFTP, or Both (try one, and then if necessary, the other). Overrides FileTransferProtocol [config.json](#post-installation) setting." - }, { "Name": "SSHPort", "DisplayName": "SSH Port", @@ -4167,7 +4775,7 @@ "Add": true, "Create": true, "Discovery": true, - "Enrollment": false, + "Enrollment": true, "Remove": true }, "PasswordOptions": { @@ -4245,15 +4853,6 @@ "DefaultValue": "False", "Description": "Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations." }, - { - "Name": "FileTransferProtocol", - "DisplayName": "File Transfer Protocol to Use", - "Required": false, - "DependsOn": "", - "Type": "MultipleChoice", - "DefaultValue": ",SCP,SFTP,Both", - "Description": "Which protocol should be used when uploading/downloading files - SCP, SFTP, or Both (try one, and then if necessary, the other). Overrides FileTransferProtocol [config.json](#post-installation) setting." - }, { "Name": "SSHPort", "DisplayName": "SSH Port", 
@@ -4271,6 +4870,15 @@ "Type": "Bool", "DefaultValue": "True", "Description": "Recommended to be set to the default value of 'Y'. For a detailed explanation of this setting, please refer to [Use Shell Commands Setting](#use-shell-commands-setting)" + }, + { + "Name": "PostJobApplicationRestart", + "DisplayName": "Post Job Application Restart", + "Required": false, + "DependsOn": "", + "Type": "MultipleChoice", + "DefaultValue": "Apache Tomcat Restart,Jetty Restart", + "Description": "Select the command to be run after a Management Add or ODKG job executes. Leave unselected if no command is desired." } ], "EntryParameters": [], @@ -4368,15 +4976,6 @@ "DefaultValue": "False", "Description": "Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations." }, - { - "Name": "FileTransferProtocol", - "DisplayName": "File Transfer Protocol to Use", - "Required": false, - "DependsOn": "", - "Type": "MultipleChoice", - "DefaultValue": ",SCP,SFTP,Both", - "Description": "Which protocol should be used when uploading/downloading files - SCP, SFTP, or Both (try one, and then if necessary, the other). Overrides FileTransferProtocol [config.json](#post-installation) setting." - }, { "Name": "SSHPort", "DisplayName": "SSH Port", @@ -4500,15 +5099,6 @@ "DefaultValue": "False", "Description": "Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations." }, - { - "Name": "FileTransferProtocol", - "DisplayName": "File Transfer Protocol to Use", - "Required": false, - "DependsOn": "", - "Type": "MultipleChoice", - "DefaultValue": ",SCP,SFTP,Both", - "Description": "Which protocol should be used when uploading/downloading files - SCP, SFTP, or Both (try one, and then if necessary, the other). Overrides FileTransferProtocol [config.json](#post-installation) setting." - }, { "Name": "SSHPort", "DisplayName": "SSH Port", 
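Review bot: `PostJobApplicationRestart` is a `MultipleChoice` whose `DefaultValue` is `"Apache Tomcat Restart,Jetty Restart"` with no leading empty entry, so — following the convention the same file used for the property this patch removes (`",SCP,SFTP,Both"`, where the leading comma makes "none" the default) — the first option, an Apache Tomcat restart, becomes the default for every store created with this type, contradicting "Leave unselected if no command is desired". Restarting a production service after every Management Add/ODKG job by default is an availability risk that an operator should have to opt into; the fix is `"DefaultValue": ",Apache Tomcat Restart,Jetty Restart"`. The description could also name which command is actually run for each option so the operator knows what privileges the orchestrator account needs on the target.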
@@ -4545,7 +5135,7 @@ "Add": true, "Create": true, "Discovery": true, - "Enrollment": false, + "Enrollment": true, "Remove": true }, "PasswordOptions": { @@ -4659,15 +5249,6 @@ "DefaultValue": "False", "Description": "Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations." }, - { - "Name": "FileTransferProtocol", - "DisplayName": "File Transfer Protocol to Use", - "Required": false, - "DependsOn": "", - "Type": "MultipleChoice", - "DefaultValue": ",SCP,SFTP,Both", - "Description": "Which protocol should be used when uploading/downloading files - SCP, SFTP, or Both (try one, and then if necessary, the other). Overrides FileTransferProtocol [config.json](#post-installation) setting." - }, { "Name": "SSHPort", "DisplayName": "SSH Port", @@ -4685,6 +5266,15 @@ "Type": "Bool", "DefaultValue": "True", "Description": "Recommended to be set to the default value of 'Y'. For a detailed explanation of this setting, please refer to [Use Shell Commands Setting](#use-shell-commands-setting)" + }, + { + "Name": "PostJobApplicationRestart", + "DisplayName": "Post Job Application Restart", + "Required": false, + "DependsOn": "", + "Type": "MultipleChoice", + "DefaultValue": "Apache HTTPD Restart,NGNIX Restart,HAProxy Restart,Envoy Proxy Restart", + "Description": "Select the command to be run after a Management Add or ODKG job executes. Leave unselected if no command is desired." } ], "EntryParameters": [], @@ -4704,7 +5294,7 @@ "Add": true, "Create": true, "Discovery": true, - "Enrollment": false, + "Enrollment": true, "Remove": true }, "PasswordOptions": { 
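Review bot: Same opt-in problem as the Tomcat/Jetty variant: `"DefaultValue": "Apache HTTPD Restart,NGNIX Restart,HAProxy Restart,Envoy Proxy Restart"` has no leading empty entry, so an Apache HTTPD restart is selected by default on every new store despite the description saying to leave it unselected if no command is desired; it should be `"DefaultValue": ",Apache HTTPD Restart,NGINX Restart,HAProxy Restart,Envoy Proxy Restart"`. Note the second option is spelled "NGNIX"; if the orchestrator matches the chosen option by its label string, the typo has to be fixed on both sides at once (or left alone until it is), so I have hedged that part of the suggestion.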
@@ -4782,15 +5372,6 @@ "DefaultValue": "False", "Description": "Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations." }, - { - "Name": "FileTransferProtocol", - "DisplayName": "File Transfer Protocol to Use", - "Required": false, - "DependsOn": "", - "Type": "MultipleChoice", - "DefaultValue": ",SCP,SFTP,Both", - "Description": "Which protocol should be used when uploading/downloading files - SCP, SFTP, or Both (try one, and then if necessary, the other). Overrides FileTransferProtocol [config.json](#post-installation) setting." - }, { "Name": "SSHPort", "DisplayName": "SSH Port", @@ -4819,8 +5400,8 @@ "ShortName": "SOS", "Capability": "SOS", "LocalStore": false, - "StorePathDescription": "Path points to a local .json file. Orchestrator and its account should have read/write access.", - "ClientMachineDescription": "Runs on a Windows based machine.", + "StorePathDescription": "The name of the store as defined in the SOS system (i.e. SampleKeyStore2).", + "ClientMachineDescription": "The base URL of the SOS API (i.e. http://localhost:8080)", "SupportedOperations": { "Add": true, "Create": true, @@ -4871,7 +5452,7 @@ "HasPrivateKey": false, "OnAdd": false, "OnRemove": false, - "OnReenrollment": false + "OnReenrollment": true }, "Description": "SAN string." }, @@ -4918,14 +5499,14 @@ ], "PasswordOptions": { "EntrySupported": true, - "StoreRequired": false, + "StoreRequired": true, "Style": "Default" }, "PrivateKeyAllowed": "Optional", "ServerRequired": true, "PowerShell": false, "BlueprintAllowed": true, - "CustomAliasAllowed": "Optional" + "CustomAliasAllowed": "Forbidden" }, { "Name": "Signum", 
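Review bot: The new SOS `ClientMachineDescription` gives `http://localhost:8080` as the example base URL for an API that, per the later hunk in this same file, now requires a store password; a plaintext example will be copied into real deployments and sends that credential in the clear. I would use `"ClientMachineDescription": "The base URL of the SOS API (i.e. https://sos.example.com:8443). Use https unless the API is only reachable on the orchestrator host itself."` The switch of `CustomAliasAllowed` from `"Optional"` to `"Forbidden"` in the other hunk is a behaviour change for any existing SOS store entries that were created with an alias and might deserve a line in the commit message.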
@@ -4974,6 +5555,127 @@ "Style": "Default" } }, + { + "Name": "A10 Thunder Management Certificates", + "ShortName": "ThunderMgmt", + "Capability": "ThunderMgmt", + "LocalStore": false, + "SupportedOperations": { + "Add": true, + "Create": false, + "Discovery": false, + "Enrollment": false, + "Remove": true + }, + "Properties": [ + { + "Name": "OrchToScpServerIp", + "DisplayName": "Orch To Scp Server Ip", + "Type": "String", + "DependsOn": "", + "DefaultValue": "", + "Required": true, + "Description": "IP address or hostname of the SCP server that the Universal Orchestrator will connect to for uploading certificate files. This SCP server acts as an intermediary storage location before the A10 device retrieves the certificates." + }, + { + "Name": "ScpPort", + "DisplayName": "Port Used For Scp", + "Type": "String", + "DependsOn": "", + "DefaultValue": "", + "Required": true, + "Description": "TCP port number used for SSH/SCP connections to the SCP server. Typically port 22 for standard SSH/SCP operations." + }, + { + "Name": "ScpUserName", + "DisplayName": "UserName Used For Scp", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": "", + "Required": true, + "Description": "Username credential for authenticating to the SCP server. This account must have write permissions to the target directory path specified in the certificate store configuration. Supports PAM integration for secure credential retrieval." + }, + { + "Name": "ScpPassword", + "DisplayName": "Password Used For Scp", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": "", + "Required": true, + "Description": "Password credential for authenticating to the SCP server. Used in conjunction with ScpUserName for SSH/SCP authentication. Supports PAM integration for secure credential retrieval." 
+ }, + { + "Name": "A10ToScpServerIp", + "DisplayName": "A10 Device To Scp Server Ip", + "Type": "String", + "DependsOn": "", + "DefaultValue": "", + "Required": true, + "Description": "IP address or hostname that the A10 vThunder device uses to connect to the SCP server for retrieving certificate files. This may differ from OrchToScpServerIp due to network topology, routing, or firewall configurations where the A10 device and orchestrator access the SCP server through different network paths." + }, + { + "Name": "allowInvalidCert", + "DisplayName": "Allow Invalid Cert on A10 Management API", + "Type": "Bool", + "DependsOn": "", + "DefaultValue": "true", + "Required": true, + "Description": "Boolean value specifying whether to allow connections to the A10 vThunder management API when it presents an invalid or self-signed SSL/TLS certificate. Set to true to bypass certificate validation for AXAPI connections used during the certificate installation process." + } + ], + "EntryParameters": [], + "PasswordOptions": { + "EntrySupported": false, + "StoreRequired": false, + "Style": "Default" + }, + "StorePathValue": "", + "ClientMachineDescription": "Hostname or IP address of the A10 vThunder appliance to be managed. The orchestrator will establish an AXAPI (REST API) connection using the credentials specified in the Server Username and Server Password fields to trigger certificate installation on the management interface after uploading files via SCP.", + "StorePathDescription": "Absolute directory path on the SCP server where certificate files (.crt and .key) will be uploaded. The A10 device will retrieve certificate files from this location. Example: '/home/certuser'. 
The specified path must exist and the SCP user must have write permissions to this directory.", + "PrivateKeyAllowed": "Required", + "ServerRequired": true, + "PowerShell": false, + "BlueprintAllowed": false, + "CustomAliasAllowed": "Required" + }, + { + "Name": "A10 Thunder Ssl Certificates", + "ShortName": "ThunderSsl", + "Capability": "ThunderSsl", + "LocalStore": false, + "SupportedOperations": { + "Add": true, + "Create": false, + "Discovery": false, + "Enrollment": false, + "Remove": true + }, + "Properties": [ + { + "Name": "allowInvalidCert", + "DisplayName": "Allow Invalid Cert on A10 Management API", + "Type": "Bool", + "DependsOn": "", + "DefaultValue": "true", + "Required": true, + "Description": "Boolean value specifying whether to allow connections to the A10 vThunder management API when it presents an invalid or self-signed SSL/TLS certificate. Set to true to bypass certificate validation for AXAPI connections." + } + ], + "EntryParameters": [], + "PasswordOptions": { + "EntrySupported": false, + "StoreRequired": false, + "Style": "Default" + }, + "StorePathValue": "", + "ClientMachineDescription": "Hostname or IP address of the A10 vThunder appliance to be managed. The orchestrator will establish an AXAPI (REST API) connection using the credentials specified in the Server Username and Server Password fields to manage SSL certificates directly on the device.", + "StorePathDescription": "A10 partition name where certificates will be managed. Use 'shared' for the default shared partition, or specify a custom partition name (e.g., 'tenant-prod') for multi-tenant deployments. The partition must already exist on the A10 device. Leave empty to default to the shared partition.", + "PrivateKeyAllowed": "Optional", + "ServerRequired": true, + "PowerShell": false, + "BlueprintAllowed": false, + "CustomAliasAllowed": "Required" + }, { "Name": "VMware-NSX", "ShortName": "VMware-NSX", 
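Review bot: Both A10 store types ship `allowInvalidCert` with `"DefaultValue": "true"`, which disables TLS certificate validation on the AXAPI connection that carries the device's admin credentials (Server Username/Password) by default; an insecure-by-default knob on a management API is exactly what a reviewer would push back on. I would set `"DefaultValue": "false"` and reword the description to `"Set to true only for lab devices that still present a self-signed certificate; when true the AXAPI connection is open to interception, so install a trusted certificate on the management interface instead."` For the ThunderMgmt type, the `.key` file for a `PrivateKeyAllowed: "Required"` store is staged on a third-party SCP server at `StorePath`; the descriptions should say whether the orchestrator removes the staged files after the A10 device fetches them and, either way, that the directory should be restricted to the SCP user (e.g. mode 0700) — I cannot tell from the JSON whether cleanup happens. Nothing here says whether the SCP host key is verified, which is worth a sentence on `OrchToScpServerIp` if the orchestrator does not pin it.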
@@ -5035,6 +5737,105 @@ "ClientMachineDescription": "This is the URL for the VMware NSX instance. It also includes an optional tenant in square brackets before the URL. A tenant value is required when the certificates being managed are in a different tenant from the default tenant set for the NSX User specified for the store. This should look like either: [optional-tenant-name]https://my.nsx.url/ OR https://my.nsx.url/ ", "StorePathDescription": "A selection from the different certificate types supported: Application, Controller, or CA." }, + { + "Name": "ADFS Rotation Manager", + "ShortName": "WinAdfs", + "Capability": "WinAdfs", + "LocalStore": false, + "SupportedOperations": { + "Add": true, + "Create": false, + "Discovery": false, + "Enrollment": false, + "Remove": false + }, + "Properties": [ + { + "Name": "spnwithport", + "DisplayName": "SPN With Port", + "Type": "Bool", + "DependsOn": "", + "DefaultValue": "false", + "Required": false, + "Description": "Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations." + }, + { + "Name": "WinRM Protocol", + "DisplayName": "WinRM Protocol", + "Type": "MultipleChoice", + "DependsOn": "", + "DefaultValue": "https,http,ssh", + "Required": true, + "Description": "Multiple choice value specifying which protocol to use. Protocols https or http use WinRM to connect from Windows to Windows Servers. Using ssh is only supported when running the orchestrator in a Linux environment." + }, + { + "Name": "WinRM Port", + "DisplayName": "WinRM Port", + "Type": "String", + "DependsOn": "", + "DefaultValue": "5986", + "Required": true, + "Description": "String value specifying the port number that the Windows target server's WinRM listener is configured to use. Example: '5986' for HTTPS or '5985' for HTTP. By default, when using ssh in a Linux environment, the default port number is 22." 
+ }, + { + "Name": "ServerUsername", + "DisplayName": "Server Username", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": "", + "Required": false, + "Description": "Username used to log into the target server for establishing the WinRM session. Example: 'administrator' or 'domain\\username'. (This field is automatically created)" + }, + { + "Name": "ServerPassword", + "DisplayName": "Server Password", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": "", + "Required": false, + "Description": "Password corresponding to the Server Username used to log into the target server. When establishing a SSH session from a Linux environment, the password must include the full SSH Private key. (This field is automatically created)" + }, + { + "Name": "ServerUseSsl", + "DisplayName": "Use SSL", + "Type": "Bool", + "DependsOn": "", + "DefaultValue": "true", + "Required": true, + "Description": "Determine whether the server uses SSL or not (This field is automatically created)" + } + ], + "EntryParameters": [ + { + "Name": "ProviderName", + "DisplayName": "Crypto Provider Name", + "Type": "String", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": false, + "OnRemove": false, + "OnReenrollment": false + }, + "DependsOn": "", + "DefaultValue": "", + "Options": "", + "Description": "Name of the Windows cryptographic service provider to use when generating and storing private keys. 
For more information, refer to the section 'Using Crypto Service Providers'" + } + ], + "PasswordOptions": { + "EntrySupported": false, + "StoreRequired": false, + "Style": "Default" + }, + "StorePathValue": "My", + "PrivateKeyAllowed": "Required", + "ServerRequired": true, + "PowerShell": false, + "BlueprintAllowed": true, + "CustomAliasAllowed": "Forbidden", + "ClientMachineDescription": "Since this extension type must run as an agent (The UO Must be installed on the PRIMARY ADFS Server), the ClientMachine must follow the naming convention as outlined in the Client Machine Instructions. Secondary ADFS Nodes will be automatically be updated with the same certificate added on the PRIMARY ADFS server.", + "StorePathDescription": "Fixed string value of 'My' indicating the Personal store on the Local Machine. All ADFS Service-Communications certificates are located in the 'My' personal store by default." + }, { "Name": "WinCerMgmt", "ShortName": "WinCerMgmt", @@ -5118,7 +5919,7 @@ "DependsOn": "", "DefaultValue": "", "Required": false, - "Description": "Username used to log into the target server for establishing the WinRM session. Example: 'administrator' or 'domain\\username'." + "Description": "Username used to log into the target server for establishing the WinRM session. Example: 'administrator' or 'domain\\username'. (This field is automatically created)" }, { "Name": "ServerPassword", @@ -5127,7 +5928,7 @@ "DependsOn": "", "DefaultValue": "", "Required": false, - "Description": "Password corresponding to the Server Username used to log into the target server. When establishing a SSH session from a Linux environment, the password must include the full SSH Private key." + "Description": "Password corresponding to the Server Username used to log into the target server. When establishing a SSH session from a Linux environment, the password must include the full SSH Private key. (This field is automatically created)" }, { "Name": "ServerUseSsl", 
@@ -5154,21 +5955,6 @@ "DefaultValue": "", "Options": "", "Description": "Name of the Windows cryptographic service provider to use when generating and storing private keys. For more information, refer to the section 'Using Crypto Service Providers'" - }, - { - "Name": "SAN", - "DisplayName": "SAN", - "Type": "String", - "RequiredWhen": { - "HasPrivateKey": false, - "OnAdd": false, - "OnRemove": false, - "OnReenrollment": true - }, - "DependsOn": "", - "DefaultValue": "", - "Options": "", - "Description": "String value specifying the Subject Alternative Name (SAN) to be used when performing reenrollment jobs. Format as a list of = entries separated by ampersands; Example: 'dns=www.example.com&dns=www.example2.com' for multiple SANs. Can be made optional if RFC 2818 is disabled on the CA." } ], "PasswordOptions": { @@ -5232,7 +6018,7 @@ "DependsOn": "", "DefaultValue": "", "Required": false, - "Description": "Username used to log into the target server for establishing the WinRM session. Example: 'administrator' or 'domain\\username'." + "Description": "Username used to log into the target server for establishing the WinRM session. Example: 'administrator' or 'domain\\username'. (This field is automatically created)" }, { "Name": "ServerPassword", @@ -5241,7 +6027,7 @@ "DependsOn": "", "DefaultValue": "", "Required": false, - "Description": "Password corresponding to the Server Username used to log into the target server. When establishing a SSH session from a Linux environment, the password must include the full SSH Private key." + "Description": "Password corresponding to the Server Username used to log into the target server. When establishing a SSH session from a Linux environment, the password must include the full SSH Private key. (This field is automatically created)" }, { "Name": "ServerUseSsl", 
@@ -5289,21 +6075,6 @@ "DefaultValue": "", "Options": "", "Description": "Name of the Windows cryptographic service provider to use when generating and storing private keys. For more information, refer to the section 'Using Crypto Service Providers'" - }, - { - "Name": "SAN", - "DisplayName": "SAN", - "Type": "String", - "RequiredWhen": { - "HasPrivateKey": false, - "OnAdd": false, - "OnRemove": false, - "OnReenrollment": true - }, - "DependsOn": "", - "DefaultValue": "", - "Options": "", - "Description": "String value specifying the Subject Alternative Name (SAN) to be used when performing reenrollment jobs. Format as a list of = entries separated by ampersands; Example: 'dns=www.example.com&dns=www.example2.com' for multiple SANs." } ], "PasswordOptions": { @@ -5501,7 +6272,7 @@ "DependsOn": "", "DefaultValue": "", "Required": true, - "IsPamEligable": false, + "IsPamEligable": true, "Description": "The vCenter username used to manage the vCenter connection" }, { @@ -5511,7 +6282,7 @@ "DependsOn": "", "DefaultValue": "", "Required": true, - "IsPamEligable": false, + "IsPamEligable": true, "Description": "The secret vCenter password used to manage the vCenter connection" } ] diff --git a/store_types.json b/store_types.json index 418e37d0..96550457 100644 --- a/store_types.json +++ b/store_types.json @@ -30,6 +30,19 @@ "OnRemove": false, "OnReenrollment": false } + }, + { + "Name": "NonExportable", + "DisplayName": "Non Exportable Private Key", + "Description": "If true, this will mark the certificate as having a non-exportable private key when importing into Azure KeyVault", + "Type": "Bool", + "DefaultValue": "False", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": false, + "OnRemove": false, + "OnReenrollment": false + } } ], "JobProperties": [], 
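Review bot: The flag flipped here is spelled `"IsPamEligable"`, while the key this patch uses everywhere else (e.g. the Kemp store) is `"IsPAMEligible"`; the misspelling differs in letters, not just case ("Eligable" vs "Eligible"), so unless Command tolerates that exact variant the vCenter username and password will remain non-PAM-eligible despite the change. The fix is to rename the key on both the username property here and the password property in the following hunk: `"IsPAMEligible": true`. It is worth checking whether other store types in the untouched parts of the file carry the same misspelling.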
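Review bot: The `NonExportable` description explains what the flag sets but not its consequence, which is the part an operator needs before ticking it: once a certificate is imported into Key Vault as non-exportable, the private key cannot be downloaded again from the vault, only used through Key Vault operations (as I understand the AKV exportable policy — confirm against the orchestrator). I would extend the description to `"... This is irreversible for that Key Vault certificate version: the private key can no longer be exported from Key Vault afterwards."` Defaulting to exportable keys is the less safe choice, but changing the default would alter behaviour for existing stores, so I would leave `"DefaultValue": "False"` and make the trade-off explicit in the text.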
@@ -956,6 +969,20 @@ }, "DefaultValue": "SET-DEFAULT", "Description": "Required field for Akamai Tech contact." + }, + { + "Name": "deployment-network", + "DisplayName": "Deployment Network", + "Type": "MultipleChoice", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": false, + "OnRemove": false, + "OnReenrollment": true + }, + "Options": "Standard TLS,Enhanced TLS", + "DefaultValue": "Standard TLS", + "Description": "Required field for Deployment Network." } ], "PasswordOptions": { 
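Review bot: `"Description": "Required field for Deployment Network."` only restates the display name and gives the operator no basis for choosing between "Standard TLS" and "Enhanced TLS", the one decision this parameter exists for. Something like `"Description": "Akamai network the certificate is deployed to: Standard TLS or Enhanced TLS (Akamai's network intended for PCI-scope traffic). Defaults to Standard TLS."` would do, with the Enhanced TLS characterisation checked against Akamai's current docs. The parameter is `RequiredWhen.OnReenrollment: true` but not on Add; if that is intentional, a phrase like "used on reenrollment only" in the description would save confusion.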
@@ -976,42 +1003,31 @@ { "Name": "Alteon Load Balancer", "ShortName": "AlteonLB", - "Capability": "AlteonLB", - "ClientMachineDescription": "The Alteon Load Balancer Server and port", - "StorePathDescription": "This value isn't used for this integration (other than to uniquely identify the cert store in certificate searches).", + "LocalStore": false, + "BlueprintAllowed": false, + "PowerShell": false, + "ServerRequired": true, + "ClientMachineDescription": "The hostname or IP address of the Alteon Load Balancer device (example: https://alteonlb.test.com).", + "StorePathType": "", + "StorePathValue": "", + "StorePathDescription": "", "SupportedOperations": { "Add": true, "Remove": true, "Enrollment": false, "Discovery": false, - "Inventory": true + "Create": false }, - "Properties": [ - { - "Name": "ServerUsername", - "DisplayName": "Server Username", - "Type": "Secret", - "Description": "Alteon user ID with sufficient permissions to manage certs in the Alteon Load Balancer.", - "Required": true - }, - { - "Name": "ServerPassword", - "DisplayName": "Server Password", - "Type": "Secret", - "Description": "Password associated with Alteon user ID entered above.", - "Required": true - } - ], "PasswordOptions": { "EntrySupported": false, "StoreRequired": false, "Style": "Default" }, + "CustomAliasAllowed": "Optional", "PrivateKeyAllowed": "Optional", - "ServerRequired": true, - "PowerShell": false, - "BlueprintAllowed": false, - "CustomAliasAllowed": "Optional" + "JobProperties": [], + "Properties": [], + "EntryParameters": [] }, { "Name": "Azure Application Gateway Certificate Binding", 
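Review bot: The rewritten Alteon entry drops the `"Capability": "AlteonLB"` key that every other store type in this file carries, so the type no longer declares the capability the orchestrator extension registers under and is likely not to bind to the AlteonLB extension at all. Restore it alongside `ShortName`: `"Capability": "AlteonLB",`. The hunk also blanks `StorePathDescription`, losing the useful note that the path is only used to make the store unique in searches; keep that sentence rather than an empty string. Removing the explicit `ServerUsername`/`ServerPassword` properties is fine only if Command auto-creates them when `ServerRequired` is true, as the WinRM entries in this patch state — confirm that applies here.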
@@ -1077,6 +1093,98 @@ "BlueprintAllowed": false, "CustomAliasAllowed": "Required" }, + { + "Name": "Aruba", + "ShortName": "Aruba", + "Capability": "Aruba", + "LocalStore": false, + "SupportedOperations": { + "Add": false, + "Create": false, + "Discovery": false, + "Enrollment": true, + "Remove": false + }, + "EntryParameters": [ + { + "Name": "SAN", + "DisplayName": "SAN", + "Type": "String", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": false, + "OnRemove": false, + "OnReenrollment": true + }, + "DependsOn": "", + "DefaultValue": "", + "Options": "", + "Description": "String value specifying the Subject Alternative Name (SAN) to be used when performing reenrollment jobs. Format as a list of : entries separated by comma; Example: 'DNS:www.example.com,DNS:www.example2.com' for multiple SANs. Can be made optional if RFC 2818 is disabled on the CA. Allowed SAN types are email, URI, DNS, RID or IP." + } + ], + "PasswordOptions": { + "EntrySupported": false, + "StoreRequired": false, + "Style": "Default" + }, + "StorePathType": "", + "StorePathValue": "", + "PrivateKeyAllowed": "Forbidden", + "ClientMachineDescription": "The base URL / IP address of the Aruba instance without the scheme. (i.e. my-server-name.com if the Aruba URL is https://my-server-name.com)", + "StorePathDescription": "A semicolon-delimited string that in the format `;` (i.e. clearpass.localhost;HTTP(RSA)). Please see orchestrator documentation for more information.", + "JobProperties": [], + "ServerRequired": true, + "PowerShell": false, + "BlueprintAllowed": false, + "CustomAliasAllowed": "Forbidden", + "Properties": [ + { + "Name": "FileServerType", + "DisplayName": "File Server Type", + "Type": "MultipleChoice", + "DependsOn": "", + "DefaultValue": "Amazon S3", + "Required": true, + "Description": "The type of file server that the certificate will be uploaded to. The file server must be able to serve the file via HTTPS." 
+ }, + { + "Name": "FileServerHost", + "DisplayName": "File Server Host", + "Type": "String", + "DependsOn": "", + "DefaultValue": "", + "Required": true, + "Description": "Required. The base URL for the file server host without the scheme. (i.e. my-server-name.com if the file server URL is https://my-server-name.com). See File Server Configuration section in the orchestrator documentation for more details." + }, + { + "Name": "FileServerUsername", + "DisplayName": "File Server Username", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": "", + "Required": false, + "Description": "Optional. The username used to access the file server. See File Server Configuration section in the orchestrator documentation for more details." + }, + { + "Name": "FileServerPassword", + "DisplayName": "File Server Password", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": "", + "Required": false, + "Description": "Optional. The password used to access the file server. See File Server Configuration section in the orchestrator documentation for more details." + }, + { + "Name": "DigestAlgorithm", + "DisplayName": "Digest Algorithm", + "Type": "MultipleChoice", + "DependsOn": "", + "DefaultValue": "SHA-256,SHA-1,SHA-224,SHA-384,SHA-512", + "Required": true, + "Description": "The hash digest algorithm used for the certificate signing request (CSR)." + } + ] + }, { "Name": "Axis IP Camera", "ShortName": "AxisIPCamera", 
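Review bot: The Aruba `StorePathDescription` reads "A semicolon-delimited string that in the format `;` (i.e. clearpass.localhost;HTTP(RSA))" — the angle-bracket placeholders appear to have been stripped and the sentence is ungrammatical, so the operator gets only the example to reverse-engineer. From the example it looks like `<server name>;<service/cert usage>`; I would write `"StorePathDescription": "A semicolon-delimited string in the format <server-name>;<service-name> (i.e. clearpass.localhost;HTTP(RSA)). See the orchestrator documentation for the accepted service names."`, with the part names confirmed against the orchestrator. `DigestAlgorithm` offers `SHA-1` as a CSR digest; many CAs reject SHA-1 CSR signatures, so the description should say it is present only for legacy appliances and is not recommended. The file-server credentials are optional, but the certificate staged there must be fetched by ClearPass over HTTPS; the `FileServerHost` description could state that the host's certificate must chain to something ClearPass trusts.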
@@ -1473,102 +1581,169 @@ "CustomAliasAllowed": "Required" }, { - "Name": "Bosch IP Camera", - "ShortName": "BIPCamera", - "Capability": "BIPCamera", - "PrivateKeyAllowed": "Optional", - "ServerRequired": true, - "PowerShell": false, - "BlueprintAllowed": true, - "CustomAliasAllowed": "Required", + "Name": "BMC Orchestrator Solution", + "ShortName": "BMC", + "Capability": "BMC", + "LocalStore": false, + "StorePathDescription": "Path points to a BMC Keyring.", + "ClientMachineDescription": "Runs on a Windows or Linux based machine.", "SupportedOperations": { - "Add": false, - "Create": false, - "Discovery": false, + "Add": true, + "Create": true, + "Discovery": true, "Enrollment": true, - "Remove": false - }, - "PasswordOptions": { - "EntrySupported": false, - "StoreRequired": false, - "Style": "Default" + "Remove": true }, "Properties": [ { "Name": "ServerUsername", "DisplayName": "Server Username", "Type": "Secret", - "DependsOn": "", - "DefaultValue": "", - "Required": false, - "Description": "Enter the username of the configured \"service\" user on the camera" + "DependsOn": null, + "DefaultValue": null, + "Required": false }, { "Name": "ServerPassword", "DisplayName": "Server Password", "Type": "Secret", - "DependsOn": "", - "DefaultValue": "", - "Required": false, - "Description": "Enter the password of the configured \"service\" user on the camera" + "DependsOn": null, + "DefaultValue": null, + "Required": false }, { "Name": "ServerUseSsl", "DisplayName": "Use SSL", "Type": "Bool", - "DependsOn": "", + "DependsOn": null, "DefaultValue": "true", - "Required": true, - "Description": "Select True or False depending on if SSL (HTTPS) should be used to communicate with the camera." 
+ "Required": true } ], "EntryParameters": [ { - "Name": "CertificateUsage", - "DisplayName": "Certificate Usage", - "Type": "MultipleChoice", + "Name": "CertLabel", + "DisplayName": "CertLabel", + "Type": "String", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": true, + "OnRemove": true, + "OnReenrollment": true + }, + "DependsOn": "", + "DefaultValue": "", + "Options": "", + "Description": "Cert label as it appears in the BMC API (without the suffix)." + }, + { + "Name": "CertOwner", + "DisplayName": "CertOwner", + "Type": "String", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": true, + "OnRemove": true, + "OnReenrollment": true + }, + "DependsOn": "", + "DefaultValue": "", + "Options": "", + "Description": "Cert owner as it appears in the BMC API." + }, + { + "Name": "CertUse", + "DisplayName": "CertUse", + "Type": "String", "RequiredWhen": { "HasPrivateKey": false, "OnAdd": false, "OnRemove": false, "OnReenrollment": false }, - "Options": ",HTTPS,EAP-TLS-client,TLS-DATE-client", - "Description": "The Certificate Usage to assign to the cert after upload. Can be left blank to be assigned later." + "DependsOn": "", + "DefaultValue": "", + "Options": "", + "Description": "Cert use as returned by the BMC API." }, { - "Name": "Name", - "DisplayName": "Name (Alias)", - "Type": "String", + "Name": "ImplementCert", + "DisplayName": "ImplementCert", + "Type": "Bool", "RequiredWhen": { "HasPrivateKey": false, - "OnAdd": false, + "OnAdd": true, "OnRemove": false, "OnReenrollment": true }, - "Description": "The certificate Alias, entered again." + "DependsOn": "", + "DefaultValue": "", + "Options": "", + "Description": "Is used to pass an implement cert command to BMC." 
}, { - "Name": "Overwrite", - "DisplayName": "Overwrite", + "Name": "IsCertDefault", + "DisplayName": "IsCertDefault", + "Type": "Bool", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": true, + "OnRemove": false, + "OnReenrollment": true + }, + "DependsOn": "", + "DefaultValue": "", + "Options": "", + "Description": "Indicates whether a given cert is set as default in a keyring." + }, + { + "StoreTypeId": 104, + "Name": "RemoveFromAllKeyrings", + "DisplayName": "RemoveFromAllKeyrings", "Type": "Bool", "RequiredWhen": { "HasPrivateKey": false, "OnAdd": false, + "OnRemove": true, + "OnReenrollment": false + }, + "DependsOn": "", + "DefaultValue": "false", + "Options": "", + "Description": "A bool to indicate whether a given cert is to be removed from all keyrings." + }, + { + "StoreTypeId": 104, + "Name": "RollbackCert", + "DisplayName": "RollbackCert", + "Type": "Bool", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": true, "OnRemove": false, "OnReenrollment": false }, + "DependsOn": "", "DefaultValue": "false", - "Description": "Select `True` if using an existing Alias name to remove and replace an existing certificate." + "Options": "", + "Description": "A bool to indicate whether a given cert is to be rolled back." } ], - "ClientMachineDescription": "The IP address of the Camera. Sample is \"192.167.231.174:44444\". Include the port if necessary.", - "StorePathDescription": "Enter the Serial Number of the camera e.g. `068745431065110085`" + "PasswordOptions": { + "EntrySupported": false, + "StoreRequired": true, + "Style": "Default" + }, + "PrivateKeyAllowed": "Optional", + "ServerRequired": true, + "PowerShell": false, + "BlueprintAllowed": true, + "CustomAliasAllowed": "Forbidden" }, { - "Name": "CiscoAsa", - "ShortName": "CiscoAsa", - "Capability": "CiscoAsa", + "Name": "Barracuda WAF", + "ShortName": "BarracudaWaf", + "Capability": "BarracudaWaf", "LocalStore": false, "SupportedOperations": { "Add": true, 
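Review bot: The `RemoveFromAllKeyrings` and `RollbackCert` entry parameters of the new BMC store type carry `"StoreTypeId": 104`, which no other parameter in this file has; that id is assigned by the Keyfactor Command instance the definition was exported from and is not portable, so `"StoreTypeId": 104,` should be removed from both objects before the file is used for import elsewhere. The same BMC entry uses `"DependsOn": null` / `"DefaultValue": null` for `ServerUsername` and `ServerPassword` while its own `EntryParameters` use `""`; pick one representation of "empty" so consumers do not have to treat both. Those two credential properties are also the only BMC properties without a `Description`; a one-liner such as `"Description": "Username used to authenticate to the BMC API."` would match the rest of the file.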
@@ -1579,19 +1754,178 @@ }, "Properties": [ { - "Name": "CommitToDisk", - "DisplayName": "Commit To Disk", + "Name": "ServerUseSsl", + "DisplayName": "Use SSL", "Type": "Bool", "DependsOn": "", - "DefaultValue": "false", - "Required": true, - "IsPAMEligible": false, - "Description": "This controls if you will write to the disk or memory on the device when adding or removing certificates." + "DefaultValue": "true", + "Required": false, + "Description": "Determines whether to connect to the Barracuda WAF management interface over HTTPS (port 8443) or HTTP (port 8000). Default is true (HTTPS)." }, { - "Name": "ServerUsername", - "DisplayName": "Server Username", - "Type": "Secret", + "Name": "ApiVersion", + "DisplayName": "API Version", + "Type": "String", + "DependsOn": "", + "DefaultValue": "v3.2", + "Required": false, + "Description": "The Barracuda WAF REST API version to use for all requests. Defaults to 'v3.2'. Only change this if your WAF firmware requires a different API version." + }, + { + "Name": "InventorySelfSignedCerts", + "DisplayName": "Inventory Self-Signed Certificates", + "Type": "Bool", + "DependsOn": "", + "DefaultValue": "true", + "Required": false, + "Description": "When enabled, the inventory job will include self-signed certificates from the WAF in addition to signed certificates. Default is true." + }, + { + "Name": "InventoryTrustedCerts", + "DisplayName": "Inventory Trusted Certificates", + "Type": "Bool", + "DependsOn": "", + "DefaultValue": "false", + "Required": false, + "Description": "When enabled, the inventory job will include trusted CA certificates and trusted server certificates from the WAF. Default is false." 
+ } + ], + "EntryParameters": [], + "PasswordOptions": { + "EntrySupported": false, + "StoreRequired": false, + "Style": "Default" + }, + "StorePathType": "", + "StorePathValue": "/", + "PrivateKeyAllowed": "Optional", + "ServerRequired": true, + "PowerShell": false, + "BlueprintAllowed": false, + "CustomAliasAllowed": "Required", + "ClientMachineDescription": "The hostname or IP address of the Barracuda WAF appliance. This is used to connect to the REST API on port 8443 (HTTPS) or 8000 (HTTP).", + "StorePathDescription": "Not used for this integration. Set to '/' or leave at the default value." + }, + { + "Name": "Bosch IP Camera", + "ShortName": "BoschIPCamera", + "Capability": "BoschIPCamera", + "PrivateKeyAllowed": "Optional", + "ServerRequired": true, + "PowerShell": false, + "BlueprintAllowed": true, + "CustomAliasAllowed": "Required", + "SupportedOperations": { + "Add": false, + "Create": false, + "Discovery": false, + "Enrollment": true, + "Remove": false + }, + "PasswordOptions": { + "EntrySupported": false, + "StoreRequired": false, + "Style": "Default" + }, + "Properties": [ + { + "Name": "ServerUsername", + "DisplayName": "Server Username", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": "", + "Required": false, + "Description": "Enter the username of the configured \"service\" user on the camera" + }, + { + "Name": "ServerPassword", + "DisplayName": "Server Password", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": "", + "Required": false, + "Description": "Enter the password of the configured \"service\" user on the camera" + }, + { + "Name": "ServerUseSsl", + "DisplayName": "Use SSL", + "Type": "Bool", + "DependsOn": "", + "DefaultValue": "true", + "Required": true, + "Description": "Select True or False depending on if SSL (HTTPS) should be used to communicate with the camera." 
+ } + ], + "EntryParameters": [ + { + "Name": "CertificateUsage", + "DisplayName": "Certificate Usage", + "Type": "MultipleChoice", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": false, + "OnRemove": false, + "OnReenrollment": false + }, + "Options": ",HTTPS,EAP-TLS-client,TLS-DATE-client", + "Description": "The Certificate Usage to assign to the cert after upload. Can be left blank to be assigned later." + }, + { + "Name": "Name", + "DisplayName": "Name (Alias)", + "Type": "String", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": false, + "OnRemove": false, + "OnReenrollment": true + }, + "Description": "The certificate Alias, entered again." + }, + { + "Name": "Overwrite", + "DisplayName": "Overwrite", + "Type": "Bool", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": false, + "OnRemove": false, + "OnReenrollment": false + }, + "DefaultValue": "false", + "Description": "Select `True` if using an existing Alias name to remove and replace an existing certificate." + } + ], + "ClientMachineDescription": "The IP address of the Camera. Sample is \"192.167.231.174:44444\". Include the port if necessary.", + "StorePathDescription": "Enter the Serial Number of the camera e.g. `068745431065110085`" + }, + { + "Name": "CiscoAsa", + "ShortName": "CiscoAsa", + "Capability": "CiscoAsa", + "LocalStore": false, + "SupportedOperations": { + "Add": true, + "Create": false, + "Discovery": false, + "Enrollment": false, + "Remove": true + }, + "Properties": [ + { + "Name": "CommitToDisk", + "DisplayName": "Commit To Disk", + "Type": "Bool", + "DependsOn": "", + "DefaultValue": "false", + "Required": true, + "IsPAMEligible": false, + "Description": "This controls if you will write to the disk or memory on the device when adding or removing certificates." + }, + { + "Name": "ServerUsername", + "DisplayName": "Server Username", + "Type": "Secret", "DependsOn": "", "DefaultValue": "", "Required": false, 
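Review bot: The Bosch IP Camera entry re-added in this hunk changes `"ShortName": "BIPCamera"` / `"Capability": "BIPCamera"` (removed earlier in the same diff) to `"ShortName": "BoschIPCamera"` / `"Capability": "BoschIPCamera"`; the capability string is what an orchestrator advertises and what Command matches store types on, so stores created under `BIPCamera` will presumably stop matching, and the rename deserves an explicit mention in the changelog or commit message. In the Barracuda WAF entry, `ServerUseSsl` is `"Required": false` while its description documents an HTTP fallback on port 8000, over which the management-API credentials would travel in clear; consider `"Required": true` and a description sentence stating that HTTP is only acceptable on an isolated management network.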
@@ -1663,9 +1997,13 @@ "Remove": true }, "PasswordOptions": { + "Style": "Default", "EntrySupported": false, - "StoreRequired": false, - "Style": "Default" + "StoreRequired": true, + "StorePassword": { + "Description": "Enter a password that matches your Citrix validation rules to encrypt private keys when adding/replacing certificates. Select 'No Value' if you desire an unencrypted private key to be uploaded.", + "IsPAMEligible": true + } }, "Properties": [ { @@ -1696,6 +2034,15 @@ "DefaultValue": "false", "Required": false, "Description": "Determines whether an attempt will be made to link the added certificate (via a Management-Add job) to its issuing CA certificate." + }, + { + "Name": "timeout", + "DisplayName": "Login Timeout in seconds", + "Type": "String", + "DependsOn": "", + "DefaultValue": "3600", + "Required": false, + "Description": "Determines timeout in seconds for all Citrix ADC API calls." } ], "EntryParameters": [ 
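Review bot: The new Citrix `StorePassword.Description` tells the operator to select 'No Value' to upload an unencrypted private key, but the same hunk sets `"StoreRequired": true`; if that flag makes the UI insist on a non-empty password, the 'No Value' branch is unreachable, and if it does not, the description should state plainly that the key is then stored in clear on the ADC. Either way the two settings should be reconciled in this hunk rather than left for the UI to arbitrate.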
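Review bot: The new Citrix property `"Name": "timeout"` is the only lowercase property name in this file (everything else is PascalCase, e.g. `CommitToDisk`, `ServerUseSsl`), and its `DisplayName` says `Login Timeout in seconds` while the description says it applies to `all Citrix ADC API calls` — the two should agree. If the orchestrator reads the property by this exact name, the name cannot be changed here, but the description should say so and state what happens with a non-numeric value, e.g. `"Description": "Timeout in seconds applied to every Citrix ADC API call (including login). Must be a positive integer; default 3600."` A `"Type": "String"` holding a numeric default is consistent with the rest of the file, so that part is fine.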
@@ -1904,53 +2251,7 @@ "Description": "Login password for the F5 Big IQ device." } ], - "EntryParameters": [ - { - "Name": "Alias", - "DisplayName": "Alias (Reenrollment only)", - "Type": "String", - "RequiredWhen": { - "HasPrivateKey": false, - "OnAdd": false, - "OnRemove": false, - "OnReenrollment": true - }, - "DependsOn": "", - "DefaultValue": "", - "Options": "", - "Description": "The name F5 Big IQ uses to identify the certificate" - }, - { - "Name": "Overwrite", - "DisplayName": "Overwrite (Reenrollment only)", - "Type": "Bool", - "RequiredWhen": { - "HasPrivateKey": false, - "OnAdd": false, - "OnRemove": false, - "OnReenrollment": true - }, - "DependsOn": "", - "DefaultValue": "False", - "Options": "", - "Description": "Allow overwriting an existing certificate when reenrolling?" - }, - { - "Name": "SANs", - "DisplayName": "SANs (Reenrollment only)", - "Type": "String", - "RequiredWhen": { - "HasPrivateKey": false, - "OnAdd": false, - "OnRemove": false, - "OnReenrollment": false - }, - "DependsOn": "", - "DefaultValue": "", - "Options": "", - "Description": "External SANs for the requested certificate. Each SAN must be prefixed with the type (DNS: or IP:) and multiple SANs must be delimitted by an ampersand (&). Example: DNS:server.domain.com&IP:127.0.0.1&DNS:server2.domain.com. This is an optional field." - } - ] + "EntryParameters": [] }, { "Name": "F5 CA Profiles REST", @@ -2408,7 +2709,7 @@ } }, "ClientMachineDescription": "The IP address or DNS of the Fortigate server", - "StorePathDescription": "This is not used in this integration, but is a required field in the UI. Just enter any value here" + "StorePathDescription": "Value must contain the VDOM this certificate store will be managing. `root` must be entered to manage the default 'root' VDOM." }, { "Name": "GCP Load Balancer", 
@@ -2447,6 +2748,70 @@ "StorePathDescription": "Your Google Cloud Project ID only if you choose to use global resources. Append a forward slash '/' and valid GCP region to process against a specific [GCP region](https://gist.github.com/rpkim/084046e02fd8c452ba6ddef3a61d5d59).", "EntryParameters": [] }, + { + "Name": "GCPScrtMgr", + "ShortName": "GCPScrtMgr", + "Capability": "GCPScrtMgr", + "ServerRequired": false, + "BlueprintAllowed": true, + "CustomAliasAllowed": "Required", + "PowerShell": false, + "PrivateKeyAllowed": "Optional", + "SupportedOperations": { + "Add": true, + "Create": false, + "Discovery": false, + "Enrollment": false, + "Remove": true + }, + "PasswordOptions": { + "EntrySupported": false, + "StoreRequired": true, + "Style": "Default", + "StorePassword": { + "Description": "Password used to encrypt the private key of ALL certificate secrets. Please see [Certificate Encryption Details](#certificate-encryption-details) for more information", + "IsPAMEligible": true + } + }, + "Properties": [ + { + "Name": "PasswordSecretSuffix", + "DisplayName": "Password Secret Location Suffix", + "Type": "String", + "DependsOn": "", + "DefaultValue": "", + "Required": false, + "IsPAMEligible": false, + "Description": "If storing a certificate with an encrypted private key, this is the suffix to add to the certificate (secret) alias name where the encrypted private key password will be stored. Please see [Certificate Encryption Details](#certificate-encryption-details) for more information" + }, + { + "Name": "IncludeChain", + "DisplayName": "Include Chain", + "Type": "Bool", + "DependsOn": "", + "DefaultValue": "True", + "Required": false, + "IsPAMEligible": false, + "Description": "Determines whether to include the certificate chain when adding a certificate as a secret." 
+ } + ], + "EntryParameters": [ + { + "Name": "tags", + "DisplayName": "Tags", + "Type": "String", + "Description": "One-to-many Organization level tag Key:Value combinations, comma delimited - i.e. tagKey1:tagVal1,tagKey2:tagVal2,...tagKeyN:tagValN", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": false, + "OnRemove": false, + "OnReenrollment": false + } + } + ], + "ClientMachineDescription": "Not used", + "StorePathDescription": "The Project ID of the Google Secret Manager being managed." + }, { "Name": "Google Cloud Provider Apigee", "ShortName": "GcpApigee", @@ -2620,7 +2985,7 @@ "StorePathDescription": "This is the path to the secret containing the store.", "LocalStore": false, "StorePathType": "", - "StorePathValue": "", + "StorePathValue": "example: '/mycerts/certstore.jks?b64cert'", "PrivateKeyAllowed": "Optional", "JobProperties": [], "ServerRequired": true, @@ -2672,9 +3037,18 @@ "DependsOn": "", "DefaultValue": "", "Required": false - } - ], - "EntryParameters": [], + }, + { + "Name": "PassphrasePath", + "DisplayName": "Passphrase Path", + "Type": "String", + "DependsOn": "", + "DefaultValue": "", + "Required": false, + "Description": "This is the path to the secret that contains the passphrase to the cert store file. If empty or omitted, assume the secret is named 'passphrase' on the same level as the certificate store secret." + } + ], + "EntryParameters": [], "PasswordOptions": { "EntrySupported": false, "StoreRequired": false, @@ -2693,7 +3067,7 @@ "StorePathDescription": "This is the path to the secret containing the store.", "LocalStore": false, "StorePathType": "", - "StorePathValue": "", + "StorePathValue": "example: '/mycerts/certstore.p12?b64cert'", "PrivateKeyAllowed": "Optional", "JobProperties": [], "ServerRequired": true, 
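Review bot: Both `StorePassword.Description` and `PasswordSecretSuffix.Description` in the new GCPScrtMgr entry contain the Markdown link `[Certificate Encryption Details](#certificate-encryption-details)`, an in-page README anchor that will render as literal text or a dead link wherever Command displays the description; replace it with `See the 'Certificate Encryption Details' section of the orchestrator README.` The scheme these descriptions sketch — private key encrypted with the store password, and that password written to a secret whose name is the certificate alias plus `PasswordSecretSuffix` in the same project — means any identity that can read the project's secrets can read both; the description should say that the encryption protects the key against exposure of the certificate secret alone, not against a reader of the project.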
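Review bot: In the hunk at `@@ -2620,7 +2985,7 @@`, `"StorePathValue": "example: '/mycerts/certstore.jks?b64cert'"` puts help text into a field that, as far as I can tell, Command uses as the preset store path rather than as documentation, so a new store could be created with the literal string `example: '/mycerts/certstore.jks?b64cert'` as its path; the example belongs in the existing `StorePathDescription` and `StorePathValue` should stay `""`. The same change appears in the hunks at `@@ -2693,7 +3067,7 @@` and `@@ -2846,7 +3229,7 @@` for the `.p12` and `.pfx` variants. The `?b64cert` suffix in the example is not explained anywhere in these descriptions; if it is a modifier the orchestrator parses off the path, `StorePathDescription` should say what it does.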
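Review bot: The `PassphrasePath` property added at `@@ -2672,9 +3037,18 @@` documents a silent fallback — when the field is empty the orchestrator reads a secret named `'passphrase'` beside the certificate store secret — but `StorePathDescription` still only mentions the store secret, so an operator who leaves the field empty does not learn that a second path is read with the same credential; add to `StorePathDescription` a sentence such as `If 'Passphrase Path' is empty, a secret named 'passphrase' at the same level is read for the store passphrase.` The description should also say whether `PassphrasePath` is a full path or a name relative to the store secret, since the two readings give different lookups. The same property with identical wording is added in the hunks at `@@ -2745,6 +3119,15 @@`, `@@ -2898,6 +3281,15 @@` and `@@ -2962,6 +3354,15 @@`.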
@@ -2745,6 +3119,15 @@ "DependsOn": "", "DefaultValue": "", "Required": false + }, + { + "Name": "PassphrasePath", + "DisplayName": "Passphrase Path", + "Type": "String", + "DependsOn": "", + "DefaultValue": "", + "Required": false, + "Description": "This is the path to the secret that contains the passphrase to the cert store file. If empty or omitted, assume the secret is named 'passphrase' on the same level as the certificate store secret." } ], "EntryParameters": [], @@ -2846,7 +3229,7 @@ "StorePathDescription": "This is the path to the secret containing the store.", "LocalStore": false, "StorePathType": "", - "StorePathValue": "", + "StorePathValue": "example: '/mycerts/certstore.pfx?b64cert'", "PrivateKeyAllowed": "Optional", "JobProperties": [], "ServerRequired": true, @@ -2898,6 +3281,15 @@ "DependsOn": "", "DefaultValue": "", "Required": false + }, + { + "Name": "PassphrasePath", + "DisplayName": "Passphrase Path", + "Type": "String", + "DependsOn": "", + "DefaultValue": "", + "Required": false, + "Description": "This is the path to the secret that contains the passphrase to the cert store file. If empty or omitted, assume the secret is named 'passphrase' on the same level as the certificate store secret." } ], "EntryParameters": [], @@ -2962,6 +3354,15 @@ "DependsOn": "", "DefaultValue": "", "Required": true + }, + { + "Name": "PassphrasePath", + "DisplayName": "Passphrase Path", + "Type": "String", + "DependsOn": "", + "DefaultValue": "", + "Required": false, + "Description": "This is the path to the secret that contains the passphrase to the cert store file. If empty or omitted, assume the secret is named 'passphrase' on the same level as the certificate store secret." } ], "EntryParameters": [], 
@@ -3092,7 +3493,7 @@ "DependsOn": "", "DefaultValue": "", "Required": false, - "Description": "Username used to log into the target server for establishing the WinRM session. Example: 'administrator' or 'domain\\username'." + "Description": "Username used to log into the target server for establishing the WinRM session. Example: 'administrator' or 'domain\\username'. (This field is automatically created)" }, { "Name": "ServerPassword", @@ -3101,7 +3502,7 @@ "DependsOn": "", "DefaultValue": "", "Required": false, - "Description": "Password corresponding to the Server Username used to log into the target server. When establishing a SSH session from a Linux environment, the password must include the full SSH Private key." + "Description": "Password corresponding to the Server Username used to log into the target server. When establishing a SSH session from a Linux environment, the password must include the full SSH Private key. (This field is automatically created)" }, { "Name": "ServerUseSsl", @@ -3218,21 +3619,6 @@ "DefaultValue": "", "Options": "", "Description": "Name of the Windows cryptographic service provider to use when generating and storing private keys. For more information, refer to the section 'Using Crypto Service Providers'" - }, - { - "Name": "SAN", - "DisplayName": "SAN", - "Type": "String", - "RequiredWhen": { - "HasPrivateKey": false, - "OnAdd": false, - "OnRemove": false, - "OnReenrollment": true - }, - "DependsOn": "", - "DefaultValue": "", - "Options": "", - "Description": "String value specifying the Subject Alternative Name (SAN) to be used when performing reenrollment jobs. Format as a list of = entries separated by ampersands; Example: 'dns=www.example.com&dns=www.example2.com' for multiple SANs. Can be made optional if RFC 2818 is disabled on the CA." } ], "PasswordOptions": { 
@@ -3283,6 +3669,7 @@ "Name": "K8SCert", "ShortName": "K8SCert", "Capability": "K8SCert", + "ClientMachineDescription": "The Kubernetes cluster name or identifier.", "LocalStore": false, "SupportedOperations": { "Add": false, @@ -3293,31 +3680,34 @@ }, "Properties": [ { - "Name": "KubeNamespace", - "DisplayName": "KubeNamespace", - "Type": "String", + "Name": "ServerUsername", + "DisplayName": "Server Username", + "Description": "This should be no value or `kubeconfig`", + "Type": "Secret", "DependsOn": "", - "DefaultValue": "default", + "DefaultValue": null, "Required": false }, { - "Name": "KubeSecretName", - "DisplayName": "KubeSecretName", - "Type": "String", + "Name": "ServerPassword", + "DisplayName": "Server Password", + "Description": "The credentials to use to connect to the K8S cluster API. This needs to be in `kubeconfig` format. Example: https://github.com/Keyfactor/k8s-orchestrator/tree/main/scripts/kubernetes#example-service-account-json", + "Type": "Secret", "DependsOn": "", "DefaultValue": null, - "Required": false + "Required": true }, { - "Name": "KubeSecretType", - "DisplayName": "KubeSecretType", + "Name": "KubeSecretName", + "DisplayName": "KubeSecretName", + "Description": "The name of a specific CSR to inventory. Leave empty or set to '*' to inventory ALL issued CSRs in the cluster.", "Type": "String", "DependsOn": "", - "DefaultValue": "cert", - "Required": true + "DefaultValue": "", + "Required": false } ], - "EntryParameters": null, + "EntryParameters": [], "PasswordOptions": { "EntrySupported": false, "StoreRequired": false, @@ -3336,6 +3726,7 @@ "Name": "K8SCluster", "ShortName": "K8SCluster", "Capability": "K8SCluster", + "ClientMachineDescription": "This can be anything useful, recommend using the k8s cluster name or identifier.", "LocalStore": false, "SupportedOperations": { "Add": true, 
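Review bot: In the K8SCert hunk (`@@ -3293,31 +3680,34 @@`), `KubeSecretName` keeps its name but its new description says it selects 'a specific CSR to inventory', so the property name no longer matches what it holds; if the orchestrator reads it by this name the name must stay, but the description should at least say what kind of object it is, e.g. `"Description": "Name of the Kubernetes CertificateSigningRequest to inventory. Leave empty or set to '*' to inventory all issued CSRs."` `ServerPassword` now carries a complete kubeconfig, i.e. a long-lived cluster credential with whatever rights its service account has; the description should state the minimum RBAC this store type needs (here, presumably get/list on CertificateSigningRequest objects) so operators do not paste a cluster-admin kubeconfig. The same `ServerUsername`/`ServerPassword` pair with identical wording is added to K8SCluster, K8SJKS, K8SNS and K8SPKCS12 in the following hunks; one least-privilege sentence, adjusted per type, would fit all of them.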
@@ -3345,22 +3736,44 @@ "Remove": true }, "Properties": [ + { + "Name": "IncludeCertChain", + "DisplayName": "Include Certificate Chain", + "Type": "Bool", + "DependsOn": null, + "DefaultValue": "true", + "Required": false, + "Description": "Will default to `true` if not set. If set to `false` only the leaf cert will be deployed. Note: If the certificate in Keyfactor Command does not have a private key, it will be sent in DER format (leaf certificate only), and the chain cannot be included regardless of this setting." + }, { "Name": "SeparateChain", - "DisplayName": "Separate Certificate Chain", + "DisplayName": "Separate Chain", "Type": "Bool", + "DependsOn": null, "DefaultValue": "false", + "Required": false, + "Description": "Will default to `false` if not set. Set this to `true` if you want to deploy certificate chain to the `ca.crt` field for Opaque and tls secrets." + }, + { + "Name": "ServerUsername", + "DisplayName": "Server Username", + "Description": "This should be no value or `kubeconfig`", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": null, "Required": false }, { - "Name": "IncludeCertChain", - "DisplayName": "Include Certificate Chain", - "Type": "Bool", - "DefaultValue": "true", + "Name": "ServerPassword", + "DisplayName": "Server Password", + "Description": "The credentials to use to connect to the K8S cluster API. This needs to be in `kubeconfig` format. Example: https://github.com/Keyfactor/k8s-orchestrator/tree/main/scripts/kubernetes#example-service-account-json", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": null, "Required": false } ], - "EntryParameters": null, + "EntryParameters": [], "PasswordOptions": { "EntrySupported": false, "StoreRequired": false, @@ -3379,6 +3792,7 @@ "Name": "K8SJKS", "ShortName": "K8SJKS", "Capability": "K8SJKS", + "ClientMachineDescription": "This can be anything useful, recommend using the k8s cluster name or identifier.", "LocalStore": false, "SupportedOperations": { "Add": true, 
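Review bot: Within the one K8SCluster `Properties` array this hunk writes `"DependsOn": null` on `IncludeCertChain` and `SeparateChain` but `"DependsOn": ""` on `ServerUsername` and `ServerPassword`, and `"DefaultValue": null` on the secrets while string properties use `""`; a consumer that treats `null` and `""` differently will see two kinds of "unset" in the same object, so pick one (the rest of the file mostly uses `""`) and apply it to all four. The same mix recurs in the K8SJKS, K8SNS and K8SPKCS12 hunks at `@@ -3430,25 +3849,54 @@`, `@@ -3476,27 +3925,50 @@` and `@@ -3525,12 +3998,13 @@`. The `DisplayName` change from `Separate Certificate Chain` to `Separate Chain` is cosmetic but is only made here and in K8SNS; if it is deliberate it should be applied wherever the property exists.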
@@ -3391,6 +3805,7 @@ { "Name": "KubeNamespace", "DisplayName": "KubeNamespace", + "Description": "The K8S namespace to use to manage the K8S secret object.", "Type": "String", "DependsOn": "", "DefaultValue": "default", @@ -3399,6 +3814,7 @@ { "Name": "KubeSecretName", "DisplayName": "KubeSecretName", + "Description": "The name of the K8S secret object.", "Type": "String", "DependsOn": "", "DefaultValue": null, @@ -3407,22 +3823,25 @@ { "Name": "KubeSecretType", "DisplayName": "KubeSecretType", + "Description": "DEPRECATED: This property is deprecated and will be removed in a future release. The secret type is now automatically derived from the store type. This defaults to and must be `jks`.", "Type": "String", "DependsOn": "", "DefaultValue": "jks", - "Required": true + "Required": false }, { "Name": "CertificateDataFieldName", "DisplayName": "CertificateDataFieldName", + "Description": "The field name to use when looking for certificate data in the K8S secret.", "Type": "String", "DependsOn": "", - "DefaultValue": ".jks", - "Required": true + "DefaultValue": null, + "Required": false }, { "Name": "PasswordFieldName", "DisplayName": "PasswordFieldName", + "Description": "The field name to use when looking for the JKS keystore password in the K8S secret. This is either the field name to look at on the same secret, or if `PasswordIsK8SSecret` is set to `true`, the field name to look at on the secret specified in `StorePasswordPath`.", "Type": "String", "DependsOn": "", "DefaultValue": "password", 
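Review bot: In the K8SJKS hunk at `@@ -3407,22 +3823,25 @@`, `CertificateDataFieldName` changes from `"DefaultValue": ".jks"` / `"Required": true` to `"DefaultValue": null` / `"Required": false`, but the new description ("The field name to use when looking for certificate data in the K8S secret.") does not say what the orchestrator does when the value is empty; since the old default was a concrete field name, the description should state the fallback, e.g. `"Description": "The field name to use when looking for certificate data in the K8S secret. If empty, <state the fallback the orchestrator applies>."` with the placeholder filled from the orchestrator code. Existing stores that relied on the old `.jks` default are affected only if that fallback differs, which is worth a line in the changelog either way.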
@@ -3430,25 +3849,54 @@ }, { "Name": "PasswordIsK8SSecret", - "DisplayName": "Password Is K8S Secret", + "DisplayName": "PasswordIsK8SSecret", + "Description": "Indicates whether the password to the JKS keystore is stored in a separate K8S secret.", "Type": "Bool", "DependsOn": "", "DefaultValue": "false", "Required": false }, + { + "Name": "IncludeCertChain", + "DisplayName": "Include Certificate Chain", + "Type": "Bool", + "DependsOn": null, + "DefaultValue": "true", + "Required": false, + "Description": "Will default to `true` if not set. If set to `false` only the leaf cert will be deployed. Note: If the certificate in Keyfactor Command does not have a private key, it will be sent in DER format (leaf certificate only), and the chain cannot be included regardless of this setting." + }, { "Name": "StorePasswordPath", "DisplayName": "StorePasswordPath", + "Description": "The path to the K8S secret object to use as the password to the JKS keystore. Example: `/`", "Type": "String", "DependsOn": "", "DefaultValue": null, "Required": false + }, + { + "Name": "ServerUsername", + "DisplayName": "Server Username", + "Description": "This should be no value or `kubeconfig`", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": null, + "Required": false + }, + { + "Name": "ServerPassword", + "DisplayName": "Server Password", + "Description": "The credentials to use to connect to the K8S cluster API. This needs to be in `kubeconfig` format. Example: https://github.com/Keyfactor/k8s-orchestrator/tree/main/scripts/kubernetes#example-service-account-json", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": null, + "Required": false } ], - "EntryParameters": null, + "EntryParameters": [], "PasswordOptions": { "EntrySupported": false, - "StoreRequired": false, + "StoreRequired": true, "Style": "Default" }, "StorePathType": "", 
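Review bot: `PasswordOptions.StoreRequired` flips from `false` to `true` for K8SJKS in this hunk (and for K8SPKCS12 at `@@ -3567,24 +4044,53 @@`), which makes a store password mandatory even though the same entry offers `PasswordIsK8SSecret` / `StorePasswordPath` as a way to read the keystore password from a separate Kubernetes secret; if that alternative is still supported, the two settings conflict, and if it is not, the descriptions of those two properties should say they are ignored. The `StorePasswordPath` description's `Example: `/`` has lost its placeholder tokens in rendering and should be rewritten bracket-free, e.g. `Example: namespace/secret-name`; the same text appears in the K8SPKCS12 hunk. `PasswordIsK8SSecret`'s `DisplayName` is changed here to `PasswordIsK8SSecret` while the K8SPKCS12 copy at `@@ -3551,6 +4026,7 @@` keeps `Password Is K8S Secret`; the two store types should agree.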
@@ -3464,6 +3912,7 @@ "Name": "K8SNS", "ShortName": "K8SNS", "Capability": "K8SNS", + "ClientMachineDescription": "This can be anything useful, recommend using the k8s cluster name or identifier.", "LocalStore": false, "SupportedOperations": { "Add": true, 
@@ -3476,27 +3925,50 @@ { "Name": "KubeNamespace", "DisplayName": "Kube Namespace", + "Description": "The K8S namespace to use to manage the K8S secret object.", "Type": "String", "DependsOn": "", "DefaultValue": "default", "Required": false }, + { + "Name": "IncludeCertChain", + "DisplayName": "Include Certificate Chain", + "Type": "Bool", + "DependsOn": null, + "DefaultValue": "true", + "Required": false, + "Description": "Will default to `true` if not set. If set to `false` only the leaf cert will be deployed. Note: If the certificate in Keyfactor Command does not have a private key, it will be sent in DER format (leaf certificate only), and the chain cannot be included regardless of this setting." + }, { "Name": "SeparateChain", - "DisplayName": "Separate Certificate Chain", + "DisplayName": "Separate Chain", "Type": "Bool", + "DependsOn": null, "DefaultValue": "false", + "Required": false, + "Description": "Will default to `false` if not set. Set this to `true` if you want to deploy certificate chain to the `ca.crt` field for Opaque and tls secrets." + }, + { + "Name": "ServerUsername", + "DisplayName": "Server Username", + "Description": "This should be no value or `kubeconfig`", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": null, "Required": false }, { - "Name": "IncludeCertChain", - "DisplayName": "Include Certificate Chain", - "Type": "Bool", - "DefaultValue": "true", + "Name": "ServerPassword", + "DisplayName": "Server Password", + "Description": "The credentials to use to connect to the K8S cluster API. This needs to be in `kubeconfig` format. Example: https://github.com/Keyfactor/k8s-orchestrator/tree/main/scripts/kubernetes#example-service-account-json", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": null, "Required": false } ], - "EntryParameters": null, + "EntryParameters": [], "PasswordOptions": { "EntrySupported": false, "StoreRequired": false, 
@@ -3515,6 +3987,7 @@ "Name": "K8SPKCS12", "ShortName": "K8SPKCS12", "Capability": "K8SPKCS12", + "ClientMachineDescription": "This can be anything useful, recommend using the k8s cluster name or identifier.", "LocalStore": false, "SupportedOperations": { "Add": true, @@ -3525,12 +3998,13 @@ }, "Properties": [ { - "Name": "KubeSecretType", - "DisplayName": "Kube Secret Type", - "Type": "String", - "DependsOn": "", - "DefaultValue": "pkcs12", - "Required": true + "Name": "IncludeCertChain", + "DisplayName": "Include Certificate Chain", + "Type": "Bool", + "DependsOn": null, + "DefaultValue": "true", + "Required": false, + "Description": "Will default to `true` if not set. If set to `false` only the leaf cert will be deployed. Note: If the certificate in Keyfactor Command does not have a private key, it will be sent in DER format (leaf certificate only), and the chain cannot be included regardless of this setting." }, { "Name": "CertificateDataFieldName", @@ -3543,6 +4017,7 @@ { "Name": "PasswordFieldName", "DisplayName": "Password Field Name", + "Description": "The field name to use when looking for the PKCS12 keystore password in the K8S secret. This is either the field name to look at on the same secret, or if `PasswordIsK8SSecret` is set to `true`, the field name to look at on the secret specified in `StorePasswordPath`.", "Type": "String", "DependsOn": "", "DefaultValue": "password", @@ -3551,6 +4026,7 @@ { "Name": "PasswordIsK8SSecret", "DisplayName": "Password Is K8S Secret", + "Description": "Indicates whether the password to the PKCS12 keystore is stored in a separate K8S secret object.", "Type": "Bool", "DependsOn": "", "DefaultValue": "false", @@ -3559,6 +4035,7 @@ { "Name": "KubeNamespace", "DisplayName": "Kube Namespace", + "Description": "The K8S namespace to use to manage the K8S secret object.", "Type": "String", "DependsOn": "", "DefaultValue": "default", 
@@ -3567,24 +4044,53 @@ { "Name": "KubeSecretName", "DisplayName": "Kube Secret Name", + "Description": "The name of the K8S secret object.", "Type": "String", "DependsOn": "", "DefaultValue": null, "Required": false }, + { + "Name": "ServerUsername", + "DisplayName": "Server Username", + "Description": "This should be no value or `kubeconfig`", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": null, + "Required": false + }, + { + "Name": "ServerPassword", + "DisplayName": "Server Password", + "Description": "The credentials to use to connect to the K8S cluster API. This needs to be in `kubeconfig` format. Example: https://github.com/Keyfactor/k8s-orchestrator/tree/main/scripts/kubernetes#example-service-account-json", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": null, + "Required": false + }, + { + "Name": "KubeSecretType", + "DisplayName": "Kube Secret Type", + "Description": "DEPRECATED: This property is deprecated and will be removed in a future release. The secret type is now automatically derived from the store type. This defaults to and must be `pkcs12`.", + "Type": "String", + "DependsOn": "", + "DefaultValue": "pkcs12", + "Required": false + }, { "Name": "StorePasswordPath", "DisplayName": "StorePasswordPath", + "Description": "The path to the K8S secret object to use as the password to the PFX/PKCS12 data. Example: `/`", "Type": "String", "DependsOn": "", "DefaultValue": null, "Required": false } ], - "EntryParameters": null, + "EntryParameters": [], "PasswordOptions": { "EntrySupported": false, - "StoreRequired": false, + "StoreRequired": true, "Style": "Default" }, "StorePathType": "", @@ -3600,6 +4106,7 @@ "Name": "K8SSecret", "ShortName": "K8SSecret", "Capability": "K8SSecret", + "ClientMachineDescription": "This can be anything useful, recommend using the k8s cluster name or identifier.", "LocalStore": false, "SupportedOperations": { "Add": true, 
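Review bot: The new StorePasswordPath description's example reads as a bare `/`, which looks like angle-bracket placeholders were stripped; spell it out, e.g. `Example: namespace/secret-name (the K8S secret holding the PKCS12 password).` In the same hunk PasswordOptions.StoreRequired flips to `true`, while PasswordIsK8SSecret and StorePasswordPath still describe reading the keystore password from a separate K8S secret — if that mode is still supported, a mandatory Command-side store password is contradictory, or at minimum the text should say which value wins when both are present. I cannot tell from this file which one the orchestrator honours, so either keep StoreRequired `false` or add the precedence to the StorePasswordPath description. The Properties array being edited starts before this hunk.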
@@ -3612,6 +4119,7 @@ { "Name": "KubeNamespace", "DisplayName": "KubeNamespace", + "Description": "The K8S namespace to use to manage the K8S secret object.", "Type": "String", "DependsOn": "", "DefaultValue": null, @@ -3620,6 +4128,7 @@ { "Name": "KubeSecretName", "DisplayName": "KubeSecretName", + "Description": "The name of the K8S secret object.", "Type": "String", "DependsOn": "", "DefaultValue": null, 
@@ -3628,27 +4137,50 @@ { "Name": "KubeSecretType", "DisplayName": "KubeSecretType", + "Description": "DEPRECATED: This property is deprecated and will be removed in a future release. The secret type is now automatically derived from the store type. This defaults to and must be `secret`.", "Type": "String", "DependsOn": "", "DefaultValue": "secret", - "Required": true + "Required": false + }, + { + "Name": "IncludeCertChain", + "DisplayName": "Include Certificate Chain", + "Type": "Bool", + "DependsOn": null, + "DefaultValue": "true", + "Required": false, + "Description": "Will default to `true` if not set. If set to `false` only the leaf cert will be deployed. Note: If the certificate in Keyfactor Command does not have a private key, it will be sent in DER format (leaf certificate only), and the chain cannot be included regardless of this setting." }, { "Name": "SeparateChain", - "DisplayName": "Separate Certificate Chain", + "DisplayName": "Separate Chain", "Type": "Bool", + "DependsOn": null, "DefaultValue": "false", + "Required": false, + "Description": "Will default to `false` if not set. Set this to `true` if you want to deploy certificate chain to the `ca.crt` field for Opaque and tls secrets." + }, + { + "Name": "ServerUsername", + "DisplayName": "Server Username", + "Description": "This should be no value or `kubeconfig`", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": null, "Required": false }, { - "Name": "IncludeCertChain", - "DisplayName": "Include Certificate Chain", - "Type": "Bool", - "DefaultValue": "true", + "Name": "ServerPassword", + "DisplayName": "Server Password", + "Description": "The credentials to use to connect to the K8S cluster API. This needs to be in `kubeconfig` format. 
Example: https://github.com/Keyfactor/k8s-orchestrator/tree/main/scripts/kubernetes#example-service-account-json", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": null, "Required": false } ], - "EntryParameters": null, + "EntryParameters": [], "PasswordOptions": { "EntrySupported": false, "StoreRequired": false, @@ -3667,6 +4199,7 @@ "Name": "K8STLSSecr", "ShortName": "K8STLSSecr", "Capability": "K8STLSSecr", + "ClientMachineDescription": "This can be anything useful, recommend using the k8s cluster name or identifier.", "LocalStore": false, "SupportedOperations": { "Add": true, @@ -3679,6 +4212,7 @@ { "Name": "KubeNamespace", "DisplayName": "KubeNamespace", + "Description": "The K8S namespace to use to manage the K8S secret object.", "Type": "String", "DependsOn": "", "DefaultValue": null, @@ -3687,6 +4221,7 @@ { "Name": "KubeSecretName", "DisplayName": "KubeSecretName", + "Description": "The name of the K8S secret object.", "Type": "String", "DependsOn": "", "DefaultValue": null, 
@@ -3695,27 +4230,50 @@ { "Name": "KubeSecretType", "DisplayName": "KubeSecretType", + "Description": "DEPRECATED: This property is deprecated and will be removed in a future release. The secret type is now automatically derived from the store type. This defaults to and must be `tls_secret`.", "Type": "String", "DependsOn": "", "DefaultValue": "tls_secret", - "Required": true + "Required": false + }, + { + "Name": "IncludeCertChain", + "DisplayName": "Include Certificate Chain", + "Type": "Bool", + "DependsOn": null, + "DefaultValue": "true", + "Required": false, + "Description": "Will default to `true` if not set. If set to `false` only the leaf cert will be deployed. Note: If the certificate in Keyfactor Command does not have a private key, it will be sent in DER format (leaf certificate only), and the chain cannot be included regardless of this setting." }, { "Name": "SeparateChain", - "DisplayName": "Separate Certificate Chain", + "DisplayName": "Separate Chain", "Type": "Bool", + "DependsOn": null, "DefaultValue": "false", + "Required": false, + "Description": "Will default to `false` if not set. Set this to `true` if you want to deploy certificate chain to the `ca.crt` field for Opaque and tls secrets." + }, + { + "Name": "ServerUsername", + "DisplayName": "Server Username", + "Description": "This should be no value or `kubeconfig`", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": null, "Required": false }, { - "Name": "IncludeCertChain", - "DisplayName": "Include Certificate Chain", - "Type": "Bool", - "DefaultValue": "true", + "Name": "ServerPassword", + "DisplayName": "Server Password", + "Description": "The credentials to use to connect to the K8S cluster API. This needs to be in `kubeconfig` format. 
Example: https://github.com/Keyfactor/k8s-orchestrator/tree/main/scripts/kubernetes#example-service-account-json", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": null, "Required": false } ], - "EntryParameters": null, + "EntryParameters": [], "PasswordOptions": { "EntrySupported": false, "StoreRequired": false, @@ -3730,6 +4288,65 @@ "BlueprintAllowed": false, "CustomAliasAllowed": "Forbidden" }, + { + "Name": "Kemp", + "ShortName": "Kemp", + "Capability": "Kemp", + "LocalStore": false, + "SupportedOperations": { + "Add": true, + "Create": false, + "Discovery": false, + "Enrollment": false, + "Remove": true + }, + "Properties": [ + { + "Name": "ServerUsername", + "DisplayName": "Server Username", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": "", + "Required": false, + "IsPAMEligible": true, + "Description": "Not used." + }, + { + "Name": "ServerPassword", + "DisplayName": "Server Password", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": "", + "Required": false, + "IsPAMEligible": true, + "Description": "Kemp Api Password. (or valid PAM key if the username is stored in a KF Command configured PAM integration)." + }, + { + "Name": "ServerUseSsl", + "DisplayName": "Use SSL", + "Type": "Bool", + "DependsOn": "", + "DefaultValue": "true", + "Required": true, + "IsPAMEligible": false, + "Description": "Should be true, http is not supported." + } + ], + "EntryParameters": [], + "ClientMachineDescription": "Kemp Load Balancer Client Machine and port example TestKemp:8443.", + "StorePathDescription": "Not used just put a /", + "PasswordOptions": { + "EntrySupported": false, + "StoreRequired": false, + "Style": "Default" + }, + "PrivateKeyAllowed": "Optional", + "JobProperties": [], + "ServerRequired": true, + "PowerShell": false, + "BlueprintAllowed": false, + "CustomAliasAllowed": "Required" + }, { "Name": "MyOrchestratorStoreType", "ShortName": "MOST", 
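Review bot: The Kemp ServerUsername is described as `Not used.` yet is flagged `IsPAMEligible: true`, and the ServerPassword text says the PAM key applies `if the username is stored in a KF Command configured PAM integration`, which contradicts the username being unused; tighten both, e.g. `"Description": "Not used by the Kemp API; leave blank."` and `"Description": "Kemp API password, or the PAM-resolved secret when this field is bound to a Keyfactor Command PAM provider."`. ServerUseSsl says `http is not supported` but remains a user-editable Bool; if the orchestrator genuinely refuses `false`, state it (`Must be true; jobs fail over plain HTTP.`) so an operator does not treat HTTP as a working fallback. The `StorePathDescription` `Not used just put a /` would read better as `Not used by this store type; enter /.`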
@@ -4035,7 +4652,7 @@ "Add": true, "Create": true, "Discovery": true, - "Enrollment": false, + "Enrollment": true, "Remove": true }, "PasswordOptions": { @@ -4122,15 +4739,6 @@ "DefaultValue": "False", "Description": "Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations." }, - { - "Name": "FileTransferProtocol", - "DisplayName": "File Transfer Protocol to Use", - "Required": false, - "DependsOn": "", - "Type": "MultipleChoice", - "DefaultValue": ",SCP,SFTP,Both", - "Description": "Which protocol should be used when uploading/downloading files - SCP, SFTP, or Both (try one, and then if necessary, the other). Overrides FileTransferProtocol [config.json](#post-installation) setting." - }, { "Name": "SSHPort", "DisplayName": "SSH Port", @@ -4167,7 +4775,7 @@ "Add": true, "Create": true, "Discovery": true, - "Enrollment": false, + "Enrollment": true, "Remove": true }, "PasswordOptions": { @@ -4245,15 +4853,6 @@ "DefaultValue": "False", "Description": "Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations." }, - { - "Name": "FileTransferProtocol", - "DisplayName": "File Transfer Protocol to Use", - "Required": false, - "DependsOn": "", - "Type": "MultipleChoice", - "DefaultValue": ",SCP,SFTP,Both", - "Description": "Which protocol should be used when uploading/downloading files - SCP, SFTP, or Both (try one, and then if necessary, the other). Overrides FileTransferProtocol [config.json](#post-installation) setting." - }, { "Name": "SSHPort", "DisplayName": "SSH Port", 
@@ -4271,6 +4870,15 @@ "Type": "Bool", "DefaultValue": "True", "Description": "Recommended to be set to the default value of 'Y'. For a detailed explanation of this setting, please refer to [Use Shell Commands Setting](#use-shell-commands-setting)" + }, + { + "Name": "PostJobApplicationRestart", + "DisplayName": "Post Job Application Restart", + "Required": false, + "DependsOn": "", + "Type": "MultipleChoice", + "DefaultValue": "Apache Tomcat Restart,Jetty Restart", + "Description": "Select the command to be run after a Management Add or ODKG job executes. Leave unselected if no command is desired." } ], "EntryParameters": [], @@ -4368,15 +4976,6 @@ "DefaultValue": "False", "Description": "Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations." }, - { - "Name": "FileTransferProtocol", - "DisplayName": "File Transfer Protocol to Use", - "Required": false, - "DependsOn": "", - "Type": "MultipleChoice", - "DefaultValue": ",SCP,SFTP,Both", - "Description": "Which protocol should be used when uploading/downloading files - SCP, SFTP, or Both (try one, and then if necessary, the other). Overrides FileTransferProtocol [config.json](#post-installation) setting." - }, { "Name": "SSHPort", "DisplayName": "SSH Port", @@ -4500,15 +5099,6 @@ "DefaultValue": "False", "Description": "Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations." }, - { - "Name": "FileTransferProtocol", - "DisplayName": "File Transfer Protocol to Use", - "Required": false, - "DependsOn": "", - "Type": "MultipleChoice", - "DefaultValue": ",SCP,SFTP,Both", - "Description": "Which protocol should be used when uploading/downloading files - SCP, SFTP, or Both (try one, and then if necessary, the other). Overrides FileTransferProtocol [config.json](#post-installation) setting." - }, { "Name": "SSHPort", "DisplayName": "SSH Port", 
@@ -4545,7 +5135,7 @@ "Add": true, "Create": true, "Discovery": true, - "Enrollment": false, + "Enrollment": true, "Remove": true }, "PasswordOptions": { @@ -4659,15 +5249,6 @@ "DefaultValue": "False", "Description": "Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations." }, - { - "Name": "FileTransferProtocol", - "DisplayName": "File Transfer Protocol to Use", - "Required": false, - "DependsOn": "", - "Type": "MultipleChoice", - "DefaultValue": ",SCP,SFTP,Both", - "Description": "Which protocol should be used when uploading/downloading files - SCP, SFTP, or Both (try one, and then if necessary, the other). Overrides FileTransferProtocol [config.json](#post-installation) setting." - }, { "Name": "SSHPort", "DisplayName": "SSH Port", @@ -4685,6 +5266,15 @@ "Type": "Bool", "DefaultValue": "True", "Description": "Recommended to be set to the default value of 'Y'. For a detailed explanation of this setting, please refer to [Use Shell Commands Setting](#use-shell-commands-setting)" + }, + { + "Name": "PostJobApplicationRestart", + "DisplayName": "Post Job Application Restart", + "Required": false, + "DependsOn": "", + "Type": "MultipleChoice", + "DefaultValue": "Apache HTTPD Restart,NGNIX Restart,HAProxy Restart,Envoy Proxy Restart", + "Description": "Select the command to be run after a Management Add or ODKG job executes. Leave unselected if no command is desired." } ], "EntryParameters": [], @@ -4704,7 +5294,7 @@ "Add": true, "Create": true, "Discovery": true, - "Enrollment": false, + "Enrollment": true, "Remove": true }, "PasswordOptions": { 
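Review bot: The new PostJobApplicationRestart description names neither the command each option executes nor the account it runs under, which operators need in order to scope sudo or service-restart rights for the Server Username on the target; it is presumably executed over the same session as the job, but that is not visible in this file. Add a sentence such as `Each option runs the corresponding service-restart command on the target host as the store's Server Username; grant that account only the restart privilege it needs.` The option label `NGNIX Restart` is also misspelled (NGINX); because this string is the value the orchestrator likely matches on, correct it together with the matching code rather than in this file alone. The store definition this hunk edits starts before it.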
@@ -4782,15 +5372,6 @@ "DefaultValue": "False", "Description": "Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations." }, - { - "Name": "FileTransferProtocol", - "DisplayName": "File Transfer Protocol to Use", - "Required": false, - "DependsOn": "", - "Type": "MultipleChoice", - "DefaultValue": ",SCP,SFTP,Both", - "Description": "Which protocol should be used when uploading/downloading files - SCP, SFTP, or Both (try one, and then if necessary, the other). Overrides FileTransferProtocol [config.json](#post-installation) setting." - }, { "Name": "SSHPort", "DisplayName": "SSH Port", @@ -4819,8 +5400,8 @@ "ShortName": "SOS", "Capability": "SOS", "LocalStore": false, - "StorePathDescription": "Path points to a local .json file. Orchestrator and its account should have read/write access.", - "ClientMachineDescription": "Runs on a Windows based machine.", + "StorePathDescription": "The name of the store as defined in the SOS system (i.e. SampleKeyStore2).", + "ClientMachineDescription": "The base URL of the SOS API (i.e. http://localhost:8080)", "SupportedOperations": { "Add": true, "Create": true, @@ -4871,7 +5452,7 @@ "HasPrivateKey": false, "OnAdd": false, "OnRemove": false, - "OnReenrollment": false + "OnReenrollment": true }, "Description": "SAN string." }, @@ -4918,14 +5499,14 @@ ], "PasswordOptions": { "EntrySupported": true, - "StoreRequired": false, + "StoreRequired": true, "Style": "Default" }, "PrivateKeyAllowed": "Optional", "ServerRequired": true, "PowerShell": false, "BlueprintAllowed": true, - "CustomAliasAllowed": "Optional" + "CustomAliasAllowed": "Forbidden" }, { "Name": "Signum", 
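Review bot: The new SOS ClientMachineDescription gives `http://localhost:8080` as the example base URL while the same commit makes PasswordOptions.StoreRequired `true` for this type, so following the example verbatim would send the store password to the SOS API in cleartext; prefer an HTTPS example plus a caveat, e.g. `The base URL of the SOS API, e.g. https://sos.example.com. Use HTTPS; over plain HTTP the store credentials are sent unencrypted.` In both new descriptions `i.e.` should be `e.g.`, since these are examples rather than definitions. The flip of CustomAliasAllowed from `Optional` to `Forbidden` may reject existing stores that were created with a custom alias; if so, that deserves a changelog line, though whether the importer enforces it retroactively is not visible here.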
@@ -4974,6 +5555,127 @@ "Style": "Default" } }, + { + "Name": "A10 Thunder Management Certificates", + "ShortName": "ThunderMgmt", + "Capability": "ThunderMgmt", + "LocalStore": false, + "SupportedOperations": { + "Add": true, + "Create": false, + "Discovery": false, + "Enrollment": false, + "Remove": true + }, + "Properties": [ + { + "Name": "OrchToScpServerIp", + "DisplayName": "Orch To Scp Server Ip", + "Type": "String", + "DependsOn": "", + "DefaultValue": "", + "Required": true, + "Description": "IP address or hostname of the SCP server that the Universal Orchestrator will connect to for uploading certificate files. This SCP server acts as an intermediary storage location before the A10 device retrieves the certificates." + }, + { + "Name": "ScpPort", + "DisplayName": "Port Used For Scp", + "Type": "String", + "DependsOn": "", + "DefaultValue": "", + "Required": true, + "Description": "TCP port number used for SSH/SCP connections to the SCP server. Typically port 22 for standard SSH/SCP operations." + }, + { + "Name": "ScpUserName", + "DisplayName": "UserName Used For Scp", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": "", + "Required": true, + "Description": "Username credential for authenticating to the SCP server. This account must have write permissions to the target directory path specified in the certificate store configuration. Supports PAM integration for secure credential retrieval." + }, + { + "Name": "ScpPassword", + "DisplayName": "Password Used For Scp", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": "", + "Required": true, + "Description": "Password credential for authenticating to the SCP server. Used in conjunction with ScpUserName for SSH/SCP authentication. Supports PAM integration for secure credential retrieval." 
+ }, + { + "Name": "A10ToScpServerIp", + "DisplayName": "A10 Device To Scp Server Ip", + "Type": "String", + "DependsOn": "", + "DefaultValue": "", + "Required": true, + "Description": "IP address or hostname that the A10 vThunder device uses to connect to the SCP server for retrieving certificate files. This may differ from OrchToScpServerIp due to network topology, routing, or firewall configurations where the A10 device and orchestrator access the SCP server through different network paths." + }, + { + "Name": "allowInvalidCert", + "DisplayName": "Allow Invalid Cert on A10 Management API", + "Type": "Bool", + "DependsOn": "", + "DefaultValue": "true", + "Required": true, + "Description": "Boolean value specifying whether to allow connections to the A10 vThunder management API when it presents an invalid or self-signed SSL/TLS certificate. Set to true to bypass certificate validation for AXAPI connections used during the certificate installation process." + } + ], + "EntryParameters": [], + "PasswordOptions": { + "EntrySupported": false, + "StoreRequired": false, + "Style": "Default" + }, + "StorePathValue": "", + "ClientMachineDescription": "Hostname or IP address of the A10 vThunder appliance to be managed. The orchestrator will establish an AXAPI (REST API) connection using the credentials specified in the Server Username and Server Password fields to trigger certificate installation on the management interface after uploading files via SCP.", + "StorePathDescription": "Absolute directory path on the SCP server where certificate files (.crt and .key) will be uploaded. The A10 device will retrieve certificate files from this location. Example: '/home/certuser'. 
The specified path must exist and the SCP user must have write permissions to this directory.", + "PrivateKeyAllowed": "Required", + "ServerRequired": true, + "PowerShell": false, + "BlueprintAllowed": false, + "CustomAliasAllowed": "Required" + }, + { + "Name": "A10 Thunder Ssl Certificates", + "ShortName": "ThunderSsl", + "Capability": "ThunderSsl", + "LocalStore": false, + "SupportedOperations": { + "Add": true, + "Create": false, + "Discovery": false, + "Enrollment": false, + "Remove": true + }, + "Properties": [ + { + "Name": "allowInvalidCert", + "DisplayName": "Allow Invalid Cert on A10 Management API", + "Type": "Bool", + "DependsOn": "", + "DefaultValue": "true", + "Required": true, + "Description": "Boolean value specifying whether to allow connections to the A10 vThunder management API when it presents an invalid or self-signed SSL/TLS certificate. Set to true to bypass certificate validation for AXAPI connections." + } + ], + "EntryParameters": [], + "PasswordOptions": { + "EntrySupported": false, + "StoreRequired": false, + "Style": "Default" + }, + "StorePathValue": "", + "ClientMachineDescription": "Hostname or IP address of the A10 vThunder appliance to be managed. The orchestrator will establish an AXAPI (REST API) connection using the credentials specified in the Server Username and Server Password fields to manage SSL certificates directly on the device.", + "StorePathDescription": "A10 partition name where certificates will be managed. Use 'shared' for the default shared partition, or specify a custom partition name (e.g., 'tenant-prod') for multi-tenant deployments. The partition must already exist on the A10 device. Leave empty to default to the shared partition.", + "PrivateKeyAllowed": "Optional", + "ServerRequired": true, + "PowerShell": false, + "BlueprintAllowed": false, + "CustomAliasAllowed": "Required" + }, { "Name": "VMware-NSX", "ShortName": "VMware-NSX", 
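Review bot: `allowInvalidCert` defaults to `"true"` on both ThunderMgmt and ThunderSsl, so out of the box the orchestrator sends the Server Username/Password — and, for ThunderMgmt, the uploaded `.key` material referenced in StorePathDescription — to an AXAPI endpoint whose TLS certificate is never verified, exposing those credentials to an on-path attacker; set `"DefaultValue": "false"` and extend the description with `Enable only for lab appliances with self-signed certificates; in production install a trusted certificate on the A10 management interface instead.` The ScpUserName and ScpPassword descriptions claim PAM support, but unlike the Kemp entry in this file they carry no `IsPAMEligible` flag, so whether the claim holds depends on the importer, which is not visible here. Nothing in either store type indicates whether the SCP server's host key is verified; if it is not, say so in the OrchToScpServerIp description so operators understand the staged certificate and key could be delivered to a spoofed host.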
@@ -5035,6 +5737,105 @@ "ClientMachineDescription": "This is the URL for the VMware NSX instance. It also includes an optional tenant in square brackets before the URL. A tenant value is required when the certificates being managed are in a different tenant from the default tenant set for the NSX User specified for the store. This should look like either: [optional-tenant-name]https://my.nsx.url/ OR https://my.nsx.url/ ", "StorePathDescription": "A selection from the different certificate types supported: Application, Controller, or CA." }, + { + "Name": "ADFS Rotation Manager", + "ShortName": "WinAdfs", + "Capability": "WinAdfs", + "LocalStore": false, + "SupportedOperations": { + "Add": true, + "Create": false, + "Discovery": false, + "Enrollment": false, + "Remove": false + }, + "Properties": [ + { + "Name": "spnwithport", + "DisplayName": "SPN With Port", + "Type": "Bool", + "DependsOn": "", + "DefaultValue": "false", + "Required": false, + "Description": "Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations." + }, + { + "Name": "WinRM Protocol", + "DisplayName": "WinRM Protocol", + "Type": "MultipleChoice", + "DependsOn": "", + "DefaultValue": "https,http,ssh", + "Required": true, + "Description": "Multiple choice value specifying which protocol to use. Protocols https or http use WinRM to connect from Windows to Windows Servers. Using ssh is only supported when running the orchestrator in a Linux environment." + }, + { + "Name": "WinRM Port", + "DisplayName": "WinRM Port", + "Type": "String", + "DependsOn": "", + "DefaultValue": "5986", + "Required": true, + "Description": "String value specifying the port number that the Windows target server's WinRM listener is configured to use. Example: '5986' for HTTPS or '5985' for HTTP. By default, when using ssh in a Linux environment, the default port number is 22." 
+ }, + { + "Name": "ServerUsername", + "DisplayName": "Server Username", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": "", + "Required": false, + "Description": "Username used to log into the target server for establishing the WinRM session. Example: 'administrator' or 'domain\\username'. (This field is automatically created)" + }, + { + "Name": "ServerPassword", + "DisplayName": "Server Password", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": "", + "Required": false, + "Description": "Password corresponding to the Server Username used to log into the target server. When establishing a SSH session from a Linux environment, the password must include the full SSH Private key. (This field is automatically created)" + }, + { + "Name": "ServerUseSsl", + "DisplayName": "Use SSL", + "Type": "Bool", + "DependsOn": "", + "DefaultValue": "true", + "Required": true, + "Description": "Determine whether the server uses SSL or not (This field is automatically created)" + } + ], + "EntryParameters": [ + { + "Name": "ProviderName", + "DisplayName": "Crypto Provider Name", + "Type": "String", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": false, + "OnRemove": false, + "OnReenrollment": false + }, + "DependsOn": "", + "DefaultValue": "", + "Options": "", + "Description": "Name of the Windows cryptographic service provider to use when generating and storing private keys. 
For more information, refer to the section 'Using Crypto Service Providers'" + } + ], + "PasswordOptions": { + "EntrySupported": false, + "StoreRequired": false, + "Style": "Default" + }, + "StorePathValue": "My", + "PrivateKeyAllowed": "Required", + "ServerRequired": true, + "PowerShell": false, + "BlueprintAllowed": true, + "CustomAliasAllowed": "Forbidden", + "ClientMachineDescription": "Since this extension type must run as an agent (The UO Must be installed on the PRIMARY ADFS Server), the ClientMachine must follow the naming convention as outlined in the Client Machine Instructions. Secondary ADFS Nodes will be automatically be updated with the same certificate added on the PRIMARY ADFS server.", + "StorePathDescription": "Fixed string value of 'My' indicating the Personal store on the Local Machine. All ADFS Service-Communications certificates are located in the 'My' personal store by default." + }, { "Name": "WinCerMgmt", "ShortName": "WinCerMgmt", @@ -5118,7 +5919,7 @@ "DependsOn": "", "DefaultValue": "", "Required": false, - "Description": "Username used to log into the target server for establishing the WinRM session. Example: 'administrator' or 'domain\\username'." + "Description": "Username used to log into the target server for establishing the WinRM session. Example: 'administrator' or 'domain\\username'. (This field is automatically created)" }, { "Name": "ServerPassword", @@ -5127,7 +5928,7 @@ "DependsOn": "", "DefaultValue": "", "Required": false, - "Description": "Password corresponding to the Server Username used to log into the target server. When establishing a SSH session from a Linux environment, the password must include the full SSH Private key." + "Description": "Password corresponding to the Server Username used to log into the target server. When establishing a SSH session from a Linux environment, the password must include the full SSH Private key. (This field is automatically created)" }, { "Name": "ServerUseSsl", 
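Review bot: The ADFS Rotation Manager reuses the WinRM/SSH credential text from the other Windows store types, but its own ClientMachineDescription says the Universal Orchestrator must run on the primary ADFS server, a Windows host, so the `ssh` protocol option, the `port 22` remark on WinRM Port, and the `must include the full SSH Private key` guidance on ServerPassword cannot apply here; either drop `ssh` from the WinRM Protocol options or state that only `https`/`http` are meaningful for this type. The `WinRM Protocol` default `https,http,ssh` also offers `http` while ServerUseSsl defaults to true and WinRM Port to 5986 — document which of these settings actually governs transport security so an operator does not end up sending the ADFS service credential over an unencrypted WinRM session. The ProviderName entry parameter speaks of `generating and storing private keys`, but this type declares `Enrollment: false` and `Create: false`, so say which operation the CSP name is honoured for. The store definition is complete within this hunk, but the enclosing array starts before it.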
@@ -5154,21 +5955,6 @@ "DefaultValue": "", "Options": "", "Description": "Name of the Windows cryptographic service provider to use when generating and storing private keys. For more information, refer to the section 'Using Crypto Service Providers'" - }, - { - "Name": "SAN", - "DisplayName": "SAN", - "Type": "String", - "RequiredWhen": { - "HasPrivateKey": false, - "OnAdd": false, - "OnRemove": false, - "OnReenrollment": true - }, - "DependsOn": "", - "DefaultValue": "", - "Options": "", - "Description": "String value specifying the Subject Alternative Name (SAN) to be used when performing reenrollment jobs. Format as a list of = entries separated by ampersands; Example: 'dns=www.example.com&dns=www.example2.com' for multiple SANs. Can be made optional if RFC 2818 is disabled on the CA." } ], "PasswordOptions": { @@ -5232,7 +6018,7 @@ "DependsOn": "", "DefaultValue": "", "Required": false, - "Description": "Username used to log into the target server for establishing the WinRM session. Example: 'administrator' or 'domain\\username'." + "Description": "Username used to log into the target server for establishing the WinRM session. Example: 'administrator' or 'domain\\username'. (This field is automatically created)" }, { "Name": "ServerPassword", @@ -5241,7 +6027,7 @@ "DependsOn": "", "DefaultValue": "", "Required": false, - "Description": "Password corresponding to the Server Username used to log into the target server. When establishing a SSH session from a Linux environment, the password must include the full SSH Private key." + "Description": "Password corresponding to the Server Username used to log into the target server. When establishing a SSH session from a Linux environment, the password must include the full SSH Private key. (This field is automatically created)" }, { "Name": "ServerUseSsl", 
@@ -5289,21 +6075,6 @@ "DefaultValue": "", "Options": "", "Description": "Name of the Windows cryptographic service provider to use when generating and storing private keys. For more information, refer to the section 'Using Crypto Service Providers'" - }, - { - "Name": "SAN", - "DisplayName": "SAN", - "Type": "String", - "RequiredWhen": { - "HasPrivateKey": false, - "OnAdd": false, - "OnRemove": false, - "OnReenrollment": true - }, - "DependsOn": "", - "DefaultValue": "", - "Options": "", - "Description": "String value specifying the Subject Alternative Name (SAN) to be used when performing reenrollment jobs. Format as a list of = entries separated by ampersands; Example: 'dns=www.example.com&dns=www.example2.com' for multiple SANs." } ], "PasswordOptions": { @@ -5501,7 +6272,7 @@ "DependsOn": "", "DefaultValue": "", "Required": true, - "IsPamEligable": false, + "IsPamEligable": true, "Description": "The vCenter username used to manage the vCenter connection" }, { @@ -5511,7 +6282,7 @@ "DependsOn": "", "DefaultValue": "", "Required": true, - "IsPamEligable": false, + "IsPamEligable": true, "Description": "The secret vCenter password used to manage the vCenter connection" } ] From 414394b057c0955d938ada69b62695c32ff3aa95 Mon Sep 17 00:00:00 2001 From: spbsoluble <1661003+spbsoluble@users.noreply.github.com> Date: Fri, 1 May 2026 11:14:27 -0700 Subject: [PATCH 03/17] fix: support PAM-backed store CSV sync --- CHANGELOG.md | 14 + README.md | 16 +- cmd/storesBulkOperations.go | 12 +- cmd/stores_test.go | 28 ++ docs/use-cases/README.md | 6 + .../bulk-certificate-store-updates.md | 279 ++++++++++++++++++ ...migrate-static-store-credentials-to-pam.md | 134 +++++++++ pkg/version/version.go | 4 +- 8 files changed, 488 insertions(+), 5 deletions(-) create mode 100644 docs/use-cases/README.md create mode 100644 docs/use-cases/bulk-certificate-store-updates.md create mode 100644 docs/use-cases/migrate-static-store-credentials-to-pam.md 
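Review bot: The two vCenter hunks flip `IsPamEligable` to true, but the same flag is spelled `IsPAMEligible` on the Kemp definition added earlier in this file; a property name is matched literally by whatever consumes this file, so if `IsPAMEligible` is the recognised spelling the vCenter username and password silently remain non-PAM-eligible despite this change. Use one spelling throughout — `"IsPAMEligible": true` — and confirm against the importer which form it honours, since that is not visible here. A misspelled flag that is ignored is worse than no flag, because it looks as though the credential has been moved into PAM when it has not.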
diff --git a/CHANGELOG.md b/CHANGELOG.md index 6452765e..b9ebe7eb 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,17 @@ +# v1.9.2 + +## Fixes + +### CLI + +- `stores import csv`: Support create and sync workflows for certificate stores that use PAM provider-backed + `ServerUsername`, `ServerPassword`, and store password values. + +### Docs + +- Add use-case documentation for bulk certificate store updates. +- Add use-case documentation for migrating certificate store credentials from static values to a PAM provider. + # v1.9.1 ## Fixes diff --git a/README.md b/README.md index 28efd8da..8362c218 100644 --- a/README.md +++ b/README.md @@ -235,7 +235,7 @@ This will attempt to process a CSV input file of certificate stores to create. T running: `kfutil stores import generate-template` command. ```bash -kfutil stores import create --file --store-type-id --store-type-name --results-path --dry-run [flags] +kfutil stores import csv --file --store-type-id --store-type-name --results-path --dry-run [flags] ``` ```bash @@ -246,7 +246,7 @@ Usage: kfutil stores import [command] Available Commands: - create Create certificate stores + csv Create certificate stores from CSV file. generate-template For generating a CSV template with headers for bulk store creation. Flags: @@ -255,6 +255,18 @@ Flags: Use "kfutil stores import [command] --help" for more information about a command. ``` +#### Bulk update cert stores + +For a task-oriented walkthrough, see [Bulk Certificate Store Updates](docs/use-cases/bulk-certificate-store-updates.md). + +Bulk updates use the CSV import command with `--sync`. Export the target stores, edit the exported CSV, preserve the +`Id` column, then sync the changes back to Keyfactor Command. + +```bash +kfutil stores export --store-type-name +kfutil stores import csv --file --store-type-name --sync --no-prompt +``` + #### Bulk create cert store types For full documentation, see [store-types](docs/kfutil_store-types.md). 
diff --git a/cmd/storesBulkOperations.go b/cmd/storesBulkOperations.go index c58faea6..bc4a5318 100644 --- a/cmd/storesBulkOperations.go +++ b/cmd/storesBulkOperations.go @@ -82,6 +82,16 @@ func formatProperties(propsJson *gabs.Container, reqPropertiesForStoreType []str if name == "ServerUsername" || name == "ServerPassword" { reformatted := reformatPamSecretForPost(prop.Data().(map[string]interface{})) if reformatted != nil { + if provider, ok := reformatted["Provider"]; ok && provider != nil { + managedValue := map[string]interface{}{ + "Provider": provider, + } + if params, paramsOk := reformatted["Parameters"]; paramsOk && params != nil { + managedValue["Parameters"] = params + } + propsJson.Set(map[string]interface{}{"value": managedValue}, "Properties", name) + break + } if _, ok := reformatted["value"].(string); ok { propsJson.Set(reformatted["value"], "Properties", name) } else { @@ -424,7 +434,7 @@ If you do not wish to include credentials in your CSV file they can be provided updateReqParameters.Password = &api.UpdateStorePasswordConfig{ Provider: passwdParams.Provider, - Parameters: nil, + Parameters: passwdParams.Parameters, SecretValue: passwdParams.SecretValue, } updateReqParameters.Properties = props diff --git a/cmd/stores_test.go b/cmd/stores_test.go index b5a792c9..7e1becb2 100644 --- a/cmd/stores_test.go +++ b/cmd/stores_test.go 
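Review bot: The `break` after `propsJson.Set(map[string]interface{}{"value": managedValue}, "Properties", name)` in the new PAM branch leaves the enclosing loop rather than moving on to the next property, so if that loop walks every property (its header is outside the hunk) a store whose ServerUsername and ServerPassword are both PAM-backed has only the first one rewritten and the second is never processed at all; `continue` looks like the intended statement. If the loop body is instead inside a `switch`/`select`, the `break` is harmless but misleading and should be replaced by an explicit `continue`. A short comment above the branch, `// PAM-managed secrets are posted as {"value": {"Provider": id, "Parameters": {...}}}, not as a plain string value`, would document the wire shape the test asserts on. formatProperties starts before this hunk and ends after it.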
@@ -328,6 +328,34 @@ func Test_Stores_GenerateImportTemplateCmd(t *testing.T) {
 }
+func Test_FormatProperties_FormatsManagedPamSecretPropertiesForPost(t *testing.T) {
+ header := []string{
+ "Properties.ServerPassword.Provider",
+ "Properties.ServerPassword.Parameters.SecretName",
+ "Properties.ServerPassword.Parameters.SecretType",
+ "Properties.ServerPassword.Parameters.StaticSecretFieldName",
+ }
+ row := []string{"30", "dev/aks/kf-integrations", "static_json", " "}
+
+ reqJson := getJsonForRequest(header, row)
+ reqJson = formatProperties(reqJson, nil)
+
+ serverPassword := reqJson.S("Properties", "ServerPassword").Data()
+ serverPasswordMap, ok := serverPassword.(map[string]interface{})
+ assert.True(t, ok)
+ valueMap, ok := serverPasswordMap["value"].(map[string]interface{})
+ assert.True(t, ok)
+ assert.Equal(t, 30, valueMap["Provider"])
+ assert.NotContains(t, serverPasswordMap, "Provider")
+ assert.NotContains(t, serverPasswordMap, "ProviderId")
+
+ params, ok := valueMap["Parameters"].(map[string]string)
+ assert.True(t, ok)
+ assert.Equal(t, "dev/aks/kf-integrations", params["SecretName"])
+ assert.Equal(t, "static_json", params["SecretType"])
+ assert.Equal(t, " ", params["StaticSecretFieldName"])
+}
+
 func testExportStore(t *testing.T, storeTypeName string) (string, []string) {
 var (
 output string
diff --git a/docs/use-cases/README.md b/docs/use-cases/README.md
new file mode 100644
index 00000000..de1b09c9
--- /dev/null
+++ b/docs/use-cases/README.md
@@ -0,0 +1,6 @@
+# Use Cases
+
+Task-oriented guides for common `kfutil` workflows.
+
+- [Bulk Certificate Store Updates](bulk-certificate-store-updates.md)
+- [Migrate Static Store Credentials To A PAM Provider](migrate-static-store-credentials-to-pam.md)
diff --git a/docs/use-cases/bulk-certificate-store-updates.md b/docs/use-cases/bulk-certificate-store-updates.md
new file mode 100644
index 00000000..06635c27
--- /dev/null
+++ b/docs/use-cases/bulk-certificate-store-updates.md
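Review bot: Test_FormatProperties_FormatsManagedPamSecretPropertiesForPost feeds only one PAM-backed property, so it cannot tell whether formatProperties reformats both `ServerUsername` and `ServerPassword` when a single row carries provider columns for each — and the new branch in formatProperties ends in `break`, which is exactly the path that needs pinning. Add a second case whose header contains both `Properties.ServerUsername.Provider` and `Properties.ServerPassword.Provider` (plus their `Parameters.*` columns) and assert that each property ends up under `["value"]["Provider"]`. The assertion `params, ok := valueMap["Parameters"].(map[string]string)` also couples the test to the concrete map type that getJsonForRequest happens to emit; asserting through the gabs path instead, e.g. `reqJson.S("Properties", "ServerPassword", "value", "Parameters", "SecretName").Data()`, would survive a change of that internal type. testExportStore continues outside the hunk.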
@@ -0,0 +1,279 @@ +# Bulk Certificate Store Updates + +Use this workflow when you need to update many existing Keyfactor Command certificate stores from a CSV file instead of editing each store in the Command UI. + +Common examples include: + +- Moving stores to a different orchestrator agent. +- Updating inventory schedules. +- Changing store metadata such as client machine, store path, container, or store-type properties. +- Correcting repeated configuration values after onboarding, migration, or environment changes. + +`kfutil` performs bulk certificate store updates through the CSV import command with the `--sync` flag. The usual flow is: + +```text +export stores -> edit CSV -> sync import -> review results -> verify changes +``` + +## Contents + +- [Before You Begin](#before-you-begin) +- [Step 1: Export Stores](#step-1-export-stores) +- [Step 2: Edit The CSV](#step-2-edit-the-csv) +- [Step 3: Sync The Updates](#step-3-sync-the-updates) +- [Step 4: Review Results](#step-4-review-results) +- [Step 5: Verify Changes](#step-5-verify-changes) +- [Credentials](#credentials) +- [PAM Provider Credentials](#pam-provider-credentials) +- [Template Option](#template-option) +- [Operational Guidance](#operational-guidance) +- [Related Commands](#related-commands) + +## Before You Begin + +You need: + +- `kfutil` configured to authenticate to Keyfactor Command. +- Permission to list, export, and update certificate stores. +- The certificate store type already created in Command. +- The store type short name, or the store type ID. + +Keep one CSV file per certificate store type. The import command accepts one `--store-type-name` or `--store-type-id` per run, and store-type-specific properties differ by type. + +## Step 1: Export Stores + +Export the stores you want to update. 
For a single store type, use the store type short name: + +```bash +kfutil stores export --store-type-name K8SSecret +``` + +Or use the store type ID: + +```bash +kfutil stores export --store-type-id 154 +``` + +To export all stores, grouped into separate CSV files by store type: + +```bash +kfutil stores export --all +``` + +The export command writes files named like: + +```text +K8SSecret_stores_export_1765743627.csv +``` + +The exported CSV includes an `Id` column. Preserve this column for every row you want to update. + +## Step 2: Edit The CSV + +Open the exported CSV and edit only the fields you intend to change. + +For example, to move stores to another orchestrator, update the `AgentId` column: + +```csv +Id,ClientMachine,StorePath,AgentId +6d1c7e86-0000-0000-0000-000000000000,k8s-worker-01,default/web-tls,275bcd31-0000-0000-0000-000000000000 +``` + +For store-type properties, edit the `Properties.` columns exported for that store type, such as: + +```text +Properties.KubeNamespace +Properties.KubeSecretName +Properties.KubeSecretType +Properties.IncludeCertChain +``` + +For schedules, use one schedule shape per row: + +```text +InventorySchedule.Immediate +InventorySchedule.Interval.Minutes +InventorySchedule.Daily.Time +InventorySchedule.Weekly.Days +InventorySchedule.Weekly.Time +``` + +Do not remove `Id` for update rows. When `--sync` is used, rows with an `Id` are updated. Rows without an `Id` are treated as create requests. 
+ +## Step 3: Sync The Updates + +Run the CSV import command with `--sync`: + +```bash +kfutil stores import csv \ + --file K8SSecret_stores_export_1765743627.csv \ + --store-type-name K8SSecret \ + --sync \ + --no-prompt +``` + +The equivalent command using a store type ID is: + +```bash +kfutil stores import csv \ + --file K8SSecret_stores_export_1765743627.csv \ + --store-type-id 154 \ + --sync \ + --no-prompt +``` + +Use `--results-path` to choose where the results CSV is written: + +```bash +kfutil stores import csv \ + --file K8SSecret_stores_export_1765743627.csv \ + --store-type-name K8SSecret \ + --sync \ + --no-prompt \ + --results-path K8SSecret_update_results.csv +``` + +## Step 4: Review Results + +The command prints a summary: + +```text +1 records processed. +1 certificate stores successfully updated. +Import results written to K8SSecret_update_results.csv +``` + +By default, the results file is named from the input file: + +```text +_results.csv +``` + +The results CSV contains the original row data and an `Errors` column. Successful rows have an empty `Errors` value. Failed rows include the API error message and should be corrected before rerunning. + +Bulk sync is row-based, not all-or-nothing. One failed row does not mean every row failed. + +## Step 5: Verify Changes + +Verify the update by exporting the store type again: + +```bash +kfutil stores export --store-type-name K8SSecret +``` + +Compare the updated columns against the original export and results file. For spot checks, fetch an individual store by ID: + +```bash +kfutil stores get --id 6d1c7e86-0000-0000-0000-000000000000 +``` + +## Credentials + +Credential values can be supplied in the CSV, by flags, by environment variables, or by interactive prompts. 
+ +CSV columns: + +```text +Properties.ServerUsername +Properties.ServerPassword +Password +``` + +Flags: + +```bash +--server-username +--server-password +--store-password +``` + +Environment variables: + +```text +KFUTIL_CSV_SERVER_USERNAME +KFUTIL_CSV_SERVER_PASSWORD +KFUTIL_CSV_STORE_PASSWORD +``` + +Values in the CSV take precedence over flags, environment variables, and prompts. + +Avoid putting secrets in CSV files unless your operating procedures allow it. If you do use CSV-based secrets, protect the file, results file, and shell history accordingly. + +## PAM Provider Credentials + +Certificate store credentials can also reference a Keyfactor PAM provider instead of carrying a direct secret value. This is supported for CSV create and sync workflows when the CSV uses the provider columns exported by `kfutil`. + +For an existing PAM-backed store, export the store type and use the exported credential columns as the pattern: + +```bash +kfutil stores export --store-type-name K8SCluster +``` + +A PAM-backed `ServerPassword` uses columns like: + +```text +Properties.ServerPassword.Provider +Properties.ServerPassword.Parameters.SecretName +Properties.ServerPassword.Parameters.SecretType +Properties.ServerPassword.Parameters.StaticSecretFieldName +``` + +Example: + +```csv +Id,ClientMachine,StorePath,Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.SecretName,Properties.ServerPassword.Parameters.SecretType,Properties.ServerPassword.Parameters.StaticSecretFieldName +13b0b2c5-eb27-4885-91ec-fad35d0268df,kf-integrations,fresh,30,dev/aks/kf-integrations,static_json," " +``` + +To convert direct `ServerPassword` values to the same PAM provider, add the provider columns if they are not already present, fill in the provider ID and parameters, and leave any direct `Properties.ServerPassword.SecretValue` column empty. 
+ +Then run the normal sync command: + +```bash +kfutil stores import csv \ + --file K8SCluster_pam_sync.csv \ + --store-type-name K8SCluster \ + --sync \ + --no-prompt +``` + +For a new store, leave the `Id` column empty or omit it and provide the same provider-backed credential columns: + +```bash +kfutil stores import csv \ + --file K8SCluster_create_with_pam.csv \ + --store-type-name K8SCluster \ + --no-prompt +``` + +If the exported CSV contains masked direct credential values such as `********************`, prefer changing only the PAM-backed credential columns you intend to update. Do not copy masked values into new rows as real secrets. + +## Template Option + +If you need a blank CSV for a store type instead of exporting existing stores, generate a template: + +```bash +kfutil stores import generate-template \ + --store-type-name K8SSecret \ + --outpath K8SSecret_bulk_import_template.csv +``` + +The template includes the common certificate store columns and the properties required for the selected store type. For updates, exporting existing stores is usually safer because it includes the `Id` values needed by `--sync`. + +## Operational Guidance + +- Start with a small CSV containing one or two stores. +- Keep the original export unchanged as a rollback/reference artifact. +- Preserve the `Id` column for update rows. +- Keep separate CSV files per store type. +- Edit only the columns needed for the change. +- Review the results CSV before rerunning failed rows. +- Rerun only corrected failed rows when possible. + +## Related Commands + +- [kfutil stores export](../kfutil_stores_export.md) +- [kfutil stores import csv](../kfutil_stores_import_csv.md) +- [kfutil stores import generate-template](../kfutil_stores_import_generate-template.md) +- [kfutil stores get](../kfutil_stores_get.md) +- [Migrate Static Store Credentials To A PAM Provider](migrate-static-store-credentials-to-pam.md) 
diff --git a/docs/use-cases/migrate-static-store-credentials-to-pam.md b/docs/use-cases/migrate-static-store-credentials-to-pam.md new file mode 100644 index 00000000..5a9075f1 --- /dev/null +++ b/docs/use-cases/migrate-static-store-credentials-to-pam.md 
@@ -0,0 +1,134 @@ +# Migrate Static Store Credentials To A PAM Provider + +Use this workflow when existing certificate stores have static Keyfactor-encrypted credential values and you want those stores to reference a Keyfactor PAM provider instead. + +This is a specialized bulk certificate store update. The workflow uses exported CSV files, edits the `Properties.ServerPassword` credential columns, then syncs the changes back to Keyfactor Command. + +## Contents + +- [Before You Begin](#before-you-begin) +- [Step 1: Export Stores](#step-1-export-stores) +- [Step 2: Identify The PAM Provider Columns](#step-2-identify-the-pam-provider-columns) +- [Step 3: Build The Sync CSV](#step-3-build-the-sync-csv) +- [Step 4: Sync The Migration](#step-4-sync-the-migration) +- [Step 5: Verify The Migration](#step-5-verify-the-migration) +- [Notes](#notes) +- [Related Commands](#related-commands) + +## Before You Begin + +You need: + +- `kfutil` configured to authenticate to Keyfactor Command. +- Permission to export and update certificate stores. +- A configured PAM provider in Keyfactor Command. +- The PAM provider ID and any provider parameter names and values required by that provider. +- The target store type short name or store type ID. + +Keep each CSV scoped to one certificate store type. The import command accepts one `--store-type-name` or `--store-type-id` per run. + +## Step 1: Export Stores + +Export the stores you want to migrate: + +```bash +kfutil stores export --store-type-name K8SCluster +``` + +For all store types: + +```bash +kfutil stores export --all +``` + +The export includes the `Id` column required for sync updates. + +## Step 2: Identify The PAM Provider Columns + +If you already have a store using the target PAM provider, export that store type and use its columns as the pattern. 
+ +For a PAM-backed `ServerPassword`, the CSV uses columns like: + +```text +Properties.ServerPassword.Provider +Properties.ServerPassword.Parameters.SecretName +Properties.ServerPassword.Parameters.SecretType +Properties.ServerPassword.Parameters.StaticSecretFieldName +``` + +Example values: + +```text +Properties.ServerPassword.Provider=30 +Properties.ServerPassword.Parameters.SecretName=dev/aks/kf-integrations +Properties.ServerPassword.Parameters.SecretType=static_json +Properties.ServerPassword.Parameters.StaticSecretFieldName=" " +``` + +The parameter names depend on the PAM provider type. Use the names exported from a known-good store or from the PAM provider type definition. + +## Step 3: Build The Sync CSV + +For each row you want to migrate: + +- Preserve `Id`. +- Preserve `ClientMachine`, `StorePath`, `AgentId`, and other store configuration values. +- Add the PAM provider columns if they are not already present. +- Set `Properties.ServerPassword.Provider` to the PAM provider ID. +- Set the `Properties.ServerPassword.Parameters.*` columns to the provider parameter values. +- Leave `Properties.ServerPassword.SecretValue` empty if that column exists. + +Example: + +```csv +Id,ClientMachine,StorePath,Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.SecretName,Properties.ServerPassword.Parameters.SecretType,Properties.ServerPassword.Parameters.StaticSecretFieldName,Properties.ServerPassword.SecretValue +13b0b2c5-eb27-4885-91ec-fad35d0268df,kf-integrations,fresh,30,dev/aks/kf-integrations,static_json," ", +``` + +Do not put the masked export value `********************` into a new direct secret value column. That is a placeholder, not the original secret. + +## Step 4: Sync The Migration + +Run the import command with `--sync`: + +```bash +kfutil stores import csv \ + --file K8SCluster_pam_sync.csv \ + --store-type-name K8SCluster \ + --sync \ + --no-prompt +``` + +Use one command per store type CSV. 
+ +## Step 5: Verify The Migration + +Export the store type again: + +```bash +kfutil stores export --store-type-name K8SCluster +``` + +Confirm the migrated rows include: + +```text +Properties.ServerPassword.Provider +Properties.ServerPassword.Parameters. +``` + +Confirm `Properties.ServerPassword.SecretValue` is empty or absent for migrated rows. + +Review the sync results file and confirm the `Errors` column is empty for each migrated row. + +## Notes + +- This workflow changes where Keyfactor retrieves the store credential. It does not rotate the credential in the target system. +- For provider-backed `ServerUsername`, use the same pattern with `Properties.ServerUsername.Provider` and `Properties.ServerUsername.Parameters.*`. +- For store-level passwords, use `Password.ProviderId` and `Password.Parameters.*`. +- Test with one store before applying the same provider values to many stores. + +## Related Commands + +- [kfutil stores export](../kfutil_stores_export.md) +- [kfutil stores import csv](../kfutil_stores_import_csv.md) +- [Bulk Certificate Store Updates](bulk-certificate-store-updates.md) diff --git a/pkg/version/version.go b/pkg/version/version.go index cad31813..132741ff 100644 --- a/pkg/version/version.go +++ b/pkg/version/version.go @@ -15,7 +15,7 @@ package version var ( - VERSION = "1.9.1" - BUILD_DATE = "2026-02-04" + VERSION = "1.9.2" + BUILD_DATE = "2026-05-01" COMMIT = "HEAD" ) From ecb60cb886cbe6135fb01e5e2d7a6c22ec166ef2 Mon Sep 17 00:00:00 2001 From: spbsoluble <1661003+spbsoluble@users.noreply.github.com> Date: Fri, 1 May 2026 12:08:37 -0700 Subject: [PATCH 04/17] fix: preserve JSON secret values in store CSV import --- cmd/storesBulkOperations.go | 13 ++++++++++++- cmd/stores_test.go | 13 +++++++++++++ 2 files changed, 25 insertions(+), 1 deletion(-) diff --git a/cmd/storesBulkOperations.go b/cmd/storesBulkOperations.go index bc4a5318..f0721337 100644 --- a/cmd/storesBulkOperations.go +++ b/cmd/storesBulkOperations.go 
@@ -1154,7 +1154,9 @@ func getJsonForRequest(headerRow []string, row []string) *gabs.Container {
 reqJson := gabs.New()
 for hIdx, header := range headerRow {
 log.Debug().Msgf("Processing header '%s'", header)
- if strings.ToUpper(row[hIdx]) == "TRUE" {
+ if shouldTreatCSVValueAsSecretString(header) && row[hIdx] != "" {
+ reqJson.Set(row[hIdx], strings.Split(header, ".")...)
+ } else if strings.ToUpper(row[hIdx]) == "TRUE" {
 reqJson.Set(true, strings.Split(header, ".")...)
 } else if strings.ToUpper(row[hIdx]) == "FALSE" {
 reqJson.Set(false, strings.Split(header, ".")...)
@@ -1176,6 +1178,15 @@ func getJsonForRequest(headerRow []string, row []string) *gabs.Container {
 return reqJson
 }
+func shouldTreatCSVValueAsSecretString(header string) bool {
+ switch header {
+ case "Properties.ServerUsername", "Properties.ServerPassword", "Password":
+ return true
+ default:
+ return strings.HasSuffix(header, ".SecretValue")
+ }
+}
+
 func writeCsvFile(outpath string, rows [][]string) error {
 log.Debug().Msgf("Writing CSV file '%s'", outpath)
 csvFile, err := os.Create(outpath)
diff --git a/cmd/stores_test.go b/cmd/stores_test.go
index 7e1becb2..adaae224 100644
--- a/cmd/stores_test.go
+++ b/cmd/stores_test.go
@@ -356,6 +356,19 @@ func Test_FormatProperties_FormatsManagedPamSecretPropertiesForPost(t *testing.T
 assert.Equal(t, " ", params["StaticSecretFieldName"])
 }
+func Test_GetJsonForRequest_TreatsJsonSecretValuesAsStrings(t *testing.T) {
+ header := []string{"Properties.ServerPassword", "Properties.ServerUsername.SecretValue"}
+ row := []string{
+ `{"kind":"Config","apiVersion":"v1"}`,
+ `{"username":"kubeconfig"}`,
+ }
+
+ reqJson := getJsonForRequest(header, row)
+
+ assert.Equal(t, row[0], reqJson.S("Properties", "ServerPassword").Data())
+ assert.Equal(t, row[1], reqJson.S("Properties", "ServerUsername", "SecretValue").Data())
+}
+
 func testExportStore(t *testing.T, storeTypeName string) (string, []string) {
 var (
 output string
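Review bot: shouldTreatCSVValueAsSecretString decides by header name alone, so if a store type declares a Secret-typed property under any other name, a `true`/`false`-looking or JSON-looking value in that column still falls into the `strings.ToUpper(row[hIdx]) == "TRUE"` chain and later parsing branches and is silently converted — the same class of bug this commit fixes for `ServerUsername`/`ServerPassword`. If the store-type definition is available to the caller, consider passing the names of its Secret-typed properties in and checking `"Properties."+name` membership alongside the fixed columns; otherwise document the limitation next to the switch. The function also has no doc comment; suggest `// shouldTreatCSVValueAsSecretString reports whether header names a credential cell whose raw CSV text must be kept as an opaque string (never parsed as bool/number/JSON): the fixed credential columns and any *.SecretValue column.` The `row[hIdx] != ""` guard sends an empty secret cell down the generic path, which is presumably intended ("not provided"), but a short comment saying so would save the next reader a question. The remaining parsing branches of getJsonForRequest are outside the hunk.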
From 4b6a2c555b2ac7a06e5b56233e87c19b7f21d089 Mon Sep 17 00:00:00 2001 From: spbsoluble <1661003+spbsoluble@users.noreply.github.com> Date: Fri, 1 May 2026 12:36:23 -0700 Subject: [PATCH 05/17] docs: organize certificate store use cases --- README.md | 5 +- .../Certificate Store Operations/README.md | 7 + .../bulk-certificate-store-creation.md | 159 ++++++++++++++++++ .../bulk-certificate-store-updates.md | 0 ...migrate-static-store-credentials-to-pam.md | 0 docs/use-cases/README.md | 3 +- 6 files changed, 170 insertions(+), 4 deletions(-) create mode 100644 docs/use-cases/Certificate Store Operations/README.md create mode 100644 docs/use-cases/Certificate Store Operations/bulk-certificate-store-creation.md rename docs/use-cases/{ => Certificate Store Operations}/bulk-certificate-store-updates.md (100%) rename docs/use-cases/{ => Certificate Store Operations}/migrate-static-store-credentials-to-pam.md (100%) diff --git a/README.md b/README.md index 8362c218..72bd5850 100644 --- a/README.md +++ b/README.md @@ -229,7 +229,8 @@ kfutil logout #### Bulk create cert stores -For full documentation, see [stores import](docs/kfutil_stores_import.md). +For command documentation, see [stores import](docs/kfutil_stores_import.md). For a task-oriented walkthrough, see +[Bulk Certificate Store Creation](docs/use-cases/Certificate%20Store%20Operations/bulk-certificate-store-creation.md). This will attempt to process a CSV input file of certificate stores to create. The template can be generated by running: `kfutil stores import generate-template` command. 
@@ -257,7 +258,7 @@ Use "kfutil stores import [command] --help" for more information about a command #### Bulk update cert stores -For a task-oriented walkthrough, see [Bulk Certificate Store Updates](docs/use-cases/bulk-certificate-store-updates.md). +For a task-oriented walkthrough, see [Bulk Certificate Store Updates](docs/use-cases/Certificate%20Store%20Operations/bulk-certificate-store-updates.md). Bulk updates use the CSV import command with `--sync`. Export the target stores, edit the exported CSV, preserve the `Id` column, then sync the changes back to Keyfactor Command. diff --git a/docs/use-cases/Certificate Store Operations/README.md b/docs/use-cases/Certificate Store Operations/README.md new file mode 100644 index 00000000..86751434 --- /dev/null +++ b/docs/use-cases/Certificate Store Operations/README.md @@ -0,0 +1,7 @@ +# Certificate Store Operations + +Use cases for bulk certificate store workflows. + +- [Bulk Certificate Store Creation](bulk-certificate-store-creation.md) +- [Bulk Certificate Store Updates](bulk-certificate-store-updates.md) +- [Migrate Static Store Credentials To A PAM Provider](migrate-static-store-credentials-to-pam.md) diff --git a/docs/use-cases/Certificate Store Operations/bulk-certificate-store-creation.md b/docs/use-cases/Certificate Store Operations/bulk-certificate-store-creation.md new file mode 100644 index 00000000..015fb003 --- /dev/null +++ b/docs/use-cases/Certificate Store Operations/bulk-certificate-store-creation.md 
@@ -0,0 +1,159 @@ +# Bulk Certificate Store Creation + +Use this workflow when you need to create many certificate stores of the same type from a CSV file. + +This example creates ten Kubernetes certificate stores: + +- Five `K8SSecret` stores. +- Five `K8STLSSecr` stores. +- Three stores of each type use static Keyfactor-encrypted credentials. +- Two stores of each type use a PAM provider-backed `ServerPassword`. + +## Contents + +- [Before You Begin](#before-you-begin) +- [Step 1: Choose The Store Types](#step-1-choose-the-store-types) +- [Step 2: Prepare Static Credential Rows](#step-2-prepare-static-credential-rows) +- [Step 3: Prepare PAM Provider Rows](#step-3-prepare-pam-provider-rows) +- [Step 4: Create K8SSecret Stores](#step-4-create-k8ssecret-stores) +- [Step 5: Create K8STLSSecr Stores](#step-5-create-k8stlssecr-stores) +- [Step 6: Verify The Created Stores](#step-6-verify-the-created-stores) +- [Notes](#notes) +- [Related Commands](#related-commands) + +## Before You Begin + +You need: + +- `kfutil` configured to authenticate to Keyfactor Command. +- Permission to create certificate stores. +- The target certificate store types already created in Command. +- A registered orchestrator agent ID. +- Static credential values or a configured PAM provider. + +For Kubernetes stores, `ClientMachine` should match the orchestrator target expected by the extension, and `StorePath` should identify the Kubernetes namespace and secret name. + +## Step 1: Choose The Store Types + +This demo uses: + +```text +K8SSecret +K8STLSSecr +``` + +Each type gets its own CSV because `kfutil stores import csv` accepts one store type per command. 
+ +## Step 2: Prepare Static Credential Rows + +Static credential rows use direct credential columns: + +```text +Properties.ServerUsername +Properties.ServerPassword +``` + +Example `K8SSecret` static row: + +```csv +ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.KubeSecretName,Properties.KubeSecretType,Properties.IncludeCertChain,Properties.SeparateChain,Properties.ServerUseSsl,AgentId,Properties.ServerUsername,Properties.ServerPassword +0,kf-integrations,default/kfutil-demo-k8ssecret-1,true,kfutil-demo-k8ssecret-1,secret,true,true,true,275bcd31-9e7b-4c4a-bce9-1719e0c2168d,kubeconfig,"" +``` + +If the credential value is JSON, keep it as a CSV string. `kfutil` treats credential fields as secret strings even when the cell value looks like JSON. + +## Step 3: Prepare PAM Provider Rows + +PAM-backed rows use provider columns instead of a direct `Properties.ServerPassword` value: + +```text +Properties.ServerPassword.Provider +Properties.ServerPassword.Parameters.SecretName +Properties.ServerPassword.Parameters.SecretType +Properties.ServerPassword.Parameters.StaticSecretFieldName +``` + +Example `K8SSecret` PAM row: + +```csv +ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.KubeSecretName,Properties.KubeSecretType,Properties.IncludeCertChain,Properties.SeparateChain,Properties.ServerUseSsl,AgentId,Properties.ServerUsername,Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.SecretName,Properties.ServerPassword.Parameters.SecretType,Properties.ServerPassword.Parameters.StaticSecretFieldName +0,kf-integrations,default/kfutil-demo-k8ssecret-4,true,kfutil-demo-k8ssecret-4,secret,true,true,true,275bcd31-9e7b-4c4a-bce9-1719e0c2168d,kubeconfig,30,dev/aks/kf-integrations,static_json," " +``` + +The provider ID and parameter names depend on your PAM provider type. + +## Step 4: Create K8SSecret Stores + +Create a CSV named `k8ssecret_bulk_create.csv` with five rows: + +- Rows 1-3 use `Properties.ServerPassword`. 
+- Rows 4-5 use `Properties.ServerPassword.Provider` and `Properties.ServerPassword.Parameters.*`. + +Run: + +```bash +kfutil stores import csv \ + --file k8ssecret_bulk_create.csv \ + --store-type-name K8SSecret \ + --no-prompt \ + --results-path k8ssecret_bulk_create_results.csv +``` + +Expected output: + +```text +5 records processed. +5 certificate stores successfully created. +Import results written to k8ssecret_bulk_create_results.csv +``` + +## Step 5: Create K8STLSSecr Stores + +Create a CSV named `k8stlssecr_bulk_create.csv` with five rows. Use the same credential pattern, but set the Kubernetes secret type values for TLS secret stores. + +Run: + +```bash +kfutil stores import csv \ + --file k8stlssecr_bulk_create.csv \ + --store-type-name K8STLSSecr \ + --no-prompt \ + --results-path k8stlssecr_bulk_create_results.csv +``` + +Expected output: + +```text +5 records processed. +5 certificate stores successfully created. +Import results written to k8stlssecr_bulk_create_results.csv +``` + +## Step 6: Verify The Created Stores + +Export each store type: + +```bash +kfutil stores export --store-type-name K8SSecret +kfutil stores export --store-type-name K8STLSSecr +``` + +Verify that the five new rows for each store type are present. + +For the static rows, confirm that `Properties.ServerPassword.SecretValue` is present in the export. + +For the PAM-backed rows, confirm that `Properties.ServerPassword.Provider` and the expected `Properties.ServerPassword.Parameters.*` columns are present. + +## Notes + +- Use unique `StorePath` and `Properties.KubeSecretName` values for each row. +- Keep one CSV per store type. +- Check the `Errors` column in the results CSV after every import. +- CSV files may contain sensitive credentials. Protect the input and results files according to your operating procedures. 
+ +## Related Commands + +- [kfutil stores import csv](../../kfutil_stores_import_csv.md) +- [kfutil stores import generate-template](../../kfutil_stores_import_generate-template.md) +- [kfutil stores export](../../kfutil_stores_export.md) +- [Bulk Certificate Store Updates](bulk-certificate-store-updates.md) diff --git a/docs/use-cases/bulk-certificate-store-updates.md b/docs/use-cases/Certificate Store Operations/bulk-certificate-store-updates.md similarity index 100% rename from docs/use-cases/bulk-certificate-store-updates.md rename to docs/use-cases/Certificate Store Operations/bulk-certificate-store-updates.md diff --git a/docs/use-cases/migrate-static-store-credentials-to-pam.md b/docs/use-cases/Certificate Store Operations/migrate-static-store-credentials-to-pam.md similarity index 100% rename from docs/use-cases/migrate-static-store-credentials-to-pam.md rename to docs/use-cases/Certificate Store Operations/migrate-static-store-credentials-to-pam.md diff --git a/docs/use-cases/README.md b/docs/use-cases/README.md index de1b09c9..080bc2f2 100644 --- a/docs/use-cases/README.md +++ b/docs/use-cases/README.md @@ -2,5 +2,4 @@ Task-oriented guides for common `kfutil` workflows. -- [Bulk Certificate Store Updates](bulk-certificate-store-updates.md) -- [Migrate Static Store Credentials To A PAM Provider](migrate-static-store-credentials-to-pam.md) +- [Certificate Store Operations](Certificate%20Store%20Operations/README.md) From 8fab4882d659718864adf126cd6f9044689ed54d Mon Sep 17 00:00:00 2001 From: spbsoluble <1661003+spbsoluble@users.noreply.github.com> Date: Fri, 1 May 2026 12:39:49 -0700 Subject: [PATCH 06/17] docs: clarify CSV secret formatting --- .../bulk-certificate-store-creation.md | 28 +++++++++++++++++ .../bulk-certificate-store-updates.md | 30 +++++++++++++++++++ ...migrate-static-store-credentials-to-pam.md | 2 ++ 3 files changed, 60 insertions(+) 
diff --git a/docs/use-cases/Certificate Store Operations/bulk-certificate-store-creation.md b/docs/use-cases/Certificate Store Operations/bulk-certificate-store-creation.md index 015fb003..d34f2aa3 100644 --- a/docs/use-cases/Certificate Store Operations/bulk-certificate-store-creation.md +++ b/docs/use-cases/Certificate Store Operations/bulk-certificate-store-creation.md @@ -15,6 +15,7 @@ This example creates ten Kubernetes certificate stores: - [Step 1: Choose The Store Types](#step-1-choose-the-store-types) - [Step 2: Prepare Static Credential Rows](#step-2-prepare-static-credential-rows) - [Step 3: Prepare PAM Provider Rows](#step-3-prepare-pam-provider-rows) +- [Formatting Secret Values In CSV](#formatting-secret-values-in-csv) - [Step 4: Create K8SSecret Stores](#step-4-create-k8ssecret-stores) - [Step 5: Create K8STLSSecr Stores](#step-5-create-k8stlssecr-stores) - [Step 6: Verify The Created Stores](#step-6-verify-the-created-stores) 
@@ -82,6 +83,33 @@ ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.KubeSecretName,Pr The provider ID and parameter names depend on your PAM provider type. +## Formatting Secret Values In CSV + +Use normal CSV quoting rules for static credential values. + +For non-JSON secrets, put the value directly in the credential column. Quote the value if it contains commas, quotes, or line breaks: + +```csv +Properties.ServerUsername,Properties.ServerPassword +kubeconfig,"plain,password,with,commas" +``` + +For JSON secrets, put the complete JSON document in one CSV cell and escape inner quotes by doubling them: + +```csv +Properties.ServerUsername,Properties.ServerPassword +kubeconfig,"{""kind"":""Config"",""apiVersion"":""v1"",""clusters"":[]}" +``` + +Do not split JSON secrets across multiple property columns. The entire JSON value belongs in `Properties.ServerPassword`, `Properties.ServerUsername`, `Password`, or a `*.SecretValue` column. + +For PAM-backed credentials, do not put JSON in the direct secret column. Use the provider and parameter columns instead: + +```csv +Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.SecretName,Properties.ServerPassword.Parameters.SecretType +30,dev/aks/kf-integrations,static_json +``` + ## Step 4: Create K8SSecret Stores Create a CSV named `k8ssecret_bulk_create.csv` with five rows: diff --git a/docs/use-cases/Certificate Store Operations/bulk-certificate-store-updates.md b/docs/use-cases/Certificate Store Operations/bulk-certificate-store-updates.md index 06635c27..4d20fec7 100644 --- a/docs/use-cases/Certificate Store Operations/bulk-certificate-store-updates.md +++ b/docs/use-cases/Certificate Store Operations/bulk-certificate-store-updates.md 
@@ -24,6 +24,7 @@ export stores -> edit CSV -> sync import -> review results -> verify changes - [Step 4: Review Results](#step-4-review-results) - [Step 5: Verify Changes](#step-5-verify-changes) - [Credentials](#credentials) +- [Formatting Secret Values In CSV](#formatting-secret-values-in-csv) - [PAM Provider Credentials](#pam-provider-credentials) - [Template Option](#template-option) - [Operational Guidance](#operational-guidance) @@ -199,6 +200,35 @@ Values in the CSV take precedence over flags, environment variables, and prompts Avoid putting secrets in CSV files unless your operating procedures allow it. If you do use CSV-based secrets, protect the file, results file, and shell history accordingly. +## Formatting Secret Values In CSV + +Static credential values use normal CSV quoting rules. + +For non-JSON secrets, put the value directly in the credential column. Quote the value if it contains commas, quotes, or line breaks: + +```csv +Properties.ServerUsername,Properties.ServerPassword +kubeconfig,"plain,password,with,commas" +``` + +For JSON secrets such as kubeconfig content, put the complete JSON document in one CSV cell and escape inner quotes by doubling them: + +```csv +Properties.ServerUsername,Properties.ServerPassword +kubeconfig,"{""kind"":""Config"",""apiVersion"":""v1"",""clusters"":[]}" +``` + +`kfutil` treats credential fields as secret strings even when they look like JSON. This applies to: + +```text +Properties.ServerUsername +Properties.ServerPassword +Password +*.SecretValue +``` + +For PAM-backed credentials, use provider and parameter columns instead of a direct secret value. + ## PAM Provider Credentials Certificate store credentials can also reference a Keyfactor PAM provider instead of carrying a direct secret value. This is supported for CSV create and sync workflows when the CSV uses the provider columns exported by `kfutil`. 
diff --git a/docs/use-cases/Certificate Store Operations/migrate-static-store-credentials-to-pam.md b/docs/use-cases/Certificate Store Operations/migrate-static-store-credentials-to-pam.md index 5a9075f1..8984e54a 100644 --- a/docs/use-cases/Certificate Store Operations/migrate-static-store-credentials-to-pam.md +++ b/docs/use-cases/Certificate Store Operations/migrate-static-store-credentials-to-pam.md @@ -123,6 +123,8 @@ Review the sync results file and confirm the `Errors` column is empty for each m ## Notes - This workflow changes where Keyfactor retrieves the store credential. It does not rotate the credential in the target system. +- When moving the other direction, from PAM-backed credentials to static credentials, put JSON secrets in one CSV cell and escape inner quotes by doubling them, for example `"{""kind"":""Config""}"`. +- Non-JSON static secrets can be written directly in the credential column, with normal CSV quoting when the value contains commas, quotes, or line breaks. - For provider-backed `ServerUsername`, use the same pattern with `Properties.ServerUsername.Provider` and `Properties.ServerUsername.Parameters.*`. - For store-level passwords, use `Password.ProviderId` and `Password.Parameters.*`. - Test with one store before applying the same provider values to many stores. From f9d6c340843795f29dc412909c5c59892ee7e700 Mon Sep 17 00:00:00 2001 From: spbsoluble <1661003+spbsoluble@users.noreply.github.com> Date: Fri, 1 May 2026 12:43:44 -0700 Subject: [PATCH 07/17] docs: link use cases from README --- CHANGELOG.md | 2 ++ README.md | 5 +++++ 2 files changed, 7 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index b9ebe7eb..fc1443dc 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -9,6 +9,8 @@ ### Docs +- Add top-level README link to the use-case documentation index. +- Add use-case documentation for bulk certificate store creation. - Add use-case documentation for bulk certificate store updates. - Add use-case documentation for migrating certificate store credentials from static values to a PAM provider. diff --git a/README.md b/README.md index 72bd5850..58f4879d 100644 --- a/README.md +++ b/README.md @@ -20,6 +20,11 @@ at https://support.keyfactor.com/ To report a problem or suggest a new feature, use the **[Issues](../../issues)** tab. If you want to contribute actual bug fixes or proposed enhancements, use the **[Pull requests](../../pulls)** tab. +## Documentation + +- [Command Reference](docs/kfutil.md) +- [Use Cases](docs/use-cases/README.md) + ## Quickstart ### Linux/MacOS From 95419e130dae992110e60f38008768bcbd3f8fe7 Mon Sep 17 00:00:00 2001 
From: spbsoluble <1661003+spbsoluble@users.noreply.github.com> Date: Fri, 1 May 2026 12:55:46 -0700 Subject: [PATCH 08/17] docs: generate store type bulk operation guides --- CHANGELOG.md | 1 + GNUmakefile | 5 +- .../Certificate Store Operations/README.md | 1 + .../Store Types/README.md | 87 +++ .../Store Types/akamai.md | 157 +++++ .../Store Types/akv.md | 108 ++++ .../Store Types/alteonlb.md | 90 +++ .../Store Types/appgwbin.md | 116 ++++ .../Store Types/aruba.md | 122 ++++ .../Store Types/aws-acm-v3.md | 133 +++++ .../Store Types/aws-acm.md | 130 ++++ .../Store Types/axisipcamera.md | 120 ++++ .../Store Types/azureapp.md | 116 ++++ .../Store Types/azureapp2.md | 118 ++++ .../Store Types/azureappgw.md | 116 ++++ .../Store Types/azuresp.md | 116 ++++ .../Store Types/azuresp2.md | 118 ++++ .../Store Types/barracudawaf.md | 97 +++ .../Store Types/bmc.md | 126 ++++ .../Store Types/boschipcamera.md | 122 ++++ .../Store Types/ciscoasa.md | 121 ++++ .../Store Types/citrixadc.md | 124 ++++ .../Store Types/datapower.md | 116 ++++ .../Store Types/f5-bigiq.md | 111 ++++ .../Store Types/f5-ca-rest.md | 118 ++++ .../Store Types/f5-sl-rest.md | 129 ++++ .../Store Types/f5-ws-rest.md | 118 ++++ .../Store Types/f5wafca.md | 111 ++++ .../Store Types/f5waftls.md | 111 ++++ .../Store Types/fortigate.md | 96 +++ .../Store Types/fortiweb.md | 113 ++++ .../Store Types/gcpapigee.md | 109 ++++ .../Store Types/gcpcertmgr.md | 95 +++ .../Store Types/gcploadbal.md | 108 ++++ .../Store Types/gcpscrtmgr.md | 107 ++++ .../Store Types/hcvkv.md | 94 +++ .../Store Types/hcvkvjks.md | 116 ++++ .../Store Types/hcvkvp12.md | 116 ++++ .../Store Types/hcvkvpem.md | 116 ++++ .../Store Types/hcvkvpfx.md | 116 ++++ .../Store Types/hcvpki.md | 115 ++++ .../Store Types/hpilo.md | 104 ++++ .../Store Types/idrac.md | 111 ++++ .../Store Types/iisu.md | 129 ++++ .../Store Types/imperva.md | 96 +++ .../Store Types/k8scert.md | 110 ++++ .../Store Types/k8scluster.md | 111 ++++ .../Store Types/k8sjks.md | 117 
++++ .../Store Types/k8sns.md | 112 ++++ .../Store Types/k8spkcs12.md | 117 ++++ .../Store Types/k8ssecret.md | 114 ++++ .../Store Types/k8stlssecr.md | 114 ++++ .../Store Types/kemp.md | 112 ++++ .../Store Types/most.md | 91 +++ .../Store Types/nmap.md | 88 +++ .../Store Types/oktaapp.md | 103 ++++ .../Store Types/oktaidp.md | 103 ++++ .../Store Types/paloalto.md | 115 ++++ .../Store Types/rfder.md | 121 ++++ .../Store Types/rfjks.md | 121 ++++ .../Store Types/rfkdb.md | 120 ++++ .../Store Types/rfora.md | 121 ++++ .../Store Types/rfpem.md | 125 ++++ .../Store Types/rfpkcs12.md | 120 ++++ .../Store Types/signum.md | 111 ++++ .../Store Types/sos.md | 122 ++++ .../Store Types/thundermgmt.md | 115 ++++ .../Store Types/thunderssl.md | 94 +++ .../Store Types/vcenter.md | 111 ++++ .../Store Types/vmware-nsx.md | 112 ++++ .../Store Types/winadfs.md | 123 ++++ .../Store Types/wincermgmt.md | 90 +++ .../Store Types/wincert.md | 123 ++++ .../Store Types/winsql.md | 125 ++++ tools/storetypedocs/main.go | 564 ++++++++++++++++++ 75 files changed, 8623 insertions(+), 1 deletion(-) create mode 100644 docs/use-cases/Certificate Store Operations/Store Types/README.md create mode 100644 docs/use-cases/Certificate Store Operations/Store Types/akamai.md create mode 100644 docs/use-cases/Certificate Store Operations/Store Types/akv.md create mode 100644 docs/use-cases/Certificate Store Operations/Store Types/alteonlb.md create mode 100644 docs/use-cases/Certificate Store Operations/Store Types/appgwbin.md create mode 100644 docs/use-cases/Certificate Store Operations/Store Types/aruba.md create mode 100644 docs/use-cases/Certificate Store Operations/Store Types/aws-acm-v3.md create mode 100644 docs/use-cases/Certificate Store Operations/Store Types/aws-acm.md create mode 100644 docs/use-cases/Certificate Store Operations/Store Types/axisipcamera.md create mode 100644 docs/use-cases/Certificate Store Operations/Store Types/azureapp.md create mode 100644 docs/use-cases/Certificate Store 
Operations/Store Types/azureapp2.md create mode 100644 docs/use-cases/Certificate Store Operations/Store Types/azureappgw.md create mode 100644 docs/use-cases/Certificate Store Operations/Store Types/azuresp.md create mode 100644 docs/use-cases/Certificate Store Operations/Store Types/azuresp2.md create mode 100644 docs/use-cases/Certificate Store Operations/Store Types/barracudawaf.md create mode 100644 docs/use-cases/Certificate Store Operations/Store Types/bmc.md create mode 100644 docs/use-cases/Certificate Store Operations/Store Types/boschipcamera.md create mode 100644 docs/use-cases/Certificate Store Operations/Store Types/ciscoasa.md create mode 100644 docs/use-cases/Certificate Store Operations/Store Types/citrixadc.md create mode 100644 docs/use-cases/Certificate Store Operations/Store Types/datapower.md create mode 100644 docs/use-cases/Certificate Store Operations/Store Types/f5-bigiq.md create mode 100644 docs/use-cases/Certificate Store Operations/Store Types/f5-ca-rest.md create mode 100644 docs/use-cases/Certificate Store Operations/Store Types/f5-sl-rest.md create mode 100644 docs/use-cases/Certificate Store Operations/Store Types/f5-ws-rest.md create mode 100644 docs/use-cases/Certificate Store Operations/Store Types/f5wafca.md create mode 100644 docs/use-cases/Certificate Store Operations/Store Types/f5waftls.md create mode 100644 docs/use-cases/Certificate Store Operations/Store Types/fortigate.md create mode 100644 docs/use-cases/Certificate Store Operations/Store Types/fortiweb.md create mode 100644 docs/use-cases/Certificate Store Operations/Store Types/gcpapigee.md create mode 100644 docs/use-cases/Certificate Store Operations/Store Types/gcpcertmgr.md create mode 100644 docs/use-cases/Certificate Store Operations/Store Types/gcploadbal.md create mode 100644 docs/use-cases/Certificate Store Operations/Store Types/gcpscrtmgr.md create mode 100644 docs/use-cases/Certificate Store Operations/Store Types/hcvkv.md create mode 100644 
docs/use-cases/Certificate Store Operations/Store Types/hcvkvjks.md create mode 100644 docs/use-cases/Certificate Store Operations/Store Types/hcvkvp12.md create mode 100644 docs/use-cases/Certificate Store Operations/Store Types/hcvkvpem.md create mode 100644 docs/use-cases/Certificate Store Operations/Store Types/hcvkvpfx.md create mode 100644 docs/use-cases/Certificate Store Operations/Store Types/hcvpki.md create mode 100644 docs/use-cases/Certificate Store Operations/Store Types/hpilo.md create mode 100644 docs/use-cases/Certificate Store Operations/Store Types/idrac.md create mode 100644 docs/use-cases/Certificate Store Operations/Store Types/iisu.md create mode 100644 docs/use-cases/Certificate Store Operations/Store Types/imperva.md create mode 100644 docs/use-cases/Certificate Store Operations/Store Types/k8scert.md create mode 100644 docs/use-cases/Certificate Store Operations/Store Types/k8scluster.md create mode 100644 docs/use-cases/Certificate Store Operations/Store Types/k8sjks.md create mode 100644 docs/use-cases/Certificate Store Operations/Store Types/k8sns.md create mode 100644 docs/use-cases/Certificate Store Operations/Store Types/k8spkcs12.md create mode 100644 docs/use-cases/Certificate Store Operations/Store Types/k8ssecret.md create mode 100644 docs/use-cases/Certificate Store Operations/Store Types/k8stlssecr.md create mode 100644 docs/use-cases/Certificate Store Operations/Store Types/kemp.md create mode 100644 docs/use-cases/Certificate Store Operations/Store Types/most.md create mode 100644 docs/use-cases/Certificate Store Operations/Store Types/nmap.md create mode 100644 docs/use-cases/Certificate Store Operations/Store Types/oktaapp.md create mode 100644 docs/use-cases/Certificate Store Operations/Store Types/oktaidp.md create mode 100644 docs/use-cases/Certificate Store Operations/Store Types/paloalto.md create mode 100644 docs/use-cases/Certificate Store Operations/Store Types/rfder.md create mode 100644 docs/use-cases/Certificate 
Store Operations/Store Types/rfjks.md create mode 100644 docs/use-cases/Certificate Store Operations/Store Types/rfkdb.md create mode 100644 docs/use-cases/Certificate Store Operations/Store Types/rfora.md create mode 100644 docs/use-cases/Certificate Store Operations/Store Types/rfpem.md create mode 100644 docs/use-cases/Certificate Store Operations/Store Types/rfpkcs12.md create mode 100644 docs/use-cases/Certificate Store Operations/Store Types/signum.md create mode 100644 docs/use-cases/Certificate Store Operations/Store Types/sos.md create mode 100644 docs/use-cases/Certificate Store Operations/Store Types/thundermgmt.md create mode 100644 docs/use-cases/Certificate Store Operations/Store Types/thunderssl.md create mode 100644 docs/use-cases/Certificate Store Operations/Store Types/vcenter.md create mode 100644 docs/use-cases/Certificate Store Operations/Store Types/vmware-nsx.md create mode 100644 docs/use-cases/Certificate Store Operations/Store Types/winadfs.md create mode 100644 docs/use-cases/Certificate Store Operations/Store Types/wincermgmt.md create mode 100644 docs/use-cases/Certificate Store Operations/Store Types/wincert.md create mode 100644 docs/use-cases/Certificate Store Operations/Store Types/winsql.md create mode 100644 tools/storetypedocs/main.go diff --git a/CHANGELOG.md b/CHANGELOG.md index fc1443dc..f4996cc6 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -13,6 +13,7 @@ - Add use-case documentation for bulk certificate store creation. - Add use-case documentation for bulk certificate store updates. - Add use-case documentation for migrating certificate store credentials from static values to a PAM provider. +- Add generated per-store-type bulk create and update use-case guides. # v1.9.1 diff --git a/GNUmakefile b/GNUmakefile index 3ec82577..016bb492 100644 --- a/GNUmakefile +++ b/GNUmakefile 
@@ -83,5 +83,8 @@ generate_toc: @command -v markdown-toc >/dev/null 2>&1 || (echo "markdown-toc is not installed. Installing..." && npm install -g markdown-toc) markdown-toc -i $(MARKDOWN_FILE) --skip 'Table of Contents' +store-type-docs: + GOWORK=off GOCACHE=/tmp/kfutil-gocache go run ./tools/storetypedocs -.PHONY: build prerelease release install test fmt vendor version setversion \ No newline at end of file + +.PHONY: build prerelease release install test fmt vendor version setversion store-type-docs diff --git a/docs/use-cases/Certificate Store Operations/README.md b/docs/use-cases/Certificate Store Operations/README.md index 86751434..3526c78b 100644 --- a/docs/use-cases/Certificate Store Operations/README.md +++ b/docs/use-cases/Certificate Store Operations/README.md @@ -5,3 +5,4 @@ Use cases for bulk certificate store workflows. - [Bulk Certificate Store Creation](bulk-certificate-store-creation.md) - [Bulk Certificate Store Updates](bulk-certificate-store-updates.md) - [Migrate Static Store Credentials To A PAM Provider](migrate-static-store-credentials-to-pam.md) +- [Store Type Bulk Create And Update Guides](Store%20Types/README.md) diff --git a/docs/use-cases/Certificate Store Operations/Store Types/README.md b/docs/use-cases/Certificate Store Operations/Store Types/README.md new file mode 100644 index 00000000..a930469f --- /dev/null +++ b/docs/use-cases/Certificate Store Operations/Store Types/README.md 
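Review bot: The new `store-type-docs` target pins the Go build cache to the fixed path `/tmp/kfutil-gocache`, a predictable name inside a world-writable directory; on a shared host another local user can create or populate that directory before the first run, and since the Go toolchain treats cache entries as trusted, the generator could then be built from stale or tampered objects. Unless there is a reason to avoid the developer's own cache, dropping the override is simplest: `GOWORK=off go run ./tools/storetypedocs`; if isolation from the normal cache is the intent, a per-run directory such as `GOCACHE=$$(mktemp -d) go run ./tools/storetypedocs` keeps the path unpredictable and user-owned. The `GOWORK=off` part also deserves a one-line comment above the recipe stating why it is needed, e.g. `# GOWORK=off: build the generator from this module only, ignoring any enclosing go.work`.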
@@ -0,0 +1,87 @@ + +# Store Type Bulk Create And Update Guides + +These docs are generated from `cmd/store_types.json` and describe the CSV columns used by `kfutil stores import csv` for each embedded certificate store type. + +Regenerate after store type metadata changes: + +```bash +make store-type-docs +``` + +Use `kfutil stores import generate-template` against a live Command environment when you need a template that reflects deployed customizations. + +## Store Types + +| Store Type | Name | Store Password | Secret/PAM Columns | +| --- | --- | --- | --- | +| [`Akamai`](akamai.md) | Akamai Certificate Provisioning Service | Not required | 3 secret properties | +| [`AKV`](akv.md) | Azure Keyvault | Not required | None | +| [`AlteonLB`](alteonlb.md) | Alteon Load Balancer | Not required | None | +| [`AppGwBin`](appgwbin.md) | Azure Application Gateway Certificate Binding | Not required | 3 secret properties | +| [`Aruba`](aruba.md) | Aruba | Not required | 2 secret properties | +| [`AWS-ACM`](aws-acm.md) | AWS Certificate Manager | Not required | 2 secret properties | +| [`AWS-ACM-v3`](aws-acm-v3.md) | AWS Certificate Manager v3 | Not required | 4 secret properties | +| [`AxisIPCamera`](axisipcamera.md) | Axis IP Camera | Not required | 2 secret properties | +| [`AzureApp`](azureapp.md) | Azure App Registration (Application) | Not required | 3 secret properties | +| [`AzureApp2`](azureapp2.md) | Azure App Registration 2 (Application) | Not required | 4 secret properties | +| [`AzureAppGw`](azureappgw.md) | Azure Application Gateway Certificate | Not required | 3 secret properties | +| [`AzureSP`](azuresp.md) | Azure Enterprise Application (Service Principal) | Not required | 3 secret properties | +| [`AzureSP2`](azuresp2.md) | Azure Enterprise Application 2 (Service Principal) | Not required | 4 secret properties | +| [`BarracudaWaf`](barracudawaf.md) | Barracuda WAF | Not required | None | +| [`BMC`](bmc.md) | BMC Orchestrator Solution | Required | 2 secret 
properties | +| [`BoschIPCamera`](boschipcamera.md) | Bosch IP Camera | Not required | 2 secret properties | +| [`CiscoAsa`](ciscoasa.md) | CiscoAsa | Not required | 2 secret properties | +| [`CitrixAdc`](citrixadc.md) | CitrixAdc | Required; PAM eligible | 2 secret properties | +| [`DataPower`](datapower.md) | IBM Data Power | Not required | 2 secret properties | +| [`F5-BigIQ`](f5-bigiq.md) | F5 Big IQ | Not required | 2 secret properties | +| [`F5-CA-REST`](f5-ca-rest.md) | F5 CA Profiles REST | Not required | 2 secret properties | +| [`F5-SL-REST`](f5-sl-rest.md) | F5 SSL Profiles REST | Required; PAM eligible | 2 secret properties | +| [`F5-WS-REST`](f5-ws-rest.md) | F5 WS Profiles REST | Not required | 2 secret properties | +| [`f5WafCa`](f5wafca.md) | F5 WAF CA | Not required | 2 secret properties | +| [`f5WafTls`](f5waftls.md) | F5 WAF TLS | Not required | 2 secret properties | +| [`Fortigate`](fortigate.md) | Fortigate | Required; PAM eligible | None | +| [`FortiWeb`](fortiweb.md) | FortiWeb | Not required | 2 secret properties | +| [`GcpApigee`](gcpapigee.md) | Google Cloud Provider Apigee | Not required | 1 secret property | +| [`GcpCertMgr`](gcpcertmgr.md) | GCP Certificate Manager | Not required | None | +| [`GCPLoadBal`](gcploadbal.md) | GCP Load Balancer | Not required | 1 secret property | +| [`GCPScrtMgr`](gcpscrtmgr.md) | GCPScrtMgr | Required; PAM eligible | None | +| [`HCVKV`](hcvkv.md) | Hashicorp Vault Key-Value | Not required | None | +| [`HCVKVJKS`](hcvkvjks.md) | Hashicorp Vault Key-Value JKS | Optional; PAM eligible | 2 secret properties | +| [`HCVKVP12`](hcvkvp12.md) | Hashicorp Vault Key-Value PKCS12 | Optional; PAM eligible | 2 secret properties | +| [`HCVKVPEM`](hcvkvpem.md) | Hashicorp Vault Key-Value PEM | Optional; PAM eligible | 2 secret properties | +| [`HCVKVPFX`](hcvkvpfx.md) | Hashicorp Vault Key-Value PFX | Optional; PAM eligible | 2 secret properties | +| [`HCVPKI`](hcvpki.md) | Hashicorp Vault PKI | Optional; PAM eligible | 
2 secret properties | +| [`HPiLO`](hpilo.md) | HP iLO Cert Store | Not required | None | +| [`iDRAC`](idrac.md) | iDRAC | Not required | 2 secret properties | +| [`IISU`](iisu.md) | IIS Bound Certificate | Not required | 2 secret properties | +| [`Imperva`](imperva.md) | Imperva | Required; PAM eligible | None | +| [`K8SCert`](k8scert.md) | K8SCert | Not required | 2 secret properties | +| [`K8SCluster`](k8scluster.md) | K8SCluster | Not required | 2 secret properties | +| [`K8SJKS`](k8sjks.md) | K8SJKS | Required | 2 secret properties | +| [`K8SNS`](k8sns.md) | K8SNS | Not required | 2 secret properties | +| [`K8SPKCS12`](k8spkcs12.md) | K8SPKCS12 | Required | 2 secret properties | +| [`K8SSecret`](k8ssecret.md) | K8SSecret | Not required | 2 secret properties | +| [`K8STLSSecr`](k8stlssecr.md) | K8STLSSecr | Not required | 2 secret properties | +| [`Kemp`](kemp.md) | Kemp | Not required | 2 secret properties | +| [`MOST`](most.md) | MyOrchestratorStoreType | Not required | None | +| [`Nmap`](nmap.md) | Nmap Orchestrator | Not required | None | +| [`OktaApp`](oktaapp.md) | OktaApp | Not required | None | +| [`OktaIdP`](oktaidp.md) | OktaIdP | Not required | None | +| [`PaloAlto`](paloalto.md) | PaloAlto | Not required | 2 secret properties | +| [`RFDER`](rfder.md) | RFDER | Required; PAM eligible | 2 secret properties | +| [`RFJKS`](rfjks.md) | RFJKS | Required; PAM eligible | 2 secret properties | +| [`RFKDB`](rfkdb.md) | RFKDB | Required; PAM eligible | 2 secret properties | +| [`RFORA`](rfora.md) | RFORA | Required; PAM eligible | 2 secret properties | +| [`RFPEM`](rfpem.md) | RFPEM | Required; PAM eligible | 2 secret properties | +| [`RFPkcs12`](rfpkcs12.md) | RFPkcs12 | Required; PAM eligible | 2 secret properties | +| [`Signum`](signum.md) | Signum | Not required | 2 secret properties | +| [`SOS`](sos.md) | Sample Orchestrator Solution | Required | 1 secret property | +| [`ThunderMgmt`](thundermgmt.md) | A10 Thunder Management Certificates | Not required | 2 
secret properties | +| [`ThunderSsl`](thunderssl.md) | A10 Thunder Ssl Certificates | Not required | None | +| [`vCenter`](vcenter.md) | VMware vCenter | Not required | 2 secret properties | +| [`VMware-NSX`](vmware-nsx.md) | VMware-NSX | Not required | 2 secret properties | +| [`WinAdfs`](winadfs.md) | ADFS Rotation Manager | Not required | 2 secret properties | +| [`WinCerMgmt`](wincermgmt.md) | WinCerMgmt | Not required | None | +| [`WinCert`](wincert.md) | Windows Certificate | Not required | 2 secret properties | +| [`WinSql`](winsql.md) | WinSql | Not required | 2 secret properties | diff --git a/docs/use-cases/Certificate Store Operations/Store Types/akamai.md b/docs/use-cases/Certificate Store Operations/Store Types/akamai.md new file mode 100644 index 00000000..fc4e2868 --- /dev/null +++ b/docs/use-cases/Certificate Store Operations/Store Types/akamai.md 
@@ -0,0 +1,157 @@ + +# Akamai - Akamai Certificate Provisioning Service + +[Store Type Index](README.md) | [Certificate Store Operations](../README.md) + +Generated from `cmd/store_types.json`. Regenerate with: + +```bash +make store-type-docs +``` + +## Overview + +| Field | Value | +| --- | --- | +| Store type | `Akamai` | +| Name | Akamai Certificate Provisioning Service | +| Capability | Akamai | +| Server required | No | +| Store path type | MultipleChoice | +| Store path value | ["Production","Staging"] | +| Custom alias | Forbidden | +| Private key | Forbidden | +| Store password | Not required | +| Supported operations | Enrollment | + +**ClientMachine:** The Client Machine field is the Akamai REST API URL. This should be equal to the "host" value from the API credentials file. + +**StorePath:** The Akamai network the certificate will be managed from. Value can be either "Production" or "Staging". + +## Bulk Create + +Use one CSV per store type. The generated create headers for this store type are: + +```csv +ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.access_token,Properties.client_token,Properties.client_secret,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time +``` + +Create stores from the CSV: + +```bash +kfutil stores import csv \ + --file akamai_bulk_create.csv \ + --store-type-name Akamai \ + --no-prompt +``` + +To generate a live template from Command instead of using the static header list above: + +```bash +kfutil stores import generate-template \ + --store-type-name Akamai \ + --outpath akamai_bulk_create_template.csv \ + --no-prompt +``` + +## Bulk Update + +Export existing stores, edit the desired columns, then sync the rows back by `Id`: + +```bash +kfutil stores export \ + --store-type-name Akamai \ + --outpath akamai_export.csv \ + --no-prompt + +kfutil stores import csv \ + --file akamai_export.csv \ + 
--store-type-name Akamai \ + --sync \ + --no-prompt +``` + +Minimum sync rows must include `Id`. Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them. + +Common update headers for this store type are: + +```csv +Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.access_token,Properties.client_token,Properties.client_secret,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time +``` + +## Store Properties + +| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description | +| --- | --- | --- | --- | --- | --- | --- | --- | +| `Properties.access_token` | Access Token | Secret | Yes | - | - | Secret | The Akamai access_token for authentication. | +| `Properties.client_token` | Client Token | Secret | Yes | - | - | Secret | The Akamai client_token for authentication. | +| `Properties.client_secret` | Client Secret | Secret | Yes | - | - | Secret | The Akamai client_secret for authentication. | + +## Certificate Entry Parameters + +These parameters apply to certificate add/enrollment operations for this store type. They are not store create/sync CSV columns unless another workflow explicitly asks for them. + +| Name | Display name | Type | Required when | Default | Depends on | Description | +| --- | --- | --- | --- | --- | --- | --- | +| `EnrollmentId` | Enrollment ID | String | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":false,"OnRemove":false} | - | - | Enrollment ID of a certificate enrollment in Akamai. This should only be supplied for ODKG when replacing an existing certificate. | +| `ContractId` | Contract ID | String | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":true,"OnRemove":false} | SET-DEFAULT | - | The Contract ID of your account in Akamai. 
| +| `Sans` | SANs | String | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":true,"OnRemove":false} | - | - | SANs for the new certificate. If multiple are supplied, they should be split with an ampersand character '&' | +| `admin-addressLineOne` | Admin - Address Line 1 | String | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":true,"OnRemove":false} | SET-DEFAULT | - | Required field for Administrator contact. | +| `admin-addressLineTwo` | Admin - Address Line 2 | String | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":false,"OnRemove":false} | - | - | Optional field for Administrator contact. | +| `admin-city` | Admin - City | String | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":true,"OnRemove":false} | SET-DEFAULT | - | Required field for Administrator contact. | +| `admin-country` | Admin - Country | String | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":true,"OnRemove":false} | SET-DEFAULT | - | Required field for Administrator contact. | +| `admin-email` | Admin - Email | String | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":true,"OnRemove":false} | SET-DEFAULT | - | Required field for Administrator contact. | +| `admin-firstName` | Admin - First Name | String | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":true,"OnRemove":false} | SET-DEFAULT | - | Required field for Administrator contact. | +| `admin-lastName` | Admin - Last Name | String | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":true,"OnRemove":false} | SET-DEFAULT | - | Required field for Administrator contact. | +| `admin-organizationName` | Admin - Organization Name | String | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":true,"OnRemove":false} | SET-DEFAULT | - | Required field for Administrator contact. | +| `admin-phone` | Admin - Phone | String | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":true,"OnRemove":false} | SET-DEFAULT | - | Required field for Administrator contact. 
| +| `admin-postalCode` | Admin - Postal Code | String | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":true,"OnRemove":false} | SET-DEFAULT | - | Required field for Administrator contact. | +| `admin-region` | Admin - Region | String | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":true,"OnRemove":false} | SET-DEFAULT | - | Required field for Administrator contact. | +| `admin-title` | Admin - Title | String | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":true,"OnRemove":false} | SET-DEFAULT | - | Required field for Administrator contact. | +| `org-addressLineOne` | Org - Address Line 1 | String | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":true,"OnRemove":false} | SET-DEFAULT | - | Required field for Organization contact. | +| `org-addressLineTwo` | Org - Address Line 2 | String | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":false,"OnRemove":false} | - | - | Optional field for Organization contact. | +| `org-city` | Org - City | String | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":true,"OnRemove":false} | SET-DEFAULT | - | Required field for Organization contact. | +| `org-country` | Org - Country | String | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":true,"OnRemove":false} | SET-DEFAULT | - | Required field for Organization contact. | +| `org-organizationName` | Org - Organization Name | String | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":true,"OnRemove":false} | SET-DEFAULT | - | Required field for Organization contact. | +| `org-phone` | Org - Phone | String | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":true,"OnRemove":false} | SET-DEFAULT | - | Required field for Organization contact. | +| `org-postalCode` | Org - Postal Code | String | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":true,"OnRemove":false} | SET-DEFAULT | - | Required field for Organization contact. 
| +| `org-region` | Org - Region | String | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":true,"OnRemove":false} | SET-DEFAULT | - | Required field for Organization contact. | +| `tech-addressLineOne` | Tech - Address Line 1 | String | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":true,"OnRemove":false} | SET-DEFAULT | - | Required field for Akamai Tech contact. | +| `tech-addressLineTwo` | Tech - Address Line 2 | String | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":false,"OnRemove":false} | - | - | Optional field for Akamai Tech contact. | +| `tech-city` | Tech - City | String | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":true,"OnRemove":false} | SET-DEFAULT | - | Required field for Akamai Tech contact. | +| `tech-country` | Tech - Country | String | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":true,"OnRemove":false} | SET-DEFAULT | - | Required field for Akamai Tech contact. | +| `tech-email` | Tech - Email | String | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":true,"OnRemove":false} | SET-DEFAULT | - | Required field for Akamai Tech contact. Must be an akamai.com email address. | +| `tech-firstName` | Tech - First Name | String | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":true,"OnRemove":false} | SET-DEFAULT | - | Required field for Akamai Tech contact. | +| `tech-lastName` | Tech - Last Name | String | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":true,"OnRemove":false} | SET-DEFAULT | - | Required field for Akamai Tech contact. | +| `tech-organizationName` | Tech - Organization Name | String | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":true,"OnRemove":false} | Akamai | - | Required field for Akamai Tech contact. | +| `tech-phone` | Tech - Phone | String | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":true,"OnRemove":false} | SET-DEFAULT | - | Required field for Akamai Tech contact. 
| +| `tech-postalCode` | Tech - Postal Code | String | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":true,"OnRemove":false} | SET-DEFAULT | - | Required field for Akamai Tech contact. | +| `tech-region` | Tech - Region | String | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":true,"OnRemove":false} | SET-DEFAULT | - | Required field for Akamai Tech contact. | +| `tech-title` | Tech - Title | String | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":true,"OnRemove":false} | SET-DEFAULT | - | Required field for Akamai Tech contact. | +| `deployment-network` | Deployment Network | MultipleChoice | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":true,"OnRemove":false} | Standard TLS | - | Required field for Deployment Network. | + +## Secret And PAM Formatting + +Direct secret values go in the base property column. If the secret value is JSON, keep the entire JSON document in one quoted CSV cell. + +```csv +Properties.access_token +Properties.client_token +Properties.client_secret +``` + +PAM-backed property secrets use provider and parameter columns: + +```csv +Properties.access_token.Provider,Properties.access_token.Parameters. +Properties.client_token.Provider,Properties.client_token.Parameters. +Properties.client_secret.Provider,Properties.client_secret.Parameters. +``` + +## References + +- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md) +- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md) +- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md) +- [kfutil stores import csv](../../../kfutil_stores_import_csv.md) +- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md) diff --git a/docs/use-cases/Certificate Store Operations/Store Types/akv.md b/docs/use-cases/Certificate Store Operations/Store Types/akv.md new file mode 100644 index 00000000..d44f1528 --- /dev/null 
+++ b/docs/use-cases/Certificate Store Operations/Store Types/akv.md 
@@ -0,0 +1,108 @@ + +# AKV - Azure Keyvault + +[Store Type Index](README.md) | [Certificate Store Operations](../README.md) + +Generated from `cmd/store_types.json`. Regenerate with: + +```bash +make store-type-docs +``` + +## Overview + +| Field | Value | +| --- | --- | +| Store type | `AKV` | +| Name | Azure Keyvault | +| Capability | AKV | +| Server required | Yes | +| Store path type | - | +| Store path value | - | +| Custom alias | Optional | +| Private key | Optional | +| Store password | Not required | +| Supported operations | Add, Create, Discovery, Remove | + +**ClientMachine:** The GUID of the tenant ID of the Azure Keyvault instance; for example, '12345678-1234-1234-1234-123456789abc'. + +**StorePath:** A string formatted as '{subscription id}:{resource group name}:{vault name}'; for example, '12345678-1234-1234-1234-123456789abc:myResourceGroup:myVault'. + +## Bulk Create + +Use one CSV per store type. The generated create headers for this store type are: + +```csv +ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.TenantId,Properties.SkuType,Properties.VaultRegion,Properties.AzureCloud,Properties.PrivateEndpoint,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time +``` + +Create stores from the CSV: + +```bash +kfutil stores import csv \ + --file akv_bulk_create.csv \ + --store-type-name AKV \ + --no-prompt +``` + +To generate a live template from Command instead of using the static header list above: + +```bash +kfutil stores import generate-template \ + --store-type-name AKV \ + --outpath akv_bulk_create_template.csv \ + --no-prompt +``` + +## Bulk Update + +Export existing stores, edit the desired columns, then sync the rows back by `Id`: + +```bash +kfutil stores export \ + --store-type-name AKV \ + --outpath akv_export.csv \ + --no-prompt + +kfutil stores import csv \ + --file akv_export.csv \ + --store-type-name AKV \ + --sync 
\ + --no-prompt +``` + +Minimum sync rows must include `Id`. Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them. + +Common update headers for this store type are: + +```csv +Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.TenantId,Properties.SkuType,Properties.VaultRegion,Properties.AzureCloud,Properties.PrivateEndpoint,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time +``` + +## Store Properties + +| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description | +| --- | --- | --- | --- | --- | --- | --- | --- | +| `Properties.TenantId` | Tenant Id | String | No | - | - | No | The ID of the primary Azure Tenant where the KeyVaults are hosted | +| `Properties.SkuType` | SKU Type | MultipleChoice | No | standard,premium | - | No | The SKU type for newly created KeyVaults (only needed if needing to create new KeyVaults in your Azure subscription via Command) | +| `Properties.VaultRegion` | Vault Region | MultipleChoice | No | eastus,eastus2,westus2,westus3,westus | - | No | The Azure Region to put newly created KeyVaults (only needed if needing to create new KeyVaults in your Azure subscription via Command) | +| `Properties.AzureCloud` | Azure Cloud | MultipleChoice | No | public,china,government | - | No | The Azure Cloud where the KeyVaults are located (only necessary if not using the standard Azure Public cloud) | +| `Properties.PrivateEndpoint` | Private KeyVault Endpoint | String | No | - | - | No | The private endpoint of your vault instance (if a private endpoint is configured in Azure) | + +## Certificate Entry Parameters + +These parameters apply to certificate add/enrollment operations for this store type. They are not store create/sync CSV columns unless another workflow explicitly asks for them. 
+ +| Name | Display name | Type | Required when | Default | Depends on | Description | +| --- | --- | --- | --- | --- | --- | --- | +| `CertificateTags` | Certificate Tags | string | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":false,"OnRemove":false} | - | - | If desired, tags can be applied to the KeyVault entries. Provide them as a JSON string of key-value pairs ie: '{'tag-name': 'tag-content', 'other-tag-name': 'other-tag-content'}' | +| `PreserveExistingTags` | Preserve Existing Tags | Bool | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":false,"OnRemove":false} | False | - | If true, this will perform a union of any tags provided with enrollment with the tags on the existing cert with the same alias and apply the result to the new certificate. | +| `NonExportable` | Non Exportable Private Key | Bool | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":false,"OnRemove":false} | False | - | If true, this will mark the certificate as having a non-exportable private key when importing into Azure KeyVault | + +## References + +- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md) +- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md) +- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md) +- [kfutil stores import csv](../../../kfutil_stores_import_csv.md) +- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md) diff --git a/docs/use-cases/Certificate Store Operations/Store Types/alteonlb.md b/docs/use-cases/Certificate Store Operations/Store Types/alteonlb.md new file mode 100644 index 00000000..7bbde8d7 --- /dev/null +++ b/docs/use-cases/Certificate Store Operations/Store Types/alteonlb.md 
@@ -0,0 +1,90 @@ + +# AlteonLB - Alteon Load Balancer + +[Store Type Index](README.md) | [Certificate Store Operations](../README.md) + +Generated from `cmd/store_types.json`. Regenerate with: + +```bash +make store-type-docs +``` + +## Overview + +| Field | Value | +| --- | --- | +| Store type | `AlteonLB` | +| Name | Alteon Load Balancer | +| Capability | - | +| Server required | Yes | +| Store path type | - | +| Store path value | - | +| Custom alias | Optional | +| Private key | Optional | +| Store password | Not required | +| Supported operations | Add, Remove | + +**ClientMachine:** The hostname or IP address of the Alteon Load Balancer device (example: https://alteonlb.test.com). + +## Bulk Create + +Use one CSV per store type. The generated create headers for this store type are: + +```csv +ContainerId,ClientMachine,StorePath,CreateIfMissing,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time +``` + +Create stores from the CSV: + +```bash +kfutil stores import csv \ + --file alteonlb_bulk_create.csv \ + --store-type-name AlteonLB \ + --no-prompt +``` + +To generate a live template from Command instead of using the static header list above: + +```bash +kfutil stores import generate-template \ + --store-type-name AlteonLB \ + --outpath alteonlb_bulk_create_template.csv \ + --no-prompt +``` + +## Bulk Update + +Export existing stores, edit the desired columns, then sync the rows back by `Id`: + +```bash +kfutil stores export \ + --store-type-name AlteonLB \ + --outpath alteonlb_export.csv \ + --no-prompt + +kfutil stores import csv \ + --file alteonlb_export.csv \ + --store-type-name AlteonLB \ + --sync \ + --no-prompt +``` + +Minimum sync rows must include `Id`. Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them. 
+ +Common update headers for this store type are: + +```csv +Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time +``` + +## Store Properties + +This store type does not define additional `Properties.*` CSV columns. + +## References + +- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md) +- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md) +- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md) +- [kfutil stores import csv](../../../kfutil_stores_import_csv.md) +- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md) diff --git a/docs/use-cases/Certificate Store Operations/Store Types/appgwbin.md b/docs/use-cases/Certificate Store Operations/Store Types/appgwbin.md new file mode 100644 index 00000000..04bb5773 --- /dev/null +++ b/docs/use-cases/Certificate Store Operations/Store Types/appgwbin.md 
@@ -0,0 +1,116 @@ + +# AppGwBin - Azure Application Gateway Certificate Binding + +[Store Type Index](README.md) | [Certificate Store Operations](../README.md) + +Generated from `cmd/store_types.json`. Regenerate with: + +```bash +make store-type-docs +``` + +## Overview + +| Field | Value | +| --- | --- | +| Store type | `AppGwBin` | +| Name | Azure Application Gateway Certificate Binding | +| Capability | AzureAppGwBin | +| Server required | Yes | +| Store path type | - | +| Store path value | - | +| Custom alias | Required | +| Private key | Required | +| Store password | Not required | +| Supported operations | Add, Discovery | + +**ClientMachine:** The Azure Tenant (directory) ID that owns the Service Principal. + +**StorePath:** Azure resource ID of the application gateway, following the format: /subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.Network/applicationGateways/<application-gateway-name>. + +## Bulk Create + +Use one CSV per store type. 
The generated create headers for this store type are: + +```csv +ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,Properties.ClientCertificate,Properties.AzureCloud,Properties.ServerUseSsl,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time +``` + +Create stores from the CSV: + +```bash +kfutil stores import csv \ + --file appgwbin_bulk_create.csv \ + --store-type-name AppGwBin \ + --no-prompt +``` + +To generate a live template from Command instead of using the static header list above: + +```bash +kfutil stores import generate-template \ + --store-type-name AppGwBin \ + --outpath appgwbin_bulk_create_template.csv \ + --no-prompt +``` + +## Bulk Update + +Export existing stores, edit the desired columns, then sync the rows back by `Id`: + +```bash +kfutil stores export \ + --store-type-name AppGwBin \ + --outpath appgwbin_export.csv \ + --no-prompt + +kfutil stores import csv \ + --file appgwbin_export.csv \ + --store-type-name AppGwBin \ + --sync \ + --no-prompt +``` + +Minimum sync rows must include `Id`. Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them. 
+ +Common update headers for this store type are: + +```csv +Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,Properties.ClientCertificate,Properties.AzureCloud,Properties.ServerUseSsl,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time +``` + +## Store Properties + +| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description | +| --- | --- | --- | --- | --- | --- | --- | --- | +| `Properties.ServerUsername` | Server Username | Secret | No | - | - | Secret | Application ID of the service principal, representing the identity used for managing the Application Gateway. | +| `Properties.ServerPassword` | Server Password | Secret | No | - | - | Secret | A Client Secret that the extension will use to authenticate with the Azure Resource Management API for managing Application Gateway certificates, OR the password that encrypts the private key in ClientCertificate | +| `Properties.ClientCertificate` | Client Certificate | Secret | No | - | - | Secret | The client certificate used to authenticate with Azure Resource Management API for managing Application Gateway certificates. See the [requirements](#client-certificate-or-client-secret) for more information. | +| `Properties.AzureCloud` | Azure Global Cloud Authority Host | MultipleChoice | No | public,china,germany,government | - | No | Specifies the Azure Cloud instance used by the organization. | +| `Properties.ServerUseSsl` | Use SSL | Bool | Yes | true | - | No | Specifies whether SSL should be used for communication with the server. Set to 'true' to enable SSL, and 'false' to disable it. | + +## Secret And PAM Formatting + +Direct secret values go in the base property column. If the secret value is JSON, keep the entire JSON document in one quoted CSV cell. 
+ +```csv +Properties.ServerUsername +Properties.ServerPassword +Properties.ClientCertificate +``` + +PAM-backed property secrets use provider and parameter columns: + +```csv +Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters. +Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters. +Properties.ClientCertificate.Provider,Properties.ClientCertificate.Parameters. +``` + +## References + +- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md) +- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md) +- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md) +- [kfutil stores import csv](../../../kfutil_stores_import_csv.md) +- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md) diff --git a/docs/use-cases/Certificate Store Operations/Store Types/aruba.md b/docs/use-cases/Certificate Store Operations/Store Types/aruba.md new file mode 100644 index 00000000..08d8e36e --- /dev/null +++ b/docs/use-cases/Certificate Store Operations/Store Types/aruba.md 
@@ -0,0 +1,122 @@ + +# Aruba - Aruba + +[Store Type Index](README.md) | [Certificate Store Operations](../README.md) + +Generated from `cmd/store_types.json`. Regenerate with: + +```bash +make store-type-docs +``` + +## Overview + +| Field | Value | +| --- | --- | +| Store type | `Aruba` | +| Name | Aruba | +| Capability | Aruba | +| Server required | Yes | +| Store path type | - | +| Store path value | - | +| Custom alias | Forbidden | +| Private key | Forbidden | +| Store password | Not required | +| Supported operations | Enrollment | + +**ClientMachine:** The base URL / IP address of the Aruba instance without the scheme. (i.e. my-server-name.com if the Aruba URL is https://my-server-name.com) + +**StorePath:** A semicolon-delimited string that in the format `<server-hostname>;<service>` (i.e. clearpass.localhost;HTTP(RSA)). Please see orchestrator documentation for more information. + +## Bulk Create + +Use one CSV per store type. The generated create headers for this store type are: + +```csv +ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.FileServerType,Properties.FileServerHost,Properties.FileServerUsername,Properties.FileServerPassword,Properties.DigestAlgorithm,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time +``` + +Create stores from the CSV: + +```bash +kfutil stores import csv \ + --file aruba_bulk_create.csv \ + --store-type-name Aruba \ + --no-prompt +``` + +To generate a live template from Command instead of using the static header list above: + +```bash +kfutil stores import generate-template \ + --store-type-name Aruba \ + --outpath aruba_bulk_create_template.csv \ + --no-prompt +``` + +## Bulk Update + +Export existing stores, edit the desired columns, then sync the rows back by `Id`: + +```bash +kfutil stores export \ + --store-type-name Aruba \ + --outpath aruba_export.csv \ + --no-prompt + +kfutil stores import csv \ 
+ --file aruba_export.csv \ + --store-type-name Aruba \ + --sync \ + --no-prompt +``` + +Minimum sync rows must include `Id`. Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them. + +Common update headers for this store type are: + +```csv +Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.FileServerType,Properties.FileServerHost,Properties.FileServerUsername,Properties.FileServerPassword,Properties.DigestAlgorithm,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time +``` + +## Store Properties + +| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description | +| --- | --- | --- | --- | --- | --- | --- | --- | +| `Properties.FileServerType` | File Server Type | MultipleChoice | Yes | Amazon S3 | - | No | The type of file server that the certificate will be uploaded to. The file server must be able to serve the file via HTTPS. | +| `Properties.FileServerHost` | File Server Host | String | Yes | - | - | No | Required. The base URL for the file server host without the scheme. (i.e. my-server-name.com if the file server URL is https://my-server-name.com). See File Server Configuration section in the orchestrator documentation for more details. | +| `Properties.FileServerUsername` | File Server Username | Secret | No | - | - | Secret | Optional. The username used to access the file server. See File Server Configuration section in the orchestrator documentation for more details. | +| `Properties.FileServerPassword` | File Server Password | Secret | No | - | - | Secret | Optional. The password used to access the file server. See File Server Configuration section in the orchestrator documentation for more details. 
| +| `Properties.DigestAlgorithm` | Digest Algorithm | MultipleChoice | Yes | SHA-256,SHA-1,SHA-224,SHA-384,SHA-512 | - | No | The hash digest algorithm used for the certificate signing request (CSR). | + +## Certificate Entry Parameters + +These parameters apply to certificate add/enrollment operations for this store type. They are not store create/sync CSV columns unless another workflow explicitly asks for them. + +| Name | Display name | Type | Required when | Default | Depends on | Description | +| --- | --- | --- | --- | --- | --- | --- | +| `SAN` | SAN | String | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":true,"OnRemove":false} | - | - | String value specifying the Subject Alternative Name (SAN) to be used when performing reenrollment jobs. Format as a list of <san_type>:<san_value> entries separated by comma; Example: 'DNS:www.example.com,DNS:www.example2.com' for multiple SANs. Can be made optional if RFC 2818 is disabled on the CA. Allowed SAN types are email, URI, DNS, RID or IP. | + +## Secret And PAM Formatting + +Direct secret values go in the base property column. If the secret value is JSON, keep the entire JSON document in one quoted CSV cell. + +```csv +Properties.FileServerUsername +Properties.FileServerPassword +``` + +PAM-backed property secrets use provider and parameter columns: + +```csv +Properties.FileServerUsername.Provider,Properties.FileServerUsername.Parameters. +Properties.FileServerPassword.Provider,Properties.FileServerPassword.Parameters. +``` + +## References + +- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md) +- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md) +- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md) +- [kfutil stores import csv](../../../kfutil_stores_import_csv.md) +- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md) 
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/aws-acm-v3.md b/docs/use-cases/Certificate Store Operations/Store Types/aws-acm-v3.md
new file mode 100644
index 00000000..873f47c6
--- /dev/null
+++ b/docs/use-cases/Certificate Store Operations/Store Types/aws-acm-v3.md
@@ -0,0 +1,133 @@ + +# AWS-ACM-v3 - AWS Certificate Manager v3 + +[Store Type Index](README.md) | [Certificate Store Operations](../README.md) + +Generated from `cmd/store_types.json`. Regenerate with: + +```bash +make store-type-docs +``` + +## Overview + +| Field | Value | +| --- | --- | +| Store type | `AWS-ACM-v3` | +| Name | AWS Certificate Manager v3 | +| Capability | AWS-ACM-v3 | +| Server required | No | +| Store path type | - | +| Store path value | - | +| Custom alias | Optional | +| Private key | Required | +| Store password | Not required | +| Supported operations | Add, Remove | + +**ClientMachine:** This is a full AWS ARN specifying a Role. This is the Role that will be assumed in any Auth scenario performing Assume Role. This will dictate what certificates are usable by the orchestrator. A preceding [profile] name should be included if a Credential Profile is to be used in Default Sdk Auth. + +**StorePath:** A single specified AWS Region the store will operate in. Additional regions should get their own store defined. + +## Bulk Create + +Use one CSV per store type. 
The generated create headers for this store type are: + +```csv +ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.UseDefaultSdkAuth,Properties.DefaultSdkAssumeRole,Properties.UseOAuth,Properties.OAuthScope,Properties.OAuthGrantType,Properties.OAuthUrl,Properties.OAuthClientId,Properties.OAuthClientSecret,Properties.UseIAM,Properties.IAMUserAccessKey,Properties.IAMUserAccessSecret,Properties.ExternalId,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time +``` + +Create stores from the CSV: + +```bash +kfutil stores import csv \ + --file aws-acm-v3_bulk_create.csv \ + --store-type-name AWS-ACM-v3 \ + --no-prompt +``` + +To generate a live template from Command instead of using the static header list above: + +```bash +kfutil stores import generate-template \ + --store-type-name AWS-ACM-v3 \ + --outpath aws-acm-v3_bulk_create_template.csv \ + --no-prompt +``` + +## Bulk Update + +Export existing stores, edit the desired columns, then sync the rows back by `Id`: + +```bash +kfutil stores export \ + --store-type-name AWS-ACM-v3 \ + --outpath aws-acm-v3_export.csv \ + --no-prompt + +kfutil stores import csv \ + --file aws-acm-v3_export.csv \ + --store-type-name AWS-ACM-v3 \ + --sync \ + --no-prompt +``` + +Minimum sync rows must include `Id`. Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them. 
+ +Common update headers for this store type are: + +```csv +Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.UseDefaultSdkAuth,Properties.DefaultSdkAssumeRole,Properties.UseOAuth,Properties.OAuthScope,Properties.OAuthGrantType,Properties.OAuthUrl,Properties.OAuthClientId,Properties.OAuthClientSecret,Properties.UseIAM,Properties.IAMUserAccessKey,Properties.IAMUserAccessSecret,Properties.ExternalId,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time +``` + +## Store Properties + +| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description | +| --- | --- | --- | --- | --- | --- | --- | --- | +| `Properties.UseDefaultSdkAuth` | Use Default SDK Auth | Bool | Yes | false | - | No | A switch to enable the store to use Default SDK credentials | +| `Properties.DefaultSdkAssumeRole` | Assume new Role using Default SDK Auth | Bool | No | false | UseDefaultSdkAuth | No | A switch to enable the store to assume a new Role when using Default SDK credentials | +| `Properties.UseOAuth` | Use OAuth 2.0 Provider | Bool | Yes | false | - | No | A switch to enable the store to use an OAuth provider workflow to authenticate with AWS | +| `Properties.OAuthScope` | OAuth Scope | String | No | - | UseOAuth | No | This is the OAuth Scope needed for Okta OAuth, defined in Okta | +| `Properties.OAuthGrantType` | OAuth Grant Type | String | No | client_credentials | UseOAuth | No | In OAuth 2.0, the term 'grant type' refers to the way an application gets an access token. In Okta this is `client_credentials` | +| `Properties.OAuthUrl` | OAuth Url | String | No | https://***/oauth2/default/v1/token | UseOAuth | No | An optional parameter sts:ExternalId to pass with Assume Role calls | +| `Properties.OAuthClientId` | OAuth Client ID | Secret | No | - | - | Secret; PAM eligible | The Client ID for OAuth. 
| +| `Properties.OAuthClientSecret` | OAuth Client Secret | Secret | No | - | - | Secret; PAM eligible | The Client Secret for OAuth. | +| `Properties.UseIAM` | Use IAM User Auth | Bool | Yes | false | - | No | A switch to enable the store to use IAM User auth to assume a role when authenticating with AWS | +| `Properties.IAMUserAccessKey` | IAM User Access Key | Secret | No | - | - | Secret; PAM eligible | The AWS Access Key for an IAM User | +| `Properties.IAMUserAccessSecret` | IAM User Access Secret | Secret | No | - | - | Secret; PAM eligible | The AWS Access Secret for an IAM User. | +| `Properties.ExternalId` | sts:ExternalId | String | No | - | - | No | An optional parameter sts:ExternalId to pass with Assume Role calls | + +## Certificate Entry Parameters + +These parameters apply to certificate add/enrollment operations for this store type. They are not store create/sync CSV columns unless another workflow explicitly asks for them. + +| Name | Display name | Type | Required when | Default | Depends on | Description | +| --- | --- | --- | --- | --- | --- | --- | +| `ACM Tags` | ACM Tags | String | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":false,"OnRemove":false} | - | - | The optional ACM tags that should be assigned to the certificate. Multiple name/value pairs may be entered in the format of `Name1=Value1,Name2=Value2,...,NameN=ValueN` | + +## Secret And PAM Formatting + +Direct secret values go in the base property column. If the secret value is JSON, keep the entire JSON document in one quoted CSV cell. + +```csv +Properties.OAuthClientId +Properties.OAuthClientSecret +Properties.IAMUserAccessKey +Properties.IAMUserAccessSecret +``` + +PAM-backed property secrets use provider and parameter columns: + +```csv +Properties.OAuthClientId.Provider,Properties.OAuthClientId.Parameters. +Properties.OAuthClientSecret.Provider,Properties.OAuthClientSecret.Parameters. +Properties.IAMUserAccessKey.Provider,Properties.IAMUserAccessKey.Parameters. 
+Properties.IAMUserAccessSecret.Provider,Properties.IAMUserAccessSecret.Parameters. +``` + +## References + +- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md) +- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md) +- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md) +- [kfutil stores import csv](../../../kfutil_stores_import_csv.md) +- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md) diff --git a/docs/use-cases/Certificate Store Operations/Store Types/aws-acm.md b/docs/use-cases/Certificate Store Operations/Store Types/aws-acm.md new file mode 100644 index 00000000..9d1198c2 --- /dev/null +++ b/docs/use-cases/Certificate Store Operations/Store Types/aws-acm.md 
@@ -0,0 +1,130 @@ + +# AWS-ACM - AWS Certificate Manager + +[Store Type Index](README.md) | [Certificate Store Operations](../README.md) + +Generated from `cmd/store_types.json`. Regenerate with: + +```bash +make store-type-docs +``` + +## Overview + +| Field | Value | +| --- | --- | +| Store type | `AWS-ACM` | +| Name | AWS Certificate Manager | +| Capability | AWS-ACM | +| Server required | Yes | +| Store path type | - | +| Store path value | - | +| Custom alias | Optional | +| Private key | Required | +| Store password | Not required | +| Supported operations | Add, Remove | + +**ClientMachine:** This is the AWS Account ID that will be used for access. This will dictate what certificates are usable by the orchestrator. Note: this does not have any effect on EC2 inferred credentials, which are limited to a specific role/account. + +**StorePath:** The AWS Region, or a comma-separated list of multiple regions, the store will operate in. + +## Bulk Create + +Use one CSV per store type. The generated create headers for this store type are: + +```csv +ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.UseEC2AssumeRole,Properties.UseOAuth,Properties.UseIAM,Properties.EC2AssumeRole,Properties.OAuthScope,Properties.OAuthGrantType,Properties.OAuthUrl,Properties.IAMAssumeRole,Properties.OAuthAssumeRole,Properties.ExternalId,Properties.ServerUsername,Properties.ServerPassword,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time +``` + +Create stores from the CSV: + +```bash +kfutil stores import csv \ + --file aws-acm_bulk_create.csv \ + --store-type-name AWS-ACM \ + --no-prompt +``` + +To generate a live template from Command instead of using the static header list above: + +```bash +kfutil stores import generate-template \ + --store-type-name AWS-ACM \ + --outpath aws-acm_bulk_create_template.csv \ + --no-prompt +``` + +## Bulk Update + +Export existing 
stores, edit the desired columns, then sync the rows back by `Id`: + +```bash +kfutil stores export \ + --store-type-name AWS-ACM \ + --outpath aws-acm_export.csv \ + --no-prompt + +kfutil stores import csv \ + --file aws-acm_export.csv \ + --store-type-name AWS-ACM \ + --sync \ + --no-prompt +``` + +Minimum sync rows must include `Id`. Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them. + +Common update headers for this store type are: + +```csv +Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.UseEC2AssumeRole,Properties.UseOAuth,Properties.UseIAM,Properties.EC2AssumeRole,Properties.OAuthScope,Properties.OAuthGrantType,Properties.OAuthUrl,Properties.IAMAssumeRole,Properties.OAuthAssumeRole,Properties.ExternalId,Properties.ServerUsername,Properties.ServerPassword,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time +``` + +## Store Properties + +| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description | +| --- | --- | --- | --- | --- | --- | --- | --- | +| `Properties.UseEC2AssumeRole` | Assume new Account / Role in EC2 | Bool | Yes | false | - | No | A switch to enable the store to assume a new Account ID and Role when using EC2 credentials | +| `Properties.UseOAuth` | Use OAuth 2.0 Provider | Bool | Yes | false | - | No | A switch to enable the store to use an OAuth provider workflow to authenticate with AWS ACM | +| `Properties.UseIAM` | Use IAM User Auth | Bool | Yes | false | - | No | A switch to enable the store to use IAM User auth to assume a role when authenticating with AWS ACM | +| `Properties.EC2AssumeRole` | AWS Role to Assume (EC2) | String | No | - | UseEC2AssumeRole | No | The AWS Role to assume using the EC2 instance credentials | +| `Properties.OAuthScope` | OAuth Scope | String | No | - | UseOAuth | No | This 
is the OAuth Scope needed for Okta OAuth, defined in Okta | +| `Properties.OAuthGrantType` | OAuth Grant Type | String | No | client_credentials | UseOAuth | No | In OAuth 2.0, the term �grant type� refers to the way an application gets an access token. In Okta this is `client_credentials` | +| `Properties.OAuthUrl` | OAuth Url | String | No | https://***/oauth2/default/v1/token | UseOAuth | No | An optional parameter sts:ExternalId to pass with Assume Role calls | +| `Properties.IAMAssumeRole` | AWS Role to Assume (IAM) | String | No | - | UseIAM | No | The AWS Role to assume as the IAM User. | +| `Properties.OAuthAssumeRole` | AWS Role to Assume (OAuth) | String | No | - | UseOAuth | No | The AWS Role to assume after getting an OAuth token. | +| `Properties.ExternalId` | sts:ExternalId | String | No | - | - | No | An optional parameter sts:ExternalId to pass with Assume Role calls | +| `Properties.ServerUsername` | Server Username | Secret | No | - | - | Secret; PAM eligible | The AWS Access Key for an IAM User or Client ID for OAuth. Depends on Auth method in use. | +| `Properties.ServerPassword` | Server Password | Secret | No | - | - | Secret; PAM eligible | The AWS Access Secret for an IAM User or Client Secret for OAuth. Depends on Auth method in use. | + +## Certificate Entry Parameters + +These parameters apply to certificate add/enrollment operations for this store type. They are not store create/sync CSV columns unless another workflow explicitly asks for them. 
+ +| Name | Display name | Type | Required when | Default | Depends on | Description | +| --- | --- | --- | --- | --- | --- | --- | +| `AWS Region` | AWS Region | String | {"HasPrivateKey":false,"OnAdd":true,"OnReenrollment":false,"OnRemove":false} | - | - | When adding, this is the Region that the Certificate will be added to | +| `ACM Tags` | ACM Tags | String | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":false,"OnRemove":false} | - | - | The optional ACM tags that should be assigned to the certificate. Multiple name/value pairs may be entered in the format of `Name1=Value1,Name2=Value2,...,NameN=ValueN` | + +## Secret And PAM Formatting + +Direct secret values go in the base property column. If the secret value is JSON, keep the entire JSON document in one quoted CSV cell. + +```csv +Properties.ServerUsername +Properties.ServerPassword +``` + +PAM-backed property secrets use provider and parameter columns: + +```csv +Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters. +Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters. +``` + +## References + +- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md) +- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md) +- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md) +- [kfutil stores import csv](../../../kfutil_stores_import_csv.md) +- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md) diff --git a/docs/use-cases/Certificate Store Operations/Store Types/axisipcamera.md b/docs/use-cases/Certificate Store Operations/Store Types/axisipcamera.md new file mode 100644 index 00000000..aacfb658 --- /dev/null +++ b/docs/use-cases/Certificate Store Operations/Store Types/axisipcamera.md 
@@ -0,0 +1,120 @@ + +# AxisIPCamera - Axis IP Camera + +[Store Type Index](README.md) | [Certificate Store Operations](../README.md) + +Generated from `cmd/store_types.json`. Regenerate with: + +```bash +make store-type-docs +``` + +## Overview + +| Field | Value | +| --- | --- | +| Store type | `AxisIPCamera` | +| Name | Axis IP Camera | +| Capability | AxisIPCamera | +| Server required | Yes | +| Store path type | - | +| Store path value | - | +| Custom alias | Required | +| Private key | Forbidden | +| Store password | Not required | +| Supported operations | Add, Enrollment, Remove | + +**ClientMachine:** The IP address of the Camera. Sample is "192.167.231.174:44444". Include the port if necessary. + +**StorePath:** Enter the Serial Number of the camera e.g. `0b7c3d2f9e8a` + +## Bulk Create + +Use one CSV per store type. The generated create headers for this store type are: + +```csv +ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,Properties.ServerUseSsl,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time +``` + +Create stores from the CSV: + +```bash +kfutil stores import csv \ + --file axisipcamera_bulk_create.csv \ + --store-type-name AxisIPCamera \ + --no-prompt +``` + +To generate a live template from Command instead of using the static header list above: + +```bash +kfutil stores import generate-template \ + --store-type-name AxisIPCamera \ + --outpath axisipcamera_bulk_create_template.csv \ + --no-prompt +``` + +## Bulk Update + +Export existing stores, edit the desired columns, then sync the rows back by `Id`: + +```bash +kfutil stores export \ + --store-type-name AxisIPCamera \ + --outpath axisipcamera_export.csv \ + --no-prompt + +kfutil stores import csv \ + --file axisipcamera_export.csv \ + --store-type-name AxisIPCamera \ + --sync \ + --no-prompt +``` + +Minimum sync rows must include 
`Id`. Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them. + +Common update headers for this store type are: + +```csv +Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,Properties.ServerUseSsl,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time +``` + +## Store Properties + +| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description | +| --- | --- | --- | --- | --- | --- | --- | --- | +| `Properties.ServerUsername` | Server Username | Secret | Yes | - | - | Secret | Enter the username of the configured "service" user on the camera | +| `Properties.ServerPassword` | Server Password | Secret | Yes | - | - | Secret | Enter the password of the configured "service" user on the camera | +| `Properties.ServerUseSsl` | Use SSL | Bool | Yes | true | - | No | Select True or False depending on if SSL (HTTPS) should be used to communicate with the camera. This should always be "True" | + +## Certificate Entry Parameters + +These parameters apply to certificate add/enrollment operations for this store type. They are not store create/sync CSV columns unless another workflow explicitly asks for them. + +| Name | Display name | Type | Required when | Default | Depends on | Description | +| --- | --- | --- | --- | --- | --- | --- | +| `CertUsage` | Certificate Usage | MultipleChoice | {"HasPrivateKey":false,"OnAdd":true,"OnReenrollment":true,"OnRemove":false} | - | - | The Certificate Usage to assign to the cert after enrollment. Can be left 'Other' to be assigned later. | + +## Secret And PAM Formatting + +Direct secret values go in the base property column. If the secret value is JSON, keep the entire JSON document in one quoted CSV cell. 
+ +```csv +Properties.ServerUsername +Properties.ServerPassword +``` + +PAM-backed property secrets use provider and parameter columns: + +```csv +Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters. +Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters. +``` + +## References + +- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md) +- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md) +- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md) +- [kfutil stores import csv](../../../kfutil_stores_import_csv.md) +- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md) diff --git a/docs/use-cases/Certificate Store Operations/Store Types/azureapp.md b/docs/use-cases/Certificate Store Operations/Store Types/azureapp.md new file mode 100644 index 00000000..d1196c45 --- /dev/null +++ b/docs/use-cases/Certificate Store Operations/Store Types/azureapp.md 
@@ -0,0 +1,116 @@ + +# AzureApp - Azure App Registration (Application) + +[Store Type Index](README.md) | [Certificate Store Operations](../README.md) + +Generated from `cmd/store_types.json`. Regenerate with: + +```bash +make store-type-docs +``` + +## Overview + +| Field | Value | +| --- | --- | +| Store type | `AzureApp` | +| Name | Azure App Registration (Application) | +| Capability | AzureApp | +| Server required | Yes | +| Store path type | - | +| Store path value | - | +| Custom alias | Required | +| Private key | Forbidden | +| Store password | Not required | +| Supported operations | Add, Discovery, Inventory, Remove | + +**ClientMachine:** The Azure Tenant (directory) ID that owns the Service Principal. + +**StorePath:** The Application ID of the target Application/Service Principal that will be managed by the Azure App Registration and Enterprise Application Orchestrator extension. + +## Bulk Create + +Use one CSV per store type. The generated create headers for this store type are: + +```csv +ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,Properties.ClientCertificate,Properties.AzureCloud,Properties.ServerUseSsl,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time +``` + +Create stores from the CSV: + +```bash +kfutil stores import csv \ + --file azureapp_bulk_create.csv \ + --store-type-name AzureApp \ + --no-prompt +``` + +To generate a live template from Command instead of using the static header list above: + +```bash +kfutil stores import generate-template \ + --store-type-name AzureApp \ + --outpath azureapp_bulk_create_template.csv \ + --no-prompt +``` + +## Bulk Update + +Export existing stores, edit the desired columns, then sync the rows back by `Id`: + +```bash +kfutil stores export \ + --store-type-name AzureApp \ + --outpath azureapp_export.csv \ + --no-prompt + +kfutil stores 
import csv \ + --file azureapp_export.csv \ + --store-type-name AzureApp \ + --sync \ + --no-prompt +``` + +Minimum sync rows must include `Id`. Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them. + +Common update headers for this store type are: + +```csv +Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,Properties.ClientCertificate,Properties.AzureCloud,Properties.ServerUseSsl,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time +``` + +## Store Properties + +| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description | +| --- | --- | --- | --- | --- | --- | --- | --- | +| `Properties.ServerUsername` | Server Username | Secret | Yes | - | - | Secret | The Application ID of the Service Principal used to authenticate with Microsoft Graph for managing Application/Service Principal certificates. | +| `Properties.ServerPassword` | Server Password | Secret | No | - | - | Secret | A Client Secret that the extension will use to authenticate with Microsoft Graph for managing Application/Service Principal certificates, OR the password that encrypts the private key in ClientCertificate. If Client Cert Auth is used _and_ the Client Certificate's private key is not encrypted, you **must** select 'No Value' for this field. | +| `Properties.ClientCertificate` | Client Certificate | Secret | No | - | - | Secret | The client certificate used to authenticate with Microsoft Graph for managing Application/Service Principal certificates. See the [requirements](#client-certificate-or-client-secret) for more information. If Client Certificate Auth is not used, you **must** select 'No Value' for this field. 
| +| `Properties.AzureCloud` | Azure Global Cloud Authority Host | MultipleChoice | No | public,china,germany,government | - | No | Specifies the Azure Cloud instance used by the organization. | +| `Properties.ServerUseSsl` | Use SSL | Bool | Yes | true | - | No | Specifies whether SSL should be used for communication with the server. Set to 'true' to enable SSL, and 'false' to disable it. | + +## Secret And PAM Formatting + +Direct secret values go in the base property column. If the secret value is JSON, keep the entire JSON document in one quoted CSV cell. + +```csv +Properties.ServerUsername +Properties.ServerPassword +Properties.ClientCertificate +``` + +PAM-backed property secrets use provider and parameter columns: + +```csv +Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters. +Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters. +Properties.ClientCertificate.Provider,Properties.ClientCertificate.Parameters. +``` + +## References + +- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md) +- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md) +- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md) +- [kfutil stores import csv](../../../kfutil_stores_import_csv.md) +- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md) diff --git a/docs/use-cases/Certificate Store Operations/Store Types/azureapp2.md b/docs/use-cases/Certificate Store Operations/Store Types/azureapp2.md new file mode 100644 index 00000000..78453322 --- /dev/null +++ b/docs/use-cases/Certificate Store Operations/Store Types/azureapp2.md 
@@ -0,0 +1,118 @@ + +# AzureApp2 - Azure App Registration 2 (Application) + +[Store Type Index](README.md) | [Certificate Store Operations](../README.md) + +Generated from `cmd/store_types.json`. Regenerate with: + +```bash +make store-type-docs +``` + +## Overview + +| Field | Value | +| --- | --- | +| Store type | `AzureApp2` | +| Name | Azure App Registration 2 (Application) | +| Capability | AzureApp2 | +| Server required | Yes | +| Store path type | - | +| Store path value | - | +| Custom alias | Required | +| Private key | Forbidden | +| Store password | Not required | +| Supported operations | Add, Discovery, Inventory, Remove | + +**ClientMachine:** The Azure Tenant (directory) ID where the Application is instantiated + +**StorePath:** The Object ID of the target Application/App Registration that will be managed by the Azure App Registration and Enterprise Application Orchestrator extension. + +## Bulk Create + +Use one CSV per store type. The generated create headers for this store type are: + +```csv +ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,Properties.ClientCertificate,Properties.ClientCertificatePassword,Properties.AzureCloud,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time +``` + +Create stores from the CSV: + +```bash +kfutil stores import csv \ + --file azureapp2_bulk_create.csv \ + --store-type-name AzureApp2 \ + --no-prompt +``` + +To generate a live template from Command instead of using the static header list above: + +```bash +kfutil stores import generate-template \ + --store-type-name AzureApp2 \ + --outpath azureapp2_bulk_create_template.csv \ + --no-prompt +``` + +## Bulk Update + +Export existing stores, edit the desired columns, then sync the rows back by `Id`: + +```bash +kfutil stores export \ + --store-type-name AzureApp2 \ + --outpath azureapp2_export.csv \ + 
--no-prompt + +kfutil stores import csv \ + --file azureapp2_export.csv \ + --store-type-name AzureApp2 \ + --sync \ + --no-prompt +``` + +Minimum sync rows must include `Id`. Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them. + +Common update headers for this store type are: + +```csv +Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,Properties.ClientCertificate,Properties.ClientCertificatePassword,Properties.AzureCloud,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time +``` + +## Store Properties + +| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description | +| --- | --- | --- | --- | --- | --- | --- | --- | +| `Properties.ServerUsername` | Server Username | Secret | Yes | - | - | Secret | The Application ID of the Service Principal used to authenticate with Microsoft Graph for managing Application/App Registration certificates. | +| `Properties.ServerPassword` | Server Password | Secret | No | - | ServerUsername | Secret | A Client Secret that the extension will use to authenticate with Microsoft Graph for managing Application/App Registration certificates. If Client Certificate Auth is used, you **must** select 'No Value'. | +| `Properties.ClientCertificate` | Client Certificate | Secret | No | - | ServerUsername | Secret | The client certificate used to authenticate with Microsoft Graph for managing Application/App Registrations certificates. See the [requirements](#client-certificate-or-client-secret) for more information. If Client Certificate Auth is not used, you **must** check 'No Value'. 
| +| `Properties.ClientCertificatePassword` | Client Certificate Password | Secret | No | - | ClientCertificate | Secret | The (optional) password that encrypts the private key in ClientCertificate. If Client Certificate Auth is not used, you **must** check 'No Value'. | +| `Properties.AzureCloud` | Azure Global Cloud Authority Host | MultipleChoice | No | public,china,germany,government | - | No | Specifies the Azure Cloud instance used by the organization. | + +## Secret And PAM Formatting + +Direct secret values go in the base property column. If the secret value is JSON, keep the entire JSON document in one quoted CSV cell. + +```csv +Properties.ServerUsername +Properties.ServerPassword +Properties.ClientCertificate +Properties.ClientCertificatePassword +``` + +PAM-backed property secrets use provider and parameter columns: + +```csv +Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters. +Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters. +Properties.ClientCertificate.Provider,Properties.ClientCertificate.Parameters. +Properties.ClientCertificatePassword.Provider,Properties.ClientCertificatePassword.Parameters. +``` + +## References + +- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md) +- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md) +- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md) +- [kfutil stores import csv](../../../kfutil_stores_import_csv.md) +- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md) diff --git a/docs/use-cases/Certificate Store Operations/Store Types/azureappgw.md b/docs/use-cases/Certificate Store Operations/Store Types/azureappgw.md new file mode 100644 index 00000000..4570d5e7 --- /dev/null +++ b/docs/use-cases/Certificate Store Operations/Store Types/azureappgw.md 
@@ -0,0 +1,116 @@ + +# AzureAppGw - Azure Application Gateway Certificate + +[Store Type Index](README.md) | [Certificate Store Operations](../README.md) + +Generated from `cmd/store_types.json`. Regenerate with: + +```bash +make store-type-docs +``` + +## Overview + +| Field | Value | +| --- | --- | +| Store type | `AzureAppGw` | +| Name | Azure Application Gateway Certificate | +| Capability | AzureAppGw | +| Server required | Yes | +| Store path type | - | +| Store path value | - | +| Custom alias | Required | +| Private key | Required | +| Store password | Not required | +| Supported operations | Add, Discovery, Inventory, Remove | + +**ClientMachine:** The Azure Tenant (directory) ID that owns the Service Principal. + +**StorePath:** Azure resource ID of the application gateway, following the format: /subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.Network/applicationGateways/<application-gateway-name>. + +## Bulk Create + +Use one CSV per store type. 
The generated create headers for this store type are: + +```csv +ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,Properties.ClientCertificate,Properties.AzureCloud,Properties.ServerUseSsl,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time +``` + +Create stores from the CSV: + +```bash +kfutil stores import csv \ + --file azureappgw_bulk_create.csv \ + --store-type-name AzureAppGw \ + --no-prompt +``` + +To generate a live template from Command instead of using the static header list above: + +```bash +kfutil stores import generate-template \ + --store-type-name AzureAppGw \ + --outpath azureappgw_bulk_create_template.csv \ + --no-prompt +``` + +## Bulk Update + +Export existing stores, edit the desired columns, then sync the rows back by `Id`: + +```bash +kfutil stores export \ + --store-type-name AzureAppGw \ + --outpath azureappgw_export.csv \ + --no-prompt + +kfutil stores import csv \ + --file azureappgw_export.csv \ + --store-type-name AzureAppGw \ + --sync \ + --no-prompt +``` + +Minimum sync rows must include `Id`. Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them. 
+ +Common update headers for this store type are: + +```csv +Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,Properties.ClientCertificate,Properties.AzureCloud,Properties.ServerUseSsl,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time +``` + +## Store Properties + +| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description | +| --- | --- | --- | --- | --- | --- | --- | --- | +| `Properties.ServerUsername` | Server Username | Secret | No | - | - | Secret | Application ID of the service principal, representing the identity used for managing the Application Gateway. | +| `Properties.ServerPassword` | Server Password | Secret | No | - | - | Secret | A Client Secret that the extension will use to authenticate with the Azure Resource Management API for managing Application Gateway certificates, OR the password that encrypts the private key in ClientCertificate | +| `Properties.ClientCertificate` | Client Certificate | Secret | No | - | - | Secret | The client certificate used to authenticate with Azure Resource Management API for managing Application Gateway certificates. See the [requirements](#client-certificate-or-client-secret) for more information. | +| `Properties.AzureCloud` | Azure Global Cloud Authority Host | MultipleChoice | No | public,china,germany,government | - | No | Specifies the Azure Cloud instance used by the organization. | +| `Properties.ServerUseSsl` | Use SSL | Bool | Yes | true | - | No | Specifies whether SSL should be used for communication with the server. Set to 'true' to enable SSL, and 'false' to disable it. | + +## Secret And PAM Formatting + +Direct secret values go in the base property column. If the secret value is JSON, keep the entire JSON document in one quoted CSV cell. 
+ +```csv +Properties.ServerUsername +Properties.ServerPassword +Properties.ClientCertificate +``` + +PAM-backed property secrets use provider and parameter columns: + +```csv +Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters. +Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters. +Properties.ClientCertificate.Provider,Properties.ClientCertificate.Parameters. +``` + +## References + +- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md) +- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md) +- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md) +- [kfutil stores import csv](../../../kfutil_stores_import_csv.md) +- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md) diff --git a/docs/use-cases/Certificate Store Operations/Store Types/azuresp.md b/docs/use-cases/Certificate Store Operations/Store Types/azuresp.md new file mode 100644 index 00000000..36f81f2a --- /dev/null +++ b/docs/use-cases/Certificate Store Operations/Store Types/azuresp.md 
@@ -0,0 +1,116 @@ + +# AzureSP - Azure Enterprise Application (Service Principal) + +[Store Type Index](README.md) | [Certificate Store Operations](../README.md) + +Generated from `cmd/store_types.json`. Regenerate with: + +```bash +make store-type-docs +``` + +## Overview + +| Field | Value | +| --- | --- | +| Store type | `AzureSP` | +| Name | Azure Enterprise Application (Service Principal) | +| Capability | AzureSP | +| Server required | Yes | +| Store path type | - | +| Store path value | - | +| Custom alias | Required | +| Private key | Required | +| Store password | Not required | +| Supported operations | Add, Discovery, Inventory, Remove | + +**ClientMachine:** The Azure Tenant (directory) ID that owns the Service Principal. + +**StorePath:** The Application ID of the target Application/Service Principal that will be managed by the Azure App Registration and Enterprise Application Orchestrator extension. + +## Bulk Create + +Use one CSV per store type. The generated create headers for this store type are: + +```csv +ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,Properties.ClientCertificate,Properties.AzureCloud,Properties.ServerUseSsl,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time +``` + +Create stores from the CSV: + +```bash +kfutil stores import csv \ + --file azuresp_bulk_create.csv \ + --store-type-name AzureSP \ + --no-prompt +``` + +To generate a live template from Command instead of using the static header list above: + +```bash +kfutil stores import generate-template \ + --store-type-name AzureSP \ + --outpath azuresp_bulk_create_template.csv \ + --no-prompt +``` + +## Bulk Update + +Export existing stores, edit the desired columns, then sync the rows back by `Id`: + +```bash +kfutil stores export \ + --store-type-name AzureSP \ + --outpath azuresp_export.csv \ + --no-prompt + 
+kfutil stores import csv \ + --file azuresp_export.csv \ + --store-type-name AzureSP \ + --sync \ + --no-prompt +``` + +Minimum sync rows must include `Id`. Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them. + +Common update headers for this store type are: + +```csv +Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,Properties.ClientCertificate,Properties.AzureCloud,Properties.ServerUseSsl,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time +``` + +## Store Properties + +| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description | +| --- | --- | --- | --- | --- | --- | --- | --- | +| `Properties.ServerUsername` | Server Username | Secret | Yes | - | - | Secret | The Application ID of the Service Principal used to authenticate with Microsoft Graph for managing Application/Service Principal certificates. | +| `Properties.ServerPassword` | Server Password | Secret | No | - | - | Secret | A Client Secret that the extension will use to authenticate with Microsoft Graph for managing Application/Service Principal certificates, OR the password that encrypts the private key in ClientCertificate. If Client Cert Auth is used _and_ the Client Certificate's private key is not encrypted, you **must** select 'No Value' for this field. | +| `Properties.ClientCertificate` | Client Certificate | Secret | No | - | - | Secret | The client certificate used to authenticate with Microsoft Graph for managing Application/Service Principal certificates. See the [requirements](#client-certificate-or-client-secret) for more information. If Client Certificate Auth is not used, you **must** select 'No Value' for this field. 
| +| `Properties.AzureCloud` | Azure Global Cloud Authority Host | MultipleChoice | No | public,china,germany,government | - | No | Specifies the Azure Cloud instance used by the organization. | +| `Properties.ServerUseSsl` | Use SSL | Bool | Yes | true | - | No | Specifies whether SSL should be used for communication with the server. Set to 'true' to enable SSL, and 'false' to disable it. | + +## Secret And PAM Formatting + +Direct secret values go in the base property column. If the secret value is JSON, keep the entire JSON document in one quoted CSV cell. + +```csv +Properties.ServerUsername +Properties.ServerPassword +Properties.ClientCertificate +``` + +PAM-backed property secrets use provider and parameter columns: + +```csv +Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters. +Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters. +Properties.ClientCertificate.Provider,Properties.ClientCertificate.Parameters. +``` + +## References + +- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md) +- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md) +- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md) +- [kfutil stores import csv](../../../kfutil_stores_import_csv.md) +- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md) diff --git a/docs/use-cases/Certificate Store Operations/Store Types/azuresp2.md b/docs/use-cases/Certificate Store Operations/Store Types/azuresp2.md new file mode 100644 index 00000000..430ea39e --- /dev/null +++ b/docs/use-cases/Certificate Store Operations/Store Types/azuresp2.md 
@@ -0,0 +1,118 @@ + +# AzureSP2 - Azure Enterprise Application 2 (Service Principal) + +[Store Type Index](README.md) | [Certificate Store Operations](../README.md) + +Generated from `cmd/store_types.json`. Regenerate with: + +```bash +make store-type-docs +``` + +## Overview + +| Field | Value | +| --- | --- | +| Store type | `AzureSP2` | +| Name | Azure Enterprise Application 2 (Service Principal) | +| Capability | AzureSP2 | +| Server required | Yes | +| Store path type | - | +| Store path value | - | +| Custom alias | Required | +| Private key | Required | +| Store password | Not required | +| Supported operations | Add, Discovery, Inventory, Remove | + +**ClientMachine:** The Azure Tenant (directory) ID where the Service Principal is instantiated + +**StorePath:** The Object ID of the target Service Principal/Enterprise Application that will be managed by the Azure App Registration and Enterprise Application Orchestrator extension. + +## Bulk Create + +Use one CSV per store type. The generated create headers for this store type are: + +```csv +ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,Properties.ClientCertificate,Properties.ClientCertificatePassword,Properties.AzureCloud,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time +``` + +Create stores from the CSV: + +```bash +kfutil stores import csv \ + --file azuresp2_bulk_create.csv \ + --store-type-name AzureSP2 \ + --no-prompt +``` + +To generate a live template from Command instead of using the static header list above: + +```bash +kfutil stores import generate-template \ + --store-type-name AzureSP2 \ + --outpath azuresp2_bulk_create_template.csv \ + --no-prompt +``` + +## Bulk Update + +Export existing stores, edit the desired columns, then sync the rows back by `Id`: + +```bash +kfutil stores export \ + --store-type-name AzureSP2 \ + 
--outpath azuresp2_export.csv \ + --no-prompt + +kfutil stores import csv \ + --file azuresp2_export.csv \ + --store-type-name AzureSP2 \ + --sync \ + --no-prompt +``` + +Minimum sync rows must include `Id`. Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them. + +Common update headers for this store type are: + +```csv +Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,Properties.ClientCertificate,Properties.ClientCertificatePassword,Properties.AzureCloud,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time +``` + +## Store Properties + +| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description | +| --- | --- | --- | --- | --- | --- | --- | --- | +| `Properties.ServerUsername` | Server Username | Secret | Yes | - | - | Secret | The Application ID of the Service Principal used to authenticate with Microsoft Graph for managing Service Principal/Enterprise Application certificates. | +| `Properties.ServerPassword` | Server Password | Secret | No | - | ServerUsername | Secret | A Client Secret that the extension will use to authenticate with Microsoft Graph for managing Service Principal/Enterprise Application certificates. If Client Certificate Auth is used, you **must** check 'No Value'. | +| `Properties.ClientCertificate` | Client Certificate | Secret | No | - | ServerUsername | Secret | The client certificate used to authenticate with Microsoft Graph for managing Service Principal/Enterprise Application certificates. See the [requirements](#client-certificate-or-client-secret) for more information. If Client Certificate Auth is not used, you **must** check 'No Value'. 
| +| `Properties.ClientCertificatePassword` | Client Certificate Password | Secret | No | - | ClientCertificate | Secret | The (optional) password that encrypts the private key in ClientCertificate. If Client Certificate Auth is not used or the certificate's private key is not encrypted, you **must** check 'No Value'. | +| `Properties.AzureCloud` | Azure Global Cloud Authority Host | MultipleChoice | No | public,china,germany,government | - | No | Specifies the Azure Cloud instance used by the organization. | + +## Secret And PAM Formatting + +Direct secret values go in the base property column. If the secret value is JSON, keep the entire JSON document in one quoted CSV cell. + +```csv +Properties.ServerUsername +Properties.ServerPassword +Properties.ClientCertificate +Properties.ClientCertificatePassword +``` + +PAM-backed property secrets use provider and parameter columns: + +```csv +Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters. +Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters. +Properties.ClientCertificate.Provider,Properties.ClientCertificate.Parameters. +Properties.ClientCertificatePassword.Provider,Properties.ClientCertificatePassword.Parameters. +``` + +## References + +- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md) +- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md) +- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md) +- [kfutil stores import csv](../../../kfutil_stores_import_csv.md) +- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md) diff --git a/docs/use-cases/Certificate Store Operations/Store Types/barracudawaf.md b/docs/use-cases/Certificate Store Operations/Store Types/barracudawaf.md new file mode 100644 index 00000000..a117b8ca --- /dev/null +++ b/docs/use-cases/Certificate Store Operations/Store Types/barracudawaf.md 
@@ -0,0 +1,97 @@ + +# BarracudaWaf - Barracuda WAF + +[Store Type Index](README.md) | [Certificate Store Operations](../README.md) + +Generated from `cmd/store_types.json`. Regenerate with: + +```bash +make store-type-docs +``` + +## Overview + +| Field | Value | +| --- | --- | +| Store type | `BarracudaWaf` | +| Name | Barracuda WAF | +| Capability | BarracudaWaf | +| Server required | Yes | +| Store path type | - | +| Store path value | / | +| Custom alias | Required | +| Private key | Optional | +| Store password | Not required | +| Supported operations | Add, Remove | + +**ClientMachine:** The hostname or IP address of the Barracuda WAF appliance. This is used to connect to the REST API on port 8443 (HTTPS) or 8000 (HTTP). + +**StorePath:** Not used for this integration. Set to '/' or leave at the default value. + +## Bulk Create + +Use one CSV per store type. The generated create headers for this store type are: + +```csv +ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUseSsl,Properties.ApiVersion,Properties.InventorySelfSignedCerts,Properties.InventoryTrustedCerts,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time +``` + +Create stores from the CSV: + +```bash +kfutil stores import csv \ + --file barracudawaf_bulk_create.csv \ + --store-type-name BarracudaWaf \ + --no-prompt +``` + +To generate a live template from Command instead of using the static header list above: + +```bash +kfutil stores import generate-template \ + --store-type-name BarracudaWaf \ + --outpath barracudawaf_bulk_create_template.csv \ + --no-prompt +``` + +## Bulk Update + +Export existing stores, edit the desired columns, then sync the rows back by `Id`: + +```bash +kfutil stores export \ + --store-type-name BarracudaWaf \ + --outpath barracudawaf_export.csv \ + --no-prompt + +kfutil stores import csv \ + --file barracudawaf_export.csv \ + --store-type-name 
BarracudaWaf \ + --sync \ + --no-prompt +``` + +Minimum sync rows must include `Id`. Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them. + +Common update headers for this store type are: + +```csv +Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUseSsl,Properties.ApiVersion,Properties.InventorySelfSignedCerts,Properties.InventoryTrustedCerts,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time +``` + +## Store Properties + +| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description | +| --- | --- | --- | --- | --- | --- | --- | --- | +| `Properties.ServerUseSsl` | Use SSL | Bool | No | true | - | No | Determines whether to connect to the Barracuda WAF management interface over HTTPS (port 8443) or HTTP (port 8000). Default is true (HTTPS). | +| `Properties.ApiVersion` | API Version | String | No | v3.2 | - | No | The Barracuda WAF REST API version to use for all requests. Defaults to 'v3.2'. Only change this if your WAF firmware requires a different API version. | +| `Properties.InventorySelfSignedCerts` | Inventory Self-Signed Certificates | Bool | No | true | - | No | When enabled, the inventory job will include self-signed certificates from the WAF in addition to signed certificates. Default is true. | +| `Properties.InventoryTrustedCerts` | Inventory Trusted Certificates | Bool | No | false | - | No | When enabled, the inventory job will include trusted CA certificates and trusted server certificates from the WAF. Default is false. 
| + +## References + +- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md) +- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md) +- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md) +- [kfutil stores import csv](../../../kfutil_stores_import_csv.md) +- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md) diff --git a/docs/use-cases/Certificate Store Operations/Store Types/bmc.md b/docs/use-cases/Certificate Store Operations/Store Types/bmc.md new file mode 100644 index 00000000..af6b9bc5 --- /dev/null +++ b/docs/use-cases/Certificate Store Operations/Store Types/bmc.md 
@@ -0,0 +1,126 @@ + +# BMC - BMC Orchestrator Solution + +[Store Type Index](README.md) | [Certificate Store Operations](../README.md) + +Generated from `cmd/store_types.json`. Regenerate with: + +```bash +make store-type-docs +``` + +## Overview + +| Field | Value | +| --- | --- | +| Store type | `BMC` | +| Name | BMC Orchestrator Solution | +| Capability | BMC | +| Server required | Yes | +| Store path type | - | +| Store path value | - | +| Custom alias | Forbidden | +| Private key | Optional | +| Store password | Required | +| Supported operations | Add, Create, Discovery, Enrollment, Remove | + +**ClientMachine:** Runs on a Windows or Linux based machine. + +**StorePath:** Path points to a BMC Keyring. + +## Bulk Create + +Use one CSV per store type. The generated create headers for this store type are: + +```csv +ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,Properties.ServerUseSsl,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time,Password +``` + +Create stores from the CSV: + +```bash +kfutil stores import csv \ + --file bmc_bulk_create.csv \ + --store-type-name BMC \ + --no-prompt +``` + +To generate a live template from Command instead of using the static header list above: + +```bash +kfutil stores import generate-template \ + --store-type-name BMC \ + --outpath bmc_bulk_create_template.csv \ + --no-prompt +``` + +## Bulk Update + +Export existing stores, edit the desired columns, then sync the rows back by `Id`: + +```bash +kfutil stores export \ + --store-type-name BMC \ + --outpath bmc_export.csv \ + --no-prompt + +kfutil stores import csv \ + --file bmc_export.csv \ + --store-type-name BMC \ + --sync \ + --no-prompt +``` + +Minimum sync rows must include `Id`. 
Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them. + +Common update headers for this store type are: + +```csv +Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,Properties.ServerUseSsl,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time,Password +``` + +## Store Properties + +| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description | +| --- | --- | --- | --- | --- | --- | --- | --- | +| `Properties.ServerUsername` | Server Username | Secret | No | - | - | Secret | - | +| `Properties.ServerPassword` | Server Password | Secret | No | - | - | Secret | - | +| `Properties.ServerUseSsl` | Use SSL | Bool | Yes | true | - | No | - | + +## Certificate Entry Parameters + +These parameters apply to certificate add/enrollment operations for this store type. They are not store create/sync CSV columns unless another workflow explicitly asks for them. + +| Name | Display name | Type | Required when | Default | Depends on | Description | +| --- | --- | --- | --- | --- | --- | --- | +| `CertLabel` | CertLabel | String | {"HasPrivateKey":false,"OnAdd":true,"OnReenrollment":true,"OnRemove":true} | - | - | Cert label as it appears in the BMC API (without the suffix). | +| `CertOwner` | CertOwner | String | {"HasPrivateKey":false,"OnAdd":true,"OnReenrollment":true,"OnRemove":true} | - | - | Cert owner as it appears in the BMC API. | +| `CertUse` | CertUse | String | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":false,"OnRemove":false} | - | - | Cert use as returned by the BMC API. | +| `ImplementCert` | ImplementCert | Bool | {"HasPrivateKey":false,"OnAdd":true,"OnReenrollment":true,"OnRemove":false} | - | - | Is used to pass an implement cert command to BMC. 
| +| `IsCertDefault` | IsCertDefault | Bool | {"HasPrivateKey":false,"OnAdd":true,"OnReenrollment":true,"OnRemove":false} | - | - | Indicates whether a given cert is set as default in a keyring. | +| `RemoveFromAllKeyrings` | RemoveFromAllKeyrings | Bool | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":false,"OnRemove":true} | false | - | A bool to indicate whether a given cert is to be removed from all keyrings. | +| `RollbackCert` | RollbackCert | Bool | {"HasPrivateKey":false,"OnAdd":true,"OnReenrollment":false,"OnRemove":false} | false | - | A bool to indicate whether a given cert is to be rolled back. | + +## Secret And PAM Formatting + +Direct secret values go in the base property column. If the secret value is JSON, keep the entire JSON document in one quoted CSV cell. + +```csv +Properties.ServerUsername +Properties.ServerPassword +``` + +PAM-backed property secrets use provider and parameter columns: + +```csv +Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters. +Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters. +``` + +## References + +- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md) +- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md) +- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md) +- [kfutil stores import csv](../../../kfutil_stores_import_csv.md) +- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md) diff --git a/docs/use-cases/Certificate Store Operations/Store Types/boschipcamera.md b/docs/use-cases/Certificate Store Operations/Store Types/boschipcamera.md new file mode 100644 index 00000000..d242c31b --- /dev/null +++ b/docs/use-cases/Certificate Store Operations/Store Types/boschipcamera.md 
@@ -0,0 +1,122 @@ + +# BoschIPCamera - Bosch IP Camera + +[Store Type Index](README.md) | [Certificate Store Operations](../README.md) + +Generated from `cmd/store_types.json`. Regenerate with: + +```bash +make store-type-docs +``` + +## Overview + +| Field | Value | +| --- | --- | +| Store type | `BoschIPCamera` | +| Name | Bosch IP Camera | +| Capability | BoschIPCamera | +| Server required | Yes | +| Store path type | - | +| Store path value | - | +| Custom alias | Required | +| Private key | Optional | +| Store password | Not required | +| Supported operations | Enrollment | + +**ClientMachine:** The IP address of the Camera. Sample is "192.167.231.174:44444". Include the port if necessary. + +**StorePath:** Enter the Serial Number of the camera e.g. `068745431065110085` + +## Bulk Create + +Use one CSV per store type. The generated create headers for this store type are: + +```csv +ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,Properties.ServerUseSsl,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time +``` + +Create stores from the CSV: + +```bash +kfutil stores import csv \ + --file boschipcamera_bulk_create.csv \ + --store-type-name BoschIPCamera \ + --no-prompt +``` + +To generate a live template from Command instead of using the static header list above: + +```bash +kfutil stores import generate-template \ + --store-type-name BoschIPCamera \ + --outpath boschipcamera_bulk_create_template.csv \ + --no-prompt +``` + +## Bulk Update + +Export existing stores, edit the desired columns, then sync the rows back by `Id`: + +```bash +kfutil stores export \ + --store-type-name BoschIPCamera \ + --outpath boschipcamera_export.csv \ + --no-prompt + +kfutil stores import csv \ + --file boschipcamera_export.csv \ + --store-type-name BoschIPCamera \ + --sync \ + --no-prompt +``` + +Minimum sync rows must 
include `Id`. Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them. + +Common update headers for this store type are: + +```csv +Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,Properties.ServerUseSsl,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time +``` + +## Store Properties + +| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description | +| --- | --- | --- | --- | --- | --- | --- | --- | +| `Properties.ServerUsername` | Server Username | Secret | No | - | - | Secret | Enter the username of the configured "service" user on the camera | +| `Properties.ServerPassword` | Server Password | Secret | No | - | - | Secret | Enter the password of the configured "service" user on the camera | +| `Properties.ServerUseSsl` | Use SSL | Bool | Yes | true | - | No | Select True or False depending on if SSL (HTTPS) should be used to communicate with the camera. | + +## Certificate Entry Parameters + +These parameters apply to certificate add/enrollment operations for this store type. They are not store create/sync CSV columns unless another workflow explicitly asks for them. + +| Name | Display name | Type | Required when | Default | Depends on | Description | +| --- | --- | --- | --- | --- | --- | --- | +| `CertificateUsage` | Certificate Usage | MultipleChoice | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":false,"OnRemove":false} | - | - | The Certificate Usage to assign to the cert after upload. Can be left blank to be assigned later. | +| `Name` | Name (Alias) | String | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":true,"OnRemove":false} | - | - | The certificate Alias, entered again. 
| +| `Overwrite` | Overwrite | Bool | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":false,"OnRemove":false} | false | - | Select `True` if using an existing Alias name to remove and replace an existing certificate. | + +## Secret And PAM Formatting + +Direct secret values go in the base property column. If the secret value is JSON, keep the entire JSON document in one quoted CSV cell. + +```csv +Properties.ServerUsername +Properties.ServerPassword +``` + +PAM-backed property secrets use provider and parameter columns: + +```csv +Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters. +Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters. +``` + +## References + +- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md) +- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md) +- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md) +- [kfutil stores import csv](../../../kfutil_stores_import_csv.md) +- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md) diff --git a/docs/use-cases/Certificate Store Operations/Store Types/ciscoasa.md b/docs/use-cases/Certificate Store Operations/Store Types/ciscoasa.md new file mode 100644 index 00000000..be85ce57 --- /dev/null +++ b/docs/use-cases/Certificate Store Operations/Store Types/ciscoasa.md 
@@ -0,0 +1,121 @@ + +# CiscoAsa - CiscoAsa + +[Store Type Index](README.md) | [Certificate Store Operations](../README.md) + +Generated from `cmd/store_types.json`. Regenerate with: + +```bash +make store-type-docs +``` + +## Overview + +| Field | Value | +| --- | --- | +| Store type | `CiscoAsa` | +| Name | CiscoAsa | +| Capability | CiscoAsa | +| Server required | Yes | +| Store path type | - | +| Store path value | - | +| Custom alias | Required | +| Private key | Required | +| Store password | Not required | +| Supported operations | Add, Remove | + +**ClientMachine:** Hostname or IP of the Cisco Asa Device without the http:// or https:// prefix same sample would be 10.5.0.4. + +**StorePath:** Cisco Asa Certificate Types to manage for Now all that is supported is /Identity. + +## Bulk Create + +Use one CSV per store type. The generated create headers for this store type are: + +```csv +ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.CommitToDisk,Properties.ServerUsername,Properties.ServerPassword,Properties.ServerUseSsl,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time +``` + +Create stores from the CSV: + +```bash +kfutil stores import csv \ + --file ciscoasa_bulk_create.csv \ + --store-type-name CiscoAsa \ + --no-prompt +``` + +To generate a live template from Command instead of using the static header list above: + +```bash +kfutil stores import generate-template \ + --store-type-name CiscoAsa \ + --outpath ciscoasa_bulk_create_template.csv \ + --no-prompt +``` + +## Bulk Update + +Export existing stores, edit the desired columns, then sync the rows back by `Id`: + +```bash +kfutil stores export \ + --store-type-name CiscoAsa \ + --outpath ciscoasa_export.csv \ + --no-prompt + +kfutil stores import csv \ + --file ciscoasa_export.csv \ + --store-type-name CiscoAsa \ + --sync \ + --no-prompt +``` + +Minimum sync rows must include `Id`. 
Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them. + +Common update headers for this store type are: + +```csv +Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.CommitToDisk,Properties.ServerUsername,Properties.ServerPassword,Properties.ServerUseSsl,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time +``` + +## Store Properties + +| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description | +| --- | --- | --- | --- | --- | --- | --- | --- | +| `Properties.CommitToDisk` | Commit To Disk | Bool | Yes | false | - | No | This controls if you will write to the disk or memory on the device when adding or removing certificates. | +| `Properties.ServerUsername` | Server Username | Secret | No | - | - | Secret; PAM eligible | The username to log into the target server (This field is automatically created). Check the No Value Checkbox when using GMSA Accounts. | +| `Properties.ServerPassword` | Server Password | Secret | No | - | - | Secret; PAM eligible | The password that matches the username to log into the target server (This field is automatically created). Check the No Value Checkbox when using GMSA Accounts. | +| `Properties.ServerUseSsl` | Use SSL | Bool | Yes | true | - | No | Determines whether the server uses SSL or not (This field is automatically created). | + +## Certificate Entry Parameters + +These parameters apply to certificate add/enrollment operations for this store type. They are not store create/sync CSV columns unless another workflow explicitly asks for them. 
+ +| Name | Display name | Type | Required when | Default | Depends on | Description | +| --- | --- | --- | --- | --- | --- | --- | +| `interfaces` | Interfaces Comma Separated | String | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":false,"OnRemove":false} | - | - | Comma separated list of Interfaces to bind to. One can be the primary certificate and the other can be the load balancing certificate. For inside here is a sample of binding to both primary and load balancing inside,inside vpnlb-ip. | + +## Secret And PAM Formatting + +Direct secret values go in the base property column. If the secret value is JSON, keep the entire JSON document in one quoted CSV cell. + +```csv +Properties.ServerUsername +Properties.ServerPassword +``` + +PAM-backed property secrets use provider and parameter columns: + +```csv +Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters. +Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters. +``` + +## References + +- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md) +- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md) +- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md) +- [kfutil stores import csv](../../../kfutil_stores_import_csv.md) +- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md) diff --git a/docs/use-cases/Certificate Store Operations/Store Types/citrixadc.md b/docs/use-cases/Certificate Store Operations/Store Types/citrixadc.md new file mode 100644 index 00000000..ce32b6a2 --- /dev/null +++ b/docs/use-cases/Certificate Store Operations/Store Types/citrixadc.md 
@@ -0,0 +1,124 @@ + +# CitrixAdc - CitrixAdc + +[Store Type Index](README.md) | [Certificate Store Operations](../README.md) + +Generated from `cmd/store_types.json`. Regenerate with: + +```bash +make store-type-docs +``` + +## Overview + +| Field | Value | +| --- | --- | +| Store type | `CitrixAdc` | +| Name | CitrixAdc | +| Capability | CitrixAdc | +| Server required | Yes | +| Store path type | - | +| Store path value | - | +| Custom alias | Required | +| Private key | Required | +| Store password | Required; PAM eligible | +| Supported operations | Add, Remove | + +**ClientMachine:** The DNS or IP Address of the Citrix ADC Appliance. + +**StorePath:** The path where certificate files are located on the Citrix ADC appliance. This value will likely be /nsconfig/ssl/ + +## Bulk Create + +Use one CSV per store type. The generated create headers for this store type are: + +```csv +ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,Properties.linkToIssuer,Properties.timeout,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time,Password +``` + +Create stores from the CSV: + +```bash +kfutil stores import csv \ + --file citrixadc_bulk_create.csv \ + --store-type-name CitrixAdc \ + --no-prompt +``` + +To generate a live template from Command instead of using the static header list above: + +```bash +kfutil stores import generate-template \ + --store-type-name CitrixAdc \ + --outpath citrixadc_bulk_create_template.csv \ + --no-prompt +``` + +## Bulk Update + +Export existing stores, edit the desired columns, then sync the rows back by `Id`: + +```bash +kfutil stores export \ + --store-type-name CitrixAdc \ + --outpath citrixadc_export.csv \ + --no-prompt + +kfutil stores import csv \ + --file citrixadc_export.csv \ + --store-type-name CitrixAdc \ + --sync \ + --no-prompt +``` + +Minimum sync rows must include `Id`. 
Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them. + +Common update headers for this store type are: + +```csv +Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,Properties.linkToIssuer,Properties.timeout,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time,Password +``` + +## Store Properties + +| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description | +| --- | --- | --- | --- | --- | --- | --- | --- | +| `Properties.ServerUsername` | Server Username | Secret | No | - | - | Secret; PAM eligible | The Citrix username (or valid PAM key if the username is stored in a KF Command configured PAM integration) to be used to log into the Citrix device. | +| `Properties.ServerPassword` | Server Password | Secret | No | - | - | Secret; PAM eligible | The Citrix password (or valid PAM key if the password is stored in a KF Command configured PAM integration) to be used to log into the Citrix device. | +| `Properties.linkToIssuer` | Link To Issuer | Bool | No | false | - | No | Determines whether an attempt will be made to link the added certificate (via a Management-Add job) to its issuing CA certificate. | +| `Properties.timeout` | Login Timeout in seconds | String | No | 3600 | - | No | Determines timeout in seconds for all Citrix ADC API calls. | + +## Certificate Entry Parameters + +These parameters apply to certificate add/enrollment operations for this store type. They are not store create/sync CSV columns unless another workflow explicitly asks for them. 
+ +| Name | Display name | Type | Required when | Default | Depends on | Description | +| --- | --- | --- | --- | --- | --- | --- | +| `virtualServerName` | Virtual Server Name | String | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":false,"OnRemove":false} | - | - | When adding a certificate, this can be a single VServer name or a comma separated list of VServers to bind to Note: must match the number of Virtual SNI Cert values. | +| `sniCert` | SNI Cert | String | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":false,"OnRemove":false} | - | - | When adding a certificate, this can be a single boolean value (true/false) or a comma separated list of boolean values to determine whether the binding should use server name indication. Note: must match the number of Virtual Server Name values. | + +## Secret And PAM Formatting + +Direct secret values go in the base property column. If the secret value is JSON, keep the entire JSON document in one quoted CSV cell. + +```csv +Properties.ServerUsername +Properties.ServerPassword +``` + +PAM-backed property secrets use provider and parameter columns: + +```csv +Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters. +Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters. +``` + +The store password uses the `Password` column. For a PAM-backed store password, use `Password.Provider` and `Password.Parameters.` columns. + +## References + +- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md) +- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md) +- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md) +- [kfutil stores import csv](../../../kfutil_stores_import_csv.md) +- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md) 
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/datapower.md b/docs/use-cases/Certificate Store Operations/Store Types/datapower.md new file mode 100644 index 00000000..8c95bb67 --- /dev/null +++ b/docs/use-cases/Certificate Store Operations/Store Types/datapower.md 
@@ -0,0 +1,116 @@ + +# DataPower - IBM Data Power + +[Store Type Index](README.md) | [Certificate Store Operations](../README.md) + +Generated from `cmd/store_types.json`. Regenerate with: + +```bash +make store-type-docs +``` + +## Overview + +| Field | Value | +| --- | --- | +| Store type | `DataPower` | +| Name | IBM Data Power | +| Capability | DataPower | +| Server required | Yes | +| Store path type | - | +| Store path value | - | +| Custom alias | Required | +| Private key | Optional | +| Store password | Not required | +| Supported operations | Add | + +**ClientMachine:** The Client Machine field should contain the IP or Domain name and Port Needed for REST API Access. For SSH Access, Port 22 will be used. + +**StorePath:** The Store Path field should always be / unless we later determine there are alternate locations needed. + +## Bulk Create + +Use one CSV per store type. The generated create headers for this store type are: + +```csv +ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,Properties.ServerUseSsl,Properties.InventoryBlackList,Properties.Protocol,Properties.PublicCertStoreName,Properties.InventoryPageSize,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time +``` + +Create stores from the CSV: + +```bash +kfutil stores import csv \ + --file datapower_bulk_create.csv \ + --store-type-name DataPower \ + --no-prompt +``` + +To generate a live template from Command instead of using the static header list above: + +```bash +kfutil stores import generate-template \ + --store-type-name DataPower \ + --outpath datapower_bulk_create_template.csv \ + --no-prompt +``` + +## Bulk Update + +Export existing stores, edit the desired columns, then sync the rows back by `Id`: + +```bash +kfutil stores export \ + --store-type-name DataPower \ + --outpath datapower_export.csv \ + --no-prompt + +kfutil 
stores import csv \ + --file datapower_export.csv \ + --store-type-name DataPower \ + --sync \ + --no-prompt +``` + +Minimum sync rows must include `Id`. Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them. + +Common update headers for this store type are: + +```csv +Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,Properties.ServerUseSsl,Properties.InventoryBlackList,Properties.Protocol,Properties.PublicCertStoreName,Properties.InventoryPageSize,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time +``` + +## Store Properties + +| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description | +| --- | --- | --- | --- | --- | --- | --- | --- | +| `Properties.ServerUsername` | Server Username | Secret | No | - | - | Secret; PAM eligible | Api UserName for DataPower. (or valid PAM key if the username is stored in a KF Command configured PAM integration). | +| `Properties.ServerPassword` | Server Password | Secret | No | - | - | Secret; PAM eligible | A password for DataPower API access. Used for inventory.(or valid PAM key if the password is stored in a KF Command configured PAM integration). | +| `Properties.ServerUseSsl` | Use SSL | Bool | Yes | true | - | No | Should be true, http is not supported. | +| `Properties.InventoryBlackList` | Inventory Black List | String | No | - | - | No | Comma seperated list of alias values you do not want to inventory from DataPower. | +| `Properties.Protocol` | Protocol Name | String | Yes | https | - | No | Comma seperated list of alias values you do not want to inventory from DataPower. 
| +| `Properties.PublicCertStoreName` | Public Cert Store Name | String | Yes | pubcert | - | No | This probably will remain pubcert unless someone changed the default name in DataPower. | +| `Properties.InventoryPageSize` | Inventory Page Size | String | Yes | 100 | - | No | This determines the page size during the inventory calls. (100 should be fine). | + +## Secret And PAM Formatting + +Direct secret values go in the base property column. If the secret value is JSON, keep the entire JSON document in one quoted CSV cell. + +```csv +Properties.ServerUsername +Properties.ServerPassword +``` + +PAM-backed property secrets use provider and parameter columns: + +```csv +Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters. +Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters. +``` + +## References + +- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md) +- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md) +- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md) +- [kfutil stores import csv](../../../kfutil_stores_import_csv.md) +- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md) diff --git a/docs/use-cases/Certificate Store Operations/Store Types/f5-bigiq.md b/docs/use-cases/Certificate Store Operations/Store Types/f5-bigiq.md new file mode 100644 index 00000000..4dd41efe --- /dev/null +++ b/docs/use-cases/Certificate Store Operations/Store Types/f5-bigiq.md 
@@ -0,0 +1,111 @@
+
+# F5-BigIQ - F5 Big IQ
+
+[Store Type Index](README.md) | [Certificate Store Operations](../README.md)
+
+Generated from `cmd/store_types.json`. Regenerate with:
+
+```bash
+make store-type-docs
+```
+
+## Overview
+
+| Field | Value |
+| --- | --- |
+| Store type | `F5-BigIQ` |
+| Name | F5 Big IQ |
+| Capability | F5-BigIQ |
+| Server required | Yes |
+| Store path type | - |
+| Store path value | - |
+| Custom alias | Required |
+| Private key | Required |
+| Store password | Not required |
+| Supported operations | Add, Enrollment, Remove |
+
+## Bulk Create
+
+Use one CSV per store type. The generated create headers for this store type are:
+
+```csv
+ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.DeployCertificateOnRenewal,Properties.IgnoreSSLWarning,Properties.UseTokenAuth,Properties.LoginProviderName,Properties.ServerUsername,Properties.ServerPassword,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+Create stores from the CSV:
+
+```bash
+kfutil stores import csv \
+ --file f5-bigiq_bulk_create.csv \
+ --store-type-name F5-BigIQ \
+ --no-prompt
+```
+
+To generate a live template from Command instead of using the static header list above:
+
+```bash
+kfutil stores import generate-template \
+ --store-type-name F5-BigIQ \
+ --outpath f5-bigiq_bulk_create_template.csv \
+ --no-prompt
+```
+
+## Bulk Update
+
+Export existing stores, edit the desired columns, then sync the rows back by `Id`:
+
+```bash
+kfutil stores export \
+ --store-type-name F5-BigIQ \
+ --outpath f5-bigiq_export.csv \
+ --no-prompt
+
+kfutil stores import csv \
+ --file f5-bigiq_export.csv \
+ --store-type-name F5-BigIQ \
+ --sync \
+ --no-prompt
+```
+
+Minimum sync rows must include `Id`. Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them.
+
+Common update headers for this store type are:
+
+```csv
+Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.DeployCertificateOnRenewal,Properties.IgnoreSSLWarning,Properties.UseTokenAuth,Properties.LoginProviderName,Properties.ServerUsername,Properties.ServerPassword,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+## Store Properties
+
+| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| `Properties.DeployCertificateOnRenewal` | Deploy Certificate to Linked Big IP on Renewal | Bool | No | false | - | No | This optional setting determines whether renewed certificates (Management-Add jobs with Overwrite selected) will be deployed to all linked Big IP devices. Linked devices are determined by looking at all of the client-ssl profiles that reference the renewed certificate that have an associated virtual server linked to a Big IP device. An immediate deployment is then scheduled within F5 Big IQ for each linked Big IP device. |
+| `Properties.IgnoreSSLWarning` | Ignore SSL Warning | Bool | No | false | - | No | If you use a self signed certificate for the F5 Big IQ portal, you will need to add this optional Custom Field and set the value to True on the managed certificate store. |
+| `Properties.UseTokenAuth` | Use Token Authentication | Bool | No | false | - | No | If you prefer to use F5 Big IQ's Token Authentication to authenticate F5 Big IQ API calls, you will need to add this optional Custom Field and set the value to True on the managed certificate store. If set to True for the store, the userid/password credentials you set for the certificate store will be used once to receive a token. This token is then used for all subsequent API calls for the duration of the job. If this option does not exist or is set to False, the userid/password credentials you set for the certificate store will be used for all API calls. |
+| `Properties.LoginProviderName` | Authentication Provider Name | String | No | - | UseTokenAuth | No | If Use Token Authentication is selected, you may optionally add a value for the authentication provider F5 Big IQ will use to retrieve the auth token. If you choose not to add this field or leave it blank on the certificate store (with no default value set), the default of "TMOS" will be used. |
+| `Properties.ServerUsername` | Server Username | Secret | No | - | - | Secret; PAM eligible | Login credential for the F5 Big IQ device. MUST be an Admin account. |
+| `Properties.ServerPassword` | Server Password | Secret | No | - | - | Secret; PAM eligible | Login password for the F5 Big IQ device. |
+
+## Secret And PAM Formatting
+
+Direct secret values go in the base property column. If the secret value is JSON, keep the entire JSON document in one quoted CSV cell.
+
+```csv
+Properties.ServerUsername
+Properties.ServerPassword
+```
+
+PAM-backed property secrets use provider and parameter columns:
+
+```csv
+Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters.
+Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.
+```
+
+## References
+
+- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md)
+- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md)
+- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md)
+- [kfutil stores import csv](../../../kfutil_stores_import_csv.md)
+- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md)
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/f5-ca-rest.md b/docs/use-cases/Certificate Store Operations/Store Types/f5-ca-rest.md
new file mode 100644
index 00000000..fd24c0f0
--- /dev/null
+++ b/docs/use-cases/Certificate Store Operations/Store Types/f5-ca-rest.md
@@ -0,0 +1,118 @@
+
+# F5-CA-REST - F5 CA Profiles REST
+
+[Store Type Index](README.md) | [Certificate Store Operations](../README.md)
+
+Generated from `cmd/store_types.json`. Regenerate with:
+
+```bash
+make store-type-docs
+```
+
+## Overview
+
+| Field | Value |
+| --- | --- |
+| Store type | `F5-CA-REST` |
+| Name | F5 CA Profiles REST |
+| Capability | F5-CA-REST |
+| Server required | Yes |
+| Store path type | - |
+| Store path value | - |
+| Custom alias | Required |
+| Private key | Forbidden |
+| Store password | Not required |
+| Supported operations | Add, Discovery, Remove |
+
+**ClientMachine:** The server name or IP Address for the F5 device.
+
+**StorePath:** Enter the name of the partition followed by the name of the bundle separated by a / (i.e. Common/BundleName). This value is case sensitive, so if the partition name is "Common/BundleName", it must be entered as "Common/BundleName" and not "common/bundlename",
+
+## Bulk Create
+
+Use one CSV per store type. The generated create headers for this store type are:
+
+```csv
+ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.PrimaryNode,Properties.PrimaryNodeCheckRetryWaitSecs,Properties.PrimaryNodeCheckRetryMax,Properties.PrimaryNodeOnlineRequired,Properties.IgnoreSSLWarning,Properties.UseTokenAuth,Properties.ServerUsername,Properties.ServerPassword,Properties.ServerUseSsl,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+Create stores from the CSV:
+
+```bash
+kfutil stores import csv \
+ --file f5-ca-rest_bulk_create.csv \
+ --store-type-name F5-CA-REST \
+ --no-prompt
+```
+
+To generate a live template from Command instead of using the static header list above:
+
+```bash
+kfutil stores import generate-template \
+ --store-type-name F5-CA-REST \
+ --outpath f5-ca-rest_bulk_create_template.csv \
+ --no-prompt
+```
+
+## Bulk Update
+
+Export existing stores, edit the desired columns, then sync the rows back by `Id`:
+
+```bash
+kfutil stores export \
+ --store-type-name F5-CA-REST \
+ --outpath f5-ca-rest_export.csv \
+ --no-prompt
+
+kfutil stores import csv \
+ --file f5-ca-rest_export.csv \
+ --store-type-name F5-CA-REST \
+ --sync \
+ --no-prompt
+```
+
+Minimum sync rows must include `Id`. Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them.
+
+Common update headers for this store type are:
+
+```csv
+Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.PrimaryNode,Properties.PrimaryNodeCheckRetryWaitSecs,Properties.PrimaryNodeCheckRetryMax,Properties.PrimaryNodeOnlineRequired,Properties.IgnoreSSLWarning,Properties.UseTokenAuth,Properties.ServerUsername,Properties.ServerPassword,Properties.ServerUseSsl,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+## Store Properties
+
+| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| `Properties.PrimaryNode` | Primary Node | String | Yes | - | PrimaryNodeOnlineRequired | No | Only required (and shown) if Primary Node Online Required is added and selected. Enter the Host Name of the F5 device that acts as the primary node in a highly available F5 implementation. Please note that this value IS case sensitive. |
+| `Properties.PrimaryNodeCheckRetryWaitSecs` | Primary Node Check Retry Wait Seconds | String | Yes | 120 | PrimaryNodeOnlineRequired | No | Enter the number of seconds to wait between attempts to add/replace/renew a certificate if the node is inactive. |
+| `Properties.PrimaryNodeCheckRetryMax` | Primary Node Check Retry Maximum | String | Yes | 3 | PrimaryNodeOnlineRequired | No | Enter the number of times a Management-Add job will attempt to add/replace/renew a certificate if the node is inactive before failing. |
+| `Properties.PrimaryNodeOnlineRequired` | Primary Node Online Required | Bool | Yes | - | - | No | Select this if you wish to stop the orchestrator from adding, replacing or renewing certificates on nodes that are inactive. If this is not selected, adding, replacing and renewing certificates on inactive nodes will be allowed. If you choose not to add this custom field, the default value of False will be assumed. |
+| `Properties.IgnoreSSLWarning` | Ignore SSL Warning | Bool | Yes | False | - | No | Select this if you wish to ignore SSL warnings from F5 that occur during API calls when the site does not have a trusted certificate with the proper SAN bound to it. If you choose not to add this custom field, the default value of False will be assumed and SSL warnings will cause errors during orchestrator extension jobs. |
+| `Properties.UseTokenAuth` | Use Token Authentication | Bool | Yes | false | - | No | Select this if you wish to use F5's token authentiation instead of basic authentication for all API requests. If you choose not to add this custom field, the default value of False will be assumed and basic authentication will be used for all API requests for all jobs. Setting this value to True will enable an initial basic authenticated request to acquire an authentication token, which will then be used for all subsequent API requests. |
+| `Properties.ServerUsername` | Server Username | Secret | No | - | - | Secret; PAM eligible | Login credential for the F5 device. MUST be an Admin account. |
+| `Properties.ServerPassword` | Server Password | Secret | No | - | - | Secret; PAM eligible | Login password for the F5 device. |
+| `Properties.ServerUseSsl` | Use SSL | Bool | Yes | true | - | No | True if using https to access the F5 device. False if using http. |
+
+## Secret And PAM Formatting
+
+Direct secret values go in the base property column. If the secret value is JSON, keep the entire JSON document in one quoted CSV cell.
+
+```csv
+Properties.ServerUsername
+Properties.ServerPassword
+```
+
+PAM-backed property secrets use provider and parameter columns:
+
+```csv
+Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters.
+Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.
+```
+
+## References
+
+- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md)
+- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md)
+- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md)
+- [kfutil stores import csv](../../../kfutil_stores_import_csv.md)
+- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md)
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/f5-sl-rest.md b/docs/use-cases/Certificate Store Operations/Store Types/f5-sl-rest.md
new file mode 100644
index 00000000..558b2259
--- /dev/null
+++ b/docs/use-cases/Certificate Store Operations/Store Types/f5-sl-rest.md
@@ -0,0 +1,129 @@
+
+# F5-SL-REST - F5 SSL Profiles REST
+
+[Store Type Index](README.md) | [Certificate Store Operations](../README.md)
+
+Generated from `cmd/store_types.json`. Regenerate with:
+
+```bash
+make store-type-docs
+```
+
+## Overview
+
+| Field | Value |
+| --- | --- |
+| Store type | `F5-SL-REST` |
+| Name | F5 SSL Profiles REST |
+| Capability | F5-SL-REST |
+| Server required | Yes |
+| Store path type | - |
+| Store path value | - |
+| Custom alias | Required |
+| Private key | Optional |
+| Store password | Required; PAM eligible |
+| Supported operations | Add, Discovery, Remove |
+
+**ClientMachine:** The server name or IP Address for the F5 device.
+
+**StorePath:** Enter the name of the partition on the F5 device you wish to manage. This value is case sensitive, so if the partition name is "Common", it must be entered as "Common" and not "common",
+
+## Bulk Create
+
+Use one CSV per store type. The generated create headers for this store type are:
+
+```csv
+ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.PrimaryNode,Properties.PrimaryNodeCheckRetryWaitSecs,Properties.PrimaryNodeCheckRetryMax,Properties.PrimaryNodeOnlineRequired,Properties.RemoveChain,Properties.IgnoreSSLWarning,Properties.UseTokenAuth,Properties.ServerUsername,Properties.ServerPassword,Properties.ServerUseSsl,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time,Password
+```
+
+Create stores from the CSV:
+
+```bash
+kfutil stores import csv \
+ --file f5-sl-rest_bulk_create.csv \
+ --store-type-name F5-SL-REST \
+ --no-prompt
+```
+
+To generate a live template from Command instead of using the static header list above:
+
+```bash
+kfutil stores import generate-template \
+ --store-type-name F5-SL-REST \
+ --outpath f5-sl-rest_bulk_create_template.csv \
+ --no-prompt
+```
+
+## Bulk Update
+
+Export existing stores, edit the desired columns, then sync the rows back by `Id`:
+
+```bash
+kfutil stores export \
+ --store-type-name F5-SL-REST \
+ --outpath f5-sl-rest_export.csv \
+ --no-prompt
+
+kfutil stores import csv \
+ --file f5-sl-rest_export.csv \
+ --store-type-name F5-SL-REST \
+ --sync \
+ --no-prompt
+```
+
+Minimum sync rows must include `Id`. Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them.
+
+Common update headers for this store type are:
+
+```csv
+Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.PrimaryNode,Properties.PrimaryNodeCheckRetryWaitSecs,Properties.PrimaryNodeCheckRetryMax,Properties.PrimaryNodeOnlineRequired,Properties.RemoveChain,Properties.IgnoreSSLWarning,Properties.UseTokenAuth,Properties.ServerUsername,Properties.ServerPassword,Properties.ServerUseSsl,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time,Password
+```
+
+## Store Properties
+
+| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| `Properties.PrimaryNode` | Primary Node | String | Yes | - | PrimaryNodeOnlineRequired | No | Only required (and shown) if Primary Node Online Required is added and selected. Enter the Host Name of the F5 device that acts as the primary node in a highly available F5 implementation. Please note that this value IS case sensitive. |
+| `Properties.PrimaryNodeCheckRetryWaitSecs` | Primary Node Check Retry Wait Seconds | String | Yes | 120 | PrimaryNodeOnlineRequired | No | Enter the number of seconds to wait between attempts to add/replace/renew a certificate if the node is inactive. |
+| `Properties.PrimaryNodeCheckRetryMax` | Primary Node Check Retry Maximum | String | Yes | 3 | PrimaryNodeOnlineRequired | No | Enter the number of times a Management-Add job will attempt to add/replace/renew a certificate if the node is inactive before failing. |
+| `Properties.PrimaryNodeOnlineRequired` | Primary Node Online Required | Bool | Yes | - | - | No | Select this if you wish to stop the orchestrator from adding, replacing or renewing certificates on nodes that are inactive. If this is not selected, adding, replacing and renewing certificates on inactive nodes will be allowed. If you choose not to add this custom field, the default value of False will be assumed. |
+| `Properties.RemoveChain` | Remove Chain on Add | Bool | No | False | - | No | Optional setting. Set this to true if you would like to remove the certificate chain before adding or replacing a certificate on your F5 device. |
+| `Properties.IgnoreSSLWarning` | Ignore SSL Warning | Bool | Yes | False | - | No | Select this if you wish to ignore SSL warnings from F5 that occur during API calls when the site does not have a trusted certificate with the proper SAN bound to it. If you choose not to add this custom field, the default value of False will be assumed and SSL warnings will cause errors during orchestrator extension jobs. |
+| `Properties.UseTokenAuth` | Use Token Authentication | Bool | Yes | false | - | No | Select this if you wish to use F5's token authentication instead of basic authentication for all API requests. If you choose not to add this custom field, the default value of False will be assumed and basic authentication will be used for all API requests for all jobs. Setting this value to True will enable an initial basic authenticated request to acquire an authentication token, which will then be used for all subsequent API requests. |
+| `Properties.ServerUsername` | Server Username | Secret | No | - | - | Secret; PAM eligible | Login credential for the F5 device. MUST be an Admin account. |
+| `Properties.ServerPassword` | Server Password | Secret | No | - | - | Secret; PAM eligible | Login password for the F5 device. |
+| `Properties.ServerUseSsl` | Use SSL | Bool | Yes | true | - | No | True if using https to access the F5 device. False if using http. |
+
+## Certificate Entry Parameters
+
+These parameters apply to certificate add/enrollment operations for this store type. They are not store create/sync CSV columns unless another workflow explicitly asks for them.
+
+| Name | Display name | Type | Required when | Default | Depends on | Description |
+| --- | --- | --- | --- | --- | --- | --- |
+| `SSLProfiles` | SSL Profiles | String | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":false,"OnRemove":false} | - | - | One to many comma delimited F5 SSL Profiles to bind the certificate to (new certificates ONLY) |
+
+## Secret And PAM Formatting
+
+Direct secret values go in the base property column. If the secret value is JSON, keep the entire JSON document in one quoted CSV cell.
+
+```csv
+Properties.ServerUsername
+Properties.ServerPassword
+```
+
+PAM-backed property secrets use provider and parameter columns:
+
+```csv
+Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters.
+Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.
+```
+
+The store password uses the `Password` column. For a PAM-backed store password, use `Password.Provider` and `Password.Parameters.` columns.
+
+## References
+
+- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md)
+- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md)
+- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md)
+- [kfutil stores import csv](../../../kfutil_stores_import_csv.md)
+- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md)
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/f5-ws-rest.md b/docs/use-cases/Certificate Store Operations/Store Types/f5-ws-rest.md
new file mode 100644
index 00000000..5e515e40
--- /dev/null
+++ b/docs/use-cases/Certificate Store Operations/Store Types/f5-ws-rest.md
@@ -0,0 +1,118 @@
+
+# F5-WS-REST - F5 WS Profiles REST
+
+[Store Type Index](README.md) | [Certificate Store Operations](../README.md)
+
+Generated from `cmd/store_types.json`. Regenerate with:
+
+```bash
+make store-type-docs
+```
+
+## Overview
+
+| Field | Value |
+| --- | --- |
+| Store type | `F5-WS-REST` |
+| Name | F5 WS Profiles REST |
+| Capability | F5-WS-REST |
+| Server required | Yes |
+| Store path type | - |
+| Store path value | - |
+| Custom alias | Forbidden |
+| Private key | Required |
+| Store password | Not required |
+| Supported operations | Add |
+
+**ClientMachine:** The server name or IP Address for the F5 device.
+
+**StorePath:** Enter the name of the partition on the F5 device you wish to manage. This value is case sensitive, so if the partition name is "Common", it must be entered as "Common" and not "common",
+
+## Bulk Create
+
+Use one CSV per store type. The generated create headers for this store type are:
+
+```csv
+ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.PrimaryNode,Properties.PrimaryNodeCheckRetryWaitSecs,Properties.PrimaryNodeCheckRetryMax,Properties.PrimaryNodeOnlineRequired,Properties.IgnoreSSLWarning,Properties.UseTokenAuth,Properties.ServerUsername,Properties.ServerPassword,Properties.ServerUseSsl,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+Create stores from the CSV:
+
+```bash
+kfutil stores import csv \
+ --file f5-ws-rest_bulk_create.csv \
+ --store-type-name F5-WS-REST \
+ --no-prompt
+```
+
+To generate a live template from Command instead of using the static header list above:
+
+```bash
+kfutil stores import generate-template \
+ --store-type-name F5-WS-REST \
+ --outpath f5-ws-rest_bulk_create_template.csv \
+ --no-prompt
+```
+
+## Bulk Update
+
+Export existing stores, edit the desired columns, then sync the rows back by `Id`:
+
+```bash
+kfutil stores export \
+ --store-type-name F5-WS-REST \
+ --outpath f5-ws-rest_export.csv \
+ --no-prompt
+
+kfutil stores import csv \
+ --file f5-ws-rest_export.csv \
+ --store-type-name F5-WS-REST \
+ --sync \
+ --no-prompt
+```
+
+Minimum sync rows must include `Id`. Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them.
+
+Common update headers for this store type are:
+
+```csv
+Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.PrimaryNode,Properties.PrimaryNodeCheckRetryWaitSecs,Properties.PrimaryNodeCheckRetryMax,Properties.PrimaryNodeOnlineRequired,Properties.IgnoreSSLWarning,Properties.UseTokenAuth,Properties.ServerUsername,Properties.ServerPassword,Properties.ServerUseSsl,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+## Store Properties
+
+| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| `Properties.PrimaryNode` | Primary Node | String | Yes | - | PrimaryNodeOnlineRequired | No | Only required (and shown) if Primary Node Online Required is added and selected. Enter the Host Name of the F5 device that acts as the primary node in a highly available F5 implementation. Please note that this value IS case sensitive. |
+| `Properties.PrimaryNodeCheckRetryWaitSecs` | Primary Node Check Retry Wait Seconds | String | Yes | 120 | PrimaryNodeOnlineRequired | No | Enter the number of seconds to wait between attempts to add/replace/renew a certificate if the node is inactive. |
+| `Properties.PrimaryNodeCheckRetryMax` | Primary Node Check Retry Maximum | String | Yes | 3 | PrimaryNodeOnlineRequired | No | Enter the number of times a Management-Add job will attempt to add/replace/renew a certificate if the node is inactive before failing. |
+| `Properties.PrimaryNodeOnlineRequired` | Primary Node Online Required | Bool | Yes | - | - | No | Select this if you wish to stop the orchestrator from adding, replacing or renewing certificates on nodes that are inactive. If this is not selected, adding, replacing and renewing certificates on inactive nodes will be allowed. If you choose not to add this custom field, the default value of False will be assumed. |
+| `Properties.IgnoreSSLWarning` | Ignore SSL Warning | Bool | Yes | False | - | No | Select this if you wish to ignore SSL warnings from F5 that occur during API calls when the site does not have a trusted certificate with the proper SAN bound to it. If you choose not to add this custom field, the default value of False will be assumed and SSL warnings will cause errors during orchestrator extension jobs. |
+| `Properties.UseTokenAuth` | Use Token Authentication | Bool | Yes | false | - | No | Select this if you wish to use F5's token authentiation instead of basic authentication for all API requests. If you choose not to add this custom field, the default value of False will be assumed and basic authentication will be used for all API requests for all jobs. Setting this value to True will enable an initial basic authenticated request to acquire an authentication token, which will then be used for all subsequent API requests. |
+| `Properties.ServerUsername` | Server Username | Secret | No | - | - | Secret; PAM eligible | Login credential for the F5 device. MUST be an Admin account. |
+| `Properties.ServerPassword` | Server Password | Secret | No | - | - | Secret; PAM eligible | Login password for the F5 device. |
+| `Properties.ServerUseSsl` | Use SSL | Bool | Yes | true | - | No | True if using https to access the F5 device. False if using http. |
+
+## Secret And PAM Formatting
+
+Direct secret values go in the base property column. If the secret value is JSON, keep the entire JSON document in one quoted CSV cell.
+
+```csv
+Properties.ServerUsername
+Properties.ServerPassword
+```
+
+PAM-backed property secrets use provider and parameter columns:
+
+```csv
+Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters.
+Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.
+```
+
+## References
+
+- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md)
+- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md)
+- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md)
+- [kfutil stores import csv](../../../kfutil_stores_import_csv.md)
+- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md)
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/f5wafca.md b/docs/use-cases/Certificate Store Operations/Store Types/f5wafca.md
new file mode 100644
index 00000000..dba6eb3d
--- /dev/null
+++ b/docs/use-cases/Certificate Store Operations/Store Types/f5wafca.md
@@ -0,0 +1,111 @@
+
+# f5WafCa - F5 WAF CA
+
+[Store Type Index](README.md) | [Certificate Store Operations](../README.md)
+
+Generated from `cmd/store_types.json`. Regenerate with:
+
+```bash
+make store-type-docs
+```
+
+## Overview
+
+| Field | Value |
+| --- | --- |
+| Store type | `f5WafCa` |
+| Name | F5 WAF CA |
+| Capability | f5WafCa |
+| Server required | Yes |
+| Store path type | - |
+| Store path value | - |
+| Custom alias | Required |
+| Private key | Forbidden |
+| Store password | Not required |
+| Supported operations | Add, Discovery, Remove |
+
+**ClientMachine:** The URL for the F5 Distributed Cloud instance (typically ending in '.console.ves.volterra.io').
+
+**StorePath:** The Multi-Cloud App Connect namespace containing the certificates you wish to manage.
+
+## Bulk Create
+
+Use one CSV per store type. The generated create headers for this store type are:
+
+```csv
+ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+Create stores from the CSV:
+
+```bash
+kfutil stores import csv \
+ --file f5wafca_bulk_create.csv \
+ --store-type-name f5WafCa \
+ --no-prompt
+```
+
+To generate a live template from Command instead of using the static header list above:
+
+```bash
+kfutil stores import generate-template \
+ --store-type-name f5WafCa \
+ --outpath f5wafca_bulk_create_template.csv \
+ --no-prompt
+```
+
+## Bulk Update
+
+Export existing stores, edit the desired columns, then sync the rows back by `Id`:
+
+```bash
+kfutil stores export \
+ --store-type-name f5WafCa \
+ --outpath f5wafca_export.csv \
+ --no-prompt
+
+kfutil stores import csv \
+ --file f5wafca_export.csv \
+ --store-type-name f5WafCa \
+ --sync \
+ --no-prompt
+```
+
+Minimum sync rows must include `Id`. Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them.
+
+Common update headers for this store type are:
+
+```csv
+Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+## Store Properties
+
+| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| `Properties.ServerUsername` | Server Username | Secret | No | - | - | Secret | Not used. Set to No Value. |
+| `Properties.ServerPassword` | Server Password | Secret | No | - | - | Secret; PAM eligible | The API Token configured in the F5 Distributed Cloud instance's Account Settings. Please review the Requirements & Prerequisites section in this README for more information on creating this API token. |
+
+## Secret And PAM Formatting
+
+Direct secret values go in the base property column. If the secret value is JSON, keep the entire JSON document in one quoted CSV cell.
+
+```csv
+Properties.ServerUsername
+Properties.ServerPassword
+```
+
+PAM-backed property secrets use provider and parameter columns:
+
+```csv
+Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters.
+Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.
+```
+
+## References
+
+- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md)
+- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md)
+- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md)
+- [kfutil stores import csv](../../../kfutil_stores_import_csv.md)
+- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md)
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/f5waftls.md b/docs/use-cases/Certificate Store Operations/Store Types/f5waftls.md
new file mode 100644
index 00000000..2fd6df88
--- /dev/null
+++ b/docs/use-cases/Certificate Store Operations/Store Types/f5waftls.md
@@ -0,0 +1,111 @@ + +# f5WafTls - F5 WAF TLS + +[Store Type Index](README.md) | [Certificate Store Operations](../README.md) + +Generated from `cmd/store_types.json`. Regenerate with: + +```bash +make store-type-docs +``` + +## Overview + +| Field | Value | +| --- | --- | +| Store type | `f5WafTls` | +| Name | F5 WAF TLS | +| Capability | f5WafTls | +| Server required | Yes | +| Store path type | - | +| Store path value | - | +| Custom alias | Required | +| Private key | Required | +| Store password | Not required | +| Supported operations | Add, Discovery, Remove | + +**ClientMachine:** The URL for the F5 Distributed Cloud instance (typically ending in '.console.ves.volterra.io'). + +**StorePath:** The Multi-Cloud App Connect namespace containing the certificates you wish to manage. + +## Bulk Create + +Use one CSV per store type. The generated create headers for this store type are: + +```csv +ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time +``` + +Create stores from the CSV: + +```bash +kfutil stores import csv \ + --file f5waftls_bulk_create.csv \ + --store-type-name f5WafTls \ + --no-prompt +``` + +To generate a live template from Command instead of using the static header list above: + +```bash +kfutil stores import generate-template \ + --store-type-name f5WafTls \ + --outpath f5waftls_bulk_create_template.csv \ + --no-prompt +``` + +## Bulk Update + +Export existing stores, edit the desired columns, then sync the rows back by `Id`: + +```bash +kfutil stores export \ + --store-type-name f5WafTls \ + --outpath f5waftls_export.csv \ + --no-prompt + +kfutil stores import csv \ + --file f5waftls_export.csv \ + --store-type-name f5WafTls \ + --sync \ + --no-prompt +``` + +Minimum sync rows must include `Id`. 
Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them. + +Common update headers for this store type are: + +```csv +Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time +``` + +## Store Properties + +| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description | +| --- | --- | --- | --- | --- | --- | --- | --- | +| `Properties.ServerUsername` | Server Username | Secret | No | - | - | Secret | Not used. Set to No Value. | +| `Properties.ServerPassword` | Server Password | Secret | No | - | - | Secret | The API Token configured in the F5 Distributed Cloud instance's Account Settings. Please review the Requirements & Prerequisites section in this README for more information on creating this API token. | + +## Secret And PAM Formatting + +Direct secret values go in the base property column. If the secret value is JSON, keep the entire JSON document in one quoted CSV cell. + +```csv +Properties.ServerUsername +Properties.ServerPassword +``` + +PAM-backed property secrets use provider and parameter columns: + +```csv +Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters. +Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters. +``` + +## References + +- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md) +- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md) +- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md) +- [kfutil stores import csv](../../../kfutil_stores_import_csv.md) +- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md) 
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/fortigate.md b/docs/use-cases/Certificate Store Operations/Store Types/fortigate.md new file mode 100644 index 00000000..5486b8ef --- /dev/null +++ b/docs/use-cases/Certificate Store Operations/Store Types/fortigate.md 
@@ -0,0 +1,96 @@ + +# Fortigate - Fortigate + +[Store Type Index](README.md) | [Certificate Store Operations](../README.md) + +Generated from `cmd/store_types.json`. Regenerate with: + +```bash +make store-type-docs +``` + +## Overview + +| Field | Value | +| --- | --- | +| Store type | `Fortigate` | +| Name | Fortigate | +| Capability | Fortigate | +| Server required | No | +| Store path type | - | +| Store path value | - | +| Custom alias | Required | +| Private key | Required | +| Store password | Required; PAM eligible | +| Supported operations | Add, Remove | + +**ClientMachine:** The IP address or DNS of the Fortigate server + +**StorePath:** Value must contain the VDOM this certificate store will be managing. `root` must be entered to manage the default 'root' VDOM. + +## Bulk Create + +Use one CSV per store type. The generated create headers for this store type are: + +```csv +ContainerId,ClientMachine,StorePath,CreateIfMissing,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time,Password +``` + +Create stores from the CSV: + +```bash +kfutil stores import csv \ + --file fortigate_bulk_create.csv \ + --store-type-name Fortigate \ + --no-prompt +``` + +To generate a live template from Command instead of using the static header list above: + +```bash +kfutil stores import generate-template \ + --store-type-name Fortigate \ + --outpath fortigate_bulk_create_template.csv \ + --no-prompt +``` + +## Bulk Update + +Export existing stores, edit the desired columns, then sync the rows back by `Id`: + +```bash +kfutil stores export \ + --store-type-name Fortigate \ + --outpath fortigate_export.csv \ + --no-prompt + +kfutil stores import csv \ + --file fortigate_export.csv \ + --store-type-name Fortigate \ + --sync \ + --no-prompt +``` + +Minimum sync rows must include `Id`. 
Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them. + +Common update headers for this store type are: + +```csv +Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time,Password +``` + +## Store Properties + +This store type does not define additional `Properties.*` CSV columns. + +## Secret And PAM Formatting + +The store password uses the `Password` column. For a PAM-backed store password, use `Password.Provider` and `Password.Parameters.` columns. + +## References + +- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md) +- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md) +- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md) +- [kfutil stores import csv](../../../kfutil_stores_import_csv.md) +- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md) diff --git a/docs/use-cases/Certificate Store Operations/Store Types/fortiweb.md b/docs/use-cases/Certificate Store Operations/Store Types/fortiweb.md new file mode 100644 index 00000000..8595ac9d --- /dev/null +++ b/docs/use-cases/Certificate Store Operations/Store Types/fortiweb.md 
@@ -0,0 +1,113 @@ + +# FortiWeb - FortiWeb + +[Store Type Index](README.md) | [Certificate Store Operations](../README.md) + +Generated from `cmd/store_types.json`. Regenerate with: + +```bash +make store-type-docs +``` + +## Overview + +| Field | Value | +| --- | --- | +| Store type | `FortiWeb` | +| Name | FortiWeb | +| Capability | FortiWeb | +| Server required | Yes | +| Store path type | - | +| Store path value | - | +| Custom alias | Required | +| Private key | Optional | +| Store password | Not required | +| Supported operations | Add | + +**ClientMachine:** The Client Machine field should contain the IP or Domain name and Port Needed for REST API Access. For SSH Access, Port 22 will be used. + +**StorePath:** The Store Path field should always be / unless we later determine there are alternate locations needed. + +## Bulk Create + +Use one CSV per store type. The generated create headers for this store type are: + +```csv +ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,Properties.ServerUseSsl,Properties.ADom,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time +``` + +Create stores from the CSV: + +```bash +kfutil stores import csv \ + --file fortiweb_bulk_create.csv \ + --store-type-name FortiWeb \ + --no-prompt +``` + +To generate a live template from Command instead of using the static header list above: + +```bash +kfutil stores import generate-template \ + --store-type-name FortiWeb \ + --outpath fortiweb_bulk_create_template.csv \ + --no-prompt +``` + +## Bulk Update + +Export existing stores, edit the desired columns, then sync the rows back by `Id`: + +```bash +kfutil stores export \ + --store-type-name FortiWeb \ + --outpath fortiweb_export.csv \ + --no-prompt + +kfutil stores import csv \ + --file fortiweb_export.csv \ + --store-type-name FortiWeb \ + --sync \ + --no-prompt +``` + 
+Minimum sync rows must include `Id`. Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them. + +Common update headers for this store type are: + +```csv +Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,Properties.ServerUseSsl,Properties.ADom,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time +``` + +## Store Properties + +| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description | +| --- | --- | --- | --- | --- | --- | --- | --- | +| `Properties.ServerUsername` | Server Username | Secret | No | - | - | Secret; PAM eligible | A username for CLI/SSH and REST API access. Used for inventory. (or valid PAM key if the username is stored in a KF Command configured PAM integration). | +| `Properties.ServerPassword` | Server Password | Secret | No | - | - | Secret; PAM eligible | A password for CLI/SSH and REST API access. Used for inventory.(or valid PAM key if the password is stored in a KF Command configured PAM integration). | +| `Properties.ServerUseSsl` | Use SSL | Bool | Yes | true | - | No | Should be true, http is not supported. | +| `Properties.ADom` | Administrative Domain | String | Yes | root | - | No | Specifies the administrative or virtual domain within the FortiWeb system that the API user is targeting. | + +## Secret And PAM Formatting + +Direct secret values go in the base property column. If the secret value is JSON, keep the entire JSON document in one quoted CSV cell. + +```csv +Properties.ServerUsername +Properties.ServerPassword +``` + +PAM-backed property secrets use provider and parameter columns: + +```csv +Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters. +Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters. 
+``` + +## References + +- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md) +- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md) +- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md) +- [kfutil stores import csv](../../../kfutil_stores_import_csv.md) +- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md) diff --git a/docs/use-cases/Certificate Store Operations/Store Types/gcpapigee.md b/docs/use-cases/Certificate Store Operations/Store Types/gcpapigee.md new file mode 100644 index 00000000..b42c68d0 --- /dev/null +++ b/docs/use-cases/Certificate Store Operations/Store Types/gcpapigee.md 
@@ -0,0 +1,109 @@ + +# GcpApigee - Google Cloud Provider Apigee + +[Store Type Index](README.md) | [Certificate Store Operations](../README.md) + +Generated from `cmd/store_types.json`. Regenerate with: + +```bash +make store-type-docs +``` + +## Overview + +| Field | Value | +| --- | --- | +| Store type | `GcpApigee` | +| Name | Google Cloud Provider Apigee | +| Capability | GcpApigee | +| Server required | No | +| Store path type | - | +| Store path value | - | +| Custom alias | Required | +| Private key | Optional | +| Store password | Not required | +| Supported operations | Add, Create, Remove | + +**ClientMachine:** The Base URL for the GCP Apigee REST Api. Should be *apigee.googleapis.com* + +**StorePath:** The Apigee keystore being managed. Must be provided in the following format: organizations/{org}/environments/{env}/keystores/{keystore}, where {org}, {env}, and {keystore} will be replaced with your environment-specific values. + +## Bulk Create + +Use one CSV per store type. 
The generated create headers for this store type are: + +```csv +ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.isTrustStore,Properties.jsonKey,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time +``` + +Create stores from the CSV: + +```bash +kfutil stores import csv \ + --file gcpapigee_bulk_create.csv \ + --store-type-name GcpApigee \ + --no-prompt +``` + +To generate a live template from Command instead of using the static header list above: + +```bash +kfutil stores import generate-template \ + --store-type-name GcpApigee \ + --outpath gcpapigee_bulk_create_template.csv \ + --no-prompt +``` + +## Bulk Update + +Export existing stores, edit the desired columns, then sync the rows back by `Id`: + +```bash +kfutil stores export \ + --store-type-name GcpApigee \ + --outpath gcpapigee_export.csv \ + --no-prompt + +kfutil stores import csv \ + --file gcpapigee_export.csv \ + --store-type-name GcpApigee \ + --sync \ + --no-prompt +``` + +Minimum sync rows must include `Id`. Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them. + +Common update headers for this store type are: + +```csv +Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.isTrustStore,Properties.jsonKey,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time +``` + +## Store Properties + +| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description | +| --- | --- | --- | --- | --- | --- | --- | --- | +| `Properties.isTrustStore` | Is Trust Store? | Bool | Yes | false | - | No | Should be checked if the Apigee keystore being managed is a truststore. 
| +| `Properties.jsonKey` | Google Json Key File | Secret | Yes | - | - | Secret | The JSON key tied to the Apigee service account. You can copy and paste the entire Json key in the textbox when creating a certificate store in the Keyfactor Command UI. | + +## Secret And PAM Formatting + +Direct secret values go in the base property column. If the secret value is JSON, keep the entire JSON document in one quoted CSV cell. + +```csv +Properties.jsonKey +``` + +PAM-backed property secrets use provider and parameter columns: + +```csv +Properties.jsonKey.Provider,Properties.jsonKey.Parameters. +``` + +## References + +- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md) +- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md) +- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md) +- [kfutil stores import csv](../../../kfutil_stores_import_csv.md) +- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md) diff --git a/docs/use-cases/Certificate Store Operations/Store Types/gcpcertmgr.md b/docs/use-cases/Certificate Store Operations/Store Types/gcpcertmgr.md new file mode 100644 index 00000000..9d4cdedb --- /dev/null +++ b/docs/use-cases/Certificate Store Operations/Store Types/gcpcertmgr.md 
@@ -0,0 +1,95 @@ + +# GcpCertMgr - GCP Certificate Manager + +[Store Type Index](README.md) | [Certificate Store Operations](../README.md) + +Generated from `cmd/store_types.json`. Regenerate with: + +```bash +make store-type-docs +``` + +## Overview + +| Field | Value | +| --- | --- | +| Store type | `GcpCertMgr` | +| Name | GCP Certificate Manager | +| Capability | GcpCertMgr | +| Server required | No | +| Store path type | - | +| Store path value | n/a | +| Custom alias | Required | +| Private key | Required | +| Store password | Not required | +| Supported operations | Add, Create, Discovery, Remove | + +**ClientMachine:** GCP Project ID for your account. + +**StorePath:** This is not used and should be defaulted to n/a per the certificate store type set up. + +## Bulk Create + +Use one CSV per store type. The generated create headers for this store type are: + +```csv +ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.Location,Properties.ServiceAccountKey,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time +``` + +Create stores from the CSV: + +```bash +kfutil stores import csv \ + --file gcpcertmgr_bulk_create.csv \ + --store-type-name GcpCertMgr \ + --no-prompt +``` + +To generate a live template from Command instead of using the static header list above: + +```bash +kfutil stores import generate-template \ + --store-type-name GcpCertMgr \ + --outpath gcpcertmgr_bulk_create_template.csv \ + --no-prompt +``` + +## Bulk Update + +Export existing stores, edit the desired columns, then sync the rows back by `Id`: + +```bash +kfutil stores export \ + --store-type-name GcpCertMgr \ + --outpath gcpcertmgr_export.csv \ + --no-prompt + +kfutil stores import csv \ + --file gcpcertmgr_export.csv \ + --store-type-name GcpCertMgr \ + --sync \ + --no-prompt +``` + +Minimum sync rows must include `Id`. 
Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them. + +Common update headers for this store type are: + +```csv +Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.Location,Properties.ServiceAccountKey,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time +``` + +## Store Properties + +| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description | +| --- | --- | --- | --- | --- | --- | --- | --- | +| `Properties.Location` | Location | String | Yes | global | - | No | The GCP region used for this Certificate Manager instance. **global** is the default but could be another region based on the project. | +| `Properties.ServiceAccountKey` | Service Account Key File Path | String | No | - | - | No | The file name of the Google Cloud Service Account Key File installed in the same folder as the orchestrator extension. Empty if the orchestrator server resides in GCP and you are not using a service account key. | + +## References + +- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md) +- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md) +- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md) +- [kfutil stores import csv](../../../kfutil_stores_import_csv.md) +- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md) diff --git a/docs/use-cases/Certificate Store Operations/Store Types/gcploadbal.md b/docs/use-cases/Certificate Store Operations/Store Types/gcploadbal.md new file mode 100644 index 00000000..2f8d0943 --- /dev/null +++ b/docs/use-cases/Certificate Store Operations/Store Types/gcploadbal.md 
@@ -0,0 +1,108 @@ + +# GCPLoadBal - GCP Load Balancer + +[Store Type Index](README.md) | [Certificate Store Operations](../README.md) + +Generated from `cmd/store_types.json`. Regenerate with: + +```bash +make store-type-docs +``` + +## Overview + +| Field | Value | +| --- | --- | +| Store type | `GCPLoadBal` | +| Name | GCP Load Balancer | +| Capability | GCPLoadBal | +| Server required | No | +| Store path type | - | +| Store path value | - | +| Custom alias | Optional | +| Private key | Required | +| Store password | Not required | +| Supported operations | Add, Remove | + +**ClientMachine:** Not used, but required when creating a store. Just enter any value. + +**StorePath:** Your Google Cloud Project ID only if you choose to use global resources. Append a forward slash '/' and valid GCP region to process against a specific [GCP region](https://gist.github.com/rpkim/084046e02fd8c452ba6ddef3a61d5d59). + +## Bulk Create + +Use one CSV per store type. The generated create headers for this store type are: + +```csv +ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.jsonKey,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time +``` + +Create stores from the CSV: + +```bash +kfutil stores import csv \ + --file gcploadbal_bulk_create.csv \ + --store-type-name GCPLoadBal \ + --no-prompt +``` + +To generate a live template from Command instead of using the static header list above: + +```bash +kfutil stores import generate-template \ + --store-type-name GCPLoadBal \ + --outpath gcploadbal_bulk_create_template.csv \ + --no-prompt +``` + +## Bulk Update + +Export existing stores, edit the desired columns, then sync the rows back by `Id`: + +```bash +kfutil stores export \ + --store-type-name GCPLoadBal \ + --outpath gcploadbal_export.csv \ + --no-prompt + +kfutil stores import csv \ + --file gcploadbal_export.csv \ + --store-type-name GCPLoadBal \ + 
--sync \ + --no-prompt +``` + +Minimum sync rows must include `Id`. Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them. + +Common update headers for this store type are: + +```csv +Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.jsonKey,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time +``` + +## Store Properties + +| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description | +| --- | --- | --- | --- | --- | --- | --- | --- | +| `Properties.jsonKey` | Service Account Key | Secret | Yes | - | - | Secret | If authenticating by passing credentials from Keyfactor Command, this is the JSON-based service account key created from within Google Cloud. If authenticating via Application Default Credentials (ADC), select No Value | + +## Secret And PAM Formatting + +Direct secret values go in the base property column. If the secret value is JSON, keep the entire JSON document in one quoted CSV cell. + +```csv +Properties.jsonKey +``` + +PAM-backed property secrets use provider and parameter columns: + +```csv +Properties.jsonKey.Provider,Properties.jsonKey.Parameters. +``` + +## References + +- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md) +- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md) +- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md) +- [kfutil stores import csv](../../../kfutil_stores_import_csv.md) +- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md) diff --git a/docs/use-cases/Certificate Store Operations/Store Types/gcpscrtmgr.md b/docs/use-cases/Certificate Store Operations/Store Types/gcpscrtmgr.md new file mode 100644 index 00000000..45c4b9c0 --- /dev/null 
+++ b/docs/use-cases/Certificate Store Operations/Store Types/gcpscrtmgr.md 
@@ -0,0 +1,107 @@ + +# GCPScrtMgr - GCPScrtMgr + +[Store Type Index](README.md) | [Certificate Store Operations](../README.md) + +Generated from `cmd/store_types.json`. Regenerate with: + +```bash +make store-type-docs +``` + +## Overview + +| Field | Value | +| --- | --- | +| Store type | `GCPScrtMgr` | +| Name | GCPScrtMgr | +| Capability | GCPScrtMgr | +| Server required | No | +| Store path type | - | +| Store path value | - | +| Custom alias | Required | +| Private key | Optional | +| Store password | Required; PAM eligible | +| Supported operations | Add, Remove | + +**ClientMachine:** Not used + +**StorePath:** The Project ID of the Google Secret Manager being managed. + +## Bulk Create + +Use one CSV per store type. The generated create headers for this store type are: + +```csv +ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.PasswordSecretSuffix,Properties.IncludeChain,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time,Password +``` + +Create stores from the CSV: + +```bash +kfutil stores import csv \ + --file gcpscrtmgr_bulk_create.csv \ + --store-type-name GCPScrtMgr \ + --no-prompt +``` + +To generate a live template from Command instead of using the static header list above: + +```bash +kfutil stores import generate-template \ + --store-type-name GCPScrtMgr \ + --outpath gcpscrtmgr_bulk_create_template.csv \ + --no-prompt +``` + +## Bulk Update + +Export existing stores, edit the desired columns, then sync the rows back by `Id`: + +```bash +kfutil stores export \ + --store-type-name GCPScrtMgr \ + --outpath gcpscrtmgr_export.csv \ + --no-prompt + +kfutil stores import csv \ + --file gcpscrtmgr_export.csv \ + --store-type-name GCPScrtMgr \ + --sync \ + --no-prompt +``` + +Minimum sync rows must include `Id`. 
Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them. + +Common update headers for this store type are: + +```csv +Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.PasswordSecretSuffix,Properties.IncludeChain,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time,Password +``` + +## Store Properties + +| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description | +| --- | --- | --- | --- | --- | --- | --- | --- | +| `Properties.PasswordSecretSuffix` | Password Secret Location Suffix | String | No | - | - | No | If storing a certificate with an encrypted private key, this is the suffix to add to the certificate (secret) alias name where the encrypted private key password will be stored. Please see [Certificate Encryption Details](#certificate-encryption-details) for more information | +| `Properties.IncludeChain` | Include Chain | Bool | No | True | - | No | Determines whether to include the certificate chain when adding a certificate as a secret. | + +## Certificate Entry Parameters + +These parameters apply to certificate add/enrollment operations for this store type. They are not store create/sync CSV columns unless another workflow explicitly asks for them. + +| Name | Display name | Type | Required when | Default | Depends on | Description | +| --- | --- | --- | --- | --- | --- | --- | +| `tags` | Tags | String | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":false,"OnRemove":false} | - | - | One-to-many Organization level tag Key:Value combinations, comma delimited - i.e. tagKey1:tagVal1,tagKey2:tagVal2,...tagKeyN:tagValN | + +## Secret And PAM Formatting + +The store password uses the `Password` column. For a PAM-backed store password, use `Password.Provider` and `Password.Parameters.` columns. 
+ +## References + +- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md) +- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md) +- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md) +- [kfutil stores import csv](../../../kfutil_stores_import_csv.md) +- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md) diff --git a/docs/use-cases/Certificate Store Operations/Store Types/hcvkv.md b/docs/use-cases/Certificate Store Operations/Store Types/hcvkv.md new file mode 100644 index 00000000..99ca33a9 --- /dev/null +++ b/docs/use-cases/Certificate Store Operations/Store Types/hcvkv.md 
@@ -0,0 +1,94 @@ + +# HCVKV - Hashicorp Vault Key-Value + +[Store Type Index](README.md) | [Certificate Store Operations](../README.md) + +Generated from `cmd/store_types.json`. Regenerate with: + +```bash +make store-type-docs +``` + +## Overview + +| Field | Value | +| --- | --- | +| Store type | `HCVKV` | +| Name | Hashicorp Vault Key-Value | +| Capability | HCVKV | +| Server required | No | +| Store path type | - | +| Store path value | - | +| Custom alias | Optional | +| Private key | Optional | +| Store password | Not required | +| Supported operations | Add, Create, Discovery, Remove | + +## Bulk Create + +Use one CSV per store type. The generated create headers for this store type are: + +```csv +ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.MountPoint,Properties.VaultToken,Properties.VaultServerUrl,Properties.SubfolderInventory,Properties.IncludeCertChain,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time +``` + +Create stores from the CSV: + +```bash +kfutil stores import csv \ + --file hcvkv_bulk_create.csv \ + --store-type-name HCVKV \ + --no-prompt +``` + +To generate a live template from Command instead of using the static header list above: + +```bash +kfutil stores import generate-template \ + --store-type-name HCVKV \ + --outpath hcvkv_bulk_create_template.csv \ + --no-prompt +``` + +## Bulk Update + +Export existing stores, edit the desired columns, then sync the rows back by `Id`: + +```bash +kfutil stores export \ + --store-type-name HCVKV \ + --outpath hcvkv_export.csv \ + --no-prompt + +kfutil stores import csv \ + --file hcvkv_export.csv \ + --store-type-name HCVKV \ + --sync \ + --no-prompt +``` + +Minimum sync rows must include `Id`. Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them. 
+ +Common update headers for this store type are: + +```csv +Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.MountPoint,Properties.VaultToken,Properties.VaultServerUrl,Properties.SubfolderInventory,Properties.IncludeCertChain,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time +``` + +## Store Properties + +| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description | +| --- | --- | --- | --- | --- | --- | --- | --- | +| `Properties.MountPoint` | Mount Point | String | No | - | - | No | - | +| `Properties.VaultToken` | Vault Token | String | No | - | - | No | - | +| `Properties.VaultServerUrl` | Vault Server URL | String | No | - | - | No | - | +| `Properties.SubfolderInventory` | Subfolder Inventory | Bool | No | false | - | No | - | +| `Properties.IncludeCertChain` | Include Cert Chain | Bool | No | true | - | No | - | + +## References + +- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md) +- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md) +- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md) +- [kfutil stores import csv](../../../kfutil_stores_import_csv.md) +- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md) diff --git a/docs/use-cases/Certificate Store Operations/Store Types/hcvkvjks.md b/docs/use-cases/Certificate Store Operations/Store Types/hcvkvjks.md new file mode 100644 index 00000000..2462184d --- /dev/null +++ b/docs/use-cases/Certificate Store Operations/Store Types/hcvkvjks.md 
@@ -0,0 +1,116 @@ + +# HCVKVJKS - Hashicorp Vault Key-Value JKS + +[Store Type Index](README.md) | [Certificate Store Operations](../README.md) + +Generated from `cmd/store_types.json`. Regenerate with: + +```bash +make store-type-docs +``` + +## Overview + +| Field | Value | +| --- | --- | +| Store type | `HCVKVJKS` | +| Name | Hashicorp Vault Key-Value JKS | +| Capability | HCVKVJKS | +| Server required | Yes | +| Store path type | - | +| Store path value | example: '/mycerts/certstore.jks?b64cert' | +| Custom alias | Required | +| Private key | Optional | +| Store password | Optional; PAM eligible | +| Supported operations | Add, Create, Discovery, Remove | + +**ClientMachine:** This can be any value to help uniquely identify the store. It is not used by this integration. + +**StorePath:** This is the path to the secret containing the store. + +## Bulk Create + +Use one CSV per store type. The generated create headers for this store type are: + +```csv +ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,Properties.IncludeCertChain,Properties.MountPoint,Properties.PassphrasePath,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time +``` + +Create stores from the CSV: + +```bash +kfutil stores import csv \ + --file hcvkvjks_bulk_create.csv \ + --store-type-name HCVKVJKS \ + --no-prompt +``` + +To generate a live template from Command instead of using the static header list above: + +```bash +kfutil stores import generate-template \ + --store-type-name HCVKVJKS \ + --outpath hcvkvjks_bulk_create_template.csv \ + --no-prompt +``` + +## Bulk Update + +Export existing stores, edit the desired columns, then sync the rows back by `Id`: + +```bash +kfutil stores export \ + --store-type-name HCVKVJKS \ + --outpath hcvkvjks_export.csv \ + --no-prompt + +kfutil stores import csv \ + --file hcvkvjks_export.csv \ + 
--store-type-name HCVKVJKS \ + --sync \ + --no-prompt +``` + +Minimum sync rows must include `Id`. Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them. + +Common update headers for this store type are: + +```csv +Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,Properties.IncludeCertChain,Properties.MountPoint,Properties.PassphrasePath,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time +``` + +## Store Properties + +| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description | +| --- | --- | --- | --- | --- | --- | --- | --- | +| `Properties.ServerUsername` | Server Username | Secret | Yes | - | - | Secret; PAM eligible | The base URI (and port) to the instance of Hashicorp Vault ex: https://localhost:8200 | +| `Properties.ServerPassword` | Server Password | Secret | Yes | - | - | Secret; PAM eligible | Vault token that will be used by the Orchestrator integration for authenticating and performing operations in the Vault instance | +| `Properties.IncludeCertChain` | Include Certificate Chain | Bool | No | false | - | No | Should the certificate chain be included when performing an enrollment? | +| `Properties.MountPoint` | Mount Point | String | No | - | - | No | The base mount point of the secrets engine. If using Vault Namespaces, include the namespace; ie. <namespace>/<mount point> | +| `Properties.PassphrasePath` | Passphrase Path | String | No | - | - | No | This is the path to the secret that contains the passphrase to the cert store file. If empty or omitted, assume the secret is named 'passphrase' on the same level as the certificate store secret. | + +## Secret And PAM Formatting + +Direct secret values go in the base property column. 
If the secret value is JSON, keep the entire JSON document in one quoted CSV cell. + +```csv +Properties.ServerUsername +Properties.ServerPassword +``` + +PAM-backed property secrets use provider and parameter columns: + +```csv +Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters. +Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters. +``` + +The store password uses the `Password` column. For a PAM-backed store password, use `Password.Provider` and `Password.Parameters.` columns. + +## References + +- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md) +- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md) +- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md) +- [kfutil stores import csv](../../../kfutil_stores_import_csv.md) +- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md) diff --git a/docs/use-cases/Certificate Store Operations/Store Types/hcvkvp12.md b/docs/use-cases/Certificate Store Operations/Store Types/hcvkvp12.md new file mode 100644 index 00000000..f56e2674 --- /dev/null +++ b/docs/use-cases/Certificate Store Operations/Store Types/hcvkvp12.md 
@@ -0,0 +1,116 @@ + +# HCVKVP12 - Hashicorp Vault Key-Value PKCS12 + +[Store Type Index](README.md) | [Certificate Store Operations](../README.md) + +Generated from `cmd/store_types.json`. Regenerate with: + +```bash +make store-type-docs +``` + +## Overview + +| Field | Value | +| --- | --- | +| Store type | `HCVKVP12` | +| Name | Hashicorp Vault Key-Value PKCS12 | +| Capability | HCVKVP12 | +| Server required | Yes | +| Store path type | - | +| Store path value | example: '/mycerts/certstore.p12?b64cert' | +| Custom alias | Required | +| Private key | Optional | +| Store password | Optional; PAM eligible | +| Supported operations | Add, Create, Discovery, Remove | + +**ClientMachine:** This can be any value to help uniquely identify the store. It is not used by this integration. + +**StorePath:** This is the path to the secret containing the store. + +## Bulk Create + +Use one CSV per store type. The generated create headers for this store type are: + +```csv +ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,Properties.IncludeCertChain,Properties.MountPoint,Properties.PassphrasePath,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time +``` + +Create stores from the CSV: + +```bash +kfutil stores import csv \ + --file hcvkvp12_bulk_create.csv \ + --store-type-name HCVKVP12 \ + --no-prompt +``` + +To generate a live template from Command instead of using the static header list above: + +```bash +kfutil stores import generate-template \ + --store-type-name HCVKVP12 \ + --outpath hcvkvp12_bulk_create_template.csv \ + --no-prompt +``` + +## Bulk Update + +Export existing stores, edit the desired columns, then sync the rows back by `Id`: + +```bash +kfutil stores export \ + --store-type-name HCVKVP12 \ + --outpath hcvkvp12_export.csv \ + --no-prompt + +kfutil stores import csv \ + --file hcvkvp12_export.csv \ 
+ --store-type-name HCVKVP12 \ + --sync \ + --no-prompt +``` + +Minimum sync rows must include `Id`. Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them. + +Common update headers for this store type are: + +```csv +Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,Properties.IncludeCertChain,Properties.MountPoint,Properties.PassphrasePath,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time +``` + +## Store Properties + +| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description | +| --- | --- | --- | --- | --- | --- | --- | --- | +| `Properties.ServerUsername` | Server Username | Secret | Yes | - | - | Secret; PAM eligible | The base URI (and port) to the instance of Hashicorp Vault ex: https://localhost:8200 | +| `Properties.ServerPassword` | Server Password | Secret | Yes | - | - | Secret; PAM eligible | Vault token that will be used by the Orchestrator integration for authenticating and performing operations in the Vault instance | +| `Properties.IncludeCertChain` | Include Certificate Chain | Bool | No | false | - | No | Should the certificate chain be included when performing an enrollment? | +| `Properties.MountPoint` | Mount Point | String | No | - | - | No | The base mount point of the secrets engine. If using Vault Namespaces, include the namespace; ie. <namespace>/<mount point> | +| `Properties.PassphrasePath` | Passphrase Path | String | No | - | - | No | This is the path to the secret that contains the passphrase to the cert store file. If empty or omitted, assume the secret is named 'passphrase' on the same level as the certificate store secret. | + +## Secret And PAM Formatting + +Direct secret values go in the base property column. 
If the secret value is JSON, keep the entire JSON document in one quoted CSV cell. + +```csv +Properties.ServerUsername +Properties.ServerPassword +``` + +PAM-backed property secrets use provider and parameter columns: + +```csv +Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters. +Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters. +``` + +The store password uses the `Password` column. For a PAM-backed store password, use `Password.Provider` and `Password.Parameters.` columns. + +## References + +- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md) +- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md) +- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md) +- [kfutil stores import csv](../../../kfutil_stores_import_csv.md) +- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md) diff --git a/docs/use-cases/Certificate Store Operations/Store Types/hcvkvpem.md b/docs/use-cases/Certificate Store Operations/Store Types/hcvkvpem.md new file mode 100644 index 00000000..e3f06975 --- /dev/null +++ b/docs/use-cases/Certificate Store Operations/Store Types/hcvkvpem.md 
@@ -0,0 +1,116 @@ + +# HCVKVPEM - Hashicorp Vault Key-Value PEM + +[Store Type Index](README.md) | [Certificate Store Operations](../README.md) + +Generated from `cmd/store_types.json`. Regenerate with: + +```bash +make store-type-docs +``` + +## Overview + +| Field | Value | +| --- | --- | +| Store type | `HCVKVPEM` | +| Name | Hashicorp Vault Key-Value PEM | +| Capability | HCVKVPEM | +| Server required | Yes | +| Store path type | - | +| Store path value | - | +| Custom alias | Required | +| Private key | Optional | +| Store password | Optional; PAM eligible | +| Supported operations | Add, Create, Discovery, Remove | + +**ClientMachine:** This can be any value to help uniquely identify the store. It is not used by this integration. + +**StorePath:** This is the path after mount point where the certificates will be stored. + +## Bulk Create + +Use one CSV per store type. The generated create headers for this store type are: + +```csv +ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,Properties.SubfolderInventory,Properties.IncludeCertChain,Properties.MountPoint,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time +``` + +Create stores from the CSV: + +```bash +kfutil stores import csv \ + --file hcvkvpem_bulk_create.csv \ + --store-type-name HCVKVPEM \ + --no-prompt +``` + +To generate a live template from Command instead of using the static header list above: + +```bash +kfutil stores import generate-template \ + --store-type-name HCVKVPEM \ + --outpath hcvkvpem_bulk_create_template.csv \ + --no-prompt +``` + +## Bulk Update + +Export existing stores, edit the desired columns, then sync the rows back by `Id`: + +```bash +kfutil stores export \ + --store-type-name HCVKVPEM \ + --outpath hcvkvpem_export.csv \ + --no-prompt + +kfutil stores import csv \ + --file hcvkvpem_export.csv \ + --store-type-name 
HCVKVPEM \ + --sync \ + --no-prompt +``` + +Minimum sync rows must include `Id`. Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them. + +Common update headers for this store type are: + +```csv +Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,Properties.SubfolderInventory,Properties.IncludeCertChain,Properties.MountPoint,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time +``` + +## Store Properties + +| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description | +| --- | --- | --- | --- | --- | --- | --- | --- | +| `Properties.ServerUsername` | Server Username | Secret | Yes | - | - | Secret; PAM eligible | The base URI (and port) to the instance of Hashicorp Vault ex: https://localhost:8200 | +| `Properties.ServerPassword` | Server Password | Secret | Yes | - | - | Secret; PAM eligible | Vault token that will be used by the Orchestrator integration for authenticating and performing operations in the Vault instance | +| `Properties.SubfolderInventory` | Subfolder Inventory | Bool | No | false | - | No | Should certificates found in sub-paths be included when performing an inventory? | +| `Properties.IncludeCertChain` | Include Certificate Chain | Bool | No | false | - | No | Should the certificate chain be included when performing an enrollment? | +| `Properties.MountPoint` | Mount Point | String | No | - | - | No | The base mount point of the secrets engine. If using Vault Namespaces, include the namespace; ie. <namespace>/<mount point> | + +## Secret And PAM Formatting + +Direct secret values go in the base property column. If the secret value is JSON, keep the entire JSON document in one quoted CSV cell. 
+ +```csv +Properties.ServerUsername +Properties.ServerPassword +``` + +PAM-backed property secrets use provider and parameter columns: + +```csv +Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters. +Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters. +``` + +The store password uses the `Password` column. For a PAM-backed store password, use `Password.Provider` and `Password.Parameters.` columns. + +## References + +- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md) +- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md) +- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md) +- [kfutil stores import csv](../../../kfutil_stores_import_csv.md) +- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md) diff --git a/docs/use-cases/Certificate Store Operations/Store Types/hcvkvpfx.md b/docs/use-cases/Certificate Store Operations/Store Types/hcvkvpfx.md new file mode 100644 index 00000000..1d458ca4 --- /dev/null +++ b/docs/use-cases/Certificate Store Operations/Store Types/hcvkvpfx.md 
@@ -0,0 +1,116 @@ + +# HCVKVPFX - Hashicorp Vault Key-Value PFX + +[Store Type Index](README.md) | [Certificate Store Operations](../README.md) + +Generated from `cmd/store_types.json`. Regenerate with: + +```bash +make store-type-docs +``` + +## Overview + +| Field | Value | +| --- | --- | +| Store type | `HCVKVPFX` | +| Name | Hashicorp Vault Key-Value PFX | +| Capability | HCVKVPFX | +| Server required | Yes | +| Store path type | - | +| Store path value | example: '/mycerts/certstore.pfx?b64cert' | +| Custom alias | Required | +| Private key | Optional | +| Store password | Optional; PAM eligible | +| Supported operations | Add, Create, Discovery, Remove | + +**ClientMachine:** This can be any value to help uniquely identify the store. It is not used by this integration. + +**StorePath:** This is the path to the secret containing the store. + +## Bulk Create + +Use one CSV per store type. The generated create headers for this store type are: + +```csv +ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,Properties.IncludeCertChain,Properties.MountPoint,Properties.PassphrasePath,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time +``` + +Create stores from the CSV: + +```bash +kfutil stores import csv \ + --file hcvkvpfx_bulk_create.csv \ + --store-type-name HCVKVPFX \ + --no-prompt +``` + +To generate a live template from Command instead of using the static header list above: + +```bash +kfutil stores import generate-template \ + --store-type-name HCVKVPFX \ + --outpath hcvkvpfx_bulk_create_template.csv \ + --no-prompt +``` + +## Bulk Update + +Export existing stores, edit the desired columns, then sync the rows back by `Id`: + +```bash +kfutil stores export \ + --store-type-name HCVKVPFX \ + --outpath hcvkvpfx_export.csv \ + --no-prompt + +kfutil stores import csv \ + --file hcvkvpfx_export.csv \ + 
--store-type-name HCVKVPFX \ + --sync \ + --no-prompt +``` + +Minimum sync rows must include `Id`. Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them. + +Common update headers for this store type are: + +```csv +Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,Properties.IncludeCertChain,Properties.MountPoint,Properties.PassphrasePath,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time +``` + +## Store Properties + +| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description | +| --- | --- | --- | --- | --- | --- | --- | --- | +| `Properties.ServerUsername` | Server Username | Secret | Yes | - | - | Secret; PAM eligible | The base URI (and port) to the instance of Hashicorp Vault ex: https://localhost:8200 | +| `Properties.ServerPassword` | Server Password | Secret | Yes | - | - | Secret; PAM eligible | Vault token that will be used by the Orchestrator integration for authenticating and performing operations in the Vault instance | +| `Properties.IncludeCertChain` | Include Certificate Chain | Bool | No | false | - | No | Should the certificate chain be included when performing an enrollment? | +| `Properties.MountPoint` | Mount Point | String | No | - | - | No | The base mount point of the secrets engine. If using Vault Namespaces, include the namespace; ie. <namespace>/<mount point> | +| `Properties.PassphrasePath` | Passphrase Path | String | No | - | - | No | This is the path to the secret that contains the passphrase to the cert store file. If empty or omitted, assume the secret is named 'passphrase' on the same level as the certificate store secret. | + +## Secret And PAM Formatting + +Direct secret values go in the base property column. 
If the secret value is JSON, keep the entire JSON document in one quoted CSV cell. + +```csv +Properties.ServerUsername +Properties.ServerPassword +``` + +PAM-backed property secrets use provider and parameter columns: + +```csv +Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters. +Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters. +``` + +The store password uses the `Password` column. For a PAM-backed store password, use `Password.Provider` and `Password.Parameters.` columns. + +## References + +- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md) +- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md) +- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md) +- [kfutil stores import csv](../../../kfutil_stores_import_csv.md) +- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md) diff --git a/docs/use-cases/Certificate Store Operations/Store Types/hcvpki.md b/docs/use-cases/Certificate Store Operations/Store Types/hcvpki.md new file mode 100644 index 00000000..22bf6aa1 --- /dev/null +++ b/docs/use-cases/Certificate Store Operations/Store Types/hcvpki.md 
@@ -0,0 +1,115 @@ + +# HCVPKI - Hashicorp Vault PKI + +[Store Type Index](README.md) | [Certificate Store Operations](../README.md) + +Generated from `cmd/store_types.json`. Regenerate with: + +```bash +make store-type-docs +``` + +## Overview + +| Field | Value | +| --- | --- | +| Store type | `HCVPKI` | +| Name | Hashicorp Vault PKI | +| Capability | HCVPKI | +| Server required | Yes | +| Store path type | Fixed | +| Store path value | / | +| Custom alias | Forbidden | +| Private key | Forbidden | +| Store password | Optional; PAM eligible | +| Supported operations | None | + +**ClientMachine:** This can be any value to help uniquely identify the store. It is not used by this integration. + +**StorePath:** For HCVPKI, this will be '/' + +## Bulk Create + +Use one CSV per store type. The generated create headers for this store type are: + +```csv +ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,Properties.MountPoint,Properties.PassphrasePath,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time +``` + +Create stores from the CSV: + +```bash +kfutil stores import csv \ + --file hcvpki_bulk_create.csv \ + --store-type-name HCVPKI \ + --no-prompt +``` + +To generate a live template from Command instead of using the static header list above: + +```bash +kfutil stores import generate-template \ + --store-type-name HCVPKI \ + --outpath hcvpki_bulk_create_template.csv \ + --no-prompt +``` + +## Bulk Update + +Export existing stores, edit the desired columns, then sync the rows back by `Id`: + +```bash +kfutil stores export \ + --store-type-name HCVPKI \ + --outpath hcvpki_export.csv \ + --no-prompt + +kfutil stores import csv \ + --file hcvpki_export.csv \ + --store-type-name HCVPKI \ + --sync \ + --no-prompt +``` + +Minimum sync rows must include `Id`. 
Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them. + +Common update headers for this store type are: + +```csv +Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,Properties.MountPoint,Properties.PassphrasePath,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time +``` + +## Store Properties + +| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description | +| --- | --- | --- | --- | --- | --- | --- | --- | +| `Properties.ServerUsername` | Server Username | Secret | Yes | - | - | Secret; PAM eligible | The base URI (and port) to the instance of Hashicorp Vault ex: https://localhost:8200 | +| `Properties.ServerPassword` | Server Password | Secret | Yes | - | - | Secret; PAM eligible | Vault token that will be used by the Orchestrator integration for authenticating and performing operations in the Vault instance | +| `Properties.MountPoint` | Mount Point | String | Yes | - | - | No | This is the mount point of the instance of the PKI or Keyfactor secrets engine plugin. If using enterprise namespaces: <namespace>/<mount point> | +| `Properties.PassphrasePath` | Passphrase Path | String | No | - | - | No | This is the path to the secret that contains the passphrase to the cert store file. If empty or omitted, assume the secret is named 'passphrase' on the same level as the certificate store secret. | + +## Secret And PAM Formatting + +Direct secret values go in the base property column. If the secret value is JSON, keep the entire JSON document in one quoted CSV cell. + +```csv +Properties.ServerUsername +Properties.ServerPassword +``` + +PAM-backed property secrets use provider and parameter columns: + +```csv +Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters. 
+Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters. +``` + +The store password uses the `Password` column. For a PAM-backed store password, use `Password.Provider` and `Password.Parameters.` columns. + +## References + +- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md) +- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md) +- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md) +- [kfutil stores import csv](../../../kfutil_stores_import_csv.md) +- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md) diff --git a/docs/use-cases/Certificate Store Operations/Store Types/hpilo.md b/docs/use-cases/Certificate Store Operations/Store Types/hpilo.md new file mode 100644 index 00000000..fdca7ab8 --- /dev/null +++ b/docs/use-cases/Certificate Store Operations/Store Types/hpilo.md 
@@ -0,0 +1,104 @@ + +# HPiLO - HP iLO Cert Store + +[Store Type Index](README.md) | [Certificate Store Operations](../README.md) + +Generated from `cmd/store_types.json`. Regenerate with: + +```bash +make store-type-docs +``` + +## Overview + +| Field | Value | +| --- | --- | +| Store type | `HPiLO` | +| Name | HP iLO Cert Store | +| Capability | HPiLO | +| Server required | Yes | +| Store path type | - | +| Store path value | - | +| Custom alias | Required | +| Private key | Required | +| Store password | Not required | +| Supported operations | Add, Enrollment, Remove | + +**ClientMachine:** Currently unused. + +**StorePath:** This should contain the full URI pointing to the HPiLO instance, using IP (e.g. `https://10.1.1.1/`) or domain name (e.g. `https://hpilo.test.local/`). The orchestrator will connect to the iLO instance using the iLO API. + +## Bulk Create + +Use one CSV per store type. The generated create headers for this store type are: + +```csv +ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.InventoryAll,Properties.IgnoreValidation,Properties.HTTPSCertWaitTime,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time +``` + +Create stores from the CSV: + +```bash +kfutil stores import csv \ + --file hpilo_bulk_create.csv \ + --store-type-name HPiLO \ + --no-prompt +``` + +To generate a live template from Command instead of using the static header list above: + +```bash +kfutil stores import generate-template \ + --store-type-name HPiLO \ + --outpath hpilo_bulk_create_template.csv \ + --no-prompt +``` + +## Bulk Update + +Export existing stores, edit the desired columns, then sync the rows back by `Id`: + +```bash +kfutil stores export \ + --store-type-name HPiLO \ + --outpath hpilo_export.csv \ + --no-prompt + +kfutil stores import csv \ + --file hpilo_export.csv \ + --store-type-name HPiLO \ + --sync \ + --no-prompt +``` + +Minimum sync 
rows must include `Id`. Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them. + +Common update headers for this store type are: + +```csv +Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.InventoryAll,Properties.IgnoreValidation,Properties.HTTPSCertWaitTime,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time +``` + +## Store Properties + +| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description | +| --- | --- | --- | --- | --- | --- | --- | --- | +| `Properties.InventoryAll` | InventoryAll | Bool | Yes | false | - | No | If true, allows for inventory of additional factory-installed certificates and their chains: `Platform Cert`,`SystemIAK`,`SystemIDevID`, `iLOIDevID/BMCIDevIDPCA` | +| `Properties.IgnoreValidation` | IgnoreValidation | Bool | Yes | false | - | No | WARNING: Only enable if testing. Used to disable certificate validation checks at the API endpoint. Should be set to false in any production scenario. | +| `Properties.HTTPSCertWaitTime` | HTTPS Cert Wait Time | String | Yes | 60 | - | No | The HPiLO API requires the user to wait while the HTTPS Cert CSR is generated. HP suggests a time of 60 seconds, as is the default setting, but it can be adjusted. | + +## Certificate Entry Parameters + +These parameters apply to certificate add/enrollment operations for this store type. They are not store create/sync CSV columns unless another workflow explicitly asks for them. + +| Name | Display name | Type | Required when | Default | Depends on | Description | +| --- | --- | --- | --- | --- | --- | --- | +| `IncludeIP` | IncludeIP | Bool | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":true,"OnRemove":false} | false | - | Enables the addition of the device IP as a SAN to the CSR during reenrollment. 
Used particularly during HTTPSCert reenrollment, where it can be set as desired, and should be set to false during all other operations. | + +## References + +- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md) +- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md) +- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md) +- [kfutil stores import csv](../../../kfutil_stores_import_csv.md) +- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md) diff --git a/docs/use-cases/Certificate Store Operations/Store Types/idrac.md b/docs/use-cases/Certificate Store Operations/Store Types/idrac.md new file mode 100644 index 00000000..5b70933e --- /dev/null +++ b/docs/use-cases/Certificate Store Operations/Store Types/idrac.md 
@@ -0,0 +1,111 @@ + +# iDRAC - iDRAC + +[Store Type Index](README.md) | [Certificate Store Operations](../README.md) + +Generated from `cmd/store_types.json`. Regenerate with: + +```bash +make store-type-docs +``` + +## Overview + +| Field | Value | +| --- | --- | +| Store type | `iDRAC` | +| Name | iDRAC | +| Capability | iDRAC | +| Server required | Yes | +| Store path type | - | +| Store path value | - | +| Custom alias | Forbidden | +| Private key | Required | +| Store password | Not required | +| Supported operations | Add | + +**ClientMachine:** The IP address of the iDRAC instance being managed. + +**StorePath:** Enter the full path where the Racadm executable is installed on the orchestrator server. See [Requirements & Prerequisites](#requirements--prerequisites) above for more details. + +## Bulk Create + +Use one CSV per store type. The generated create headers for this store type are: + +```csv +ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time +``` + +Create stores from the CSV: + +```bash +kfutil stores import csv \ + --file idrac_bulk_create.csv \ + --store-type-name iDRAC \ + --no-prompt +``` + +To generate a live template from Command instead of using the static header list above: + +```bash +kfutil stores import generate-template \ + --store-type-name iDRAC \ + --outpath idrac_bulk_create_template.csv \ + --no-prompt +``` + +## Bulk Update + +Export existing stores, edit the desired columns, then sync the rows back by `Id`: + +```bash +kfutil stores export \ + --store-type-name iDRAC \ + --outpath idrac_export.csv \ + --no-prompt + +kfutil stores import csv \ + --file idrac_export.csv \ + --store-type-name iDRAC \ + --sync \ + --no-prompt +``` + +Minimum sync rows must include `Id`. 
Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them. + +Common update headers for this store type are: + +```csv +Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time +``` + +## Store Properties + +| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description | +| --- | --- | --- | --- | --- | --- | --- | --- | +| `Properties.ServerUsername` | Server Username | Secret | Yes | - | - | Secret; PAM eligible | The user ID (or, if using a PAM provider, the key pointing to the user ID) to log into the iDRAC instance being managed. | +| `Properties.ServerPassword` | Server Password | Secret | Yes | - | - | Secret; PAM eligible | The password (or, if using a PAM provider, the key pointing to the password) for the user ID above. | + +## Secret And PAM Formatting + +Direct secret values go in the base property column. If the secret value is JSON, keep the entire JSON document in one quoted CSV cell. + +```csv +Properties.ServerUsername +Properties.ServerPassword +``` + +PAM-backed property secrets use provider and parameter columns: + +```csv +Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters. +Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters. +``` + +## References + +- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md) +- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md) +- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md) +- [kfutil stores import csv](../../../kfutil_stores_import_csv.md) +- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md) 
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/iisu.md b/docs/use-cases/Certificate Store Operations/Store Types/iisu.md new file mode 100644 index 00000000..a5cbd2be --- /dev/null +++ b/docs/use-cases/Certificate Store Operations/Store Types/iisu.md 
@@ -0,0 +1,129 @@ + +# IISU - IIS Bound Certificate + +[Store Type Index](README.md) | [Certificate Store Operations](../README.md) + +Generated from `cmd/store_types.json`. Regenerate with: + +```bash +make store-type-docs +``` + +## Overview + +| Field | Value | +| --- | --- | +| Store type | `IISU` | +| Name | IIS Bound Certificate | +| Capability | IISU | +| Server required | Yes | +| Store path type | - | +| Store path value | ["My","WebHosting"] | +| Custom alias | Forbidden | +| Private key | Required | +| Store password | Not required | +| Supported operations | Add, Enrollment, Remove | + +**ClientMachine:** Hostname of the Windows Server containing the IIS certificate store to be managed. If this value is a hostname, a WinRM session will be established using the credentials specified in the Server Username and Server Password fields. For more information, see [Client Machine](#note-regarding-client-machine). + +**StorePath:** Windows certificate store path to manage. Choose 'My' for the Personal store or 'WebHosting' for the Web Hosting store. + +## Bulk Create + +Use one CSV per store type. 
The generated create headers for this store type are: + +```csv +ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.spnwithport,Properties.WinRM Protocol,Properties.WinRM Port,Properties.ServerUsername,Properties.ServerPassword,Properties.ServerUseSsl,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time +``` + +Create stores from the CSV: + +```bash +kfutil stores import csv \ + --file iisu_bulk_create.csv \ + --store-type-name IISU \ + --no-prompt +``` + +To generate a live template from Command instead of using the static header list above: + +```bash +kfutil stores import generate-template \ + --store-type-name IISU \ + --outpath iisu_bulk_create_template.csv \ + --no-prompt +``` + +## Bulk Update + +Export existing stores, edit the desired columns, then sync the rows back by `Id`: + +```bash +kfutil stores export \ + --store-type-name IISU \ + --outpath iisu_export.csv \ + --no-prompt + +kfutil stores import csv \ + --file iisu_export.csv \ + --store-type-name IISU \ + --sync \ + --no-prompt +``` + +Minimum sync rows must include `Id`. Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them. 
+ +Common update headers for this store type are: + +```csv +Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.spnwithport,Properties.WinRM Protocol,Properties.WinRM Port,Properties.ServerUsername,Properties.ServerPassword,Properties.ServerUseSsl,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time +``` + +## Store Properties + +| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description | +| --- | --- | --- | --- | --- | --- | --- | --- | +| `Properties.spnwithport` | SPN With Port | Bool | No | false | - | No | Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations. | +| `Properties.WinRM Protocol` | WinRM Protocol | MultipleChoice | Yes | https,http,ssh | - | No | Multiple choice value specifying which protocol to use. Protocols https or http use WinRM to connect from Windows to Windows Servers. Using ssh is only supported when running the orchestrator in a Linux environment. | +| `Properties.WinRM Port` | WinRM Port | String | Yes | 5986 | - | No | String value specifying the port number that the Windows target server's WinRM listener is configured to use. Example: '5986' for HTTPS or '5985' for HTTP. By default, when using ssh in a Linux environment, the default port number is 22. | +| `Properties.ServerUsername` | Server Username | Secret | No | - | - | Secret | Username used to log into the target server for establishing the WinRM session. Example: 'administrator' or 'domain\username'. (This field is automatically created) | +| `Properties.ServerPassword` | Server Password | Secret | No | - | - | Secret | Password corresponding to the Server Username used to log into the target server. When establishing a SSH session from a Linux environment, the password must include the full SSH Private key. 
(This field is automatically created) | +| `Properties.ServerUseSsl` | Use SSL | Bool | Yes | true | - | No | Determine whether the server uses SSL or not (This field is automatically created) | + +## Certificate Entry Parameters + +These parameters apply to certificate add/enrollment operations for this store type. They are not store create/sync CSV columns unless another workflow explicitly asks for them. + +| Name | Display name | Type | Required when | Default | Depends on | Description | +| --- | --- | --- | --- | --- | --- | --- | +| `Port` | Port | String | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":false,"OnRemove":false} | 443 | - | String value specifying the IP port to bind the certificate to for the IIS site. Example: '443' for HTTPS. | +| `IPAddress` | IP Address | String | {"HasPrivateKey":false,"OnAdd":true,"OnReenrollment":true,"OnRemove":true} | * | - | String value specifying the IP address to bind the certificate to for the IIS site. Example: '*' for all IP addresses or '192.168.1.1' for a specific IP address. | +| `HostName` | Host Name | String | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":false,"OnRemove":false} | - | - | String value specifying the host name (host header) to bind the certificate to for the IIS site. Leave blank for all host names or enter a specific hostname such as 'www.example.com'. | +| `SiteName` | IIS Site Name | String | {"HasPrivateKey":false,"OnAdd":true,"OnReenrollment":true,"OnRemove":true} | Default Web Site | - | String value specifying the name of the IIS web site to bind the certificate to. Example: 'Default Web Site' or any custom site name such as 'MyWebsite'. | +| `SniFlag` | SSL Flags | String | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":false,"OnRemove":false} | 0 | - | A 128-Bit Flag that determines what type of SSL settings you wish to use. The default is 0, meaning No SNI. For more information, check IIS documentation for the appropriate bit setting.) 
| +| `Protocol` | Protocol | MultipleChoice | {"HasPrivateKey":false,"OnAdd":true,"OnReenrollment":true,"OnRemove":true} | https | - | Multiple choice value specifying the protocol to bind to. Example: 'https' for secure communication. | +| `ProviderName` | Crypto Provider Name | String | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":false,"OnRemove":false} | - | - | Name of the Windows cryptographic service provider to use when generating and storing private keys. For more information, refer to the section 'Using Crypto Service Providers' | + +## Secret And PAM Formatting + +Direct secret values go in the base property column. If the secret value is JSON, keep the entire JSON document in one quoted CSV cell. + +```csv +Properties.ServerUsername +Properties.ServerPassword +``` + +PAM-backed property secrets use provider and parameter columns: + +```csv +Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters. +Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters. +``` + +## References + +- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md) +- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md) +- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md) +- [kfutil stores import csv](../../../kfutil_stores_import_csv.md) +- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md) diff --git a/docs/use-cases/Certificate Store Operations/Store Types/imperva.md b/docs/use-cases/Certificate Store Operations/Store Types/imperva.md new file mode 100644 index 00000000..d857d0e2 --- /dev/null +++ b/docs/use-cases/Certificate Store Operations/Store Types/imperva.md 
@@ -0,0 +1,96 @@ + +# Imperva - Imperva + +[Store Type Index](README.md) | [Certificate Store Operations](../README.md) + +Generated from `cmd/store_types.json`. Regenerate with: + +```bash +make store-type-docs +``` + +## Overview + +| Field | Value | +| --- | --- | +| Store type | `Imperva` | +| Name | Imperva | +| Capability | Imperva | +| Server required | No | +| Store path type | - | +| Store path value | - | +| Custom alias | Required | +| Private key | Required | +| Store password | Required; PAM eligible | +| Supported operations | Add, Remove | + +**ClientMachine:** The URL that will be used as the base URL for Imperva endpoint calls. Should be https://my.imperva.com + +**StorePath:** Your Imperva account id. Please refer to the [Imperva documentation](https://docs.imperva.com/howto/bd68301b) as to how to find your Imperva account id. + +## Bulk Create + +Use one CSV per store type. The generated create headers for this store type are: + +```csv +ContainerId,ClientMachine,StorePath,CreateIfMissing,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time,Password +``` + +Create stores from the CSV: + +```bash +kfutil stores import csv \ + --file imperva_bulk_create.csv \ + --store-type-name Imperva \ + --no-prompt +``` + +To generate a live template from Command instead of using the static header list above: + +```bash +kfutil stores import generate-template \ + --store-type-name Imperva \ + --outpath imperva_bulk_create_template.csv \ + --no-prompt +``` + +## Bulk Update + +Export existing stores, edit the desired columns, then sync the rows back by `Id`: + +```bash +kfutil stores export \ + --store-type-name Imperva \ + --outpath imperva_export.csv \ + --no-prompt + +kfutil stores import csv \ + --file imperva_export.csv \ + --store-type-name Imperva \ + --sync \ + --no-prompt +``` + +Minimum sync rows must include `Id`. 
Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them. + +Common update headers for this store type are: + +```csv +Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time,Password +``` + +## Store Properties + +This store type does not define additional `Properties.*` CSV columns. + +## Secret And PAM Formatting + +The store password uses the `Password` column. For a PAM-backed store password, use `Password.Provider` and `Password.Parameters.` columns. + +## References + +- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md) +- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md) +- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md) +- [kfutil stores import csv](../../../kfutil_stores_import_csv.md) +- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md) diff --git a/docs/use-cases/Certificate Store Operations/Store Types/k8scert.md b/docs/use-cases/Certificate Store Operations/Store Types/k8scert.md new file mode 100644 index 00000000..17ff896e --- /dev/null +++ b/docs/use-cases/Certificate Store Operations/Store Types/k8scert.md 
@@ -0,0 +1,110 @@ + +# K8SCert - K8SCert + +[Store Type Index](README.md) | [Certificate Store Operations](../README.md) + +Generated from `cmd/store_types.json`. Regenerate with: + +```bash +make store-type-docs +``` + +## Overview + +| Field | Value | +| --- | --- | +| Store type | `K8SCert` | +| Name | K8SCert | +| Capability | K8SCert | +| Server required | Yes | +| Store path type | - | +| Store path value | - | +| Custom alias | Forbidden | +| Private key | Forbidden | +| Store password | Not required | +| Supported operations | Discovery | + +**ClientMachine:** The Kubernetes cluster name or identifier. + +## Bulk Create + +Use one CSV per store type. The generated create headers for this store type are: + +```csv +ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,Properties.KubeSecretName,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time +``` + +Create stores from the CSV: + +```bash +kfutil stores import csv \ + --file k8scert_bulk_create.csv \ + --store-type-name K8SCert \ + --no-prompt +``` + +To generate a live template from Command instead of using the static header list above: + +```bash +kfutil stores import generate-template \ + --store-type-name K8SCert \ + --outpath k8scert_bulk_create_template.csv \ + --no-prompt +``` + +## Bulk Update + +Export existing stores, edit the desired columns, then sync the rows back by `Id`: + +```bash +kfutil stores export \ + --store-type-name K8SCert \ + --outpath k8scert_export.csv \ + --no-prompt + +kfutil stores import csv \ + --file k8scert_export.csv \ + --store-type-name K8SCert \ + --sync \ + --no-prompt +``` + +Minimum sync rows must include `Id`. Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them. 
+ +Common update headers for this store type are: + +```csv +Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,Properties.KubeSecretName,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time +``` + +## Store Properties + +| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description | +| --- | --- | --- | --- | --- | --- | --- | --- | +| `Properties.ServerUsername` | Server Username | Secret | No | - | - | Secret | This should be no value or `kubeconfig` | +| `Properties.ServerPassword` | Server Password | Secret | Yes | - | - | Secret | The credentials to use to connect to the K8S cluster API. This needs to be in `kubeconfig` format. Example: https://github.com/Keyfactor/k8s-orchestrator/tree/main/scripts/kubernetes#example-service-account-json | +| `Properties.KubeSecretName` | KubeSecretName | String | No | - | - | No | The name of a specific CSR to inventory. Leave empty or set to '*' to inventory ALL issued CSRs in the cluster. | + +## Secret And PAM Formatting + +Direct secret values go in the base property column. If the secret value is JSON, keep the entire JSON document in one quoted CSV cell. + +```csv +Properties.ServerUsername +Properties.ServerPassword +``` + +PAM-backed property secrets use provider and parameter columns: + +```csv +Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters. +Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters. 
+``` + +## References + +- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md) +- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md) +- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md) +- [kfutil stores import csv](../../../kfutil_stores_import_csv.md) +- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md) diff --git a/docs/use-cases/Certificate Store Operations/Store Types/k8scluster.md b/docs/use-cases/Certificate Store Operations/Store Types/k8scluster.md new file mode 100644 index 00000000..03659699 --- /dev/null +++ b/docs/use-cases/Certificate Store Operations/Store Types/k8scluster.md 
@@ -0,0 +1,111 @@ + +# K8SCluster - K8SCluster + +[Store Type Index](README.md) | [Certificate Store Operations](../README.md) + +Generated from `cmd/store_types.json`. Regenerate with: + +```bash +make store-type-docs +``` + +## Overview + +| Field | Value | +| --- | --- | +| Store type | `K8SCluster` | +| Name | K8SCluster | +| Capability | K8SCluster | +| Server required | Yes | +| Store path type | - | +| Store path value | - | +| Custom alias | Required | +| Private key | Optional | +| Store password | Not required | +| Supported operations | Add, Create, Remove | + +**ClientMachine:** This can be anything useful, recommend using the k8s cluster name or identifier. + +## Bulk Create + +Use one CSV per store type. The generated create headers for this store type are: + +```csv +ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.IncludeCertChain,Properties.SeparateChain,Properties.ServerUsername,Properties.ServerPassword,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time +``` + +Create stores from the CSV: + +```bash +kfutil stores import csv \ + --file k8scluster_bulk_create.csv \ + --store-type-name K8SCluster \ + --no-prompt +``` + +To generate a live template from Command instead of using the static header list above: + +```bash +kfutil stores import generate-template \ + --store-type-name K8SCluster \ + --outpath k8scluster_bulk_create_template.csv \ + --no-prompt +``` + +## Bulk Update + +Export existing stores, edit the desired columns, then sync the rows back by `Id`: + +```bash +kfutil stores export \ + --store-type-name K8SCluster \ + --outpath k8scluster_export.csv \ + --no-prompt + +kfutil stores import csv \ + --file k8scluster_export.csv \ + --store-type-name K8SCluster \ + --sync \ + --no-prompt +``` + +Minimum sync rows must include `Id`. 
Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them. + +Common update headers for this store type are: + +```csv +Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.IncludeCertChain,Properties.SeparateChain,Properties.ServerUsername,Properties.ServerPassword,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time +``` + +## Store Properties + +| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description | +| --- | --- | --- | --- | --- | --- | --- | --- | +| `Properties.IncludeCertChain` | Include Certificate Chain | Bool | No | true | - | No | Will default to `true` if not set. If set to `false` only the leaf cert will be deployed. Note: If the certificate in Keyfactor Command does not have a private key, it will be sent in DER format (leaf certificate only), and the chain cannot be included regardless of this setting. | +| `Properties.SeparateChain` | Separate Chain | Bool | No | false | - | No | Will default to `false` if not set. Set this to `true` if you want to deploy certificate chain to the `ca.crt` field for Opaque and tls secrets. | +| `Properties.ServerUsername` | Server Username | Secret | No | - | - | Secret | This should be no value or `kubeconfig` | +| `Properties.ServerPassword` | Server Password | Secret | No | - | - | Secret | The credentials to use to connect to the K8S cluster API. This needs to be in `kubeconfig` format. Example: https://github.com/Keyfactor/k8s-orchestrator/tree/main/scripts/kubernetes#example-service-account-json | + +## Secret And PAM Formatting + +Direct secret values go in the base property column. If the secret value is JSON, keep the entire JSON document in one quoted CSV cell. 
+ +```csv +Properties.ServerUsername +Properties.ServerPassword +``` + +PAM-backed property secrets use provider and parameter columns: + +```csv +Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters. +Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters. +``` + +## References + +- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md) +- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md) +- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md) +- [kfutil stores import csv](../../../kfutil_stores_import_csv.md) +- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md) diff --git a/docs/use-cases/Certificate Store Operations/Store Types/k8sjks.md b/docs/use-cases/Certificate Store Operations/Store Types/k8sjks.md new file mode 100644 index 00000000..c6a08601 --- /dev/null +++ b/docs/use-cases/Certificate Store Operations/Store Types/k8sjks.md 
@@ -0,0 +1,117 @@ + +# K8SJKS - K8SJKS + +[Store Type Index](README.md) | [Certificate Store Operations](../README.md) + +Generated from `cmd/store_types.json`. Regenerate with: + +```bash +make store-type-docs +``` + +## Overview + +| Field | Value | +| --- | --- | +| Store type | `K8SJKS` | +| Name | K8SJKS | +| Capability | K8SJKS | +| Server required | Yes | +| Store path type | - | +| Store path value | - | +| Custom alias | Required | +| Private key | Optional | +| Store password | Required | +| Supported operations | Add, Create, Discovery, Remove | + +**ClientMachine:** This can be anything useful, recommend using the k8s cluster name or identifier. + +## Bulk Create + +Use one CSV per store type. The generated create headers for this store type are: + +```csv +ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.KubeNamespace,Properties.KubeSecretName,Properties.KubeSecretType,Properties.CertificateDataFieldName,Properties.PasswordFieldName,Properties.PasswordIsK8SSecret,Properties.IncludeCertChain,Properties.StorePasswordPath,Properties.ServerUsername,Properties.ServerPassword,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time,Password +``` + +Create stores from the CSV: + +```bash +kfutil stores import csv \ + --file k8sjks_bulk_create.csv \ + --store-type-name K8SJKS \ + --no-prompt +``` + +To generate a live template from Command instead of using the static header list above: + +```bash +kfutil stores import generate-template \ + --store-type-name K8SJKS \ + --outpath k8sjks_bulk_create_template.csv \ + --no-prompt +``` + +## Bulk Update + +Export existing stores, edit the desired columns, then sync the rows back by `Id`: + +```bash +kfutil stores export \ + --store-type-name K8SJKS \ + --outpath k8sjks_export.csv \ + --no-prompt + +kfutil stores import csv \ + --file k8sjks_export.csv \ + --store-type-name K8SJKS \ + --sync \ + 
--no-prompt +``` + +Minimum sync rows must include `Id`. Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them. + +Common update headers for this store type are: + +```csv +Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.KubeNamespace,Properties.KubeSecretName,Properties.KubeSecretType,Properties.CertificateDataFieldName,Properties.PasswordFieldName,Properties.PasswordIsK8SSecret,Properties.IncludeCertChain,Properties.StorePasswordPath,Properties.ServerUsername,Properties.ServerPassword,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time,Password +``` + +## Store Properties + +| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description | +| --- | --- | --- | --- | --- | --- | --- | --- | +| `Properties.KubeNamespace` | KubeNamespace | String | No | default | - | No | The K8S namespace to use to manage the K8S secret object. | +| `Properties.KubeSecretName` | KubeSecretName | String | No | - | - | No | The name of the K8S secret object. | +| `Properties.KubeSecretType` | KubeSecretType | String | No | jks | - | No | DEPRECATED: This property is deprecated and will be removed in a future release. The secret type is now automatically derived from the store type. This defaults to and must be `jks`. | +| `Properties.CertificateDataFieldName` | CertificateDataFieldName | String | No | - | - | No | The field name to use when looking for certificate data in the K8S secret. | +| `Properties.PasswordFieldName` | PasswordFieldName | String | No | password | - | No | The field name to use when looking for the JKS keystore password in the K8S secret. This is either the field name to look at on the same secret, or if `PasswordIsK8SSecret` is set to `true`, the field name to look at on the secret specified in `StorePasswordPath`. 
| +| `Properties.PasswordIsK8SSecret` | PasswordIsK8SSecret | Bool | No | false | - | No | Indicates whether the password to the JKS keystore is stored in a separate K8S secret. | +| `Properties.IncludeCertChain` | Include Certificate Chain | Bool | No | true | - | No | Will default to `true` if not set. If set to `false` only the leaf cert will be deployed. Note: If the certificate in Keyfactor Command does not have a private key, it will be sent in DER format (leaf certificate only), and the chain cannot be included regardless of this setting. | +| `Properties.StorePasswordPath` | StorePasswordPath | String | No | - | - | No | The path to the K8S secret object to use as the password to the JKS keystore. Example: `<namespace>/<secret_name>` | +| `Properties.ServerUsername` | Server Username | Secret | No | - | - | Secret | This should be no value or `kubeconfig` | +| `Properties.ServerPassword` | Server Password | Secret | No | - | - | Secret | The credentials to use to connect to the K8S cluster API. This needs to be in `kubeconfig` format. Example: https://github.com/Keyfactor/k8s-orchestrator/tree/main/scripts/kubernetes#example-service-account-json | + +## Secret And PAM Formatting + +Direct secret values go in the base property column. If the secret value is JSON, keep the entire JSON document in one quoted CSV cell. + +```csv +Properties.ServerUsername +Properties.ServerPassword +``` + +PAM-backed property secrets use provider and parameter columns: + +```csv +Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters. +Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters. 
+``` + +## References + +- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md) +- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md) +- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md) +- [kfutil stores import csv](../../../kfutil_stores_import_csv.md) +- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md) diff --git a/docs/use-cases/Certificate Store Operations/Store Types/k8sns.md b/docs/use-cases/Certificate Store Operations/Store Types/k8sns.md new file mode 100644 index 00000000..e0b1a3de --- /dev/null +++ b/docs/use-cases/Certificate Store Operations/Store Types/k8sns.md 
@@ -0,0 +1,112 @@ + +# K8SNS - K8SNS + +[Store Type Index](README.md) | [Certificate Store Operations](../README.md) + +Generated from `cmd/store_types.json`. Regenerate with: + +```bash +make store-type-docs +``` + +## Overview + +| Field | Value | +| --- | --- | +| Store type | `K8SNS` | +| Name | K8SNS | +| Capability | K8SNS | +| Server required | Yes | +| Store path type | - | +| Store path value | - | +| Custom alias | Required | +| Private key | Optional | +| Store password | Not required | +| Supported operations | Add, Create, Discovery, Remove | + +**ClientMachine:** This can be anything useful, recommend using the k8s cluster name or identifier. + +## Bulk Create + +Use one CSV per store type. The generated create headers for this store type are: + +```csv +ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.KubeNamespace,Properties.IncludeCertChain,Properties.SeparateChain,Properties.ServerUsername,Properties.ServerPassword,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time +``` + +Create stores from the CSV: + +```bash +kfutil stores import csv \ + --file k8sns_bulk_create.csv \ + --store-type-name K8SNS \ + --no-prompt +``` + +To generate a live template from Command instead of using the static header list above: + +```bash +kfutil stores import generate-template \ + --store-type-name K8SNS \ + --outpath k8sns_bulk_create_template.csv \ + --no-prompt +``` + +## Bulk Update + +Export existing stores, edit the desired columns, then sync the rows back by `Id`: + +```bash +kfutil stores export \ + --store-type-name K8SNS \ + --outpath k8sns_export.csv \ + --no-prompt + +kfutil stores import csv \ + --file k8sns_export.csv \ + --store-type-name K8SNS \ + --sync \ + --no-prompt +``` + +Minimum sync rows must include `Id`. 
Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them. + +Common update headers for this store type are: + +```csv +Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.KubeNamespace,Properties.IncludeCertChain,Properties.SeparateChain,Properties.ServerUsername,Properties.ServerPassword,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time +``` + +## Store Properties + +| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description | +| --- | --- | --- | --- | --- | --- | --- | --- | +| `Properties.KubeNamespace` | Kube Namespace | String | No | default | - | No | The K8S namespace to use to manage the K8S secret object. | +| `Properties.IncludeCertChain` | Include Certificate Chain | Bool | No | true | - | No | Will default to `true` if not set. If set to `false` only the leaf cert will be deployed. Note: If the certificate in Keyfactor Command does not have a private key, it will be sent in DER format (leaf certificate only), and the chain cannot be included regardless of this setting. | +| `Properties.SeparateChain` | Separate Chain | Bool | No | false | - | No | Will default to `false` if not set. Set this to `true` if you want to deploy certificate chain to the `ca.crt` field for Opaque and tls secrets. | +| `Properties.ServerUsername` | Server Username | Secret | No | - | - | Secret | This should be no value or `kubeconfig` | +| `Properties.ServerPassword` | Server Password | Secret | No | - | - | Secret | The credentials to use to connect to the K8S cluster API. This needs to be in `kubeconfig` format. Example: https://github.com/Keyfactor/k8s-orchestrator/tree/main/scripts/kubernetes#example-service-account-json | + +## Secret And PAM Formatting + +Direct secret values go in the base property column. 
If the secret value is JSON, keep the entire JSON document in one quoted CSV cell. + +```csv +Properties.ServerUsername +Properties.ServerPassword +``` + +PAM-backed property secrets use provider and parameter columns: + +```csv +Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters. +Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters. +``` + +## References + +- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md) +- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md) +- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md) +- [kfutil stores import csv](../../../kfutil_stores_import_csv.md) +- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md) diff --git a/docs/use-cases/Certificate Store Operations/Store Types/k8spkcs12.md b/docs/use-cases/Certificate Store Operations/Store Types/k8spkcs12.md new file mode 100644 index 00000000..544a7d53 --- /dev/null +++ b/docs/use-cases/Certificate Store Operations/Store Types/k8spkcs12.md 
@@ -0,0 +1,117 @@ + +# K8SPKCS12 - K8SPKCS12 + +[Store Type Index](README.md) | [Certificate Store Operations](../README.md) + +Generated from `cmd/store_types.json`. Regenerate with: + +```bash +make store-type-docs +``` + +## Overview + +| Field | Value | +| --- | --- | +| Store type | `K8SPKCS12` | +| Name | K8SPKCS12 | +| Capability | K8SPKCS12 | +| Server required | Yes | +| Store path type | - | +| Store path value | - | +| Custom alias | Required | +| Private key | Optional | +| Store password | Required | +| Supported operations | Add, Create, Discovery, Remove | + +**ClientMachine:** This can be anything useful, recommend using the k8s cluster name or identifier. + +## Bulk Create + +Use one CSV per store type. The generated create headers for this store type are: + +```csv +ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.IncludeCertChain,Properties.CertificateDataFieldName,Properties.PasswordFieldName,Properties.PasswordIsK8SSecret,Properties.KubeNamespace,Properties.KubeSecretName,Properties.ServerUsername,Properties.ServerPassword,Properties.KubeSecretType,Properties.StorePasswordPath,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time,Password +``` + +Create stores from the CSV: + +```bash +kfutil stores import csv \ + --file k8spkcs12_bulk_create.csv \ + --store-type-name K8SPKCS12 \ + --no-prompt +``` + +To generate a live template from Command instead of using the static header list above: + +```bash +kfutil stores import generate-template \ + --store-type-name K8SPKCS12 \ + --outpath k8spkcs12_bulk_create_template.csv \ + --no-prompt +``` + +## Bulk Update + +Export existing stores, edit the desired columns, then sync the rows back by `Id`: + +```bash +kfutil stores export \ + --store-type-name K8SPKCS12 \ + --outpath k8spkcs12_export.csv \ + --no-prompt + +kfutil stores import csv \ + --file k8spkcs12_export.csv \ + 
--store-type-name K8SPKCS12 \ + --sync \ + --no-prompt +``` + +Minimum sync rows must include `Id`. Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them. + +Common update headers for this store type are: + +```csv +Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.IncludeCertChain,Properties.CertificateDataFieldName,Properties.PasswordFieldName,Properties.PasswordIsK8SSecret,Properties.KubeNamespace,Properties.KubeSecretName,Properties.ServerUsername,Properties.ServerPassword,Properties.KubeSecretType,Properties.StorePasswordPath,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time,Password +``` + +## Store Properties + +| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description | +| --- | --- | --- | --- | --- | --- | --- | --- | +| `Properties.IncludeCertChain` | Include Certificate Chain | Bool | No | true | - | No | Will default to `true` if not set. If set to `false` only the leaf cert will be deployed. Note: If the certificate in Keyfactor Command does not have a private key, it will be sent in DER format (leaf certificate only), and the chain cannot be included regardless of this setting. | +| `Properties.CertificateDataFieldName` | CertificateDataFieldName | String | Yes | .p12 | - | No | - | +| `Properties.PasswordFieldName` | Password Field Name | String | No | password | - | No | The field name to use when looking for the PKCS12 keystore password in the K8S secret. This is either the field name to look at on the same secret, or if `PasswordIsK8SSecret` is set to `true`, the field name to look at on the secret specified in `StorePasswordPath`. 
| +| `Properties.PasswordIsK8SSecret` | Password Is K8S Secret | Bool | No | false | - | No | Indicates whether the password to the PKCS12 keystore is stored in a separate K8S secret object. | +| `Properties.KubeNamespace` | Kube Namespace | String | No | default | - | No | The K8S namespace to use to manage the K8S secret object. | +| `Properties.KubeSecretName` | Kube Secret Name | String | No | - | - | No | The name of the K8S secret object. | +| `Properties.ServerUsername` | Server Username | Secret | No | - | - | Secret | This should be no value or `kubeconfig` | +| `Properties.ServerPassword` | Server Password | Secret | No | - | - | Secret | The credentials to use to connect to the K8S cluster API. This needs to be in `kubeconfig` format. Example: https://github.com/Keyfactor/k8s-orchestrator/tree/main/scripts/kubernetes#example-service-account-json | +| `Properties.KubeSecretType` | Kube Secret Type | String | No | pkcs12 | - | No | DEPRECATED: This property is deprecated and will be removed in a future release. The secret type is now automatically derived from the store type. This defaults to and must be `pkcs12`. | +| `Properties.StorePasswordPath` | StorePasswordPath | String | No | - | - | No | The path to the K8S secret object to use as the password to the PFX/PKCS12 data. Example: `<namespace>/<secret_name>` | + +## Secret And PAM Formatting + +Direct secret values go in the base property column. If the secret value is JSON, keep the entire JSON document in one quoted CSV cell. + +```csv +Properties.ServerUsername +Properties.ServerPassword +``` + +PAM-backed property secrets use provider and parameter columns: + +```csv +Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters. +Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters. 
+``` + +## References + +- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md) +- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md) +- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md) +- [kfutil stores import csv](../../../kfutil_stores_import_csv.md) +- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md) diff --git a/docs/use-cases/Certificate Store Operations/Store Types/k8ssecret.md b/docs/use-cases/Certificate Store Operations/Store Types/k8ssecret.md new file mode 100644 index 00000000..8b95a808 --- /dev/null +++ b/docs/use-cases/Certificate Store Operations/Store Types/k8ssecret.md 
@@ -0,0 +1,114 @@ + +# K8SSecret - K8SSecret + +[Store Type Index](README.md) | [Certificate Store Operations](../README.md) + +Generated from `cmd/store_types.json`. Regenerate with: + +```bash +make store-type-docs +``` + +## Overview + +| Field | Value | +| --- | --- | +| Store type | `K8SSecret` | +| Name | K8SSecret | +| Capability | K8SSecret | +| Server required | Yes | +| Store path type | - | +| Store path value | - | +| Custom alias | Forbidden | +| Private key | Optional | +| Store password | Not required | +| Supported operations | Add, Create, Discovery, Remove | + +**ClientMachine:** This can be anything useful, recommend using the k8s cluster name or identifier. + +## Bulk Create + +Use one CSV per store type. The generated create headers for this store type are: + +```csv +ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.KubeNamespace,Properties.KubeSecretName,Properties.KubeSecretType,Properties.IncludeCertChain,Properties.SeparateChain,Properties.ServerUsername,Properties.ServerPassword,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time +``` + +Create stores from the CSV: + +```bash +kfutil stores import csv \ + --file k8ssecret_bulk_create.csv \ + --store-type-name K8SSecret \ + --no-prompt +``` + +To generate a live template from Command instead of using the static header list above: + +```bash +kfutil stores import generate-template \ + --store-type-name K8SSecret \ + --outpath k8ssecret_bulk_create_template.csv \ + --no-prompt +``` + +## Bulk Update + +Export existing stores, edit the desired columns, then sync the rows back by `Id`: + +```bash +kfutil stores export \ + --store-type-name K8SSecret \ + --outpath k8ssecret_export.csv \ + --no-prompt + +kfutil stores import csv \ + --file k8ssecret_export.csv \ + --store-type-name K8SSecret \ + --sync \ + --no-prompt +``` + +Minimum sync rows must include `Id`. 
Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them. + +Common update headers for this store type are: + +```csv +Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.KubeNamespace,Properties.KubeSecretName,Properties.KubeSecretType,Properties.IncludeCertChain,Properties.SeparateChain,Properties.ServerUsername,Properties.ServerPassword,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time +``` + +## Store Properties + +| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description | +| --- | --- | --- | --- | --- | --- | --- | --- | +| `Properties.KubeNamespace` | KubeNamespace | String | No | - | - | No | The K8S namespace to use to manage the K8S secret object. | +| `Properties.KubeSecretName` | KubeSecretName | String | No | - | - | No | The name of the K8S secret object. | +| `Properties.KubeSecretType` | KubeSecretType | String | No | secret | - | No | DEPRECATED: This property is deprecated and will be removed in a future release. The secret type is now automatically derived from the store type. This defaults to and must be `secret`. | +| `Properties.IncludeCertChain` | Include Certificate Chain | Bool | No | true | - | No | Will default to `true` if not set. If set to `false` only the leaf cert will be deployed. Note: If the certificate in Keyfactor Command does not have a private key, it will be sent in DER format (leaf certificate only), and the chain cannot be included regardless of this setting. | +| `Properties.SeparateChain` | Separate Chain | Bool | No | false | - | No | Will default to `false` if not set. Set this to `true` if you want to deploy certificate chain to the `ca.crt` field for Opaque and tls secrets. 
| +| `Properties.ServerUsername` | Server Username | Secret | No | - | - | Secret | This should be no value or `kubeconfig` | +| `Properties.ServerPassword` | Server Password | Secret | No | - | - | Secret | The credentials to use to connect to the K8S cluster API. This needs to be in `kubeconfig` format. Example: https://github.com/Keyfactor/k8s-orchestrator/tree/main/scripts/kubernetes#example-service-account-json | + +## Secret And PAM Formatting + +Direct secret values go in the base property column. If the secret value is JSON, keep the entire JSON document in one quoted CSV cell. + +```csv +Properties.ServerUsername +Properties.ServerPassword +``` + +PAM-backed property secrets use provider and parameter columns: + +```csv +Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters. +Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters. +``` + +## References + +- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md) +- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md) +- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md) +- [kfutil stores import csv](../../../kfutil_stores_import_csv.md) +- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md) diff --git a/docs/use-cases/Certificate Store Operations/Store Types/k8stlssecr.md b/docs/use-cases/Certificate Store Operations/Store Types/k8stlssecr.md new file mode 100644 index 00000000..cba16fd4 --- /dev/null +++ b/docs/use-cases/Certificate Store Operations/Store Types/k8stlssecr.md 
@@ -0,0 +1,114 @@ + +# K8STLSSecr - K8STLSSecr + +[Store Type Index](README.md) | [Certificate Store Operations](../README.md) + +Generated from `cmd/store_types.json`. Regenerate with: + +```bash +make store-type-docs +``` + +## Overview + +| Field | Value | +| --- | --- | +| Store type | `K8STLSSecr` | +| Name | K8STLSSecr | +| Capability | K8STLSSecr | +| Server required | Yes | +| Store path type | - | +| Store path value | - | +| Custom alias | Forbidden | +| Private key | Optional | +| Store password | Not required | +| Supported operations | Add, Create, Discovery, Remove | + +**ClientMachine:** This can be anything useful, recommend using the k8s cluster name or identifier. + +## Bulk Create + +Use one CSV per store type. The generated create headers for this store type are: + +```csv +ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.KubeNamespace,Properties.KubeSecretName,Properties.KubeSecretType,Properties.IncludeCertChain,Properties.SeparateChain,Properties.ServerUsername,Properties.ServerPassword,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time +``` + +Create stores from the CSV: + +```bash +kfutil stores import csv \ + --file k8stlssecr_bulk_create.csv \ + --store-type-name K8STLSSecr \ + --no-prompt +``` + +To generate a live template from Command instead of using the static header list above: + +```bash +kfutil stores import generate-template \ + --store-type-name K8STLSSecr \ + --outpath k8stlssecr_bulk_create_template.csv \ + --no-prompt +``` + +## Bulk Update + +Export existing stores, edit the desired columns, then sync the rows back by `Id`: + +```bash +kfutil stores export \ + --store-type-name K8STLSSecr \ + --outpath k8stlssecr_export.csv \ + --no-prompt + +kfutil stores import csv \ + --file k8stlssecr_export.csv \ + --store-type-name K8STLSSecr \ + --sync \ + --no-prompt +``` + +Minimum sync rows must include `Id`. 
Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them. + +Common update headers for this store type are: + +```csv +Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.KubeNamespace,Properties.KubeSecretName,Properties.KubeSecretType,Properties.IncludeCertChain,Properties.SeparateChain,Properties.ServerUsername,Properties.ServerPassword,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time +``` + +## Store Properties + +| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description | +| --- | --- | --- | --- | --- | --- | --- | --- | +| `Properties.KubeNamespace` | KubeNamespace | String | No | - | - | No | The K8S namespace to use to manage the K8S secret object. | +| `Properties.KubeSecretName` | KubeSecretName | String | No | - | - | No | The name of the K8S secret object. | +| `Properties.KubeSecretType` | KubeSecretType | String | No | tls_secret | - | No | DEPRECATED: This property is deprecated and will be removed in a future release. The secret type is now automatically derived from the store type. This defaults to and must be `tls_secret`. | +| `Properties.IncludeCertChain` | Include Certificate Chain | Bool | No | true | - | No | Will default to `true` if not set. If set to `false` only the leaf cert will be deployed. Note: If the certificate in Keyfactor Command does not have a private key, it will be sent in DER format (leaf certificate only), and the chain cannot be included regardless of this setting. | +| `Properties.SeparateChain` | Separate Chain | Bool | No | false | - | No | Will default to `false` if not set. Set this to `true` if you want to deploy certificate chain to the `ca.crt` field for Opaque and tls secrets. 
| +| `Properties.ServerUsername` | Server Username | Secret | No | - | - | Secret | This should be no value or `kubeconfig` | +| `Properties.ServerPassword` | Server Password | Secret | No | - | - | Secret | The credentials to use to connect to the K8S cluster API. This needs to be in `kubeconfig` format. Example: https://github.com/Keyfactor/k8s-orchestrator/tree/main/scripts/kubernetes#example-service-account-json | + +## Secret And PAM Formatting + +Direct secret values go in the base property column. If the secret value is JSON, keep the entire JSON document in one quoted CSV cell. + +```csv +Properties.ServerUsername +Properties.ServerPassword +``` + +PAM-backed property secrets use provider and parameter columns: + +```csv +Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters. +Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters. +``` + +## References + +- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md) +- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md) +- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md) +- [kfutil stores import csv](../../../kfutil_stores_import_csv.md) +- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md) diff --git a/docs/use-cases/Certificate Store Operations/Store Types/kemp.md b/docs/use-cases/Certificate Store Operations/Store Types/kemp.md new file mode 100644 index 00000000..861b8981 --- /dev/null +++ b/docs/use-cases/Certificate Store Operations/Store Types/kemp.md 
@@ -0,0 +1,112 @@ + +# Kemp - Kemp + +[Store Type Index](README.md) | [Certificate Store Operations](../README.md) + +Generated from `cmd/store_types.json`. Regenerate with: + +```bash +make store-type-docs +``` + +## Overview + +| Field | Value | +| --- | --- | +| Store type | `Kemp` | +| Name | Kemp | +| Capability | Kemp | +| Server required | Yes | +| Store path type | - | +| Store path value | - | +| Custom alias | Required | +| Private key | Optional | +| Store password | Not required | +| Supported operations | Add, Remove | + +**ClientMachine:** Kemp Load Balancer Client Machine and port example TestKemp:8443. + +**StorePath:** Not used just put a / + +## Bulk Create + +Use one CSV per store type. The generated create headers for this store type are: + +```csv +ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,Properties.ServerUseSsl,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time +``` + +Create stores from the CSV: + +```bash +kfutil stores import csv \ + --file kemp_bulk_create.csv \ + --store-type-name Kemp \ + --no-prompt +``` + +To generate a live template from Command instead of using the static header list above: + +```bash +kfutil stores import generate-template \ + --store-type-name Kemp \ + --outpath kemp_bulk_create_template.csv \ + --no-prompt +``` + +## Bulk Update + +Export existing stores, edit the desired columns, then sync the rows back by `Id`: + +```bash +kfutil stores export \ + --store-type-name Kemp \ + --outpath kemp_export.csv \ + --no-prompt + +kfutil stores import csv \ + --file kemp_export.csv \ + --store-type-name Kemp \ + --sync \ + --no-prompt +``` + +Minimum sync rows must include `Id`. Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them. 
+ +Common update headers for this store type are: + +```csv +Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,Properties.ServerUseSsl,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time +``` + +## Store Properties + +| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description | +| --- | --- | --- | --- | --- | --- | --- | --- | +| `Properties.ServerUsername` | Server Username | Secret | No | - | - | Secret; PAM eligible | Not used. | +| `Properties.ServerPassword` | Server Password | Secret | No | - | - | Secret; PAM eligible | Kemp Api Password. (or valid PAM key if the username is stored in a KF Command configured PAM integration). | +| `Properties.ServerUseSsl` | Use SSL | Bool | Yes | true | - | No | Should be true, http is not supported. | + +## Secret And PAM Formatting + +Direct secret values go in the base property column. If the secret value is JSON, keep the entire JSON document in one quoted CSV cell. + +```csv +Properties.ServerUsername +Properties.ServerPassword +``` + +PAM-backed property secrets use provider and parameter columns: + +```csv +Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters. +Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters. +``` + +## References + +- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md) +- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md) +- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md) +- [kfutil stores import csv](../../../kfutil_stores_import_csv.md) +- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md) 
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/most.md b/docs/use-cases/Certificate Store Operations/Store Types/most.md new file mode 100644 index 00000000..6c3e262a --- /dev/null +++ b/docs/use-cases/Certificate Store Operations/Store Types/most.md 
@@ -0,0 +1,91 @@ + +# MOST - MyOrchestratorStoreType + +[Store Type Index](README.md) | [Certificate Store Operations](../README.md) + +Generated from `cmd/store_types.json`. Regenerate with: + +```bash +make store-type-docs +``` + +## Overview + +| Field | Value | +| --- | --- | +| Store type | `MOST` | +| Name | MyOrchestratorStoreType | +| Capability | MOST | +| Server required | Yes | +| Store path type | - | +| Store path value | - | +| Custom alias | Forbidden | +| Private key | Forbidden | +| Store password | Not required | +| Supported operations | Discovery | + +## Bulk Create + +Use one CSV per store type. The generated create headers for this store type are: + +```csv +ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.CustomField1,Properties.CustomField2,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time +``` + +Create stores from the CSV: + +```bash +kfutil stores import csv \ + --file most_bulk_create.csv \ + --store-type-name MOST \ + --no-prompt +``` + +To generate a live template from Command instead of using the static header list above: + +```bash +kfutil stores import generate-template \ + --store-type-name MOST \ + --outpath most_bulk_create_template.csv \ + --no-prompt +``` + +## Bulk Update + +Export existing stores, edit the desired columns, then sync the rows back by `Id`: + +```bash +kfutil stores export \ + --store-type-name MOST \ + --outpath most_export.csv \ + --no-prompt + +kfutil stores import csv \ + --file most_export.csv \ + --store-type-name MOST \ + --sync \ + --no-prompt +``` + +Minimum sync rows must include `Id`. Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them. 
+ +Common update headers for this store type are: + +```csv +Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.CustomField1,Properties.CustomField2,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time +``` + +## Store Properties + +| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description | +| --- | --- | --- | --- | --- | --- | --- | --- | +| `Properties.CustomField1` | CustomField1 | String | Yes | default | - | No | - | +| `Properties.CustomField2` | CustomField2 | String | Yes | - | - | No | - | + +## References + +- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md) +- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md) +- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md) +- [kfutil stores import csv](../../../kfutil_stores_import_csv.md) +- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md) diff --git a/docs/use-cases/Certificate Store Operations/Store Types/nmap.md b/docs/use-cases/Certificate Store Operations/Store Types/nmap.md new file mode 100644 index 00000000..88fb247e --- /dev/null +++ b/docs/use-cases/Certificate Store Operations/Store Types/nmap.md 
@@ -0,0 +1,88 @@ + +# Nmap - Nmap Orchestrator + +[Store Type Index](README.md) | [Certificate Store Operations](../README.md) + +Generated from `cmd/store_types.json`. Regenerate with: + +```bash +make store-type-docs +``` + +## Overview + +| Field | Value | +| --- | --- | +| Store type | `Nmap` | +| Name | Nmap Orchestrator | +| Capability | Nmap | +| Server required | No | +| Store path type | Freeform | +| Store path value | - | +| Custom alias | Optional | +| Private key | Forbidden | +| Store password | Not required | +| Supported operations | Inventory, Remove | + +## Bulk Create + +Use one CSV per store type. The generated create headers for this store type are: + +```csv +ContainerId,ClientMachine,StorePath,CreateIfMissing,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time +``` + +Create stores from the CSV: + +```bash +kfutil stores import csv \ + --file nmap_bulk_create.csv \ + --store-type-name Nmap \ + --no-prompt +``` + +To generate a live template from Command instead of using the static header list above: + +```bash +kfutil stores import generate-template \ + --store-type-name Nmap \ + --outpath nmap_bulk_create_template.csv \ + --no-prompt +``` + +## Bulk Update + +Export existing stores, edit the desired columns, then sync the rows back by `Id`: + +```bash +kfutil stores export \ + --store-type-name Nmap \ + --outpath nmap_export.csv \ + --no-prompt + +kfutil stores import csv \ + --file nmap_export.csv \ + --store-type-name Nmap \ + --sync \ + --no-prompt +``` + +Minimum sync rows must include `Id`. Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them. 
+ +Common update headers for this store type are: + +```csv +Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time +``` + +## Store Properties + +This store type does not define additional `Properties.*` CSV columns. + +## References + +- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md) +- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md) +- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md) +- [kfutil stores import csv](../../../kfutil_stores_import_csv.md) +- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md) diff --git a/docs/use-cases/Certificate Store Operations/Store Types/oktaapp.md b/docs/use-cases/Certificate Store Operations/Store Types/oktaapp.md new file mode 100644 index 00000000..ce3c5acf --- /dev/null +++ b/docs/use-cases/Certificate Store Operations/Store Types/oktaapp.md 
@@ -0,0 +1,103 @@ + +# OktaApp - OktaApp + +[Store Type Index](README.md) | [Certificate Store Operations](../README.md) + +Generated from `cmd/store_types.json`. Regenerate with: + +```bash +make store-type-docs +``` + +## Overview + +| Field | Value | +| --- | --- | +| Store type | `OktaApp` | +| Name | OktaApp | +| Capability | - | +| Server required | Yes | +| Store path type | - | +| Store path value | - | +| Custom alias | Forbidden | +| Private key | Forbidden | +| Store password | Not required | +| Supported operations | Discovery, Enrollment | + +**ClientMachine:** This should contain your Okta URL (e.g. https://trial-1111.okta.com). + +**StorePath:** This should contain the Okta App ID (please see overview for description). + +## Bulk Create + +Use one CSV per store type. The generated create headers for this store type are: + +```csv +ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.DefaultValidityYears,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time +``` + +Create stores from the CSV: + +```bash +kfutil stores import csv \ + --file oktaapp_bulk_create.csv \ + --store-type-name OktaApp \ + --no-prompt +``` + +To generate a live template from Command instead of using the static header list above: + +```bash +kfutil stores import generate-template \ + --store-type-name OktaApp \ + --outpath oktaapp_bulk_create_template.csv \ + --no-prompt +``` + +## Bulk Update + +Export existing stores, edit the desired columns, then sync the rows back by `Id`: + +```bash +kfutil stores export \ + --store-type-name OktaApp \ + --outpath oktaapp_export.csv \ + --no-prompt + +kfutil stores import csv \ + --file oktaapp_export.csv \ + --store-type-name OktaApp \ + --sync \ + --no-prompt +``` + +Minimum sync rows must include `Id`. 
Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them. + +Common update headers for this store type are: + +```csv +Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.DefaultValidityYears,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time +``` + +## Store Properties + +| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description | +| --- | --- | --- | --- | --- | --- | --- | --- | +| `Properties.DefaultValidityYears` | DefaultValidityYears | String | Yes | 1 | - | No | Number of years the certificate will be valid for by default. Required by Okta. | + +## Certificate Entry Parameters + +These parameters apply to certificate add/enrollment operations for this store type. They are not store create/sync CSV columns unless another workflow explicitly asks for them. + +| Name | Display name | Type | Required when | Default | Depends on | Description | +| --- | --- | --- | --- | --- | --- | --- | +| `SANList` | SANList | String | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":true,"OnRemove":false} | - | - | This is a comma-separated list of Subject Alternative Names (SANs) to be included in the certificate. Required by Okta. Must contain at least one SAN. | +| `ActivateCredential` | ActivateCredential | Bool | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":true,"OnRemove":false} | false | - | This is a boolean indicating whether to activate the certificate in Okta after reenrollment/ODKG. 
| + +## References + +- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md) +- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md) +- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md) +- [kfutil stores import csv](../../../kfutil_stores_import_csv.md) +- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md) diff --git a/docs/use-cases/Certificate Store Operations/Store Types/oktaidp.md b/docs/use-cases/Certificate Store Operations/Store Types/oktaidp.md new file mode 100644 index 00000000..72575be3 --- /dev/null +++ b/docs/use-cases/Certificate Store Operations/Store Types/oktaidp.md 
@@ -0,0 +1,103 @@ + +# OktaIdP - OktaIdP + +[Store Type Index](README.md) | [Certificate Store Operations](../README.md) + +Generated from `cmd/store_types.json`. Regenerate with: + +```bash +make store-type-docs +``` + +## Overview + +| Field | Value | +| --- | --- | +| Store type | `OktaIdP` | +| Name | OktaIdP | +| Capability | - | +| Server required | Yes | +| Store path type | - | +| Store path value | - | +| Custom alias | Forbidden | +| Private key | Forbidden | +| Store password | Not required | +| Supported operations | Discovery, Enrollment | + +**ClientMachine:** This should contain your Okta URL (e.g. https://trial-1111.okta.com). + +**StorePath:** This should contain the Okta IdP ID (please see overview for description). + +## Bulk Create + +Use one CSV per store type. The generated create headers for this store type are: + +```csv +ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.DefaultValidityYears,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time +``` + +Create stores from the CSV: + +```bash +kfutil stores import csv \ + --file oktaidp_bulk_create.csv \ + --store-type-name OktaIdP \ + --no-prompt +``` + +To generate a live template from Command instead of using the static header list above: + +```bash +kfutil stores import generate-template \ + --store-type-name OktaIdP \ + --outpath oktaidp_bulk_create_template.csv \ + --no-prompt +``` + +## Bulk Update + +Export existing stores, edit the desired columns, then sync the rows back by `Id`: + +```bash +kfutil stores export \ + --store-type-name OktaIdP \ + --outpath oktaidp_export.csv \ + --no-prompt + +kfutil stores import csv \ + --file oktaidp_export.csv \ + --store-type-name OktaIdP \ + --sync \ + --no-prompt +``` + +Minimum sync rows must include `Id`. 
Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them. + +Common update headers for this store type are: + +```csv +Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.DefaultValidityYears,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time +``` + +## Store Properties + +| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description | +| --- | --- | --- | --- | --- | --- | --- | --- | +| `Properties.DefaultValidityYears` | DefaultValidityYears | String | Yes | 1 | - | No | Number of years the certificate will be valid for by default. Required by Okta. | + +## Certificate Entry Parameters + +These parameters apply to certificate add/enrollment operations for this store type. They are not store create/sync CSV columns unless another workflow explicitly asks for them. + +| Name | Display name | Type | Required when | Default | Depends on | Description | +| --- | --- | --- | --- | --- | --- | --- | +| `SANList` | SANList | String | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":true,"OnRemove":false} | - | - | This is a comma-separated list of Subject Alternative Names (SANs) to be included in the certificate. Required by Okta. Must contain at least one SAN. | +| `ActivateCredential` | ActivateCredential | Bool | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":true,"OnRemove":false} | true | - | This is a boolean indicating whether to activate the certificate in Okta after reenrollment/ODKG. 
| + +## References + +- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md) +- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md) +- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md) +- [kfutil stores import csv](../../../kfutil_stores_import_csv.md) +- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md) diff --git a/docs/use-cases/Certificate Store Operations/Store Types/paloalto.md b/docs/use-cases/Certificate Store Operations/Store Types/paloalto.md new file mode 100644 index 00000000..46f2690c --- /dev/null +++ b/docs/use-cases/Certificate Store Operations/Store Types/paloalto.md 
@@ -0,0 +1,115 @@ + +# PaloAlto - PaloAlto + +[Store Type Index](README.md) | [Certificate Store Operations](../README.md) + +Generated from `cmd/store_types.json`. Regenerate with: + +```bash +make store-type-docs +``` + +## Overview + +| Field | Value | +| --- | --- | +| Store type | `PaloAlto` | +| Name | PaloAlto | +| Capability | PaloAlto | +| Server required | Yes | +| Store path type | - | +| Store path value | - | +| Custom alias | Required | +| Private key | Optional | +| Store password | Not required | +| Supported operations | Add, Remove | + +**ClientMachine:** Either the Panorama or Palo Alto Firewall URI or IP address. + +**StorePath:** The Store Path field should be reviewed in the store path explanation section. It varies depending on configuration. + +## Bulk Create + +Use one CSV per store type. The generated create headers for this store type are: + +```csv +ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,Properties.ServerUseSsl,Properties.DeviceGroup,Properties.InventoryTrustedCerts,Properties.TemplateStack,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time +``` + +Create stores from the CSV: + +```bash +kfutil stores import csv \ + --file paloalto_bulk_create.csv \ + --store-type-name PaloAlto \ + --no-prompt +``` + +To generate a live template from Command instead of using the static header list above: + +```bash +kfutil stores import generate-template \ + --store-type-name PaloAlto \ + --outpath paloalto_bulk_create_template.csv \ + --no-prompt +``` + +## Bulk Update + +Export existing stores, edit the desired columns, then sync the rows back by `Id`: + +```bash +kfutil stores export \ + --store-type-name PaloAlto \ + --outpath paloalto_export.csv \ + --no-prompt + +kfutil stores import csv \ + --file paloalto_export.csv \ + --store-type-name PaloAlto \ + --sync \ + --no-prompt 
+``` + +Minimum sync rows must include `Id`. Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them. + +Common update headers for this store type are: + +```csv +Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,Properties.ServerUseSsl,Properties.DeviceGroup,Properties.InventoryTrustedCerts,Properties.TemplateStack,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time +``` + +## Store Properties + +| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description | +| --- | --- | --- | --- | --- | --- | --- | --- | +| `Properties.ServerUsername` | Server Username | Secret | No | - | - | Secret; PAM eligible | Palo Alto or Panorama Api User. (or valid PAM key if the username is stored in a KF Command configured PAM integration). | +| `Properties.ServerPassword` | Server Password | Secret | No | - | - | Secret; PAM eligible | Palo Alto or Panorama Api Password. (or valid PAM key if the username is stored in a KF Command configured PAM integration). | +| `Properties.ServerUseSsl` | Use SSL | Bool | Yes | true | - | No | Should be true, http is not supported. | +| `Properties.DeviceGroup` | Device Group | String | No | - | - | No | A semicolon delimited list of Device Groups that Panorama will push changes to (i.e. 'Group 1', 'Group 1;Group 2', or 'Group 1; Group 2', etc.). | +| `Properties.InventoryTrustedCerts` | Inventory Trusted Certs | Bool | Yes | false | - | No | If false, will not inventory default trusted certs, saves time. | +| `Properties.TemplateStack` | Template Stack | String | No | - | - | No | Template stack used for device push of certificates via Template. | + +## Secret And PAM Formatting + +Direct secret values go in the base property column. 
If the secret value is JSON, keep the entire JSON document in one quoted CSV cell. + +```csv +Properties.ServerUsername +Properties.ServerPassword +``` + +PAM-backed property secrets use provider and parameter columns: + +```csv +Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters. +Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters. +``` + +## References + +- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md) +- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md) +- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md) +- [kfutil stores import csv](../../../kfutil_stores_import_csv.md) +- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md) diff --git a/docs/use-cases/Certificate Store Operations/Store Types/rfder.md b/docs/use-cases/Certificate Store Operations/Store Types/rfder.md new file mode 100644 index 00000000..f2ee6226 --- /dev/null +++ b/docs/use-cases/Certificate Store Operations/Store Types/rfder.md 
@@ -0,0 +1,121 @@ + +# RFDER - RFDER + +[Store Type Index](README.md) | [Certificate Store Operations](../README.md) + +Generated from `cmd/store_types.json`. Regenerate with: + +```bash +make store-type-docs +``` + +## Overview + +| Field | Value | +| --- | --- | +| Store type | `RFDER` | +| Name | RFDER | +| Capability | RFDER | +| Server required | Yes | +| Store path type | - | +| Store path value | - | +| Custom alias | Forbidden | +| Private key | Optional | +| Store password | Required; PAM eligible | +| Supported operations | Add, Create, Discovery, Enrollment, Remove | + +**ClientMachine:** The Client Machine field should contain the DNS name or IP address of the remote orchestrated server for Linux orchestrated servers, formatted as a URL (protocol://dns-or-ip:port) for Windows orchestrated servers, or '1.1.1.1|LocalMachine' for local agents. Example: 'https://myserver.mydomain.com:5986' or '1.1.1.1|LocalMachine' for local access. + +**StorePath:** The Store Path field should contain the full path and file name, including file extension if applicable, beginning with a forward slash (/) for Linux orchestrated servers or a drive letter (i.e., c:\folder\path\storename.der) for Windows orchestrated servers. Example: '/folder/path/storename.der' or 'c:\folder\path\storename.der'. + +## Bulk Create + +Use one CSV per store type. 
The generated create headers for this store type are: + +```csv +ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,Properties.LinuxFilePermissionsOnStoreCreation,Properties.LinuxFileOwnerOnStoreCreation,Properties.SudoImpersonatingUser,Properties.SeparatePrivateKeyFilePath,Properties.RemoveRootCertificate,Properties.IncludePortInSPN,Properties.SSHPort,Properties.UseShellCommands,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time,Password +``` + +Create stores from the CSV: + +```bash +kfutil stores import csv \ + --file rfder_bulk_create.csv \ + --store-type-name RFDER \ + --no-prompt +``` + +To generate a live template from Command instead of using the static header list above: + +```bash +kfutil stores import generate-template \ + --store-type-name RFDER \ + --outpath rfder_bulk_create_template.csv \ + --no-prompt +``` + +## Bulk Update + +Export existing stores, edit the desired columns, then sync the rows back by `Id`: + +```bash +kfutil stores export \ + --store-type-name RFDER \ + --outpath rfder_export.csv \ + --no-prompt + +kfutil stores import csv \ + --file rfder_export.csv \ + --store-type-name RFDER \ + --sync \ + --no-prompt +``` + +Minimum sync rows must include `Id`. Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them. 
+ +Common update headers for this store type are: + +```csv +Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,Properties.LinuxFilePermissionsOnStoreCreation,Properties.LinuxFileOwnerOnStoreCreation,Properties.SudoImpersonatingUser,Properties.SeparatePrivateKeyFilePath,Properties.RemoveRootCertificate,Properties.IncludePortInSPN,Properties.SSHPort,Properties.UseShellCommands,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time,Password +``` + +## Store Properties + +| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description | +| --- | --- | --- | --- | --- | --- | --- | --- | +| `Properties.ServerUsername` | Server Username | Secret | No | - | - | Secret; PAM eligible | A username (or valid PAM key if the username is stored in a KF Command configured PAM integration). If acting as an *agent* using local file access, just check *No Value* | +| `Properties.ServerPassword` | Server Password | Secret | No | - | - | Secret; PAM eligible | A password (or valid PAM key if the password is stored in a KF Command configured PAM integration). The password can also be an SSH private key if connecting via SSH to a server using SSH private key authentication. If acting as an *agent* using local file access, just check *No Value* | +| `Properties.LinuxFilePermissionsOnStoreCreation` | Linux File Permissions on Store Creation | String | No | - | - | No | The LinuxFilePermissionsOnStoreCreation field should contain a three-digit value between 000 and 777 representing the Linux file permissions to be set for the certificate store upon creation. Example: '600' or '755'. Overrides DefaultLinuxPermissionOnStoreCreation [config.json](#post-installation) setting. 
| +| `Properties.LinuxFileOwnerOnStoreCreation` | Linux File Owner on Store Creation | String | No | - | - | No | The LinuxFileOwnerOnStoreCreation field should contain a valid user ID recognized by the destination Linux server, optionally followed by a colon and a group ID if the group owner differs. Example: 'userID' or 'userID:groupID'. Overrides DefaultOwnerOnStoreCreation [config.json](#post-installation) setting. | +| `Properties.SudoImpersonatingUser` | Sudo Impersonating User | String | No | - | - | No | The SudoImpersonatingUser field should contain a valid user ID to impersonate using sudo on the destination Linux server. Example: 'impersonatedUserID'. Overrides [config.json](#post-installation) DefaultSudoImpersonatedUser setting. | +| `Properties.SeparatePrivateKeyFilePath` | Separate Private Key File Location | String | No | - | - | No | The SeparatePrivateKeyFilePath field should contain the full path and file name where the separate private key file will be stored if it is to be kept outside the main certificate file. Example: '/path/to/privatekey.der'. | +| `Properties.RemoveRootCertificate` | Remove Root Certificate from Chain | Bool | No | False | - | No | Remove root certificate from chain when adding/renewing a certificate in a store. | +| `Properties.IncludePortInSPN` | Include Port in SPN for WinRM | Bool | No | False | - | No | Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations. | +| `Properties.SSHPort` | SSH Port | String | No | - | - | No | Integer value representing the port that should be used when connecting to Linux servers over SSH. Overrides SSHPort [config.json](#post-installation) setting. | +| `Properties.UseShellCommands` | Use Shell Commands | Bool | No | True | - | No | Recommended to be set to the default value of 'Y'. 
For a detailed explanation of this setting, please refer to [Use Shell Commands Setting](#use-shell-commands-setting) | + +## Secret And PAM Formatting + +Direct secret values go in the base property column. If the secret value is JSON, keep the entire JSON document in one quoted CSV cell. + +```csv +Properties.ServerUsername +Properties.ServerPassword +``` + +PAM-backed property secrets use provider and parameter columns: + +```csv +Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters. +Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters. +``` + +The store password uses the `Password` column. For a PAM-backed store password, use `Password.Provider` and `Password.Parameters.` columns. + +## References + +- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md) +- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md) +- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md) +- [kfutil stores import csv](../../../kfutil_stores_import_csv.md) +- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md) diff --git a/docs/use-cases/Certificate Store Operations/Store Types/rfjks.md b/docs/use-cases/Certificate Store Operations/Store Types/rfjks.md new file mode 100644 index 00000000..4711682d --- /dev/null +++ b/docs/use-cases/Certificate Store Operations/Store Types/rfjks.md 
@@ -0,0 +1,121 @@ + +# RFJKS - RFJKS + +[Store Type Index](README.md) | [Certificate Store Operations](../README.md) + +Generated from `cmd/store_types.json`. Regenerate with: + +```bash +make store-type-docs +``` + +## Overview + +| Field | Value | +| --- | --- | +| Store type | `RFJKS` | +| Name | RFJKS | +| Capability | RFJKS | +| Server required | Yes | +| Store path type | - | +| Store path value | - | +| Custom alias | Required | +| Private key | Optional | +| Store password | Required; PAM eligible | +| Supported operations | Add, Create, Discovery, Enrollment, Remove | + +**ClientMachine:** The IP address or DNS of the server hosting the certificate store. For more information, see [Client Machine ](#client-machine-instructions) + +**StorePath:** The full path and file name, including file extension if one exists where the certificate store file is located. For Linux orchestrated servers, StorePath will begin with a forward slash (i.e. /folder/path/storename.ext). For Windows orchestrated servers, it should begin with a drive letter (i.e. c:\folder\path\storename.ext). + +## Bulk Create + +Use one CSV per store type. 
The generated create headers for this store type are: + +```csv +ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,Properties.LinuxFilePermissionsOnStoreCreation,Properties.LinuxFileOwnerOnStoreCreation,Properties.SudoImpersonatingUser,Properties.RemoveRootCertificate,Properties.IncludePortInSPN,Properties.SSHPort,Properties.UseShellCommands,Properties.PostJobApplicationRestart,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time,Password +``` + +Create stores from the CSV: + +```bash +kfutil stores import csv \ + --file rfjks_bulk_create.csv \ + --store-type-name RFJKS \ + --no-prompt +``` + +To generate a live template from Command instead of using the static header list above: + +```bash +kfutil stores import generate-template \ + --store-type-name RFJKS \ + --outpath rfjks_bulk_create_template.csv \ + --no-prompt +``` + +## Bulk Update + +Export existing stores, edit the desired columns, then sync the rows back by `Id`: + +```bash +kfutil stores export \ + --store-type-name RFJKS \ + --outpath rfjks_export.csv \ + --no-prompt + +kfutil stores import csv \ + --file rfjks_export.csv \ + --store-type-name RFJKS \ + --sync \ + --no-prompt +``` + +Minimum sync rows must include `Id`. Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them. 
+ +Common update headers for this store type are: + +```csv +Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,Properties.LinuxFilePermissionsOnStoreCreation,Properties.LinuxFileOwnerOnStoreCreation,Properties.SudoImpersonatingUser,Properties.RemoveRootCertificate,Properties.IncludePortInSPN,Properties.SSHPort,Properties.UseShellCommands,Properties.PostJobApplicationRestart,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time,Password +``` + +## Store Properties + +| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description | +| --- | --- | --- | --- | --- | --- | --- | --- | +| `Properties.ServerUsername` | Server Username | Secret | No | - | - | Secret; PAM eligible | A username (or valid PAM key if the username is stored in a KF Command configured PAM integration). If acting as an *agent* using local file access, just check *No Value* | +| `Properties.ServerPassword` | Server Password | Secret | No | - | - | Secret; PAM eligible | A password (or valid PAM key if the password is stored in a KF Command configured PAM integration). The password can also be an SSH private key if connecting via SSH to a server using SSH private key authentication. If acting as an *agent* using local file access, just check *No Value* | +| `Properties.LinuxFilePermissionsOnStoreCreation` | Linux File Permissions on Store Creation | String | No | - | - | No | The LinuxFilePermissionsOnStoreCreation field should contain a three-digit value between 000 and 777 representing the Linux file permissions to be set for the certificate store upon creation. Example: '600' or '755'. Overrides DefaultLinuxPermissionOnStoreCreation [config.json](#post-installation) setting. 
| +| `Properties.LinuxFileOwnerOnStoreCreation` | Linux File Owner on Store Creation | String | No | - | - | No | The LinuxFileOwnerOnStoreCreation field should contain a valid user ID recognized by the destination Linux server, optionally followed by a colon and a group ID if the group owner differs. Example: 'userID' or 'userID:groupID'. Overrides DefaultOwnerOnStoreCreation [config.json](#post-installation) setting. | +| `Properties.SudoImpersonatingUser` | Sudo Impersonating User | String | No | - | - | No | The SudoImpersonatingUser field should contain a valid user ID to impersonate using sudo on the destination Linux server. Example: 'impersonatedUserID'. Overrides DefaultSudoImpersonatedUser [config.json](#post-installation) setting. | +| `Properties.RemoveRootCertificate` | Remove Root Certificate from Chain | Bool | No | False | - | No | Remove root certificate from chain when adding/renewing a certificate in a store. | +| `Properties.IncludePortInSPN` | Include Port in SPN for WinRM | Bool | No | False | - | No | Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations. | +| `Properties.SSHPort` | SSH Port | String | No | - | - | No | Integer value representing the port that should be used when connecting to Linux servers over SSH. Overrides SSHPort [config.json](#post-installation) setting. | +| `Properties.UseShellCommands` | Use Shell Commands | Bool | No | True | - | No | Recommended to be set to the default value of 'Y'. For a detailed explanation of this setting, please refer to [Use Shell Commands Setting](#use-shell-commands-setting) | +| `Properties.PostJobApplicationRestart` | Post Job Application Restart | MultipleChoice | No | Apache Tomcat Restart,Jetty Restart | - | No | Select the command to be run after a Management Add or ODKG job executes. Leave unselected if no command is desired. 
| + +## Secret And PAM Formatting + +Direct secret values go in the base property column. If the secret value is JSON, keep the entire JSON document in one quoted CSV cell. + +```csv +Properties.ServerUsername +Properties.ServerPassword +``` + +PAM-backed property secrets use provider and parameter columns: + +```csv +Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters. +Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters. +``` + +The store password uses the `Password` column. For a PAM-backed store password, use `Password.Provider` and `Password.Parameters.` columns. + +## References + +- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md) +- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md) +- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md) +- [kfutil stores import csv](../../../kfutil_stores_import_csv.md) +- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md) diff --git a/docs/use-cases/Certificate Store Operations/Store Types/rfkdb.md b/docs/use-cases/Certificate Store Operations/Store Types/rfkdb.md new file mode 100644 index 00000000..8b8e5ccd --- /dev/null +++ b/docs/use-cases/Certificate Store Operations/Store Types/rfkdb.md 
@@ -0,0 +1,120 @@ + +# RFKDB - RFKDB + +[Store Type Index](README.md) | [Certificate Store Operations](../README.md) + +Generated from `cmd/store_types.json`. Regenerate with: + +```bash +make store-type-docs +``` + +## Overview + +| Field | Value | +| --- | --- | +| Store type | `RFKDB` | +| Name | RFKDB | +| Capability | RFKDB | +| Server required | Yes | +| Store path type | - | +| Store path value | - | +| Custom alias | Required | +| Private key | Optional | +| Store password | Required; PAM eligible | +| Supported operations | Add, Create, Discovery, Remove | + +**ClientMachine:** The Client Machine field should contain the DNS name or IP address of the remote orchestrated server for Linux orchestrated servers, formatted as a URL (protocol://dns-or-ip:port) for Windows orchestrated servers, or '1.1.1.1|LocalMachine' for local agents. Example: 'https://myserver.mydomain.com:5986' or '1.1.1.1|LocalMachine' for local access. + +**StorePath:** The Store Path field should contain the full path and file name, including file extension if applicable, beginning with a forward slash (/) for Linux orchestrated servers or a drive letter (i.e., c:\folder\path\storename.kdb) for Windows orchestrated servers. Example: '/folder/path/storename.kdb' or 'c:\folder\path\storename.kdb'. + +## Bulk Create + +Use one CSV per store type. 
The generated create headers for this store type are: + +```csv +ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,Properties.LinuxFilePermissionsOnStoreCreation,Properties.LinuxFileOwnerOnStoreCreation,Properties.SudoImpersonatingUser,Properties.RemoveRootCertificate,Properties.IncludePortInSPN,Properties.SSHPort,Properties.UseShellCommands,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time,Password +``` + +Create stores from the CSV: + +```bash +kfutil stores import csv \ + --file rfkdb_bulk_create.csv \ + --store-type-name RFKDB \ + --no-prompt +``` + +To generate a live template from Command instead of using the static header list above: + +```bash +kfutil stores import generate-template \ + --store-type-name RFKDB \ + --outpath rfkdb_bulk_create_template.csv \ + --no-prompt +``` + +## Bulk Update + +Export existing stores, edit the desired columns, then sync the rows back by `Id`: + +```bash +kfutil stores export \ + --store-type-name RFKDB \ + --outpath rfkdb_export.csv \ + --no-prompt + +kfutil stores import csv \ + --file rfkdb_export.csv \ + --store-type-name RFKDB \ + --sync \ + --no-prompt +``` + +Minimum sync rows must include `Id`. Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them. 
+ +Common update headers for this store type are: + +```csv +Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,Properties.LinuxFilePermissionsOnStoreCreation,Properties.LinuxFileOwnerOnStoreCreation,Properties.SudoImpersonatingUser,Properties.RemoveRootCertificate,Properties.IncludePortInSPN,Properties.SSHPort,Properties.UseShellCommands,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time,Password +``` + +## Store Properties + +| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description | +| --- | --- | --- | --- | --- | --- | --- | --- | +| `Properties.ServerUsername` | Server Username | Secret | No | - | - | Secret; PAM eligible | A username (or valid PAM key if the username is stored in a KF Command configured PAM integration). If acting as an *agent* using local file access, just check *No Value* | +| `Properties.ServerPassword` | Server Password | Secret | No | - | - | Secret; PAM eligible | A password (or valid PAM key if the password is stored in a KF Command configured PAM integration). The password can also be an SSH private key if connecting via SSH to a server using SSH private key authentication. If acting as an *agent* using local file access, just check *No Value* | +| `Properties.LinuxFilePermissionsOnStoreCreation` | Linux File Permissions on Store Creation | String | No | - | - | No | The LinuxFilePermissionsOnStoreCreation field should contain a three-digit value between 000 and 777 representing the Linux file permissions to be set for the certificate store upon creation. Example: '600' or '755'. Overrides DefaultLinuxPermissionOnStoreCreation [config.json](#post-installation) setting. 
| +| `Properties.LinuxFileOwnerOnStoreCreation` | Linux File Owner on Store Creation | String | No | - | - | No | The LinuxFileOwnerOnStoreCreation field should contain a valid user ID recognized by the destination Linux server, optionally followed by a colon and a group ID if the group owner differs. Example: 'userID' or 'userID:groupID'. Overrides DefaultOwnerOnStoreCreation [config.json](#post-installation) setting. | +| `Properties.SudoImpersonatingUser` | Sudo Impersonating User | String | No | - | - | No | The SudoImpersonatingUser field should contain a valid user ID to impersonate using sudo on the destination Linux server. Example: 'impersonatedUserID'. Overrides [config.json](#post-installation) DefaultSudoImpersonatedUser setting. | +| `Properties.RemoveRootCertificate` | Remove Root Certificate from Chain | Bool | No | False | - | No | Remove root certificate from chain when adding/renewing a certificate in a store. | +| `Properties.IncludePortInSPN` | Include Port in SPN for WinRM | Bool | No | False | - | No | Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations. | +| `Properties.SSHPort` | SSH Port | String | No | - | - | No | Integer value representing the port that should be used when connecting to Linux servers over SSH. Overrides SSHPort [config.json](#post-installation) setting. | +| `Properties.UseShellCommands` | Use Shell Commands | Bool | No | True | - | No | Recommended to be set to the default value of 'Y'. For a detailed explanation of this setting, please refer to [Use Shell Commands Setting](#use-shell-commands-setting) | + +## Secret And PAM Formatting + +Direct secret values go in the base property column. If the secret value is JSON, keep the entire JSON document in one quoted CSV cell. 
+ +```csv +Properties.ServerUsername +Properties.ServerPassword +``` + +PAM-backed property secrets use provider and parameter columns: + +```csv +Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters. +Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters. +``` + +The store password uses the `Password` column. For a PAM-backed store password, use `Password.Provider` and `Password.Parameters.` columns. + +## References + +- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md) +- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md) +- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md) +- [kfutil stores import csv](../../../kfutil_stores_import_csv.md) +- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md) diff --git a/docs/use-cases/Certificate Store Operations/Store Types/rfora.md b/docs/use-cases/Certificate Store Operations/Store Types/rfora.md new file mode 100644 index 00000000..d345a44a --- /dev/null +++ b/docs/use-cases/Certificate Store Operations/Store Types/rfora.md 
@@ -0,0 +1,121 @@ + +# RFORA - RFORA + +[Store Type Index](README.md) | [Certificate Store Operations](../README.md) + +Generated from `cmd/store_types.json`. Regenerate with: + +```bash +make store-type-docs +``` + +## Overview + +| Field | Value | +| --- | --- | +| Store type | `RFORA` | +| Name | RFORA | +| Capability | RFORA | +| Server required | Yes | +| Store path type | - | +| Store path value | - | +| Custom alias | Required | +| Private key | Optional | +| Store password | Required; PAM eligible | +| Supported operations | Add, Create, Discovery, Remove | + +**ClientMachine:** The Client Machine field should contain the DNS name or IP address of the remote orchestrated server for Linux orchestrated servers, formatted as a URL (protocol://dns-or-ip:port) for Windows orchestrated servers, or '1.1.1.1|LocalMachine' for local agents. Example: 'https://myserver.mydomain.com:5986' or '1.1.1.1|LocalMachine' for local access. + +**StorePath:** The Store Path field should contain the full path and file name of the Oracle Wallet, including the 'eWallet.p12' file name by convention. Example: '/path/to/eWallet.p12' or 'c:\path\to\eWallet.p12'. + +## Bulk Create + +Use one CSV per store type. 
The generated create headers for this store type are: + +```csv +ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,Properties.LinuxFilePermissionsOnStoreCreation,Properties.LinuxFileOwnerOnStoreCreation,Properties.SudoImpersonatingUser,Properties.WorkFolder,Properties.RemoveRootCertificate,Properties.IncludePortInSPN,Properties.SSHPort,Properties.UseShellCommands,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time,Password +``` + +Create stores from the CSV: + +```bash +kfutil stores import csv \ + --file rfora_bulk_create.csv \ + --store-type-name RFORA \ + --no-prompt +``` + +To generate a live template from Command instead of using the static header list above: + +```bash +kfutil stores import generate-template \ + --store-type-name RFORA \ + --outpath rfora_bulk_create_template.csv \ + --no-prompt +``` + +## Bulk Update + +Export existing stores, edit the desired columns, then sync the rows back by `Id`: + +```bash +kfutil stores export \ + --store-type-name RFORA \ + --outpath rfora_export.csv \ + --no-prompt + +kfutil stores import csv \ + --file rfora_export.csv \ + --store-type-name RFORA \ + --sync \ + --no-prompt +``` + +Minimum sync rows must include `Id`. Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them. 
+ +Common update headers for this store type are: + +```csv +Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,Properties.LinuxFilePermissionsOnStoreCreation,Properties.LinuxFileOwnerOnStoreCreation,Properties.SudoImpersonatingUser,Properties.WorkFolder,Properties.RemoveRootCertificate,Properties.IncludePortInSPN,Properties.SSHPort,Properties.UseShellCommands,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time,Password +``` + +## Store Properties + +| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description | +| --- | --- | --- | --- | --- | --- | --- | --- | +| `Properties.ServerUsername` | Server Username | Secret | No | - | - | Secret; PAM eligible | A username (or valid PAM key if the username is stored in a KF Command configured PAM integration). If acting as an *agent* using local file access, just check *No Value* | +| `Properties.ServerPassword` | Server Password | Secret | No | - | - | Secret; PAM eligible | A password (or valid PAM key if the password is stored in a KF Command configured PAM integration). The password can also be an SSH private key if connecting via SSH to a server using SSH private key authentication. If acting as an *agent* using local file access, just check *No Value* | +| `Properties.LinuxFilePermissionsOnStoreCreation` | Linux File Permissions on Store Creation | String | No | - | - | No | The LinuxFilePermissionsOnStoreCreation field should contain a three-digit value between 000 and 777 representing the Linux file permissions to be set for the certificate store upon creation. Example: '600' or '755'. Overrides DefaultLinuxPermissionOnStoreCreation [config.json](#post-installation) setting. 
| +| `Properties.LinuxFileOwnerOnStoreCreation` | Linux File Owner on Store Creation | String | No | - | - | No | The LinuxFileOwnerOnStoreCreation field should contain a valid user ID recognized by the destination Linux server, optionally followed by a colon and a group ID if the group owner differs. Example: 'userID' or 'userID:groupID'. Overrides DefaultOwnerOnStoreCreation [config.json](#post-installation) setting. | +| `Properties.SudoImpersonatingUser` | Sudo Impersonating User | String | No | - | - | No | The SudoImpersonatingUser field should contain a valid user ID to impersonate using sudo on the destination Linux server. Example: 'impersonatedUserID'. Overrides [config.json](#post-installation) DefaultSudoImpersonatedUser setting. | +| `Properties.WorkFolder` | Location to use for creation/removal of work files | String | Yes | - | - | No | The WorkFolder field should contain the path on the managed server where temporary work files can be created, modified, and deleted during Inventory and Management jobs. Example: '/path/to/workfolder'. | +| `Properties.RemoveRootCertificate` | Remove Root Certificate from Chain | Bool | No | False | - | No | Remove root certificate from chain when adding/renewing a certificate in a store. | +| `Properties.IncludePortInSPN` | Include Port in SPN for WinRM | Bool | No | False | - | No | Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations. | +| `Properties.SSHPort` | SSH Port | String | No | - | - | No | Integer value representing the port that should be used when connecting to Linux servers over SSH. Overrides SSHPort [config.json](#post-installation) setting. | +| `Properties.UseShellCommands` | Use Shell Commands | Bool | No | True | - | No | Recommended to be set to the default value of 'Y'. 
For a detailed explanation of this setting, please refer to [Use Shell Commands Setting](#use-shell-commands-setting) | + +## Secret And PAM Formatting + +Direct secret values go in the base property column. If the secret value is JSON, keep the entire JSON document in one quoted CSV cell. + +```csv +Properties.ServerUsername +Properties.ServerPassword +``` + +PAM-backed property secrets use provider and parameter columns: + +```csv +Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters. +Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters. +``` + +The store password uses the `Password` column. For a PAM-backed store password, use `Password.Provider` and `Password.Parameters.` columns. + +## References + +- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md) +- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md) +- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md) +- [kfutil stores import csv](../../../kfutil_stores_import_csv.md) +- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md) diff --git a/docs/use-cases/Certificate Store Operations/Store Types/rfpem.md b/docs/use-cases/Certificate Store Operations/Store Types/rfpem.md new file mode 100644 index 00000000..bc978cb9 --- /dev/null +++ b/docs/use-cases/Certificate Store Operations/Store Types/rfpem.md 
@@ -0,0 +1,125 @@ + +# RFPEM - RFPEM + +[Store Type Index](README.md) | [Certificate Store Operations](../README.md) + +Generated from `cmd/store_types.json`. Regenerate with: + +```bash +make store-type-docs +``` + +## Overview + +| Field | Value | +| --- | --- | +| Store type | `RFPEM` | +| Name | RFPEM | +| Capability | RFPEM | +| Server required | Yes | +| Store path type | - | +| Store path value | - | +| Custom alias | Forbidden | +| Private key | Optional | +| Store password | Required; PAM eligible | +| Supported operations | Add, Create, Discovery, Enrollment, Remove | + +**ClientMachine:** The Client Machine field should contain the DNS name or IP address of the remote orchestrated server for Linux orchestrated servers, formatted as a URL (protocol://dns-or-ip:port) for Windows orchestrated servers, or '1.1.1.1|LocalMachine' for local agents. Example: 'https://myserver.mydomain.com:5986' or '1.1.1.1|LocalMachine' for local access. + +**StorePath:** The Store Path field should contain the full path and file name, including file extension if applicable, beginning with a forward slash (/) for Linux orchestrated servers or a drive letter (i.e., c:\folder\path\storename.ext) for Windows orchestrated servers. Example: '/folder/path/storename.pem' or 'c:\folder\path\storename.pem'. + +## Bulk Create + +Use one CSV per store type. 
The generated create headers for this store type are: + +```csv +ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,Properties.LinuxFilePermissionsOnStoreCreation,Properties.LinuxFileOwnerOnStoreCreation,Properties.SudoImpersonatingUser,Properties.IsTrustStore,Properties.IncludesChain,Properties.SeparatePrivateKeyFilePath,Properties.IgnorePrivateKeyOnInventory,Properties.RemoveRootCertificate,Properties.IncludePortInSPN,Properties.SSHPort,Properties.UseShellCommands,Properties.PostJobApplicationRestart,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time,Password +``` + +Create stores from the CSV: + +```bash +kfutil stores import csv \ + --file rfpem_bulk_create.csv \ + --store-type-name RFPEM \ + --no-prompt +``` + +To generate a live template from Command instead of using the static header list above: + +```bash +kfutil stores import generate-template \ + --store-type-name RFPEM \ + --outpath rfpem_bulk_create_template.csv \ + --no-prompt +``` + +## Bulk Update + +Export existing stores, edit the desired columns, then sync the rows back by `Id`: + +```bash +kfutil stores export \ + --store-type-name RFPEM \ + --outpath rfpem_export.csv \ + --no-prompt + +kfutil stores import csv \ + --file rfpem_export.csv \ + --store-type-name RFPEM \ + --sync \ + --no-prompt +``` + +Minimum sync rows must include `Id`. Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them. 
+ +Common update headers for this store type are: + +```csv +Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,Properties.LinuxFilePermissionsOnStoreCreation,Properties.LinuxFileOwnerOnStoreCreation,Properties.SudoImpersonatingUser,Properties.IsTrustStore,Properties.IncludesChain,Properties.SeparatePrivateKeyFilePath,Properties.IgnorePrivateKeyOnInventory,Properties.RemoveRootCertificate,Properties.IncludePortInSPN,Properties.SSHPort,Properties.UseShellCommands,Properties.PostJobApplicationRestart,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time,Password +``` + +## Store Properties + +| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description | +| --- | --- | --- | --- | --- | --- | --- | --- | +| `Properties.ServerUsername` | Server Username | Secret | No | - | - | Secret; PAM eligible | A username (or valid PAM key if the username is stored in a KF Command configured PAM integration). If acting as an *agent* using local file access, just check *No Value* | +| `Properties.ServerPassword` | Server Password | Secret | No | - | - | Secret; PAM eligible | A password (or valid PAM key if the password is stored in a KF Command configured PAM integration). The password can also be an SSH private key if connecting via SSH to a server using SSH private key authentication. If acting as an *agent* using local file access, just check *No Value* | +| `Properties.LinuxFilePermissionsOnStoreCreation` | Linux File Permissions on Store Creation | String | No | - | - | No | The LinuxFilePermissionsOnStoreCreation field should contain a three-digit value between 000 and 777 representing the Linux file permissions to be set for the certificate store upon creation. Example: '600' or '755'. Overrides DefaultLinuxPermissionOnStoreCreation [config.json](#post-installation) setting. 
| +| `Properties.LinuxFileOwnerOnStoreCreation` | Linux File Owner on Store Creation | String | No | - | - | No | The LinuxFileOwnerOnStoreCreation field should contain a valid user ID recognized by the destination Linux server, optionally followed by a colon and a group ID if the group owner differs. Example: 'userID' or 'userID:groupID'. Overrides DefaultOwnerOnStoreCreation [config.json](#post-installation) setting. | +| `Properties.SudoImpersonatingUser` | Sudo Impersonating User | String | No | - | - | No | The SudoImpersonatingUser field should contain a valid user ID to impersonate using sudo on the destination Linux server. Example: 'impersonatedUserID'. Overrides [config.json](#post-installation) DefaultSudoImpersonatedUser setting.. | +| `Properties.IsTrustStore` | Trust Store | Bool | No | false | - | No | The IsTrustStore field should contain a boolean value ('true' or 'false') indicating whether the store will be identified as a trust store, which can hold multiple certificates without private keys. Example: 'true' for a trust store or 'false' for a store with a single certificate and private key. | +| `Properties.IncludesChain` | Store Includes Chain | Bool | No | false | - | No | The IncludesChain field should contain a boolean value ('true' or 'false') indicating whether the certificate store includes the full certificate chain along with the end entity certificate. Example: 'true' to include the full chain or 'false' to exclude it. | +| `Properties.SeparatePrivateKeyFilePath` | Separate Private Key File Location | String | No | - | - | No | The SeparatePrivateKeyFilePath field should contain the full path and file name where the separate private key file will be stored if it is to be kept outside the main certificate file. Example: '/path/to/privatekey.pem'. 
| +| `Properties.IgnorePrivateKeyOnInventory` | Ignore Private Key On Inventory | Bool | No | false | - | No | The IgnorePrivateKeyOnInventory field should contain a boolean value ('true' or 'false') indicating whether to disregard the private key during inventory. Setting this to 'true' will allow inventory for the store without needing to supply the location of the private key or the password if the key is encrypted. However, doing this makes the store in effect inventory-only and no management jobs will be able to be run for this store. Example: 'true' to ignore the private key or 'false' to include it. | +| `Properties.RemoveRootCertificate` | Remove Root Certificate from Chain | Bool | No | False | - | No | Remove root certificate from chain when adding/renewing a certificate in a store. | +| `Properties.IncludePortInSPN` | Include Port in SPN for WinRM | Bool | No | False | - | No | Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations. | +| `Properties.SSHPort` | SSH Port | String | No | - | - | No | Integer value representing the port that should be used when connecting to Linux servers over SSH. Overrides SSHPort [config.json](#post-installation) setting. | +| `Properties.UseShellCommands` | Use Shell Commands | Bool | No | True | - | No | Recommended to be set to the default value of 'Y'. For a detailed explanation of this setting, please refer to [Use Shell Commands Setting](#use-shell-commands-setting) | +| `Properties.PostJobApplicationRestart` | Post Job Application Restart | MultipleChoice | No | Apache HTTPD Restart,NGNIX Restart,HAProxy Restart,Envoy Proxy Restart | - | No | Select the command to be run after a Management Add or ODKG job executes. Leave unselected if no command is desired. | + +## Secret And PAM Formatting + +Direct secret values go in the base property column. If the secret value is JSON, keep the entire JSON document in one quoted CSV cell. 
+ +```csv +Properties.ServerUsername +Properties.ServerPassword +``` + +PAM-backed property secrets use provider and parameter columns: + +```csv +Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters. +Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters. +``` + +The store password uses the `Password` column. For a PAM-backed store password, use `Password.Provider` and `Password.Parameters.` columns. + +## References + +- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md) +- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md) +- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md) +- [kfutil stores import csv](../../../kfutil_stores_import_csv.md) +- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md) diff --git a/docs/use-cases/Certificate Store Operations/Store Types/rfpkcs12.md b/docs/use-cases/Certificate Store Operations/Store Types/rfpkcs12.md new file mode 100644 index 00000000..cdf5a535 --- /dev/null +++ b/docs/use-cases/Certificate Store Operations/Store Types/rfpkcs12.md 
@@ -0,0 +1,120 @@ + +# RFPkcs12 - RFPkcs12 + +[Store Type Index](README.md) | [Certificate Store Operations](../README.md) + +Generated from `cmd/store_types.json`. Regenerate with: + +```bash +make store-type-docs +``` + +## Overview + +| Field | Value | +| --- | --- | +| Store type | `RFPkcs12` | +| Name | RFPkcs12 | +| Capability | RFPkcs12 | +| Server required | Yes | +| Store path type | - | +| Store path value | - | +| Custom alias | Required | +| Private key | Optional | +| Store password | Required; PAM eligible | +| Supported operations | Add, Create, Discovery, Enrollment, Remove | + +**ClientMachine:** The Client Machine field should contain the DNS name or IP address of the remote orchestrated server for Linux orchestrated servers, formatted as a URL (protocol://dns-or-ip:port) for Windows orchestrated servers, or '1.1.1.1|LocalMachine' for local agents. Example: 'https://myserver.mydomain.com:5986' or '1.1.1.1|LocalMachine' for local access. + +**StorePath:** The Store Path field should contain the full path and file name, including file extension if applicable, beginning with a forward slash (/) for Linux orchestrated servers or a drive letter (i.e., c:\folder\path\storename.p12) for Windows orchestrated servers. Example: '/folder/path/storename.p12' or 'c:\folder\path\storename.p12'. + +## Bulk Create + +Use one CSV per store type. 
The generated create headers for this store type are: + +```csv +ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,Properties.LinuxFilePermissionsOnStoreCreation,Properties.LinuxFileOwnerOnStoreCreation,Properties.SudoImpersonatingUser,Properties.RemoveRootCertificate,Properties.IncludePortInSPN,Properties.SSHPort,Properties.UseShellCommands,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time,Password +``` + +Create stores from the CSV: + +```bash +kfutil stores import csv \ + --file rfpkcs12_bulk_create.csv \ + --store-type-name RFPkcs12 \ + --no-prompt +``` + +To generate a live template from Command instead of using the static header list above: + +```bash +kfutil stores import generate-template \ + --store-type-name RFPkcs12 \ + --outpath rfpkcs12_bulk_create_template.csv \ + --no-prompt +``` + +## Bulk Update + +Export existing stores, edit the desired columns, then sync the rows back by `Id`: + +```bash +kfutil stores export \ + --store-type-name RFPkcs12 \ + --outpath rfpkcs12_export.csv \ + --no-prompt + +kfutil stores import csv \ + --file rfpkcs12_export.csv \ + --store-type-name RFPkcs12 \ + --sync \ + --no-prompt +``` + +Minimum sync rows must include `Id`. Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them. 
+ +Common update headers for this store type are: + +```csv +Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,Properties.LinuxFilePermissionsOnStoreCreation,Properties.LinuxFileOwnerOnStoreCreation,Properties.SudoImpersonatingUser,Properties.RemoveRootCertificate,Properties.IncludePortInSPN,Properties.SSHPort,Properties.UseShellCommands,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time,Password +``` + +## Store Properties + +| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description | +| --- | --- | --- | --- | --- | --- | --- | --- | +| `Properties.ServerUsername` | Server Username | Secret | No | - | - | Secret; PAM eligible | A username (or valid PAM key if the username is stored in a KF Command configured PAM integration). If acting as an *agent* using local file access, just check *No Value* | +| `Properties.ServerPassword` | Server Password | Secret | No | - | - | Secret; PAM eligible | A password (or valid PAM key if the password is stored in a KF Command configured PAM integration). The password can also be an SSH private key if connecting via SSH to a server using SSH private key authentication. If acting as an *agent* using local file access, just check *No Value* | +| `Properties.LinuxFilePermissionsOnStoreCreation` | Linux File Permissions on Store Creation | String | No | - | - | No | The LinuxFilePermissionsOnStoreCreation field should contain a three-digit value between 000 and 777 representing the Linux file permissions to be set for the certificate store upon creation. Example: '600' or '755'. Overrides DefaultLinuxPermissionOnStoreCreation [config.json](#post-installation) setting. 
| +| `Properties.LinuxFileOwnerOnStoreCreation` | Linux File Owner on Store Creation | String | No | - | - | No | The LinuxFileOwnerOnStoreCreation field should contain a valid user ID recognized by the destination Linux server, optionally followed by a colon and a group ID if the group owner differs. Example: 'userID' or 'userID:groupID'. Overrides DefaultOwnerOnStoreCreation [config.json](#post-installation) setting. | +| `Properties.SudoImpersonatingUser` | Sudo Impersonating User | String | No | - | - | No | The SudoImpersonatingUser field should contain a valid user ID to impersonate using sudo on the destination Linux server. Example: 'impersonatedUserID'. Overrides DefaultSudoImpersonatedUser [config.json](#post-installation) setting. | +| `Properties.RemoveRootCertificate` | Remove Root Certificate from Chain | Bool | No | False | - | No | Remove root certificate from chain when adding/renewing a certificate in a store. | +| `Properties.IncludePortInSPN` | Include Port in SPN for WinRM | Bool | No | False | - | No | Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations. | +| `Properties.SSHPort` | SSH Port | String | No | - | - | No | Integer value representing the port that should be used when connecting to Linux servers over SSH. Overrides SSHPort [config.json](#post-installation) setting. | +| `Properties.UseShellCommands` | Use Shell Commands | Bool | No | True | - | No | Recommended to be set to the default value of 'Y'. For a detailed explanation of this setting, please refer to [Use Shell Commands Setting](#use-shell-commands-setting) | + +## Secret And PAM Formatting + +Direct secret values go in the base property column. If the secret value is JSON, keep the entire JSON document in one quoted CSV cell. 
+ +```csv +Properties.ServerUsername +Properties.ServerPassword +``` + +PAM-backed property secrets use provider and parameter columns: + +```csv +Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters. +Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters. +``` + +The store password uses the `Password` column. For a PAM-backed store password, use `Password.Provider` and `Password.Parameters.` columns. + +## References + +- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md) +- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md) +- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md) +- [kfutil stores import csv](../../../kfutil_stores_import_csv.md) +- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md) diff --git a/docs/use-cases/Certificate Store Operations/Store Types/signum.md b/docs/use-cases/Certificate Store Operations/Store Types/signum.md new file mode 100644 index 00000000..0c0c921e --- /dev/null +++ b/docs/use-cases/Certificate Store Operations/Store Types/signum.md 
@@ -0,0 +1,111 @@
+
+# Signum - Signum
+
+[Store Type Index](README.md) | [Certificate Store Operations](../README.md)
+
+Generated from `cmd/store_types.json`. Regenerate with:
+
+```bash
+make store-type-docs
+```
+
+## Overview
+
+| Field | Value |
+| --- | --- |
+| Store type | `Signum` |
+| Name | Signum |
+| Capability | Signum |
+| Server required | Yes |
+| Store path type | - |
+| Store path value | - |
+| Custom alias | Required |
+| Private key | Required |
+| Store password | Not required |
+| Supported operations | None |
+
+**ClientMachine:** The URL that will be used as the base URL for Signum endpoint calls. Should be something like https://{base url for your signum install}/rtadminservice.svc/basic. The API service port can be configured so yours may use something other than default https/443. The '/basic' at the end is required, as this integration makes use of Basic Authentication only when consuming the Signum SOAP API library.
+
+**StorePath:** Not used and hardcoded to NA for 'not applicable'
+
+## Bulk Create
+
+Use one CSV per store type.
The generated create headers for this store type are:
+
+```csv
+ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+Create stores from the CSV:
+
+```bash
+kfutil stores import csv \
+ --file signum_bulk_create.csv \
+ --store-type-name Signum \
+ --no-prompt
+```
+
+To generate a live template from Command instead of using the static header list above:
+
+```bash
+kfutil stores import generate-template \
+ --store-type-name Signum \
+ --outpath signum_bulk_create_template.csv \
+ --no-prompt
+```
+
+## Bulk Update
+
+Export existing stores, edit the desired columns, then sync the rows back by `Id`:
+
+```bash
+kfutil stores export \
+ --store-type-name Signum \
+ --outpath signum_export.csv \
+ --no-prompt
+
+kfutil stores import csv \
+ --file signum_export.csv \
+ --store-type-name Signum \
+ --sync \
+ --no-prompt
+```
+
+Minimum sync rows must include `Id`. Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them.
+
+Common update headers for this store type are:
+
+```csv
+Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+## Store Properties
+
+| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| `Properties.ServerUsername` | Server Username | Secret | Yes | - | - | Secret; PAM eligible | The user ID (or PAM key pointing to the user ID) to use with authorization to execute Signum SOAP endpoints in your Signum environment.
|
+| `Properties.ServerPassword` | Server Password | Secret | Yes | - | - | Secret; PAM eligible | The password (or PAM key pointing to the password) for the user ID you entered for Server User Name. |
+
+## Secret And PAM Formatting
+
+Direct secret values go in the base property column. If the secret value is JSON, keep the entire JSON document in one quoted CSV cell.
+
+```csv
+Properties.ServerUsername
+Properties.ServerPassword
+```
+
+PAM-backed property secrets use provider and parameter columns:
+
+```csv
+Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters.
+Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.
+```
+
+## References
+
+- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md)
+- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md)
+- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md)
+- [kfutil stores import csv](../../../kfutil_stores_import_csv.md)
+- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md)
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/sos.md b/docs/use-cases/Certificate Store Operations/Store Types/sos.md
new file mode 100644
index 00000000..9150bd6c
--- /dev/null
+++ b/docs/use-cases/Certificate Store Operations/Store Types/sos.md
@@ -0,0 +1,122 @@
+
+# SOS - Sample Orchestrator Solution
+
+[Store Type Index](README.md) | [Certificate Store Operations](../README.md)
+
+Generated from `cmd/store_types.json`. Regenerate with:
+
+```bash
+make store-type-docs
+```
+
+## Overview
+
+| Field | Value |
+| --- | --- |
+| Store type | `SOS` |
+| Name | Sample Orchestrator Solution |
+| Capability | SOS |
+| Server required | Yes |
+| Store path type | - |
+| Store path value | - |
+| Custom alias | Forbidden |
+| Private key | Optional |
+| Store password | Required |
+| Supported operations | Add, Create, Discovery, Enrollment, Remove |
+
+**ClientMachine:** The base URL of the SOS API (i.e. http://localhost:8080)
+
+**StorePath:** The name of the store as defined in the SOS system (i.e. SampleKeyStore2).
+
+## Bulk Create
+
+Use one CSV per store type. The generated create headers for this store type are:
+
+```csv
+ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.StoreNameString,Properties.ForTestingOnlyBool,Properties.CollectionNameMultipleChoice,Properties.PrivateDetailsSecret,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time,Password
+```
+
+Create stores from the CSV:
+
+```bash
+kfutil stores import csv \
+ --file sos_bulk_create.csv \
+ --store-type-name SOS \
+ --no-prompt
+```
+
+To generate a live template from Command instead of using the static header list above:
+
+```bash
+kfutil stores import generate-template \
+ --store-type-name SOS \
+ --outpath sos_bulk_create_template.csv \
+ --no-prompt
+```
+
+## Bulk Update
+
+Export existing stores, edit the desired columns, then sync the rows back by `Id`:
+
+```bash
+kfutil stores export \
+ --store-type-name SOS \
+ --outpath sos_export.csv \
+ --no-prompt
+
+kfutil stores import csv \
+ --file sos_export.csv \
+ --store-type-name SOS \
+ --sync \
+ --no-prompt
+```
+
+Minimum sync rows must include `Id`.
Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them.
+
+Common update headers for this store type are:
+
+```csv
+Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.StoreNameString,Properties.ForTestingOnlyBool,Properties.CollectionNameMultipleChoice,Properties.PrivateDetailsSecret,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time,Password
+```
+
+## Store Properties
+
+| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| `Properties.StoreNameString` | Store Name | String | No | - | - | No | The Store name for the particular SOS store. |
+| `Properties.ForTestingOnlyBool` | For Testing Only | Bool | No | true | - | No | Test bool variable. |
+| `Properties.CollectionNameMultipleChoice` | Collection Name | MultipleChoice | Yes | internal | - | No | A test collection. |
+| `Properties.PrivateDetailsSecret` | Private Details | Secret | No | test | - | Secret | A test secret. |
+
+## Certificate Entry Parameters
+
+These parameters apply to certificate add/enrollment operations for this store type. They are not store create/sync CSV columns unless another workflow explicitly asks for them.
+
+| Name | Display name | Type | Required when | Default | Depends on | Description |
+| --- | --- | --- | --- | --- | --- | --- |
+| `CommaSeparatedSansString` | SANs | String | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":true,"OnRemove":false} | - | - | SAN string. |
+| `CertColorMultipleChoice` | Certificate Color | MultipleChoice | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":false,"OnRemove":false} | red | - | A test variable with multiple choice.
|
+| `ForTestingOnlyBool` | For Testing Only | Bool | {"HasPrivateKey":true,"OnAdd":false,"OnReenrollment":false,"OnRemove":false} | true | - | Another test boolean. |
+| `PrivateCertDetailsSecret` | Private Cert Details | Secret | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":false,"OnRemove":false} | test | - | A per cert secret. |
+
+## Secret And PAM Formatting
+
+Direct secret values go in the base property column. If the secret value is JSON, keep the entire JSON document in one quoted CSV cell.
+
+```csv
+Properties.PrivateDetailsSecret
+```
+
+PAM-backed property secrets use provider and parameter columns:
+
+```csv
+Properties.PrivateDetailsSecret.Provider,Properties.PrivateDetailsSecret.Parameters.
+```
+
+## References
+
+- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md)
+- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md)
+- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md)
+- [kfutil stores import csv](../../../kfutil_stores_import_csv.md)
+- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md)
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/thundermgmt.md b/docs/use-cases/Certificate Store Operations/Store Types/thundermgmt.md
new file mode 100644
index 00000000..2bb5b496
--- /dev/null
+++ b/docs/use-cases/Certificate Store Operations/Store Types/thundermgmt.md
@@ -0,0 +1,115 @@
+
+# ThunderMgmt - A10 Thunder Management Certificates
+
+[Store Type Index](README.md) | [Certificate Store Operations](../README.md)
+
+Generated from `cmd/store_types.json`. Regenerate with:
+
+```bash
+make store-type-docs
+```
+
+## Overview
+
+| Field | Value |
+| --- | --- |
+| Store type | `ThunderMgmt` |
+| Name | A10 Thunder Management Certificates |
+| Capability | ThunderMgmt |
+| Server required | Yes |
+| Store path type | - |
+| Store path value | - |
+| Custom alias | Required |
+| Private key | Required |
+| Store password | Not required |
+| Supported operations | Add, Remove |
+
+**ClientMachine:** Hostname or IP address of the A10 vThunder appliance to be managed. The orchestrator will establish an AXAPI (REST API) connection using the credentials specified in the Server Username and Server Password fields to trigger certificate installation on the management interface after uploading files via SCP.
+
+**StorePath:** Absolute directory path on the SCP server where certificate files (.crt and .key) will be uploaded. The A10 device will retrieve certificate files from this location. Example: '/home/certuser'. The specified path must exist and the SCP user must have write permissions to this directory.
+
+## Bulk Create
+
+Use one CSV per store type.
The generated create headers for this store type are:
+
+```csv
+ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.OrchToScpServerIp,Properties.ScpPort,Properties.ScpUserName,Properties.ScpPassword,Properties.A10ToScpServerIp,Properties.allowInvalidCert,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+Create stores from the CSV:
+
+```bash
+kfutil stores import csv \
+ --file thundermgmt_bulk_create.csv \
+ --store-type-name ThunderMgmt \
+ --no-prompt
+```
+
+To generate a live template from Command instead of using the static header list above:
+
+```bash
+kfutil stores import generate-template \
+ --store-type-name ThunderMgmt \
+ --outpath thundermgmt_bulk_create_template.csv \
+ --no-prompt
+```
+
+## Bulk Update
+
+Export existing stores, edit the desired columns, then sync the rows back by `Id`:
+
+```bash
+kfutil stores export \
+ --store-type-name ThunderMgmt \
+ --outpath thundermgmt_export.csv \
+ --no-prompt
+
+kfutil stores import csv \
+ --file thundermgmt_export.csv \
+ --store-type-name ThunderMgmt \
+ --sync \
+ --no-prompt
+```
+
+Minimum sync rows must include `Id`. Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them.
+
+Common update headers for this store type are:
+
+```csv
+Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.OrchToScpServerIp,Properties.ScpPort,Properties.ScpUserName,Properties.ScpPassword,Properties.A10ToScpServerIp,Properties.allowInvalidCert,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+## Store Properties
+
+| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| `Properties.OrchToScpServerIp` | Orch To Scp Server Ip | String | Yes | - | - | No | IP address or hostname of the SCP server that the Universal Orchestrator will connect to for uploading certificate files. This SCP server acts as an intermediary storage location before the A10 device retrieves the certificates. |
+| `Properties.ScpPort` | Port Used For Scp | String | Yes | - | - | No | TCP port number used for SSH/SCP connections to the SCP server. Typically port 22 for standard SSH/SCP operations. |
+| `Properties.ScpUserName` | UserName Used For Scp | Secret | Yes | - | - | Secret | Username credential for authenticating to the SCP server. This account must have write permissions to the target directory path specified in the certificate store configuration. Supports PAM integration for secure credential retrieval. |
+| `Properties.ScpPassword` | Password Used For Scp | Secret | Yes | - | - | Secret | Password credential for authenticating to the SCP server. Used in conjunction with ScpUserName for SSH/SCP authentication. Supports PAM integration for secure credential retrieval. |
+| `Properties.A10ToScpServerIp` | A10 Device To Scp Server Ip | String | Yes | - | - | No | IP address or hostname that the A10 vThunder device uses to connect to the SCP server for retrieving certificate files.
This may differ from OrchToScpServerIp due to network topology, routing, or firewall configurations where the A10 device and orchestrator access the SCP server through different network paths. |
+| `Properties.allowInvalidCert` | Allow Invalid Cert on A10 Management API | Bool | Yes | true | - | No | Boolean value specifying whether to allow connections to the A10 vThunder management API when it presents an invalid or self-signed SSL/TLS certificate. Set to true to bypass certificate validation for AXAPI connections used during the certificate installation process. |
+
+## Secret And PAM Formatting
+
+Direct secret values go in the base property column. If the secret value is JSON, keep the entire JSON document in one quoted CSV cell.
+
+```csv
+Properties.ScpUserName
+Properties.ScpPassword
+```
+
+PAM-backed property secrets use provider and parameter columns:
+
+```csv
+Properties.ScpUserName.Provider,Properties.ScpUserName.Parameters.
+Properties.ScpPassword.Provider,Properties.ScpPassword.Parameters.
+```
+
+## References
+
+- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md)
+- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md)
+- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md)
+- [kfutil stores import csv](../../../kfutil_stores_import_csv.md)
+- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md)
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/thunderssl.md b/docs/use-cases/Certificate Store Operations/Store Types/thunderssl.md
new file mode 100644
index 00000000..4b952cce
--- /dev/null
+++ b/docs/use-cases/Certificate Store Operations/Store Types/thunderssl.md
@@ -0,0 +1,94 @@
+
+# ThunderSsl - A10 Thunder Ssl Certificates
+
+[Store Type Index](README.md) | [Certificate Store Operations](../README.md)
+
+Generated from `cmd/store_types.json`. Regenerate with:
+
+```bash
+make store-type-docs
+```
+
+## Overview
+
+| Field | Value |
+| --- | --- |
+| Store type | `ThunderSsl` |
+| Name | A10 Thunder Ssl Certificates |
+| Capability | ThunderSsl |
+| Server required | Yes |
+| Store path type | - |
+| Store path value | - |
+| Custom alias | Required |
+| Private key | Optional |
+| Store password | Not required |
+| Supported operations | Add, Remove |
+
+**ClientMachine:** Hostname or IP address of the A10 vThunder appliance to be managed. The orchestrator will establish an AXAPI (REST API) connection using the credentials specified in the Server Username and Server Password fields to manage SSL certificates directly on the device.
+
+**StorePath:** A10 partition name where certificates will be managed. Use 'shared' for the default shared partition, or specify a custom partition name (e.g., 'tenant-prod') for multi-tenant deployments. The partition must already exist on the A10 device. Leave empty to default to the shared partition.
+
+## Bulk Create
+
+Use one CSV per store type.
The generated create headers for this store type are:
+
+```csv
+ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.allowInvalidCert,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+Create stores from the CSV:
+
+```bash
+kfutil stores import csv \
+ --file thunderssl_bulk_create.csv \
+ --store-type-name ThunderSsl \
+ --no-prompt
+```
+
+To generate a live template from Command instead of using the static header list above:
+
+```bash
+kfutil stores import generate-template \
+ --store-type-name ThunderSsl \
+ --outpath thunderssl_bulk_create_template.csv \
+ --no-prompt
+```
+
+## Bulk Update
+
+Export existing stores, edit the desired columns, then sync the rows back by `Id`:
+
+```bash
+kfutil stores export \
+ --store-type-name ThunderSsl \
+ --outpath thunderssl_export.csv \
+ --no-prompt
+
+kfutil stores import csv \
+ --file thunderssl_export.csv \
+ --store-type-name ThunderSsl \
+ --sync \
+ --no-prompt
+```
+
+Minimum sync rows must include `Id`. Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them.
+
+Common update headers for this store type are:
+
+```csv
+Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.allowInvalidCert,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+## Store Properties
+
+| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| `Properties.allowInvalidCert` | Allow Invalid Cert on A10 Management API | Bool | Yes | true | - | No | Boolean value specifying whether to allow connections to the A10 vThunder management API when it presents an invalid or self-signed SSL/TLS certificate.
Set to true to bypass certificate validation for AXAPI connections. |
+
+## References
+
+- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md)
+- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md)
+- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md)
+- [kfutil stores import csv](../../../kfutil_stores_import_csv.md)
+- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md)
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/vcenter.md b/docs/use-cases/Certificate Store Operations/Store Types/vcenter.md
new file mode 100644
index 00000000..c2f12475
--- /dev/null
+++ b/docs/use-cases/Certificate Store Operations/Store Types/vcenter.md
@@ -0,0 +1,111 @@
+
+# vCenter - VMware vCenter
+
+[Store Type Index](README.md) | [Certificate Store Operations](../README.md)
+
+Generated from `cmd/store_types.json`. Regenerate with:
+
+```bash
+make store-type-docs
+```
+
+## Overview
+
+| Field | Value |
+| --- | --- |
+| Store type | `vCenter` |
+| Name | VMware vCenter |
+| Capability | vCenter |
+| Server required | Yes |
+| Store path type | - |
+| Store path value | - |
+| Custom alias | Optional |
+| Private key | Optional |
+| Store password | Not required |
+| Supported operations | Add, Remove |
+
+**ClientMachine:** The domain name of the vSphere client managing vCenter (url to vCenter host without the 'https://'.
+
+**StorePath:** A unique identifier for this store. The actual value is unused by the orchestrator extension
+
+## Bulk Create
+
+Use one CSV per store type. The generated create headers for this store type are:
+
+```csv
+ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+Create stores from the CSV:
+
+```bash
+kfutil stores import csv \
+ --file vcenter_bulk_create.csv \
+ --store-type-name vCenter \
+ --no-prompt
+```
+
+To generate a live template from Command instead of using the static header list above:
+
+```bash
+kfutil stores import generate-template \
+ --store-type-name vCenter \
+ --outpath vcenter_bulk_create_template.csv \
+ --no-prompt
+```
+
+## Bulk Update
+
+Export existing stores, edit the desired columns, then sync the rows back by `Id`:
+
+```bash
+kfutil stores export \
+ --store-type-name vCenter \
+ --outpath vcenter_export.csv \
+ --no-prompt
+
+kfutil stores import csv \
+ --file vcenter_export.csv \
+ --store-type-name vCenter \
+ --sync \
+ --no-prompt
+```
+
+Minimum sync rows must include `Id`.
Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them.
+
+Common update headers for this store type are:
+
+```csv
+Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+## Store Properties
+
+| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| `Properties.ServerUsername` | Server Username | Secret | Yes | - | - | Secret; PAM eligible | The vCenter username used to manage the vCenter connection |
+| `Properties.ServerPassword` | Server Password | Secret | Yes | - | - | Secret; PAM eligible | The secret vCenter password used to manage the vCenter connection |
+
+## Secret And PAM Formatting
+
+Direct secret values go in the base property column. If the secret value is JSON, keep the entire JSON document in one quoted CSV cell.
+
+```csv
+Properties.ServerUsername
+Properties.ServerPassword
+```
+
+PAM-backed property secrets use provider and parameter columns:
+
+```csv
+Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters.
+Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.
+```
+
+## References
+
+- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md)
+- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md)
+- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md)
+- [kfutil stores import csv](../../../kfutil_stores_import_csv.md)
+- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md)
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/vmware-nsx.md b/docs/use-cases/Certificate Store Operations/Store Types/vmware-nsx.md
new file mode 100644
index 00000000..bab47908
--- /dev/null
+++ b/docs/use-cases/Certificate Store Operations/Store Types/vmware-nsx.md
@@ -0,0 +1,112 @@
+
+# VMware-NSX - VMware-NSX
+
+[Store Type Index](README.md) | [Certificate Store Operations](../README.md)
+
+Generated from `cmd/store_types.json`. Regenerate with:
+
+```bash
+make store-type-docs
+```
+
+## Overview
+
+| Field | Value |
+| --- | --- |
+| Store type | `VMware-NSX` |
+| Name | VMware-NSX |
+| Capability | VMware-NSX |
+| Server required | Yes |
+| Store path type | MultipleChoice |
+| Store path value | ["Application","Controller","CA"] |
+| Custom alias | Required |
+| Private key | Optional |
+| Store password | Not required |
+| Supported operations | Add, Remove |
+
+**ClientMachine:** This is the URL for the VMware NSX instance. It also includes an optional tenant in square brackets before the URL. A tenant value is required when the certificates being managed are in a different tenant from the default tenant set for the NSX User specified for the store. This should look like either: [optional-tenant-name]https://my.nsx.url/ OR https://my.nsx.url/
+
+**StorePath:** A selection from the different certificate types supported: Application, Controller, or CA.
+
+## Bulk Create
+
+Use one CSV per store type.
The generated create headers for this store type are:
+
+```csv
+ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,Properties.ApiVersion,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+Create stores from the CSV:
+
+```bash
+kfutil stores import csv \
+ --file vmware-nsx_bulk_create.csv \
+ --store-type-name VMware-NSX \
+ --no-prompt
+```
+
+To generate a live template from Command instead of using the static header list above:
+
+```bash
+kfutil stores import generate-template \
+ --store-type-name VMware-NSX \
+ --outpath vmware-nsx_bulk_create_template.csv \
+ --no-prompt
+```
+
+## Bulk Update
+
+Export existing stores, edit the desired columns, then sync the rows back by `Id`:
+
+```bash
+kfutil stores export \
+ --store-type-name VMware-NSX \
+ --outpath vmware-nsx_export.csv \
+ --no-prompt
+
+kfutil stores import csv \
+ --file vmware-nsx_export.csv \
+ --store-type-name VMware-NSX \
+ --sync \
+ --no-prompt
+```
+
+Minimum sync rows must include `Id`. Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them.
+
+Common update headers for this store type are:
+
+```csv
+Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.ServerUsername,Properties.ServerPassword,Properties.ApiVersion,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+## Store Properties
+
+| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| `Properties.ServerUsername` | Server Username | Secret | Yes | - | - | Secret; PAM eligible | The username of the user to log on as in VMware NSX ALB.
|
+| `Properties.ServerPassword` | Server Password | Secret | Yes | - | - | Secret; PAM eligible | The password of the user to log on as in VMware NSX ALB. |
+| `Properties.ApiVersion` | X-Avi-Version | String | Yes | 20.1.1 | - | No | The API Version of Avi / NSX to target. A default is set for the version this was originally developed and tested against. |
+
+## Secret And PAM Formatting
+
+Direct secret values go in the base property column. If the secret value is JSON, keep the entire JSON document in one quoted CSV cell.
+
+```csv
+Properties.ServerUsername
+Properties.ServerPassword
+```
+
+PAM-backed property secrets use provider and parameter columns:
+
+```csv
+Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters.
+Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.
+```
+
+## References
+
+- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md)
+- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md)
+- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md)
+- [kfutil stores import csv](../../../kfutil_stores_import_csv.md)
+- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md)
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/winadfs.md b/docs/use-cases/Certificate Store Operations/Store Types/winadfs.md
new file mode 100644
index 00000000..aff784f4
--- /dev/null
+++ b/docs/use-cases/Certificate Store Operations/Store Types/winadfs.md
@@ -0,0 +1,123 @@
+
+# WinAdfs - ADFS Rotation Manager
+
+[Store Type Index](README.md) | [Certificate Store Operations](../README.md)
+
+Generated from `cmd/store_types.json`. Regenerate with:
+
+```bash
+make store-type-docs
+```
+
+## Overview
+
+| Field | Value |
+| --- | --- |
+| Store type | `WinAdfs` |
+| Name | ADFS Rotation Manager |
+| Capability | WinAdfs |
+| Server required | Yes |
+| Store path type | - |
+| Store path value | My |
+| Custom alias | Forbidden |
+| Private key | Required |
+| Store password | Not required |
+| Supported operations | Add |
+
+**ClientMachine:** Since this extension type must run as an agent (The UO Must be installed on the PRIMARY ADFS Server), the ClientMachine must follow the naming convention as outlined in the Client Machine Instructions. Secondary ADFS Nodes will be automatically be updated with the same certificate added on the PRIMARY ADFS server.
+
+**StorePath:** Fixed string value of 'My' indicating the Personal store on the Local Machine. All ADFS Service-Communications certificates are located in the 'My' personal store by default.
+
+## Bulk Create
+
+Use one CSV per store type.
The generated create headers for this store type are:
+
+```csv
+ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.spnwithport,Properties.WinRM Protocol,Properties.WinRM Port,Properties.ServerUsername,Properties.ServerPassword,Properties.ServerUseSsl,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+Create stores from the CSV:
+
+```bash
+kfutil stores import csv \
+ --file winadfs_bulk_create.csv \
+ --store-type-name WinAdfs \
+ --no-prompt
+```
+
+To generate a live template from Command instead of using the static header list above:
+
+```bash
+kfutil stores import generate-template \
+ --store-type-name WinAdfs \
+ --outpath winadfs_bulk_create_template.csv \
+ --no-prompt
+```
+
+## Bulk Update
+
+Export existing stores, edit the desired columns, then sync the rows back by `Id`:
+
+```bash
+kfutil stores export \
+ --store-type-name WinAdfs \
+ --outpath winadfs_export.csv \
+ --no-prompt
+
+kfutil stores import csv \
+ --file winadfs_export.csv \
+ --store-type-name WinAdfs \
+ --sync \
+ --no-prompt
+```
+
+Minimum sync rows must include `Id`. Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them.
+
+Common update headers for this store type are:
+
+```csv
+Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.spnwithport,Properties.WinRM Protocol,Properties.WinRM Port,Properties.ServerUsername,Properties.ServerPassword,Properties.ServerUseSsl,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time
+```
+
+## Store Properties
+
+| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| `Properties.spnwithport` | SPN With Port | Bool | No | false | - | No | Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations. |
+| `Properties.WinRM Protocol` | WinRM Protocol | MultipleChoice | Yes | https,http,ssh | - | No | Multiple choice value specifying which protocol to use. Protocols https or http use WinRM to connect from Windows to Windows Servers. Using ssh is only supported when running the orchestrator in a Linux environment. |
+| `Properties.WinRM Port` | WinRM Port | String | Yes | 5986 | - | No | String value specifying the port number that the Windows target server's WinRM listener is configured to use. Example: '5986' for HTTPS or '5985' for HTTP. By default, when using ssh in a Linux environment, the default port number is 22. |
+| `Properties.ServerUsername` | Server Username | Secret | No | - | - | Secret | Username used to log into the target server for establishing the WinRM session. Example: 'administrator' or 'domain\username'. (This field is automatically created) |
+| `Properties.ServerPassword` | Server Password | Secret | No | - | - | Secret | Password corresponding to the Server Username used to log into the target server. When establishing a SSH session from a Linux environment, the password must include the full SSH Private key.
(This field is automatically created) |
+| `Properties.ServerUseSsl` | Use SSL | Bool | Yes | true | - | No | Determine whether the server uses SSL or not (This field is automatically created) |
+
+## Certificate Entry Parameters
+
+These parameters apply to certificate add/enrollment operations for this store type. They are not store create/sync CSV columns unless another workflow explicitly asks for them.
+
+| Name | Display name | Type | Required when | Default | Depends on | Description |
+| --- | --- | --- | --- | --- | --- | --- |
+| `ProviderName` | Crypto Provider Name | String | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":false,"OnRemove":false} | - | - | Name of the Windows cryptographic service provider to use when generating and storing private keys. For more information, refer to the section 'Using Crypto Service Providers' |
+
+## Secret And PAM Formatting
+
+Direct secret values go in the base property column. If the secret value is JSON, keep the entire JSON document in one quoted CSV cell.
+
+```csv
+Properties.ServerUsername
+Properties.ServerPassword
+```
+
+PAM-backed property secrets use provider and parameter columns:
+
+```csv
+Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters.
+Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.
+```
+
+## References
+
+- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md)
+- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md)
+- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md)
+- [kfutil stores import csv](../../../kfutil_stores_import_csv.md)
+- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md)
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/wincermgmt.md b/docs/use-cases/Certificate Store Operations/Store Types/wincermgmt.md
new file mode 100644
index 00000000..5f481198
--- /dev/null
+++ b/docs/use-cases/Certificate Store Operations/Store Types/wincermgmt.md 
@@ -0,0 +1,90 @@ + +# WinCerMgmt - WinCerMgmt + +[Store Type Index](README.md) | [Certificate Store Operations](../README.md) + +Generated from `cmd/store_types.json`. Regenerate with: + +```bash +make store-type-docs +``` + +## Overview + +| Field | Value | +| --- | --- | +| Store type | `WinCerMgmt` | +| Name | WinCerMgmt | +| Capability | WinCerMgmt | +| Server required | Yes | +| Store path type | - | +| Store path value | - | +| Custom alias | Forbidden | +| Private key | Optional | +| Store password | Not required | +| Supported operations | Add, Remove | + +## Bulk Create + +Use one CSV per store type. The generated create headers for this store type are: + +```csv +ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.spnwithport,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time +``` + +Create stores from the CSV: + +```bash +kfutil stores import csv \ + --file wincermgmt_bulk_create.csv \ + --store-type-name WinCerMgmt \ + --no-prompt +``` + +To generate a live template from Command instead of using the static header list above: + +```bash +kfutil stores import generate-template \ + --store-type-name WinCerMgmt \ + --outpath wincermgmt_bulk_create_template.csv \ + --no-prompt +``` + +## Bulk Update + +Export existing stores, edit the desired columns, then sync the rows back by `Id`: + +```bash +kfutil stores export \ + --store-type-name WinCerMgmt \ + --outpath wincermgmt_export.csv \ + --no-prompt + +kfutil stores import csv \ + --file wincermgmt_export.csv \ + --store-type-name WinCerMgmt \ + --sync \ + --no-prompt +``` + +Minimum sync rows must include `Id`. Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them. 
+ +Common update headers for this store type are: + +```csv +Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.spnwithport,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time +``` + +## Store Properties + +| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description | +| --- | --- | --- | --- | --- | --- | --- | --- | +| `Properties.spnwithport` | spnwithport | Bool | No | false | - | No | - | + +## References + +- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md) +- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md) +- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md) +- [kfutil stores import csv](../../../kfutil_stores_import_csv.md) +- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md) diff --git a/docs/use-cases/Certificate Store Operations/Store Types/wincert.md b/docs/use-cases/Certificate Store Operations/Store Types/wincert.md new file mode 100644 index 00000000..7a6b3d86 --- /dev/null +++ b/docs/use-cases/Certificate Store Operations/Store Types/wincert.md 
@@ -0,0 +1,123 @@ + +# WinCert - Windows Certificate + +[Store Type Index](README.md) | [Certificate Store Operations](../README.md) + +Generated from `cmd/store_types.json`. Regenerate with: + +```bash +make store-type-docs +``` + +## Overview + +| Field | Value | +| --- | --- | +| Store type | `WinCert` | +| Name | Windows Certificate | +| Capability | WinCert | +| Server required | Yes | +| Store path type | - | +| Store path value | - | +| Custom alias | Forbidden | +| Private key | Optional | +| Store password | Not required | +| Supported operations | Add, Enrollment, Remove | + +**ClientMachine:** Hostname of the Windows Server containing the certificate store to be managed. If this value is a hostname, a WinRM session will be established using the credentials specified in the Server Username and Server Password fields. For more information, see [Client Machine](#note-regarding-client-machine). + +**StorePath:** Windows certificate store path to manage. The store must exist in the Local Machine store on the target server, e.g., 'My' for the Personal Store or 'Root' for the Trusted Root Certification Authorities Store. + +## Bulk Create + +Use one CSV per store type. 
The generated create headers for this store type are: + +```csv +ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.spnwithport,Properties.WinRM Protocol,Properties.WinRM Port,Properties.ServerUsername,Properties.ServerPassword,Properties.ServerUseSsl,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time +``` + +Create stores from the CSV: + +```bash +kfutil stores import csv \ + --file wincert_bulk_create.csv \ + --store-type-name WinCert \ + --no-prompt +``` + +To generate a live template from Command instead of using the static header list above: + +```bash +kfutil stores import generate-template \ + --store-type-name WinCert \ + --outpath wincert_bulk_create_template.csv \ + --no-prompt +``` + +## Bulk Update + +Export existing stores, edit the desired columns, then sync the rows back by `Id`: + +```bash +kfutil stores export \ + --store-type-name WinCert \ + --outpath wincert_export.csv \ + --no-prompt + +kfutil stores import csv \ + --file wincert_export.csv \ + --store-type-name WinCert \ + --sync \ + --no-prompt +``` + +Minimum sync rows must include `Id`. Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them. 
+ +Common update headers for this store type are: + +```csv +Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.spnwithport,Properties.WinRM Protocol,Properties.WinRM Port,Properties.ServerUsername,Properties.ServerPassword,Properties.ServerUseSsl,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time +``` + +## Store Properties + +| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description | +| --- | --- | --- | --- | --- | --- | --- | --- | +| `Properties.spnwithport` | SPN With Port | Bool | No | false | - | No | Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations. | +| `Properties.WinRM Protocol` | WinRM Protocol | MultipleChoice | Yes | https,http,ssh | - | No | Multiple choice value specifying which protocol to use. Protocols https or http use WinRM to connect from Windows to Windows Servers. Using ssh is only supported when running the orchestrator in a Linux environment. | +| `Properties.WinRM Port` | WinRM Port | String | Yes | 5986 | - | No | String value specifying the port number that the Windows target server's WinRM listener is configured to use. Example: '5986' for HTTPS or '5985' for HTTP. By default, when using ssh in a Linux environment, the default port number is 22. | +| `Properties.ServerUsername` | Server Username | Secret | No | - | - | Secret | Username used to log into the target server for establishing the WinRM session. Example: 'administrator' or 'domain\username'. (This field is automatically created) | +| `Properties.ServerPassword` | Server Password | Secret | No | - | - | Secret | Password corresponding to the Server Username used to log into the target server. When establishing a SSH session from a Linux environment, the password must include the full SSH Private key. 
(This field is automatically created) | +| `Properties.ServerUseSsl` | Use SSL | Bool | Yes | true | - | No | Determine whether the server uses SSL or not (This field is automatically created) | + +## Certificate Entry Parameters + +These parameters apply to certificate add/enrollment operations for this store type. They are not store create/sync CSV columns unless another workflow explicitly asks for them. + +| Name | Display name | Type | Required when | Default | Depends on | Description | +| --- | --- | --- | --- | --- | --- | --- | +| `ProviderName` | Crypto Provider Name | String | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":false,"OnRemove":false} | - | - | Name of the Windows cryptographic service provider to use when generating and storing private keys. For more information, refer to the section 'Using Crypto Service Providers' | + +## Secret And PAM Formatting + +Direct secret values go in the base property column. If the secret value is JSON, keep the entire JSON document in one quoted CSV cell. + +```csv +Properties.ServerUsername +Properties.ServerPassword +``` + +PAM-backed property secrets use provider and parameter columns: + +```csv +Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters. +Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters. +``` + +## References + +- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md) +- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md) +- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md) +- [kfutil stores import csv](../../../kfutil_stores_import_csv.md) +- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md) diff --git a/docs/use-cases/Certificate Store Operations/Store Types/winsql.md b/docs/use-cases/Certificate Store Operations/Store Types/winsql.md new file mode 100644 index 00000000..f2438577 --- /dev/null 
+++ b/docs/use-cases/Certificate Store Operations/Store Types/winsql.md 
@@ -0,0 +1,125 @@ + +# WinSql - WinSql + +[Store Type Index](README.md) | [Certificate Store Operations](../README.md) + +Generated from `cmd/store_types.json`. Regenerate with: + +```bash +make store-type-docs +``` + +## Overview + +| Field | Value | +| --- | --- | +| Store type | `WinSql` | +| Name | WinSql | +| Capability | WinSql | +| Server required | Yes | +| Store path type | - | +| Store path value | My | +| Custom alias | Forbidden | +| Private key | Optional | +| Store password | Not required | +| Supported operations | Add, Remove | + +**ClientMachine:** Hostname of the Windows Server containing the SQL Server Certificate Store to be managed. If this value is a hostname, a WinRM session will be established using the credentials specified in the Server Username and Server Password fields. For more information, see [Client Machine](#note-regarding-client-machine). + +**StorePath:** Fixed string value 'My' indicating the Personal store on the Local Machine. This denotes the Windows certificate store to be managed for SQL Server. + +## Bulk Create + +Use one CSV per store type. 
The generated create headers for this store type are: + +```csv +ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.spnwithport,Properties.WinRM Protocol,Properties.WinRM Port,Properties.ServerUsername,Properties.ServerPassword,Properties.ServerUseSsl,Properties.RestartService,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time +``` + +Create stores from the CSV: + +```bash +kfutil stores import csv \ + --file winsql_bulk_create.csv \ + --store-type-name WinSql \ + --no-prompt +``` + +To generate a live template from Command instead of using the static header list above: + +```bash +kfutil stores import generate-template \ + --store-type-name WinSql \ + --outpath winsql_bulk_create_template.csv \ + --no-prompt +``` + +## Bulk Update + +Export existing stores, edit the desired columns, then sync the rows back by `Id`: + +```bash +kfutil stores export \ + --store-type-name WinSql \ + --outpath winsql_export.csv \ + --no-prompt + +kfutil stores import csv \ + --file winsql_export.csv \ + --store-type-name WinSql \ + --sync \ + --no-prompt +``` + +Minimum sync rows must include `Id`. Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them. 
+ +Common update headers for this store type are: + +```csv +Id,ContainerId,ClientMachine,StorePath,CreateIfMissing,Properties.spnwithport,Properties.WinRM Protocol,Properties.WinRM Port,Properties.ServerUsername,Properties.ServerPassword,Properties.ServerUseSsl,Properties.RestartService,AgentId,InventorySchedule.Immediate,InventorySchedule.Interval.Minutes,InventorySchedule.Daily.Time,InventorySchedule.Weekly.Days,InventorySchedule.Weekly.Time +``` + +## Store Properties + +| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description | +| --- | --- | --- | --- | --- | --- | --- | --- | +| `Properties.spnwithport` | SPN With Port | Bool | No | false | - | No | Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations. | +| `Properties.WinRM Protocol` | WinRM Protocol | MultipleChoice | Yes | https,http,ssh | - | No | Multiple choice value specifying which protocol to use. Protocols https or http use WinRM to connect from Windows to Windows Servers. Using ssh is only supported when running the orchestrator in a Linux environment. | +| `Properties.WinRM Port` | WinRM Port | String | Yes | 5986 | - | No | String value specifying the port number that the Windows target server's WinRM listener is configured to use. Example: '5986' for HTTPS or '5985' for HTTP. By default, when using ssh in a Linux environment, the default port number is 22. | +| `Properties.ServerUsername` | Server Username | Secret | No | - | - | Secret | Username used to log into the target server for establishing the WinRM session. Example: 'administrator' or 'domain\username'. (This field is automatically created) | +| `Properties.ServerPassword` | Server Password | Secret | No | - | - | Secret | Password corresponding to the Server Username used to log into the target server. When establishing a SSH session from a Linux environment, the password must include the full SSH Private key. 
(This field is automatically created) | +| `Properties.ServerUseSsl` | Use SSL | Bool | Yes | true | - | No | Determine whether the server uses SSL or not (This field is automatically created) | +| `Properties.RestartService` | Restart SQL Service After Cert Installed | Bool | Yes | false | - | No | Boolean value (true or false) indicating whether to restart the SQL Server service after installing the certificate. Example: 'true' to enable service restart after installation. | + +## Certificate Entry Parameters + +These parameters apply to certificate add/enrollment operations for this store type. They are not store create/sync CSV columns unless another workflow explicitly asks for them. + +| Name | Display name | Type | Required when | Default | Depends on | Description | +| --- | --- | --- | --- | --- | --- | --- | +| `InstanceName` | Instance Name | String | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":false,"OnRemove":false} | - | - | String value specifying the SQL Server instance name to bind the certificate to. Example: 'MSSQLServer' for the default instance or 'Instance1' for a named instance. | +| `ProviderName` | Crypto Provider Name | String | {"HasPrivateKey":false,"OnAdd":false,"OnReenrollment":false,"OnRemove":false} | - | - | Name of the Windows cryptographic service provider to use when generating and storing private keys. For more information, refer to the section 'Using Crypto Service Providers' | + +## Secret And PAM Formatting + +Direct secret values go in the base property column. If the secret value is JSON, keep the entire JSON document in one quoted CSV cell. + +```csv +Properties.ServerUsername +Properties.ServerPassword +``` + +PAM-backed property secrets use provider and parameter columns: + +```csv +Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters. +Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters. 
+``` + +## References + +- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md) +- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md) +- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md) +- [kfutil stores import csv](../../../kfutil_stores_import_csv.md) +- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md) diff --git a/tools/storetypedocs/main.go b/tools/storetypedocs/main.go new file mode 100644 index 00000000..db494faf --- /dev/null +++ b/tools/storetypedocs/main.go 
@@ -0,0 +1,564 @@ +// Copyright 2026 Keyfactor +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package main + +import ( + "bytes" + "encoding/json" + "flag" + "fmt" + "html" + "os" + "path/filepath" + "regexp" + "sort" + "strings" +) + +const generatedMarker = "" + +var ( + sourcePath = flag.String("source", "cmd/store_types.json", "path to store_types.json") + outputDir = flag.String("out", "docs/use-cases/Certificate Store Operations/Store Types", "output directory for generated docs") +) + +type storeType struct { + Name string `json:"Name"` + ShortName string `json:"ShortName"` + Capability string `json:"Capability"` + StorePathType string `json:"StorePathType"` + StorePathValue any `json:"StorePathValue"` + StorePathDescription string `json:"StorePathDescription"` + ClientMachineDescription string `json:"ClientMachineDescription"` + ServerRequired bool `json:"ServerRequired"` + CustomAliasAllowed string `json:"CustomAliasAllowed"` + PrivateKeyAllowed string `json:"PrivateKeyAllowed"` + LocalStore bool `json:"LocalStore"` + BlueprintAllowed bool `json:"BlueprintAllowed"` + PowerShell bool `json:"PowerShell"` + Properties []storeTypeProperty `json:"Properties"` + EntryParameters []entryParameter `json:"EntryParameters"` + PasswordOptions passwordOptions `json:"PasswordOptions"` + SupportedOperations map[string]bool `json:"SupportedOperations"` +} + +type storeTypeProperty struct { + Name string `json:"Name"` + DisplayName string `json:"DisplayName"` + 
Description string `json:"Description"` + Type string `json:"Type"` + DependsOn any `json:"DependsOn"` + DefaultValue any `json:"DefaultValue"` + Required bool `json:"Required"` + IsPAMEligible bool `json:"IsPAMEligible"` + IsPamEligable bool `json:"IsPamEligable"` + Options any `json:"Options"` +} + +type entryParameter struct { + Name string `json:"Name"` + DisplayName string `json:"DisplayName"` + Description string `json:"Description"` + Type string `json:"Type"` + DependsOn any `json:"DependsOn"` + DefaultValue any `json:"DefaultValue"` + RequiredWhen any `json:"RequiredWhen"` + Options any `json:"Options"` +} + +type passwordOptions struct { + Style string `json:"Style"` + EntrySupported bool `json:"EntrySupported"` + StoreRequired bool `json:"StoreRequired"` + StorePassword *storePassword `json:"StorePassword"` +} + +type storePassword struct { + Description string `json:"Description"` + IsPAMEligible bool `json:"IsPAMEligible"` +} + +func main() { + flag.Parse() + + storeTypes, err := readStoreTypes(*sourcePath) + if err != nil { + fatal(err) + } + + sort.Slice(storeTypes, func(i, j int) bool { + return strings.ToLower(storeTypes[i].ShortName) < strings.ToLower(storeTypes[j].ShortName) + }) + + slugs := uniqueSlugs(storeTypes) + + if err := os.MkdirAll(*outputDir, 0o755); err != nil { + fatal(err) + } + if err := removeStaleGeneratedDocs(*outputDir); err != nil { + fatal(err) + } + + for _, st := range storeTypes { + fileName := slugs[st.ShortName] + ".md" + path := filepath.Join(*outputDir, fileName) + if err := os.WriteFile(path, []byte(renderStoreTypeDoc(st)), 0o644); err != nil { + fatal(fmt.Errorf("write %s: %w", path, err)) + } + } + + indexPath := filepath.Join(*outputDir, "README.md") + if err := os.WriteFile(indexPath, []byte(renderIndex(storeTypes, slugs)), 0o644); err != nil { + fatal(fmt.Errorf("write %s: %w", indexPath, err)) + } + + fmt.Printf("Generated %d store type docs in %s\n", len(storeTypes), *outputDir) +} + +func readStoreTypes(path 
string) ([]storeType, error) { + data, err := os.ReadFile(path) + if err != nil { + return nil, fmt.Errorf("read %s: %w", path, err) + } + + var storeTypes []storeType + if err := json.Unmarshal(data, &storeTypes); err != nil { + return nil, fmt.Errorf("parse %s: %w", path, err) + } + if len(storeTypes) == 0 { + return nil, fmt.Errorf("%s did not contain any store types", path) + } + for i := range storeTypes { + if storeTypes[i].ShortName == "" { + return nil, fmt.Errorf("store type at index %d is missing ShortName", i) + } + } + return storeTypes, nil +} + +func removeStaleGeneratedDocs(dir string) error { + entries, err := os.ReadDir(dir) + if err != nil { + if os.IsNotExist(err) { + return nil + } + return err + } + + for _, entry := range entries { + if entry.IsDir() || filepath.Ext(entry.Name()) != ".md" { + continue + } + path := filepath.Join(dir, entry.Name()) + data, err := os.ReadFile(path) + if err != nil { + return err + } + if bytes.Contains(data, []byte(generatedMarker)) { + if err := os.Remove(path); err != nil { + return err + } + } + } + return nil +} + +func uniqueSlugs(storeTypes []storeType) map[string]string { + counts := map[string]int{} + slugs := map[string]string{} + for _, st := range storeTypes { + base := slugify(st.ShortName) + if base == "" { + base = slugify(st.Name) + } + if base == "" { + base = "store-type" + } + counts[base]++ + slug := base + if counts[base] > 1 { + slug = fmt.Sprintf("%s-%d", base, counts[base]) + } + slugs[st.ShortName] = slug + } + return slugs +} + +func slugify(value string) string { + value = strings.ToLower(value) + re := regexp.MustCompile(`[^a-z0-9]+`) + value = re.ReplaceAllString(value, "-") + return strings.Trim(value, "-") +} + +func renderIndex(storeTypes []storeType, slugs map[string]string) string { + var b strings.Builder + b.WriteString(generatedMarker + "\n") + b.WriteString("# Store Type Bulk Create And Update Guides\n\n") + b.WriteString("These docs are generated from `cmd/store_types.json` 
and describe the CSV columns used by `kfutil stores import csv` for each embedded certificate store type.\n\n") + b.WriteString("Regenerate after store type metadata changes:\n\n") + b.WriteString("```bash\n") + b.WriteString("make store-type-docs\n") + b.WriteString("```\n\n") + b.WriteString("Use `kfutil stores import generate-template` against a live Command environment when you need a template that reflects deployed customizations.\n\n") + b.WriteString("## Store Types\n\n") + b.WriteString("| Store Type | Name | Store Password | Secret/PAM Columns |\n") + b.WriteString("| --- | --- | --- | --- |\n") + for _, st := range storeTypes { + secretCount := 0 + for _, prop := range st.Properties { + if isSecretProperty(prop) { + secretCount++ + } + } + b.WriteString(fmt.Sprintf("| [`%s`](%s.md) | %s | %s | %s |\n", + mdTable(st.ShortName), + slugs[st.ShortName], + mdTable(st.Name), + mdTable(storePasswordSummary(st.PasswordOptions)), + mdTable(secretColumnSummary(secretCount)), + )) + } + return b.String() +} + +func renderStoreTypeDoc(st storeType) string { + var b strings.Builder + title := st.ShortName + if st.Name != "" { + title += " - " + st.Name + } + + b.WriteString(generatedMarker + "\n") + b.WriteString("# " + title + "\n\n") + b.WriteString("[Store Type Index](README.md) | [Certificate Store Operations](../README.md)\n\n") + b.WriteString("Generated from `cmd/store_types.json`. 
Regenerate with:\n\n") + b.WriteString("```bash\n") + b.WriteString("make store-type-docs\n") + b.WriteString("```\n\n") + + writeOverview(&b, st) + writeBulkCreate(&b, st) + writeBulkUpdate(&b, st) + writeProperties(&b, st) + writeEntryParameters(&b, st) + writeSecretFormatting(&b, st) + writeReferences(&b) + + return b.String() +} + +func writeOverview(b *strings.Builder, st storeType) { + b.WriteString("## Overview\n\n") + b.WriteString("| Field | Value |\n") + b.WriteString("| --- | --- |\n") + b.WriteString(fmt.Sprintf("| Store type | `%s` |\n", mdTable(st.ShortName))) + b.WriteString(fmt.Sprintf("| Name | %s |\n", mdTable(st.Name))) + b.WriteString(fmt.Sprintf("| Capability | %s |\n", mdTable(blank(st.Capability)))) + b.WriteString(fmt.Sprintf("| Server required | %s |\n", yesNo(st.ServerRequired))) + b.WriteString(fmt.Sprintf("| Store path type | %s |\n", mdTable(value(st.StorePathType)))) + b.WriteString(fmt.Sprintf("| Store path value | %s |\n", mdTable(value(st.StorePathValue)))) + b.WriteString(fmt.Sprintf("| Custom alias | %s |\n", mdTable(blank(st.CustomAliasAllowed)))) + b.WriteString(fmt.Sprintf("| Private key | %s |\n", mdTable(blank(st.PrivateKeyAllowed)))) + b.WriteString(fmt.Sprintf("| Store password | %s |\n", mdTable(storePasswordSummary(st.PasswordOptions)))) + b.WriteString(fmt.Sprintf("| Supported operations | %s |\n\n", mdTable(supportedOperations(st.SupportedOperations)))) + + if st.ClientMachineDescription != "" { + b.WriteString("**ClientMachine:** " + mdText(st.ClientMachineDescription) + "\n\n") + } + if st.StorePathDescription != "" { + b.WriteString("**StorePath:** " + mdText(st.StorePathDescription) + "\n\n") + } +} + +func writeBulkCreate(b *strings.Builder, st storeType) { + b.WriteString("## Bulk Create\n\n") + b.WriteString("Use one CSV per store type. 
The generated create headers for this store type are:\n\n") + b.WriteString("```csv\n") + b.WriteString(strings.Join(createHeaders(st), ",") + "\n") + b.WriteString("```\n\n") + b.WriteString("Create stores from the CSV:\n\n") + b.WriteString("```bash\n") + b.WriteString(fmt.Sprintf("kfutil stores import csv \\\n --file %s_bulk_create.csv \\\n --store-type-name %s \\\n --no-prompt\n", shellName(st.ShortName), shellQuote(st.ShortName))) + b.WriteString("```\n\n") + b.WriteString("To generate a live template from Command instead of using the static header list above:\n\n") + b.WriteString("```bash\n") + b.WriteString(fmt.Sprintf("kfutil stores import generate-template \\\n --store-type-name %s \\\n --outpath %s_bulk_create_template.csv \\\n --no-prompt\n", shellQuote(st.ShortName), shellName(st.ShortName))) + b.WriteString("```\n\n") +} + +func writeBulkUpdate(b *strings.Builder, st storeType) { + b.WriteString("## Bulk Update\n\n") + b.WriteString("Export existing stores, edit the desired columns, then sync the rows back by `Id`:\n\n") + b.WriteString("```bash\n") + b.WriteString(fmt.Sprintf("kfutil stores export \\\n --store-type-name %s \\\n --outpath %s_export.csv \\\n --no-prompt\n\n", shellQuote(st.ShortName), shellName(st.ShortName))) + b.WriteString(fmt.Sprintf("kfutil stores import csv \\\n --file %s_export.csv \\\n --store-type-name %s \\\n --sync \\\n --no-prompt\n", shellName(st.ShortName), shellQuote(st.ShortName))) + b.WriteString("```\n\n") + b.WriteString("Minimum sync rows must include `Id`. 
Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them.\n\n") + b.WriteString("Common update headers for this store type are:\n\n") + b.WriteString("```csv\n") + b.WriteString(strings.Join(updateHeaders(st), ",") + "\n") + b.WriteString("```\n\n") +} + +func writeProperties(b *strings.Builder, st storeType) { + b.WriteString("## Store Properties\n\n") + if len(st.Properties) == 0 { + b.WriteString("This store type does not define additional `Properties.*` CSV columns.\n\n") + return + } + + b.WriteString("| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description |\n") + b.WriteString("| --- | --- | --- | --- | --- | --- | --- | --- |\n") + for _, prop := range st.Properties { + b.WriteString(fmt.Sprintf("| `Properties.%s` | %s | %s | %s | %s | %s | %s | %s |\n", + mdTable(prop.Name), + mdTable(blank(prop.DisplayName)), + mdTable(blank(prop.Type)), + yesNo(prop.Required), + mdTable(value(prop.DefaultValue)), + mdTable(value(prop.DependsOn)), + mdTable(secretPropertySummary(prop)), + mdTable(blank(prop.Description)), + )) + } + b.WriteString("\n") +} + +func writeEntryParameters(b *strings.Builder, st storeType) { + if len(st.EntryParameters) == 0 { + return + } + + b.WriteString("## Certificate Entry Parameters\n\n") + b.WriteString("These parameters apply to certificate add/enrollment operations for this store type. 
They are not store create/sync CSV columns unless another workflow explicitly asks for them.\n\n") + b.WriteString("| Name | Display name | Type | Required when | Default | Depends on | Description |\n") + b.WriteString("| --- | --- | --- | --- | --- | --- | --- |\n") + for _, param := range st.EntryParameters { + b.WriteString(fmt.Sprintf("| `%s` | %s | %s | %s | %s | %s | %s |\n", + mdTable(param.Name), + mdTable(blank(param.DisplayName)), + mdTable(blank(param.Type)), + mdTable(value(param.RequiredWhen)), + mdTable(value(param.DefaultValue)), + mdTable(value(param.DependsOn)), + mdTable(blank(param.Description)), + )) + } + b.WriteString("\n") +} + +func writeSecretFormatting(b *strings.Builder, st storeType) { + secretProps := secretProperties(st) + storePasswordEligible := st.PasswordOptions.StorePassword != nil && st.PasswordOptions.StorePassword.IsPAMEligible + if len(secretProps) == 0 && !storePasswordEligible { + return + } + + b.WriteString("## Secret And PAM Formatting\n\n") + if len(secretProps) > 0 { + b.WriteString("Direct secret values go in the base property column. If the secret value is JSON, keep the entire JSON document in one quoted CSV cell.\n\n") + b.WriteString("```csv\n") + for _, prop := range secretProps { + b.WriteString(fmt.Sprintf("Properties.%s\n", prop.Name)) + } + b.WriteString("```\n\n") + b.WriteString("PAM-backed property secrets use provider and parameter columns:\n\n") + b.WriteString("```csv\n") + for _, prop := range secretProps { + b.WriteString(fmt.Sprintf("Properties.%s.Provider,Properties.%s.Parameters.\n", prop.Name, prop.Name)) + } + b.WriteString("```\n\n") + } + if st.PasswordOptions.StorePassword != nil { + b.WriteString("The store password uses the `Password` column. 
") + if st.PasswordOptions.StorePassword.IsPAMEligible { + b.WriteString("For a PAM-backed store password, use `Password.Provider` and `Password.Parameters.` columns.\n\n") + } else { + b.WriteString("This store type metadata does not mark the store password as PAM eligible.\n\n") + } + } +} + +func writeReferences(b *strings.Builder) { + b.WriteString("## References\n\n") + b.WriteString("- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md)\n") + b.WriteString("- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md)\n") + b.WriteString("- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md)\n") + b.WriteString("- [kfutil stores import csv](../../../kfutil_stores_import_csv.md)\n") + b.WriteString("- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md)\n") +} + +func createHeaders(st storeType) []string { + headers := []string{ + "ContainerId", + "ClientMachine", + "StorePath", + "CreateIfMissing", + } + for _, prop := range st.Properties { + headers = append(headers, "Properties."+prop.Name) + } + headers = append(headers, + "AgentId", + "InventorySchedule.Immediate", + "InventorySchedule.Interval.Minutes", + "InventorySchedule.Daily.Time", + "InventorySchedule.Weekly.Days", + "InventorySchedule.Weekly.Time", + ) + if st.PasswordOptions.StoreRequired { + headers = append(headers, "Password") + } + return headers +} + +func updateHeaders(st storeType) []string { + headers := append([]string{"Id"}, createHeaders(st)...) 
+ return headers
+}
+
+func secretProperties(st storeType) []storeTypeProperty {
+ var props []storeTypeProperty
+ for _, prop := range st.Properties {
+ if isSecretProperty(prop) {
+ props = append(props, prop)
+ }
+ }
+ return props
+}
+
+func isSecretProperty(prop storeTypeProperty) bool {
+ return strings.EqualFold(prop.Type, "Secret") || prop.IsPAMEligible || prop.IsPamEligable
+}
+
+func secretPropertySummary(prop storeTypeProperty) string {
+ if !isSecretProperty(prop) {
+ return "No"
+ }
+ if prop.IsPAMEligible || prop.IsPamEligable {
+ return "Secret; PAM eligible"
+ }
+ return "Secret"
+}
+
+func storePasswordSummary(options passwordOptions) string {
+ if options.StoreRequired {
+ if options.StorePassword != nil && options.StorePassword.IsPAMEligible {
+ return "Required; PAM eligible"
+ }
+ return "Required"
+ }
+ if options.StorePassword != nil && options.StorePassword.IsPAMEligible {
+ return "Optional; PAM eligible"
+ }
+ return "Not required"
+}
+
+func secretColumnSummary(secretCount int) string {
+ switch secretCount {
+ case 0:
+ return "None"
+ case 1:
+ return "1 secret property"
+ default:
+ return fmt.Sprintf("%d secret properties", secretCount)
+ }
+}
+
+func supportedOperations(ops map[string]bool) string {
+ if len(ops) == 0 {
+ return "-"
+ }
+ var enabled []string
+ for op, ok := range ops {
+ if ok {
+ enabled = append(enabled, op)
+ }
+ }
+ sort.Strings(enabled)
+ if len(enabled) == 0 {
+ return "None"
+ }
+ return strings.Join(enabled, ", ")
+}
+
+func value(v any) string {
+ if v == nil {
+ return "-"
+ }
+ switch typed := v.(type) {
+ case string:
+ return blank(typed)
+ case bool:
+ return yesNo(typed)
+ case float64:
+ return fmt.Sprintf("%v", typed)
+ default:
+ data, err := json.Marshal(typed)
+ if err != nil {
+ return fmt.Sprintf("%v", typed)
+ }
+ return string(data)
+ }
+}
+
+func blank(s string) string {
+ if strings.TrimSpace(s) == "" {
+ return "-"
+ }
+ return s
+}
+
+func yesNo(v bool) string {
+ if v {
+ return "Yes"
+ }
+ return "No"
+}
+
+func mdTable(s string) string {
+ s = mdText(s)
+ s = strings.ReplaceAll(s, "|", `\|`)
+ return s
+}
+
+func mdText(s string) string {
+ s = strings.TrimSpace(s)
+ if s == "" {
+ return "-"
+ }
+ s = html.EscapeString(s)
+ s = strings.ReplaceAll(s, "\r\n", "\n")
+ s = strings.ReplaceAll(s, "\r", "\n")
+ s = strings.ReplaceAll(s, "\n", "
")
+ return s
+}
+
+func shellName(value string) string {
+ return slugify(value)
+}
+
+func shellQuote(value string) string {
+ if regexp.MustCompile(`^[A-Za-z0-9._-]+$`).MatchString(value) {
+ return value
+ }
+ return "'" + strings.ReplaceAll(value, "'", `'\''`) + "'"
+}
+
+func fatal(err error) {
+ fmt.Fprintln(os.Stderr, err)
+ os.Exit(1)
+}
From 6d701d4e5d1b43df2dc8d1ae1dabfa7786f731bb Mon Sep 17 00:00:00 2001
From: spbsoluble <1661003+spbsoluble@users.noreply.github.com> Date: Fri, 1 May 2026 13:15:17 -0700 Subject: [PATCH 09/17] docs: include PAM type parameters in store guides --- .../Store Types/README.md | 18 +++- .../Store Types/akamai.md | 16 +++- .../Store Types/appgwbin.md | 16 +++- .../Store Types/aruba.md | 16 +++- .../Store Types/aws-acm-v3.md | 16 +++- .../Store Types/aws-acm.md | 16 +++- .../Store Types/axisipcamera.md | 16 +++- .../Store Types/azureapp.md | 16 +++- .../Store Types/azureapp2.md | 16 +++- .../Store Types/azureappgw.md | 16 +++- .../Store Types/azuresp.md | 16 +++- .../Store Types/azuresp2.md | 16 +++- .../Store Types/bmc.md | 16 +++- .../Store Types/boschipcamera.md | 16 +++- .../Store Types/ciscoasa.md | 16 +++- .../Store Types/citrixadc.md | 18 +++- .../Store Types/datapower.md | 16 +++- .../Store Types/f5-bigiq.md | 16 +++- .../Store Types/f5-ca-rest.md | 16 +++- .../Store Types/f5-sl-rest.md | 18 +++- .../Store Types/f5-ws-rest.md | 16 +++- .../Store Types/f5wafca.md | 16 +++- .../Store Types/f5waftls.md | 16 +++- .../Store Types/fortigate.md | 14 ++- .../Store Types/fortiweb.md | 16 +++- .../Store Types/gcpapigee.md | 16 +++- .../Store Types/gcploadbal.md | 16 +++- .../Store Types/gcpscrtmgr.md | 14 ++- .../Store Types/hcvkvjks.md | 18 +++- .../Store Types/hcvkvp12.md | 18 +++- .../Store Types/hcvkvpem.md | 18 +++- .../Store Types/hcvkvpfx.md | 18 +++- .../Store Types/hcvpki.md | 18 +++- .../Store Types/idrac.md | 16 +++- .../Store Types/iisu.md | 16 +++- .../Store Types/imperva.md | 14 ++- .../Store Types/k8scert.md | 16 +++- .../Store Types/k8scluster.md | 16 +++- .../Store Types/k8sjks.md | 16 +++- .../Store Types/k8sns.md | 16 +++- .../Store Types/k8spkcs12.md | 16 +++- .../Store Types/k8ssecret.md | 16 +++- .../Store Types/k8stlssecr.md | 16 +++- .../Store Types/kemp.md | 16 +++- .../Store Types/paloalto.md | 16 +++- .../Store Types/rfder.md | 18 +++- .../Store Types/rfjks.md | 18 +++- .../Store Types/rfkdb.md | 18 +++- .../Store 
Types/rfora.md | 18 +++- .../Store Types/rfpem.md | 18 +++- .../Store Types/rfpkcs12.md | 18 +++- .../Store Types/signum.md | 16 +++- .../Store Types/sos.md | 16 +++- .../Store Types/thundermgmt.md | 16 +++- .../Store Types/vcenter.md | 16 +++- .../Store Types/vmware-nsx.md | 16 +++- .../Store Types/winadfs.md | 16 +++- .../Store Types/wincert.md | 16 +++- .../Store Types/winsql.md | 16 +++- tools/storetypedocs/main.go | 95 +++++++++++++++++-- 60 files changed, 980 insertions(+), 81 deletions(-) diff --git a/docs/use-cases/Certificate Store Operations/Store Types/README.md b/docs/use-cases/Certificate Store Operations/Store Types/README.md index a930469f..88f3abd7 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/README.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/README.md @@ -1,7 +1,7 @@ # Store Type Bulk Create And Update Guides -These docs are generated from `cmd/store_types.json` and describe the CSV columns used by `kfutil stores import csv` for each embedded certificate store type. +These docs are generated from `cmd/store_types.json` and `cmd/pam_types.json` and describe the CSV columns used by `kfutil stores import csv` for each embedded certificate store type. Regenerate after store type metadata changes: 
@@ -11,6 +11,22 @@ make store-type-docs Use `kfutil stores import generate-template` against a live Command environment when you need a template that reflects deployed customizations. +## PAM Provider Parameter Columns + +PAM-backed secret columns vary by PAM provider type. Provider-level parameters are configured on the PAM provider. Store CSV rows use the instance-level parameter names with the secret column prefix, for example `Properties.ServerPassword.Parameters.SecretId` or `Password.Parameters.SecretId`. + +| PAM type | Provider-level parameters | Store CSV instance parameters | +| --- | --- | --- | +| `1Password-CLI` | Vault, Token | Item, Field | +| `Azure-KeyVault` | KeyVaultUri, AuthorityHost | SecretId | +| `Azure-KeyVault-ServicePrincipal` | KeyVaultUri, AuthorityHost, TenantId, ClientId, ClientSecret | SecretId | +| `BeyondTrust-PasswordSafe` | Host, APIKey, Username, ClientCertificate | SystemId, AccountId | +| `CyberArk-CentralCredentialProvider` | AppId, Host, Site | Safe, Folder, Object | +| `CyberArk-SdkCredentialProvider` | AppId | Safe, Folder, Object | +| `Delinea-SecretServer` | Host, Username, Password, ClientId, ClientSecret, GrantType | SecretId, SecretFieldName | +| `GCP-SecretManager` | projectId | secretId | +| `Hashicorp-Vault` | Host, Token, Path | Secret, Key | + ## Store Types | Store Type | Name | Store Password | Secret/PAM Columns | diff --git a/docs/use-cases/Certificate Store Operations/Store Types/akamai.md b/docs/use-cases/Certificate Store Operations/Store Types/akamai.md index fc4e2868..73860b11 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/akamai.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/akamai.md 
@@ -140,7 +140,7 @@ Properties.client_token Properties.client_secret ``` -PAM-backed property secrets use provider and parameter columns: +PAM-backed property secrets use a provider column and provider-type-specific parameter columns. `Provider` identifies the configured PAM provider. `Parameters.*` must match the instance-level parameters for that provider type. ```csv Properties.access_token.Provider,Properties.access_token.Parameters. @@ -148,6 +148,20 @@ Properties.client_token.Provider,Properties.client_token.Parameters. ``` +Use the PAM parameter names in the table below, or check the provider type in Command if your environment uses custom PAM types. + +| PAM type | Provider-level parameters | Store CSV instance parameters | +| --- | --- | --- | +| `1Password-CLI` | Vault, Token | Item, Field | +| `Azure-KeyVault` | KeyVaultUri, AuthorityHost | SecretId | +| `Azure-KeyVault-ServicePrincipal` | KeyVaultUri, AuthorityHost, TenantId, ClientId, ClientSecret | SecretId | +| `BeyondTrust-PasswordSafe` | Host, APIKey, Username, ClientCertificate | SystemId, AccountId | +| `CyberArk-CentralCredentialProvider` | AppId, Host, Site | Safe, Folder, Object | +| `CyberArk-SdkCredentialProvider` | AppId | Safe, Folder, Object | +| `Delinea-SecretServer` | Host, Username, Password, ClientId, ClientSecret, GrantType | SecretId, SecretFieldName | +| `GCP-SecretManager` | projectId | secretId | +| `Hashicorp-Vault` | Host, Token, Path | Secret, Key | + ## References - [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md) diff --git a/docs/use-cases/Certificate Store Operations/Store Types/appgwbin.md b/docs/use-cases/Certificate Store Operations/Store Types/appgwbin.md index 04bb5773..4aadc5e2 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/appgwbin.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/appgwbin.md 
@@ -99,7 +99,7 @@ Properties.ServerPassword Properties.ClientCertificate ``` -PAM-backed property secrets use provider and parameter columns: +PAM-backed property secrets use a provider column and provider-type-specific parameter columns. `Provider` identifies the configured PAM provider. `Parameters.*` must match the instance-level parameters for that provider type. ```csv Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters. @@ -107,6 +107,20 @@ Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters. ``` +Use the PAM parameter names in the table below, or check the provider type in Command if your environment uses custom PAM types. + +| PAM type | Provider-level parameters | Store CSV instance parameters | +| --- | --- | --- | +| `1Password-CLI` | Vault, Token | Item, Field | +| `Azure-KeyVault` | KeyVaultUri, AuthorityHost | SecretId | +| `Azure-KeyVault-ServicePrincipal` | KeyVaultUri, AuthorityHost, TenantId, ClientId, ClientSecret | SecretId | +| `BeyondTrust-PasswordSafe` | Host, APIKey, Username, ClientCertificate | SystemId, AccountId | +| `CyberArk-CentralCredentialProvider` | AppId, Host, Site | Safe, Folder, Object | +| `CyberArk-SdkCredentialProvider` | AppId | Safe, Folder, Object | +| `Delinea-SecretServer` | Host, Username, Password, ClientId, ClientSecret, GrantType | SecretId, SecretFieldName | +| `GCP-SecretManager` | projectId | secretId | +| `Hashicorp-Vault` | Host, Token, Path | Secret, Key | + ## References - [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md) diff --git a/docs/use-cases/Certificate Store Operations/Store Types/aruba.md b/docs/use-cases/Certificate Store Operations/Store Types/aruba.md index 08d8e36e..7ca889ca 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/aruba.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/aruba.md 
@@ -106,13 +106,27 @@ Properties.FileServerUsername Properties.FileServerPassword ``` -PAM-backed property secrets use provider and parameter columns: +PAM-backed property secrets use a provider column and provider-type-specific parameter columns. `Provider` identifies the configured PAM provider. `Parameters.*` must match the instance-level parameters for that provider type. ```csv Properties.FileServerUsername.Provider,Properties.FileServerUsername.Parameters. Properties.FileServerPassword.Provider,Properties.FileServerPassword.Parameters. ``` +Use the PAM parameter names in the table below, or check the provider type in Command if your environment uses custom PAM types. + +| PAM type | Provider-level parameters | Store CSV instance parameters | +| --- | --- | --- | +| `1Password-CLI` | Vault, Token | Item, Field | +| `Azure-KeyVault` | KeyVaultUri, AuthorityHost | SecretId | +| `Azure-KeyVault-ServicePrincipal` | KeyVaultUri, AuthorityHost, TenantId, ClientId, ClientSecret | SecretId | +| `BeyondTrust-PasswordSafe` | Host, APIKey, Username, ClientCertificate | SystemId, AccountId | +| `CyberArk-CentralCredentialProvider` | AppId, Host, Site | Safe, Folder, Object | +| `CyberArk-SdkCredentialProvider` | AppId | Safe, Folder, Object | +| `Delinea-SecretServer` | Host, Username, Password, ClientId, ClientSecret, GrantType | SecretId, SecretFieldName | +| `GCP-SecretManager` | projectId | secretId | +| `Hashicorp-Vault` | Host, Token, Path | Secret, Key | + ## References - [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md) diff --git a/docs/use-cases/Certificate Store Operations/Store Types/aws-acm-v3.md b/docs/use-cases/Certificate Store Operations/Store Types/aws-acm-v3.md index 873f47c6..8085da37 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/aws-acm-v3.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/aws-acm-v3.md 
@@ -115,7 +115,7 @@ Properties.IAMUserAccessKey Properties.IAMUserAccessSecret ``` -PAM-backed property secrets use provider and parameter columns: +PAM-backed property secrets use a provider column and provider-type-specific parameter columns. `Provider` identifies the configured PAM provider. `Parameters.*` must match the instance-level parameters for that provider type. ```csv Properties.OAuthClientId.Provider,Properties.OAuthClientId.Parameters. @@ -124,6 +124,20 @@ Properties.IAMUserAccessKey.Provider,Properties.IAMUserAccessKey.Parameters. ``` +Use the PAM parameter names in the table below, or check the provider type in Command if your environment uses custom PAM types. + +| PAM type | Provider-level parameters | Store CSV instance parameters | +| --- | --- | --- | +| `1Password-CLI` | Vault, Token | Item, Field | +| `Azure-KeyVault` | KeyVaultUri, AuthorityHost | SecretId | +| `Azure-KeyVault-ServicePrincipal` | KeyVaultUri, AuthorityHost, TenantId, ClientId, ClientSecret | SecretId | +| `BeyondTrust-PasswordSafe` | Host, APIKey, Username, ClientCertificate | SystemId, AccountId | +| `CyberArk-CentralCredentialProvider` | AppId, Host, Site | Safe, Folder, Object | +| `CyberArk-SdkCredentialProvider` | AppId | Safe, Folder, Object | +| `Delinea-SecretServer` | Host, Username, Password, ClientId, ClientSecret, GrantType | SecretId, SecretFieldName | +| `GCP-SecretManager` | projectId | secretId | +| `Hashicorp-Vault` | Host, Token, Path | Secret, Key | + ## References - [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md) diff --git a/docs/use-cases/Certificate Store Operations/Store Types/aws-acm.md b/docs/use-cases/Certificate Store Operations/Store Types/aws-acm.md index 9d1198c2..d66c5dbd 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/aws-acm.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/aws-acm.md 
@@ -114,13 +114,27 @@ Properties.ServerUsername Properties.ServerPassword ``` -PAM-backed property secrets use provider and parameter columns: +PAM-backed property secrets use a provider column and provider-type-specific parameter columns. `Provider` identifies the configured PAM provider. `Parameters.*` must match the instance-level parameters for that provider type. ```csv Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters. Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters. ``` +Use the PAM parameter names in the table below, or check the provider type in Command if your environment uses custom PAM types. + +| PAM type | Provider-level parameters | Store CSV instance parameters | +| --- | --- | --- | +| `1Password-CLI` | Vault, Token | Item, Field | +| `Azure-KeyVault` | KeyVaultUri, AuthorityHost | SecretId | +| `Azure-KeyVault-ServicePrincipal` | KeyVaultUri, AuthorityHost, TenantId, ClientId, ClientSecret | SecretId | +| `BeyondTrust-PasswordSafe` | Host, APIKey, Username, ClientCertificate | SystemId, AccountId | +| `CyberArk-CentralCredentialProvider` | AppId, Host, Site | Safe, Folder, Object | +| `CyberArk-SdkCredentialProvider` | AppId | Safe, Folder, Object | +| `Delinea-SecretServer` | Host, Username, Password, ClientId, ClientSecret, GrantType | SecretId, SecretFieldName | +| `GCP-SecretManager` | projectId | secretId | +| `Hashicorp-Vault` | Host, Token, Path | Secret, Key | + ## References - [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md) diff --git a/docs/use-cases/Certificate Store Operations/Store Types/axisipcamera.md b/docs/use-cases/Certificate Store Operations/Store Types/axisipcamera.md index aacfb658..d7559350 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/axisipcamera.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/axisipcamera.md 
@@ -104,13 +104,27 @@ Properties.ServerUsername Properties.ServerPassword ``` -PAM-backed property secrets use provider and parameter columns: +PAM-backed property secrets use a provider column and provider-type-specific parameter columns. `Provider` identifies the configured PAM provider. `Parameters.*` must match the instance-level parameters for that provider type. ```csv Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters. Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters. ``` +Use the PAM parameter names in the table below, or check the provider type in Command if your environment uses custom PAM types. + +| PAM type | Provider-level parameters | Store CSV instance parameters | +| --- | --- | --- | +| `1Password-CLI` | Vault, Token | Item, Field | +| `Azure-KeyVault` | KeyVaultUri, AuthorityHost | SecretId | +| `Azure-KeyVault-ServicePrincipal` | KeyVaultUri, AuthorityHost, TenantId, ClientId, ClientSecret | SecretId | +| `BeyondTrust-PasswordSafe` | Host, APIKey, Username, ClientCertificate | SystemId, AccountId | +| `CyberArk-CentralCredentialProvider` | AppId, Host, Site | Safe, Folder, Object | +| `CyberArk-SdkCredentialProvider` | AppId | Safe, Folder, Object | +| `Delinea-SecretServer` | Host, Username, Password, ClientId, ClientSecret, GrantType | SecretId, SecretFieldName | +| `GCP-SecretManager` | projectId | secretId | +| `Hashicorp-Vault` | Host, Token, Path | Secret, Key | + ## References - [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md) diff --git a/docs/use-cases/Certificate Store Operations/Store Types/azureapp.md b/docs/use-cases/Certificate Store Operations/Store Types/azureapp.md index d1196c45..bfe44573 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/azureapp.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/azureapp.md 
@@ -99,7 +99,7 @@ Properties.ServerPassword Properties.ClientCertificate ``` -PAM-backed property secrets use provider and parameter columns: +PAM-backed property secrets use a provider column and provider-type-specific parameter columns. `Provider` identifies the configured PAM provider. `Parameters.*` must match the instance-level parameters for that provider type. ```csv Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters. @@ -107,6 +107,20 @@ Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters. ``` +Use the PAM parameter names in the table below, or check the provider type in Command if your environment uses custom PAM types. + +| PAM type | Provider-level parameters | Store CSV instance parameters | +| --- | --- | --- | +| `1Password-CLI` | Vault, Token | Item, Field | +| `Azure-KeyVault` | KeyVaultUri, AuthorityHost | SecretId | +| `Azure-KeyVault-ServicePrincipal` | KeyVaultUri, AuthorityHost, TenantId, ClientId, ClientSecret | SecretId | +| `BeyondTrust-PasswordSafe` | Host, APIKey, Username, ClientCertificate | SystemId, AccountId | +| `CyberArk-CentralCredentialProvider` | AppId, Host, Site | Safe, Folder, Object | +| `CyberArk-SdkCredentialProvider` | AppId | Safe, Folder, Object | +| `Delinea-SecretServer` | Host, Username, Password, ClientId, ClientSecret, GrantType | SecretId, SecretFieldName | +| `GCP-SecretManager` | projectId | secretId | +| `Hashicorp-Vault` | Host, Token, Path | Secret, Key | + ## References - [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md) diff --git a/docs/use-cases/Certificate Store Operations/Store Types/azureapp2.md b/docs/use-cases/Certificate Store Operations/Store Types/azureapp2.md index 78453322..fa0fd502 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/azureapp2.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/azureapp2.md 
@@ -100,7 +100,7 @@ Properties.ClientCertificate Properties.ClientCertificatePassword ``` -PAM-backed property secrets use provider and parameter columns: +PAM-backed property secrets use a provider column and provider-type-specific parameter columns. `Provider` identifies the configured PAM provider. `Parameters.*` must match the instance-level parameters for that provider type. ```csv Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters. @@ -109,6 +109,20 @@ Properties.ClientCertificate.Provider,Properties.ClientCertificate.Parameters.

``` +Use the PAM parameter names in the table below, or check the provider type in Command if your environment uses custom PAM types. + +| PAM type | Provider-level parameters | Store CSV instance parameters | +| --- | --- | --- | +| `1Password-CLI` | Vault, Token | Item, Field | +| `Azure-KeyVault` | KeyVaultUri, AuthorityHost | SecretId | +| `Azure-KeyVault-ServicePrincipal` | KeyVaultUri, AuthorityHost, TenantId, ClientId, ClientSecret | SecretId | +| `BeyondTrust-PasswordSafe` | Host, APIKey, Username, ClientCertificate | SystemId, AccountId | +| `CyberArk-CentralCredentialProvider` | AppId, Host, Site | Safe, Folder, Object | +| `CyberArk-SdkCredentialProvider` | AppId | Safe, Folder, Object | +| `Delinea-SecretServer` | Host, Username, Password, ClientId, ClientSecret, GrantType | SecretId, SecretFieldName | +| `GCP-SecretManager` | projectId | secretId | +| `Hashicorp-Vault` | Host, Token, Path | Secret, Key | + ## References - [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md) diff --git a/docs/use-cases/Certificate Store Operations/Store Types/azureappgw.md b/docs/use-cases/Certificate Store Operations/Store Types/azureappgw.md index 4570d5e7..268eb8b7 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/azureappgw.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/azureappgw.md @@ -99,7 +99,7 @@ Properties.ServerPassword Properties.ClientCertificate ``` -PAM-backed property secrets use provider and parameter columns: +PAM-backed property secrets use a provider column and provider-type-specific parameter columns. `Provider` identifies the configured PAM provider. `Parameters.*` must match the instance-level parameters for that provider type. ```csv Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters. 
@@ -107,6 +107,20 @@ Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters. ``` +Use the PAM parameter names in the table below, or check the provider type in Command if your environment uses custom PAM types. + +| PAM type | Provider-level parameters | Store CSV instance parameters | +| --- | --- | --- | +| `1Password-CLI` | Vault, Token | Item, Field | +| `Azure-KeyVault` | KeyVaultUri, AuthorityHost | SecretId | +| `Azure-KeyVault-ServicePrincipal` | KeyVaultUri, AuthorityHost, TenantId, ClientId, ClientSecret | SecretId | +| `BeyondTrust-PasswordSafe` | Host, APIKey, Username, ClientCertificate | SystemId, AccountId | +| `CyberArk-CentralCredentialProvider` | AppId, Host, Site | Safe, Folder, Object | +| `CyberArk-SdkCredentialProvider` | AppId | Safe, Folder, Object | +| `Delinea-SecretServer` | Host, Username, Password, ClientId, ClientSecret, GrantType | SecretId, SecretFieldName | +| `GCP-SecretManager` | projectId | secretId | +| `Hashicorp-Vault` | Host, Token, Path | Secret, Key | + ## References - [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md) diff --git a/docs/use-cases/Certificate Store Operations/Store Types/azuresp.md b/docs/use-cases/Certificate Store Operations/Store Types/azuresp.md index 36f81f2a..c25639a9 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/azuresp.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/azuresp.md @@ -99,7 +99,7 @@ Properties.ServerPassword Properties.ClientCertificate ``` -PAM-backed property secrets use provider and parameter columns: +PAM-backed property secrets use a provider column and provider-type-specific parameter columns. `Provider` identifies the configured PAM provider. `Parameters.*` must match the instance-level parameters for that provider type. ```csv Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters. 
@@ -107,6 +107,20 @@ Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters. ``` +Use the PAM parameter names in the table below, or check the provider type in Command if your environment uses custom PAM types. + +| PAM type | Provider-level parameters | Store CSV instance parameters | +| --- | --- | --- | +| `1Password-CLI` | Vault, Token | Item, Field | +| `Azure-KeyVault` | KeyVaultUri, AuthorityHost | SecretId | +| `Azure-KeyVault-ServicePrincipal` | KeyVaultUri, AuthorityHost, TenantId, ClientId, ClientSecret | SecretId | +| `BeyondTrust-PasswordSafe` | Host, APIKey, Username, ClientCertificate | SystemId, AccountId | +| `CyberArk-CentralCredentialProvider` | AppId, Host, Site | Safe, Folder, Object | +| `CyberArk-SdkCredentialProvider` | AppId | Safe, Folder, Object | +| `Delinea-SecretServer` | Host, Username, Password, ClientId, ClientSecret, GrantType | SecretId, SecretFieldName | +| `GCP-SecretManager` | projectId | secretId | +| `Hashicorp-Vault` | Host, Token, Path | Secret, Key | + ## References - [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md) diff --git a/docs/use-cases/Certificate Store Operations/Store Types/azuresp2.md b/docs/use-cases/Certificate Store Operations/Store Types/azuresp2.md index 430ea39e..7ab277ea 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/azuresp2.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/azuresp2.md @@ -100,7 +100,7 @@ Properties.ClientCertificate Properties.ClientCertificatePassword ``` -PAM-backed property secrets use provider and parameter columns: +PAM-backed property secrets use a provider column and provider-type-specific parameter columns. `Provider` identifies the configured PAM provider. `Parameters.*` must match the instance-level parameters for that provider type. ```csv Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters. 
@@ -109,6 +109,20 @@ Properties.ClientCertificate.Provider,Properties.ClientCertificate.Parameters.

``` +Use the PAM parameter names in the table below, or check the provider type in Command if your environment uses custom PAM types. + +| PAM type | Provider-level parameters | Store CSV instance parameters | +| --- | --- | --- | +| `1Password-CLI` | Vault, Token | Item, Field | +| `Azure-KeyVault` | KeyVaultUri, AuthorityHost | SecretId | +| `Azure-KeyVault-ServicePrincipal` | KeyVaultUri, AuthorityHost, TenantId, ClientId, ClientSecret | SecretId | +| `BeyondTrust-PasswordSafe` | Host, APIKey, Username, ClientCertificate | SystemId, AccountId | +| `CyberArk-CentralCredentialProvider` | AppId, Host, Site | Safe, Folder, Object | +| `CyberArk-SdkCredentialProvider` | AppId | Safe, Folder, Object | +| `Delinea-SecretServer` | Host, Username, Password, ClientId, ClientSecret, GrantType | SecretId, SecretFieldName | +| `GCP-SecretManager` | projectId | secretId | +| `Hashicorp-Vault` | Host, Token, Path | Secret, Key | + ## References - [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md) diff --git a/docs/use-cases/Certificate Store Operations/Store Types/bmc.md b/docs/use-cases/Certificate Store Operations/Store Types/bmc.md index af6b9bc5..9032ad41 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/bmc.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/bmc.md 
@@ -110,13 +110,27 @@ Properties.ServerUsername Properties.ServerPassword ``` -PAM-backed property secrets use provider and parameter columns: +PAM-backed property secrets use a provider column and provider-type-specific parameter columns. `Provider` identifies the configured PAM provider. `Parameters.*` must match the instance-level parameters for that provider type. ```csv Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters. Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters. ``` +Use the PAM parameter names in the table below, or check the provider type in Command if your environment uses custom PAM types. + +| PAM type | Provider-level parameters | Store CSV instance parameters | +| --- | --- | --- | +| `1Password-CLI` | Vault, Token | Item, Field | +| `Azure-KeyVault` | KeyVaultUri, AuthorityHost | SecretId | +| `Azure-KeyVault-ServicePrincipal` | KeyVaultUri, AuthorityHost, TenantId, ClientId, ClientSecret | SecretId | +| `BeyondTrust-PasswordSafe` | Host, APIKey, Username, ClientCertificate | SystemId, AccountId | +| `CyberArk-CentralCredentialProvider` | AppId, Host, Site | Safe, Folder, Object | +| `CyberArk-SdkCredentialProvider` | AppId | Safe, Folder, Object | +| `Delinea-SecretServer` | Host, Username, Password, ClientId, ClientSecret, GrantType | SecretId, SecretFieldName | +| `GCP-SecretManager` | projectId | secretId | +| `Hashicorp-Vault` | Host, Token, Path | Secret, Key | + ## References - [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md) diff --git a/docs/use-cases/Certificate Store Operations/Store Types/boschipcamera.md b/docs/use-cases/Certificate Store Operations/Store Types/boschipcamera.md index d242c31b..ab0c1a27 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/boschipcamera.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/boschipcamera.md 
@@ -106,13 +106,27 @@ Properties.ServerUsername Properties.ServerPassword ``` -PAM-backed property secrets use provider and parameter columns: +PAM-backed property secrets use a provider column and provider-type-specific parameter columns. `Provider` identifies the configured PAM provider. `Parameters.*` must match the instance-level parameters for that provider type. ```csv Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters. Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters. ``` +Use the PAM parameter names in the table below, or check the provider type in Command if your environment uses custom PAM types. + +| PAM type | Provider-level parameters | Store CSV instance parameters | +| --- | --- | --- | +| `1Password-CLI` | Vault, Token | Item, Field | +| `Azure-KeyVault` | KeyVaultUri, AuthorityHost | SecretId | +| `Azure-KeyVault-ServicePrincipal` | KeyVaultUri, AuthorityHost, TenantId, ClientId, ClientSecret | SecretId | +| `BeyondTrust-PasswordSafe` | Host, APIKey, Username, ClientCertificate | SystemId, AccountId | +| `CyberArk-CentralCredentialProvider` | AppId, Host, Site | Safe, Folder, Object | +| `CyberArk-SdkCredentialProvider` | AppId | Safe, Folder, Object | +| `Delinea-SecretServer` | Host, Username, Password, ClientId, ClientSecret, GrantType | SecretId, SecretFieldName | +| `GCP-SecretManager` | projectId | secretId | +| `Hashicorp-Vault` | Host, Token, Path | Secret, Key | + ## References - [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md) diff --git a/docs/use-cases/Certificate Store Operations/Store Types/ciscoasa.md b/docs/use-cases/Certificate Store Operations/Store Types/ciscoasa.md index be85ce57..d9fa60f2 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/ciscoasa.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/ciscoasa.md 
@@ -105,13 +105,27 @@ Properties.ServerUsername
 Properties.ServerPassword
 ```
 
-PAM-backed property secrets use provider and parameter columns:
+PAM-backed property secrets use a provider column and provider-type-specific parameter columns. `Provider` identifies the configured PAM provider. `Parameters.*` must match the instance-level parameters for that provider type.
 
 ```csv
 Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters.
 Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.
 ```
 
+Use the PAM parameter names in the table below, or check the provider type in Command if your environment uses custom PAM types.
+
+| PAM type | Provider-level parameters | Store CSV instance parameters |
+| --- | --- | --- |
+| `1Password-CLI` | Vault, Token | Item, Field |
+| `Azure-KeyVault` | KeyVaultUri, AuthorityHost | SecretId |
+| `Azure-KeyVault-ServicePrincipal` | KeyVaultUri, AuthorityHost, TenantId, ClientId, ClientSecret | SecretId |
+| `BeyondTrust-PasswordSafe` | Host, APIKey, Username, ClientCertificate | SystemId, AccountId |
+| `CyberArk-CentralCredentialProvider` | AppId, Host, Site | Safe, Folder, Object |
+| `CyberArk-SdkCredentialProvider` | AppId | Safe, Folder, Object |
+| `Delinea-SecretServer` | Host, Username, Password, ClientId, ClientSecret, GrantType | SecretId, SecretFieldName |
+| `GCP-SecretManager` | projectId | secretId |
+| `Hashicorp-Vault` | Host, Token, Path | Secret, Key |
+
 ## References
 
 - [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md)
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/citrixadc.md b/docs/use-cases/Certificate Store Operations/Store Types/citrixadc.md
index ce32b6a2..cd19a445 100644
--- a/docs/use-cases/Certificate Store Operations/Store Types/citrixadc.md
+++ b/docs/use-cases/Certificate Store Operations/Store Types/citrixadc.md
@@ -106,14 +106,28 @@ Properties.ServerUsername
 Properties.ServerPassword
 ```
 
-PAM-backed property secrets use provider and parameter columns:
+PAM-backed property secrets use a provider column and provider-type-specific parameter columns. `Provider` identifies the configured PAM provider. `Parameters.*` must match the instance-level parameters for that provider type.
 
 ```csv
 Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters.
 Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.
 ```
 
-The store password uses the `Password` column. For a PAM-backed store password, use `Password.Provider` and `Password.Parameters.` columns.
+Use the PAM parameter names in the table below, or check the provider type in Command if your environment uses custom PAM types.
+
+The store password uses the `Password` column. For a PAM-backed store password, use `Password.Provider` and `Password.Parameters.` columns. The `Parameters.*` columns must match the instance-level parameters for the configured PAM provider type.
+
+| PAM type | Provider-level parameters | Store CSV instance parameters |
+| --- | --- | --- |
+| `1Password-CLI` | Vault, Token | Item, Field |
+| `Azure-KeyVault` | KeyVaultUri, AuthorityHost | SecretId |
+| `Azure-KeyVault-ServicePrincipal` | KeyVaultUri, AuthorityHost, TenantId, ClientId, ClientSecret | SecretId |
+| `BeyondTrust-PasswordSafe` | Host, APIKey, Username, ClientCertificate | SystemId, AccountId |
+| `CyberArk-CentralCredentialProvider` | AppId, Host, Site | Safe, Folder, Object |
+| `CyberArk-SdkCredentialProvider` | AppId | Safe, Folder, Object |
+| `Delinea-SecretServer` | Host, Username, Password, ClientId, ClientSecret, GrantType | SecretId, SecretFieldName |
+| `GCP-SecretManager` | projectId | secretId |
+| `Hashicorp-Vault` | Host, Token, Path | Secret, Key |
 
 ## References
 
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/datapower.md b/docs/use-cases/Certificate Store Operations/Store Types/datapower.md
index 8c95bb67..958526f1 100644
--- a/docs/use-cases/Certificate Store Operations/Store Types/datapower.md
+++ b/docs/use-cases/Certificate Store Operations/Store Types/datapower.md
@@ -100,13 +100,27 @@ Properties.ServerUsername
 Properties.ServerPassword
 ```
 
-PAM-backed property secrets use provider and parameter columns:
+PAM-backed property secrets use a provider column and provider-type-specific parameter columns. `Provider` identifies the configured PAM provider. `Parameters.*` must match the instance-level parameters for that provider type.
 
 ```csv
 Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters.
 Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.
 ```
 
+Use the PAM parameter names in the table below, or check the provider type in Command if your environment uses custom PAM types.
+
+| PAM type | Provider-level parameters | Store CSV instance parameters |
+| --- | --- | --- |
+| `1Password-CLI` | Vault, Token | Item, Field |
+| `Azure-KeyVault` | KeyVaultUri, AuthorityHost | SecretId |
+| `Azure-KeyVault-ServicePrincipal` | KeyVaultUri, AuthorityHost, TenantId, ClientId, ClientSecret | SecretId |
+| `BeyondTrust-PasswordSafe` | Host, APIKey, Username, ClientCertificate | SystemId, AccountId |
+| `CyberArk-CentralCredentialProvider` | AppId, Host, Site | Safe, Folder, Object |
+| `CyberArk-SdkCredentialProvider` | AppId | Safe, Folder, Object |
+| `Delinea-SecretServer` | Host, Username, Password, ClientId, ClientSecret, GrantType | SecretId, SecretFieldName |
+| `GCP-SecretManager` | projectId | secretId |
+| `Hashicorp-Vault` | Host, Token, Path | Secret, Key |
+
 ## References
 
 - [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md)
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/f5-bigiq.md b/docs/use-cases/Certificate Store Operations/Store Types/f5-bigiq.md
index 4dd41efe..a8185202 100644
--- a/docs/use-cases/Certificate Store Operations/Store Types/f5-bigiq.md
+++ b/docs/use-cases/Certificate Store Operations/Store Types/f5-bigiq.md
@@ -95,13 +95,27 @@ Properties.ServerUsername
 Properties.ServerPassword
 ```
 
-PAM-backed property secrets use provider and parameter columns:
+PAM-backed property secrets use a provider column and provider-type-specific parameter columns. `Provider` identifies the configured PAM provider. `Parameters.*` must match the instance-level parameters for that provider type.
 
 ```csv
 Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters.
 Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.
 ```
 
+Use the PAM parameter names in the table below, or check the provider type in Command if your environment uses custom PAM types.
+
+| PAM type | Provider-level parameters | Store CSV instance parameters |
+| --- | --- | --- |
+| `1Password-CLI` | Vault, Token | Item, Field |
+| `Azure-KeyVault` | KeyVaultUri, AuthorityHost | SecretId |
+| `Azure-KeyVault-ServicePrincipal` | KeyVaultUri, AuthorityHost, TenantId, ClientId, ClientSecret | SecretId |
+| `BeyondTrust-PasswordSafe` | Host, APIKey, Username, ClientCertificate | SystemId, AccountId |
+| `CyberArk-CentralCredentialProvider` | AppId, Host, Site | Safe, Folder, Object |
+| `CyberArk-SdkCredentialProvider` | AppId | Safe, Folder, Object |
+| `Delinea-SecretServer` | Host, Username, Password, ClientId, ClientSecret, GrantType | SecretId, SecretFieldName |
+| `GCP-SecretManager` | projectId | secretId |
+| `Hashicorp-Vault` | Host, Token, Path | Secret, Key |
+
 ## References
 
 - [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md)
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/f5-ca-rest.md b/docs/use-cases/Certificate Store Operations/Store Types/f5-ca-rest.md
index fd24c0f0..30c0edfb 100644
--- a/docs/use-cases/Certificate Store Operations/Store Types/f5-ca-rest.md
+++ b/docs/use-cases/Certificate Store Operations/Store Types/f5-ca-rest.md
@@ -102,13 +102,27 @@ Properties.ServerUsername
 Properties.ServerPassword
 ```
 
-PAM-backed property secrets use provider and parameter columns:
+PAM-backed property secrets use a provider column and provider-type-specific parameter columns. `Provider` identifies the configured PAM provider. `Parameters.*` must match the instance-level parameters for that provider type.
 
 ```csv
 Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters.
 Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.
 ```
 
+Use the PAM parameter names in the table below, or check the provider type in Command if your environment uses custom PAM types.
+
+| PAM type | Provider-level parameters | Store CSV instance parameters |
+| --- | --- | --- |
+| `1Password-CLI` | Vault, Token | Item, Field |
+| `Azure-KeyVault` | KeyVaultUri, AuthorityHost | SecretId |
+| `Azure-KeyVault-ServicePrincipal` | KeyVaultUri, AuthorityHost, TenantId, ClientId, ClientSecret | SecretId |
+| `BeyondTrust-PasswordSafe` | Host, APIKey, Username, ClientCertificate | SystemId, AccountId |
+| `CyberArk-CentralCredentialProvider` | AppId, Host, Site | Safe, Folder, Object |
+| `CyberArk-SdkCredentialProvider` | AppId | Safe, Folder, Object |
+| `Delinea-SecretServer` | Host, Username, Password, ClientId, ClientSecret, GrantType | SecretId, SecretFieldName |
+| `GCP-SecretManager` | projectId | secretId |
+| `Hashicorp-Vault` | Host, Token, Path | Secret, Key |
+
 ## References
 
 - [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md)
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/f5-sl-rest.md b/docs/use-cases/Certificate Store Operations/Store Types/f5-sl-rest.md
index 558b2259..1cc3e5ee 100644
--- a/docs/use-cases/Certificate Store Operations/Store Types/f5-sl-rest.md
+++ b/docs/use-cases/Certificate Store Operations/Store Types/f5-sl-rest.md
@@ -111,14 +111,28 @@ Properties.ServerUsername
 Properties.ServerPassword
 ```
 
-PAM-backed property secrets use provider and parameter columns:
+PAM-backed property secrets use a provider column and provider-type-specific parameter columns. `Provider` identifies the configured PAM provider. `Parameters.*` must match the instance-level parameters for that provider type.
 
 ```csv
 Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters.
 Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.
 ```
 
-The store password uses the `Password` column. For a PAM-backed store password, use `Password.Provider` and `Password.Parameters.` columns.
+Use the PAM parameter names in the table below, or check the provider type in Command if your environment uses custom PAM types.
+
+The store password uses the `Password` column. For a PAM-backed store password, use `Password.Provider` and `Password.Parameters.` columns. The `Parameters.*` columns must match the instance-level parameters for the configured PAM provider type.
+
+| PAM type | Provider-level parameters | Store CSV instance parameters |
+| --- | --- | --- |
+| `1Password-CLI` | Vault, Token | Item, Field |
+| `Azure-KeyVault` | KeyVaultUri, AuthorityHost | SecretId |
+| `Azure-KeyVault-ServicePrincipal` | KeyVaultUri, AuthorityHost, TenantId, ClientId, ClientSecret | SecretId |
+| `BeyondTrust-PasswordSafe` | Host, APIKey, Username, ClientCertificate | SystemId, AccountId |
+| `CyberArk-CentralCredentialProvider` | AppId, Host, Site | Safe, Folder, Object |
+| `CyberArk-SdkCredentialProvider` | AppId | Safe, Folder, Object |
+| `Delinea-SecretServer` | Host, Username, Password, ClientId, ClientSecret, GrantType | SecretId, SecretFieldName |
+| `GCP-SecretManager` | projectId | secretId |
+| `Hashicorp-Vault` | Host, Token, Path | Secret, Key |
 
 ## References
 
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/f5-ws-rest.md b/docs/use-cases/Certificate Store Operations/Store Types/f5-ws-rest.md
index 5e515e40..ddd12119 100644
--- a/docs/use-cases/Certificate Store Operations/Store Types/f5-ws-rest.md
+++ b/docs/use-cases/Certificate Store Operations/Store Types/f5-ws-rest.md
@@ -102,13 +102,27 @@ Properties.ServerUsername
 Properties.ServerPassword
 ```
 
-PAM-backed property secrets use provider and parameter columns:
+PAM-backed property secrets use a provider column and provider-type-specific parameter columns. `Provider` identifies the configured PAM provider. `Parameters.*` must match the instance-level parameters for that provider type.
 
 ```csv
 Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters.
 Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.
 ```
 
+Use the PAM parameter names in the table below, or check the provider type in Command if your environment uses custom PAM types.
+
+| PAM type | Provider-level parameters | Store CSV instance parameters |
+| --- | --- | --- |
+| `1Password-CLI` | Vault, Token | Item, Field |
+| `Azure-KeyVault` | KeyVaultUri, AuthorityHost | SecretId |
+| `Azure-KeyVault-ServicePrincipal` | KeyVaultUri, AuthorityHost, TenantId, ClientId, ClientSecret | SecretId |
+| `BeyondTrust-PasswordSafe` | Host, APIKey, Username, ClientCertificate | SystemId, AccountId |
+| `CyberArk-CentralCredentialProvider` | AppId, Host, Site | Safe, Folder, Object |
+| `CyberArk-SdkCredentialProvider` | AppId | Safe, Folder, Object |
+| `Delinea-SecretServer` | Host, Username, Password, ClientId, ClientSecret, GrantType | SecretId, SecretFieldName |
+| `GCP-SecretManager` | projectId | secretId |
+| `Hashicorp-Vault` | Host, Token, Path | Secret, Key |
+
 ## References
 
 - [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md)
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/f5wafca.md b/docs/use-cases/Certificate Store Operations/Store Types/f5wafca.md
index dba6eb3d..09d229aa 100644
--- a/docs/use-cases/Certificate Store Operations/Store Types/f5wafca.md
+++ b/docs/use-cases/Certificate Store Operations/Store Types/f5wafca.md
@@ -95,13 +95,27 @@ Properties.ServerUsername
 Properties.ServerPassword
 ```
 
-PAM-backed property secrets use provider and parameter columns:
+PAM-backed property secrets use a provider column and provider-type-specific parameter columns. `Provider` identifies the configured PAM provider. `Parameters.*` must match the instance-level parameters for that provider type.
 
 ```csv
 Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters.
 Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.
 ```
 
+Use the PAM parameter names in the table below, or check the provider type in Command if your environment uses custom PAM types.
+
+| PAM type | Provider-level parameters | Store CSV instance parameters |
+| --- | --- | --- |
+| `1Password-CLI` | Vault, Token | Item, Field |
+| `Azure-KeyVault` | KeyVaultUri, AuthorityHost | SecretId |
+| `Azure-KeyVault-ServicePrincipal` | KeyVaultUri, AuthorityHost, TenantId, ClientId, ClientSecret | SecretId |
+| `BeyondTrust-PasswordSafe` | Host, APIKey, Username, ClientCertificate | SystemId, AccountId |
+| `CyberArk-CentralCredentialProvider` | AppId, Host, Site | Safe, Folder, Object |
+| `CyberArk-SdkCredentialProvider` | AppId | Safe, Folder, Object |
+| `Delinea-SecretServer` | Host, Username, Password, ClientId, ClientSecret, GrantType | SecretId, SecretFieldName |
+| `GCP-SecretManager` | projectId | secretId |
+| `Hashicorp-Vault` | Host, Token, Path | Secret, Key |
+
 ## References
 
 - [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md)
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/f5waftls.md b/docs/use-cases/Certificate Store Operations/Store Types/f5waftls.md
index 2fd6df88..1b836402 100644
--- a/docs/use-cases/Certificate Store Operations/Store Types/f5waftls.md
+++ b/docs/use-cases/Certificate Store Operations/Store Types/f5waftls.md
@@ -95,13 +95,27 @@ Properties.ServerUsername
 Properties.ServerPassword
 ```
 
-PAM-backed property secrets use provider and parameter columns:
+PAM-backed property secrets use a provider column and provider-type-specific parameter columns. `Provider` identifies the configured PAM provider. `Parameters.*` must match the instance-level parameters for that provider type.
 
 ```csv
 Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters.
 Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.
 ```
 
+Use the PAM parameter names in the table below, or check the provider type in Command if your environment uses custom PAM types.
+
+| PAM type | Provider-level parameters | Store CSV instance parameters |
+| --- | --- | --- |
+| `1Password-CLI` | Vault, Token | Item, Field |
+| `Azure-KeyVault` | KeyVaultUri, AuthorityHost | SecretId |
+| `Azure-KeyVault-ServicePrincipal` | KeyVaultUri, AuthorityHost, TenantId, ClientId, ClientSecret | SecretId |
+| `BeyondTrust-PasswordSafe` | Host, APIKey, Username, ClientCertificate | SystemId, AccountId |
+| `CyberArk-CentralCredentialProvider` | AppId, Host, Site | Safe, Folder, Object |
+| `CyberArk-SdkCredentialProvider` | AppId | Safe, Folder, Object |
+| `Delinea-SecretServer` | Host, Username, Password, ClientId, ClientSecret, GrantType | SecretId, SecretFieldName |
+| `GCP-SecretManager` | projectId | secretId |
+| `Hashicorp-Vault` | Host, Token, Path | Secret, Key |
+
 ## References
 
 - [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md)
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/fortigate.md b/docs/use-cases/Certificate Store Operations/Store Types/fortigate.md
index 5486b8ef..5b861e04 100644
--- a/docs/use-cases/Certificate Store Operations/Store Types/fortigate.md
+++ b/docs/use-cases/Certificate Store Operations/Store Types/fortigate.md
@@ -85,7 +85,19 @@ This store type does not define additional `Properties.*` CSV columns.
 
 ## Secret And PAM Formatting
 
-The store password uses the `Password` column. For a PAM-backed store password, use `Password.Provider` and `Password.Parameters.` columns.
+The store password uses the `Password` column. For a PAM-backed store password, use `Password.Provider` and `Password.Parameters.` columns. The `Parameters.*` columns must match the instance-level parameters for the configured PAM provider type.
+
+| PAM type | Provider-level parameters | Store CSV instance parameters |
+| --- | --- | --- |
+| `1Password-CLI` | Vault, Token | Item, Field |
+| `Azure-KeyVault` | KeyVaultUri, AuthorityHost | SecretId |
+| `Azure-KeyVault-ServicePrincipal` | KeyVaultUri, AuthorityHost, TenantId, ClientId, ClientSecret | SecretId |
+| `BeyondTrust-PasswordSafe` | Host, APIKey, Username, ClientCertificate | SystemId, AccountId |
+| `CyberArk-CentralCredentialProvider` | AppId, Host, Site | Safe, Folder, Object |
+| `CyberArk-SdkCredentialProvider` | AppId | Safe, Folder, Object |
+| `Delinea-SecretServer` | Host, Username, Password, ClientId, ClientSecret, GrantType | SecretId, SecretFieldName |
+| `GCP-SecretManager` | projectId | secretId |
+| `Hashicorp-Vault` | Host, Token, Path | Secret, Key |
 
 ## References
 
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/fortiweb.md b/docs/use-cases/Certificate Store Operations/Store Types/fortiweb.md
index 8595ac9d..964c6d99 100644
--- a/docs/use-cases/Certificate Store Operations/Store Types/fortiweb.md
+++ b/docs/use-cases/Certificate Store Operations/Store Types/fortiweb.md
@@ -97,13 +97,27 @@ Properties.ServerUsername
 Properties.ServerPassword
 ```
 
-PAM-backed property secrets use provider and parameter columns:
+PAM-backed property secrets use a provider column and provider-type-specific parameter columns. `Provider` identifies the configured PAM provider. `Parameters.*` must match the instance-level parameters for that provider type.
 
 ```csv
 Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters.
 Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.
 ```
 
+Use the PAM parameter names in the table below, or check the provider type in Command if your environment uses custom PAM types.
+
+| PAM type | Provider-level parameters | Store CSV instance parameters |
+| --- | --- | --- |
+| `1Password-CLI` | Vault, Token | Item, Field |
+| `Azure-KeyVault` | KeyVaultUri, AuthorityHost | SecretId |
+| `Azure-KeyVault-ServicePrincipal` | KeyVaultUri, AuthorityHost, TenantId, ClientId, ClientSecret | SecretId |
+| `BeyondTrust-PasswordSafe` | Host, APIKey, Username, ClientCertificate | SystemId, AccountId |
+| `CyberArk-CentralCredentialProvider` | AppId, Host, Site | Safe, Folder, Object |
+| `CyberArk-SdkCredentialProvider` | AppId | Safe, Folder, Object |
+| `Delinea-SecretServer` | Host, Username, Password, ClientId, ClientSecret, GrantType | SecretId, SecretFieldName |
+| `GCP-SecretManager` | projectId | secretId |
+| `Hashicorp-Vault` | Host, Token, Path | Secret, Key |
+
 ## References
 
 - [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md)
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/gcpapigee.md b/docs/use-cases/Certificate Store Operations/Store Types/gcpapigee.md
index b42c68d0..08ca3c20 100644
--- a/docs/use-cases/Certificate Store Operations/Store Types/gcpapigee.md
+++ b/docs/use-cases/Certificate Store Operations/Store Types/gcpapigee.md
@@ -94,12 +94,26 @@ Direct secret values go in the base property column. If the secret value is JSON
 Properties.jsonKey
 ```
 
-PAM-backed property secrets use provider and parameter columns:
+PAM-backed property secrets use a provider column and provider-type-specific parameter columns. `Provider` identifies the configured PAM provider. `Parameters.*` must match the instance-level parameters for that provider type.
 
 ```csv
 Properties.jsonKey.Provider,Properties.jsonKey.Parameters.
 ```
 
+Use the PAM parameter names in the table below, or check the provider type in Command if your environment uses custom PAM types.
+
+| PAM type | Provider-level parameters | Store CSV instance parameters |
+| --- | --- | --- |
+| `1Password-CLI` | Vault, Token | Item, Field |
+| `Azure-KeyVault` | KeyVaultUri, AuthorityHost | SecretId |
+| `Azure-KeyVault-ServicePrincipal` | KeyVaultUri, AuthorityHost, TenantId, ClientId, ClientSecret | SecretId |
+| `BeyondTrust-PasswordSafe` | Host, APIKey, Username, ClientCertificate | SystemId, AccountId |
+| `CyberArk-CentralCredentialProvider` | AppId, Host, Site | Safe, Folder, Object |
+| `CyberArk-SdkCredentialProvider` | AppId | Safe, Folder, Object |
+| `Delinea-SecretServer` | Host, Username, Password, ClientId, ClientSecret, GrantType | SecretId, SecretFieldName |
+| `GCP-SecretManager` | projectId | secretId |
+| `Hashicorp-Vault` | Host, Token, Path | Secret, Key |
+
 ## References
 
 - [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md)
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/gcploadbal.md b/docs/use-cases/Certificate Store Operations/Store Types/gcploadbal.md
index 2f8d0943..2a036cd8 100644
--- a/docs/use-cases/Certificate Store Operations/Store Types/gcploadbal.md
+++ b/docs/use-cases/Certificate Store Operations/Store Types/gcploadbal.md
@@ -93,12 +93,26 @@ Direct secret values go in the base property column. If the secret value is JSON
 Properties.jsonKey
 ```
 
-PAM-backed property secrets use provider and parameter columns:
+PAM-backed property secrets use a provider column and provider-type-specific parameter columns. `Provider` identifies the configured PAM provider. `Parameters.*` must match the instance-level parameters for that provider type.
 
 ```csv
 Properties.jsonKey.Provider,Properties.jsonKey.Parameters.
 ```
 
+Use the PAM parameter names in the table below, or check the provider type in Command if your environment uses custom PAM types.
+
+| PAM type | Provider-level parameters | Store CSV instance parameters |
+| --- | --- | --- |
+| `1Password-CLI` | Vault, Token | Item, Field |
+| `Azure-KeyVault` | KeyVaultUri, AuthorityHost | SecretId |
+| `Azure-KeyVault-ServicePrincipal` | KeyVaultUri, AuthorityHost, TenantId, ClientId, ClientSecret | SecretId |
+| `BeyondTrust-PasswordSafe` | Host, APIKey, Username, ClientCertificate | SystemId, AccountId |
+| `CyberArk-CentralCredentialProvider` | AppId, Host, Site | Safe, Folder, Object |
+| `CyberArk-SdkCredentialProvider` | AppId | Safe, Folder, Object |
+| `Delinea-SecretServer` | Host, Username, Password, ClientId, ClientSecret, GrantType | SecretId, SecretFieldName |
+| `GCP-SecretManager` | projectId | secretId |
+| `Hashicorp-Vault` | Host, Token, Path | Secret, Key |
+
 ## References
 
 - [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md)
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/gcpscrtmgr.md b/docs/use-cases/Certificate Store Operations/Store Types/gcpscrtmgr.md
index 45c4b9c0..ca060336 100644
--- a/docs/use-cases/Certificate Store Operations/Store Types/gcpscrtmgr.md
+++ b/docs/use-cases/Certificate Store Operations/Store Types/gcpscrtmgr.md
@@ -96,7 +96,19 @@ These parameters apply to certificate add/enrollment operations for this store t
 
 ## Secret And PAM Formatting
 
-The store password uses the `Password` column. For a PAM-backed store password, use `Password.Provider` and `Password.Parameters.` columns.
+The store password uses the `Password` column. For a PAM-backed store password, use `Password.Provider` and `Password.Parameters.` columns. The `Parameters.*` columns must match the instance-level parameters for the configured PAM provider type.
+
+| PAM type | Provider-level parameters | Store CSV instance parameters |
+| --- | --- | --- |
+| `1Password-CLI` | Vault, Token | Item, Field |
+| `Azure-KeyVault` | KeyVaultUri, AuthorityHost | SecretId |
+| `Azure-KeyVault-ServicePrincipal` | KeyVaultUri, AuthorityHost, TenantId, ClientId, ClientSecret | SecretId |
+| `BeyondTrust-PasswordSafe` | Host, APIKey, Username, ClientCertificate | SystemId, AccountId |
+| `CyberArk-CentralCredentialProvider` | AppId, Host, Site | Safe, Folder, Object |
+| `CyberArk-SdkCredentialProvider` | AppId | Safe, Folder, Object |
+| `Delinea-SecretServer` | Host, Username, Password, ClientId, ClientSecret, GrantType | SecretId, SecretFieldName |
+| `GCP-SecretManager` | projectId | secretId |
+| `Hashicorp-Vault` | Host, Token, Path | Secret, Key |
 
 ## References
 
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/hcvkvjks.md b/docs/use-cases/Certificate Store Operations/Store Types/hcvkvjks.md
index 2462184d..47468c07 100644
--- a/docs/use-cases/Certificate Store Operations/Store Types/hcvkvjks.md
+++ b/docs/use-cases/Certificate Store Operations/Store Types/hcvkvjks.md
@@ -98,14 +98,28 @@ Properties.ServerUsername
 Properties.ServerPassword
 ```
 
-PAM-backed property secrets use provider and parameter columns:
+PAM-backed property secrets use a provider column and provider-type-specific parameter columns. `Provider` identifies the configured PAM provider. `Parameters.*` must match the instance-level parameters for that provider type.
 
 ```csv
 Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters.
 Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.
 ```
 
-The store password uses the `Password` column. For a PAM-backed store password, use `Password.Provider` and `Password.Parameters.` columns.
+Use the PAM parameter names in the table below, or check the provider type in Command if your environment uses custom PAM types.
+
+The store password uses the `Password` column. For a PAM-backed store password, use `Password.Provider` and `Password.Parameters.` columns. The `Parameters.*` columns must match the instance-level parameters for the configured PAM provider type.
+
+| PAM type | Provider-level parameters | Store CSV instance parameters |
+| --- | --- | --- |
+| `1Password-CLI` | Vault, Token | Item, Field |
+| `Azure-KeyVault` | KeyVaultUri, AuthorityHost | SecretId |
+| `Azure-KeyVault-ServicePrincipal` | KeyVaultUri, AuthorityHost, TenantId, ClientId, ClientSecret | SecretId |
+| `BeyondTrust-PasswordSafe` | Host, APIKey, Username, ClientCertificate | SystemId, AccountId |
+| `CyberArk-CentralCredentialProvider` | AppId, Host, Site | Safe, Folder, Object |
+| `CyberArk-SdkCredentialProvider` | AppId | Safe, Folder, Object |
+| `Delinea-SecretServer` | Host, Username, Password, ClientId, ClientSecret, GrantType | SecretId, SecretFieldName |
+| `GCP-SecretManager` | projectId | secretId |
+| `Hashicorp-Vault` | Host, Token, Path | Secret, Key |
 
 ## References
 
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/hcvkvp12.md b/docs/use-cases/Certificate Store Operations/Store Types/hcvkvp12.md
index f56e2674..b2e67d6c 100644
--- a/docs/use-cases/Certificate Store Operations/Store Types/hcvkvp12.md
+++ b/docs/use-cases/Certificate Store Operations/Store Types/hcvkvp12.md
@@ -98,14 +98,28 @@ Properties.ServerUsername
 Properties.ServerPassword
 ```
 
-PAM-backed property secrets use provider and parameter columns:
+PAM-backed property secrets use a provider column and provider-type-specific parameter columns. `Provider` identifies the configured PAM provider. `Parameters.*` must match the instance-level parameters for that provider type.
 
 ```csv
 Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters.
 Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.
 ```
 
-The store password uses the `Password` column. For a PAM-backed store password, use `Password.Provider` and `Password.Parameters.` columns.
+Use the PAM parameter names in the table below, or check the provider type in Command if your environment uses custom PAM types.
+
+The store password uses the `Password` column. For a PAM-backed store password, use `Password.Provider` and `Password.Parameters.` columns. The `Parameters.*` columns must match the instance-level parameters for the configured PAM provider type.
+
+| PAM type | Provider-level parameters | Store CSV instance parameters |
+| --- | --- | --- |
+| `1Password-CLI` | Vault, Token | Item, Field |
+| `Azure-KeyVault` | KeyVaultUri, AuthorityHost | SecretId |
+| `Azure-KeyVault-ServicePrincipal` | KeyVaultUri, AuthorityHost, TenantId, ClientId, ClientSecret | SecretId |
+| `BeyondTrust-PasswordSafe` | Host, APIKey, Username, ClientCertificate | SystemId, AccountId |
+| `CyberArk-CentralCredentialProvider` | AppId, Host, Site | Safe, Folder, Object |
+| `CyberArk-SdkCredentialProvider` | AppId | Safe, Folder, Object |
+| `Delinea-SecretServer` | Host, Username, Password, ClientId, ClientSecret, GrantType | SecretId, SecretFieldName |
+| `GCP-SecretManager` | projectId | secretId |
+| `Hashicorp-Vault` | Host, Token, Path | Secret, Key |
 
 ## References
 
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/hcvkvpem.md b/docs/use-cases/Certificate Store Operations/Store Types/hcvkvpem.md
index e3f06975..826dd951 100644
--- a/docs/use-cases/Certificate Store Operations/Store Types/hcvkvpem.md
+++ b/docs/use-cases/Certificate Store Operations/Store Types/hcvkvpem.md
@@ -98,14 +98,28 @@ Properties.ServerUsername Properties.ServerPassword ``` -PAM-backed property secrets use provider and parameter columns: +PAM-backed property secrets use a provider column and provider-type-specific parameter columns. `Provider` identifies the configured PAM provider. `Parameters.*` must match the instance-level parameters for that provider type. ```csv Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters. Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters. ``` -The store password uses the `Password` column. For a PAM-backed store password, use `Password.Provider` and `Password.Parameters.` columns. +Use the PAM parameter names in the table below, or check the provider type in Command if your environment uses custom PAM types. + +The store password uses the `Password` column. For a PAM-backed store password, use `Password.Provider` and `Password.Parameters.` columns. The `Parameters.*` columns must match the instance-level parameters for the configured PAM provider type. + +| PAM type | Provider-level parameters | Store CSV instance parameters | +| --- | --- | --- | +| `1Password-CLI` | Vault, Token | Item, Field | +| `Azure-KeyVault` | KeyVaultUri, AuthorityHost | SecretId | +| `Azure-KeyVault-ServicePrincipal` | KeyVaultUri, AuthorityHost, TenantId, ClientId, ClientSecret | SecretId | +| `BeyondTrust-PasswordSafe` | Host, APIKey, Username, ClientCertificate | SystemId, AccountId | +| `CyberArk-CentralCredentialProvider` | AppId, Host, Site | Safe, Folder, Object | +| `CyberArk-SdkCredentialProvider` | AppId | Safe, Folder, Object | +| `Delinea-SecretServer` | Host, Username, Password, ClientId, ClientSecret, GrantType | SecretId, SecretFieldName | +| `GCP-SecretManager` | projectId | secretId | +| `Hashicorp-Vault` | Host, Token, Path | Secret, Key | ## References 
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/hcvkvpfx.md b/docs/use-cases/Certificate Store Operations/Store Types/hcvkvpfx.md index 1d458ca4..107cec6e 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/hcvkvpfx.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/hcvkvpfx.md 
@@ -98,14 +98,28 @@ Properties.ServerUsername Properties.ServerPassword ``` -PAM-backed property secrets use provider and parameter columns: +PAM-backed property secrets use a provider column and provider-type-specific parameter columns. `Provider` identifies the configured PAM provider. `Parameters.*` must match the instance-level parameters for that provider type. ```csv Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters. Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters. ``` -The store password uses the `Password` column. For a PAM-backed store password, use `Password.Provider` and `Password.Parameters.` columns. +Use the PAM parameter names in the table below, or check the provider type in Command if your environment uses custom PAM types. + +The store password uses the `Password` column. For a PAM-backed store password, use `Password.Provider` and `Password.Parameters.` columns. The `Parameters.*` columns must match the instance-level parameters for the configured PAM provider type. + +| PAM type | Provider-level parameters | Store CSV instance parameters | +| --- | --- | --- | +| `1Password-CLI` | Vault, Token | Item, Field | +| `Azure-KeyVault` | KeyVaultUri, AuthorityHost | SecretId | +| `Azure-KeyVault-ServicePrincipal` | KeyVaultUri, AuthorityHost, TenantId, ClientId, ClientSecret | SecretId | +| `BeyondTrust-PasswordSafe` | Host, APIKey, Username, ClientCertificate | SystemId, AccountId | +| `CyberArk-CentralCredentialProvider` | AppId, Host, Site | Safe, Folder, Object | +| `CyberArk-SdkCredentialProvider` | AppId | Safe, Folder, Object | +| `Delinea-SecretServer` | Host, Username, Password, ClientId, ClientSecret, GrantType | SecretId, SecretFieldName | +| `GCP-SecretManager` | projectId | secretId | +| `Hashicorp-Vault` | Host, Token, Path | Secret, Key | ## References 
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/hcvpki.md b/docs/use-cases/Certificate Store Operations/Store Types/hcvpki.md index 22bf6aa1..7381e6ab 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/hcvpki.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/hcvpki.md 
@@ -97,14 +97,28 @@ Properties.ServerUsername Properties.ServerPassword ``` -PAM-backed property secrets use provider and parameter columns: +PAM-backed property secrets use a provider column and provider-type-specific parameter columns. `Provider` identifies the configured PAM provider. `Parameters.*` must match the instance-level parameters for that provider type. ```csv Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters. Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters. ``` -The store password uses the `Password` column. For a PAM-backed store password, use `Password.Provider` and `Password.Parameters.` columns. +Use the PAM parameter names in the table below, or check the provider type in Command if your environment uses custom PAM types. + +The store password uses the `Password` column. For a PAM-backed store password, use `Password.Provider` and `Password.Parameters.` columns. The `Parameters.*` columns must match the instance-level parameters for the configured PAM provider type. + +| PAM type | Provider-level parameters | Store CSV instance parameters | +| --- | --- | --- | +| `1Password-CLI` | Vault, Token | Item, Field | +| `Azure-KeyVault` | KeyVaultUri, AuthorityHost | SecretId | +| `Azure-KeyVault-ServicePrincipal` | KeyVaultUri, AuthorityHost, TenantId, ClientId, ClientSecret | SecretId | +| `BeyondTrust-PasswordSafe` | Host, APIKey, Username, ClientCertificate | SystemId, AccountId | +| `CyberArk-CentralCredentialProvider` | AppId, Host, Site | Safe, Folder, Object | +| `CyberArk-SdkCredentialProvider` | AppId | Safe, Folder, Object | +| `Delinea-SecretServer` | Host, Username, Password, ClientId, ClientSecret, GrantType | SecretId, SecretFieldName | +| `GCP-SecretManager` | projectId | secretId | +| `Hashicorp-Vault` | Host, Token, Path | Secret, Key | ## References 
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/idrac.md b/docs/use-cases/Certificate Store Operations/Store Types/idrac.md index 5b70933e..918cb8f3 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/idrac.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/idrac.md @@ -95,13 +95,27 @@ Properties.ServerUsername Properties.ServerPassword ``` -PAM-backed property secrets use provider and parameter columns: +PAM-backed property secrets use a provider column and provider-type-specific parameter columns. `Provider` identifies the configured PAM provider. `Parameters.*` must match the instance-level parameters for that provider type. ```csv Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters. Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters. ``` +Use the PAM parameter names in the table below, or check the provider type in Command if your environment uses custom PAM types. + +| PAM type | Provider-level parameters | Store CSV instance parameters | +| --- | --- | --- | +| `1Password-CLI` | Vault, Token | Item, Field | +| `Azure-KeyVault` | KeyVaultUri, AuthorityHost | SecretId | +| `Azure-KeyVault-ServicePrincipal` | KeyVaultUri, AuthorityHost, TenantId, ClientId, ClientSecret | SecretId | +| `BeyondTrust-PasswordSafe` | Host, APIKey, Username, ClientCertificate | SystemId, AccountId | +| `CyberArk-CentralCredentialProvider` | AppId, Host, Site | Safe, Folder, Object | +| `CyberArk-SdkCredentialProvider` | AppId | Safe, Folder, Object | +| `Delinea-SecretServer` | Host, Username, Password, ClientId, ClientSecret, GrantType | SecretId, SecretFieldName | +| `GCP-SecretManager` | projectId | secretId | +| `Hashicorp-Vault` | Host, Token, Path | Secret, Key | + ## References - [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md) 
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/iisu.md b/docs/use-cases/Certificate Store Operations/Store Types/iisu.md index a5cbd2be..5c58796e 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/iisu.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/iisu.md @@ -113,13 +113,27 @@ Properties.ServerUsername Properties.ServerPassword ``` -PAM-backed property secrets use provider and parameter columns: +PAM-backed property secrets use a provider column and provider-type-specific parameter columns. `Provider` identifies the configured PAM provider. `Parameters.*` must match the instance-level parameters for that provider type. ```csv Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters. Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters. ``` +Use the PAM parameter names in the table below, or check the provider type in Command if your environment uses custom PAM types. + +| PAM type | Provider-level parameters | Store CSV instance parameters | +| --- | --- | --- | +| `1Password-CLI` | Vault, Token | Item, Field | +| `Azure-KeyVault` | KeyVaultUri, AuthorityHost | SecretId | +| `Azure-KeyVault-ServicePrincipal` | KeyVaultUri, AuthorityHost, TenantId, ClientId, ClientSecret | SecretId | +| `BeyondTrust-PasswordSafe` | Host, APIKey, Username, ClientCertificate | SystemId, AccountId | +| `CyberArk-CentralCredentialProvider` | AppId, Host, Site | Safe, Folder, Object | +| `CyberArk-SdkCredentialProvider` | AppId | Safe, Folder, Object | +| `Delinea-SecretServer` | Host, Username, Password, ClientId, ClientSecret, GrantType | SecretId, SecretFieldName | +| `GCP-SecretManager` | projectId | secretId | +| `Hashicorp-Vault` | Host, Token, Path | Secret, Key | + ## References - [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md) 
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/imperva.md b/docs/use-cases/Certificate Store Operations/Store Types/imperva.md index d857d0e2..91f0f269 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/imperva.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/imperva.md @@ -85,7 +85,19 @@ This store type does not define additional `Properties.*` CSV columns. ## Secret And PAM Formatting -The store password uses the `Password` column. For a PAM-backed store password, use `Password.Provider` and `Password.Parameters.` columns. +The store password uses the `Password` column. For a PAM-backed store password, use `Password.Provider` and `Password.Parameters.` columns. The `Parameters.*` columns must match the instance-level parameters for the configured PAM provider type. + +| PAM type | Provider-level parameters | Store CSV instance parameters | +| --- | --- | --- | +| `1Password-CLI` | Vault, Token | Item, Field | +| `Azure-KeyVault` | KeyVaultUri, AuthorityHost | SecretId | +| `Azure-KeyVault-ServicePrincipal` | KeyVaultUri, AuthorityHost, TenantId, ClientId, ClientSecret | SecretId | +| `BeyondTrust-PasswordSafe` | Host, APIKey, Username, ClientCertificate | SystemId, AccountId | +| `CyberArk-CentralCredentialProvider` | AppId, Host, Site | Safe, Folder, Object | +| `CyberArk-SdkCredentialProvider` | AppId | Safe, Folder, Object | +| `Delinea-SecretServer` | Host, Username, Password, ClientId, ClientSecret, GrantType | SecretId, SecretFieldName | +| `GCP-SecretManager` | projectId | secretId | +| `Hashicorp-Vault` | Host, Token, Path | Secret, Key | ## References diff --git a/docs/use-cases/Certificate Store Operations/Store Types/k8scert.md b/docs/use-cases/Certificate Store Operations/Store Types/k8scert.md index 17ff896e..6aae8fba 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/k8scert.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/k8scert.md 
@@ -94,13 +94,27 @@ Properties.ServerUsername Properties.ServerPassword ``` -PAM-backed property secrets use provider and parameter columns: +PAM-backed property secrets use a provider column and provider-type-specific parameter columns. `Provider` identifies the configured PAM provider. `Parameters.*` must match the instance-level parameters for that provider type. ```csv Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters. Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters. ``` +Use the PAM parameter names in the table below, or check the provider type in Command if your environment uses custom PAM types. + +| PAM type | Provider-level parameters | Store CSV instance parameters | +| --- | --- | --- | +| `1Password-CLI` | Vault, Token | Item, Field | +| `Azure-KeyVault` | KeyVaultUri, AuthorityHost | SecretId | +| `Azure-KeyVault-ServicePrincipal` | KeyVaultUri, AuthorityHost, TenantId, ClientId, ClientSecret | SecretId | +| `BeyondTrust-PasswordSafe` | Host, APIKey, Username, ClientCertificate | SystemId, AccountId | +| `CyberArk-CentralCredentialProvider` | AppId, Host, Site | Safe, Folder, Object | +| `CyberArk-SdkCredentialProvider` | AppId | Safe, Folder, Object | +| `Delinea-SecretServer` | Host, Username, Password, ClientId, ClientSecret, GrantType | SecretId, SecretFieldName | +| `GCP-SecretManager` | projectId | secretId | +| `Hashicorp-Vault` | Host, Token, Path | Secret, Key | + ## References - [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md) diff --git a/docs/use-cases/Certificate Store Operations/Store Types/k8scluster.md b/docs/use-cases/Certificate Store Operations/Store Types/k8scluster.md index 03659699..1e7da80b 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/k8scluster.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/k8scluster.md 
@@ -95,13 +95,27 @@ Properties.ServerUsername Properties.ServerPassword ``` -PAM-backed property secrets use provider and parameter columns: +PAM-backed property secrets use a provider column and provider-type-specific parameter columns. `Provider` identifies the configured PAM provider. `Parameters.*` must match the instance-level parameters for that provider type. ```csv Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters. Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters. ``` +Use the PAM parameter names in the table below, or check the provider type in Command if your environment uses custom PAM types. + +| PAM type | Provider-level parameters | Store CSV instance parameters | +| --- | --- | --- | +| `1Password-CLI` | Vault, Token | Item, Field | +| `Azure-KeyVault` | KeyVaultUri, AuthorityHost | SecretId | +| `Azure-KeyVault-ServicePrincipal` | KeyVaultUri, AuthorityHost, TenantId, ClientId, ClientSecret | SecretId | +| `BeyondTrust-PasswordSafe` | Host, APIKey, Username, ClientCertificate | SystemId, AccountId | +| `CyberArk-CentralCredentialProvider` | AppId, Host, Site | Safe, Folder, Object | +| `CyberArk-SdkCredentialProvider` | AppId | Safe, Folder, Object | +| `Delinea-SecretServer` | Host, Username, Password, ClientId, ClientSecret, GrantType | SecretId, SecretFieldName | +| `GCP-SecretManager` | projectId | secretId | +| `Hashicorp-Vault` | Host, Token, Path | Secret, Key | + ## References - [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md) diff --git a/docs/use-cases/Certificate Store Operations/Store Types/k8sjks.md b/docs/use-cases/Certificate Store Operations/Store Types/k8sjks.md index c6a08601..61d438a7 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/k8sjks.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/k8sjks.md 
@@ -101,13 +101,27 @@ Properties.ServerUsername Properties.ServerPassword ``` -PAM-backed property secrets use provider and parameter columns: +PAM-backed property secrets use a provider column and provider-type-specific parameter columns. `Provider` identifies the configured PAM provider. `Parameters.*` must match the instance-level parameters for that provider type. ```csv Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters. Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters. ``` +Use the PAM parameter names in the table below, or check the provider type in Command if your environment uses custom PAM types. + +| PAM type | Provider-level parameters | Store CSV instance parameters | +| --- | --- | --- | +| `1Password-CLI` | Vault, Token | Item, Field | +| `Azure-KeyVault` | KeyVaultUri, AuthorityHost | SecretId | +| `Azure-KeyVault-ServicePrincipal` | KeyVaultUri, AuthorityHost, TenantId, ClientId, ClientSecret | SecretId | +| `BeyondTrust-PasswordSafe` | Host, APIKey, Username, ClientCertificate | SystemId, AccountId | +| `CyberArk-CentralCredentialProvider` | AppId, Host, Site | Safe, Folder, Object | +| `CyberArk-SdkCredentialProvider` | AppId | Safe, Folder, Object | +| `Delinea-SecretServer` | Host, Username, Password, ClientId, ClientSecret, GrantType | SecretId, SecretFieldName | +| `GCP-SecretManager` | projectId | secretId | +| `Hashicorp-Vault` | Host, Token, Path | Secret, Key | + ## References - [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md) diff --git a/docs/use-cases/Certificate Store Operations/Store Types/k8sns.md b/docs/use-cases/Certificate Store Operations/Store Types/k8sns.md index e0b1a3de..42a4fd73 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/k8sns.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/k8sns.md 
@@ -96,13 +96,27 @@ Properties.ServerUsername Properties.ServerPassword ``` -PAM-backed property secrets use provider and parameter columns: +PAM-backed property secrets use a provider column and provider-type-specific parameter columns. `Provider` identifies the configured PAM provider. `Parameters.*` must match the instance-level parameters for that provider type. ```csv Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters. Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters. ``` +Use the PAM parameter names in the table below, or check the provider type in Command if your environment uses custom PAM types. + +| PAM type | Provider-level parameters | Store CSV instance parameters | +| --- | --- | --- | +| `1Password-CLI` | Vault, Token | Item, Field | +| `Azure-KeyVault` | KeyVaultUri, AuthorityHost | SecretId | +| `Azure-KeyVault-ServicePrincipal` | KeyVaultUri, AuthorityHost, TenantId, ClientId, ClientSecret | SecretId | +| `BeyondTrust-PasswordSafe` | Host, APIKey, Username, ClientCertificate | SystemId, AccountId | +| `CyberArk-CentralCredentialProvider` | AppId, Host, Site | Safe, Folder, Object | +| `CyberArk-SdkCredentialProvider` | AppId | Safe, Folder, Object | +| `Delinea-SecretServer` | Host, Username, Password, ClientId, ClientSecret, GrantType | SecretId, SecretFieldName | +| `GCP-SecretManager` | projectId | secretId | +| `Hashicorp-Vault` | Host, Token, Path | Secret, Key | + ## References - [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md) diff --git a/docs/use-cases/Certificate Store Operations/Store Types/k8spkcs12.md b/docs/use-cases/Certificate Store Operations/Store Types/k8spkcs12.md index 544a7d53..6032ccef 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/k8spkcs12.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/k8spkcs12.md 
@@ -101,13 +101,27 @@ Properties.ServerUsername Properties.ServerPassword ``` -PAM-backed property secrets use provider and parameter columns: +PAM-backed property secrets use a provider column and provider-type-specific parameter columns. `Provider` identifies the configured PAM provider. `Parameters.*` must match the instance-level parameters for that provider type. ```csv Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters. Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters. ``` +Use the PAM parameter names in the table below, or check the provider type in Command if your environment uses custom PAM types. + +| PAM type | Provider-level parameters | Store CSV instance parameters | +| --- | --- | --- | +| `1Password-CLI` | Vault, Token | Item, Field | +| `Azure-KeyVault` | KeyVaultUri, AuthorityHost | SecretId | +| `Azure-KeyVault-ServicePrincipal` | KeyVaultUri, AuthorityHost, TenantId, ClientId, ClientSecret | SecretId | +| `BeyondTrust-PasswordSafe` | Host, APIKey, Username, ClientCertificate | SystemId, AccountId | +| `CyberArk-CentralCredentialProvider` | AppId, Host, Site | Safe, Folder, Object | +| `CyberArk-SdkCredentialProvider` | AppId | Safe, Folder, Object | +| `Delinea-SecretServer` | Host, Username, Password, ClientId, ClientSecret, GrantType | SecretId, SecretFieldName | +| `GCP-SecretManager` | projectId | secretId | +| `Hashicorp-Vault` | Host, Token, Path | Secret, Key | + ## References - [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md) diff --git a/docs/use-cases/Certificate Store Operations/Store Types/k8ssecret.md b/docs/use-cases/Certificate Store Operations/Store Types/k8ssecret.md index 8b95a808..10d7820b 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/k8ssecret.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/k8ssecret.md 
@@ -98,13 +98,27 @@ Properties.ServerUsername Properties.ServerPassword ``` -PAM-backed property secrets use provider and parameter columns: +PAM-backed property secrets use a provider column and provider-type-specific parameter columns. `Provider` identifies the configured PAM provider. `Parameters.*` must match the instance-level parameters for that provider type. ```csv Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters. Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters. ``` +Use the PAM parameter names in the table below, or check the provider type in Command if your environment uses custom PAM types. + +| PAM type | Provider-level parameters | Store CSV instance parameters | +| --- | --- | --- | +| `1Password-CLI` | Vault, Token | Item, Field | +| `Azure-KeyVault` | KeyVaultUri, AuthorityHost | SecretId | +| `Azure-KeyVault-ServicePrincipal` | KeyVaultUri, AuthorityHost, TenantId, ClientId, ClientSecret | SecretId | +| `BeyondTrust-PasswordSafe` | Host, APIKey, Username, ClientCertificate | SystemId, AccountId | +| `CyberArk-CentralCredentialProvider` | AppId, Host, Site | Safe, Folder, Object | +| `CyberArk-SdkCredentialProvider` | AppId | Safe, Folder, Object | +| `Delinea-SecretServer` | Host, Username, Password, ClientId, ClientSecret, GrantType | SecretId, SecretFieldName | +| `GCP-SecretManager` | projectId | secretId | +| `Hashicorp-Vault` | Host, Token, Path | Secret, Key | + ## References - [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md) diff --git a/docs/use-cases/Certificate Store Operations/Store Types/k8stlssecr.md b/docs/use-cases/Certificate Store Operations/Store Types/k8stlssecr.md index cba16fd4..b4f9d774 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/k8stlssecr.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/k8stlssecr.md 
@@ -98,13 +98,27 @@ Properties.ServerUsername Properties.ServerPassword ``` -PAM-backed property secrets use provider and parameter columns: +PAM-backed property secrets use a provider column and provider-type-specific parameter columns. `Provider` identifies the configured PAM provider. `Parameters.*` must match the instance-level parameters for that provider type. ```csv Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters. Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters. ``` +Use the PAM parameter names in the table below, or check the provider type in Command if your environment uses custom PAM types. + +| PAM type | Provider-level parameters | Store CSV instance parameters | +| --- | --- | --- | +| `1Password-CLI` | Vault, Token | Item, Field | +| `Azure-KeyVault` | KeyVaultUri, AuthorityHost | SecretId | +| `Azure-KeyVault-ServicePrincipal` | KeyVaultUri, AuthorityHost, TenantId, ClientId, ClientSecret | SecretId | +| `BeyondTrust-PasswordSafe` | Host, APIKey, Username, ClientCertificate | SystemId, AccountId | +| `CyberArk-CentralCredentialProvider` | AppId, Host, Site | Safe, Folder, Object | +| `CyberArk-SdkCredentialProvider` | AppId | Safe, Folder, Object | +| `Delinea-SecretServer` | Host, Username, Password, ClientId, ClientSecret, GrantType | SecretId, SecretFieldName | +| `GCP-SecretManager` | projectId | secretId | +| `Hashicorp-Vault` | Host, Token, Path | Secret, Key | + ## References - [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md) diff --git a/docs/use-cases/Certificate Store Operations/Store Types/kemp.md b/docs/use-cases/Certificate Store Operations/Store Types/kemp.md index 861b8981..b1204b3a 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/kemp.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/kemp.md 
@@ -96,13 +96,27 @@ Properties.ServerUsername Properties.ServerPassword ``` -PAM-backed property secrets use provider and parameter columns: +PAM-backed property secrets use a provider column and provider-type-specific parameter columns. `Provider` identifies the configured PAM provider. `Parameters.*` must match the instance-level parameters for that provider type. ```csv Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters. Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters. ``` +Use the PAM parameter names in the table below, or check the provider type in Command if your environment uses custom PAM types. + +| PAM type | Provider-level parameters | Store CSV instance parameters | +| --- | --- | --- | +| `1Password-CLI` | Vault, Token | Item, Field | +| `Azure-KeyVault` | KeyVaultUri, AuthorityHost | SecretId | +| `Azure-KeyVault-ServicePrincipal` | KeyVaultUri, AuthorityHost, TenantId, ClientId, ClientSecret | SecretId | +| `BeyondTrust-PasswordSafe` | Host, APIKey, Username, ClientCertificate | SystemId, AccountId | +| `CyberArk-CentralCredentialProvider` | AppId, Host, Site | Safe, Folder, Object | +| `CyberArk-SdkCredentialProvider` | AppId | Safe, Folder, Object | +| `Delinea-SecretServer` | Host, Username, Password, ClientId, ClientSecret, GrantType | SecretId, SecretFieldName | +| `GCP-SecretManager` | projectId | secretId | +| `Hashicorp-Vault` | Host, Token, Path | Secret, Key | + ## References - [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md) diff --git a/docs/use-cases/Certificate Store Operations/Store Types/paloalto.md b/docs/use-cases/Certificate Store Operations/Store Types/paloalto.md index 46f2690c..28bf6e35 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/paloalto.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/paloalto.md 
@@ -99,13 +99,27 @@ Properties.ServerUsername Properties.ServerPassword ``` -PAM-backed property secrets use provider and parameter columns: +PAM-backed property secrets use a provider column and provider-type-specific parameter columns. `Provider` identifies the configured PAM provider. `Parameters.*` must match the instance-level parameters for that provider type. ```csv Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters. Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters. ``` +Use the PAM parameter names in the table below, or check the provider type in Command if your environment uses custom PAM types. + +| PAM type | Provider-level parameters | Store CSV instance parameters | +| --- | --- | --- | +| `1Password-CLI` | Vault, Token | Item, Field | +| `Azure-KeyVault` | KeyVaultUri, AuthorityHost | SecretId | +| `Azure-KeyVault-ServicePrincipal` | KeyVaultUri, AuthorityHost, TenantId, ClientId, ClientSecret | SecretId | +| `BeyondTrust-PasswordSafe` | Host, APIKey, Username, ClientCertificate | SystemId, AccountId | +| `CyberArk-CentralCredentialProvider` | AppId, Host, Site | Safe, Folder, Object | +| `CyberArk-SdkCredentialProvider` | AppId | Safe, Folder, Object | +| `Delinea-SecretServer` | Host, Username, Password, ClientId, ClientSecret, GrantType | SecretId, SecretFieldName | +| `GCP-SecretManager` | projectId | secretId | +| `Hashicorp-Vault` | Host, Token, Path | Secret, Key | + ## References - [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md) diff --git a/docs/use-cases/Certificate Store Operations/Store Types/rfder.md b/docs/use-cases/Certificate Store Operations/Store Types/rfder.md index f2ee6226..f54bafe8 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/rfder.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/rfder.md 
@@ -103,14 +103,28 @@ Properties.ServerUsername Properties.ServerPassword ``` -PAM-backed property secrets use provider and parameter columns: +PAM-backed property secrets use a provider column and provider-type-specific parameter columns. `Provider` identifies the configured PAM provider. `Parameters.*` must match the instance-level parameters for that provider type. ```csv Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters. Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters. ``` -The store password uses the `Password` column. For a PAM-backed store password, use `Password.Provider` and `Password.Parameters.` columns. +Use the PAM parameter names in the table below, or check the provider type in Command if your environment uses custom PAM types. + +The store password uses the `Password` column. For a PAM-backed store password, use `Password.Provider` and `Password.Parameters.` columns. The `Parameters.*` columns must match the instance-level parameters for the configured PAM provider type. + +| PAM type | Provider-level parameters | Store CSV instance parameters | +| --- | --- | --- | +| `1Password-CLI` | Vault, Token | Item, Field | +| `Azure-KeyVault` | KeyVaultUri, AuthorityHost | SecretId | +| `Azure-KeyVault-ServicePrincipal` | KeyVaultUri, AuthorityHost, TenantId, ClientId, ClientSecret | SecretId | +| `BeyondTrust-PasswordSafe` | Host, APIKey, Username, ClientCertificate | SystemId, AccountId | +| `CyberArk-CentralCredentialProvider` | AppId, Host, Site | Safe, Folder, Object | +| `CyberArk-SdkCredentialProvider` | AppId | Safe, Folder, Object | +| `Delinea-SecretServer` | Host, Username, Password, ClientId, ClientSecret, GrantType | SecretId, SecretFieldName | +| `GCP-SecretManager` | projectId | secretId | +| `Hashicorp-Vault` | Host, Token, Path | Secret, Key | ## References 
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/rfjks.md b/docs/use-cases/Certificate Store Operations/Store Types/rfjks.md index 4711682d..e7f2bd97 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/rfjks.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/rfjks.md 
@@ -103,14 +103,28 @@ Properties.ServerUsername
 Properties.ServerPassword
 ```
 
-PAM-backed property secrets use provider and parameter columns:
+PAM-backed property secrets use a provider column and provider-type-specific parameter columns. `Provider` identifies the configured PAM provider. `Parameters.*` must match the instance-level parameters for that provider type.
 
 ```csv
 Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters.
 Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.
 ```
 
-The store password uses the `Password` column. For a PAM-backed store password, use `Password.Provider` and `Password.Parameters.` columns.
+Use the PAM parameter names in the table below, or check the provider type in Command if your environment uses custom PAM types.
+
+The store password uses the `Password` column. For a PAM-backed store password, use `Password.Provider` and `Password.Parameters.` columns. The `Parameters.*` columns must match the instance-level parameters for the configured PAM provider type.
+
+| PAM type | Provider-level parameters | Store CSV instance parameters |
+| --- | --- | --- |
+| `1Password-CLI` | Vault, Token | Item, Field |
+| `Azure-KeyVault` | KeyVaultUri, AuthorityHost | SecretId |
+| `Azure-KeyVault-ServicePrincipal` | KeyVaultUri, AuthorityHost, TenantId, ClientId, ClientSecret | SecretId |
+| `BeyondTrust-PasswordSafe` | Host, APIKey, Username, ClientCertificate | SystemId, AccountId |
+| `CyberArk-CentralCredentialProvider` | AppId, Host, Site | Safe, Folder, Object |
+| `CyberArk-SdkCredentialProvider` | AppId | Safe, Folder, Object |
+| `Delinea-SecretServer` | Host, Username, Password, ClientId, ClientSecret, GrantType | SecretId, SecretFieldName |
+| `GCP-SecretManager` | projectId | secretId |
+| `Hashicorp-Vault` | Host, Token, Path | Secret, Key |
 
 ## References
 
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/rfkdb.md b/docs/use-cases/Certificate Store Operations/Store Types/rfkdb.md
index 8b8e5ccd..baf581a9 100644
--- a/docs/use-cases/Certificate Store Operations/Store Types/rfkdb.md
+++ b/docs/use-cases/Certificate Store Operations/Store Types/rfkdb.md
@@ -102,14 +102,28 @@ Properties.ServerUsername
 Properties.ServerPassword
 ```
 
-PAM-backed property secrets use provider and parameter columns:
+PAM-backed property secrets use a provider column and provider-type-specific parameter columns. `Provider` identifies the configured PAM provider. `Parameters.*` must match the instance-level parameters for that provider type.
 
 ```csv
 Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters.
 Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.
 ```
 
-The store password uses the `Password` column. For a PAM-backed store password, use `Password.Provider` and `Password.Parameters.` columns.
+Use the PAM parameter names in the table below, or check the provider type in Command if your environment uses custom PAM types.
+
+The store password uses the `Password` column. For a PAM-backed store password, use `Password.Provider` and `Password.Parameters.` columns. The `Parameters.*` columns must match the instance-level parameters for the configured PAM provider type.
+
+| PAM type | Provider-level parameters | Store CSV instance parameters |
+| --- | --- | --- |
+| `1Password-CLI` | Vault, Token | Item, Field |
+| `Azure-KeyVault` | KeyVaultUri, AuthorityHost | SecretId |
+| `Azure-KeyVault-ServicePrincipal` | KeyVaultUri, AuthorityHost, TenantId, ClientId, ClientSecret | SecretId |
+| `BeyondTrust-PasswordSafe` | Host, APIKey, Username, ClientCertificate | SystemId, AccountId |
+| `CyberArk-CentralCredentialProvider` | AppId, Host, Site | Safe, Folder, Object |
+| `CyberArk-SdkCredentialProvider` | AppId | Safe, Folder, Object |
+| `Delinea-SecretServer` | Host, Username, Password, ClientId, ClientSecret, GrantType | SecretId, SecretFieldName |
+| `GCP-SecretManager` | projectId | secretId |
+| `Hashicorp-Vault` | Host, Token, Path | Secret, Key |
 
 ## References
 
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/rfora.md b/docs/use-cases/Certificate Store Operations/Store Types/rfora.md
index d345a44a..e3c865b8 100644
--- a/docs/use-cases/Certificate Store Operations/Store Types/rfora.md
+++ b/docs/use-cases/Certificate Store Operations/Store Types/rfora.md
@@ -103,14 +103,28 @@ Properties.ServerUsername
 Properties.ServerPassword
 ```
 
-PAM-backed property secrets use provider and parameter columns:
+PAM-backed property secrets use a provider column and provider-type-specific parameter columns. `Provider` identifies the configured PAM provider. `Parameters.*` must match the instance-level parameters for that provider type.
 
 ```csv
 Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters.
 Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.
 ```
 
-The store password uses the `Password` column. For a PAM-backed store password, use `Password.Provider` and `Password.Parameters.` columns.
+Use the PAM parameter names in the table below, or check the provider type in Command if your environment uses custom PAM types.
+
+The store password uses the `Password` column. For a PAM-backed store password, use `Password.Provider` and `Password.Parameters.` columns. The `Parameters.*` columns must match the instance-level parameters for the configured PAM provider type.
+
+| PAM type | Provider-level parameters | Store CSV instance parameters |
+| --- | --- | --- |
+| `1Password-CLI` | Vault, Token | Item, Field |
+| `Azure-KeyVault` | KeyVaultUri, AuthorityHost | SecretId |
+| `Azure-KeyVault-ServicePrincipal` | KeyVaultUri, AuthorityHost, TenantId, ClientId, ClientSecret | SecretId |
+| `BeyondTrust-PasswordSafe` | Host, APIKey, Username, ClientCertificate | SystemId, AccountId |
+| `CyberArk-CentralCredentialProvider` | AppId, Host, Site | Safe, Folder, Object |
+| `CyberArk-SdkCredentialProvider` | AppId | Safe, Folder, Object |
+| `Delinea-SecretServer` | Host, Username, Password, ClientId, ClientSecret, GrantType | SecretId, SecretFieldName |
+| `GCP-SecretManager` | projectId | secretId |
+| `Hashicorp-Vault` | Host, Token, Path | Secret, Key |
 
 ## References
 
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/rfpem.md b/docs/use-cases/Certificate Store Operations/Store Types/rfpem.md
index bc978cb9..6142a3fb 100644
--- a/docs/use-cases/Certificate Store Operations/Store Types/rfpem.md
+++ b/docs/use-cases/Certificate Store Operations/Store Types/rfpem.md
@@ -107,14 +107,28 @@ Properties.ServerUsername
 Properties.ServerPassword
 ```
 
-PAM-backed property secrets use provider and parameter columns:
+PAM-backed property secrets use a provider column and provider-type-specific parameter columns. `Provider` identifies the configured PAM provider. `Parameters.*` must match the instance-level parameters for that provider type.
 
 ```csv
 Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters.
 Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.
 ```
 
-The store password uses the `Password` column. For a PAM-backed store password, use `Password.Provider` and `Password.Parameters.` columns.
+Use the PAM parameter names in the table below, or check the provider type in Command if your environment uses custom PAM types.
+
+The store password uses the `Password` column. For a PAM-backed store password, use `Password.Provider` and `Password.Parameters.` columns. The `Parameters.*` columns must match the instance-level parameters for the configured PAM provider type.
+
+| PAM type | Provider-level parameters | Store CSV instance parameters |
+| --- | --- | --- |
+| `1Password-CLI` | Vault, Token | Item, Field |
+| `Azure-KeyVault` | KeyVaultUri, AuthorityHost | SecretId |
+| `Azure-KeyVault-ServicePrincipal` | KeyVaultUri, AuthorityHost, TenantId, ClientId, ClientSecret | SecretId |
+| `BeyondTrust-PasswordSafe` | Host, APIKey, Username, ClientCertificate | SystemId, AccountId |
+| `CyberArk-CentralCredentialProvider` | AppId, Host, Site | Safe, Folder, Object |
+| `CyberArk-SdkCredentialProvider` | AppId | Safe, Folder, Object |
+| `Delinea-SecretServer` | Host, Username, Password, ClientId, ClientSecret, GrantType | SecretId, SecretFieldName |
+| `GCP-SecretManager` | projectId | secretId |
+| `Hashicorp-Vault` | Host, Token, Path | Secret, Key |
 
 ## References
 
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/rfpkcs12.md b/docs/use-cases/Certificate Store Operations/Store Types/rfpkcs12.md
index cdf5a535..1cd2c010 100644
--- a/docs/use-cases/Certificate Store Operations/Store Types/rfpkcs12.md
+++ b/docs/use-cases/Certificate Store Operations/Store Types/rfpkcs12.md
@@ -102,14 +102,28 @@ Properties.ServerUsername
 Properties.ServerPassword
 ```
 
-PAM-backed property secrets use provider and parameter columns:
+PAM-backed property secrets use a provider column and provider-type-specific parameter columns. `Provider` identifies the configured PAM provider. `Parameters.*` must match the instance-level parameters for that provider type.
 
 ```csv
 Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters.
 Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.
 ```
 
-The store password uses the `Password` column. For a PAM-backed store password, use `Password.Provider` and `Password.Parameters.` columns.
+Use the PAM parameter names in the table below, or check the provider type in Command if your environment uses custom PAM types.
+
+The store password uses the `Password` column. For a PAM-backed store password, use `Password.Provider` and `Password.Parameters.` columns. The `Parameters.*` columns must match the instance-level parameters for the configured PAM provider type.
+
+| PAM type | Provider-level parameters | Store CSV instance parameters |
+| --- | --- | --- |
+| `1Password-CLI` | Vault, Token | Item, Field |
+| `Azure-KeyVault` | KeyVaultUri, AuthorityHost | SecretId |
+| `Azure-KeyVault-ServicePrincipal` | KeyVaultUri, AuthorityHost, TenantId, ClientId, ClientSecret | SecretId |
+| `BeyondTrust-PasswordSafe` | Host, APIKey, Username, ClientCertificate | SystemId, AccountId |
+| `CyberArk-CentralCredentialProvider` | AppId, Host, Site | Safe, Folder, Object |
+| `CyberArk-SdkCredentialProvider` | AppId | Safe, Folder, Object |
+| `Delinea-SecretServer` | Host, Username, Password, ClientId, ClientSecret, GrantType | SecretId, SecretFieldName |
+| `GCP-SecretManager` | projectId | secretId |
+| `Hashicorp-Vault` | Host, Token, Path | Secret, Key |
 
 ## References
 
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/signum.md b/docs/use-cases/Certificate Store Operations/Store Types/signum.md
index 0c0c921e..413748ca 100644
--- a/docs/use-cases/Certificate Store Operations/Store Types/signum.md
+++ b/docs/use-cases/Certificate Store Operations/Store Types/signum.md
@@ -95,13 +95,27 @@ Properties.ServerUsername
 Properties.ServerPassword
 ```
 
-PAM-backed property secrets use provider and parameter columns:
+PAM-backed property secrets use a provider column and provider-type-specific parameter columns. `Provider` identifies the configured PAM provider. `Parameters.*` must match the instance-level parameters for that provider type.
 
 ```csv
 Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters.
 Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.
 ```
 
+Use the PAM parameter names in the table below, or check the provider type in Command if your environment uses custom PAM types.
+
+| PAM type | Provider-level parameters | Store CSV instance parameters |
+| --- | --- | --- |
+| `1Password-CLI` | Vault, Token | Item, Field |
+| `Azure-KeyVault` | KeyVaultUri, AuthorityHost | SecretId |
+| `Azure-KeyVault-ServicePrincipal` | KeyVaultUri, AuthorityHost, TenantId, ClientId, ClientSecret | SecretId |
+| `BeyondTrust-PasswordSafe` | Host, APIKey, Username, ClientCertificate | SystemId, AccountId |
+| `CyberArk-CentralCredentialProvider` | AppId, Host, Site | Safe, Folder, Object |
+| `CyberArk-SdkCredentialProvider` | AppId | Safe, Folder, Object |
+| `Delinea-SecretServer` | Host, Username, Password, ClientId, ClientSecret, GrantType | SecretId, SecretFieldName |
+| `GCP-SecretManager` | projectId | secretId |
+| `Hashicorp-Vault` | Host, Token, Path | Secret, Key |
+
 ## References
 
 - [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md)
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/sos.md b/docs/use-cases/Certificate Store Operations/Store Types/sos.md
index 9150bd6c..56949481 100644
--- a/docs/use-cases/Certificate Store Operations/Store Types/sos.md
+++ b/docs/use-cases/Certificate Store Operations/Store Types/sos.md
@@ -107,12 +107,26 @@ Direct secret values go in the base property column. If the secret value is JSON
 Properties.PrivateDetailsSecret
 ```
 
-PAM-backed property secrets use provider and parameter columns:
+PAM-backed property secrets use a provider column and provider-type-specific parameter columns. `Provider` identifies the configured PAM provider. `Parameters.*` must match the instance-level parameters for that provider type.
 
 ```csv
 Properties.PrivateDetailsSecret.Provider,Properties.PrivateDetailsSecret.Parameters.
 ```
 
+Use the PAM parameter names in the table below, or check the provider type in Command if your environment uses custom PAM types.
+
+| PAM type | Provider-level parameters | Store CSV instance parameters |
+| --- | --- | --- |
+| `1Password-CLI` | Vault, Token | Item, Field |
+| `Azure-KeyVault` | KeyVaultUri, AuthorityHost | SecretId |
+| `Azure-KeyVault-ServicePrincipal` | KeyVaultUri, AuthorityHost, TenantId, ClientId, ClientSecret | SecretId |
+| `BeyondTrust-PasswordSafe` | Host, APIKey, Username, ClientCertificate | SystemId, AccountId |
+| `CyberArk-CentralCredentialProvider` | AppId, Host, Site | Safe, Folder, Object |
+| `CyberArk-SdkCredentialProvider` | AppId | Safe, Folder, Object |
+| `Delinea-SecretServer` | Host, Username, Password, ClientId, ClientSecret, GrantType | SecretId, SecretFieldName |
+| `GCP-SecretManager` | projectId | secretId |
+| `Hashicorp-Vault` | Host, Token, Path | Secret, Key |
+
 ## References
 
 - [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md)
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/thundermgmt.md b/docs/use-cases/Certificate Store Operations/Store Types/thundermgmt.md
index 2bb5b496..ffc22f71 100644
--- a/docs/use-cases/Certificate Store Operations/Store Types/thundermgmt.md
+++ b/docs/use-cases/Certificate Store Operations/Store Types/thundermgmt.md
@@ -99,13 +99,27 @@ Properties.ScpUserName
 Properties.ScpPassword
 ```
 
-PAM-backed property secrets use provider and parameter columns:
+PAM-backed property secrets use a provider column and provider-type-specific parameter columns. `Provider` identifies the configured PAM provider. `Parameters.*` must match the instance-level parameters for that provider type.
 
 ```csv
 Properties.ScpUserName.Provider,Properties.ScpUserName.Parameters.
 Properties.ScpPassword.Provider,Properties.ScpPassword.Parameters.
 ```
 
+Use the PAM parameter names in the table below, or check the provider type in Command if your environment uses custom PAM types.
+
+| PAM type | Provider-level parameters | Store CSV instance parameters |
+| --- | --- | --- |
+| `1Password-CLI` | Vault, Token | Item, Field |
+| `Azure-KeyVault` | KeyVaultUri, AuthorityHost | SecretId |
+| `Azure-KeyVault-ServicePrincipal` | KeyVaultUri, AuthorityHost, TenantId, ClientId, ClientSecret | SecretId |
+| `BeyondTrust-PasswordSafe` | Host, APIKey, Username, ClientCertificate | SystemId, AccountId |
+| `CyberArk-CentralCredentialProvider` | AppId, Host, Site | Safe, Folder, Object |
+| `CyberArk-SdkCredentialProvider` | AppId | Safe, Folder, Object |
+| `Delinea-SecretServer` | Host, Username, Password, ClientId, ClientSecret, GrantType | SecretId, SecretFieldName |
+| `GCP-SecretManager` | projectId | secretId |
+| `Hashicorp-Vault` | Host, Token, Path | Secret, Key |
+
 ## References
 
 - [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md)
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/vcenter.md b/docs/use-cases/Certificate Store Operations/Store Types/vcenter.md
index c2f12475..dd6ae968 100644
--- a/docs/use-cases/Certificate Store Operations/Store Types/vcenter.md
+++ b/docs/use-cases/Certificate Store Operations/Store Types/vcenter.md
@@ -95,13 +95,27 @@ Properties.ServerUsername
 Properties.ServerPassword
 ```
 
-PAM-backed property secrets use provider and parameter columns:
+PAM-backed property secrets use a provider column and provider-type-specific parameter columns. `Provider` identifies the configured PAM provider. `Parameters.*` must match the instance-level parameters for that provider type.
 
 ```csv
 Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters.
 Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.
 ```
 
+Use the PAM parameter names in the table below, or check the provider type in Command if your environment uses custom PAM types.
+
+| PAM type | Provider-level parameters | Store CSV instance parameters |
+| --- | --- | --- |
+| `1Password-CLI` | Vault, Token | Item, Field |
+| `Azure-KeyVault` | KeyVaultUri, AuthorityHost | SecretId |
+| `Azure-KeyVault-ServicePrincipal` | KeyVaultUri, AuthorityHost, TenantId, ClientId, ClientSecret | SecretId |
+| `BeyondTrust-PasswordSafe` | Host, APIKey, Username, ClientCertificate | SystemId, AccountId |
+| `CyberArk-CentralCredentialProvider` | AppId, Host, Site | Safe, Folder, Object |
+| `CyberArk-SdkCredentialProvider` | AppId | Safe, Folder, Object |
+| `Delinea-SecretServer` | Host, Username, Password, ClientId, ClientSecret, GrantType | SecretId, SecretFieldName |
+| `GCP-SecretManager` | projectId | secretId |
+| `Hashicorp-Vault` | Host, Token, Path | Secret, Key |
+
 ## References
 
 - [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md)
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/vmware-nsx.md b/docs/use-cases/Certificate Store Operations/Store Types/vmware-nsx.md
index bab47908..1a6f54db 100644
--- a/docs/use-cases/Certificate Store Operations/Store Types/vmware-nsx.md
+++ b/docs/use-cases/Certificate Store Operations/Store Types/vmware-nsx.md
@@ -96,13 +96,27 @@ Properties.ServerUsername
 Properties.ServerPassword
 ```
 
-PAM-backed property secrets use provider and parameter columns:
+PAM-backed property secrets use a provider column and provider-type-specific parameter columns. `Provider` identifies the configured PAM provider. `Parameters.*` must match the instance-level parameters for that provider type.
 
 ```csv
 Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters.
 Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.
 ```
 
+Use the PAM parameter names in the table below, or check the provider type in Command if your environment uses custom PAM types.
+
+| PAM type | Provider-level parameters | Store CSV instance parameters |
+| --- | --- | --- |
+| `1Password-CLI` | Vault, Token | Item, Field |
+| `Azure-KeyVault` | KeyVaultUri, AuthorityHost | SecretId |
+| `Azure-KeyVault-ServicePrincipal` | KeyVaultUri, AuthorityHost, TenantId, ClientId, ClientSecret | SecretId |
+| `BeyondTrust-PasswordSafe` | Host, APIKey, Username, ClientCertificate | SystemId, AccountId |
+| `CyberArk-CentralCredentialProvider` | AppId, Host, Site | Safe, Folder, Object |
+| `CyberArk-SdkCredentialProvider` | AppId | Safe, Folder, Object |
+| `Delinea-SecretServer` | Host, Username, Password, ClientId, ClientSecret, GrantType | SecretId, SecretFieldName |
+| `GCP-SecretManager` | projectId | secretId |
+| `Hashicorp-Vault` | Host, Token, Path | Secret, Key |
+
 ## References
 
 - [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md)
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/winadfs.md b/docs/use-cases/Certificate Store Operations/Store Types/winadfs.md
index aff784f4..178e19ce 100644
--- a/docs/use-cases/Certificate Store Operations/Store Types/winadfs.md
+++ b/docs/use-cases/Certificate Store Operations/Store Types/winadfs.md
@@ -107,13 +107,27 @@ Properties.ServerUsername
 Properties.ServerPassword
 ```
 
-PAM-backed property secrets use provider and parameter columns:
+PAM-backed property secrets use a provider column and provider-type-specific parameter columns. `Provider` identifies the configured PAM provider. `Parameters.*` must match the instance-level parameters for that provider type.
 
 ```csv
 Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters.
 Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.
 ```
 
+Use the PAM parameter names in the table below, or check the provider type in Command if your environment uses custom PAM types.
+
+| PAM type | Provider-level parameters | Store CSV instance parameters |
+| --- | --- | --- |
+| `1Password-CLI` | Vault, Token | Item, Field |
+| `Azure-KeyVault` | KeyVaultUri, AuthorityHost | SecretId |
+| `Azure-KeyVault-ServicePrincipal` | KeyVaultUri, AuthorityHost, TenantId, ClientId, ClientSecret | SecretId |
+| `BeyondTrust-PasswordSafe` | Host, APIKey, Username, ClientCertificate | SystemId, AccountId |
+| `CyberArk-CentralCredentialProvider` | AppId, Host, Site | Safe, Folder, Object |
+| `CyberArk-SdkCredentialProvider` | AppId | Safe, Folder, Object |
+| `Delinea-SecretServer` | Host, Username, Password, ClientId, ClientSecret, GrantType | SecretId, SecretFieldName |
+| `GCP-SecretManager` | projectId | secretId |
+| `Hashicorp-Vault` | Host, Token, Path | Secret, Key |
+
 ## References
 
 - [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md)
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/wincert.md b/docs/use-cases/Certificate Store Operations/Store Types/wincert.md
index 7a6b3d86..b171fbd3 100644
--- a/docs/use-cases/Certificate Store Operations/Store Types/wincert.md
+++ b/docs/use-cases/Certificate Store Operations/Store Types/wincert.md
@@ -107,13 +107,27 @@ Properties.ServerUsername
 Properties.ServerPassword
 ```
 
-PAM-backed property secrets use provider and parameter columns:
+PAM-backed property secrets use a provider column and provider-type-specific parameter columns. `Provider` identifies the configured PAM provider. `Parameters.*` must match the instance-level parameters for that provider type.
 
 ```csv
 Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters.
 Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.
 ```
 
+Use the PAM parameter names in the table below, or check the provider type in Command if your environment uses custom PAM types.
+
+| PAM type | Provider-level parameters | Store CSV instance parameters |
+| --- | --- | --- |
+| `1Password-CLI` | Vault, Token | Item, Field |
+| `Azure-KeyVault` | KeyVaultUri, AuthorityHost | SecretId |
+| `Azure-KeyVault-ServicePrincipal` | KeyVaultUri, AuthorityHost, TenantId, ClientId, ClientSecret | SecretId |
+| `BeyondTrust-PasswordSafe` | Host, APIKey, Username, ClientCertificate | SystemId, AccountId |
+| `CyberArk-CentralCredentialProvider` | AppId, Host, Site | Safe, Folder, Object |
+| `CyberArk-SdkCredentialProvider` | AppId | Safe, Folder, Object |
+| `Delinea-SecretServer` | Host, Username, Password, ClientId, ClientSecret, GrantType | SecretId, SecretFieldName |
+| `GCP-SecretManager` | projectId | secretId |
+| `Hashicorp-Vault` | Host, Token, Path | Secret, Key |
+
 ## References
 
 - [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md)
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/winsql.md b/docs/use-cases/Certificate Store Operations/Store Types/winsql.md
index f2438577..9b17f134 100644
--- a/docs/use-cases/Certificate Store Operations/Store Types/winsql.md
+++ b/docs/use-cases/Certificate Store Operations/Store Types/winsql.md
@@ -109,13 +109,27 @@ Properties.ServerUsername
 Properties.ServerPassword
 ```
 
-PAM-backed property secrets use provider and parameter columns:
+PAM-backed property secrets use a provider column and provider-type-specific parameter columns. `Provider` identifies the configured PAM provider. `Parameters.*` must match the instance-level parameters for that provider type.
 
 ```csv
 Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters.
 Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.
 ```
 
+Use the PAM parameter names in the table below, or check the provider type in Command if your environment uses custom PAM types.
+
+| PAM type | Provider-level parameters | Store CSV instance parameters |
+| --- | --- | --- |
+| `1Password-CLI` | Vault, Token | Item, Field |
+| `Azure-KeyVault` | KeyVaultUri, AuthorityHost | SecretId |
+| `Azure-KeyVault-ServicePrincipal` | KeyVaultUri, AuthorityHost, TenantId, ClientId, ClientSecret | SecretId |
+| `BeyondTrust-PasswordSafe` | Host, APIKey, Username, ClientCertificate | SystemId, AccountId |
+| `CyberArk-CentralCredentialProvider` | AppId, Host, Site | Safe, Folder, Object |
+| `CyberArk-SdkCredentialProvider` | AppId | Safe, Folder, Object |
+| `Delinea-SecretServer` | Host, Username, Password, ClientId, ClientSecret, GrantType | SecretId, SecretFieldName |
+| `GCP-SecretManager` | projectId | secretId |
+| `Hashicorp-Vault` | Host, Token, Path | Secret, Key |
+
 ## References
 
 - [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md)
diff --git a/tools/storetypedocs/main.go b/tools/storetypedocs/main.go
index db494faf..bdf9df5b 100644
--- a/tools/storetypedocs/main.go
+++ b/tools/storetypedocs/main.go
@@ -31,6 +31,7 @@ const generatedMarker = ""
 
 var (
 sourcePath = flag.String("source", "cmd/store_types.json", "path to store_types.json")
+pamPath = flag.String("pam-source", "cmd/pam_types.json", "path to pam_types.json")
 outputDir = flag.String("out", "docs/use-cases/Certificate Store Operations/Store Types", "output directory for generated docs")
 )
 
@@ -90,6 +91,19 @@ type storePassword struct {
 IsPAMEligible bool `json:"IsPAMEligible"`
 }
 
+type pamType struct {
+Name string `json:"Name"`
+Parameters []pamParameter `json:"Parameters"`
+}
+
+type pamParameter struct {
+Name string `json:"Name"`
+DisplayName string `json:"DisplayName"`
+Description string `json:"Description"`
+DataType int `json:"DataType"`
+InstanceLevel bool `json:"InstanceLevel"`
+}
+
 func main() {
 flag.Parse()
 
@@ -97,10 +111,17 @@ func main() {
 if err != nil {
 fatal(err)
 }
+pamTypes, err := readPAMTypes(*pamPath)
+if err != nil {
+fatal(err)
+}
 
 sort.Slice(storeTypes, func(i, j int) bool {
 return strings.ToLower(storeTypes[i].ShortName) < strings.ToLower(storeTypes[j].ShortName)
 })
+sort.Slice(pamTypes, func(i, j int) bool {
+return strings.ToLower(pamTypes[i].Name) < strings.ToLower(pamTypes[j].Name)
+})
 
 slugs := uniqueSlugs(storeTypes)
 
@@ -114,13 +135,13 @@ func main() {
 for _, st := range storeTypes {
 fileName := slugs[st.ShortName] + ".md"
 path := filepath.Join(*outputDir, fileName)
-if err := os.WriteFile(path, []byte(renderStoreTypeDoc(st)), 0o644); err != nil {
+if err := os.WriteFile(path, []byte(renderStoreTypeDoc(st, pamTypes)), 0o644); err != nil {
 fatal(fmt.Errorf("write %s: %w", path, err))
 }
 }
 
 indexPath := filepath.Join(*outputDir, "README.md")
-if err := os.WriteFile(indexPath, []byte(renderIndex(storeTypes, slugs)), 0o644); err != nil {
+if err := os.WriteFile(indexPath, []byte(renderIndex(storeTypes, slugs, pamTypes)), 0o644); err != nil {
 fatal(fmt.Errorf("write %s: %w", indexPath, err))
 }
 
@@ -148,6 +169,27 @@ func readStoreTypes(path string) ([]storeType, error) {
 return storeTypes, nil
 }
 
+func readPAMTypes(path string) ([]pamType, error) {
+data, err := os.ReadFile(path)
+if err != nil {
+return nil, fmt.Errorf("read %s: %w", path, err)
+}
+
+var pamTypes []pamType
+if err := json.Unmarshal(data, &pamTypes); err != nil {
+return nil, fmt.Errorf("parse %s: %w", path, err)
+}
+if len(pamTypes) == 0 {
+return nil, fmt.Errorf("%s did not contain any PAM types", path)
+}
+for i := range pamTypes {
+if pamTypes[i].Name == "" {
+return nil, fmt.Errorf("PAM type at index %d is missing Name", i)
+}
+}
+return pamTypes, nil
+}
+
 func removeStaleGeneratedDocs(dir string) error {
 entries, err := os.ReadDir(dir)
 if err != nil {
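Review bot: readPAMTypes rejects only an empty list and a type with an empty Name; a duplicate Name, or a parameter with an empty Name, passes validation and, as far as the hunk shows, would be carried straight into every generated table (a later hunk joins `parameter.Name` values into the cells, so this effect is inferred rather than visible here). The existing loop at the end of the function is the natural place for both checks, and the function should also carry a doc comment such as `// readPAMTypes loads pam_types.json and validates that every PAM type and parameter has a Name, and that type names are unique.` The rewritten loop below keeps the existing index-based error messages.
```go
func readPAMTypes(path string) ([]pamType, error) {
	// … unchanged: read file, json.Unmarshal, empty-list check …
	seen := make(map[string]struct{}, len(pamTypes))
	for i := range pamTypes {
		name := pamTypes[i].Name
		if name == "" {
			return nil, fmt.Errorf("PAM type at index %d is missing Name", i)
		}
		if _, dup := seen[name]; dup {
			return nil, fmt.Errorf("duplicate PAM type %q at index %d", name, i)
		}
		seen[name] = struct{}{}
		for j, p := range pamTypes[i].Parameters {
			if p.Name == "" {
				return nil, fmt.Errorf("PAM type %q parameter at index %d is missing Name", name, j)
			}
		}
	}
	return pamTypes, nil
}
```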
@@ -203,16 +245,17 @@ func slugify(value string) string {
 return strings.Trim(value, "-")
 }
 
-func renderIndex(storeTypes []storeType, slugs map[string]string) string {
+func renderIndex(storeTypes []storeType, slugs map[string]string, pamTypes []pamType) string {
 var b strings.Builder
 b.WriteString(generatedMarker + "\n")
 b.WriteString("# Store Type Bulk Create And Update Guides\n\n")
-b.WriteString("These docs are generated from `cmd/store_types.json` and describe the CSV columns used by `kfutil stores import csv` for each embedded certificate store type.\n\n")
+b.WriteString("These docs are generated from `cmd/store_types.json` and `cmd/pam_types.json` and describe the CSV columns used by `kfutil stores import csv` for each embedded certificate store type.\n\n")
 b.WriteString("Regenerate after store type metadata changes:\n\n")
 b.WriteString("```bash\n")
 b.WriteString("make store-type-docs\n")
 b.WriteString("```\n\n")
 b.WriteString("Use `kfutil stores import generate-template` against a live Command environment when you need a template that reflects deployed customizations.\n\n")
+writePAMTypeIndex(&b, pamTypes)
 b.WriteString("## Store Types\n\n")
 b.WriteString("| Store Type | Name | Store Password | Secret/PAM Columns |\n")
 b.WriteString("| --- | --- | --- | --- |\n")
@@ -234,7 +277,7 @@ func renderIndex(storeTypes []storeType, slugs map[string]string) string {
 return b.String()
 }
 
-func renderStoreTypeDoc(st storeType) string {
+func renderStoreTypeDoc(st storeType, pamTypes []pamType) string {
 var b strings.Builder
 title := st.ShortName
 if st.Name != "" {
@@ -254,7 +297,7 @@ func renderStoreTypeDoc(st storeType) string {
 writeBulkUpdate(&b, st)
 writeProperties(&b, st)
 writeEntryParameters(&b, st)
-writeSecretFormatting(&b, st)
+writeSecretFormatting(&b, st, pamTypes)
 writeReferences(&b)
 
 return b.String()
@@ -360,7 +403,7 @@ func writeEntryParameters(b *strings.Builder, st storeType) {
 b.WriteString("\n")
 }
 
-func writeSecretFormatting(b *strings.Builder, st storeType) {
+func writeSecretFormatting(b *strings.Builder, st storeType, pamTypes []pamType) {
 secretProps := secretProperties(st)
 storePasswordEligible := st.PasswordOptions.StorePassword != nil && st.PasswordOptions.StorePassword.IsPAMEligible
 if len(secretProps) == 0 && !storePasswordEligible {
@@ -375,21 +418,55 @@ func writeSecretFormatting(b *strings.Builder, st storeType) { b.WriteString(fmt.Sprintf("Properties.%s\n", prop.Name)) } b.WriteString("```\n\n") - b.WriteString("PAM-backed property secrets use provider and parameter columns:\n\n") + b.WriteString("PAM-backed property secrets use a provider column and provider-type-specific parameter columns. `Provider` identifies the configured PAM provider. `Parameters.*` must match the instance-level parameters for that provider type.\n\n") b.WriteString("```csv\n") for _, prop := range secretProps { b.WriteString(fmt.Sprintf("Properties.%s.Provider,Properties.%s.Parameters.\n", prop.Name, prop.Name)) } b.WriteString("```\n\n") + b.WriteString("Use the PAM parameter names in the table below, or check the provider type in Command if your environment uses custom PAM types.\n\n") } if st.PasswordOptions.StorePassword != nil { b.WriteString("The store password uses the `Password` column. ") if st.PasswordOptions.StorePassword.IsPAMEligible { - b.WriteString("For a PAM-backed store password, use `Password.Provider` and `Password.Parameters.` columns.\n\n") + b.WriteString("For a PAM-backed store password, use `Password.Provider` and `Password.Parameters.` columns. The `Parameters.*` columns must match the instance-level parameters for the configured PAM provider type.\n\n") } else { b.WriteString("This store type metadata does not mark the store password as PAM eligible.\n\n") } } + writePAMParameterTable(b, pamTypes) +} + +func writePAMTypeIndex(b *strings.Builder, pamTypes []pamType) { + b.WriteString("## PAM Provider Parameter Columns\n\n") + b.WriteString("PAM-backed secret columns vary by PAM provider type. Provider-level parameters are configured on the PAM provider. 
Store CSV rows use the instance-level parameter names with the secret column prefix, for example `Properties.ServerPassword.Parameters.SecretId` or `Password.Parameters.SecretId`.\n\n") + writePAMParameterTable(b, pamTypes) +} + +func writePAMParameterTable(b *strings.Builder, pamTypes []pamType) { + b.WriteString("| PAM type | Provider-level parameters | Store CSV instance parameters |\n") + b.WriteString("| --- | --- | --- |\n") + for _, pamType := range pamTypes { + b.WriteString(fmt.Sprintf("| `%s` | %s | %s |\n", + mdTable(pamType.Name), + mdTable(strings.Join(parameterNames(pamType.Parameters, false), ", ")), + mdTable(strings.Join(parameterNames(pamType.Parameters, true), ", ")), + )) + } + b.WriteString("\n") +} + +func parameterNames(parameters []pamParameter, instanceLevel bool) []string { + var names []string + for _, parameter := range parameters { + if parameter.InstanceLevel == instanceLevel { + names = append(names, parameter.Name) + } + } + if len(names) == 0 { + return []string{"-"} + } + return names } func writeReferences(b *strings.Builder) { From fc8ebee6735f7e2a424e6cbb5c36df8ee7b9f588 Mon Sep 17 00:00:00 2001 
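Review bot: writePAMParameterTable emits the table header and separator row even when pamTypes is empty, which leaves a bodiless table in the index and in every store guide, and the sentence added in writeSecretFormatting (`Use the PAM parameter names in the table below, …`) then points at an empty table; guard the helper with `if len(pamTypes) == 0 {` / `return` / `}` at the top and make that sentence conditional on the same check. Because writeSecretFormatting appends the full table to every store document, any change to the PAM type metadata regenerates all of the guides at once — the diffstat of the following patch in this series shows roughly sixty files touched for one column change — so linking each guide to the README section would keep the per-store guides stable. The provider-level column also lists PAM provider credential parameter names (the generated README shows Token, ClientSecret, Password, APIKey) that certificate store CSV rows must never carry; the following patch drops that column, which addresses that point. The line break inside the string literal in writePAMTypeIndex looks like a rendering artifact rather than a real newline, since Go rejects raw newlines in interpreted strings.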
From: spbsoluble <1661003+spbsoluble@users.noreply.github.com> Date: Fri, 1 May 2026 13:20:43 -0700 Subject: [PATCH 10/17] docs: omit provider-level PAM parameters from store guides --- .../Store Types/README.md | 24 +++++++++---------- .../Store Types/akamai.md | 22 ++++++++--------- .../Store Types/appgwbin.md | 22 ++++++++--------- .../Store Types/aruba.md | 22 ++++++++--------- .../Store Types/aws-acm-v3.md | 22 ++++++++--------- .../Store Types/aws-acm.md | 22 ++++++++--------- .../Store Types/axisipcamera.md | 22 ++++++++--------- .../Store Types/azureapp.md | 22 ++++++++--------- .../Store Types/azureapp2.md | 22 ++++++++--------- .../Store Types/azureappgw.md | 22 ++++++++--------- .../Store Types/azuresp.md | 22 ++++++++--------- .../Store Types/azuresp2.md | 22 ++++++++--------- .../Store Types/bmc.md | 22 ++++++++--------- .../Store Types/boschipcamera.md | 22 ++++++++--------- .../Store Types/ciscoasa.md | 22 ++++++++--------- .../Store Types/citrixadc.md | 22 ++++++++--------- .../Store Types/datapower.md | 22 ++++++++--------- .../Store Types/f5-bigiq.md | 22 ++++++++--------- .../Store Types/f5-ca-rest.md | 22 ++++++++--------- .../Store Types/f5-sl-rest.md | 22 ++++++++--------- .../Store Types/f5-ws-rest.md | 22 ++++++++--------- .../Store Types/f5wafca.md | 22 ++++++++--------- .../Store Types/f5waftls.md | 22 ++++++++--------- .../Store Types/fortigate.md | 22 ++++++++--------- .../Store Types/fortiweb.md | 22 ++++++++--------- .../Store Types/gcpapigee.md | 22 ++++++++--------- .../Store Types/gcploadbal.md | 22 ++++++++--------- .../Store Types/gcpscrtmgr.md | 22 ++++++++--------- .../Store Types/hcvkvjks.md | 22 ++++++++--------- .../Store Types/hcvkvp12.md | 22 ++++++++--------- .../Store Types/hcvkvpem.md | 22 ++++++++--------- .../Store Types/hcvkvpfx.md | 22 ++++++++--------- .../Store Types/hcvpki.md | 22 ++++++++--------- .../Store Types/idrac.md | 22 ++++++++--------- .../Store Types/iisu.md | 22 ++++++++--------- .../Store 
Types/imperva.md | 22 ++++++++--------- .../Store Types/k8scert.md | 22 ++++++++--------- .../Store Types/k8scluster.md | 22 ++++++++--------- .../Store Types/k8sjks.md | 22 ++++++++--------- .../Store Types/k8sns.md | 22 ++++++++--------- .../Store Types/k8spkcs12.md | 22 ++++++++--------- .../Store Types/k8ssecret.md | 22 ++++++++--------- .../Store Types/k8stlssecr.md | 22 ++++++++--------- .../Store Types/kemp.md | 22 ++++++++--------- .../Store Types/paloalto.md | 22 ++++++++--------- .../Store Types/rfder.md | 22 ++++++++--------- .../Store Types/rfjks.md | 22 ++++++++--------- .../Store Types/rfkdb.md | 22 ++++++++--------- .../Store Types/rfora.md | 22 ++++++++--------- .../Store Types/rfpem.md | 22 ++++++++--------- .../Store Types/rfpkcs12.md | 22 ++++++++--------- .../Store Types/signum.md | 22 ++++++++--------- .../Store Types/sos.md | 22 ++++++++--------- .../Store Types/thundermgmt.md | 22 ++++++++--------- .../Store Types/vcenter.md | 22 ++++++++--------- .../Store Types/vmware-nsx.md | 22 ++++++++--------- .../Store Types/winadfs.md | 22 ++++++++--------- .../Store Types/wincert.md | 22 ++++++++--------- .../Store Types/winsql.md | 22 ++++++++--------- tools/storetypedocs/main.go | 15 ++++++------ 60 files changed, 657 insertions(+), 658 deletions(-) diff --git a/docs/use-cases/Certificate Store Operations/Store Types/README.md b/docs/use-cases/Certificate Store Operations/Store Types/README.md index 88f3abd7..4b08f875 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/README.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/README.md 
@@ -13,19 +13,19 @@ Use `kfutil stores import generate-template` against a live Command environment ## PAM Provider Parameter Columns -PAM-backed secret columns vary by PAM provider type. Provider-level parameters are configured on the PAM provider. Store CSV rows use the instance-level parameter names with the secret column prefix, for example `Properties.ServerPassword.Parameters.SecretId` or `Password.Parameters.SecretId`. +PAM-backed secret columns vary by PAM provider type. Certificate store CSV rows can only set the instance-level parameter names exposed to certificate stores, with the secret column prefix. For example, use `Properties.ServerPassword.Parameters.SecretId` or `Password.Parameters.SecretId`. -| PAM type | Provider-level parameters | Store CSV instance parameters | -| --- | --- | --- | -| `1Password-CLI` | Vault, Token | Item, Field | -| `Azure-KeyVault` | KeyVaultUri, AuthorityHost | SecretId | -| `Azure-KeyVault-ServicePrincipal` | KeyVaultUri, AuthorityHost, TenantId, ClientId, ClientSecret | SecretId | -| `BeyondTrust-PasswordSafe` | Host, APIKey, Username, ClientCertificate | SystemId, AccountId | -| `CyberArk-CentralCredentialProvider` | AppId, Host, Site | Safe, Folder, Object | -| `CyberArk-SdkCredentialProvider` | AppId | Safe, Folder, Object | -| `Delinea-SecretServer` | Host, Username, Password, ClientId, ClientSecret, GrantType | SecretId, SecretFieldName | -| `GCP-SecretManager` | projectId | secretId | -| `Hashicorp-Vault` | Host, Token, Path | Secret, Key | +| PAM type | Store CSV parameter names | +| --- | --- | +| `1Password-CLI` | Item, Field | +| `Azure-KeyVault` | SecretId | +| `Azure-KeyVault-ServicePrincipal` | SecretId | +| `BeyondTrust-PasswordSafe` | SystemId, AccountId | +| `CyberArk-CentralCredentialProvider` | Safe, Folder, Object | +| `CyberArk-SdkCredentialProvider` | Safe, Folder, Object | +| `Delinea-SecretServer` | SecretId, SecretFieldName | +| `GCP-SecretManager` | secretId | +| `Hashicorp-Vault` | Secret, Key | 
## Store Types diff --git a/docs/use-cases/Certificate Store Operations/Store Types/akamai.md b/docs/use-cases/Certificate Store Operations/Store Types/akamai.md index 73860b11..5becd5e8 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/akamai.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/akamai.md @@ -150,17 +150,17 @@ Properties.client_secret.Provider,Properties.client_secret.Parameters.` columns. The `Parameters.*` columns must match the instance-level parameters for the configured PAM provider type. -| PAM type | Provider-level parameters | Store CSV instance parameters | -| --- | --- | --- | -| `1Password-CLI` | Vault, Token | Item, Field | -| `Azure-KeyVault` | KeyVaultUri, AuthorityHost | SecretId | -| `Azure-KeyVault-ServicePrincipal` | KeyVaultUri, AuthorityHost, TenantId, ClientId, ClientSecret | SecretId | -| `BeyondTrust-PasswordSafe` | Host, APIKey, Username, ClientCertificate | SystemId, AccountId | -| `CyberArk-CentralCredentialProvider` | AppId, Host, Site | Safe, Folder, Object | -| `CyberArk-SdkCredentialProvider` | AppId | Safe, Folder, Object | -| `Delinea-SecretServer` | Host, Username, Password, ClientId, ClientSecret, GrantType | SecretId, SecretFieldName | -| `GCP-SecretManager` | projectId | secretId | -| `Hashicorp-Vault` | Host, Token, Path | Secret, Key | +| PAM type | Store CSV parameter names | +| --- | --- | +| `1Password-CLI` | Item, Field | +| `Azure-KeyVault` | SecretId | +| `Azure-KeyVault-ServicePrincipal` | SecretId | +| `BeyondTrust-PasswordSafe` | SystemId, AccountId | +| `CyberArk-CentralCredentialProvider` | Safe, Folder, Object | +| `CyberArk-SdkCredentialProvider` | Safe, Folder, Object | +| `Delinea-SecretServer` | SecretId, SecretFieldName | +| `GCP-SecretManager` | secretId | +| `Hashicorp-Vault` | Secret, Key | ## References 
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/datapower.md b/docs/use-cases/Certificate Store Operations/Store Types/datapower.md index 958526f1..1a5f7b81 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/datapower.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/datapower.md @@ -109,17 +109,17 @@ Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.` columns. The `Parameters.*` columns must match the instance-level parameters for the configured PAM provider type. -| PAM type | Provider-level parameters | Store CSV instance parameters | -| --- | --- | --- | -| `1Password-CLI` | Vault, Token | Item, Field | -| `Azure-KeyVault` | KeyVaultUri, AuthorityHost | SecretId | -| `Azure-KeyVault-ServicePrincipal` | KeyVaultUri, AuthorityHost, TenantId, ClientId, ClientSecret | SecretId | -| `BeyondTrust-PasswordSafe` | Host, APIKey, Username, ClientCertificate | SystemId, AccountId | -| `CyberArk-CentralCredentialProvider` | AppId, Host, Site | Safe, Folder, Object | -| `CyberArk-SdkCredentialProvider` | AppId | Safe, Folder, Object | -| `Delinea-SecretServer` | Host, Username, Password, ClientId, ClientSecret, GrantType | SecretId, SecretFieldName | -| `GCP-SecretManager` | projectId | secretId | -| `Hashicorp-Vault` | Host, Token, Path | Secret, Key | +| PAM type | Store CSV parameter names | +| --- | --- | +| `1Password-CLI` | Item, Field | +| `Azure-KeyVault` | SecretId | +| `Azure-KeyVault-ServicePrincipal` | SecretId | +| `BeyondTrust-PasswordSafe` | SystemId, AccountId | +| `CyberArk-CentralCredentialProvider` | Safe, Folder, Object | +| `CyberArk-SdkCredentialProvider` | Safe, Folder, Object | +| `Delinea-SecretServer` | SecretId, SecretFieldName | +| `GCP-SecretManager` | secretId | +| `Hashicorp-Vault` | Secret, Key | ## References 
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/f5-ws-rest.md b/docs/use-cases/Certificate Store Operations/Store Types/f5-ws-rest.md index ddd12119..bbaa98fa 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/f5-ws-rest.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/f5-ws-rest.md @@ -111,17 +111,17 @@ Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.` columns. The `Parameters.*` columns must match the instance-level parameters for the configured PAM provider type. -| PAM type | Provider-level parameters | Store CSV instance parameters | -| --- | --- | --- | -| `1Password-CLI` | Vault, Token | Item, Field | -| `Azure-KeyVault` | KeyVaultUri, AuthorityHost | SecretId | -| `Azure-KeyVault-ServicePrincipal` | KeyVaultUri, AuthorityHost, TenantId, ClientId, ClientSecret | SecretId | -| `BeyondTrust-PasswordSafe` | Host, APIKey, Username, ClientCertificate | SystemId, AccountId | -| `CyberArk-CentralCredentialProvider` | AppId, Host, Site | Safe, Folder, Object | -| `CyberArk-SdkCredentialProvider` | AppId | Safe, Folder, Object | -| `Delinea-SecretServer` | Host, Username, Password, ClientId, ClientSecret, GrantType | SecretId, SecretFieldName | -| `GCP-SecretManager` | projectId | secretId | -| `Hashicorp-Vault` | Host, Token, Path | Secret, Key | +| PAM type | Store CSV parameter names | +| --- | --- | +| `1Password-CLI` | Item, Field | +| `Azure-KeyVault` | SecretId | +| `Azure-KeyVault-ServicePrincipal` | SecretId | +| `BeyondTrust-PasswordSafe` | SystemId, AccountId | +| `CyberArk-CentralCredentialProvider` | Safe, Folder, Object | +| `CyberArk-SdkCredentialProvider` | Safe, Folder, Object | +| `Delinea-SecretServer` | SecretId, SecretFieldName | +| `GCP-SecretManager` | secretId | +| `Hashicorp-Vault` | Secret, Key | ## References 
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/fortiweb.md b/docs/use-cases/Certificate Store Operations/Store Types/fortiweb.md index 964c6d99..6eff7c6e 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/fortiweb.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/fortiweb.md @@ -106,17 +106,17 @@ Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters. Use the PAM parameter names in the table below, or check the provider type in Command if your environment uses custom PAM types. -| PAM type | Provider-level parameters | Store CSV instance parameters | -| --- | --- | --- | -| `1Password-CLI` | Vault, Token | Item, Field | -| `Azure-KeyVault` | KeyVaultUri, AuthorityHost | SecretId | -| `Azure-KeyVault-ServicePrincipal` | KeyVaultUri, AuthorityHost, TenantId, ClientId, ClientSecret | SecretId | -| `BeyondTrust-PasswordSafe` | Host, APIKey, Username, ClientCertificate | SystemId, AccountId | -| `CyberArk-CentralCredentialProvider` | AppId, Host, Site | Safe, Folder, Object | -| `CyberArk-SdkCredentialProvider` | AppId | Safe, Folder, Object | -| `Delinea-SecretServer` | Host, Username, Password, ClientId, ClientSecret, GrantType | SecretId, SecretFieldName | -| `GCP-SecretManager` | projectId | secretId | -| `Hashicorp-Vault` | Host, Token, Path | Secret, Key | +| PAM type | Store CSV parameter names | +| --- | --- | +| `1Password-CLI` | Item, Field | +| `Azure-KeyVault` | SecretId | +| `Azure-KeyVault-ServicePrincipal` | SecretId | +| `BeyondTrust-PasswordSafe` | SystemId, AccountId | +| `CyberArk-CentralCredentialProvider` | Safe, Folder, Object | +| `CyberArk-SdkCredentialProvider` | Safe, Folder, Object | +| `Delinea-SecretServer` | SecretId, SecretFieldName | +| `GCP-SecretManager` | secretId | +| `Hashicorp-Vault` | Secret, Key | ## References 
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/gcploadbal.md b/docs/use-cases/Certificate Store Operations/Store Types/gcploadbal.md index 2a036cd8..e7cf711e 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/gcploadbal.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/gcploadbal.md @@ -101,17 +101,17 @@ Properties.jsonKey.Provider,Properties.jsonKey.Parameters. Use the PAM parameter names in the table below, or check the provider type in Command if your environment uses custom PAM types. -| PAM type | Provider-level parameters | Store CSV instance parameters | -| --- | --- | --- | -| `1Password-CLI` | Vault, Token | Item, Field | -| `Azure-KeyVault` | KeyVaultUri, AuthorityHost | SecretId | -| `Azure-KeyVault-ServicePrincipal` | KeyVaultUri, AuthorityHost, TenantId, ClientId, ClientSecret | SecretId | -| `BeyondTrust-PasswordSafe` | Host, APIKey, Username, ClientCertificate | SystemId, AccountId | -| `CyberArk-CentralCredentialProvider` | AppId, Host, Site | Safe, Folder, Object | -| `CyberArk-SdkCredentialProvider` | AppId | Safe, Folder, Object | -| `Delinea-SecretServer` | Host, Username, Password, ClientId, ClientSecret, GrantType | SecretId, SecretFieldName | -| `GCP-SecretManager` | projectId | secretId | -| `Hashicorp-Vault` | Host, Token, Path | Secret, Key | +| PAM type | Store CSV parameter names | +| --- | --- | +| `1Password-CLI` | Item, Field | +| `Azure-KeyVault` | SecretId | +| `Azure-KeyVault-ServicePrincipal` | SecretId | +| `BeyondTrust-PasswordSafe` | SystemId, AccountId | +| `CyberArk-CentralCredentialProvider` | Safe, Folder, Object | +| `CyberArk-SdkCredentialProvider` | Safe, Folder, Object | +| `Delinea-SecretServer` | SecretId, SecretFieldName | +| `GCP-SecretManager` | secretId | +| `Hashicorp-Vault` | Secret, Key | ## References 
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/gcpscrtmgr.md b/docs/use-cases/Certificate Store Operations/Store Types/gcpscrtmgr.md index ca060336..033e6888 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/gcpscrtmgr.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/gcpscrtmgr.md @@ -98,17 +98,17 @@ These parameters apply to certificate add/enrollment operations for this store t The store password uses the `Password` column. For a PAM-backed store password, use `Password.Provider` and `Password.Parameters.` columns. The `Parameters.*` columns must match the instance-level parameters for the configured PAM provider type. -| PAM type | Provider-level parameters | Store CSV instance parameters | -| --- | --- | --- | -| `1Password-CLI` | Vault, Token | Item, Field | -| `Azure-KeyVault` | KeyVaultUri, AuthorityHost | SecretId | -| `Azure-KeyVault-ServicePrincipal` | KeyVaultUri, AuthorityHost, TenantId, ClientId, ClientSecret | SecretId | -| `BeyondTrust-PasswordSafe` | Host, APIKey, Username, ClientCertificate | SystemId, AccountId | -| `CyberArk-CentralCredentialProvider` | AppId, Host, Site | Safe, Folder, Object | -| `CyberArk-SdkCredentialProvider` | AppId | Safe, Folder, Object | -| `Delinea-SecretServer` | Host, Username, Password, ClientId, ClientSecret, GrantType | SecretId, SecretFieldName | -| `GCP-SecretManager` | projectId | secretId | -| `Hashicorp-Vault` | Host, Token, Path | Secret, Key | +| PAM type | Store CSV parameter names | +| --- | --- | +| `1Password-CLI` | Item, Field | +| `Azure-KeyVault` | SecretId | +| `Azure-KeyVault-ServicePrincipal` | SecretId | +| `BeyondTrust-PasswordSafe` | SystemId, AccountId | +| `CyberArk-CentralCredentialProvider` | Safe, Folder, Object | +| `CyberArk-SdkCredentialProvider` | Safe, Folder, Object | +| `Delinea-SecretServer` | SecretId, SecretFieldName | +| `GCP-SecretManager` | secretId | +| `Hashicorp-Vault` | Secret, Key | ## References 
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/hcvkvjks.md b/docs/use-cases/Certificate Store Operations/Store Types/hcvkvjks.md index 47468c07..ad29d771 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/hcvkvjks.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/hcvkvjks.md @@ -109,17 +109,17 @@ Use the PAM parameter names in the table below, or check the provider type in Co The store password uses the `Password` column. For a PAM-backed store password, use `Password.Provider` and `Password.Parameters.` columns. The `Parameters.*` columns must match the instance-level parameters for the configured PAM provider type. -| PAM type | Provider-level parameters | Store CSV instance parameters | -| --- | --- | --- | -| `1Password-CLI` | Vault, Token | Item, Field | -| `Azure-KeyVault` | KeyVaultUri, AuthorityHost | SecretId | -| `Azure-KeyVault-ServicePrincipal` | KeyVaultUri, AuthorityHost, TenantId, ClientId, ClientSecret | SecretId | -| `BeyondTrust-PasswordSafe` | Host, APIKey, Username, ClientCertificate | SystemId, AccountId | -| `CyberArk-CentralCredentialProvider` | AppId, Host, Site | Safe, Folder, Object | -| `CyberArk-SdkCredentialProvider` | AppId | Safe, Folder, Object | -| `Delinea-SecretServer` | Host, Username, Password, ClientId, ClientSecret, GrantType | SecretId, SecretFieldName | -| `GCP-SecretManager` | projectId | secretId | -| `Hashicorp-Vault` | Host, Token, Path | Secret, Key | +| PAM type | Store CSV parameter names | +| --- | --- | +| `1Password-CLI` | Item, Field | +| `Azure-KeyVault` | SecretId | +| `Azure-KeyVault-ServicePrincipal` | SecretId | +| `BeyondTrust-PasswordSafe` | SystemId, AccountId | +| `CyberArk-CentralCredentialProvider` | Safe, Folder, Object | +| `CyberArk-SdkCredentialProvider` | Safe, Folder, Object | +| `Delinea-SecretServer` | SecretId, SecretFieldName | +| `GCP-SecretManager` | secretId | +| `Hashicorp-Vault` | Secret, Key | ## References 
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/hcvkvp12.md b/docs/use-cases/Certificate Store Operations/Store Types/hcvkvp12.md index b2e67d6c..5fad0d00 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/hcvkvp12.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/hcvkvp12.md @@ -109,17 +109,17 @@ Use the PAM parameter names in the table below, or check the provider type in Co The store password uses the `Password` column. For a PAM-backed store password, use `Password.Provider` and `Password.Parameters.` columns. The `Parameters.*` columns must match the instance-level parameters for the configured PAM provider type. -| PAM type | Provider-level parameters | Store CSV instance parameters | -| --- | --- | --- | -| `1Password-CLI` | Vault, Token | Item, Field | -| `Azure-KeyVault` | KeyVaultUri, AuthorityHost | SecretId | -| `Azure-KeyVault-ServicePrincipal` | KeyVaultUri, AuthorityHost, TenantId, ClientId, ClientSecret | SecretId | -| `BeyondTrust-PasswordSafe` | Host, APIKey, Username, ClientCertificate | SystemId, AccountId | -| `CyberArk-CentralCredentialProvider` | AppId, Host, Site | Safe, Folder, Object | -| `CyberArk-SdkCredentialProvider` | AppId | Safe, Folder, Object | -| `Delinea-SecretServer` | Host, Username, Password, ClientId, ClientSecret, GrantType | SecretId, SecretFieldName | -| `GCP-SecretManager` | projectId | secretId | -| `Hashicorp-Vault` | Host, Token, Path | Secret, Key | +| PAM type | Store CSV parameter names | +| --- | --- | +| `1Password-CLI` | Item, Field | +| `Azure-KeyVault` | SecretId | +| `Azure-KeyVault-ServicePrincipal` | SecretId | +| `BeyondTrust-PasswordSafe` | SystemId, AccountId | +| `CyberArk-CentralCredentialProvider` | Safe, Folder, Object | +| `CyberArk-SdkCredentialProvider` | Safe, Folder, Object | +| `Delinea-SecretServer` | SecretId, SecretFieldName | +| `GCP-SecretManager` | secretId | +| `Hashicorp-Vault` | Secret, Key | ## References 
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/hcvkvpem.md b/docs/use-cases/Certificate Store Operations/Store Types/hcvkvpem.md index 826dd951..6e6fe948 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/hcvkvpem.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/hcvkvpem.md @@ -109,17 +109,17 @@ Use the PAM parameter names in the table below, or check the provider type in Co The store password uses the `Password` column. For a PAM-backed store password, use `Password.Provider` and `Password.Parameters.` columns. The `Parameters.*` columns must match the instance-level parameters for the configured PAM provider type. -| PAM type | Provider-level parameters | Store CSV instance parameters | -| --- | --- | --- | -| `1Password-CLI` | Vault, Token | Item, Field | -| `Azure-KeyVault` | KeyVaultUri, AuthorityHost | SecretId | -| `Azure-KeyVault-ServicePrincipal` | KeyVaultUri, AuthorityHost, TenantId, ClientId, ClientSecret | SecretId | -| `BeyondTrust-PasswordSafe` | Host, APIKey, Username, ClientCertificate | SystemId, AccountId | -| `CyberArk-CentralCredentialProvider` | AppId, Host, Site | Safe, Folder, Object | -| `CyberArk-SdkCredentialProvider` | AppId | Safe, Folder, Object | -| `Delinea-SecretServer` | Host, Username, Password, ClientId, ClientSecret, GrantType | SecretId, SecretFieldName | -| `GCP-SecretManager` | projectId | secretId | -| `Hashicorp-Vault` | Host, Token, Path | Secret, Key | +| PAM type | Store CSV parameter names | +| --- | --- | +| `1Password-CLI` | Item, Field | +| `Azure-KeyVault` | SecretId | +| `Azure-KeyVault-ServicePrincipal` | SecretId | +| `BeyondTrust-PasswordSafe` | SystemId, AccountId | +| `CyberArk-CentralCredentialProvider` | Safe, Folder, Object | +| `CyberArk-SdkCredentialProvider` | Safe, Folder, Object | +| `Delinea-SecretServer` | SecretId, SecretFieldName | +| `GCP-SecretManager` | secretId | +| `Hashicorp-Vault` | Secret, Key | ## References 
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/hcvkvpfx.md b/docs/use-cases/Certificate Store Operations/Store Types/hcvkvpfx.md index 107cec6e..12eed201 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/hcvkvpfx.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/hcvkvpfx.md @@ -109,17 +109,17 @@ Use the PAM parameter names in the table below, or check the provider type in Co The store password uses the `Password` column. For a PAM-backed store password, use `Password.Provider` and `Password.Parameters.` columns. The `Parameters.*` columns must match the instance-level parameters for the configured PAM provider type. -| PAM type | Provider-level parameters | Store CSV instance parameters | -| --- | --- | --- | -| `1Password-CLI` | Vault, Token | Item, Field | -| `Azure-KeyVault` | KeyVaultUri, AuthorityHost | SecretId | -| `Azure-KeyVault-ServicePrincipal` | KeyVaultUri, AuthorityHost, TenantId, ClientId, ClientSecret | SecretId | -| `BeyondTrust-PasswordSafe` | Host, APIKey, Username, ClientCertificate | SystemId, AccountId | -| `CyberArk-CentralCredentialProvider` | AppId, Host, Site | Safe, Folder, Object | -| `CyberArk-SdkCredentialProvider` | AppId | Safe, Folder, Object | -| `Delinea-SecretServer` | Host, Username, Password, ClientId, ClientSecret, GrantType | SecretId, SecretFieldName | -| `GCP-SecretManager` | projectId | secretId | -| `Hashicorp-Vault` | Host, Token, Path | Secret, Key | +| PAM type | Store CSV parameter names | +| --- | --- | +| `1Password-CLI` | Item, Field | +| `Azure-KeyVault` | SecretId | +| `Azure-KeyVault-ServicePrincipal` | SecretId | +| `BeyondTrust-PasswordSafe` | SystemId, AccountId | +| `CyberArk-CentralCredentialProvider` | Safe, Folder, Object | +| `CyberArk-SdkCredentialProvider` | Safe, Folder, Object | +| `Delinea-SecretServer` | SecretId, SecretFieldName | +| `GCP-SecretManager` | secretId | +| `Hashicorp-Vault` | Secret, Key | ## References 
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/hcvpki.md b/docs/use-cases/Certificate Store Operations/Store Types/hcvpki.md index 7381e6ab..25e42523 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/hcvpki.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/hcvpki.md @@ -108,17 +108,17 @@ Use the PAM parameter names in the table below, or check the provider type in Co The store password uses the `Password` column. For a PAM-backed store password, use `Password.Provider` and `Password.Parameters.` columns. The `Parameters.*` columns must match the instance-level parameters for the configured PAM provider type. -| PAM type | Provider-level parameters | Store CSV instance parameters | -| --- | --- | --- | -| `1Password-CLI` | Vault, Token | Item, Field | -| `Azure-KeyVault` | KeyVaultUri, AuthorityHost | SecretId | -| `Azure-KeyVault-ServicePrincipal` | KeyVaultUri, AuthorityHost, TenantId, ClientId, ClientSecret | SecretId | -| `BeyondTrust-PasswordSafe` | Host, APIKey, Username, ClientCertificate | SystemId, AccountId | -| `CyberArk-CentralCredentialProvider` | AppId, Host, Site | Safe, Folder, Object | -| `CyberArk-SdkCredentialProvider` | AppId | Safe, Folder, Object | -| `Delinea-SecretServer` | Host, Username, Password, ClientId, ClientSecret, GrantType | SecretId, SecretFieldName | -| `GCP-SecretManager` | projectId | secretId | -| `Hashicorp-Vault` | Host, Token, Path | Secret, Key | +| PAM type | Store CSV parameter names | +| --- | --- | +| `1Password-CLI` | Item, Field | +| `Azure-KeyVault` | SecretId | +| `Azure-KeyVault-ServicePrincipal` | SecretId | +| `BeyondTrust-PasswordSafe` | SystemId, AccountId | +| `CyberArk-CentralCredentialProvider` | Safe, Folder, Object | +| `CyberArk-SdkCredentialProvider` | Safe, Folder, Object | +| `Delinea-SecretServer` | SecretId, SecretFieldName | +| `GCP-SecretManager` | secretId | +| `Hashicorp-Vault` | Secret, Key | ## References 
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/idrac.md b/docs/use-cases/Certificate Store Operations/Store Types/idrac.md index 918cb8f3..2bad82e1 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/idrac.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/idrac.md @@ -104,17 +104,17 @@ Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.` columns. The `Parameters.*` columns must match the instance-level parameters for the configured PAM provider type. -| PAM type | Provider-level parameters | Store CSV instance parameters | -| --- | --- | --- | -| `1Password-CLI` | Vault, Token | Item, Field | -| `Azure-KeyVault` | KeyVaultUri, AuthorityHost | SecretId | -| `Azure-KeyVault-ServicePrincipal` | KeyVaultUri, AuthorityHost, TenantId, ClientId, ClientSecret | SecretId | -| `BeyondTrust-PasswordSafe` | Host, APIKey, Username, ClientCertificate | SystemId, AccountId | -| `CyberArk-CentralCredentialProvider` | AppId, Host, Site | Safe, Folder, Object | -| `CyberArk-SdkCredentialProvider` | AppId | Safe, Folder, Object | -| `Delinea-SecretServer` | Host, Username, Password, ClientId, ClientSecret, GrantType | SecretId, SecretFieldName | -| `GCP-SecretManager` | projectId | secretId | -| `Hashicorp-Vault` | Host, Token, Path | Secret, Key | +| PAM type | Store CSV parameter names | +| --- | --- | +| `1Password-CLI` | Item, Field | +| `Azure-KeyVault` | SecretId | +| `Azure-KeyVault-ServicePrincipal` | SecretId | +| `BeyondTrust-PasswordSafe` | SystemId, AccountId | +| `CyberArk-CentralCredentialProvider` | Safe, Folder, Object | +| `CyberArk-SdkCredentialProvider` | Safe, Folder, Object | +| `Delinea-SecretServer` | SecretId, SecretFieldName | +| `GCP-SecretManager` | secretId | +| `Hashicorp-Vault` | Secret, Key | ## References 
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/k8scert.md b/docs/use-cases/Certificate Store Operations/Store Types/k8scert.md index 6aae8fba..acfbec4b 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/k8scert.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/k8scert.md @@ -103,17 +103,17 @@ Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.` columns. The `Parameters.*` columns must match the instance-level parameters for the configured PAM provider type. -| PAM type | Provider-level parameters | Store CSV instance parameters | -| --- | --- | --- | -| `1Password-CLI` | Vault, Token | Item, Field | -| `Azure-KeyVault` | KeyVaultUri, AuthorityHost | SecretId | -| `Azure-KeyVault-ServicePrincipal` | KeyVaultUri, AuthorityHost, TenantId, ClientId, ClientSecret | SecretId | -| `BeyondTrust-PasswordSafe` | Host, APIKey, Username, ClientCertificate | SystemId, AccountId | -| `CyberArk-CentralCredentialProvider` | AppId, Host, Site | Safe, Folder, Object | -| `CyberArk-SdkCredentialProvider` | AppId | Safe, Folder, Object | -| `Delinea-SecretServer` | Host, Username, Password, ClientId, ClientSecret, GrantType | SecretId, SecretFieldName | -| `GCP-SecretManager` | projectId | secretId | -| `Hashicorp-Vault` | Host, Token, Path | Secret, Key | +| PAM type | Store CSV parameter names | +| --- | --- | +| `1Password-CLI` | Item, Field | +| `Azure-KeyVault` | SecretId | +| `Azure-KeyVault-ServicePrincipal` | SecretId | +| `BeyondTrust-PasswordSafe` | SystemId, AccountId | +| `CyberArk-CentralCredentialProvider` | Safe, Folder, Object | +| `CyberArk-SdkCredentialProvider` | Safe, Folder, Object | +| `Delinea-SecretServer` | SecretId, SecretFieldName | +| `GCP-SecretManager` | secretId | +| `Hashicorp-Vault` | Secret, Key | ## References 
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/rfjks.md b/docs/use-cases/Certificate Store Operations/Store Types/rfjks.md index e7f2bd97..54b53948 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/rfjks.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/rfjks.md @@ -114,17 +114,17 @@ Use the PAM parameter names in the table below, or check the provider type in Co The store password uses the `Password` column. For a PAM-backed store password, use `Password.Provider` and `Password.Parameters.` columns. The `Parameters.*` columns must match the instance-level parameters for the configured PAM provider type. -| PAM type | Provider-level parameters | Store CSV instance parameters | -| --- | --- | --- | -| `1Password-CLI` | Vault, Token | Item, Field | -| `Azure-KeyVault` | KeyVaultUri, AuthorityHost | SecretId | -| `Azure-KeyVault-ServicePrincipal` | KeyVaultUri, AuthorityHost, TenantId, ClientId, ClientSecret | SecretId | -| `BeyondTrust-PasswordSafe` | Host, APIKey, Username, ClientCertificate | SystemId, AccountId | -| `CyberArk-CentralCredentialProvider` | AppId, Host, Site | Safe, Folder, Object | -| `CyberArk-SdkCredentialProvider` | AppId | Safe, Folder, Object | -| `Delinea-SecretServer` | Host, Username, Password, ClientId, ClientSecret, GrantType | SecretId, SecretFieldName | -| `GCP-SecretManager` | projectId | secretId | -| `Hashicorp-Vault` | Host, Token, Path | Secret, Key | +| PAM type | Store CSV parameter names | +| --- | --- | +| `1Password-CLI` | Item, Field | +| `Azure-KeyVault` | SecretId | +| `Azure-KeyVault-ServicePrincipal` | SecretId | +| `BeyondTrust-PasswordSafe` | SystemId, AccountId | +| `CyberArk-CentralCredentialProvider` | Safe, Folder, Object | +| `CyberArk-SdkCredentialProvider` | Safe, Folder, Object | +| `Delinea-SecretServer` | SecretId, SecretFieldName | +| `GCP-SecretManager` | secretId | +| `Hashicorp-Vault` | Secret, Key | ## References 
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/rfkdb.md b/docs/use-cases/Certificate Store Operations/Store Types/rfkdb.md index baf581a9..39f2f4ff 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/rfkdb.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/rfkdb.md @@ -113,17 +113,17 @@ Use the PAM parameter names in the table below, or check the provider type in Co The store password uses the `Password` column. For a PAM-backed store password, use `Password.Provider` and `Password.Parameters.` columns. The `Parameters.*` columns must match the instance-level parameters for the configured PAM provider type. -| PAM type | Provider-level parameters | Store CSV instance parameters | -| --- | --- | --- | -| `1Password-CLI` | Vault, Token | Item, Field | -| `Azure-KeyVault` | KeyVaultUri, AuthorityHost | SecretId | -| `Azure-KeyVault-ServicePrincipal` | KeyVaultUri, AuthorityHost, TenantId, ClientId, ClientSecret | SecretId | -| `BeyondTrust-PasswordSafe` | Host, APIKey, Username, ClientCertificate | SystemId, AccountId | -| `CyberArk-CentralCredentialProvider` | AppId, Host, Site | Safe, Folder, Object | -| `CyberArk-SdkCredentialProvider` | AppId | Safe, Folder, Object | -| `Delinea-SecretServer` | Host, Username, Password, ClientId, ClientSecret, GrantType | SecretId, SecretFieldName | -| `GCP-SecretManager` | projectId | secretId | -| `Hashicorp-Vault` | Host, Token, Path | Secret, Key | +| PAM type | Store CSV parameter names | +| --- | --- | +| `1Password-CLI` | Item, Field | +| `Azure-KeyVault` | SecretId | +| `Azure-KeyVault-ServicePrincipal` | SecretId | +| `BeyondTrust-PasswordSafe` | SystemId, AccountId | +| `CyberArk-CentralCredentialProvider` | Safe, Folder, Object | +| `CyberArk-SdkCredentialProvider` | Safe, Folder, Object | +| `Delinea-SecretServer` | SecretId, SecretFieldName | +| `GCP-SecretManager` | secretId | +| `Hashicorp-Vault` | Secret, Key | ## References 
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/rfora.md b/docs/use-cases/Certificate Store Operations/Store Types/rfora.md index e3c865b8..60d6cc9d 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/rfora.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/rfora.md @@ -114,17 +114,17 @@ Use the PAM parameter names in the table below, or check the provider type in Co The store password uses the `Password` column. For a PAM-backed store password, use `Password.Provider` and `Password.Parameters.` columns. The `Parameters.*` columns must match the instance-level parameters for the configured PAM provider type. -| PAM type | Provider-level parameters | Store CSV instance parameters | -| --- | --- | --- | -| `1Password-CLI` | Vault, Token | Item, Field | -| `Azure-KeyVault` | KeyVaultUri, AuthorityHost | SecretId | -| `Azure-KeyVault-ServicePrincipal` | KeyVaultUri, AuthorityHost, TenantId, ClientId, ClientSecret | SecretId | -| `BeyondTrust-PasswordSafe` | Host, APIKey, Username, ClientCertificate | SystemId, AccountId | -| `CyberArk-CentralCredentialProvider` | AppId, Host, Site | Safe, Folder, Object | -| `CyberArk-SdkCredentialProvider` | AppId | Safe, Folder, Object | -| `Delinea-SecretServer` | Host, Username, Password, ClientId, ClientSecret, GrantType | SecretId, SecretFieldName | -| `GCP-SecretManager` | projectId | secretId | -| `Hashicorp-Vault` | Host, Token, Path | Secret, Key | +| PAM type | Store CSV parameter names | +| --- | --- | +| `1Password-CLI` | Item, Field | +| `Azure-KeyVault` | SecretId | +| `Azure-KeyVault-ServicePrincipal` | SecretId | +| `BeyondTrust-PasswordSafe` | SystemId, AccountId | +| `CyberArk-CentralCredentialProvider` | Safe, Folder, Object | +| `CyberArk-SdkCredentialProvider` | Safe, Folder, Object | +| `Delinea-SecretServer` | SecretId, SecretFieldName | +| `GCP-SecretManager` | secretId | +| `Hashicorp-Vault` | Secret, Key | ## References 
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/rfpem.md b/docs/use-cases/Certificate Store Operations/Store Types/rfpem.md index 6142a3fb..f6f57aef 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/rfpem.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/rfpem.md @@ -118,17 +118,17 @@ Use the PAM parameter names in the table below, or check the provider type in Co The store password uses the `Password` column. For a PAM-backed store password, use `Password.Provider` and `Password.Parameters.` columns. The `Parameters.*` columns must match the instance-level parameters for the configured PAM provider type. -| PAM type | Provider-level parameters | Store CSV instance parameters | -| --- | --- | --- | -| `1Password-CLI` | Vault, Token | Item, Field | -| `Azure-KeyVault` | KeyVaultUri, AuthorityHost | SecretId | -| `Azure-KeyVault-ServicePrincipal` | KeyVaultUri, AuthorityHost, TenantId, ClientId, ClientSecret | SecretId | -| `BeyondTrust-PasswordSafe` | Host, APIKey, Username, ClientCertificate | SystemId, AccountId | -| `CyberArk-CentralCredentialProvider` | AppId, Host, Site | Safe, Folder, Object | -| `CyberArk-SdkCredentialProvider` | AppId | Safe, Folder, Object | -| `Delinea-SecretServer` | Host, Username, Password, ClientId, ClientSecret, GrantType | SecretId, SecretFieldName | -| `GCP-SecretManager` | projectId | secretId | -| `Hashicorp-Vault` | Host, Token, Path | Secret, Key | +| PAM type | Store CSV parameter names | +| --- | --- | +| `1Password-CLI` | Item, Field | +| `Azure-KeyVault` | SecretId | +| `Azure-KeyVault-ServicePrincipal` | SecretId | +| `BeyondTrust-PasswordSafe` | SystemId, AccountId | +| `CyberArk-CentralCredentialProvider` | Safe, Folder, Object | +| `CyberArk-SdkCredentialProvider` | Safe, Folder, Object | +| `Delinea-SecretServer` | SecretId, SecretFieldName | +| `GCP-SecretManager` | secretId | +| `Hashicorp-Vault` | Secret, Key | ## References 
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/rfpkcs12.md b/docs/use-cases/Certificate Store Operations/Store Types/rfpkcs12.md index 1cd2c010..1faef09b 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/rfpkcs12.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/rfpkcs12.md @@ -113,17 +113,17 @@ Use the PAM parameter names in the table below, or check the provider type in Co The store password uses the `Password` column. For a PAM-backed store password, use `Password.Provider` and `Password.Parameters.` columns. The `Parameters.*` columns must match the instance-level parameters for the configured PAM provider type. -| PAM type | Provider-level parameters | Store CSV instance parameters | -| --- | --- | --- | -| `1Password-CLI` | Vault, Token | Item, Field | -| `Azure-KeyVault` | KeyVaultUri, AuthorityHost | SecretId | -| `Azure-KeyVault-ServicePrincipal` | KeyVaultUri, AuthorityHost, TenantId, ClientId, ClientSecret | SecretId | -| `BeyondTrust-PasswordSafe` | Host, APIKey, Username, ClientCertificate | SystemId, AccountId | -| `CyberArk-CentralCredentialProvider` | AppId, Host, Site | Safe, Folder, Object | -| `CyberArk-SdkCredentialProvider` | AppId | Safe, Folder, Object | -| `Delinea-SecretServer` | Host, Username, Password, ClientId, ClientSecret, GrantType | SecretId, SecretFieldName | -| `GCP-SecretManager` | projectId | secretId | -| `Hashicorp-Vault` | Host, Token, Path | Secret, Key | +| PAM type | Store CSV parameter names | +| --- | --- | +| `1Password-CLI` | Item, Field | +| `Azure-KeyVault` | SecretId | +| `Azure-KeyVault-ServicePrincipal` | SecretId | +| `BeyondTrust-PasswordSafe` | SystemId, AccountId | +| `CyberArk-CentralCredentialProvider` | Safe, Folder, Object | +| `CyberArk-SdkCredentialProvider` | Safe, Folder, Object | +| `Delinea-SecretServer` | SecretId, SecretFieldName | +| `GCP-SecretManager` | secretId | +| `Hashicorp-Vault` | Secret, Key | ## References 
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/signum.md b/docs/use-cases/Certificate Store Operations/Store Types/signum.md index 413748ca..d44c76f3 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/signum.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/signum.md @@ -104,17 +104,17 @@ Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters. Date: Fri, 1 May 2026 13:56:30 -0700 Subject: [PATCH 11/17] docs: add generated PAM operation use cases --- CHANGELOG.md | 1 + GNUmakefile | 4 +- docs/use-cases/PAM Operations/README.md | 28 + .../PAM Operations/create-pam-providers.md | 746 ++++++++++++++++++ .../PAM Operations/create-pam-types.md | 89 +++ docs/use-cases/README.md | 1 + tools/pamdocs/main.go | 344 ++++++++ 7 files changed, 1212 insertions(+), 1 deletion(-) create mode 100644 docs/use-cases/PAM Operations/README.md create mode 100644 docs/use-cases/PAM Operations/create-pam-providers.md create mode 100644 docs/use-cases/PAM Operations/create-pam-types.md create mode 100644 tools/pamdocs/main.go diff --git a/CHANGELOG.md b/CHANGELOG.md index f4996cc6..9f07ea23 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -14,6 +14,7 @@ - Add use-case documentation for bulk certificate store updates. - Add use-case documentation for migrating certificate store credentials from static values to a PAM provider. - Add generated per-store-type bulk create and update use-case guides. +- Add generated PAM Operations use-case documentation for PAM type and provider creation. # v1.9.1 diff --git a/GNUmakefile b/GNUmakefile index 016bb492..08c2b368 100644 --- a/GNUmakefile +++ b/GNUmakefile 
@@ -86,5 +86,7 @@ generate_toc: store-type-docs: GOWORK=off GOCACHE=/tmp/kfutil-gocache go run ./tools/storetypedocs +pam-operation-docs: + GOWORK=off GOCACHE=/tmp/kfutil-gocache go run ./tools/pamdocs -.PHONY: build prerelease release install test fmt vendor version setversion store-type-docs +.PHONY: build prerelease release install test fmt vendor version setversion store-type-docs pam-operation-docs diff --git a/docs/use-cases/PAM Operations/README.md b/docs/use-cases/PAM Operations/README.md new file mode 100644 index 00000000..bdfdcea0 --- /dev/null +++ b/docs/use-cases/PAM Operations/README.md @@ -0,0 +1,28 @@ + +# PAM Operations + +Use cases for creating PAM provider types and PAM providers with `kfutil`. + +These docs are generated from `cmd/pam_types.json`. Regenerate after PAM type metadata changes: + +```bash +make pam-operation-docs +``` + +- [Create PAM Types](create-pam-types.md) +- [Create PAM Providers](create-pam-providers.md) + +## Embedded PAM Types + +| PAM type | Provider configuration parameters | Certificate store instance parameters | +| --- | --- | --- | +| `1Password-CLI` | Vault, Token | Item, Field | +| `Azure-KeyVault` | KeyVaultUri, AuthorityHost | SecretId | +| `Azure-KeyVault-ServicePrincipal` | KeyVaultUri, AuthorityHost, TenantId, ClientId, ClientSecret | SecretId | +| `BeyondTrust-PasswordSafe` | Host, APIKey, Username, ClientCertificate | SystemId, AccountId | +| `CyberArk-CentralCredentialProvider` | AppId, Host, Site | Safe, Folder, Object | +| `CyberArk-SdkCredentialProvider` | AppId | Safe, Folder, Object | +| `Delinea-SecretServer` | Host, Username, Password, ClientId, ClientSecret, GrantType | SecretId, SecretFieldName | +| `GCP-SecretManager` | projectId | secretId | +| `Hashicorp-Vault` | Host, Token, Path | Secret, Key | + diff --git a/docs/use-cases/PAM Operations/create-pam-providers.md b/docs/use-cases/PAM Operations/create-pam-providers.md new file mode 100644 index 00000000..7208ce29 --- /dev/null 
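Review bot: The new `pam-operation-docs` recipe pins `GOCACHE=/tmp/kfutil-gocache`, a fixed, predictable path under the world-writable shared `/tmp`; on a multi-user host any other local account can create that directory first, and Go will then read build-cache entries from a directory this user does not own, which is trusted input to the build of the generator it runs. If the override is only there to keep CI sandboxes writable, a per-user location keeps that property without the shared path, e.g. `GOWORK=off GOCACHE=$(HOME)/.cache/kfutil-gocache go run ./tools/pamdocs`, or drop `GOCACHE=` entirely so Go's per-user default applies. The existing `store-type-docs` recipe in the same hunk uses the same setting and should change together with it so both targets share one cache.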
+++ b/docs/use-cases/PAM Operations/create-pam-providers.md 
@@ -0,0 +1,746 @@ + +# Create PAM Providers + +[PAM Operations](README.md) | [Use Cases](../README.md) + +This use case creates PAM providers from JSON files. `kfutil pam create` currently accepts provider configuration with `--from-file`. + +Create the PAM provider type first, then create the provider that uses it: + +```bash +kfutil pam-types create --name Hashicorp-Vault --no-prompt +kfutil pam create --from-file hashicorp-vault-provider.json --no-prompt +``` + +Provider JSON contains provider-level connection settings only. Certificate-store instance parameters are not set on the provider; they are supplied later on certificate store CSV columns such as `Properties.ServerPassword.Parameters.SecretId`. + +Provider type IDs and provider parameter IDs are assigned by Command when PAM types are created. Get the live provider type first and replace the `Id` placeholders in the generated template before running `kfutil pam create`: + +```bash +kfutil pam-types get --name Hashicorp-Vault --no-prompt +``` + +## Embedded PAM Types + +| PAM type | Provider configuration parameters | Certificate store instance parameters | +| --- | --- | --- | +| `1Password-CLI` | Vault, Token | Item, Field | +| `Azure-KeyVault` | KeyVaultUri, AuthorityHost | SecretId | +| `Azure-KeyVault-ServicePrincipal` | KeyVaultUri, AuthorityHost, TenantId, ClientId, ClientSecret | SecretId | +| `BeyondTrust-PasswordSafe` | Host, APIKey, Username, ClientCertificate | SystemId, AccountId | +| `CyberArk-CentralCredentialProvider` | AppId, Host, Site | Safe, Folder, Object | +| `CyberArk-SdkCredentialProvider` | AppId | Safe, Folder, Object | +| `Delinea-SecretServer` | Host, Username, Password, ClientId, ClientSecret, GrantType | SecretId, SecretFieldName | +| `GCP-SecretManager` | projectId | secretId | +| `Hashicorp-Vault` | Host, Token, Path | Secret, Key | + +## Provider Examples + +### 1Password-CLI + +Write a provider config file: + +```json +{ + "Area": 1, + "Name": "example-1password-cli", + 
"Remote": false, + "ProviderType": { + "Id": "", + "Name": "1Password-CLI", + "ProviderTypeParams": [ + { + "Id": "", + "Name": "Vault", + "DisplayName": "1Password Secret Vault", + "DataType": 1, + "InstanceLevel": false + }, + { + "Id": "", + "Name": "Token", + "DisplayName": "1Password Service Account Token", + "DataType": 2, + "InstanceLevel": false + } + ] + }, + "ProviderTypeParamValues": [ + { + "Value": "", + "ProviderTypeParam": { + "Id": "", + "Name": "Vault", + "DisplayName": "1Password Secret Vault", + "DataType": 1, + "InstanceLevel": false + } + }, + { + "Value": "", + "ProviderTypeParam": { + "Id": "", + "Name": "Token", + "DisplayName": "1Password Service Account Token", + "DataType": 2, + "InstanceLevel": false + } + } + ], + "SecuredAreaId": null +} +``` + +Create the provider: + +```bash +kfutil pam create --from-file 1password-cli-provider.json --no-prompt +``` + +### Azure-KeyVault + +Write a provider config file: + +```json +{ + "Area": 1, + "Name": "example-azure-keyvault", + "Remote": false, + "ProviderType": { + "Id": "", + "Name": "Azure-KeyVault", + "ProviderTypeParams": [ + { + "Id": "", + "Name": "KeyVaultUri", + "DisplayName": "Key Vault URI", + "DataType": 1, + "InstanceLevel": false + }, + { + "Id": "", + "Name": "AuthorityHost", + "DisplayName": "Authority Host", + "DataType": 1, + "InstanceLevel": false + } + ] + }, + "ProviderTypeParamValues": [ + { + "Value": "https://example.invalid", + "ProviderTypeParam": { + "Id": "", + "Name": "KeyVaultUri", + "DisplayName": "Key Vault URI", + "DataType": 1, + "InstanceLevel": false + } + }, + { + "Value": "https://example.invalid", + "ProviderTypeParam": { + "Id": "", + "Name": "AuthorityHost", + "DisplayName": "Authority Host", + "DataType": 1, + "InstanceLevel": false + } + } + ], + "SecuredAreaId": null +} +``` + +Create the provider: + +```bash +kfutil pam create --from-file azure-keyvault-provider.json --no-prompt +``` + +### Azure-KeyVault-ServicePrincipal + +Write a provider config 
file: + +```json +{ + "Area": 1, + "Name": "example-azure-keyvault-serviceprincipal", + "Remote": false, + "ProviderType": { + "Id": "", + "Name": "Azure-KeyVault-ServicePrincipal", + "ProviderTypeParams": [ + { + "Id": "", + "Name": "KeyVaultUri", + "DisplayName": "Key Vault URI", + "DataType": 1, + "InstanceLevel": false + }, + { + "Id": "", + "Name": "AuthorityHost", + "DisplayName": "Authority Host", + "DataType": 1, + "InstanceLevel": false + }, + { + "Id": "", + "Name": "TenantId", + "DisplayName": "Tenant ID", + "DataType": 1, + "InstanceLevel": false + }, + { + "Id": "", + "Name": "ClientId", + "DisplayName": "Client ID", + "DataType": 1, + "InstanceLevel": false + }, + { + "Id": "", + "Name": "ClientSecret", + "DisplayName": "ClientSecret", + "DataType": 2, + "InstanceLevel": false + } + ] + }, + "ProviderTypeParamValues": [ + { + "Value": "https://example.invalid", + "ProviderTypeParam": { + "Id": "", + "Name": "KeyVaultUri", + "DisplayName": "Key Vault URI", + "DataType": 1, + "InstanceLevel": false + } + }, + { + "Value": "https://example.invalid", + "ProviderTypeParam": { + "Id": "", + "Name": "AuthorityHost", + "DisplayName": "Authority Host", + "DataType": 1, + "InstanceLevel": false + } + }, + { + "Value": "", + "ProviderTypeParam": { + "Id": "", + "Name": "TenantId", + "DisplayName": "Tenant ID", + "DataType": 1, + "InstanceLevel": false + } + }, + { + "Value": "", + "ProviderTypeParam": { + "Id": "", + "Name": "ClientId", + "DisplayName": "Client ID", + "DataType": 1, + "InstanceLevel": false + } + }, + { + "Value": "", + "ProviderTypeParam": { + "Id": "", + "Name": "ClientSecret", + "DisplayName": "ClientSecret", + "DataType": 2, + "InstanceLevel": false + } + } + ], + "SecuredAreaId": null +} +``` + +Create the provider: + +```bash +kfutil pam create --from-file azure-keyvault-serviceprincipal-provider.json --no-prompt +``` + +### BeyondTrust-PasswordSafe + +Write a provider config file: + +```json +{ + "Area": 1, + "Name": 
"example-beyondtrust-passwordsafe", + "Remote": false, + "ProviderType": { + "Id": "", + "Name": "BeyondTrust-PasswordSafe", + "ProviderTypeParams": [ + { + "Id": "", + "Name": "Host", + "DisplayName": "BeyondTrust Host", + "DataType": 1, + "InstanceLevel": false + }, + { + "Id": "", + "Name": "APIKey", + "DisplayName": "BeyondTrust API Key", + "DataType": 2, + "InstanceLevel": false + }, + { + "Id": "", + "Name": "Username", + "DisplayName": "BeyondTrust Username", + "DataType": 1, + "InstanceLevel": false + }, + { + "Id": "", + "Name": "ClientCertificate", + "DisplayName": "BeyondTrust Client Certificate Thumbprint", + "DataType": 1, + "InstanceLevel": false + } + ] + }, + "ProviderTypeParamValues": [ + { + "Value": "https://example.invalid", + "ProviderTypeParam": { + "Id": "", + "Name": "Host", + "DisplayName": "BeyondTrust Host", + "DataType": 1, + "InstanceLevel": false + } + }, + { + "Value": "", + "ProviderTypeParam": { + "Id": "", + "Name": "APIKey", + "DisplayName": "BeyondTrust API Key", + "DataType": 2, + "InstanceLevel": false + } + }, + { + "Value": "", + "ProviderTypeParam": { + "Id": "", + "Name": "Username", + "DisplayName": "BeyondTrust Username", + "DataType": 1, + "InstanceLevel": false + } + }, + { + "Value": "", + "ProviderTypeParam": { + "Id": "", + "Name": "ClientCertificate", + "DisplayName": "BeyondTrust Client Certificate Thumbprint", + "DataType": 1, + "InstanceLevel": false + } + } + ], + "SecuredAreaId": null +} +``` + +Create the provider: + +```bash +kfutil pam create --from-file beyondtrust-passwordsafe-provider.json --no-prompt +``` + +### CyberArk-CentralCredentialProvider + +Write a provider config file: + +```json +{ + "Area": 1, + "Name": "example-cyberark-centralcredentialprovider", + "Remote": false, + "ProviderType": { + "Id": "", + "Name": "CyberArk-CentralCredentialProvider", + "ProviderTypeParams": [ + { + "Id": "", + "Name": "AppId", + "DisplayName": "Application ID", + "DataType": 1, + "InstanceLevel": false + }, + { + 
"Id": "", + "Name": "Host", + "DisplayName": "CyberArk Host and Port", + "DataType": 1, + "InstanceLevel": false + }, + { + "Id": "", + "Name": "Site", + "DisplayName": "CyberArk API Site", + "DataType": 1, + "InstanceLevel": false + } + ] + }, + "ProviderTypeParamValues": [ + { + "Value": "", + "ProviderTypeParam": { + "Id": "", + "Name": "AppId", + "DisplayName": "Application ID", + "DataType": 1, + "InstanceLevel": false + } + }, + { + "Value": "https://example.invalid", + "ProviderTypeParam": { + "Id": "", + "Name": "Host", + "DisplayName": "CyberArk Host and Port", + "DataType": 1, + "InstanceLevel": false + } + }, + { + "Value": "", + "ProviderTypeParam": { + "Id": "", + "Name": "Site", + "DisplayName": "CyberArk API Site", + "DataType": 1, + "InstanceLevel": false + } + } + ], + "SecuredAreaId": null +} +``` + +Create the provider: + +```bash +kfutil pam create --from-file cyberark-centralcredentialprovider-provider.json --no-prompt +``` + +### CyberArk-SdkCredentialProvider + +Write a provider config file: + +```json +{ + "Area": 1, + "Name": "example-cyberark-sdkcredentialprovider", + "Remote": false, + "ProviderType": { + "Id": "", + "Name": "CyberArk-SdkCredentialProvider", + "ProviderTypeParams": [ + { + "Id": "", + "Name": "AppId", + "DisplayName": "Application ID", + "DataType": 1, + "InstanceLevel": false + } + ] + }, + "ProviderTypeParamValues": [ + { + "Value": "", + "ProviderTypeParam": { + "Id": "", + "Name": "AppId", + "DisplayName": "Application ID", + "DataType": 1, + "InstanceLevel": false + } + } + ], + "SecuredAreaId": null +} +``` + +Create the provider: + +```bash +kfutil pam create --from-file cyberark-sdkcredentialprovider-provider.json --no-prompt +``` + +### Delinea-SecretServer + +Write a provider config file: + +```json +{ + "Area": 1, + "Name": "example-delinea-secretserver", + "Remote": false, + "ProviderType": { + "Id": "", + "Name": "Delinea-SecretServer", + "ProviderTypeParams": [ + { + "Id": "", + "Name": "Host", + 
"DisplayName": "Secret Server URL", + "DataType": 1, + "InstanceLevel": false + }, + { + "Id": "", + "Name": "Username", + "DisplayName": "Secret Server Username", + "DataType": 2, + "InstanceLevel": false + }, + { + "Id": "", + "Name": "Password", + "DisplayName": "Secret Server Password", + "DataType": 2, + "InstanceLevel": false + }, + { + "Id": "", + "Name": "ClientId", + "DisplayName": "Secret Server Client ID", + "DataType": 2, + "InstanceLevel": false + }, + { + "Id": "", + "Name": "ClientSecret", + "DisplayName": "Secret Server Client Secret", + "DataType": 2, + "InstanceLevel": false + }, + { + "Id": "", + "Name": "GrantType", + "DisplayName": "Grant Type", + "DataType": 1, + "InstanceLevel": false + } + ] + }, + "ProviderTypeParamValues": [ + { + "Value": "https://example.invalid", + "ProviderTypeParam": { + "Id": "", + "Name": "Host", + "DisplayName": "Secret Server URL", + "DataType": 1, + "InstanceLevel": false + } + }, + { + "Value": "", + "ProviderTypeParam": { + "Id": "", + "Name": "Username", + "DisplayName": "Secret Server Username", + "DataType": 2, + "InstanceLevel": false + } + }, + { + "Value": "", + "ProviderTypeParam": { + "Id": "", + "Name": "Password", + "DisplayName": "Secret Server Password", + "DataType": 2, + "InstanceLevel": false + } + }, + { + "Value": "", + "ProviderTypeParam": { + "Id": "", + "Name": "ClientId", + "DisplayName": "Secret Server Client ID", + "DataType": 2, + "InstanceLevel": false + } + }, + { + "Value": "", + "ProviderTypeParam": { + "Id": "", + "Name": "ClientSecret", + "DisplayName": "Secret Server Client Secret", + "DataType": 2, + "InstanceLevel": false + } + }, + { + "Value": "client_credentials", + "ProviderTypeParam": { + "Id": "", + "Name": "GrantType", + "DisplayName": "Grant Type", + "DataType": 1, + "InstanceLevel": false + } + } + ], + "SecuredAreaId": null +} +``` + +Create the provider: + +```bash +kfutil pam create --from-file delinea-secretserver-provider.json --no-prompt +``` + +### 
GCP-SecretManager + +Write a provider config file: + +```json +{ + "Area": 1, + "Name": "example-gcp-secretmanager", + "Remote": false, + "ProviderType": { + "Id": "", + "Name": "GCP-SecretManager", + "ProviderTypeParams": [ + { + "Id": "", + "Name": "projectId", + "DisplayName": "Unique Google Cloud Project ID", + "DataType": 1, + "InstanceLevel": false + } + ] + }, + "ProviderTypeParamValues": [ + { + "Value": "", + "ProviderTypeParam": { + "Id": "", + "Name": "projectId", + "DisplayName": "Unique Google Cloud Project ID", + "DataType": 1, + "InstanceLevel": false + } + } + ], + "SecuredAreaId": null +} +``` + +Create the provider: + +```bash +kfutil pam create --from-file gcp-secretmanager-provider.json --no-prompt +``` + +### Hashicorp-Vault + +Write a provider config file: + +```json +{ + "Area": 1, + "Name": "example-hashicorp-vault", + "Remote": false, + "ProviderType": { + "Id": "", + "Name": "Hashicorp-Vault", + "ProviderTypeParams": [ + { + "Id": "", + "Name": "Host", + "DisplayName": "Vault Host", + "DataType": 1, + "InstanceLevel": false + }, + { + "Id": "", + "Name": "Token", + "DisplayName": "Vault Token", + "DataType": 2, + "InstanceLevel": false + }, + { + "Id": "", + "Name": "Path", + "DisplayName": "KV Engine Path", + "DataType": 1, + "InstanceLevel": false + } + ] + }, + "ProviderTypeParamValues": [ + { + "Value": "https://example.invalid", + "ProviderTypeParam": { + "Id": "", + "Name": "Host", + "DisplayName": "Vault Host", + "DataType": 1, + "InstanceLevel": false + } + }, + { + "Value": "", + "ProviderTypeParam": { + "Id": "", + "Name": "Token", + "DisplayName": "Vault Token", + "DataType": 2, + "InstanceLevel": false + } + }, + { + "Value": "", + "ProviderTypeParam": { + "Id": "", + "Name": "Path", + "DisplayName": "KV Engine Path", + "DataType": 1, + "InstanceLevel": false + } + } + ], + "SecuredAreaId": null +} +``` + +Create the provider: + +```bash +kfutil pam create --from-file hashicorp-vault-provider.json --no-prompt +``` + +## 
References + +- [kfutil pam create](../../kfutil_pam_create.md) +- [kfutil pam list](../../kfutil_pam_list.md) +- [kfutil pam-types create](../../kfutil_pam-types_create.md) +- [kfutil pam-types list](../../kfutil_pam-types_list.md) diff --git a/docs/use-cases/PAM Operations/create-pam-types.md b/docs/use-cases/PAM Operations/create-pam-types.md new file mode 100644 index 00000000..312c3447 --- /dev/null +++ b/docs/use-cases/PAM Operations/create-pam-types.md 
@@ -0,0 +1,89 @@ + +# Create PAM Types + +[PAM Operations](README.md) | [Use Cases](../README.md) + +This use case installs the PAM provider type definitions embedded in `cmd/pam_types.json`. + +## Create All Embedded PAM Types + +```bash +kfutil pam-types create --all --no-prompt +``` + +## Create One PAM Type + +Use `--name` when you only want one provider type: + +```bash +kfutil pam-types create --name Hashicorp-Vault --no-prompt +``` + +## Commands For Each Embedded PAM Type + +### 1Password-CLI + +```bash +kfutil pam-types create --name 1Password-CLI --no-prompt +``` + +### Azure-KeyVault + +```bash +kfutil pam-types create --name Azure-KeyVault --no-prompt +``` + +### Azure-KeyVault-ServicePrincipal + +```bash +kfutil pam-types create --name Azure-KeyVault-ServicePrincipal --no-prompt +``` + +### BeyondTrust-PasswordSafe + +```bash +kfutil pam-types create --name BeyondTrust-PasswordSafe --no-prompt +``` + +### CyberArk-CentralCredentialProvider + +```bash +kfutil pam-types create --name CyberArk-CentralCredentialProvider --no-prompt +``` + +### CyberArk-SdkCredentialProvider + +```bash +kfutil pam-types create --name CyberArk-SdkCredentialProvider --no-prompt +``` + +### Delinea-SecretServer + +```bash +kfutil pam-types create --name Delinea-SecretServer --no-prompt +``` + +### GCP-SecretManager + +```bash +kfutil pam-types create --name GCP-SecretManager --no-prompt +``` + +### Hashicorp-Vault + +```bash +kfutil pam-types create --name Hashicorp-Vault --no-prompt +``` + +## Verify + +```bash +kfutil pam-types list --no-prompt +``` + +## References + +- [kfutil pam create](../../kfutil_pam_create.md) +- [kfutil pam list](../../kfutil_pam_list.md) +- [kfutil pam-types create](../../kfutil_pam-types_create.md) +- [kfutil pam-types list](../../kfutil_pam-types_list.md) diff --git a/docs/use-cases/README.md b/docs/use-cases/README.md index 080bc2f2..40799303 100644 --- a/docs/use-cases/README.md +++ b/docs/use-cases/README.md 
@@ -3,3 +3,4 @@ Task-oriented guides for common `kfutil` workflows. - [Certificate Store Operations](Certificate%20Store%20Operations/README.md) +- [PAM Operations](PAM%20Operations/README.md) diff --git a/tools/pamdocs/main.go b/tools/pamdocs/main.go new file mode 100644 index 00000000..d495cc78 --- /dev/null +++ b/tools/pamdocs/main.go 
@@ -0,0 +1,344 @@ +// Copyright 2026 Keyfactor +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package main + +import ( + "bytes" + "encoding/json" + "flag" + "fmt" + "html" + "os" + "path/filepath" + "regexp" + "sort" + "strings" +) + +const generatedMarker = "" + +var ( + sourcePath = flag.String("source", "cmd/pam_types.json", "path to pam_types.json") + outputDir = flag.String("out", "docs/use-cases/PAM Operations", "output directory for generated docs") +) + +type pamType struct { + Name string `json:"Name"` + Parameters []pamParameter `json:"Parameters"` +} + +type pamParameter struct { + Name string `json:"Name"` + DisplayName string `json:"DisplayName"` + Description string `json:"Description"` + DataType int `json:"DataType"` + InstanceLevel bool `json:"InstanceLevel"` +} + +type providerTemplate struct { + Area int `json:"Area"` + Name string `json:"Name"` + Remote bool `json:"Remote"` + ProviderType providerTemplateType `json:"ProviderType"` + ProviderTypeParamValues []providerTemplateParamValue `json:"ProviderTypeParamValues"` + SecuredAreaId *int `json:"SecuredAreaId"` +} + +type providerTemplateType struct { + Id string `json:"Id"` + Name string `json:"Name"` + ProviderTypeParams []providerTemplateParameter `json:"ProviderTypeParams"` +} + +type providerTemplateParamValue struct { + Value string `json:"Value"` + ProviderTypeParam providerTemplateParameter `json:"ProviderTypeParam"` +} + +type providerTemplateParameter struct { + Id string 
`json:"Id"` + Name string `json:"Name"` + DisplayName string `json:"DisplayName,omitempty"` + DataType int `json:"DataType"` + InstanceLevel bool `json:"InstanceLevel"` +} + +func main() { + flag.Parse() + + pamTypes, err := readPAMTypes(*sourcePath) + if err != nil { + fatal(err) + } + sort.Slice(pamTypes, func(i, j int) bool { + return strings.ToLower(pamTypes[i].Name) < strings.ToLower(pamTypes[j].Name) + }) + + if err := os.MkdirAll(*outputDir, 0o755); err != nil { + fatal(err) + } + + files := map[string]string{ + "README.md": renderIndex(pamTypes), + "create-pam-types.md": renderCreatePAMTypes(pamTypes), + "create-pam-providers.md": renderCreatePAMProviders(pamTypes), + } + + for name, content := range files { + path := filepath.Join(*outputDir, name) + if err := os.WriteFile(path, []byte(content), 0o644); err != nil { + fatal(fmt.Errorf("write %s: %w", path, err)) + } + } + + fmt.Printf("Generated PAM operation docs for %d PAM types in %s\n", len(pamTypes), *outputDir) +} + +func readPAMTypes(path string) ([]pamType, error) { + data, err := os.ReadFile(path) + if err != nil { + return nil, fmt.Errorf("read %s: %w", path, err) + } + + var pamTypes []pamType + if err := json.Unmarshal(data, &pamTypes); err != nil { + return nil, fmt.Errorf("parse %s: %w", path, err) + } + if len(pamTypes) == 0 { + return nil, fmt.Errorf("%s did not contain any PAM types", path) + } + for i := range pamTypes { + if pamTypes[i].Name == "" { + return nil, fmt.Errorf("PAM type at index %d is missing Name", i) + } + } + return pamTypes, nil +} + +func renderIndex(pamTypes []pamType) string { + var b strings.Builder + b.WriteString(generatedMarker + "\n") + b.WriteString("# PAM Operations\n\n") + b.WriteString("Use cases for creating PAM provider types and PAM providers with `kfutil`.\n\n") + b.WriteString("These docs are generated from `cmd/pam_types.json`. 
Regenerate after PAM type metadata changes:\n\n") + b.WriteString("```bash\n") + b.WriteString("make pam-operation-docs\n") + b.WriteString("```\n\n") + b.WriteString("- [Create PAM Types](create-pam-types.md)\n") + b.WriteString("- [Create PAM Providers](create-pam-providers.md)\n\n") + writePAMTypeTable(&b, pamTypes) + return b.String() +} + +func renderCreatePAMTypes(pamTypes []pamType) string { + var b strings.Builder + b.WriteString(generatedMarker + "\n") + b.WriteString("# Create PAM Types\n\n") + b.WriteString("[PAM Operations](README.md) | [Use Cases](../README.md)\n\n") + b.WriteString("This use case installs the PAM provider type definitions embedded in `cmd/pam_types.json`.\n\n") + b.WriteString("## Create All Embedded PAM Types\n\n") + b.WriteString("```bash\n") + b.WriteString("kfutil pam-types create --all --no-prompt\n") + b.WriteString("```\n\n") + b.WriteString("## Create One PAM Type\n\n") + b.WriteString("Use `--name` when you only want one provider type:\n\n") + b.WriteString("```bash\n") + b.WriteString("kfutil pam-types create --name Hashicorp-Vault --no-prompt\n") + b.WriteString("```\n\n") + b.WriteString("## Commands For Each Embedded PAM Type\n\n") + for _, pamType := range pamTypes { + b.WriteString("### " + pamType.Name + "\n\n") + b.WriteString("```bash\n") + b.WriteString(fmt.Sprintf("kfutil pam-types create --name %s --no-prompt\n", shellQuote(pamType.Name))) + b.WriteString("```\n\n") + } + b.WriteString("## Verify\n\n") + b.WriteString("```bash\n") + b.WriteString("kfutil pam-types list --no-prompt\n") + b.WriteString("```\n\n") + writeReferences(&b) + return b.String() +} + +func renderCreatePAMProviders(pamTypes []pamType) string { + var b strings.Builder + b.WriteString(generatedMarker + "\n") + b.WriteString("# Create PAM Providers\n\n") + b.WriteString("[PAM Operations](README.md) | [Use Cases](../README.md)\n\n") + b.WriteString("This use case creates PAM providers from JSON files. 
`kfutil pam create` currently accepts provider configuration with `--from-file`.\n\n") + b.WriteString("Create the PAM provider type first, then create the provider that uses it:\n\n") + b.WriteString("```bash\n") + b.WriteString("kfutil pam-types create --name Hashicorp-Vault --no-prompt\n") + b.WriteString("kfutil pam create --from-file hashicorp-vault-provider.json --no-prompt\n") + b.WriteString("```\n\n") + b.WriteString("Provider JSON contains provider-level connection settings only. Certificate-store instance parameters are not set on the provider; they are supplied later on certificate store CSV columns such as `Properties.ServerPassword.Parameters.SecretId`.\n\n") + b.WriteString("Provider type IDs and provider parameter IDs are assigned by Command when PAM types are created. Get the live provider type first and replace the `Id` placeholders in the generated template before running `kfutil pam create`:\n\n") + b.WriteString("```bash\n") + b.WriteString("kfutil pam-types get --name Hashicorp-Vault --no-prompt\n") + b.WriteString("```\n\n") + writePAMTypeTable(&b, pamTypes) + b.WriteString("## Provider Examples\n\n") + for _, pamType := range pamTypes { + writeProviderExample(&b, pamType) + } + writeReferences(&b) + return b.String() +} + +func writePAMTypeTable(b *strings.Builder, pamTypes []pamType) { + b.WriteString("## Embedded PAM Types\n\n") + b.WriteString("| PAM type | Provider configuration parameters | Certificate store instance parameters |\n") + b.WriteString("| --- | --- | --- |\n") + for _, pamType := range pamTypes { + b.WriteString(fmt.Sprintf("| `%s` | %s | %s |\n", + mdTable(pamType.Name), + mdTable(strings.Join(parameterNames(pamType.Parameters, false), ", ")), + mdTable(strings.Join(parameterNames(pamType.Parameters, true), ", ")), + )) + } + b.WriteString("\n") +} + +func writeProviderExample(b *strings.Builder, pamType pamType) { + fileName := slugify(pamType.Name) + "-provider.json" + b.WriteString("### " + pamType.Name + "\n\n") + 
b.WriteString("Write a provider config file:\n\n") + b.WriteString("```json\n") + b.WriteString(providerJSON(pamType)) + b.WriteString("\n```\n\n") + b.WriteString("Create the provider:\n\n") + b.WriteString("```bash\n") + b.WriteString(fmt.Sprintf("kfutil pam create --from-file %s --no-prompt\n", fileName)) + b.WriteString("```\n\n") +} + +func providerJSON(pamType pamType) string { + providerParams := filterParameters(pamType.Parameters, false) + templateParams := make([]providerTemplateParameter, 0, len(providerParams)) + templateValues := make([]providerTemplateParamValue, 0, len(providerParams)) + for _, param := range providerParams { + templateParam := providerTemplateParameter{ + Id: "<" + param.Name + "-parameter-id>", + Name: param.Name, + DisplayName: param.DisplayName, + DataType: param.DataType, + InstanceLevel: param.InstanceLevel, + } + templateParams = append(templateParams, templateParam) + templateValues = append(templateValues, providerTemplateParamValue{ + Value: placeholderValue(param), + ProviderTypeParam: templateParam, + }) + } + + template := providerTemplate{ + Area: 1, + Name: "example-" + slugify(pamType.Name), + Remote: false, + ProviderType: providerTemplateType{ + Id: "", + Name: pamType.Name, + ProviderTypeParams: templateParams, + }, + ProviderTypeParamValues: templateValues, + SecuredAreaId: nil, + } + + var out bytes.Buffer + encoder := json.NewEncoder(&out) + encoder.SetEscapeHTML(false) + encoder.SetIndent("", " ") + err := encoder.Encode(template) + if err != nil { + panic(err) + } + return strings.TrimSpace(out.String()) +} + +func parameterNames(parameters []pamParameter, instanceLevel bool) []string { + params := filterParameters(parameters, instanceLevel) + if len(params) == 0 { + return []string{"-"} + } + names := make([]string, 0, len(params)) + for _, param := range params { + names = append(names, param.Name) + } + return names +} + +func filterParameters(parameters []pamParameter, instanceLevel bool) []pamParameter { 
+ var filtered []pamParameter + for _, param := range parameters { + if param.InstanceLevel == instanceLevel { + filtered = append(filtered, param) + } + } + return filtered +} + +func placeholderValue(param pamParameter) string { + name := strings.ToLower(param.Name) + if strings.Contains(name, "uri") || strings.Contains(name, "url") || strings.Contains(name, "host") { + return "https://example.invalid" + } + if param.DataType == 2 || strings.Contains(name, "secret") || strings.Contains(name, "token") || strings.Contains(name, "password") || strings.Contains(name, "key") { + return "" + } + if strings.Contains(name, "grant") { + return "client_credentials" + } + return "<" + param.Name + ">" +} + +func writeReferences(b *strings.Builder) { + b.WriteString("## References\n\n") + b.WriteString("- [kfutil pam create](../../kfutil_pam_create.md)\n") + b.WriteString("- [kfutil pam list](../../kfutil_pam_list.md)\n") + b.WriteString("- [kfutil pam-types create](../../kfutil_pam-types_create.md)\n") + b.WriteString("- [kfutil pam-types list](../../kfutil_pam-types_list.md)\n") +} + +func slugify(value string) string { + value = strings.ToLower(value) + re := regexp.MustCompile(`[^a-z0-9]+`) + value = re.ReplaceAllString(value, "-") + return strings.Trim(value, "-") +} + +func shellQuote(value string) string { + if regexp.MustCompile(`^[A-Za-z0-9._-]+$`).MatchString(value) { + return value + } + return "'" + strings.ReplaceAll(value, "'", `'\''`) + "'" +} + +func mdTable(s string) string { + s = strings.TrimSpace(s) + if s == "" { + return "-" + } + s = html.EscapeString(s) + s = strings.ReplaceAll(s, "|", `\|`) + s = strings.ReplaceAll(s, "\r\n", "\n") + s = strings.ReplaceAll(s, "\r", "\n") + s = strings.ReplaceAll(s, "\n", "
") + return s +} + +func fatal(err error) { + fmt.Fprintln(os.Stderr, err) + os.Exit(1) +} From d2629a33eb550030c8c637e8e607e9c06b66e429 Mon Sep 17 00:00:00 2001 From: spbsoluble <1661003+spbsoluble@users.noreply.github.com> Date: Fri, 1 May 2026 14:08:24 -0700 Subject: [PATCH 12/17] docs: update changelog for JSON secret import fix --- CHANGELOG.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9f07ea23..e4be1f3c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,6 +6,8 @@ - `stores import csv`: Support create and sync workflows for certificate stores that use PAM provider-backed `ServerUsername`, `ServerPassword`, and store password values. +- `stores import csv`: Preserve JSON-shaped secret values as secret strings instead of parsing them into nested + request objects. ### Docs From 716927ef26e39b66879e96965dc765a1e1061bd9 Mon Sep 17 00:00:00 2001 From: spbsoluble <1661003+spbsoluble@users.noreply.github.com> Date: Sat, 2 May 2026 10:16:39 -0700 Subject: [PATCH 13/17] test: cover PAM-backed store password import --- cmd/storesBulkOperations.go | 49 ++++++++++++------- cmd/stores_test.go | 25 ++++++++++ .../Store Types/citrixadc.md | 2 +- .../Store Types/f5-sl-rest.md | 2 +- .../Store Types/fortigate.md | 2 +- .../Store Types/gcpscrtmgr.md | 2 +- .../Store Types/hcvkvjks.md | 2 +- .../Store Types/hcvkvp12.md | 2 +- .../Store Types/hcvkvpem.md | 2 +- .../Store Types/hcvkvpfx.md | 2 +- .../Store Types/hcvpki.md | 2 +- .../Store Types/imperva.md | 2 +- .../Store Types/rfder.md | 2 +- .../Store Types/rfjks.md | 2 +- .../Store Types/rfkdb.md | 2 +- .../Store Types/rfora.md | 2 +- .../Store Types/rfpem.md | 2 +- .../Store Types/rfpkcs12.md | 2 +- tools/storetypedocs/main.go | 2 +- 19 files changed, 72 insertions(+), 36 deletions(-) diff --git a/cmd/storesBulkOperations.go b/cmd/storesBulkOperations.go index f0721337..7404b89c 100644 --- a/cmd/storesBulkOperations.go +++ b/cmd/storesBulkOperations.go 
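Review bot: `slugify` and `shellQuote` call `regexp.MustCompile` on every invocation, so each PAM type rendered recompiles the same two patterns; hoist them to package-level variables such as `var slugRe = regexp.MustCompile(`[^a-z0-9]+`)` and `var shellSafeRe = regexp.MustCompile(`^[A-Za-z0-9._-]+$`)` and reference those from the function bodies. A second point of style: `placeholderValue` decides that a parameter is a secret by substring match on `secret`, `token`, `password` and `key` (after the `uri`/`url`/`host` check), so any parameter whose name merely contains one of those fragments is bucketed the same way; a comment on the function stating that the heuristic is intentionally broad and errs toward not emitting a sample value would save the next maintainer from "fixing" it. The 344-line hunk is the whole new file, so none of these functions is cut off.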
@@ -393,29 +393,11 @@ If you do not wish to include credentials in your CSV file they can be provided reqJson.Delete("Properties") // todo: why is this deleting the properties from the request json? rowStorePassword := reqJson.S("Password").Data() - passwdParams := api.UpdateStorePasswordConfig{ - SecretValue: nil, - } + passwdParams := buildUpdateStorePasswordConfig(rowStorePassword) switch rowStorePassword.(type) { case string: if rowStorePassword != "" { reqJson.Delete("Password") - passwdValue := rowStorePassword.(string) - passwdParams.SecretValue = &passwdValue - } - case map[string]interface{}: - // try to convert it to api.UpdateStorePasswordConfig - rowPasswordMap := rowStorePassword.(map[string]interface{}) - if providerId, ok := rowPasswordMap["ProviderId"].(int); ok { - passwdParams.Provider = providerId - } - if params, ok := rowPasswordMap["Parameters"].(map[string]interface{}); ok { - for k, v := range params { - if passwdParams.Parameters == nil { - passwdParams.Parameters = make(map[string]string) - } - passwdParams.Parameters[k] = fmt.Sprintf("%v", v) - } } } 
@@ -1187,6 +1169,35 @@ func shouldTreatCSVValueAsSecretString(header string) bool {
 }
 }
+func buildUpdateStorePasswordConfig(rowStorePassword interface{}) api.UpdateStorePasswordConfig {
+ passwdParams := api.UpdateStorePasswordConfig{
+ SecretValue: nil,
+ }
+
+ switch typedPassword := rowStorePassword.(type) {
+ case string:
+ if typedPassword != "" {
+ passwdParams.SecretValue = &typedPassword
+ }
+ case map[string]interface{}:
+ if providerId, ok := typedPassword["ProviderId"].(int); ok {
+ passwdParams.Provider = providerId
+ } else if providerId, ok := typedPassword["Provider"].(int); ok {
+ passwdParams.Provider = providerId
+ }
+ if params, ok := typedPassword["Parameters"].(map[string]interface{}); ok {
+ for k, v := range params {
+ if passwdParams.Parameters == nil {
+ passwdParams.Parameters = make(map[string]string)
+ }
+ passwdParams.Parameters[k] = fmt.Sprintf("%v", v)
+ }
+ }
+ }
+
+ return passwdParams
+}
+
 func writeCsvFile(outpath string, rows [][]string) error {
 log.Debug().Msgf("Writing CSV file '%s'", outpath)
 csvFile, err := os.Create(outpath)
diff --git a/cmd/stores_test.go b/cmd/stores_test.go
index adaae224..692782a3 100644
--- a/cmd/stores_test.go
+++ b/cmd/stores_test.go
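Review bot: `buildUpdateStorePasswordConfig` falls through silently when the map carries `ProviderId`/`Provider` in any type other than a Go `int` (for example `float64` after a JSON decode, or a string the CSV parser left untouched), leaving `Provider` at 0 while `Parameters` is still populated, and the caller cannot tell that from a row that never named a provider. Since the signature returns only the config, record the miss in a final `else` after the two assertions, e.g. `log.Warn().Msgf("Password.ProviderId is not an integer; PAM provider left unset")` (the file already uses `log.Debug().Msgf`), or widen the assertion to also accept `float64`. The new function also lacks a Go doc comment; add one such as `// buildUpdateStorePasswordConfig converts the decoded Password cell of an import row into the store-password update config: a non-empty string becomes SecretValue, a map supplies ProviderId (or Provider) and Parameters for a PAM-backed password.`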
@@ -369,6 +369,31 @@ func Test_GetJsonForRequest_TreatsJsonSecretValuesAsStrings(t *testing.T) { assert.Equal(t, row[1], reqJson.S("Properties", "ServerUsername", "SecretValue").Data()) } +func Test_BuildUpdateStorePasswordConfig_FormatsManagedPamStorePassword(t *testing.T) { + header := []string{ + "Password.ProviderId", + "Password.Parameters.SecretName", + "Password.Parameters.SecretType", + "Password.Parameters.StaticSecretFieldName", + } + row := []string{"30", "dev/aks/kf-integrations", "static_json", " "} + + reqJson := getJsonForRequest(header, row) + storePassword := buildUpdateStorePasswordConfig(reqJson.S("Password").Data()) + + assert.Equal(t, 30, storePassword.Provider) + assert.Nil(t, storePassword.SecretValue) + assert.Equal( + t, + map[string]string{ + "SecretName": "dev/aks/kf-integrations", + "SecretType": "static_json", + "StaticSecretFieldName": " ", + }, + storePassword.Parameters, + ) +} + func testExportStore(t *testing.T, storeTypeName string) (string, []string) { var ( output string diff --git a/docs/use-cases/Certificate Store Operations/Store Types/citrixadc.md b/docs/use-cases/Certificate Store Operations/Store Types/citrixadc.md index 3656cbf2..5d745cbc 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/citrixadc.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/citrixadc.md @@ -115,7 +115,7 @@ Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.` columns. The `Parameters.*` columns must match the instance-level parameters for the configured PAM provider type. +The store password uses the `Password` column. For a PAM-backed store password, use `Password.ProviderId` and `Password.Parameters.` columns. The `Parameters.*` columns must match the instance-level parameters for the configured PAM provider type. | PAM type | Store CSV parameter names | | --- | --- | 
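Review bot: The `" "` supplied for `Password.Parameters.StaticSecretFieldName` reads like a stray value; if it is there on purpose to pin that whitespace-only parameter values reach the request untrimmed, say so on that row, e.g. `// whitespace-only value must survive untrimmed`, otherwise use a realistic field name. The test only covers a `ProviderId` that `getJsonForRequest` has already turned into an `int`; a second case that feeds `buildUpdateStorePasswordConfig` a map whose `ProviderId` is a `float64` or a string would document what happens when neither type assertion in the builder matches (it currently leaves `Provider` at 0 with no error). The test function is contained entirely within the hunk.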
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/f5-sl-rest.md b/docs/use-cases/Certificate Store Operations/Store Types/f5-sl-rest.md index 6b6ef371..4032249a 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/f5-sl-rest.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/f5-sl-rest.md @@ -120,7 +120,7 @@ Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.` columns. The `Parameters.*` columns must match the instance-level parameters for the configured PAM provider type. +The store password uses the `Password` column. For a PAM-backed store password, use `Password.ProviderId` and `Password.Parameters.` columns. The `Parameters.*` columns must match the instance-level parameters for the configured PAM provider type. | PAM type | Store CSV parameter names | | --- | --- | diff --git a/docs/use-cases/Certificate Store Operations/Store Types/fortigate.md b/docs/use-cases/Certificate Store Operations/Store Types/fortigate.md index b68d686c..4e961ce3 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/fortigate.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/fortigate.md @@ -85,7 +85,7 @@ This store type does not define additional `Properties.*` CSV columns. ## Secret And PAM Formatting -The store password uses the `Password` column. For a PAM-backed store password, use `Password.Provider` and `Password.Parameters.` columns. The `Parameters.*` columns must match the instance-level parameters for the configured PAM provider type. +The store password uses the `Password` column. For a PAM-backed store password, use `Password.ProviderId` and `Password.Parameters.` columns. The `Parameters.*` columns must match the instance-level parameters for the configured PAM provider type. | PAM type | Store CSV parameter names | | --- | --- | 
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/gcpscrtmgr.md b/docs/use-cases/Certificate Store Operations/Store Types/gcpscrtmgr.md index 033e6888..00bc9997 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/gcpscrtmgr.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/gcpscrtmgr.md @@ -96,7 +96,7 @@ These parameters apply to certificate add/enrollment operations for this store t ## Secret And PAM Formatting -The store password uses the `Password` column. For a PAM-backed store password, use `Password.Provider` and `Password.Parameters.` columns. The `Parameters.*` columns must match the instance-level parameters for the configured PAM provider type. +The store password uses the `Password` column. For a PAM-backed store password, use `Password.ProviderId` and `Password.Parameters.` columns. The `Parameters.*` columns must match the instance-level parameters for the configured PAM provider type. | PAM type | Store CSV parameter names | | --- | --- | diff --git a/docs/use-cases/Certificate Store Operations/Store Types/hcvkvjks.md b/docs/use-cases/Certificate Store Operations/Store Types/hcvkvjks.md index ad29d771..d3d1e5d5 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/hcvkvjks.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/hcvkvjks.md @@ -107,7 +107,7 @@ Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.` columns. The `Parameters.*` columns must match the instance-level parameters for the configured PAM provider type. +The store password uses the `Password` column. For a PAM-backed store password, use `Password.ProviderId` and `Password.Parameters.` columns. The `Parameters.*` columns must match the instance-level parameters for the configured PAM provider type. | PAM type | Store CSV parameter names | | --- | --- | 
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/hcvkvp12.md b/docs/use-cases/Certificate Store Operations/Store Types/hcvkvp12.md index 5fad0d00..0c3f92aa 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/hcvkvp12.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/hcvkvp12.md @@ -107,7 +107,7 @@ Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.` columns. The `Parameters.*` columns must match the instance-level parameters for the configured PAM provider type. +The store password uses the `Password` column. For a PAM-backed store password, use `Password.ProviderId` and `Password.Parameters.` columns. The `Parameters.*` columns must match the instance-level parameters for the configured PAM provider type. | PAM type | Store CSV parameter names | | --- | --- | diff --git a/docs/use-cases/Certificate Store Operations/Store Types/hcvkvpem.md b/docs/use-cases/Certificate Store Operations/Store Types/hcvkvpem.md index 6e6fe948..8b421077 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/hcvkvpem.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/hcvkvpem.md @@ -107,7 +107,7 @@ Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.` columns. The `Parameters.*` columns must match the instance-level parameters for the configured PAM provider type. +The store password uses the `Password` column. For a PAM-backed store password, use `Password.ProviderId` and `Password.Parameters.` columns. The `Parameters.*` columns must match the instance-level parameters for the configured PAM provider type. | PAM type | Store CSV parameter names | | --- | --- | diff --git a/docs/use-cases/Certificate Store Operations/Store Types/hcvkvpfx.md b/docs/use-cases/Certificate Store Operations/Store Types/hcvkvpfx.md index 12eed201..782e6b7d 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/hcvkvpfx.md 
+++ b/docs/use-cases/Certificate Store Operations/Store Types/hcvkvpfx.md @@ -107,7 +107,7 @@ Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.` columns. The `Parameters.*` columns must match the instance-level parameters for the configured PAM provider type. +The store password uses the `Password` column. For a PAM-backed store password, use `Password.ProviderId` and `Password.Parameters.` columns. The `Parameters.*` columns must match the instance-level parameters for the configured PAM provider type. | PAM type | Store CSV parameter names | | --- | --- | diff --git a/docs/use-cases/Certificate Store Operations/Store Types/hcvpki.md b/docs/use-cases/Certificate Store Operations/Store Types/hcvpki.md index 25e42523..bf23b77b 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/hcvpki.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/hcvpki.md @@ -106,7 +106,7 @@ Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.` columns. The `Parameters.*` columns must match the instance-level parameters for the configured PAM provider type. +The store password uses the `Password` column. For a PAM-backed store password, use `Password.ProviderId` and `Password.Parameters.` columns. The `Parameters.*` columns must match the instance-level parameters for the configured PAM provider type. | PAM type | Store CSV parameter names | | --- | --- | diff --git a/docs/use-cases/Certificate Store Operations/Store Types/imperva.md b/docs/use-cases/Certificate Store Operations/Store Types/imperva.md index d2dcd0b5..baf9fdb2 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/imperva.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/imperva.md 
@@ -85,7 +85,7 @@ This store type does not define additional `Properties.*` CSV columns. ## Secret And PAM Formatting -The store password uses the `Password` column. For a PAM-backed store password, use `Password.Provider` and `Password.Parameters.` columns. The `Parameters.*` columns must match the instance-level parameters for the configured PAM provider type. +The store password uses the `Password` column. For a PAM-backed store password, use `Password.ProviderId` and `Password.Parameters.` columns. The `Parameters.*` columns must match the instance-level parameters for the configured PAM provider type. | PAM type | Store CSV parameter names | | --- | --- | diff --git a/docs/use-cases/Certificate Store Operations/Store Types/rfder.md b/docs/use-cases/Certificate Store Operations/Store Types/rfder.md index 1b137a06..e2d3c403 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/rfder.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/rfder.md @@ -112,7 +112,7 @@ Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.` columns. The `Parameters.*` columns must match the instance-level parameters for the configured PAM provider type. +The store password uses the `Password` column. For a PAM-backed store password, use `Password.ProviderId` and `Password.Parameters.` columns. The `Parameters.*` columns must match the instance-level parameters for the configured PAM provider type. | PAM type | Store CSV parameter names | | --- | --- | diff --git a/docs/use-cases/Certificate Store Operations/Store Types/rfjks.md b/docs/use-cases/Certificate Store Operations/Store Types/rfjks.md index 54b53948..ee7f549c 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/rfjks.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/rfjks.md 
@@ -112,7 +112,7 @@ Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.` columns. The `Parameters.*` columns must match the instance-level parameters for the configured PAM provider type. +The store password uses the `Password` column. For a PAM-backed store password, use `Password.ProviderId` and `Password.Parameters.` columns. The `Parameters.*` columns must match the instance-level parameters for the configured PAM provider type. | PAM type | Store CSV parameter names | | --- | --- | diff --git a/docs/use-cases/Certificate Store Operations/Store Types/rfkdb.md b/docs/use-cases/Certificate Store Operations/Store Types/rfkdb.md index 39f2f4ff..62a6484a 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/rfkdb.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/rfkdb.md @@ -111,7 +111,7 @@ Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.` columns. The `Parameters.*` columns must match the instance-level parameters for the configured PAM provider type. +The store password uses the `Password` column. For a PAM-backed store password, use `Password.ProviderId` and `Password.Parameters.` columns. The `Parameters.*` columns must match the instance-level parameters for the configured PAM provider type. | PAM type | Store CSV parameter names | | --- | --- | diff --git a/docs/use-cases/Certificate Store Operations/Store Types/rfora.md b/docs/use-cases/Certificate Store Operations/Store Types/rfora.md index 60d6cc9d..eef3c535 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/rfora.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/rfora.md 
@@ -112,7 +112,7 @@ Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.` columns. The `Parameters.*` columns must match the instance-level parameters for the configured PAM provider type. +The store password uses the `Password` column. For a PAM-backed store password, use `Password.ProviderId` and `Password.Parameters.` columns. The `Parameters.*` columns must match the instance-level parameters for the configured PAM provider type. | PAM type | Store CSV parameter names | | --- | --- | diff --git a/docs/use-cases/Certificate Store Operations/Store Types/rfpem.md b/docs/use-cases/Certificate Store Operations/Store Types/rfpem.md index f6f57aef..aa8ee60c 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/rfpem.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/rfpem.md @@ -116,7 +116,7 @@ Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.` columns. The `Parameters.*` columns must match the instance-level parameters for the configured PAM provider type. +The store password uses the `Password` column. For a PAM-backed store password, use `Password.ProviderId` and `Password.Parameters.` columns. The `Parameters.*` columns must match the instance-level parameters for the configured PAM provider type. | PAM type | Store CSV parameter names | | --- | --- | diff --git a/docs/use-cases/Certificate Store Operations/Store Types/rfpkcs12.md b/docs/use-cases/Certificate Store Operations/Store Types/rfpkcs12.md index 1faef09b..37aa206b 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/rfpkcs12.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/rfpkcs12.md 
@@ -111,7 +111,7 @@ Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.` columns. The `Parameters.*` columns must match the instance-level parameters for the configured PAM provider type. +The store password uses the `Password` column. For a PAM-backed store password, use `Password.ProviderId` and `Password.Parameters.` columns. The `Parameters.*` columns must match the instance-level parameters for the configured PAM provider type. | PAM type | Store CSV parameter names | | --- | --- | diff --git a/tools/storetypedocs/main.go b/tools/storetypedocs/main.go index c36f7958..ed687cda 100644 --- a/tools/storetypedocs/main.go +++ b/tools/storetypedocs/main.go @@ -429,7 +429,7 @@ func writeSecretFormatting(b *strings.Builder, st storeType, pamTypes []pamType) if st.PasswordOptions.StorePassword != nil { b.WriteString("The store password uses the `Password` column. ") if st.PasswordOptions.StorePassword.IsPAMEligible { - b.WriteString("For a PAM-backed store password, use `Password.Provider` and `Password.Parameters.` columns. The `Parameters.*` columns must match the instance-level parameters for the configured PAM provider type.\n\n") + b.WriteString("For a PAM-backed store password, use `Password.ProviderId` and `Password.Parameters.` columns. The `Parameters.*` columns must match the instance-level parameters for the configured PAM provider type.\n\n") } else { b.WriteString("This store type metadata does not mark the store password as PAM eligible.\n\n") } From bf11d6417209747830c470aad4669414cb33de67 Mon Sep 17 00:00:00 2001 
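Review bot: The store-password column is renamed to `Password.ProviderId` here, while the hunk header's context line still documents the property-level secret columns as `Properties.ServerPassword.Provider`; if the CSV importer resolves both families of columns with the same parser, one of the two suffixes is probably wrong, so this is worth confirming against the importer's column handling before the rendered docs spread it further. Every store-type guide regenerated in the preceding hunks inherits whichever name this string literal carries. writeSecretFormatting's body continues outside the hunk.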
From: spbsoluble <1661003+spbsoluble@users.noreply.github.com> Date: Sat, 2 May 2026 12:20:35 -0700 Subject: [PATCH 14/17] fix: add login skip validation and unified docs generation --- CHANGELOG.md | 3 + artifacts/pam/pam-create-template.json | 53 +- cmd/login.go | 124 +++- cmd/login_test.go | 10 +- cmd/pam.go | 5 +- cmd/pam_test.go | 11 +- cmd/root.go | 66 +- cmd/test_auth_config_test.go | 172 +++++ docs/auth_providers.md | 8 +- docs/kfutil.md | 8 +- docs/kfutil_completion.md | 2 - docs/kfutil_completion_bash.md | 2 - docs/kfutil_completion_fish.md | 2 - docs/kfutil_completion_powershell.md | 2 - docs/kfutil_completion_zsh.md | 2 - docs/kfutil_containers.md | 2 - docs/kfutil_containers_get.md | 2 - docs/kfutil_containers_list.md | 2 - docs/kfutil_export.md | 2 - docs/kfutil_helm.md | 2 - docs/kfutil_helm_uo.md | 2 - docs/kfutil_import.md | 2 - docs/kfutil_login.md | 8 +- docs/kfutil_logout.md | 2 - docs/kfutil_migrate.md | 13 +- docs/kfutil_migrate_check.md | 4 +- docs/kfutil_migrate_pam.md | 4 +- docs/kfutil_orchs.md | 2 - docs/kfutil_orchs_approve.md | 2 - docs/kfutil_orchs_disapprove.md | 2 - docs/kfutil_orchs_ext.md | 2 - docs/kfutil_orchs_get.md | 2 - docs/kfutil_orchs_list.md | 2 - docs/kfutil_orchs_logs.md | 2 - docs/kfutil_orchs_reset.md | 2 - docs/kfutil_pam-types.md | 12 +- docs/kfutil_pam-types_create.md | 10 +- docs/kfutil_pam-types_delete.md | 4 +- docs/kfutil_pam-types_get.md | 4 +- docs/kfutil_pam-types_list.md | 4 +- docs/kfutil_pam.md | 6 +- docs/kfutil_pam_create.md | 2 - docs/kfutil_pam_delete.md | 2 - docs/kfutil_pam_get.md | 2 - docs/kfutil_pam_list.md | 2 - docs/kfutil_pam_update.md | 2 - docs/kfutil_status.md | 2 - docs/kfutil_store-types.md | 2 - docs/kfutil_store-types_create.md | 4 +- docs/kfutil_store-types_delete.md | 2 - docs/kfutil_store-types_get.md | 2 - docs/kfutil_store-types_list.md | 2 - docs/kfutil_store-types_templates-fetch.md | 2 - docs/kfutil_stores.md | 7 +- docs/kfutil_stores_delete.md | 2 - docs/kfutil_stores_export.md 
| 2 - docs/kfutil_stores_get.md | 2 - docs/kfutil_stores_import.md | 2 - docs/kfutil_stores_import_csv.md | 29 +- .../kfutil_stores_import_generate-template.md | 5 +- docs/kfutil_stores_inventory.md | 2 - docs/kfutil_stores_inventory_add.md | 2 - docs/kfutil_stores_inventory_remove.md | 2 - docs/kfutil_stores_inventory_show.md | 2 - docs/kfutil_stores_list.md | 2 - docs/kfutil_stores_rot.md | 2 - docs/kfutil_stores_rot_audit.md | 2 - docs/kfutil_stores_rot_generate-template.md | 2 - docs/kfutil_stores_rot_reconcile.md | 2 - docs/kfutil_version.md | 2 - .../Store Types/README.md | 2 +- .../Store Types/akamai.md | 2 +- .../Store Types/akv.md | 2 +- .../Store Types/alteonlb.md | 2 +- .../Store Types/appgwbin.md | 2 +- .../Store Types/aruba.md | 2 +- .../Store Types/aws-acm-v3.md | 2 +- .../Store Types/aws-acm.md | 2 +- .../Store Types/axisipcamera.md | 2 +- .../Store Types/azureapp.md | 2 +- .../Store Types/azureapp2.md | 2 +- .../Store Types/azureappgw.md | 2 +- .../Store Types/azuresp.md | 2 +- .../Store Types/azuresp2.md | 2 +- .../Store Types/barracudawaf.md | 2 +- .../Store Types/bmc.md | 2 +- .../Store Types/boschipcamera.md | 2 +- .../Store Types/ciscoasa.md | 2 +- .../Store Types/citrixadc.md | 2 +- .../Store Types/datapower.md | 2 +- .../Store Types/f5-bigiq.md | 2 +- .../Store Types/f5-ca-rest.md | 2 +- .../Store Types/f5-sl-rest.md | 2 +- .../Store Types/f5-ws-rest.md | 2 +- .../Store Types/f5wafca.md | 2 +- .../Store Types/f5waftls.md | 2 +- .../Store Types/fortigate.md | 2 +- .../Store Types/fortiweb.md | 2 +- .../Store Types/gcpapigee.md | 2 +- .../Store Types/gcpcertmgr.md | 2 +- .../Store Types/gcploadbal.md | 2 +- .../Store Types/gcpscrtmgr.md | 2 +- .../Store Types/hcvkv.md | 2 +- .../Store Types/hcvkvjks.md | 2 +- .../Store Types/hcvkvp12.md | 2 +- .../Store Types/hcvkvpem.md | 2 +- .../Store Types/hcvkvpfx.md | 2 +- .../Store Types/hcvpki.md | 2 +- .../Store Types/hpilo.md | 2 +- .../Store Types/idrac.md | 2 +- .../Store Types/iisu.md | 2 +- 
.../Store Types/imperva.md | 2 +- .../Store Types/k8scert.md | 2 +- .../Store Types/k8scluster.md | 2 +- .../Store Types/k8sjks.md | 2 +- .../Store Types/k8sns.md | 2 +- .../Store Types/k8spkcs12.md | 2 +- .../Store Types/k8ssecret.md | 2 +- .../Store Types/k8stlssecr.md | 2 +- .../Store Types/kemp.md | 2 +- .../Store Types/most.md | 2 +- .../Store Types/nmap.md | 2 +- .../Store Types/oktaapp.md | 2 +- .../Store Types/oktaidp.md | 2 +- .../Store Types/paloalto.md | 2 +- .../Store Types/rfder.md | 2 +- .../Store Types/rfjks.md | 2 +- .../Store Types/rfkdb.md | 2 +- .../Store Types/rfora.md | 2 +- .../Store Types/rfpem.md | 2 +- .../Store Types/rfpkcs12.md | 2 +- .../Store Types/signum.md | 2 +- .../Store Types/sos.md | 2 +- .../Store Types/thundermgmt.md | 2 +- .../Store Types/thunderssl.md | 2 +- .../Store Types/vcenter.md | 2 +- .../Store Types/vmware-nsx.md | 2 +- .../Store Types/winadfs.md | 2 +- .../Store Types/wincermgmt.md | 2 +- .../Store Types/wincert.md | 2 +- .../Store Types/winsql.md | 2 +- docs/use-cases/PAM Operations/README.md | 3 +- .../PAM Operations/create-pam-providers.md | 10 +- internal/docgen/pamdocs/pamdocs.go | 347 ++++++++++ .../docgen/storetypedocs/storetypedocs.go | 643 ++++++++++++++++++ tools/pamdocs/main.go | 322 +-------- tools/storetypedocs/main.go | 619 +---------------- 147 files changed, 1556 insertions(+), 1196 deletions(-) create mode 100644 cmd/test_auth_config_test.go create mode 100644 internal/docgen/pamdocs/pamdocs.go create mode 100644 internal/docgen/storetypedocs/storetypedocs.go diff --git a/CHANGELOG.md b/CHANGELOG.md index e4be1f3c..1897501b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -8,6 +8,7 @@ `ServerUsername`, `ServerPassword`, and store password values. - `stores import csv`: Preserve JSON-shaped secret values as secret strings instead of parsing them into nested request objects. +- `login`: Add `--skip-validate` to save login configuration without validating credentials against Keyfactor Command. ### Docs 
@@ -17,6 +18,8 @@ - Add use-case documentation for migrating certificate store credentials from static values to a PAM provider. - Add generated per-store-type bulk create and update use-case guides. - Add generated PAM Operations use-case documentation for PAM type and provider creation. +- `makedocs` now regenerates command docs, store-type use cases, and PAM operation use cases without date-based + generated footers. # v1.9.1 diff --git a/artifacts/pam/pam-create-template.json b/artifacts/pam/pam-create-template.json index 80a516c1..91a39981 100644 --- a/artifacts/pam/pam-create-template.json +++ b/artifacts/pam/pam-create-template.json @@ -26,6 +26,27 @@ "DataType": 2, "InstanceLevel": false }, + { + "Id": -1, + "Name": "ClientId", + "DisplayName": "Client ID", + "DataType": 2, + "InstanceLevel": false + }, + { + "Id": -1, + "Name": "ClientSecret", + "DisplayName": "ClientSecret", + "DataType": 2, + "InstanceLevel": false + }, + { + "Id": -1, + "Name": "GrantType", + "DisplayName": "Grant Type", + "DataType": 1, + "InstanceLevel": false + }, { "Id": -1, "Name": "SecretId", @@ -72,6 +93,36 @@ "DataType": 1, "InstanceLevel": false } + }, + { + "Value": "N/A", + "ProviderTypeParam": { + "Id": -1, + "Name": "ClientId", + "DisplayName": "Client ID", + "DataType": 2, + "InstanceLevel": false + } + }, + { + "Value": "N/A", + "ProviderTypeParam": { + "Id": -1, + "Name": "ClientSecret", + "DisplayName": "ClientSecret", + "DataType": 2, + "InstanceLevel": false + } + }, + { + "Value": "password", + "ProviderTypeParam": { + "Id": -1, + "Name": "GrantType", + "DisplayName": "Grant Type", + "DataType": 1, + "InstanceLevel": false + } } ] -} \ No newline at end of file +} diff --git a/cmd/login.go b/cmd/login.go index 3d64dfdc..97fa8ff7 100644 --- a/cmd/login.go +++ b/cmd/login.go @@ -19,6 +19,7 @@ import ( "fmt" "os" "path" + "strconv" "strings" "github.com/Keyfactor/keyfactor-auth-client-go/auth_providers" 
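Review bot: `"DisplayName": "ClientSecret"` breaks the spacing convention of the neighbouring entries (`"Client ID"`, `"Grant Type"`) and appears in both hunks of this template; `"DisplayName": "Client Secret"` keeps the display names consistent. The `GrantType` instance value is seeded with `"password"`, presumably the OAuth resource-owner password grant; since JSON cannot carry a comment, the PAM docs touched by this commit are the place to say that this and the `"N/A"` secret placeholders are starting values to be replaced per provider rather than working defaults.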
@@ -28,6 +29,8 @@ import ( "golang.org/x/term" ) +var loginSkipValidate bool + var loginCmd = &cobra.Command{ Use: "login", Aliases: nil, @@ -78,16 +81,27 @@ WARNING: This will write the environmental credentials to disk and will be store kfcOAuth *auth_providers.CommandConfigOauth kfcBasicAuth *auth_providers.CommandAuthConfigBasic ) + skipValidate := loginSkipValidate log.Debug().Msg("calling getEnvConfig()") - envConfig, envErr := getServerConfigFromEnv() + var envConfig *auth_providers.Server + var envErr error + if skipValidate { + envConfig, envErr = getServerConfigFromEnvNoValidate() + } else { + envConfig, envErr = getServerConfigFromEnv() + } if envErr == nil { log.Debug().Msg("getEnvConfig() returned") + message := fmt.Sprintf("Login successful via environment variables to %s", envConfig.Host) + if skipValidate { + message = fmt.Sprintf("Login configuration saved from environment variables to %s; credential validation skipped", envConfig.Host) + } log.Info(). Str("host", envConfig.Host). Str("authType", envConfig.AuthType). Msg("Login successful via environment variables") - outputResult(fmt.Sprintf("Login successful via environment variables to %s", envConfig.Host), outputFormat) + outputResult(message, outputFormat) if profile == "" { profile = "default" } @@ -227,6 +241,9 @@ WARNING: This will write the environmental credentials to disk and will be store log.Error().Msg("unable to determine auth type from interactive configuration") } } + if !skipValidate { + skipValidate = !promptForInteractiveYesNo("Validate credentials with Keyfactor Command now?") + } } if !isValidConfig { 
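Review bot: In the environment-variable branch the structured log still emits `Msg("Login successful via environment variables")` when `skipValidate` is set, while the user-facing `outputResult` correctly reports that validation was skipped, so log consumers will see an unvalidated configuration recorded as a successful login. Reusing the string already built a few lines above keeps the two in agreement: `Msg(message)`, optionally with `Bool("validated", !skipValidate)` on the same chain so the skipped check is queryable in logs. The enclosing login handler starts before and continues after the hunk.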
@@ -234,6 +251,17 @@ WARNING: This will write the environmental credentials to disk and will be store return fmt.Errorf("unable to determine valid configuration") } + if skipValidate { + log.Info(). + Str("profile", profile). + Str("configFile", configFile). + Str("host", outputServer.Host). + Str("authType", authType). + Msg("Login configuration saved; credential validation skipped") + outputResult(fmt.Sprintf("Login configuration saved to %s; credential validation skipped", outputServer.Host), outputFormat) + return nil + } + if authType == "oauth" { log.Debug(). Str("profile", profile). 
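Review bot: The early `return nil` sits before the `authType == "oauth"` branch and the message asserts the configuration was saved, but whether the profile has actually been written to `configFile` at this point depends on code outside the hunk (the login handler continues past it); if the write happens in the branches being skipped, the message is wrong and `--skip-validate` saves nothing. Nothing on this path has contacted `outputServer.Host`, so phrasing the output as `Login configuration saved to %s (unvalidated); credential validation skipped` would make clear that a mistyped host or bad secret is not detected until the next command runs.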
@@ -297,6 +325,98 @@ WARNING: This will write the environmental credentials to disk and will be store func init() { RootCmd.AddCommand(loginCmd) + loginCmd.Flags().BoolVar( + &loginSkipValidate, + "skip-validate", + false, + "Save the login configuration without validating credentials against Keyfactor Command.", + ) +} + +func getServerConfigFromEnvNoValidate() (*auth_providers.Server, error) { + hostname, hOk := os.LookupEnv(auth_providers.EnvKeyfactorHostName) + if !hOk || hostname == "" { + return nil, fmt.Errorf("environment variable %s is required", auth_providers.EnvKeyfactorHostName) + } + + apiPath := os.Getenv(auth_providers.EnvKeyfactorAPIPath) + if apiPath == "" { + apiPath = auth_providers.DefaultCommandAPIPath + } + skipVerify := skipVerifyFromEnv() + + username, uOk := os.LookupEnv(auth_providers.EnvKeyfactorUsername) + password, pOk := os.LookupEnv(auth_providers.EnvKeyfactorPassword) + if uOk && pOk { + serverConfig := &auth_providers.Server{ + Host: hostname, + APIPath: apiPath, + Username: username, + Password: password, + Domain: os.Getenv(auth_providers.EnvKeyfactorDomain), + SkipTLSVerify: skipVerify, + AuthType: "basic", + } + if _, err := serverConfig.GetBasicAuthClientConfig(); err != nil { + return nil, err + } + return serverConfig, nil + } + + clientID, cOk := os.LookupEnv(auth_providers.EnvKeyfactorClientID) + clientSecret, csOk := os.LookupEnv(auth_providers.EnvKeyfactorClientSecret) + tokenURL, tOk := os.LookupEnv(auth_providers.EnvKeyfactorAuthTokenURL) + if cOk && csOk && tOk { + serverConfig := &auth_providers.Server{ + Host: hostname, + APIPath: apiPath, + ClientID: clientID, + ClientSecret: clientSecret, + OAuthTokenUrl: tokenURL, + Scopes: authScopesFromCSV(os.Getenv(auth_providers.EnvKeyfactorAuthScopes)), + Audience: os.Getenv(auth_providers.EnvKeyfactorAuthAudience), + SkipTLSVerify: skipVerify, + AuthType: "oauth", + } + if _, err := serverConfig.GetOAuthClientConfig(); err != nil { + return nil, err + } + return 
serverConfig, nil + } + + return nil, fmt.Errorf( + "incomplete environment variable configuration, " + + "please provide basic auth credentials or oAuth credentials", + ) +} + +func skipVerifyFromEnv() bool { + if skipVerifyFlag { + return true + } + value := strings.ToLower(os.Getenv(auth_providers.EnvKeyfactorSkipVerify)) + parsed, err := strconv.ParseBool(value) + if err == nil { + return parsed + } + return value == "yes" || value == "y" +} + +func authScopesFromCSV(scopesCSV string) []string { + if scopesCSV == "" { + return auth_providers.DefaultScopes + } + var scopes []string + for _, scope := range strings.Split(scopesCSV, ",") { + scope = strings.TrimSpace(scope) + if scope != "" { + scopes = append(scopes, scope) + } + } + if len(scopes) == 0 { + return auth_providers.DefaultScopes + } + return scopes } func writeConfigFile(configFile *auth_providers.Config, configPath string) error { diff --git a/cmd/login_test.go b/cmd/login_test.go index ff1c60f4..4a45e742 100644 --- a/cmd/login_test.go +++ b/cmd/login_test.go @@ -96,7 +96,9 @@ func Test_LoginFileNoPrompt(t *testing.T) { defer setBasicEnvVariables(username, password, domain) npfCmd := RootCmd - npfCmd.SetArgs([]string{"login", "--no-prompt"}) + npfCmd.SetArgs( + []string{"login", "--no-prompt", "--skip-validate", "--config", configFilePath, "--profile", "default"}, + ) output := captureOutput( func() { @@ -108,7 +110,7 @@ func Test_LoginFileNoPrompt(t *testing.T) { }, ) t.Logf("output: %s", output) - assert.Contains(t, output, "Login successful to") + assert.Contains(t, output, "Login configuration saved") testConfigExists(t, configFilePath, true) testConfigValid(t) //testLogout(t) @@ -165,7 +167,7 @@ func testLogout(t *testing.T, configFilePath string, restoreConfig bool) { t.FailNow() } } - testCmd.SetArgs([]string{"logout"}) + testCmd.SetArgs([]string{"logout", "--no-prompt"}) output := captureOutput( func() { err := testCmd.Execute() 
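Review bot: `if uOk && pOk` and `if cOk && csOk && tOk` in `getServerConfigFromEnvNoValidate` accept empty-string values, unlike the hostname check just above them, so an exported-but-empty `EnvKeyfactorPassword` or `EnvKeyfactorClientSecret` is persisted into the profile as-is and, with validation skipped, nothing catches it until a later command fails. Mirroring the hostname guard, `if uOk && pOk && username != "" && password != "" {` (and the analogous check for clientID, clientSecret and tokenURL) rejects that case before anything is written. Separately, the function name promises no validation yet still calls `GetBasicAuthClientConfig()` / `GetOAuthClientConfig()`; if either of those reaches the server, `--skip-validate` does not fully hold on this path, which is worth confirming in the auth client.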
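Review bot: Test_LoginFileNoPrompt now passes `--skip-validate` and its assertion was relaxed to `Login configuration saved`, so the test no longer proves that the environment credentials authenticate against Keyfactor Command; it only proves the config file is written. If the validating path is still meant to be covered, keep a second case without the flag that asserts the original `Login successful` output, guarded on the same environment variables TestMain already checks. The test function continues outside the hunk.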
@@ -174,7 +176,7 @@ func testLogout(t *testing.T, configFilePath string, restoreConfig bool) { ) t.Logf("output: %s", output) - assert.Contains(t, output, "Logged out successfully!") + assert.Contains(t, output, "Logged out successfully") // Test that the config file does not exist if _, fErr := os.Stat(configFile); !os.IsNotExist(fErr) { diff --git a/cmd/pam.go b/cmd/pam.go index a6b72273..cfe12e39 100644 --- a/cmd/pam.go +++ b/cmd/pam.go @@ -328,6 +328,7 @@ var pamProvidersUpdateCmd = &cobra.Command{ log.Debug().Msg("call: PAMProviderUpdatePamProvider()") updateRequest := keyfactor.ProviderUpdateRequestLegacy{ + Id: pamProvider.Id, Name: pamProvider.Name, Remote: pamProvider.Remote, Area: pamProvider.Area, @@ -339,8 +340,8 @@ var pamProvidersUpdateCmd = &cobra.Command{ updatedPamProvider, cErr := kfClient.UpdatePAMProvider(&updateRequest) log.Debug().Msg("returned: PAMProviderUpdatePamProvider()") - if err != nil { - return err + if cErr != nil { + return cErr } log.Debug().Msg(convertResponseMsg) diff --git a/cmd/pam_test.go b/cmd/pam_test.go index 322ac4ff..10a5cfd1 100644 --- a/cmd/pam_test.go +++ b/cmd/pam_test.go @@ -993,8 +993,7 @@ func testListPamProviders(t *testing.T) ([]any, error) { assert.NotEmpty(t, providerConfig["Id"]) assert.NotEmpty(t, providerConfig["ProviderType"]) - pTypeParams := providerConfig["ProviderType"].(map[string]any)["ProviderTypeParams"].([]any) - assert.NotEmpty(t, pTypeParams) + pTypeParams, _ := providerConfig["ProviderType"].(map[string]any)["ProviderTypeParams"].([]any) assert.GreaterOrEqual(t, len(pTypeParams), 0) if len(pTypeParams) > 0 { for _, param := range pTypeParams { 
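Review bot: With the `ok` result of the `[]any` type assertion discarded, `assert.GreaterOrEqual(t, len(pTypeParams), 0)` can never fail (a length is never negative), so this block no longer checks anything about `ProviderTypeParams`. If the intent is to tolerate newer responses that expose the list under `Parameters` (the fallback the later hunk in this file adds), assert that one of the two keys is present instead, e.g. `_, hasParams := providerConfig["ProviderType"].(map[string]any)["Parameters"]` followed by `assert.True(t, ok || hasParams)` with `ok` kept from the assertion. testListPamProviders continues outside the hunk.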
@@ -1194,10 +1193,14 @@ func testFormatPamCreateConfig(t *testing.T, inputFileName string, providerName case map[string]any: aProviderType := apiProviderType.(map[string]any) cProviderType["Id"] = aProviderType["Id"] - cProviderType["ProviderTypeParams"] = aProviderType["ProviderTypeParams"] + apiProviderTypeParams, ok := aProviderType["ProviderTypeParams"] + if !ok || apiProviderTypeParams == nil { + apiProviderTypeParams = aProviderType["Parameters"] + } + cProviderType["ProviderTypeParams"] = apiProviderTypeParams nameToIdMap := make(map[string]int) paramsFieldName := "ProviderTypeParams" - _, ok := cProviderType[paramsFieldName] + _, ok = cProviderType[paramsFieldName] if ok && cProviderType[paramsFieldName] != nil { t.Logf("PAM definition is v10 or earlier") for _, cParam := range cProviderType[paramsFieldName].([]any) { diff --git a/cmd/root.go b/cmd/root.go index e55e724b..960fdfeb 100644 --- a/cmd/root.go +++ b/cmd/root.go @@ -17,8 +17,10 @@ package cmd import ( _ "embed" "fmt" + "io/fs" stdlog "log" "os" + "path/filepath" "strings" "github.com/Keyfactor/keyfactor-auth-client-go/auth_providers" @@ -28,6 +30,8 @@ import ( "github.com/spf13/cobra" "github.com/spf13/cobra/doc" "golang.org/x/crypto/bcrypt" + "kfutil/internal/docgen/pamdocs" + "kfutil/internal/docgen/storetypedocs" ) var ( 
@@ -839,13 +843,71 @@ var makeDocsCmd = &cobra.Command{ Short: "Generate markdown documentation for kfutil", Long: `Generate markdown documentation for kfutil.`, Hidden: true, - Run: func(cmd *cobra.Command, args []string) { + RunE: func(cmd *cobra.Command, args []string) error { log.Debug().Msg("Enter makeDocsCmd.Run()") - doc.GenMarkdownTree(RootCmd, "./docs") + disableGeneratedDocFooters(RootCmd) + if err := doc.GenMarkdownTree(RootCmd, "./docs"); err != nil { + return err + } + if err := storetypedocs.Generate("", "", ""); err != nil { + return err + } + if err := pamdocs.Generate("", ""); err != nil { + return err + } + if err := normalizeGeneratedMarkdownDocs("./docs"); err != nil { + return err + } log.Debug().Msg("complete: makeDocsCmd.Run()") + return nil }, } +func disableGeneratedDocFooters(cmd *cobra.Command) { + cmd.DisableAutoGenTag = true + for _, child := range cmd.Commands() { + disableGeneratedDocFooters(child) + } +} + +func normalizeGeneratedMarkdownDocs(root string) error { + return filepath.WalkDir(root, func(path string, entry fs.DirEntry, err error) error { + if err != nil { + return err + } + if entry.IsDir() || filepath.Ext(path) != ".md" { + return nil + } + + data, err := os.ReadFile(path) + if err != nil { + return err + } + normalized := normalizeMarkdown(string(data)) + if normalized == string(data) { + return nil + } + return os.WriteFile(path, []byte(normalized), 0o644) + }) +} + +func normalizeMarkdown(content string) string { + content = strings.ReplaceAll(content, "\r\n", "\n") + content = strings.ReplaceAll(content, "\r", "\n") + + lines := strings.Split(content, "\n") + for i := range lines { + lines[i] = strings.TrimRight(lines[i], " \t") + } + for len(lines) > 0 && lines[len(lines)-1] == "" { + lines = lines[:len(lines)-1] + } + if len(lines) == 0 { + return "" + } + return strings.Join(lines, "\n") + "\n" +} + // RootCmd represents the base command when called without any subcommands var RootCmd = &cobra.Command{ Use: 
"kfutil", diff --git a/cmd/test_auth_config_test.go b/cmd/test_auth_config_test.go new file mode 100644 index 00000000..41043e39 --- /dev/null +++ b/cmd/test_auth_config_test.go 
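Review bot: `normalizeMarkdown` strips all trailing whitespace with `strings.TrimRight(lines[i], " \t")`, which also removes the two-trailing-space hard line break Markdown recognises, so any generated page that relies on it (cobra's own output or the use-case generators) has those breaks silently merged. If hard breaks are not expected in these files, a comment on the loop saying so would justify the trimming; otherwise skip lines that end in exactly two spaces. The empty-string arguments in `storetypedocs.Generate("", "", "")` and `pamdocs.Generate("", "")` are opaque at the call site and would benefit from a comment naming which defaults they select, and `normalizeGeneratedMarkdownDocs` lacks a doc comment describing that it rewrites every `.md` under the root in place.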
@@ -0,0 +1,172 @@ +// Copyright 2025 Keyfactor +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package cmd + +import ( + "os" + "path/filepath" + "strings" + "testing" + + "github.com/Keyfactor/keyfactor-auth-client-go/auth_providers" +) + +func TestMain(m *testing.M) { + cleanups := ensureTestAuthConfigs() + code := m.Run() + for i := len(cleanups) - 1; i >= 0; i-- { + cleanups[i]() + } + os.Exit(code) +} + +func ensureTestAuthConfigs() []func() { + if os.Getenv(auth_providers.EnvKeyfactorHostName) == "" { + return nil + } + + config := buildTestAuthConfig() + if len(config.Servers) == 0 { + return nil + } + + type authConfigPath struct { + path string + overwrite bool + } + + var paths []authConfigPath + homeDir, err := os.UserHomeDir() + if err == nil { + paths = append(paths, authConfigPath{path: filepath.Join(homeDir, auth_providers.DefaultConfigFilePath)}) + } + paths = append(paths, authConfigPath{ + path: filepath.Join("$HOME", ".keyfactor", "extra_config.json"), + overwrite: true, + }) + + var cleanups []func() + for _, configPath := range paths { + if configPath.path == "" { + continue + } + previousConfig, readErr := auth_providers.ReadConfigFromJSON(configPath.path) + existed := readErr == nil + if existed && !configPath.overwrite { + if _, ok := previousConfig.Servers[auth_providers.DefaultConfigProfile]; ok { + continue + } + merged := &auth_providers.Config{Servers: map[string]auth_providers.Server{}} + for name, server := range 
previousConfig.Servers { + merged.Servers[name] = server + } + for name, server := range config.Servers { + if _, ok := merged.Servers[name]; !ok || name == auth_providers.DefaultConfigProfile { + merged.Servers[name] = server + } + } + if err := auth_providers.WriteConfigToJSON(configPath.path, merged); err == nil { + pathToRestore := configPath.path + configToRestore := previousConfig + cleanups = append(cleanups, func() { + _ = auth_providers.WriteConfigToJSON(pathToRestore, configToRestore) + }) + } + continue + } + if err := os.MkdirAll(filepath.Dir(configPath.path), 0700); err != nil { + continue + } + if err := auth_providers.WriteConfigToJSON(configPath.path, config); err == nil { + pathToCleanup := configPath.path + if existed { + configToRestore := previousConfig + cleanups = append(cleanups, func() { + _ = auth_providers.WriteConfigToJSON(pathToCleanup, configToRestore) + }) + } else { + cleanups = append(cleanups, func() { + _ = os.Remove(pathToCleanup) + }) + } + } + } + return cleanups +} + +func buildTestAuthConfig() *auth_providers.Config { + config := &auth_providers.Config{ + Servers: map[string]auth_providers.Server{}, + } + + host := os.Getenv(auth_providers.EnvKeyfactorHostName) + apiPath := os.Getenv(auth_providers.EnvKeyfactorAPIPath) + if apiPath == "" { + apiPath = auth_providers.DefaultCommandAPIPath + } + + username := os.Getenv(auth_providers.EnvKeyfactorUsername) + password := os.Getenv(auth_providers.EnvKeyfactorPassword) + domain := os.Getenv(auth_providers.EnvKeyfactorDomain) + if username != "" && password != "" { + config.Servers[auth_providers.DefaultConfigProfile] = auth_providers.Server{ + Host: host, + APIPath: apiPath, + Username: username, + Password: password, + Domain: domain, + SkipTLSVerify: true, + AuthType: "basic", + } + } + + clientID := os.Getenv(auth_providers.EnvKeyfactorClientID) + clientSecret := os.Getenv(auth_providers.EnvKeyfactorClientSecret) + tokenURL := os.Getenv(auth_providers.EnvKeyfactorAuthTokenURL) + 
if clientID != "" && clientSecret != "" && tokenURL != "" { + oauthServer := auth_providers.Server{ + Host: host, + APIPath: apiPath, + ClientID: clientID, + ClientSecret: clientSecret, + OAuthTokenUrl: tokenURL, + Scopes: testAuthScopes(), + Audience: os.Getenv(auth_providers.EnvKeyfactorAuthAudience), + SkipTLSVerify: true, + AuthType: "oauth", + } + config.Servers["oauth"] = oauthServer + if _, ok := config.Servers[auth_providers.DefaultConfigProfile]; !ok { + config.Servers[auth_providers.DefaultConfigProfile] = oauthServer + } + } + + return config +} + +func testAuthScopes() []string { + scopesCSV := os.Getenv(auth_providers.EnvKeyfactorAuthScopes) + if scopesCSV == "" { + return []string{"openid"} + } + var scopes []string + for _, scope := range strings.Split(scopesCSV, ",") { + scope = strings.TrimSpace(scope) + if scope != "" { + scopes = append(scopes, scope) + } + } + return scopes +} diff --git a/docs/auth_providers.md b/docs/auth_providers.md index ee0070f8..a99c9d17 100644 --- a/docs/auth_providers.md +++ b/docs/auth_providers.md @@ -16,7 +16,7 @@ Command API from a secure location rather than a file on disk or environment var ## Azure Key Vault The Azure Key Vault auth provider allows you to source credentials from an Azure Key Vault instance using Azure Managed -Identity. +Identity. ### Configuration Below is an example configuration for the Azure Key Vault auth provider. This can be placed in the `$HOME/.keyfactor/command_config.json` @@ -39,7 +39,7 @@ file and will be used by `kfutil` to source credentials for the Keyfactor produc ``` ### Azure Key Vault Secret Format -The format of the Azure Key Vault secret should be the same as if you were to run `kfutil login` and go through the +The format of the Azure Key Vault secret should be the same as if you were to run `kfutil login` and go through the interactive auth flow. Here's an example of what that would look like: #### Basic Auth Example 
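Review bot: `filepath.Join("$HOME", ".keyfactor", "extra_config.json")` does not expand the variable, so unless `auth_providers` expands `$HOME` itself this writes a config holding real credentials into a directory literally named `$HOME` relative to the test's working directory; `os.ExpandEnv` or the already-computed `homeDir` looks intended. More broadly, `ensureTestAuthConfigs` writes the environment credentials, with `SkipTLSVerify: true` hard-coded, into the developer's real `command_config.json`, and the cleanups only run when `m.Run` returns normally — a panic or an interrupted run leaves the secrets and the weakened TLS setting on disk. Pointing the tests at a per-run directory (for example by overriding the process's home directory) would remove the merge-and-restore logic entirely.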
@@ -76,7 +76,7 @@ interactive auth flow. Here's an example of what that would look like: #### Usage ##### Default -With the above configuration in placed in the default path `$HOME/.keyfactor/command_config.json` the utility will +With the above configuration in placed in the default path `$HOME/.keyfactor/command_config.json` the utility will implicitly attempt to source credentials from the Azure Key Vault instance. ```bash kfutil stores list @@ -94,4 +94,4 @@ kfutil \ ``` The above explicitly tells the utility to only attempt to use the Azure Key Vault auth provider. This mode will not fail to user interactive or environmental variable auth if provided. The example also shows how to specify a custom path to -the auth provider configuration file and what profile to look for in the configuration file stored in Azure. \ No newline at end of file +the auth provider configuration file and what profile to look for in the configuration file stored in Azure. diff --git a/docs/kfutil.md b/docs/kfutil.md index eb42ad04..a775de3f 100644 --- a/docs/kfutil.md +++ b/docs/kfutil.md 
@@ -38,14 +38,12 @@ A CLI wrapper around the Keyfactor Platform API. * [kfutil helm](kfutil_helm.md) - Helm utilities for configuring Keyfactor Helm charts * [kfutil import](kfutil_import.md) - Keyfactor instance import utilities. * [kfutil login](kfutil_login.md) - User interactive login to Keyfactor. Stores the credentials in the config file '$HOME/.keyfactor/command_config.json'. -* [kfutil logout](kfutil_logout.md) - Unsets environment variables and removes the stored credentials file. -* [kfutil migrate](kfutil_migrate.md) - Keyfactor Migration Tools. +* [kfutil logout](kfutil_logout.md) - Unsets environment variables and removes the stored credentials file. +* [kfutil migrate](kfutil_migrate.md) - Keyfactor Migration Tools. * [kfutil orchs](kfutil_orchs.md) - Keyfactor agents/orchestrators APIs and utilities. * [kfutil pam](kfutil_pam.md) - Keyfactor PAM Provider APIs. -* [kfutil pam-types](kfutil_pam-types.md) - Keyfactor PAM types APIs and utilities. +* [kfutil pam-types](kfutil_pam-types.md) - Keyfactor PAM types APIs and utilities. * [kfutil status](kfutil_status.md) - List the status of Keyfactor services. * [kfutil store-types](kfutil_store-types.md) - Keyfactor certificate store types APIs and utilities. * [kfutil stores](kfutil_stores.md) - Keyfactor certificate stores APIs and utilities. * [kfutil version](kfutil_version.md) - Shows version of kfutil - -###### Auto generated on 26-Jan-2026 diff --git a/docs/kfutil_completion.md b/docs/kfutil_completion.md index df1bd2ab..eef9b0e4 100644 --- a/docs/kfutil_completion.md +++ b/docs/kfutil_completion.md 
@@ -44,5 +44,3 @@ See each sub-command's help for details on how to use the generated script. * [kfutil completion fish](kfutil_completion_fish.md) - Generate the autocompletion script for fish * [kfutil completion powershell](kfutil_completion_powershell.md) - Generate the autocompletion script for powershell * [kfutil completion zsh](kfutil_completion_zsh.md) - Generate the autocompletion script for zsh - -###### Auto generated on 26-Jan-2026 diff --git a/docs/kfutil_completion_bash.md b/docs/kfutil_completion_bash.md index c2f3f95c..d61f49ac 100644 --- a/docs/kfutil_completion_bash.md +++ b/docs/kfutil_completion_bash.md @@ -63,5 +63,3 @@ kfutil completion bash ### SEE ALSO * [kfutil completion](kfutil_completion.md) - Generate the autocompletion script for the specified shell - -###### Auto generated on 26-Jan-2026 diff --git a/docs/kfutil_completion_fish.md b/docs/kfutil_completion_fish.md index 7d6f7cca..04aed08c 100644 --- a/docs/kfutil_completion_fish.md +++ b/docs/kfutil_completion_fish.md @@ -54,5 +54,3 @@ kfutil completion fish [flags] ### SEE ALSO * [kfutil completion](kfutil_completion.md) - Generate the autocompletion script for the specified shell - -###### Auto generated on 26-Jan-2026 diff --git a/docs/kfutil_completion_powershell.md b/docs/kfutil_completion_powershell.md index 3b6c4947..1bf3f34e 100644 --- a/docs/kfutil_completion_powershell.md +++ b/docs/kfutil_completion_powershell.md @@ -51,5 +51,3 @@ kfutil completion powershell [flags] ### SEE ALSO * [kfutil completion](kfutil_completion.md) - Generate the autocompletion script for the specified shell - -###### Auto generated on 26-Jan-2026 diff --git a/docs/kfutil_completion_zsh.md b/docs/kfutil_completion_zsh.md index 585624d2..f00c9778 100644 --- a/docs/kfutil_completion_zsh.md +++ b/docs/kfutil_completion_zsh.md 
@@ -65,5 +65,3 @@ kfutil completion zsh [flags] ### SEE ALSO * [kfutil completion](kfutil_completion.md) - Generate the autocompletion script for the specified shell - -###### Auto generated on 26-Jan-2026 diff --git a/docs/kfutil_containers.md b/docs/kfutil_containers.md index f0725128..cffb1b58 100644 --- a/docs/kfutil_containers.md +++ b/docs/kfutil_containers.md @@ -40,5 +40,3 @@ A collections of APIs and utilities for interacting with Keyfactor certificate s * [kfutil](kfutil.md) - Keyfactor CLI utilities * [kfutil containers get](kfutil_containers_get.md) - Get certificate store container by ID or name. * [kfutil containers list](kfutil_containers_list.md) - List certificate store containers. - -###### Auto generated on 26-Jan-2026 diff --git a/docs/kfutil_containers_get.md b/docs/kfutil_containers_get.md index 42492dfc..7b305247 100644 --- a/docs/kfutil_containers_get.md +++ b/docs/kfutil_containers_get.md @@ -43,5 +43,3 @@ kfutil containers get [flags] ### SEE ALSO * [kfutil containers](kfutil_containers.md) - Keyfactor certificate store container API and utilities. - -###### Auto generated on 26-Jan-2026 diff --git a/docs/kfutil_containers_list.md b/docs/kfutil_containers_list.md index cc6f6399..67e820fc 100644 --- a/docs/kfutil_containers_list.md +++ b/docs/kfutil_containers_list.md @@ -42,5 +42,3 @@ kfutil containers list [flags] ### SEE ALSO * [kfutil containers](kfutil_containers.md) - Keyfactor certificate store container API and utilities. - -###### Auto generated on 26-Jan-2026 diff --git a/docs/kfutil_export.md b/docs/kfutil_export.md index ab76ecf6..954c719b 100644 --- a/docs/kfutil_export.md +++ b/docs/kfutil_export.md @@ -54,5 +54,3 @@ kfutil export [flags] ### SEE ALSO * [kfutil](kfutil.md) - Keyfactor CLI utilities - -###### Auto generated on 26-Jan-2026 diff --git a/docs/kfutil_helm.md b/docs/kfutil_helm.md index 10e798e5..95a0a5e4 100644 --- a/docs/kfutil_helm.md +++ b/docs/kfutil_helm.md 
@@ -45,5 +45,3 @@ kubectl helm uo | helm install -f - keyfactor-universal-orchestrator keyfactor/k * [kfutil](kfutil.md) - Keyfactor CLI utilities * [kfutil helm uo](kfutil_helm_uo.md) - Configure the Keyfactor Universal Orchestrator Helm Chart - -###### Auto generated on 26-Jan-2026 diff --git a/docs/kfutil_helm_uo.md b/docs/kfutil_helm_uo.md index bb390917..4f611e2f 100644 --- a/docs/kfutil_helm_uo.md +++ b/docs/kfutil_helm_uo.md @@ -49,5 +49,3 @@ kfutil helm uo [-t ] [-o ] [-f ] [-e -e @,@ -o ./app/extension ### SEE ALSO * [kfutil orchs](kfutil_orchs.md) - Keyfactor agents/orchestrators APIs and utilities. - -###### Auto generated on 26-Jan-2026 diff --git a/docs/kfutil_orchs_get.md b/docs/kfutil_orchs_get.md index 8c3566c2..de6827a8 100644 --- a/docs/kfutil_orchs_get.md +++ b/docs/kfutil_orchs_get.md @@ -43,5 +43,3 @@ kfutil orchs get [flags] ### SEE ALSO * [kfutil orchs](kfutil_orchs.md) - Keyfactor agents/orchestrators APIs and utilities. - -###### Auto generated on 26-Jan-2026 diff --git a/docs/kfutil_orchs_list.md b/docs/kfutil_orchs_list.md index 790d5b77..a013ce3b 100644 --- a/docs/kfutil_orchs_list.md +++ b/docs/kfutil_orchs_list.md @@ -42,5 +42,3 @@ kfutil orchs list [flags] ### SEE ALSO * [kfutil orchs](kfutil_orchs.md) - Keyfactor agents/orchestrators APIs and utilities. - -###### Auto generated on 26-Jan-2026 diff --git a/docs/kfutil_orchs_logs.md b/docs/kfutil_orchs_logs.md index 8d259fcb..f3fcb0f6 100644 --- a/docs/kfutil_orchs_logs.md +++ b/docs/kfutil_orchs_logs.md @@ -43,5 +43,3 @@ kfutil orchs logs [flags] ### SEE ALSO * [kfutil orchs](kfutil_orchs.md) - Keyfactor agents/orchestrators APIs and utilities. - -###### Auto generated on 26-Jan-2026 diff --git a/docs/kfutil_orchs_reset.md b/docs/kfutil_orchs_reset.md index 385743c4..f1eb4875 100644 --- a/docs/kfutil_orchs_reset.md +++ b/docs/kfutil_orchs_reset.md 
@@ -43,5 +43,3 @@ kfutil orchs reset [flags] ### SEE ALSO * [kfutil orchs](kfutil_orchs.md) - Keyfactor agents/orchestrators APIs and utilities. - -###### Auto generated on 26-Jan-2026 diff --git a/docs/kfutil_pam-types.md b/docs/kfutil_pam-types.md index 407b7246..fda896b5 100644 --- a/docs/kfutil_pam-types.md +++ b/docs/kfutil_pam-types.md @@ -37,10 +37,8 @@ A collections of APIs and utilities for interacting with Keyfactor PAM types. ### SEE ALSO -* [kfutil](kfutil.md) - Keyfactor CLI utilities -* [kfutil pam-types create](kfutil_pam-types_create.md) - Creates a new PAM provider type. -* [kfutil pam-types delete](kfutil_pam-types_delete.md) - Deletes a defined PAM Provider type by ID or Name. -* [kfutil pam-types get](kfutil_pam-types_get.md) - Get a specific defined PAM Provider type by ID or Name. -* [kfutil pam-types list](kfutil_pam-types_list.md) - Returns a list of all available PAM provider types. - -###### Auto generated on 26-Jan-2026 +* [kfutil](kfutil.md) - Keyfactor CLI utilities +* [kfutil pam-types create](kfutil_pam-types_create.md) - Creates a new PAM provider type. +* [kfutil pam-types delete](kfutil_pam-types_delete.md) - Deletes a defined PAM Provider type by ID or Name. +* [kfutil pam-types get](kfutil_pam-types_get.md) - Get a specific defined PAM Provider type by ID or Name. +* [kfutil pam-types list](kfutil_pam-types_list.md) - Returns a list of all available PAM provider types. diff --git a/docs/kfutil_pam-types_create.md b/docs/kfutil_pam-types_create.md index 5e251062..624a4f8f 100644 --- a/docs/kfutil_pam-types_create.md +++ b/docs/kfutil_pam-types_create.md 
@@ -4,9 +4,9 @@ Creates a new PAM provider type. ### Synopsis -Creates a new PAM Provider type, currently only supported from JSON file and from GitHub. To install from -Github. To install from GitHub, use the --repo flag to specify the GitHub repository and optionally the branch to use. -NOTE: the file from Github must be named integration-manifest.json and must use the same schema as +Creates a new PAM Provider type, currently only supported from JSON file and from GitHub. To install from +Github. To install from GitHub, use the --repo flag to specify the GitHub repository and optionally the branch to use. +NOTE: the file from Github must be named integration-manifest.json and must use the same schema as https://github.com/Keyfactor/hashicorp-vault-pam/blob/main/integration-manifest.json. To install from a local file, use --from-file to specify the path to the JSON file. @@ -50,6 +50,4 @@ kfutil pam-types create [flags] ### SEE ALSO -* [kfutil pam-types](kfutil_pam-types.md) - Keyfactor PAM types APIs and utilities. - -###### Auto generated on 26-Jan-2026 +* [kfutil pam-types](kfutil_pam-types.md) - Keyfactor PAM types APIs and utilities. diff --git a/docs/kfutil_pam-types_delete.md b/docs/kfutil_pam-types_delete.md index 33a38850..1545e376 100644 --- a/docs/kfutil_pam-types_delete.md +++ b/docs/kfutil_pam-types_delete.md @@ -44,6 +44,4 @@ kfutil pam-types delete [flags] ### SEE ALSO -* [kfutil pam-types](kfutil_pam-types.md) - Keyfactor PAM types APIs and utilities. - -###### Auto generated on 26-Jan-2026 +* [kfutil pam-types](kfutil_pam-types.md) - Keyfactor PAM types APIs and utilities. diff --git a/docs/kfutil_pam-types_get.md b/docs/kfutil_pam-types_get.md index cfb4cd4a..2c2a8894 100644 --- a/docs/kfutil_pam-types_get.md +++ b/docs/kfutil_pam-types_get.md 
@@ -43,6 +43,4 @@ kfutil pam-types get [flags] ### SEE ALSO -* [kfutil pam-types](kfutil_pam-types.md) - Keyfactor PAM types APIs and utilities. - -###### Auto generated on 26-Jan-2026 +* [kfutil pam-types](kfutil_pam-types.md) - Keyfactor PAM types APIs and utilities. diff --git a/docs/kfutil_pam-types_list.md b/docs/kfutil_pam-types_list.md index c1a82c89..928ae938 100644 --- a/docs/kfutil_pam-types_list.md +++ b/docs/kfutil_pam-types_list.md @@ -41,6 +41,4 @@ kfutil pam-types list [flags] ### SEE ALSO -* [kfutil pam-types](kfutil_pam-types.md) - Keyfactor PAM types APIs and utilities. - -###### Auto generated on 26-Jan-2026 +* [kfutil pam-types](kfutil_pam-types.md) - Keyfactor PAM types APIs and utilities. diff --git a/docs/kfutil_pam.md b/docs/kfutil_pam.md index c81bb8ae..799af94d 100644 --- a/docs/kfutil_pam.md +++ b/docs/kfutil_pam.md @@ -4,8 +4,8 @@ Keyfactor PAM Provider APIs. ### Synopsis -Privileged Access Management (PAM) functionality in Keyfactor Web APIs allows for configuration of third -party PAM providers to secure certificate stores. The PAM component of the Keyfactor API includes methods necessary to +Privileged Access Management (PAM) functionality in Keyfactor Web APIs allows for configuration of third +party PAM providers to secure certificate stores. The PAM component of the Keyfactor API includes methods necessary to programmatically create, delete, edit, and list PAM Providers. ### Options @@ -45,5 +45,3 @@ programmatically create, delete, edit, and list PAM Providers. * [kfutil pam get](kfutil_pam_get.md) - Get a specific defined PAM Provider by ID. * [kfutil pam list](kfutil_pam_list.md) - Returns a list of all the configured PAM providers. * [kfutil pam update](kfutil_pam_update.md) - Updates an existing PAM Provider, currently only supported from file. - -###### Auto generated on 26-Jan-2026 diff --git a/docs/kfutil_pam_create.md b/docs/kfutil_pam_create.md index 9e705305..4200a70b 100644 --- a/docs/kfutil_pam_create.md 
+++ b/docs/kfutil_pam_create.md @@ -43,5 +43,3 @@ kfutil pam create [flags] ### SEE ALSO * [kfutil pam](kfutil_pam.md) - Keyfactor PAM Provider APIs. - -###### Auto generated on 26-Jan-2026 diff --git a/docs/kfutil_pam_delete.md b/docs/kfutil_pam_delete.md index 97011087..59b556f5 100644 --- a/docs/kfutil_pam_delete.md +++ b/docs/kfutil_pam_delete.md @@ -44,5 +44,3 @@ kfutil pam delete [flags] ### SEE ALSO * [kfutil pam](kfutil_pam.md) - Keyfactor PAM Provider APIs. - -###### Auto generated on 26-Jan-2026 diff --git a/docs/kfutil_pam_get.md b/docs/kfutil_pam_get.md index c5781c84..373d5fcd 100644 --- a/docs/kfutil_pam_get.md +++ b/docs/kfutil_pam_get.md @@ -44,5 +44,3 @@ kfutil pam get [flags] ### SEE ALSO * [kfutil pam](kfutil_pam.md) - Keyfactor PAM Provider APIs. - -###### Auto generated on 26-Jan-2026 diff --git a/docs/kfutil_pam_list.md b/docs/kfutil_pam_list.md index c876e565..a06f1b36 100644 --- a/docs/kfutil_pam_list.md +++ b/docs/kfutil_pam_list.md @@ -42,5 +42,3 @@ kfutil pam list [flags] ### SEE ALSO * [kfutil pam](kfutil_pam.md) - Keyfactor PAM Provider APIs. - -###### Auto generated on 26-Jan-2026 diff --git a/docs/kfutil_pam_update.md b/docs/kfutil_pam_update.md index 59dd1f4f..67fdd309 100644 --- a/docs/kfutil_pam_update.md +++ b/docs/kfutil_pam_update.md @@ -43,5 +43,3 @@ kfutil pam update [flags] ### SEE ALSO * [kfutil pam](kfutil_pam.md) - Keyfactor PAM Provider APIs. - -###### Auto generated on 26-Jan-2026 diff --git a/docs/kfutil_status.md b/docs/kfutil_status.md index 86a239d5..cd437eed 100644 --- a/docs/kfutil_status.md +++ b/docs/kfutil_status.md @@ -42,5 +42,3 @@ kfutil status [flags] ### SEE ALSO * [kfutil](kfutil.md) - Keyfactor CLI utilities - -###### Auto generated on 26-Jan-2026 diff --git a/docs/kfutil_store-types.md b/docs/kfutil_store-types.md index a30e94e3..bbe92554 100644 --- a/docs/kfutil_store-types.md +++ b/docs/kfutil_store-types.md 
@@ -43,5 +43,3 @@ A collections of APIs and utilities for interacting with Keyfactor certificate s * [kfutil store-types get](kfutil_store-types_get.md) - Get a specific store type by either name or ID. * [kfutil store-types list](kfutil_store-types_list.md) - List certificate store types. * [kfutil store-types templates-fetch](kfutil_store-types_templates-fetch.md) - Fetches store type templates from Keyfactor's Github. - -###### Auto generated on 26-Jan-2026 diff --git a/docs/kfutil_store-types_create.md b/docs/kfutil_store-types_create.md index 2eef609b..bdb606fd 100644 --- a/docs/kfutil_store-types_create.md +++ b/docs/kfutil_store-types_create.md 
@@ -18,7 +18,7 @@ kfutil store-types create [flags] -b, --git-ref string The git branch or tag to reference when pulling store-types from the internet. (default "main") -h, --help help for create -l, --list List valid store types. - -n, --name string Short name of the certificate store type to get. Valid choices are: Akamai, AKV, AlteonLB, AppGwBin, AWS-ACM, AWS-ACM-v3, AxisIPCamera, AzureApp, AzureApp2, AzureAppGw, AzureSP, AzureSP2, BoschIPCamera, CiscoAsa, CitrixAdc, DataPower, F5-BigIQ, F5-CA-REST, F5-SL-REST, F5-WS-REST, f5WafCa, f5WafTls, Fortigate, FortiWeb, GcpApigee, GcpCertMgr, GCPLoadBal, HCVKV, HCVKVJKS, HCVKVP12, HCVKVPEM, HCVKVPFX, HCVPKI, HPiLO, iDRAC, IISU, Imperva, K8SCert, K8SCluster, K8SJKS, K8SNS, K8SPKCS12, K8SSecret, K8STLSSecr, Kemp, Nmap, OktaApp, OktaIdP, PaloAlto, RFDER, RFJKS, RFKDB, RFORA, RFPEM, RFPkcs12, Signum, SOS, vCenter, VMware-NSX, WinCerMgmt, WinCert, WinSql + -n, --name string Short name of the certificate store type to get. Valid choices are: Akamai, AKV, AlteonLB, AppGwBin, Aruba, AWS-ACM, AWS-ACM-v3, AxisIPCamera, AzureApp, AzureApp2, AzureAppGw, AzureSP, AzureSP2, BarracudaWaf, BMC, BoschIPCamera, CiscoAsa, CitrixAdc, DataPower, F5-BigIQ, F5-CA-REST, F5-SL-REST, F5-WS-REST, f5WafCa, f5WafTls, Fortigate, FortiWeb, GcpApigee, GcpCertMgr, GCPLoadBal, GCPScrtMgr, HCVKV, HCVKVJKS, HCVKVP12, HCVKVPEM, HCVKVPFX, HCVPKI, HPiLO, iDRAC, IISU, Imperva, K8SCert, K8SCluster, K8SJKS, K8SNS, K8SPKCS12, K8SSecret, K8STLSSecr, Kemp, MOST, Nmap, OktaApp, OktaIdP, PaloAlto, RFDER, RFJKS, RFKDB, RFORA, RFPEM, RFPkcs12, Signum, SOS, ThunderMgmt, ThunderSsl, vCenter, VMware-NSX, WinAdfs, WinCerMgmt, WinCert, WinSql -r, --repo string The repository to pull store-types definitions from. (default "kfutil") ``` @@ -48,5 +48,3 @@ kfutil store-types create [flags] ### SEE ALSO * [kfutil store-types](kfutil_store-types.md) - Keyfactor certificate store types APIs and utilities. - -###### Auto generated on 26-Jan-2026 
diff --git a/docs/kfutil_store-types_delete.md b/docs/kfutil_store-types_delete.md index b83c9728..ceccd963 100644 --- a/docs/kfutil_store-types_delete.md +++ b/docs/kfutil_store-types_delete.md @@ -46,5 +46,3 @@ kfutil store-types delete [flags] ### SEE ALSO * [kfutil store-types](kfutil_store-types.md) - Keyfactor certificate store types APIs and utilities. - -###### Auto generated on 26-Jan-2026 diff --git a/docs/kfutil_store-types_get.md b/docs/kfutil_store-types_get.md index b3e52b50..32a15c1c 100644 --- a/docs/kfutil_store-types_get.md +++ b/docs/kfutil_store-types_get.md @@ -47,5 +47,3 @@ kfutil store-types get [-i | -n ] [-b ### SEE ALSO * [kfutil store-types](kfutil_store-types.md) - Keyfactor certificate store types APIs and utilities. - -###### Auto generated on 26-Jan-2026 diff --git a/docs/kfutil_store-types_list.md b/docs/kfutil_store-types_list.md index 3dc0242d..121b13f0 100644 --- a/docs/kfutil_store-types_list.md +++ b/docs/kfutil_store-types_list.md @@ -42,5 +42,3 @@ kfutil store-types list [flags] ### SEE ALSO * [kfutil store-types](kfutil_store-types.md) - Keyfactor certificate store types APIs and utilities. - -###### Auto generated on 26-Jan-2026 diff --git a/docs/kfutil_store-types_templates-fetch.md b/docs/kfutil_store-types_templates-fetch.md index d8d00f4d..a42307fe 100644 --- a/docs/kfutil_store-types_templates-fetch.md +++ b/docs/kfutil_store-types_templates-fetch.md @@ -44,5 +44,3 @@ kfutil store-types templates-fetch [flags] ### SEE ALSO * [kfutil store-types](kfutil_store-types.md) - Keyfactor certificate store types APIs and utilities. - -###### Auto generated on 26-Jan-2026 diff --git a/docs/kfutil_stores.md b/docs/kfutil_stores.md index 8b512215..92471fe3 100644 --- a/docs/kfutil_stores.md +++ b/docs/kfutil_stores.md 
@@ -41,10 +41,7 @@ A collections of APIs and utilities for interacting with Keyfactor certificate s * [kfutil stores delete](kfutil_stores_delete.md) - Delete a certificate store by ID. * [kfutil stores export](kfutil_stores_export.md) - Export existing defined certificate stores by type or store Id. * [kfutil stores get](kfutil_stores_get.md) - Get a certificate store by ID. -* [kfutil stores import](kfutil_stores_import.md) - Import a file with certificate store definitions and create them - in Keyfactor Command. +* [kfutil stores import](kfutil_stores_import.md) - Import a file with certificate store definitions and create them in Keyfactor Command. * [kfutil stores inventory](kfutil_stores_inventory.md) - Commands related to certificate store inventory management * [kfutil stores list](kfutil_stores_list.md) - List certificate stores. -* [kfutil stores rot](kfutil_stores_rot.md) - Root of trust utility - -###### Auto generated on 26-Jan-2026 +* [kfutil stores rot](kfutil_stores_rot.md) - Root of trust utility diff --git a/docs/kfutil_stores_delete.md b/docs/kfutil_stores_delete.md index 733dfce1..3761d475 100644 --- a/docs/kfutil_stores_delete.md +++ b/docs/kfutil_stores_delete.md @@ -45,5 +45,3 @@ kfutil stores delete [flags] ### SEE ALSO * [kfutil stores](kfutil_stores.md) - Keyfactor certificate stores APIs and utilities. - -###### Auto generated on 26-Jan-2026 diff --git a/docs/kfutil_stores_export.md b/docs/kfutil_stores_export.md index 9cd56c48..e244ff91 100644 --- a/docs/kfutil_stores_export.md +++ b/docs/kfutil_stores_export.md @@ -46,5 +46,3 @@ kfutil stores export [flags] ### SEE ALSO * [kfutil stores](kfutil_stores.md) - Keyfactor certificate stores APIs and utilities. - -###### Auto generated on 26-Jan-2026 diff --git a/docs/kfutil_stores_get.md b/docs/kfutil_stores_get.md index 1c50c23d..f1d45038 100644 --- a/docs/kfutil_stores_get.md +++ b/docs/kfutil_stores_get.md 
@@ -43,5 +43,3 @@ kfutil stores get [flags] ### SEE ALSO * [kfutil stores](kfutil_stores.md) - Keyfactor certificate stores APIs and utilities. - -###### Auto generated on 26-Jan-2026 diff --git a/docs/kfutil_stores_import.md b/docs/kfutil_stores_import.md index a151a3f6..0203cedc 100644 --- a/docs/kfutil_stores_import.md +++ b/docs/kfutil_stores_import.md @@ -40,5 +40,3 @@ Tools for generating import templates and importing certificate stores * [kfutil stores](kfutil_stores.md) - Keyfactor certificate stores APIs and utilities. * [kfutil stores import csv](kfutil_stores_import_csv.md) - Create certificate stores from CSV file. * [kfutil stores import generate-template](kfutil_stores_import_generate-template.md) - For generating a CSV template with headers for bulk store creation. - -###### Auto generated on 26-Jan-2026 diff --git a/docs/kfutil_stores_import_csv.md b/docs/kfutil_stores_import_csv.md index c7683ab9..2215f41a 100644 --- a/docs/kfutil_stores_import_csv.md +++ b/docs/kfutil_stores_import_csv.md 
@@ -17,29 +17,27 @@ Required Flags: ###### Credential Fields -| Header | Description | -|---------------------------|---------------------------------------------------------------------------------------| +| Header | Description | +| --- | --- | | Properties.ServerUsername | This is equivalent to the 'ServerUsername' field in the Command Certificate Store UI. | | Properties.ServerPassword | This is equivalent to the 'ServerPassword' field in the Command Certificate Store UI. | -| Password | This is equivalent to the 'StorePassword' field in the Command Certificate Store UI. | +| Password | This is equivalent to the 'StorePassword' field in the Command Certificate Store UI. | ###### Inventory Schedule Fields - -For full information on certificate store schedules -visit: https://software.keyfactor.com/Core-OnPrem/v25.1.1/Content/WebAPI/KeyfactorAPI/CertificateStoresPostSchedule.htm#API-Table-Schedule +For full information on certificate store schedules visit: https://software.keyfactor.com/Core-OnPrem/v25.1.1/Content/WebAPI/KeyfactorAPI/CertificateStoresPostSchedule.htm#API-Table-Schedule > [!NOTE] > Only one type of schedule can be specified in the CSV file. If multiple are specified, > the last one will be used. For example you can't schedule both "InventorySchedule.Immediate" and "InventorySchedule. > Interval.Minutes", in which case the value of "InventorySchedule.Interval.Minutes" would be used. -| Header | Description | -|------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| InventorySchedule.Immediate | A Boolean that indicates a job scheduled to run immediately (TRUE) or not (FALSE). | -| InventorySchedule.Interval.Minutes | An integer indicating the number of minutes between each interval. | -| InventorySchedule.Daily.Time | The date and time to next run the job. 
The date and time should be given using the ISO 8601 UTC time format "YYYY-MM-DDTHH:mm:ss.000Z"" (e.g. 2023-11-19T16:23:01Z). | -| InventorySchedule.Weekly.Days | An array of values representing the days of the week on which to run the job. These can either be entered as integers (0 for Sunday, 1 for Monday, etc.) or as days of the week (e.g. "Sunday"). | -| InventorySchedule.Weekly.Time | The time of day to inventory daily, RFC3339 format. Ex. "2023-10-01T12:00:00Z" for noon UTC. | +| Header | Description | +| --- | --- | +| InventorySchedule.Immediate | A Boolean that indicates a job scheduled to run immediately (TRUE) or not (FALSE). | +| InventorySchedule.Interval.Minutes | An integer indicating the number of minutes between each interval. | +| InventorySchedule.Daily.Time | The date and time to next run the job. The date and time should be given using the ISO 8601 UTC time format "YYYY-MM-DDTHH:mm:ss.000Z"" (e.g. 2023-11-19T16:23:01Z). | +| InventorySchedule.Weekly.Days | An array of values representing the days of the week on which to run the job. These can either be entered as integers (0 for Sunday, 1 for Monday, etc.) or as days of the week (e.g. "Sunday"). | +| InventorySchedule.Weekly.Time | The time of day to inventory daily, RFC3339 format. Ex. "2023-10-01T12:00:00Z" for noon UTC. | ##### Outside CSV file: If you do not wish to include credentials in your CSV file they can be provided one of three ways: @@ -92,7 +90,4 @@ kfutil stores import csv --file --store-type-id --store-t ### SEE ALSO -* [kfutil stores import](kfutil_stores_import.md) - Import a file with certificate store definitions and create them - in Keyfactor Command. - -###### Auto generated on 26-Jan-2026 +* [kfutil stores import](kfutil_stores_import.md) - Import a file with certificate store definitions and create them in Keyfactor Command. diff --git a/docs/kfutil_stores_inventory.md b/docs/kfutil_stores_inventory.md index ade5aae5..db7481f2 100644 --- a/docs/kfutil_stores_inventory.md 
+++ b/docs/kfutil_stores_inventory.md @@ -41,5 +41,3 @@ Commands related to certificate store inventory management * [kfutil stores inventory add](kfutil_stores_inventory_add.md) - Adds one or more certificates to one or more certificate store inventories. * [kfutil stores inventory remove](kfutil_stores_inventory_remove.md) - Removes a certificate from the certificate store inventory. * [kfutil stores inventory show](kfutil_stores_inventory_show.md) - Show the inventory of a certificate store. - -###### Auto generated on 26-Jan-2026 diff --git a/docs/kfutil_stores_inventory_add.md b/docs/kfutil_stores_inventory_add.md index b4f15262..ad150411 100644 --- a/docs/kfutil_stores_inventory_add.md +++ b/docs/kfutil_stores_inventory_add.md @@ -56,5 +56,3 @@ kfutil stores inventory add [flags] ### SEE ALSO * [kfutil stores inventory](kfutil_stores_inventory.md) - Commands related to certificate store inventory management - -###### Auto generated on 26-Jan-2026 diff --git a/docs/kfutil_stores_inventory_remove.md b/docs/kfutil_stores_inventory_remove.md index ff071c0c..fa9a7069 100644 --- a/docs/kfutil_stores_inventory_remove.md +++ b/docs/kfutil_stores_inventory_remove.md @@ -52,5 +52,3 @@ kfutil stores inventory remove [flags] ### SEE ALSO * [kfutil stores inventory](kfutil_stores_inventory.md) - Commands related to certificate store inventory management - -###### Auto generated on 26-Jan-2026 diff --git a/docs/kfutil_stores_inventory_show.md b/docs/kfutil_stores_inventory_show.md index 08ecf61b..823f899b 100644 --- a/docs/kfutil_stores_inventory_show.md +++ b/docs/kfutil_stores_inventory_show.md @@ -46,5 +46,3 @@ kfutil stores inventory show [flags] ### SEE ALSO * [kfutil stores inventory](kfutil_stores_inventory.md) - Commands related to certificate store inventory management - -###### Auto generated on 26-Jan-2026 diff --git a/docs/kfutil_stores_list.md b/docs/kfutil_stores_list.md index 5b79ff9a..d7d9a205 100644 --- a/docs/kfutil_stores_list.md 
+++ b/docs/kfutil_stores_list.md @@ -42,5 +42,3 @@ kfutil stores list [flags] ### SEE ALSO * [kfutil stores](kfutil_stores.md) - Keyfactor certificate stores APIs and utilities. - -###### Auto generated on 26-Jan-2026 diff --git a/docs/kfutil_stores_rot.md b/docs/kfutil_stores_rot.md index 0a62c7ac..61159e03 100644 --- a/docs/kfutil_stores_rot.md +++ b/docs/kfutil_stores_rot.md @@ -53,5 +53,3 @@ kfutil stores rot reconcile --import-csv * [kfutil stores rot audit](kfutil_stores_rot_audit.md) - Audit generates a CSV report of what actions will be taken based on input CSV files. * [kfutil stores rot generate-template](kfutil_stores_rot_generate-template.md) - For generating Root Of Trust template(s) * [kfutil stores rot reconcile](kfutil_stores_rot_reconcile.md) - Reconcile either takes in or will generate an audit report and then add/remove certs as needed. - -###### Auto generated on 26-Jan-2026 diff --git a/docs/kfutil_stores_rot_audit.md b/docs/kfutil_stores_rot_audit.md index e2612432..1f3a83cb 100644 --- a/docs/kfutil_stores_rot_audit.md +++ b/docs/kfutil_stores_rot_audit.md @@ -50,5 +50,3 @@ kfutil stores rot audit [flags] ### SEE ALSO * [kfutil stores rot](kfutil_stores_rot.md) - Root of trust utility - -###### Auto generated on 26-Jan-2026 diff --git a/docs/kfutil_stores_rot_generate-template.md b/docs/kfutil_stores_rot_generate-template.md index 6c3f46b0..eb5ff54f 100644 --- a/docs/kfutil_stores_rot_generate-template.md +++ b/docs/kfutil_stores_rot_generate-template.md @@ -48,5 +48,3 @@ kfutil stores rot generate-template [flags] ### SEE ALSO * [kfutil stores rot](kfutil_stores_rot.md) - Root of trust utility - -###### Auto generated on 26-Jan-2026 diff --git a/docs/kfutil_stores_rot_reconcile.md b/docs/kfutil_stores_rot_reconcile.md index 9e85606a..7b6ed7b8 100644 --- a/docs/kfutil_stores_rot_reconcile.md +++ b/docs/kfutil_stores_rot_reconcile.md 
@@ -55,5 +55,3 @@ kfutil stores rot reconcile [flags] ### SEE ALSO * [kfutil stores rot](kfutil_stores_rot.md) - Root of trust utility - -###### Auto generated on 26-Jan-2026 diff --git a/docs/kfutil_version.md b/docs/kfutil_version.md index 73c7df04..27bef179 100644 --- a/docs/kfutil_version.md +++ b/docs/kfutil_version.md @@ -42,5 +42,3 @@ kfutil version [flags] ### SEE ALSO * [kfutil](kfutil.md) - Keyfactor CLI utilities - -###### Auto generated on 26-Jan-2026 diff --git a/docs/use-cases/Certificate Store Operations/Store Types/README.md b/docs/use-cases/Certificate Store Operations/Store Types/README.md index 4b08f875..06f214dd 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/README.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/README.md @@ -6,7 +6,7 @@ These docs are generated from `cmd/store_types.json` and `cmd/pam_types.json` an Regenerate after store type metadata changes: ```bash -make store-type-docs +kfutil makedocs ``` Use `kfutil stores import generate-template` against a live Command environment when you need a template that reflects deployed customizations. diff --git a/docs/use-cases/Certificate Store Operations/Store Types/akamai.md b/docs/use-cases/Certificate Store Operations/Store Types/akamai.md index 5becd5e8..739112fb 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/akamai.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/akamai.md @@ -6,7 +6,7 @@ Generated from `cmd/store_types.json`. Regenerate with: ```bash -make store-type-docs +kfutil makedocs ``` ## Overview diff --git a/docs/use-cases/Certificate Store Operations/Store Types/akv.md b/docs/use-cases/Certificate Store Operations/Store Types/akv.md index d44f1528..7a6b719b 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/akv.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/akv.md 
@@ -6,7 +6,7 @@ Generated from `cmd/store_types.json`. Regenerate with: ```bash -make store-type-docs +kfutil makedocs ``` ## Overview diff --git a/docs/use-cases/Certificate Store Operations/Store Types/alteonlb.md b/docs/use-cases/Certificate Store Operations/Store Types/alteonlb.md index 7bbde8d7..46305676 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/alteonlb.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/alteonlb.md @@ -6,7 +6,7 @@ Generated from `cmd/store_types.json`. Regenerate with: ```bash -make store-type-docs +kfutil makedocs ``` ## Overview diff --git a/docs/use-cases/Certificate Store Operations/Store Types/appgwbin.md b/docs/use-cases/Certificate Store Operations/Store Types/appgwbin.md index 7cbc2b9d..d91fb014 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/appgwbin.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/appgwbin.md @@ -6,7 +6,7 @@ Generated from `cmd/store_types.json`. Regenerate with: ```bash -make store-type-docs +kfutil makedocs ``` ## Overview diff --git a/docs/use-cases/Certificate Store Operations/Store Types/aruba.md b/docs/use-cases/Certificate Store Operations/Store Types/aruba.md index 160f1042..cab0254e 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/aruba.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/aruba.md @@ -6,7 +6,7 @@ Generated from `cmd/store_types.json`. Regenerate with: ```bash -make store-type-docs +kfutil makedocs ``` ## Overview diff --git a/docs/use-cases/Certificate Store Operations/Store Types/aws-acm-v3.md b/docs/use-cases/Certificate Store Operations/Store Types/aws-acm-v3.md index 3b30d9a7..5f410220 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/aws-acm-v3.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/aws-acm-v3.md @@ -6,7 +6,7 @@ Generated from `cmd/store_types.json`. Regenerate with: ```bash -make store-type-docs +kfutil makedocs ``` ## Overview 
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/aws-acm.md b/docs/use-cases/Certificate Store Operations/Store Types/aws-acm.md index 4f54239d..7285bfbc 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/aws-acm.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/aws-acm.md @@ -6,7 +6,7 @@ Generated from `cmd/store_types.json`. Regenerate with: ```bash -make store-type-docs +kfutil makedocs ``` ## Overview diff --git a/docs/use-cases/Certificate Store Operations/Store Types/axisipcamera.md b/docs/use-cases/Certificate Store Operations/Store Types/axisipcamera.md index c55b3f65..f5d0b38b 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/axisipcamera.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/axisipcamera.md @@ -6,7 +6,7 @@ Generated from `cmd/store_types.json`. Regenerate with: ```bash -make store-type-docs +kfutil makedocs ``` ## Overview diff --git a/docs/use-cases/Certificate Store Operations/Store Types/azureapp.md b/docs/use-cases/Certificate Store Operations/Store Types/azureapp.md index edb91c87..e3bddde7 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/azureapp.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/azureapp.md @@ -6,7 +6,7 @@ Generated from `cmd/store_types.json`. Regenerate with: ```bash -make store-type-docs +kfutil makedocs ``` ## Overview diff --git a/docs/use-cases/Certificate Store Operations/Store Types/azureapp2.md b/docs/use-cases/Certificate Store Operations/Store Types/azureapp2.md index 8aaae049..6b21a08a 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/azureapp2.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/azureapp2.md @@ -6,7 +6,7 @@ Generated from `cmd/store_types.json`. Regenerate with: ```bash -make store-type-docs +kfutil makedocs ``` ## Overview 
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/azureappgw.md b/docs/use-cases/Certificate Store Operations/Store Types/azureappgw.md index c4b9282f..8aa45677 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/azureappgw.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/azureappgw.md @@ -6,7 +6,7 @@ Generated from `cmd/store_types.json`. Regenerate with: ```bash -make store-type-docs +kfutil makedocs ``` ## Overview diff --git a/docs/use-cases/Certificate Store Operations/Store Types/azuresp.md b/docs/use-cases/Certificate Store Operations/Store Types/azuresp.md index 461b0e70..80a3044b 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/azuresp.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/azuresp.md @@ -6,7 +6,7 @@ Generated from `cmd/store_types.json`. Regenerate with: ```bash -make store-type-docs +kfutil makedocs ``` ## Overview diff --git a/docs/use-cases/Certificate Store Operations/Store Types/azuresp2.md b/docs/use-cases/Certificate Store Operations/Store Types/azuresp2.md index 66d8609b..f8377c6a 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/azuresp2.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/azuresp2.md @@ -6,7 +6,7 @@ Generated from `cmd/store_types.json`. Regenerate with: ```bash -make store-type-docs +kfutil makedocs ``` ## Overview diff --git a/docs/use-cases/Certificate Store Operations/Store Types/barracudawaf.md b/docs/use-cases/Certificate Store Operations/Store Types/barracudawaf.md index a117b8ca..94bd5470 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/barracudawaf.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/barracudawaf.md @@ -6,7 +6,7 @@ Generated from `cmd/store_types.json`. Regenerate with: ```bash -make store-type-docs +kfutil makedocs ``` ## Overview 
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/bmc.md b/docs/use-cases/Certificate Store Operations/Store Types/bmc.md index 811e15eb..7ebc5ff9 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/bmc.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/bmc.md @@ -6,7 +6,7 @@ Generated from `cmd/store_types.json`. Regenerate with: ```bash -make store-type-docs +kfutil makedocs ``` ## Overview diff --git a/docs/use-cases/Certificate Store Operations/Store Types/boschipcamera.md b/docs/use-cases/Certificate Store Operations/Store Types/boschipcamera.md index 642d6d2c..150b6db6 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/boschipcamera.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/boschipcamera.md @@ -6,7 +6,7 @@ Generated from `cmd/store_types.json`. Regenerate with: ```bash -make store-type-docs +kfutil makedocs ``` ## Overview diff --git a/docs/use-cases/Certificate Store Operations/Store Types/ciscoasa.md b/docs/use-cases/Certificate Store Operations/Store Types/ciscoasa.md index beed41e0..63ad619f 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/ciscoasa.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/ciscoasa.md @@ -6,7 +6,7 @@ Generated from `cmd/store_types.json`. Regenerate with: ```bash -make store-type-docs +kfutil makedocs ``` ## Overview diff --git a/docs/use-cases/Certificate Store Operations/Store Types/citrixadc.md b/docs/use-cases/Certificate Store Operations/Store Types/citrixadc.md index 5d745cbc..60960e51 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/citrixadc.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/citrixadc.md @@ -6,7 +6,7 @@ Generated from `cmd/store_types.json`. Regenerate with: ```bash -make store-type-docs +kfutil makedocs ``` ## Overview 
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/datapower.md b/docs/use-cases/Certificate Store Operations/Store Types/datapower.md index 1a5f7b81..213c3d2f 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/datapower.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/datapower.md @@ -6,7 +6,7 @@ Generated from `cmd/store_types.json`. Regenerate with: ```bash -make store-type-docs +kfutil makedocs ``` ## Overview diff --git a/docs/use-cases/Certificate Store Operations/Store Types/f5-bigiq.md b/docs/use-cases/Certificate Store Operations/Store Types/f5-bigiq.md index ebf72739..9ae5453b 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/f5-bigiq.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/f5-bigiq.md @@ -6,7 +6,7 @@ Generated from `cmd/store_types.json`. Regenerate with: ```bash -make store-type-docs +kfutil makedocs ``` ## Overview diff --git a/docs/use-cases/Certificate Store Operations/Store Types/f5-ca-rest.md b/docs/use-cases/Certificate Store Operations/Store Types/f5-ca-rest.md index f1c4d068..d5c295fa 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/f5-ca-rest.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/f5-ca-rest.md @@ -6,7 +6,7 @@ Generated from `cmd/store_types.json`. Regenerate with: ```bash -make store-type-docs +kfutil makedocs ``` ## Overview diff --git a/docs/use-cases/Certificate Store Operations/Store Types/f5-sl-rest.md b/docs/use-cases/Certificate Store Operations/Store Types/f5-sl-rest.md index 4032249a..a1bbcb44 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/f5-sl-rest.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/f5-sl-rest.md @@ -6,7 +6,7 @@ Generated from `cmd/store_types.json`. Regenerate with: ```bash -make store-type-docs +kfutil makedocs ``` ## Overview 
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/f5-ws-rest.md b/docs/use-cases/Certificate Store Operations/Store Types/f5-ws-rest.md index bbaa98fa..c0a6f4da 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/f5-ws-rest.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/f5-ws-rest.md @@ -6,7 +6,7 @@ Generated from `cmd/store_types.json`. Regenerate with: ```bash -make store-type-docs +kfutil makedocs ``` ## Overview diff --git a/docs/use-cases/Certificate Store Operations/Store Types/f5wafca.md b/docs/use-cases/Certificate Store Operations/Store Types/f5wafca.md index f48e2956..ded638df 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/f5wafca.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/f5wafca.md @@ -6,7 +6,7 @@ Generated from `cmd/store_types.json`. Regenerate with: ```bash -make store-type-docs +kfutil makedocs ``` ## Overview diff --git a/docs/use-cases/Certificate Store Operations/Store Types/f5waftls.md b/docs/use-cases/Certificate Store Operations/Store Types/f5waftls.md index c21e9b1f..73cdbe1a 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/f5waftls.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/f5waftls.md @@ -6,7 +6,7 @@ Generated from `cmd/store_types.json`. Regenerate with: ```bash -make store-type-docs +kfutil makedocs ``` ## Overview diff --git a/docs/use-cases/Certificate Store Operations/Store Types/fortigate.md b/docs/use-cases/Certificate Store Operations/Store Types/fortigate.md index 4e961ce3..f8c06e2a 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/fortigate.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/fortigate.md @@ -6,7 +6,7 @@ Generated from `cmd/store_types.json`. Regenerate with: ```bash -make store-type-docs +kfutil makedocs ``` ## Overview 
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/fortiweb.md b/docs/use-cases/Certificate Store Operations/Store Types/fortiweb.md index 6eff7c6e..518b9af0 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/fortiweb.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/fortiweb.md @@ -6,7 +6,7 @@ Generated from `cmd/store_types.json`. Regenerate with: ```bash -make store-type-docs +kfutil makedocs ``` ## Overview diff --git a/docs/use-cases/Certificate Store Operations/Store Types/gcpapigee.md b/docs/use-cases/Certificate Store Operations/Store Types/gcpapigee.md index 81d4ebf8..0c6db912 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/gcpapigee.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/gcpapigee.md @@ -6,7 +6,7 @@ Generated from `cmd/store_types.json`. Regenerate with: ```bash -make store-type-docs +kfutil makedocs ``` ## Overview diff --git a/docs/use-cases/Certificate Store Operations/Store Types/gcpcertmgr.md b/docs/use-cases/Certificate Store Operations/Store Types/gcpcertmgr.md index 9d4cdedb..97d0d3cb 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/gcpcertmgr.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/gcpcertmgr.md @@ -6,7 +6,7 @@ Generated from `cmd/store_types.json`. Regenerate with: ```bash -make store-type-docs +kfutil makedocs ``` ## Overview diff --git a/docs/use-cases/Certificate Store Operations/Store Types/gcploadbal.md b/docs/use-cases/Certificate Store Operations/Store Types/gcploadbal.md index e7cf711e..4336ec26 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/gcploadbal.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/gcploadbal.md @@ -6,7 +6,7 @@ Generated from `cmd/store_types.json`. Regenerate with: ```bash -make store-type-docs +kfutil makedocs ``` ## Overview 
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/gcpscrtmgr.md b/docs/use-cases/Certificate Store Operations/Store Types/gcpscrtmgr.md index 00bc9997..de1ddf84 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/gcpscrtmgr.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/gcpscrtmgr.md @@ -6,7 +6,7 @@ Generated from `cmd/store_types.json`. Regenerate with: ```bash -make store-type-docs +kfutil makedocs ``` ## Overview diff --git a/docs/use-cases/Certificate Store Operations/Store Types/hcvkv.md b/docs/use-cases/Certificate Store Operations/Store Types/hcvkv.md index 99ca33a9..d5928929 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/hcvkv.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/hcvkv.md @@ -6,7 +6,7 @@ Generated from `cmd/store_types.json`. Regenerate with: ```bash -make store-type-docs +kfutil makedocs ``` ## Overview diff --git a/docs/use-cases/Certificate Store Operations/Store Types/hcvkvjks.md b/docs/use-cases/Certificate Store Operations/Store Types/hcvkvjks.md index d3d1e5d5..ca388f4c 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/hcvkvjks.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/hcvkvjks.md @@ -6,7 +6,7 @@ Generated from `cmd/store_types.json`. Regenerate with: ```bash -make store-type-docs +kfutil makedocs ``` ## Overview diff --git a/docs/use-cases/Certificate Store Operations/Store Types/hcvkvp12.md b/docs/use-cases/Certificate Store Operations/Store Types/hcvkvp12.md index 0c3f92aa..7aeb5d61 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/hcvkvp12.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/hcvkvp12.md @@ -6,7 +6,7 @@ Generated from `cmd/store_types.json`. Regenerate with: ```bash -make store-type-docs +kfutil makedocs ``` ## Overview 
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/hcvkvpem.md b/docs/use-cases/Certificate Store Operations/Store Types/hcvkvpem.md index 8b421077..9161afc8 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/hcvkvpem.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/hcvkvpem.md @@ -6,7 +6,7 @@ Generated from `cmd/store_types.json`. Regenerate with: ```bash -make store-type-docs +kfutil makedocs ``` ## Overview diff --git a/docs/use-cases/Certificate Store Operations/Store Types/hcvkvpfx.md b/docs/use-cases/Certificate Store Operations/Store Types/hcvkvpfx.md index 782e6b7d..0017503a 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/hcvkvpfx.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/hcvkvpfx.md @@ -6,7 +6,7 @@ Generated from `cmd/store_types.json`. Regenerate with: ```bash -make store-type-docs +kfutil makedocs ``` ## Overview diff --git a/docs/use-cases/Certificate Store Operations/Store Types/hcvpki.md b/docs/use-cases/Certificate Store Operations/Store Types/hcvpki.md index bf23b77b..3f50c623 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/hcvpki.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/hcvpki.md @@ -6,7 +6,7 @@ Generated from `cmd/store_types.json`. Regenerate with: ```bash -make store-type-docs +kfutil makedocs ``` ## Overview diff --git a/docs/use-cases/Certificate Store Operations/Store Types/hpilo.md b/docs/use-cases/Certificate Store Operations/Store Types/hpilo.md index fdca7ab8..0f32ec73 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/hpilo.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/hpilo.md @@ -6,7 +6,7 @@ Generated from `cmd/store_types.json`. Regenerate with: ```bash -make store-type-docs +kfutil makedocs ``` ## Overview 
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/idrac.md b/docs/use-cases/Certificate Store Operations/Store Types/idrac.md index 2bad82e1..39de5707 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/idrac.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/idrac.md @@ -6,7 +6,7 @@ Generated from `cmd/store_types.json`. Regenerate with: ```bash -make store-type-docs +kfutil makedocs ``` ## Overview diff --git a/docs/use-cases/Certificate Store Operations/Store Types/iisu.md b/docs/use-cases/Certificate Store Operations/Store Types/iisu.md index 050484e1..f2167bb7 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/iisu.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/iisu.md @@ -6,7 +6,7 @@ Generated from `cmd/store_types.json`. Regenerate with: ```bash -make store-type-docs +kfutil makedocs ``` ## Overview diff --git a/docs/use-cases/Certificate Store Operations/Store Types/imperva.md b/docs/use-cases/Certificate Store Operations/Store Types/imperva.md index baf9fdb2..badf5089 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/imperva.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/imperva.md @@ -6,7 +6,7 @@ Generated from `cmd/store_types.json`. Regenerate with: ```bash -make store-type-docs +kfutil makedocs ``` ## Overview diff --git a/docs/use-cases/Certificate Store Operations/Store Types/k8scert.md b/docs/use-cases/Certificate Store Operations/Store Types/k8scert.md index acfbec4b..79142ce1 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/k8scert.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/k8scert.md @@ -6,7 +6,7 @@ Generated from `cmd/store_types.json`. Regenerate with: ```bash -make store-type-docs +kfutil makedocs ``` ## Overview 
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/k8scluster.md b/docs/use-cases/Certificate Store Operations/Store Types/k8scluster.md index 352aa42a..8a146ca2 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/k8scluster.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/k8scluster.md @@ -6,7 +6,7 @@ Generated from `cmd/store_types.json`. Regenerate with: ```bash -make store-type-docs +kfutil makedocs ``` ## Overview diff --git a/docs/use-cases/Certificate Store Operations/Store Types/k8sjks.md b/docs/use-cases/Certificate Store Operations/Store Types/k8sjks.md index 86621374..a8b9ab8a 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/k8sjks.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/k8sjks.md @@ -6,7 +6,7 @@ Generated from `cmd/store_types.json`. Regenerate with: ```bash -make store-type-docs +kfutil makedocs ``` ## Overview diff --git a/docs/use-cases/Certificate Store Operations/Store Types/k8sns.md b/docs/use-cases/Certificate Store Operations/Store Types/k8sns.md index ffa6fc70..1013d740 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/k8sns.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/k8sns.md @@ -6,7 +6,7 @@ Generated from `cmd/store_types.json`. Regenerate with: ```bash -make store-type-docs +kfutil makedocs ``` ## Overview diff --git a/docs/use-cases/Certificate Store Operations/Store Types/k8spkcs12.md b/docs/use-cases/Certificate Store Operations/Store Types/k8spkcs12.md index 3b8db6e7..79dedf55 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/k8spkcs12.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/k8spkcs12.md @@ -6,7 +6,7 @@ Generated from `cmd/store_types.json`. Regenerate with: ```bash -make store-type-docs +kfutil makedocs ``` ## Overview 
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/k8ssecret.md b/docs/use-cases/Certificate Store Operations/Store Types/k8ssecret.md index aba58d89..7612eb54 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/k8ssecret.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/k8ssecret.md @@ -6,7 +6,7 @@ Generated from `cmd/store_types.json`. Regenerate with: ```bash -make store-type-docs +kfutil makedocs ``` ## Overview diff --git a/docs/use-cases/Certificate Store Operations/Store Types/k8stlssecr.md b/docs/use-cases/Certificate Store Operations/Store Types/k8stlssecr.md index dbf58d6a..d90fa13e 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/k8stlssecr.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/k8stlssecr.md @@ -6,7 +6,7 @@ Generated from `cmd/store_types.json`. Regenerate with: ```bash -make store-type-docs +kfutil makedocs ``` ## Overview diff --git a/docs/use-cases/Certificate Store Operations/Store Types/kemp.md b/docs/use-cases/Certificate Store Operations/Store Types/kemp.md index b7199a5a..e5dec4d8 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/kemp.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/kemp.md @@ -6,7 +6,7 @@ Generated from `cmd/store_types.json`. Regenerate with: ```bash -make store-type-docs +kfutil makedocs ``` ## Overview diff --git a/docs/use-cases/Certificate Store Operations/Store Types/most.md b/docs/use-cases/Certificate Store Operations/Store Types/most.md index 6c3e262a..5f83ed7d 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/most.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/most.md @@ -6,7 +6,7 @@ Generated from `cmd/store_types.json`. Regenerate with: ```bash -make store-type-docs +kfutil makedocs ``` ## Overview 
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/nmap.md b/docs/use-cases/Certificate Store Operations/Store Types/nmap.md index 88fb247e..604a96b5 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/nmap.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/nmap.md @@ -6,7 +6,7 @@ Generated from `cmd/store_types.json`. Regenerate with: ```bash -make store-type-docs +kfutil makedocs ``` ## Overview diff --git a/docs/use-cases/Certificate Store Operations/Store Types/oktaapp.md b/docs/use-cases/Certificate Store Operations/Store Types/oktaapp.md index ce3c5acf..f309fb19 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/oktaapp.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/oktaapp.md @@ -6,7 +6,7 @@ Generated from `cmd/store_types.json`. Regenerate with: ```bash -make store-type-docs +kfutil makedocs ``` ## Overview diff --git a/docs/use-cases/Certificate Store Operations/Store Types/oktaidp.md b/docs/use-cases/Certificate Store Operations/Store Types/oktaidp.md index 72575be3..d0c9f58e 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/oktaidp.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/oktaidp.md @@ -6,7 +6,7 @@ Generated from `cmd/store_types.json`. Regenerate with: ```bash -make store-type-docs +kfutil makedocs ``` ## Overview diff --git a/docs/use-cases/Certificate Store Operations/Store Types/paloalto.md b/docs/use-cases/Certificate Store Operations/Store Types/paloalto.md index fa256991..18fdbf00 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/paloalto.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/paloalto.md @@ -6,7 +6,7 @@ Generated from `cmd/store_types.json`. Regenerate with: ```bash -make store-type-docs +kfutil makedocs ``` ## Overview 
diff --git a/docs/use-cases/Certificate Store Operations/Store Types/rfder.md b/docs/use-cases/Certificate Store Operations/Store Types/rfder.md index e2d3c403..6d0b6dc8 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/rfder.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/rfder.md @@ -6,7 +6,7 @@ Generated from `cmd/store_types.json`. Regenerate with: ```bash -make store-type-docs +kfutil makedocs ``` ## Overview diff --git a/docs/use-cases/Certificate Store Operations/Store Types/rfjks.md b/docs/use-cases/Certificate Store Operations/Store Types/rfjks.md index ee7f549c..f7769265 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/rfjks.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/rfjks.md @@ -6,7 +6,7 @@ Generated from `cmd/store_types.json`. Regenerate with: ```bash -make store-type-docs +kfutil makedocs ``` ## Overview diff --git a/docs/use-cases/Certificate Store Operations/Store Types/rfkdb.md b/docs/use-cases/Certificate Store Operations/Store Types/rfkdb.md index 62a6484a..69b9fe55 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/rfkdb.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/rfkdb.md @@ -6,7 +6,7 @@ Generated from `cmd/store_types.json`. Regenerate with: ```bash -make store-type-docs +kfutil makedocs ``` ## Overview diff --git a/docs/use-cases/Certificate Store Operations/Store Types/rfora.md b/docs/use-cases/Certificate Store Operations/Store Types/rfora.md index eef3c535..0f21dd32 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/rfora.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/rfora.md @@ -6,7 +6,7 @@ Generated from `cmd/store_types.json`. Regenerate with: ```bash -make store-type-docs +kfutil makedocs ``` ## Overview diff --git a/docs/use-cases/Certificate Store Operations/Store Types/rfpem.md b/docs/use-cases/Certificate Store Operations/Store Types/rfpem.md index aa8ee60c..27a70024 100644 
--- a/docs/use-cases/Certificate Store Operations/Store Types/rfpem.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/rfpem.md @@ -6,7 +6,7 @@ Generated from `cmd/store_types.json`. Regenerate with: ```bash -make store-type-docs +kfutil makedocs ``` ## Overview diff --git a/docs/use-cases/Certificate Store Operations/Store Types/rfpkcs12.md b/docs/use-cases/Certificate Store Operations/Store Types/rfpkcs12.md index 37aa206b..e6bb4161 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/rfpkcs12.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/rfpkcs12.md @@ -6,7 +6,7 @@ Generated from `cmd/store_types.json`. Regenerate with: ```bash -make store-type-docs +kfutil makedocs ``` ## Overview diff --git a/docs/use-cases/Certificate Store Operations/Store Types/signum.md b/docs/use-cases/Certificate Store Operations/Store Types/signum.md index d44c76f3..ba8f21cb 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/signum.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/signum.md @@ -6,7 +6,7 @@ Generated from `cmd/store_types.json`. Regenerate with: ```bash -make store-type-docs +kfutil makedocs ``` ## Overview diff --git a/docs/use-cases/Certificate Store Operations/Store Types/sos.md b/docs/use-cases/Certificate Store Operations/Store Types/sos.md index bc64d8d5..b9e9cb17 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/sos.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/sos.md @@ -6,7 +6,7 @@ Generated from `cmd/store_types.json`. Regenerate with: ```bash -make store-type-docs +kfutil makedocs ``` ## Overview diff --git a/docs/use-cases/Certificate Store Operations/Store Types/thundermgmt.md b/docs/use-cases/Certificate Store Operations/Store Types/thundermgmt.md index 15980186..5cdf8088 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/thundermgmt.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/thundermgmt.md 
@@ -6,7 +6,7 @@ Generated from `cmd/store_types.json`. Regenerate with: ```bash -make store-type-docs +kfutil makedocs ``` ## Overview diff --git a/docs/use-cases/Certificate Store Operations/Store Types/thunderssl.md b/docs/use-cases/Certificate Store Operations/Store Types/thunderssl.md index 4b952cce..08451210 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/thunderssl.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/thunderssl.md @@ -6,7 +6,7 @@ Generated from `cmd/store_types.json`. Regenerate with: ```bash -make store-type-docs +kfutil makedocs ``` ## Overview diff --git a/docs/use-cases/Certificate Store Operations/Store Types/vcenter.md b/docs/use-cases/Certificate Store Operations/Store Types/vcenter.md index 8083176a..7308460b 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/vcenter.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/vcenter.md @@ -6,7 +6,7 @@ Generated from `cmd/store_types.json`. Regenerate with: ```bash -make store-type-docs +kfutil makedocs ``` ## Overview diff --git a/docs/use-cases/Certificate Store Operations/Store Types/vmware-nsx.md b/docs/use-cases/Certificate Store Operations/Store Types/vmware-nsx.md index 765c3afb..d8eadc52 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/vmware-nsx.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/vmware-nsx.md @@ -6,7 +6,7 @@ Generated from `cmd/store_types.json`. Regenerate with: ```bash -make store-type-docs +kfutil makedocs ``` ## Overview diff --git a/docs/use-cases/Certificate Store Operations/Store Types/winadfs.md b/docs/use-cases/Certificate Store Operations/Store Types/winadfs.md index b462ab67..a4579eb0 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/winadfs.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/winadfs.md 
@@ -6,7 +6,7 @@ Generated from `cmd/store_types.json`. Regenerate with: ```bash -make store-type-docs +kfutil makedocs ``` ## Overview diff --git a/docs/use-cases/Certificate Store Operations/Store Types/wincermgmt.md b/docs/use-cases/Certificate Store Operations/Store Types/wincermgmt.md index 5f481198..f8afa297 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/wincermgmt.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/wincermgmt.md @@ -6,7 +6,7 @@ Generated from `cmd/store_types.json`. Regenerate with: ```bash -make store-type-docs +kfutil makedocs ``` ## Overview diff --git a/docs/use-cases/Certificate Store Operations/Store Types/wincert.md b/docs/use-cases/Certificate Store Operations/Store Types/wincert.md index 42778677..f19e4964 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/wincert.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/wincert.md @@ -6,7 +6,7 @@ Generated from `cmd/store_types.json`. Regenerate with: ```bash -make store-type-docs +kfutil makedocs ``` ## Overview diff --git a/docs/use-cases/Certificate Store Operations/Store Types/winsql.md b/docs/use-cases/Certificate Store Operations/Store Types/winsql.md index 2d5550f2..3ade021b 100644 --- a/docs/use-cases/Certificate Store Operations/Store Types/winsql.md +++ b/docs/use-cases/Certificate Store Operations/Store Types/winsql.md @@ -6,7 +6,7 @@ Generated from `cmd/store_types.json`. Regenerate with: ```bash -make store-type-docs +kfutil makedocs ``` ## Overview diff --git a/docs/use-cases/PAM Operations/README.md b/docs/use-cases/PAM Operations/README.md index bdfdcea0..31a018b9 100644 --- a/docs/use-cases/PAM Operations/README.md +++ b/docs/use-cases/PAM Operations/README.md 
@@ -6,7 +6,7 @@ Use cases for creating PAM provider types and PAM providers with `kfutil`. These docs are generated from `cmd/pam_types.json`. Regenerate after PAM type metadata changes: ```bash -make pam-operation-docs +kfutil makedocs ``` - [Create PAM Types](create-pam-types.md) @@ -25,4 +25,3 @@ make pam-operation-docs | `Delinea-SecretServer` | Host, Username, Password, ClientId, ClientSecret, GrantType | SecretId, SecretFieldName | | `GCP-SecretManager` | projectId | secretId | | `Hashicorp-Vault` | Host, Token, Path | Secret, Key | - diff --git a/docs/use-cases/PAM Operations/create-pam-providers.md b/docs/use-cases/PAM Operations/create-pam-providers.md index 7208ce29..74b88f03 100644 --- a/docs/use-cases/PAM Operations/create-pam-providers.md +++ b/docs/use-cases/PAM Operations/create-pam-providers.md @@ -240,7 +240,7 @@ Write a provider config file: } }, { - "Value": "", + "Value": "N/A", "ProviderTypeParam": { "Id": "", "Name": "ClientId", @@ -250,7 +250,7 @@ Write a provider config file: } }, { - "Value": "", + "Value": "N/A", "ProviderTypeParam": { "Id": "", "Name": "ClientSecret", @@ -576,7 +576,7 @@ Write a provider config file: } }, { - "Value": "", + "Value": "N/A", "ProviderTypeParam": { "Id": "", "Name": "ClientId", @@ -586,7 +586,7 @@ Write a provider config file: } }, { - "Value": "", + "Value": "N/A", "ProviderTypeParam": { "Id": "", "Name": "ClientSecret", @@ -596,7 +596,7 @@ Write a provider config file: } }, { - "Value": "client_credentials", + "Value": "password", "ProviderTypeParam": { "Id": "", "Name": "GrantType", diff --git a/internal/docgen/pamdocs/pamdocs.go b/internal/docgen/pamdocs/pamdocs.go new file mode 100644 index 00000000..35547ffa --- /dev/null +++ b/internal/docgen/pamdocs/pamdocs.go 
@@ -0,0 +1,347 @@ +// Copyright 2026 Keyfactor +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package pamdocs + +import ( + "bytes" + "encoding/json" + "fmt" + "html" + "os" + "path/filepath" + "regexp" + "sort" + "strings" +) + +const generatedMarker = "" + +const ( + DefaultSourcePath = "cmd/pam_types.json" + DefaultOutputDir = "docs/use-cases/PAM Operations" +) + +type pamType struct { + Name string `json:"Name"` + Parameters []pamParameter `json:"Parameters"` +} + +type pamParameter struct { + Name string `json:"Name"` + DisplayName string `json:"DisplayName"` + Description string `json:"Description"` + DataType int `json:"DataType"` + InstanceLevel bool `json:"InstanceLevel"` +} + +type providerTemplate struct { + Area int `json:"Area"` + Name string `json:"Name"` + Remote bool `json:"Remote"` + ProviderType providerTemplateType `json:"ProviderType"` + ProviderTypeParamValues []providerTemplateParamValue `json:"ProviderTypeParamValues"` + SecuredAreaId *int `json:"SecuredAreaId"` +} + +type providerTemplateType struct { + Id string `json:"Id"` + Name string `json:"Name"` + ProviderTypeParams []providerTemplateParameter `json:"ProviderTypeParams"` +} + +type providerTemplateParamValue struct { + Value string `json:"Value"` + ProviderTypeParam providerTemplateParameter `json:"ProviderTypeParam"` +} + +type providerTemplateParameter struct { + Id string `json:"Id"` + Name string `json:"Name"` + DisplayName string `json:"DisplayName,omitempty"` + 
DataType int `json:"DataType"` + InstanceLevel bool `json:"InstanceLevel"` +} + +func Generate(sourcePath, outputDir string) error { + if sourcePath == "" { + sourcePath = DefaultSourcePath + } + if outputDir == "" { + outputDir = DefaultOutputDir + } + + pamTypes, err := readPAMTypes(sourcePath) + if err != nil { + return err + } + sort.Slice(pamTypes, func(i, j int) bool { + return strings.ToLower(pamTypes[i].Name) < strings.ToLower(pamTypes[j].Name) + }) + + if err := os.MkdirAll(outputDir, 0o755); err != nil { + return err + } + + files := map[string]string{ + "README.md": renderIndex(pamTypes), + "create-pam-types.md": renderCreatePAMTypes(pamTypes), + "create-pam-providers.md": renderCreatePAMProviders(pamTypes), + } + + for name, content := range files { + path := filepath.Join(outputDir, name) + if err := os.WriteFile(path, []byte(content), 0o644); err != nil { + return fmt.Errorf("write %s: %w", path, err) + } + } + + fmt.Printf("Generated PAM operation docs for %d PAM types in %s\n", len(pamTypes), outputDir) + return nil +} + +func readPAMTypes(path string) ([]pamType, error) { + data, err := os.ReadFile(path) + if err != nil { + return nil, fmt.Errorf("read %s: %w", path, err) + } + + var pamTypes []pamType + if err := json.Unmarshal(data, &pamTypes); err != nil { + return nil, fmt.Errorf("parse %s: %w", path, err) + } + if len(pamTypes) == 0 { + return nil, fmt.Errorf("%s did not contain any PAM types", path) + } + for i := range pamTypes { + if pamTypes[i].Name == "" { + return nil, fmt.Errorf("PAM type at index %d is missing Name", i) + } + } + return pamTypes, nil +} + +func renderIndex(pamTypes []pamType) string { + var b strings.Builder + b.WriteString(generatedMarker + "\n") + b.WriteString("# PAM Operations\n\n") + b.WriteString("Use cases for creating PAM provider types and PAM providers with `kfutil`.\n\n") + b.WriteString("These docs are generated from `cmd/pam_types.json`. 
Regenerate after PAM type metadata changes:\n\n") + b.WriteString("```bash\n") + b.WriteString("kfutil makedocs\n") + b.WriteString("```\n\n") + b.WriteString("- [Create PAM Types](create-pam-types.md)\n") + b.WriteString("- [Create PAM Providers](create-pam-providers.md)\n\n") + writePAMTypeTable(&b, pamTypes) + return b.String() +} + +func renderCreatePAMTypes(pamTypes []pamType) string { + var b strings.Builder + b.WriteString(generatedMarker + "\n") + b.WriteString("# Create PAM Types\n\n") + b.WriteString("[PAM Operations](README.md) | [Use Cases](../README.md)\n\n") + b.WriteString("This use case installs the PAM provider type definitions embedded in `cmd/pam_types.json`.\n\n") + b.WriteString("## Create All Embedded PAM Types\n\n") + b.WriteString("```bash\n") + b.WriteString("kfutil pam-types create --all --no-prompt\n") + b.WriteString("```\n\n") + b.WriteString("## Create One PAM Type\n\n") + b.WriteString("Use `--name` when you only want one provider type:\n\n") + b.WriteString("```bash\n") + b.WriteString("kfutil pam-types create --name Hashicorp-Vault --no-prompt\n") + b.WriteString("```\n\n") + b.WriteString("## Commands For Each Embedded PAM Type\n\n") + for _, pamType := range pamTypes { + b.WriteString("### " + pamType.Name + "\n\n") + b.WriteString("```bash\n") + b.WriteString(fmt.Sprintf("kfutil pam-types create --name %s --no-prompt\n", shellQuote(pamType.Name))) + b.WriteString("```\n\n") + } + b.WriteString("## Verify\n\n") + b.WriteString("```bash\n") + b.WriteString("kfutil pam-types list --no-prompt\n") + b.WriteString("```\n\n") + writeReferences(&b) + return b.String() +} + +func renderCreatePAMProviders(pamTypes []pamType) string { + var b strings.Builder + b.WriteString(generatedMarker + "\n") + b.WriteString("# Create PAM Providers\n\n") + b.WriteString("[PAM Operations](README.md) | [Use Cases](../README.md)\n\n") + b.WriteString("This use case creates PAM providers from JSON files. 
`kfutil pam create` currently accepts provider configuration with `--from-file`.\n\n") + b.WriteString("Create the PAM provider type first, then create the provider that uses it:\n\n") + b.WriteString("```bash\n") + b.WriteString("kfutil pam-types create --name Hashicorp-Vault --no-prompt\n") + b.WriteString("kfutil pam create --from-file hashicorp-vault-provider.json --no-prompt\n") + b.WriteString("```\n\n") + b.WriteString("Provider JSON contains provider-level connection settings only. Certificate-store instance parameters are not set on the provider; they are supplied later on certificate store CSV columns such as `Properties.ServerPassword.Parameters.SecretId`.\n\n") + b.WriteString("Provider type IDs and provider parameter IDs are assigned by Command when PAM types are created. Get the live provider type first and replace the `Id` placeholders in the generated template before running `kfutil pam create`:\n\n") + b.WriteString("```bash\n") + b.WriteString("kfutil pam-types get --name Hashicorp-Vault --no-prompt\n") + b.WriteString("```\n\n") + writePAMTypeTable(&b, pamTypes) + b.WriteString("## Provider Examples\n\n") + for _, pamType := range pamTypes { + writeProviderExample(&b, pamType) + } + writeReferences(&b) + return b.String() +} + +func writePAMTypeTable(b *strings.Builder, pamTypes []pamType) { + b.WriteString("## Embedded PAM Types\n\n") + b.WriteString("| PAM type | Provider configuration parameters | Certificate store instance parameters |\n") + b.WriteString("| --- | --- | --- |\n") + for _, pamType := range pamTypes { + b.WriteString(fmt.Sprintf("| `%s` | %s | %s |\n", + mdTable(pamType.Name), + mdTable(strings.Join(parameterNames(pamType.Parameters, false), ", ")), + mdTable(strings.Join(parameterNames(pamType.Parameters, true), ", ")), + )) + } + b.WriteString("\n") +} + +func writeProviderExample(b *strings.Builder, pamType pamType) { + fileName := slugify(pamType.Name) + "-provider.json" + b.WriteString("### " + pamType.Name + "\n\n") + 
b.WriteString("Write a provider config file:\n\n") + b.WriteString("```json\n") + b.WriteString(providerJSON(pamType)) + b.WriteString("\n```\n\n") + b.WriteString("Create the provider:\n\n") + b.WriteString("```bash\n") + b.WriteString(fmt.Sprintf("kfutil pam create --from-file %s --no-prompt\n", fileName)) + b.WriteString("```\n\n") +} + +func providerJSON(pamType pamType) string { + providerParams := filterParameters(pamType.Parameters, false) + templateParams := make([]providerTemplateParameter, 0, len(providerParams)) + templateValues := make([]providerTemplateParamValue, 0, len(providerParams)) + for _, param := range providerParams { + templateParam := providerTemplateParameter{ + Id: "<" + param.Name + "-parameter-id>", + Name: param.Name, + DisplayName: param.DisplayName, + DataType: param.DataType, + InstanceLevel: param.InstanceLevel, + } + templateParams = append(templateParams, templateParam) + templateValues = append(templateValues, providerTemplateParamValue{ + Value: placeholderValue(param), + ProviderTypeParam: templateParam, + }) + } + + template := providerTemplate{ + Area: 1, + Name: "example-" + slugify(pamType.Name), + Remote: false, + ProviderType: providerTemplateType{ + Id: "", + Name: pamType.Name, + ProviderTypeParams: templateParams, + }, + ProviderTypeParamValues: templateValues, + SecuredAreaId: nil, + } + + var out bytes.Buffer + encoder := json.NewEncoder(&out) + encoder.SetEscapeHTML(false) + encoder.SetIndent("", " ") + err := encoder.Encode(template) + if err != nil { + panic(err) + } + return strings.TrimSpace(out.String()) +} + +func parameterNames(parameters []pamParameter, instanceLevel bool) []string { + params := filterParameters(parameters, instanceLevel) + if len(params) == 0 { + return []string{"-"} + } + names := make([]string, 0, len(params)) + for _, param := range params { + names = append(names, param.Name) + } + return names +} + +func filterParameters(parameters []pamParameter, instanceLevel bool) []pamParameter { 
+ var filtered []pamParameter + for _, param := range parameters { + if param.InstanceLevel == instanceLevel { + filtered = append(filtered, param) + } + } + return filtered +} + +func placeholderValue(param pamParameter) string { + name := strings.ToLower(param.Name) + if name == "clientid" || name == "clientsecret" { + return "N/A" + } + if name == "granttype" { + return "password" + } + if strings.Contains(name, "uri") || strings.Contains(name, "url") || strings.Contains(name, "host") { + return "https://example.invalid" + } + if param.DataType == 2 || strings.Contains(name, "secret") || strings.Contains(name, "token") || strings.Contains(name, "password") || strings.Contains(name, "key") { + return "" + } + return "<" + param.Name + ">" +} + +func writeReferences(b *strings.Builder) { + b.WriteString("## References\n\n") + b.WriteString("- [kfutil pam create](../../kfutil_pam_create.md)\n") + b.WriteString("- [kfutil pam list](../../kfutil_pam_list.md)\n") + b.WriteString("- [kfutil pam-types create](../../kfutil_pam-types_create.md)\n") + b.WriteString("- [kfutil pam-types list](../../kfutil_pam-types_list.md)\n") +} + +func slugify(value string) string { + value = strings.ToLower(value) + re := regexp.MustCompile(`[^a-z0-9]+`) + value = re.ReplaceAllString(value, "-") + return strings.Trim(value, "-") +} + +func shellQuote(value string) string { + if regexp.MustCompile(`^[A-Za-z0-9._-]+$`).MatchString(value) { + return value + } + return "'" + strings.ReplaceAll(value, "'", `'\''`) + "'" +} + +func mdTable(s string) string { + s = strings.TrimSpace(s) + if s == "" { + return "-" + } + s = html.EscapeString(s) + s = strings.ReplaceAll(s, "|", `\|`) + s = strings.ReplaceAll(s, "\r\n", "\n") + s = strings.ReplaceAll(s, "\r", "\n") + s = strings.ReplaceAll(s, "\n", "
") + return s +} diff --git a/internal/docgen/storetypedocs/storetypedocs.go b/internal/docgen/storetypedocs/storetypedocs.go new file mode 100644 index 00000000..80967cf9 --- /dev/null +++ b/internal/docgen/storetypedocs/storetypedocs.go 
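Review bot: `placeholderValue` classifies a parameter as a secret from the bare literal `param.DataType == 2` plus substring matches on `secret`, `token`, `password` and `key`, and nothing in the file says what DataType 2 denotes or why `ClientId`/`ClientSecret` are rendered as `N/A` and `GrantType` as `password`; a comment on that branch such as `// DataType 2 is treated as the secret data type in pam_types.json — confirm against the source; the substring checks are a heuristic fallback` would stop the next maintainer from reading the heuristic as authoritative. The `key` substring is broad enough to match any parameter whose name merely contains "key", so the hedge is warranted. Separately, `slugify` and `shellQuote` call `regexp.MustCompile` on every invocation; the idiomatic form is a package-level `var slugPattern = regexp.MustCompile(`[^a-z0-9]+`)` (and likewise for the shell-safe pattern), and the same applies to the copies in storetypedocs.go. `providerJSON` panics on an encoder failure while every other failure in `Generate` is returned as a wrapped error; returning `(string, error)` and propagating it through `writeProviderExample` would be consistent with the rest of the file.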
@@ -0,0 +1,643 @@ +// Copyright 2026 Keyfactor +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package storetypedocs + +import ( + "bytes" + "encoding/json" + "fmt" + "html" + "os" + "path/filepath" + "regexp" + "sort" + "strings" +) + +const generatedMarker = "" + +const ( + DefaultStoreTypesSource = "cmd/store_types.json" + DefaultPAMTypesSource = "cmd/pam_types.json" + DefaultOutputDir = "docs/use-cases/Certificate Store Operations/Store Types" +) + +type storeType struct { + Name string `json:"Name"` + ShortName string `json:"ShortName"` + Capability string `json:"Capability"` + StorePathType string `json:"StorePathType"` + StorePathValue any `json:"StorePathValue"` + StorePathDescription string `json:"StorePathDescription"` + ClientMachineDescription string `json:"ClientMachineDescription"` + ServerRequired bool `json:"ServerRequired"` + CustomAliasAllowed string `json:"CustomAliasAllowed"` + PrivateKeyAllowed string `json:"PrivateKeyAllowed"` + LocalStore bool `json:"LocalStore"` + BlueprintAllowed bool `json:"BlueprintAllowed"` + PowerShell bool `json:"PowerShell"` + Properties []storeTypeProperty `json:"Properties"` + EntryParameters []entryParameter `json:"EntryParameters"` + PasswordOptions passwordOptions `json:"PasswordOptions"` + SupportedOperations map[string]bool `json:"SupportedOperations"` +} + +type storeTypeProperty struct { + Name string `json:"Name"` + DisplayName string `json:"DisplayName"` + Description string `json:"Description"` 
+ Type string `json:"Type"` + DependsOn any `json:"DependsOn"` + DefaultValue any `json:"DefaultValue"` + Required bool `json:"Required"` + IsPAMEligible bool `json:"IsPAMEligible"` + IsPamEligable bool `json:"IsPamEligable"` + Options any `json:"Options"` +} + +type entryParameter struct { + Name string `json:"Name"` + DisplayName string `json:"DisplayName"` + Description string `json:"Description"` + Type string `json:"Type"` + DependsOn any `json:"DependsOn"` + DefaultValue any `json:"DefaultValue"` + RequiredWhen any `json:"RequiredWhen"` + Options any `json:"Options"` +} + +type passwordOptions struct { + Style string `json:"Style"` + EntrySupported bool `json:"EntrySupported"` + StoreRequired bool `json:"StoreRequired"` + StorePassword *storePassword `json:"StorePassword"` +} + +type storePassword struct { + Description string `json:"Description"` + IsPAMEligible bool `json:"IsPAMEligible"` +} + +type pamType struct { + Name string `json:"Name"` + Parameters []pamParameter `json:"Parameters"` +} + +type pamParameter struct { + Name string `json:"Name"` + DisplayName string `json:"DisplayName"` + Description string `json:"Description"` + DataType int `json:"DataType"` + InstanceLevel bool `json:"InstanceLevel"` +} + +func Generate(sourcePath, pamPath, outputDir string) error { + if sourcePath == "" { + sourcePath = DefaultStoreTypesSource + } + if pamPath == "" { + pamPath = DefaultPAMTypesSource + } + if outputDir == "" { + outputDir = DefaultOutputDir + } + + storeTypes, err := readStoreTypes(sourcePath) + if err != nil { + return err + } + pamTypes, err := readPAMTypes(pamPath) + if err != nil { + return err + } + + sort.Slice(storeTypes, func(i, j int) bool { + return strings.ToLower(storeTypes[i].ShortName) < strings.ToLower(storeTypes[j].ShortName) + }) + sort.Slice(pamTypes, func(i, j int) bool { + return strings.ToLower(pamTypes[i].Name) < strings.ToLower(pamTypes[j].Name) + }) + + slugs := uniqueSlugs(storeTypes) + + if err := os.MkdirAll(outputDir, 
0o755); err != nil { + return err + } + if err := removeStaleGeneratedDocs(outputDir); err != nil { + return err + } + + for _, st := range storeTypes { + fileName := slugs[st.ShortName] + ".md" + path := filepath.Join(outputDir, fileName) + if err := os.WriteFile(path, []byte(renderStoreTypeDoc(st, pamTypes)), 0o644); err != nil { + return fmt.Errorf("write %s: %w", path, err) + } + } + + indexPath := filepath.Join(outputDir, "README.md") + if err := os.WriteFile(indexPath, []byte(renderIndex(storeTypes, slugs, pamTypes)), 0o644); err != nil { + return fmt.Errorf("write %s: %w", indexPath, err) + } + + fmt.Printf("Generated %d store type docs in %s\n", len(storeTypes), outputDir) + return nil +} + +func readStoreTypes(path string) ([]storeType, error) { + data, err := os.ReadFile(path) + if err != nil { + return nil, fmt.Errorf("read %s: %w", path, err) + } + + var storeTypes []storeType + if err := json.Unmarshal(data, &storeTypes); err != nil { + return nil, fmt.Errorf("parse %s: %w", path, err) + } + if len(storeTypes) == 0 { + return nil, fmt.Errorf("%s did not contain any store types", path) + } + for i := range storeTypes { + if storeTypes[i].ShortName == "" { + return nil, fmt.Errorf("store type at index %d is missing ShortName", i) + } + } + return storeTypes, nil +} + +func readPAMTypes(path string) ([]pamType, error) { + data, err := os.ReadFile(path) + if err != nil { + return nil, fmt.Errorf("read %s: %w", path, err) + } + + var pamTypes []pamType + if err := json.Unmarshal(data, &pamTypes); err != nil { + return nil, fmt.Errorf("parse %s: %w", path, err) + } + if len(pamTypes) == 0 { + return nil, fmt.Errorf("%s did not contain any PAM types", path) + } + for i := range pamTypes { + if pamTypes[i].Name == "" { + return nil, fmt.Errorf("PAM type at index %d is missing Name", i) + } + } + return pamTypes, nil +} + +func removeStaleGeneratedDocs(dir string) error { + entries, err := os.ReadDir(dir) + if err != nil { + if os.IsNotExist(err) { + return nil 
+ } + return err + } + + for _, entry := range entries { + if entry.IsDir() || filepath.Ext(entry.Name()) != ".md" { + continue + } + path := filepath.Join(dir, entry.Name()) + data, err := os.ReadFile(path) + if err != nil { + return err + } + if bytes.Contains(data, []byte(generatedMarker)) { + if err := os.Remove(path); err != nil { + return err + } + } + } + return nil +} + +func uniqueSlugs(storeTypes []storeType) map[string]string { + counts := map[string]int{} + slugs := map[string]string{} + for _, st := range storeTypes { + base := slugify(st.ShortName) + if base == "" { + base = slugify(st.Name) + } + if base == "" { + base = "store-type" + } + counts[base]++ + slug := base + if counts[base] > 1 { + slug = fmt.Sprintf("%s-%d", base, counts[base]) + } + slugs[st.ShortName] = slug + } + return slugs +} + +func slugify(value string) string { + value = strings.ToLower(value) + re := regexp.MustCompile(`[^a-z0-9]+`) + value = re.ReplaceAllString(value, "-") + return strings.Trim(value, "-") +} + +func renderIndex(storeTypes []storeType, slugs map[string]string, pamTypes []pamType) string { + var b strings.Builder + b.WriteString(generatedMarker + "\n") + b.WriteString("# Store Type Bulk Create And Update Guides\n\n") + b.WriteString("These docs are generated from `cmd/store_types.json` and `cmd/pam_types.json` and describe the CSV columns used by `kfutil stores import csv` for each embedded certificate store type.\n\n") + b.WriteString("Regenerate after store type metadata changes:\n\n") + b.WriteString("```bash\n") + b.WriteString("kfutil makedocs\n") + b.WriteString("```\n\n") + b.WriteString("Use `kfutil stores import generate-template` against a live Command environment when you need a template that reflects deployed customizations.\n\n") + writePAMTypeIndex(&b, pamTypes) + b.WriteString("## Store Types\n\n") + b.WriteString("| Store Type | Name | Store Password | Secret/PAM Columns |\n") + b.WriteString("| --- | --- | --- | --- |\n") + for _, st := range 
storeTypes { + secretCount := 0 + for _, prop := range st.Properties { + if isSecretProperty(prop) { + secretCount++ + } + } + b.WriteString(fmt.Sprintf("| [`%s`](%s.md) | %s | %s | %s |\n", + mdTable(st.ShortName), + slugs[st.ShortName], + mdTable(st.Name), + mdTable(storePasswordSummary(st.PasswordOptions)), + mdTable(secretColumnSummary(secretCount)), + )) + } + return b.String() +} + +func renderStoreTypeDoc(st storeType, pamTypes []pamType) string { + var b strings.Builder + title := st.ShortName + if st.Name != "" { + title += " - " + st.Name + } + + b.WriteString(generatedMarker + "\n") + b.WriteString("# " + title + "\n\n") + b.WriteString("[Store Type Index](README.md) | [Certificate Store Operations](../README.md)\n\n") + b.WriteString("Generated from `cmd/store_types.json`. Regenerate with:\n\n") + b.WriteString("```bash\n") + b.WriteString("kfutil makedocs\n") + b.WriteString("```\n\n") + + writeOverview(&b, st) + writeBulkCreate(&b, st) + writeBulkUpdate(&b, st) + writeProperties(&b, st) + writeEntryParameters(&b, st) + writeSecretFormatting(&b, st, pamTypes) + writeReferences(&b) + + return b.String() +} + +func writeOverview(b *strings.Builder, st storeType) { + b.WriteString("## Overview\n\n") + b.WriteString("| Field | Value |\n") + b.WriteString("| --- | --- |\n") + b.WriteString(fmt.Sprintf("| Store type | `%s` |\n", mdTable(st.ShortName))) + b.WriteString(fmt.Sprintf("| Name | %s |\n", mdTable(st.Name))) + b.WriteString(fmt.Sprintf("| Capability | %s |\n", mdTable(blank(st.Capability)))) + b.WriteString(fmt.Sprintf("| Server required | %s |\n", yesNo(st.ServerRequired))) + b.WriteString(fmt.Sprintf("| Store path type | %s |\n", mdTable(value(st.StorePathType)))) + b.WriteString(fmt.Sprintf("| Store path value | %s |\n", mdTable(value(st.StorePathValue)))) + b.WriteString(fmt.Sprintf("| Custom alias | %s |\n", mdTable(blank(st.CustomAliasAllowed)))) + b.WriteString(fmt.Sprintf("| Private key | %s |\n", mdTable(blank(st.PrivateKeyAllowed)))) + 
b.WriteString(fmt.Sprintf("| Store password | %s |\n", mdTable(storePasswordSummary(st.PasswordOptions)))) + b.WriteString(fmt.Sprintf("| Supported operations | %s |\n\n", mdTable(supportedOperations(st.SupportedOperations)))) + + if st.ClientMachineDescription != "" { + b.WriteString("**ClientMachine:** " + mdText(st.ClientMachineDescription) + "\n\n") + } + if st.StorePathDescription != "" { + b.WriteString("**StorePath:** " + mdText(st.StorePathDescription) + "\n\n") + } +} + +func writeBulkCreate(b *strings.Builder, st storeType) { + b.WriteString("## Bulk Create\n\n") + b.WriteString("Use one CSV per store type. The generated create headers for this store type are:\n\n") + b.WriteString("```csv\n") + b.WriteString(strings.Join(createHeaders(st), ",") + "\n") + b.WriteString("```\n\n") + b.WriteString("Create stores from the CSV:\n\n") + b.WriteString("```bash\n") + b.WriteString(fmt.Sprintf("kfutil stores import csv \\\n --file %s_bulk_create.csv \\\n --store-type-name %s \\\n --no-prompt\n", shellName(st.ShortName), shellQuote(st.ShortName))) + b.WriteString("```\n\n") + b.WriteString("To generate a live template from Command instead of using the static header list above:\n\n") + b.WriteString("```bash\n") + b.WriteString(fmt.Sprintf("kfutil stores import generate-template \\\n --store-type-name %s \\\n --outpath %s_bulk_create_template.csv \\\n --no-prompt\n", shellQuote(st.ShortName), shellName(st.ShortName))) + b.WriteString("```\n\n") +} + +func writeBulkUpdate(b *strings.Builder, st storeType) { + b.WriteString("## Bulk Update\n\n") + b.WriteString("Export existing stores, edit the desired columns, then sync the rows back by `Id`:\n\n") + b.WriteString("```bash\n") + b.WriteString(fmt.Sprintf("kfutil stores export \\\n --store-type-name %s \\\n --outpath %s_export.csv \\\n --no-prompt\n\n", shellQuote(st.ShortName), shellName(st.ShortName))) + b.WriteString(fmt.Sprintf("kfutil stores import csv \\\n --file %s_export.csv \\\n --store-type-name %s \\\n 
--sync \\\n --no-prompt\n", shellName(st.ShortName), shellQuote(st.ShortName))) + b.WriteString("```\n\n") + b.WriteString("Minimum sync rows must include `Id`. Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them.\n\n") + b.WriteString("Common update headers for this store type are:\n\n") + b.WriteString("```csv\n") + b.WriteString(strings.Join(updateHeaders(st), ",") + "\n") + b.WriteString("```\n\n") +} + +func writeProperties(b *strings.Builder, st storeType) { + b.WriteString("## Store Properties\n\n") + if len(st.Properties) == 0 { + b.WriteString("This store type does not define additional `Properties.*` CSV columns.\n\n") + return + } + + b.WriteString("| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description |\n") + b.WriteString("| --- | --- | --- | --- | --- | --- | --- | --- |\n") + for _, prop := range st.Properties { + b.WriteString(fmt.Sprintf("| `Properties.%s` | %s | %s | %s | %s | %s | %s | %s |\n", + mdTable(prop.Name), + mdTable(blank(prop.DisplayName)), + mdTable(blank(prop.Type)), + yesNo(prop.Required), + mdTable(value(prop.DefaultValue)), + mdTable(value(prop.DependsOn)), + mdTable(secretPropertySummary(prop)), + mdTable(blank(prop.Description)), + )) + } + b.WriteString("\n") +} + +func writeEntryParameters(b *strings.Builder, st storeType) { + if len(st.EntryParameters) == 0 { + return + } + + b.WriteString("## Certificate Entry Parameters\n\n") + b.WriteString("These parameters apply to certificate add/enrollment operations for this store type. 
They are not store create/sync CSV columns unless another workflow explicitly asks for them.\n\n") + b.WriteString("| Name | Display name | Type | Required when | Default | Depends on | Description |\n") + b.WriteString("| --- | --- | --- | --- | --- | --- | --- |\n") + for _, param := range st.EntryParameters { + b.WriteString(fmt.Sprintf("| `%s` | %s | %s | %s | %s | %s | %s |\n", + mdTable(param.Name), + mdTable(blank(param.DisplayName)), + mdTable(blank(param.Type)), + mdTable(value(param.RequiredWhen)), + mdTable(value(param.DefaultValue)), + mdTable(value(param.DependsOn)), + mdTable(blank(param.Description)), + )) + } + b.WriteString("\n") +} + +func writeSecretFormatting(b *strings.Builder, st storeType, pamTypes []pamType) { + secretProps := secretProperties(st) + storePasswordEligible := st.PasswordOptions.StorePassword != nil && st.PasswordOptions.StorePassword.IsPAMEligible + if len(secretProps) == 0 && !storePasswordEligible { + return + } + + b.WriteString("## Secret And PAM Formatting\n\n") + if len(secretProps) > 0 { + b.WriteString("Direct secret values go in the base property column. If the secret value is JSON, keep the entire JSON document in one quoted CSV cell.\n\n") + b.WriteString("```csv\n") + for _, prop := range secretProps { + b.WriteString(fmt.Sprintf("Properties.%s\n", prop.Name)) + } + b.WriteString("```\n\n") + b.WriteString("PAM-backed property secrets use a provider column and provider-type-specific parameter columns. `Provider` identifies the configured PAM provider. 
`Parameters.*` must match the instance-level parameters for that provider type.\n\n") + b.WriteString("```csv\n") + for _, prop := range secretProps { + b.WriteString(fmt.Sprintf("Properties.%s.Provider,Properties.%s.Parameters.\n", prop.Name, prop.Name)) + } + b.WriteString("```\n\n") + b.WriteString("Use the PAM parameter names in the table below, or check the provider type in Command if your environment uses custom PAM types.\n\n") + } + if st.PasswordOptions.StorePassword != nil { + b.WriteString("The store password uses the `Password` column. ") + if st.PasswordOptions.StorePassword.IsPAMEligible { + b.WriteString("For a PAM-backed store password, use `Password.ProviderId` and `Password.Parameters.` columns. The `Parameters.*` columns must match the instance-level parameters for the configured PAM provider type.\n\n") + } else { + b.WriteString("This store type metadata does not mark the store password as PAM eligible.\n\n") + } + } + writePAMParameterTable(b, pamTypes) +} + +func writePAMTypeIndex(b *strings.Builder, pamTypes []pamType) { + b.WriteString("## PAM Provider Parameter Columns\n\n") + b.WriteString("PAM-backed secret columns vary by PAM provider type. Certificate store CSV rows can only set the instance-level parameter names exposed to certificate stores, with the secret column prefix. 
For example, use `Properties.ServerPassword.Parameters.SecretId` or `Password.Parameters.SecretId`.\n\n") + writePAMParameterTable(b, pamTypes) +} + +func writePAMParameterTable(b *strings.Builder, pamTypes []pamType) { + b.WriteString("| PAM type | Store CSV parameter names |\n") + b.WriteString("| --- | --- |\n") + for _, pamType := range pamTypes { + b.WriteString(fmt.Sprintf("| `%s` | %s |\n", + mdTable(pamType.Name), + mdTable(strings.Join(instanceParameterNames(pamType.Parameters), ", ")), + )) + } + b.WriteString("\n") +} + +func instanceParameterNames(parameters []pamParameter) []string { + var names []string + for _, parameter := range parameters { + if parameter.InstanceLevel { + names = append(names, parameter.Name) + } + } + if len(names) == 0 { + return []string{"-"} + } + return names +} + +func writeReferences(b *strings.Builder) { + b.WriteString("## References\n\n") + b.WriteString("- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md)\n") + b.WriteString("- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md)\n") + b.WriteString("- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md)\n") + b.WriteString("- [kfutil stores import csv](../../../kfutil_stores_import_csv.md)\n") + b.WriteString("- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md)\n") +} + +func createHeaders(st storeType) []string { + headers := []string{ + "ContainerId", + "ClientMachine", + "StorePath", + "CreateIfMissing", + } + for _, prop := range st.Properties { + headers = append(headers, "Properties."+prop.Name) + } + headers = append(headers, + "AgentId", + "InventorySchedule.Immediate", + "InventorySchedule.Interval.Minutes", + "InventorySchedule.Daily.Time", + "InventorySchedule.Weekly.Days", + "InventorySchedule.Weekly.Time", + ) + if st.PasswordOptions.StoreRequired { + headers = append(headers, "Password") + } + return headers +} + +func 
updateHeaders(st storeType) []string { + headers := append([]string{"Id"}, createHeaders(st)...) + return headers +} + +func secretProperties(st storeType) []storeTypeProperty { + var props []storeTypeProperty + for _, prop := range st.Properties { + if isSecretProperty(prop) { + props = append(props, prop) + } + } + return props +} + +func isSecretProperty(prop storeTypeProperty) bool { + return strings.EqualFold(prop.Type, "Secret") || prop.IsPAMEligible || prop.IsPamEligable +} + +func secretPropertySummary(prop storeTypeProperty) string { + if !isSecretProperty(prop) { + return "No" + } + if prop.IsPAMEligible || prop.IsPamEligable { + return "Secret; PAM eligible" + } + return "Secret" +} + +func storePasswordSummary(options passwordOptions) string { + if options.StoreRequired { + if options.StorePassword != nil && options.StorePassword.IsPAMEligible { + return "Required; PAM eligible" + } + return "Required" + } + if options.StorePassword != nil && options.StorePassword.IsPAMEligible { + return "Optional; PAM eligible" + } + return "Not required" +} + +func secretColumnSummary(secretCount int) string { + switch secretCount { + case 0: + return "None" + case 1: + return "1 secret property" + default: + return fmt.Sprintf("%d secret properties", secretCount) + } +} + +func supportedOperations(ops map[string]bool) string { + if len(ops) == 0 { + return "-" + } + var enabled []string + for op, ok := range ops { + if ok { + enabled = append(enabled, op) + } + } + sort.Strings(enabled) + if len(enabled) == 0 { + return "None" + } + return strings.Join(enabled, ", ") +} + +func value(v any) string { + if v == nil { + return "-" + } + switch typed := v.(type) { + case string: + return blank(typed) + case bool: + return yesNo(typed) + case float64: + return fmt.Sprintf("%v", typed) + default: + data, err := json.Marshal(typed) + if err != nil { + return fmt.Sprintf("%v", typed) + } + return string(data) + } +} + +func blank(s string) string { + if strings.TrimSpace(s) 
== "" { + return "-" + } + return s +} + +func yesNo(v bool) string { + if v { + return "Yes" + } + return "No" +} + +func mdTable(s string) string { + s = mdText(s) + s = strings.ReplaceAll(s, "|", `\|`) + return s +} + +func mdText(s string) string { + s = strings.TrimSpace(s) + if s == "" { + return "-" + } + s = html.EscapeString(s) + s = strings.ReplaceAll(s, "\r\n", "\n") + s = strings.ReplaceAll(s, "\r", "\n") + s = strings.ReplaceAll(s, "\n", "
") + return s +} + +func shellName(value string) string { + return slugify(value) +} + +func shellQuote(value string) string { + if regexp.MustCompile(`^[A-Za-z0-9._-]+$`).MatchString(value) { + return value + } + return "'" + strings.ReplaceAll(value, "'", `'\''`) + "'" +} diff --git a/tools/pamdocs/main.go b/tools/pamdocs/main.go index d495cc78..04f6afd8 100644 --- a/tools/pamdocs/main.go +++ b/tools/pamdocs/main.go 
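Review bot: `removeStaleGeneratedDocs` deletes every `.md` file in the output directory whose bytes contain `generatedMarker`, and as rendered here that constant is the empty string; `bytes.Contains` with an empty needle is always true, so with that value the function would remove every Markdown file under `docs/use-cases/Certificate Store Operations/Store Types`, hand-written ones included. The constant is very likely an HTML comment that the page rendering stripped, but a destructive path should not depend on that: add `if generatedMarker == "" { return fmt.Errorf("refusing to prune %s: generated marker is empty", dir) }` at the top of the function. A second gap is in `uniqueSlugs`: `readStoreTypes` rejects only a missing `ShortName`, not a duplicate one, and `slugs` is keyed by `ShortName`, so two store types sharing a `ShortName` collapse to one map entry (the later `base-2` slug), both docs are written to the same file and the first is silently overwritten; rejecting duplicates in `readStoreTypes` with a `seen` set and `return nil, fmt.Errorf("duplicate ShortName %q at index %d", storeTypes[i].ShortName, i)` closes that. `createHeaders` also emits the `Password` column only when `PasswordOptions.StoreRequired` is true, while `storePasswordSummary` and `writeSecretFormatting` describe an optional PAM-eligible store password; if the CSV import accepts `Password` for optional passwords, the generated header list under-reports it — worth confirming against the import command.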
@@ -15,330 +15,20 @@ package main import ( - "bytes" - "encoding/json" "flag" "fmt" - "html" "os" - "path/filepath" - "regexp" - "sort" - "strings" -) - -const generatedMarker = "" -var ( - sourcePath = flag.String("source", "cmd/pam_types.json", "path to pam_types.json") - outputDir = flag.String("out", "docs/use-cases/PAM Operations", "output directory for generated docs") + "kfutil/internal/docgen/pamdocs" ) -type pamType struct { - Name string `json:"Name"` - Parameters []pamParameter `json:"Parameters"` -} - -type pamParameter struct { - Name string `json:"Name"` - DisplayName string `json:"DisplayName"` - Description string `json:"Description"` - DataType int `json:"DataType"` - InstanceLevel bool `json:"InstanceLevel"` -} - -type providerTemplate struct { - Area int `json:"Area"` - Name string `json:"Name"` - Remote bool `json:"Remote"` - ProviderType providerTemplateType `json:"ProviderType"` - ProviderTypeParamValues []providerTemplateParamValue `json:"ProviderTypeParamValues"` - SecuredAreaId *int `json:"SecuredAreaId"` -} - -type providerTemplateType struct { - Id string `json:"Id"` - Name string `json:"Name"` - ProviderTypeParams []providerTemplateParameter `json:"ProviderTypeParams"` -} - -type providerTemplateParamValue struct { - Value string `json:"Value"` - ProviderTypeParam providerTemplateParameter `json:"ProviderTypeParam"` -} - -type providerTemplateParameter struct { - Id string `json:"Id"` - Name string `json:"Name"` - DisplayName string `json:"DisplayName,omitempty"` - DataType int `json:"DataType"` - InstanceLevel bool `json:"InstanceLevel"` -} - func main() { + sourcePath := flag.String("source", pamdocs.DefaultSourcePath, "path to pam_types.json") + outputDir := flag.String("out", pamdocs.DefaultOutputDir, "output directory for generated docs") flag.Parse() - pamTypes, err := readPAMTypes(*sourcePath) - if err != nil { - fatal(err) - } - sort.Slice(pamTypes, func(i, j int) bool { - return strings.ToLower(pamTypes[i].Name) < 
strings.ToLower(pamTypes[j].Name) - }) - - if err := os.MkdirAll(*outputDir, 0o755); err != nil { - fatal(err) - } - - files := map[string]string{ - "README.md": renderIndex(pamTypes), - "create-pam-types.md": renderCreatePAMTypes(pamTypes), - "create-pam-providers.md": renderCreatePAMProviders(pamTypes), - } - - for name, content := range files { - path := filepath.Join(*outputDir, name) - if err := os.WriteFile(path, []byte(content), 0o644); err != nil { - fatal(fmt.Errorf("write %s: %w", path, err)) - } - } - - fmt.Printf("Generated PAM operation docs for %d PAM types in %s\n", len(pamTypes), *outputDir) -} - -func readPAMTypes(path string) ([]pamType, error) { - data, err := os.ReadFile(path) - if err != nil { - return nil, fmt.Errorf("read %s: %w", path, err) - } - - var pamTypes []pamType - if err := json.Unmarshal(data, &pamTypes); err != nil { - return nil, fmt.Errorf("parse %s: %w", path, err) - } - if len(pamTypes) == 0 { - return nil, fmt.Errorf("%s did not contain any PAM types", path) - } - for i := range pamTypes { - if pamTypes[i].Name == "" { - return nil, fmt.Errorf("PAM type at index %d is missing Name", i) - } - } - return pamTypes, nil -} - -func renderIndex(pamTypes []pamType) string { - var b strings.Builder - b.WriteString(generatedMarker + "\n") - b.WriteString("# PAM Operations\n\n") - b.WriteString("Use cases for creating PAM provider types and PAM providers with `kfutil`.\n\n") - b.WriteString("These docs are generated from `cmd/pam_types.json`. 
Regenerate after PAM type metadata changes:\n\n") - b.WriteString("```bash\n") - b.WriteString("make pam-operation-docs\n") - b.WriteString("```\n\n") - b.WriteString("- [Create PAM Types](create-pam-types.md)\n") - b.WriteString("- [Create PAM Providers](create-pam-providers.md)\n\n") - writePAMTypeTable(&b, pamTypes) - return b.String() -} - -func renderCreatePAMTypes(pamTypes []pamType) string { - var b strings.Builder - b.WriteString(generatedMarker + "\n") - b.WriteString("# Create PAM Types\n\n") - b.WriteString("[PAM Operations](README.md) | [Use Cases](../README.md)\n\n") - b.WriteString("This use case installs the PAM provider type definitions embedded in `cmd/pam_types.json`.\n\n") - b.WriteString("## Create All Embedded PAM Types\n\n") - b.WriteString("```bash\n") - b.WriteString("kfutil pam-types create --all --no-prompt\n") - b.WriteString("```\n\n") - b.WriteString("## Create One PAM Type\n\n") - b.WriteString("Use `--name` when you only want one provider type:\n\n") - b.WriteString("```bash\n") - b.WriteString("kfutil pam-types create --name Hashicorp-Vault --no-prompt\n") - b.WriteString("```\n\n") - b.WriteString("## Commands For Each Embedded PAM Type\n\n") - for _, pamType := range pamTypes { - b.WriteString("### " + pamType.Name + "\n\n") - b.WriteString("```bash\n") - b.WriteString(fmt.Sprintf("kfutil pam-types create --name %s --no-prompt\n", shellQuote(pamType.Name))) - b.WriteString("```\n\n") - } - b.WriteString("## Verify\n\n") - b.WriteString("```bash\n") - b.WriteString("kfutil pam-types list --no-prompt\n") - b.WriteString("```\n\n") - writeReferences(&b) - return b.String() -} - -func renderCreatePAMProviders(pamTypes []pamType) string { - var b strings.Builder - b.WriteString(generatedMarker + "\n") - b.WriteString("# Create PAM Providers\n\n") - b.WriteString("[PAM Operations](README.md) | [Use Cases](../README.md)\n\n") - b.WriteString("This use case creates PAM providers from JSON files. 
`kfutil pam create` currently accepts provider configuration with `--from-file`.\n\n") - b.WriteString("Create the PAM provider type first, then create the provider that uses it:\n\n") - b.WriteString("```bash\n") - b.WriteString("kfutil pam-types create --name Hashicorp-Vault --no-prompt\n") - b.WriteString("kfutil pam create --from-file hashicorp-vault-provider.json --no-prompt\n") - b.WriteString("```\n\n") - b.WriteString("Provider JSON contains provider-level connection settings only. Certificate-store instance parameters are not set on the provider; they are supplied later on certificate store CSV columns such as `Properties.ServerPassword.Parameters.SecretId`.\n\n") - b.WriteString("Provider type IDs and provider parameter IDs are assigned by Command when PAM types are created. Get the live provider type first and replace the `Id` placeholders in the generated template before running `kfutil pam create`:\n\n") - b.WriteString("```bash\n") - b.WriteString("kfutil pam-types get --name Hashicorp-Vault --no-prompt\n") - b.WriteString("```\n\n") - writePAMTypeTable(&b, pamTypes) - b.WriteString("## Provider Examples\n\n") - for _, pamType := range pamTypes { - writeProviderExample(&b, pamType) + if err := pamdocs.Generate(*sourcePath, *outputDir); err != nil { + fmt.Fprintln(os.Stderr, err) + os.Exit(1) } - writeReferences(&b) - return b.String() -} - -func writePAMTypeTable(b *strings.Builder, pamTypes []pamType) { - b.WriteString("## Embedded PAM Types\n\n") - b.WriteString("| PAM type | Provider configuration parameters | Certificate store instance parameters |\n") - b.WriteString("| --- | --- | --- |\n") - for _, pamType := range pamTypes { - b.WriteString(fmt.Sprintf("| `%s` | %s | %s |\n", - mdTable(pamType.Name), - mdTable(strings.Join(parameterNames(pamType.Parameters, false), ", ")), - mdTable(strings.Join(parameterNames(pamType.Parameters, true), ", ")), - )) - } - b.WriteString("\n") -} - -func writeProviderExample(b *strings.Builder, pamType pamType) 
{ - fileName := slugify(pamType.Name) + "-provider.json" - b.WriteString("### " + pamType.Name + "\n\n") - b.WriteString("Write a provider config file:\n\n") - b.WriteString("```json\n") - b.WriteString(providerJSON(pamType)) - b.WriteString("\n```\n\n") - b.WriteString("Create the provider:\n\n") - b.WriteString("```bash\n") - b.WriteString(fmt.Sprintf("kfutil pam create --from-file %s --no-prompt\n", fileName)) - b.WriteString("```\n\n") -} - -func providerJSON(pamType pamType) string { - providerParams := filterParameters(pamType.Parameters, false) - templateParams := make([]providerTemplateParameter, 0, len(providerParams)) - templateValues := make([]providerTemplateParamValue, 0, len(providerParams)) - for _, param := range providerParams { - templateParam := providerTemplateParameter{ - Id: "<" + param.Name + "-parameter-id>", - Name: param.Name, - DisplayName: param.DisplayName, - DataType: param.DataType, - InstanceLevel: param.InstanceLevel, - } - templateParams = append(templateParams, templateParam) - templateValues = append(templateValues, providerTemplateParamValue{ - Value: placeholderValue(param), - ProviderTypeParam: templateParam, - }) - } - - template := providerTemplate{ - Area: 1, - Name: "example-" + slugify(pamType.Name), - Remote: false, - ProviderType: providerTemplateType{ - Id: "", - Name: pamType.Name, - ProviderTypeParams: templateParams, - }, - ProviderTypeParamValues: templateValues, - SecuredAreaId: nil, - } - - var out bytes.Buffer - encoder := json.NewEncoder(&out) - encoder.SetEscapeHTML(false) - encoder.SetIndent("", " ") - err := encoder.Encode(template) - if err != nil { - panic(err) - } - return strings.TrimSpace(out.String()) -} - -func parameterNames(parameters []pamParameter, instanceLevel bool) []string { - params := filterParameters(parameters, instanceLevel) - if len(params) == 0 { - return []string{"-"} - } - names := make([]string, 0, len(params)) - for _, param := range params { - names = append(names, param.Name) - } 
- return names -} - -func filterParameters(parameters []pamParameter, instanceLevel bool) []pamParameter { - var filtered []pamParameter - for _, param := range parameters { - if param.InstanceLevel == instanceLevel { - filtered = append(filtered, param) - } - } - return filtered -} - -func placeholderValue(param pamParameter) string { - name := strings.ToLower(param.Name) - if strings.Contains(name, "uri") || strings.Contains(name, "url") || strings.Contains(name, "host") { - return "https://example.invalid" - } - if param.DataType == 2 || strings.Contains(name, "secret") || strings.Contains(name, "token") || strings.Contains(name, "password") || strings.Contains(name, "key") { - return "" - } - if strings.Contains(name, "grant") { - return "client_credentials" - } - return "<" + param.Name + ">" -} - -func writeReferences(b *strings.Builder) { - b.WriteString("## References\n\n") - b.WriteString("- [kfutil pam create](../../kfutil_pam_create.md)\n") - b.WriteString("- [kfutil pam list](../../kfutil_pam_list.md)\n") - b.WriteString("- [kfutil pam-types create](../../kfutil_pam-types_create.md)\n") - b.WriteString("- [kfutil pam-types list](../../kfutil_pam-types_list.md)\n") -} - -func slugify(value string) string { - value = strings.ToLower(value) - re := regexp.MustCompile(`[^a-z0-9]+`) - value = re.ReplaceAllString(value, "-") - return strings.Trim(value, "-") -} - -func shellQuote(value string) string { - if regexp.MustCompile(`^[A-Za-z0-9._-]+$`).MatchString(value) { - return value - } - return "'" + strings.ReplaceAll(value, "'", `'\''`) + "'" -} - -func mdTable(s string) string { - s = strings.TrimSpace(s) - if s == "" { - return "-" - } - s = html.EscapeString(s) - s = strings.ReplaceAll(s, "|", `\|`) - s = strings.ReplaceAll(s, "\r\n", "\n") - s = strings.ReplaceAll(s, "\r", "\n") - s = strings.ReplaceAll(s, "\n", "
") - return s -} - -func fatal(err error) { - fmt.Fprintln(os.Stderr, err) - os.Exit(1) } diff --git a/tools/storetypedocs/main.go b/tools/storetypedocs/main.go index ed687cda..db6d4b34 100644 --- a/tools/storetypedocs/main.go +++ b/tools/storetypedocs/main.go 
@@ -15,626 +15,21 @@ package main import ( - "bytes" - "encoding/json" "flag" "fmt" - "html" "os" - "path/filepath" - "regexp" - "sort" - "strings" -) - -const generatedMarker = "" -var ( - sourcePath = flag.String("source", "cmd/store_types.json", "path to store_types.json") - pamPath = flag.String("pam-source", "cmd/pam_types.json", "path to pam_types.json") - outputDir = flag.String("out", "docs/use-cases/Certificate Store Operations/Store Types", "output directory for generated docs") + "kfutil/internal/docgen/storetypedocs" ) -type storeType struct { - Name string `json:"Name"` - ShortName string `json:"ShortName"` - Capability string `json:"Capability"` - StorePathType string `json:"StorePathType"` - StorePathValue any `json:"StorePathValue"` - StorePathDescription string `json:"StorePathDescription"` - ClientMachineDescription string `json:"ClientMachineDescription"` - ServerRequired bool `json:"ServerRequired"` - CustomAliasAllowed string `json:"CustomAliasAllowed"` - PrivateKeyAllowed string `json:"PrivateKeyAllowed"` - LocalStore bool `json:"LocalStore"` - BlueprintAllowed bool `json:"BlueprintAllowed"` - PowerShell bool `json:"PowerShell"` - Properties []storeTypeProperty `json:"Properties"` - EntryParameters []entryParameter `json:"EntryParameters"` - PasswordOptions passwordOptions `json:"PasswordOptions"` - SupportedOperations map[string]bool `json:"SupportedOperations"` -} - -type storeTypeProperty struct { - Name string `json:"Name"` - DisplayName string `json:"DisplayName"` - Description string `json:"Description"` - Type string `json:"Type"` - DependsOn any `json:"DependsOn"` - DefaultValue any `json:"DefaultValue"` - Required bool `json:"Required"` - IsPAMEligible bool `json:"IsPAMEligible"` - IsPamEligable bool `json:"IsPamEligable"` - Options any `json:"Options"` -} - -type entryParameter struct { - Name string `json:"Name"` - DisplayName string `json:"DisplayName"` - Description string `json:"Description"` - Type string `json:"Type"` - 
DependsOn any `json:"DependsOn"` - DefaultValue any `json:"DefaultValue"` - RequiredWhen any `json:"RequiredWhen"` - Options any `json:"Options"` -} - -type passwordOptions struct { - Style string `json:"Style"` - EntrySupported bool `json:"EntrySupported"` - StoreRequired bool `json:"StoreRequired"` - StorePassword *storePassword `json:"StorePassword"` -} - -type storePassword struct { - Description string `json:"Description"` - IsPAMEligible bool `json:"IsPAMEligible"` -} - -type pamType struct { - Name string `json:"Name"` - Parameters []pamParameter `json:"Parameters"` -} - -type pamParameter struct { - Name string `json:"Name"` - DisplayName string `json:"DisplayName"` - Description string `json:"Description"` - DataType int `json:"DataType"` - InstanceLevel bool `json:"InstanceLevel"` -} - func main() { + sourcePath := flag.String("source", storetypedocs.DefaultStoreTypesSource, "path to store_types.json") + pamPath := flag.String("pam-source", storetypedocs.DefaultPAMTypesSource, "path to pam_types.json") + outputDir := flag.String("out", storetypedocs.DefaultOutputDir, "output directory for generated docs") flag.Parse() - storeTypes, err := readStoreTypes(*sourcePath) - if err != nil { - fatal(err) - } - pamTypes, err := readPAMTypes(*pamPath) - if err != nil { - fatal(err) - } - - sort.Slice(storeTypes, func(i, j int) bool { - return strings.ToLower(storeTypes[i].ShortName) < strings.ToLower(storeTypes[j].ShortName) - }) - sort.Slice(pamTypes, func(i, j int) bool { - return strings.ToLower(pamTypes[i].Name) < strings.ToLower(pamTypes[j].Name) - }) - - slugs := uniqueSlugs(storeTypes) - - if err := os.MkdirAll(*outputDir, 0o755); err != nil { - fatal(err) - } - if err := removeStaleGeneratedDocs(*outputDir); err != nil { - fatal(err) - } - - for _, st := range storeTypes { - fileName := slugs[st.ShortName] + ".md" - path := filepath.Join(*outputDir, fileName) - if err := os.WriteFile(path, []byte(renderStoreTypeDoc(st, pamTypes)), 0o644); err != nil { - 
fatal(fmt.Errorf("write %s: %w", path, err)) - } - } - - indexPath := filepath.Join(*outputDir, "README.md") - if err := os.WriteFile(indexPath, []byte(renderIndex(storeTypes, slugs, pamTypes)), 0o644); err != nil { - fatal(fmt.Errorf("write %s: %w", indexPath, err)) - } - - fmt.Printf("Generated %d store type docs in %s\n", len(storeTypes), *outputDir) -} - -func readStoreTypes(path string) ([]storeType, error) { - data, err := os.ReadFile(path) - if err != nil { - return nil, fmt.Errorf("read %s: %w", path, err) - } - - var storeTypes []storeType - if err := json.Unmarshal(data, &storeTypes); err != nil { - return nil, fmt.Errorf("parse %s: %w", path, err) - } - if len(storeTypes) == 0 { - return nil, fmt.Errorf("%s did not contain any store types", path) - } - for i := range storeTypes { - if storeTypes[i].ShortName == "" { - return nil, fmt.Errorf("store type at index %d is missing ShortName", i) - } - } - return storeTypes, nil -} - -func readPAMTypes(path string) ([]pamType, error) { - data, err := os.ReadFile(path) - if err != nil { - return nil, fmt.Errorf("read %s: %w", path, err) - } - - var pamTypes []pamType - if err := json.Unmarshal(data, &pamTypes); err != nil { - return nil, fmt.Errorf("parse %s: %w", path, err) - } - if len(pamTypes) == 0 { - return nil, fmt.Errorf("%s did not contain any PAM types", path) - } - for i := range pamTypes { - if pamTypes[i].Name == "" { - return nil, fmt.Errorf("PAM type at index %d is missing Name", i) - } - } - return pamTypes, nil -} - -func removeStaleGeneratedDocs(dir string) error { - entries, err := os.ReadDir(dir) - if err != nil { - if os.IsNotExist(err) { - return nil - } - return err - } - - for _, entry := range entries { - if entry.IsDir() || filepath.Ext(entry.Name()) != ".md" { - continue - } - path := filepath.Join(dir, entry.Name()) - data, err := os.ReadFile(path) - if err != nil { - return err - } - if bytes.Contains(data, []byte(generatedMarker)) { - if err := os.Remove(path); err != nil { - return 
err - } - } - } - return nil -} - -func uniqueSlugs(storeTypes []storeType) map[string]string { - counts := map[string]int{} - slugs := map[string]string{} - for _, st := range storeTypes { - base := slugify(st.ShortName) - if base == "" { - base = slugify(st.Name) - } - if base == "" { - base = "store-type" - } - counts[base]++ - slug := base - if counts[base] > 1 { - slug = fmt.Sprintf("%s-%d", base, counts[base]) - } - slugs[st.ShortName] = slug - } - return slugs -} - -func slugify(value string) string { - value = strings.ToLower(value) - re := regexp.MustCompile(`[^a-z0-9]+`) - value = re.ReplaceAllString(value, "-") - return strings.Trim(value, "-") -} - -func renderIndex(storeTypes []storeType, slugs map[string]string, pamTypes []pamType) string { - var b strings.Builder - b.WriteString(generatedMarker + "\n") - b.WriteString("# Store Type Bulk Create And Update Guides\n\n") - b.WriteString("These docs are generated from `cmd/store_types.json` and `cmd/pam_types.json` and describe the CSV columns used by `kfutil stores import csv` for each embedded certificate store type.\n\n") - b.WriteString("Regenerate after store type metadata changes:\n\n") - b.WriteString("```bash\n") - b.WriteString("make store-type-docs\n") - b.WriteString("```\n\n") - b.WriteString("Use `kfutil stores import generate-template` against a live Command environment when you need a template that reflects deployed customizations.\n\n") - writePAMTypeIndex(&b, pamTypes) - b.WriteString("## Store Types\n\n") - b.WriteString("| Store Type | Name | Store Password | Secret/PAM Columns |\n") - b.WriteString("| --- | --- | --- | --- |\n") - for _, st := range storeTypes { - secretCount := 0 - for _, prop := range st.Properties { - if isSecretProperty(prop) { - secretCount++ - } - } - b.WriteString(fmt.Sprintf("| [`%s`](%s.md) | %s | %s | %s |\n", - mdTable(st.ShortName), - slugs[st.ShortName], - mdTable(st.Name), - mdTable(storePasswordSummary(st.PasswordOptions)), - 
mdTable(secretColumnSummary(secretCount)), - )) - } - return b.String() -} - -func renderStoreTypeDoc(st storeType, pamTypes []pamType) string { - var b strings.Builder - title := st.ShortName - if st.Name != "" { - title += " - " + st.Name - } - - b.WriteString(generatedMarker + "\n") - b.WriteString("# " + title + "\n\n") - b.WriteString("[Store Type Index](README.md) | [Certificate Store Operations](../README.md)\n\n") - b.WriteString("Generated from `cmd/store_types.json`. Regenerate with:\n\n") - b.WriteString("```bash\n") - b.WriteString("make store-type-docs\n") - b.WriteString("```\n\n") - - writeOverview(&b, st) - writeBulkCreate(&b, st) - writeBulkUpdate(&b, st) - writeProperties(&b, st) - writeEntryParameters(&b, st) - writeSecretFormatting(&b, st, pamTypes) - writeReferences(&b) - - return b.String() -} - -func writeOverview(b *strings.Builder, st storeType) { - b.WriteString("## Overview\n\n") - b.WriteString("| Field | Value |\n") - b.WriteString("| --- | --- |\n") - b.WriteString(fmt.Sprintf("| Store type | `%s` |\n", mdTable(st.ShortName))) - b.WriteString(fmt.Sprintf("| Name | %s |\n", mdTable(st.Name))) - b.WriteString(fmt.Sprintf("| Capability | %s |\n", mdTable(blank(st.Capability)))) - b.WriteString(fmt.Sprintf("| Server required | %s |\n", yesNo(st.ServerRequired))) - b.WriteString(fmt.Sprintf("| Store path type | %s |\n", mdTable(value(st.StorePathType)))) - b.WriteString(fmt.Sprintf("| Store path value | %s |\n", mdTable(value(st.StorePathValue)))) - b.WriteString(fmt.Sprintf("| Custom alias | %s |\n", mdTable(blank(st.CustomAliasAllowed)))) - b.WriteString(fmt.Sprintf("| Private key | %s |\n", mdTable(blank(st.PrivateKeyAllowed)))) - b.WriteString(fmt.Sprintf("| Store password | %s |\n", mdTable(storePasswordSummary(st.PasswordOptions)))) - b.WriteString(fmt.Sprintf("| Supported operations | %s |\n\n", mdTable(supportedOperations(st.SupportedOperations)))) - - if st.ClientMachineDescription != "" { - b.WriteString("**ClientMachine:** " + 
mdText(st.ClientMachineDescription) + "\n\n") - } - if st.StorePathDescription != "" { - b.WriteString("**StorePath:** " + mdText(st.StorePathDescription) + "\n\n") - } -} - -func writeBulkCreate(b *strings.Builder, st storeType) { - b.WriteString("## Bulk Create\n\n") - b.WriteString("Use one CSV per store type. The generated create headers for this store type are:\n\n") - b.WriteString("```csv\n") - b.WriteString(strings.Join(createHeaders(st), ",") + "\n") - b.WriteString("```\n\n") - b.WriteString("Create stores from the CSV:\n\n") - b.WriteString("```bash\n") - b.WriteString(fmt.Sprintf("kfutil stores import csv \\\n --file %s_bulk_create.csv \\\n --store-type-name %s \\\n --no-prompt\n", shellName(st.ShortName), shellQuote(st.ShortName))) - b.WriteString("```\n\n") - b.WriteString("To generate a live template from Command instead of using the static header list above:\n\n") - b.WriteString("```bash\n") - b.WriteString(fmt.Sprintf("kfutil stores import generate-template \\\n --store-type-name %s \\\n --outpath %s_bulk_create_template.csv \\\n --no-prompt\n", shellQuote(st.ShortName), shellName(st.ShortName))) - b.WriteString("```\n\n") -} - -func writeBulkUpdate(b *strings.Builder, st storeType) { - b.WriteString("## Bulk Update\n\n") - b.WriteString("Export existing stores, edit the desired columns, then sync the rows back by `Id`:\n\n") - b.WriteString("```bash\n") - b.WriteString(fmt.Sprintf("kfutil stores export \\\n --store-type-name %s \\\n --outpath %s_export.csv \\\n --no-prompt\n\n", shellQuote(st.ShortName), shellName(st.ShortName))) - b.WriteString(fmt.Sprintf("kfutil stores import csv \\\n --file %s_export.csv \\\n --store-type-name %s \\\n --sync \\\n --no-prompt\n", shellName(st.ShortName), shellQuote(st.ShortName))) - b.WriteString("```\n\n") - b.WriteString("Minimum sync rows must include `Id`. 
Keep `ClientMachine`, `StorePath`, and any unchanged property columns in the export unless you intentionally want to update them.\n\n") - b.WriteString("Common update headers for this store type are:\n\n") - b.WriteString("```csv\n") - b.WriteString(strings.Join(updateHeaders(st), ",") + "\n") - b.WriteString("```\n\n") -} - -func writeProperties(b *strings.Builder, st storeType) { - b.WriteString("## Store Properties\n\n") - if len(st.Properties) == 0 { - b.WriteString("This store type does not define additional `Properties.*` CSV columns.\n\n") - return - } - - b.WriteString("| CSV column | Display name | Type | Required | Default | Depends on | Secret/PAM | Description |\n") - b.WriteString("| --- | --- | --- | --- | --- | --- | --- | --- |\n") - for _, prop := range st.Properties { - b.WriteString(fmt.Sprintf("| `Properties.%s` | %s | %s | %s | %s | %s | %s | %s |\n", - mdTable(prop.Name), - mdTable(blank(prop.DisplayName)), - mdTable(blank(prop.Type)), - yesNo(prop.Required), - mdTable(value(prop.DefaultValue)), - mdTable(value(prop.DependsOn)), - mdTable(secretPropertySummary(prop)), - mdTable(blank(prop.Description)), - )) - } - b.WriteString("\n") -} - -func writeEntryParameters(b *strings.Builder, st storeType) { - if len(st.EntryParameters) == 0 { - return - } - - b.WriteString("## Certificate Entry Parameters\n\n") - b.WriteString("These parameters apply to certificate add/enrollment operations for this store type. 
They are not store create/sync CSV columns unless another workflow explicitly asks for them.\n\n") - b.WriteString("| Name | Display name | Type | Required when | Default | Depends on | Description |\n") - b.WriteString("| --- | --- | --- | --- | --- | --- | --- |\n") - for _, param := range st.EntryParameters { - b.WriteString(fmt.Sprintf("| `%s` | %s | %s | %s | %s | %s | %s |\n", - mdTable(param.Name), - mdTable(blank(param.DisplayName)), - mdTable(blank(param.Type)), - mdTable(value(param.RequiredWhen)), - mdTable(value(param.DefaultValue)), - mdTable(value(param.DependsOn)), - mdTable(blank(param.Description)), - )) + if err := storetypedocs.Generate(*sourcePath, *pamPath, *outputDir); err != nil { + fmt.Fprintln(os.Stderr, err) + os.Exit(1) } - b.WriteString("\n") -} - -func writeSecretFormatting(b *strings.Builder, st storeType, pamTypes []pamType) { - secretProps := secretProperties(st) - storePasswordEligible := st.PasswordOptions.StorePassword != nil && st.PasswordOptions.StorePassword.IsPAMEligible - if len(secretProps) == 0 && !storePasswordEligible { - return - } - - b.WriteString("## Secret And PAM Formatting\n\n") - if len(secretProps) > 0 { - b.WriteString("Direct secret values go in the base property column. If the secret value is JSON, keep the entire JSON document in one quoted CSV cell.\n\n") - b.WriteString("```csv\n") - for _, prop := range secretProps { - b.WriteString(fmt.Sprintf("Properties.%s\n", prop.Name)) - } - b.WriteString("```\n\n") - b.WriteString("PAM-backed property secrets use a provider column and provider-type-specific parameter columns. `Provider` identifies the configured PAM provider. 
`Parameters.*` must match the instance-level parameters for that provider type.\n\n") - b.WriteString("```csv\n") - for _, prop := range secretProps { - b.WriteString(fmt.Sprintf("Properties.%s.Provider,Properties.%s.Parameters.\n", prop.Name, prop.Name)) - } - b.WriteString("```\n\n") - b.WriteString("Use the PAM parameter names in the table below, or check the provider type in Command if your environment uses custom PAM types.\n\n") - } - if st.PasswordOptions.StorePassword != nil { - b.WriteString("The store password uses the `Password` column. ") - if st.PasswordOptions.StorePassword.IsPAMEligible { - b.WriteString("For a PAM-backed store password, use `Password.ProviderId` and `Password.Parameters.` columns. The `Parameters.*` columns must match the instance-level parameters for the configured PAM provider type.\n\n") - } else { - b.WriteString("This store type metadata does not mark the store password as PAM eligible.\n\n") - } - } - writePAMParameterTable(b, pamTypes) -} - -func writePAMTypeIndex(b *strings.Builder, pamTypes []pamType) { - b.WriteString("## PAM Provider Parameter Columns\n\n") - b.WriteString("PAM-backed secret columns vary by PAM provider type. Certificate store CSV rows can only set the instance-level parameter names exposed to certificate stores, with the secret column prefix. 
For example, use `Properties.ServerPassword.Parameters.SecretId` or `Password.Parameters.SecretId`.\n\n") - writePAMParameterTable(b, pamTypes) -} - -func writePAMParameterTable(b *strings.Builder, pamTypes []pamType) { - b.WriteString("| PAM type | Store CSV parameter names |\n") - b.WriteString("| --- | --- |\n") - for _, pamType := range pamTypes { - b.WriteString(fmt.Sprintf("| `%s` | %s |\n", - mdTable(pamType.Name), - mdTable(strings.Join(instanceParameterNames(pamType.Parameters), ", ")), - )) - } - b.WriteString("\n") -} - -func instanceParameterNames(parameters []pamParameter) []string { - var names []string - for _, parameter := range parameters { - if parameter.InstanceLevel { - names = append(names, parameter.Name) - } - } - if len(names) == 0 { - return []string{"-"} - } - return names -} - -func writeReferences(b *strings.Builder) { - b.WriteString("## References\n\n") - b.WriteString("- [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md)\n") - b.WriteString("- [Bulk Certificate Store Updates](../bulk-certificate-store-updates.md)\n") - b.WriteString("- [Migrate Static Store Credentials To A PAM Provider](../migrate-static-store-credentials-to-pam.md)\n") - b.WriteString("- [kfutil stores import csv](../../../kfutil_stores_import_csv.md)\n") - b.WriteString("- [kfutil stores import generate-template](../../../kfutil_stores_import_generate-template.md)\n") -} - -func createHeaders(st storeType) []string { - headers := []string{ - "ContainerId", - "ClientMachine", - "StorePath", - "CreateIfMissing", - } - for _, prop := range st.Properties { - headers = append(headers, "Properties."+prop.Name) - } - headers = append(headers, - "AgentId", - "InventorySchedule.Immediate", - "InventorySchedule.Interval.Minutes", - "InventorySchedule.Daily.Time", - "InventorySchedule.Weekly.Days", - "InventorySchedule.Weekly.Time", - ) - if st.PasswordOptions.StoreRequired { - headers = append(headers, "Password") - } - return headers -} - -func 
updateHeaders(st storeType) []string { - headers := append([]string{"Id"}, createHeaders(st)...) - return headers -} - -func secretProperties(st storeType) []storeTypeProperty { - var props []storeTypeProperty - for _, prop := range st.Properties { - if isSecretProperty(prop) { - props = append(props, prop) - } - } - return props -} - -func isSecretProperty(prop storeTypeProperty) bool { - return strings.EqualFold(prop.Type, "Secret") || prop.IsPAMEligible || prop.IsPamEligable -} - -func secretPropertySummary(prop storeTypeProperty) string { - if !isSecretProperty(prop) { - return "No" - } - if prop.IsPAMEligible || prop.IsPamEligable { - return "Secret; PAM eligible" - } - return "Secret" -} - -func storePasswordSummary(options passwordOptions) string { - if options.StoreRequired { - if options.StorePassword != nil && options.StorePassword.IsPAMEligible { - return "Required; PAM eligible" - } - return "Required" - } - if options.StorePassword != nil && options.StorePassword.IsPAMEligible { - return "Optional; PAM eligible" - } - return "Not required" -} - -func secretColumnSummary(secretCount int) string { - switch secretCount { - case 0: - return "None" - case 1: - return "1 secret property" - default: - return fmt.Sprintf("%d secret properties", secretCount) - } -} - -func supportedOperations(ops map[string]bool) string { - if len(ops) == 0 { - return "-" - } - var enabled []string - for op, ok := range ops { - if ok { - enabled = append(enabled, op) - } - } - sort.Strings(enabled) - if len(enabled) == 0 { - return "None" - } - return strings.Join(enabled, ", ") -} - -func value(v any) string { - if v == nil { - return "-" - } - switch typed := v.(type) { - case string: - return blank(typed) - case bool: - return yesNo(typed) - case float64: - return fmt.Sprintf("%v", typed) - default: - data, err := json.Marshal(typed) - if err != nil { - return fmt.Sprintf("%v", typed) - } - return string(data) - } -} - -func blank(s string) string { - if strings.TrimSpace(s) 
== "" { - return "-" - } - return s -} - -func yesNo(v bool) string { - if v { - return "Yes" - } - return "No" -} - -func mdTable(s string) string { - s = mdText(s) - s = strings.ReplaceAll(s, "|", `\|`) - return s -} - -func mdText(s string) string { - s = strings.TrimSpace(s) - if s == "" { - return "-" - } - s = html.EscapeString(s) - s = strings.ReplaceAll(s, "\r\n", "\n") - s = strings.ReplaceAll(s, "\r", "\n") - s = strings.ReplaceAll(s, "\n", "
") - return s -} - -func shellName(value string) string { - return slugify(value) -} - -func shellQuote(value string) string { - if regexp.MustCompile(`^[A-Za-z0-9._-]+$`).MatchString(value) { - return value - } - return "'" + strings.ReplaceAll(value, "'", `'\''`) + "'" -} - -func fatal(err error) { - fmt.Fprintln(os.Stderr, err) - os.Exit(1) } From 5e3ffe03bcf13c079aa3af0c0d95e8e8b3cdd9d8 Mon Sep 17 00:00:00 2001 From: spbsoluble <1661003+spbsoluble@users.noreply.github.com> Date: Sat, 2 May 2026 14:04:50 -0700 Subject: [PATCH 15/17] docs: document docs generation workflow --- README.md | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/README.md b/README.md index 58f4879d..a38f019b 100644 --- a/README.md +++ b/README.md @@ -532,6 +532,24 @@ kfutil stores inventory remove \ ## Development +### Regenerating documentation + +The command reference and generated use-case docs are checked into this repository. Regenerate them after changing CLI +commands, flags, embedded store type metadata, or embedded PAM type metadata: + +```bash +go run . makedocs +``` + +This updates: + +- `docs/kfutil*.md` command reference pages +- `docs/use-cases/Certificate Store Operations/Store Types/*.md` +- `docs/use-cases/PAM Operations/*.md` + +The store type and PAM operation docs are generated from `cmd/store_types.json` and `cmd/pam_types.json`. The generated +command docs intentionally omit date-based generator footers to avoid unrelated documentation churn. + This CLI developed using [cobra](https://umarcor.github.io/cobra/) ### Adding a new command From c44a61641c14ce11a7f2e59efb64461293120d46 Mon Sep 17 00:00:00 2001 
From: spbsoluble <1661003+spbsoluble@users.noreply.github.com> Date: Sun, 3 May 2026 07:29:40 -0700 Subject: [PATCH 16/17] fix: stabilize lab-backed CLI tests
---
 .github/config/MODULE.MD | 64 ++++++------------- .github/config/README.md | 102 +++++++++--------------- .github/config/environments.tf | 85 ++----------------------- .github/config/int1230_oauth.tf | 35 ---------- .github/config/int1230c_ad.tf | 16 ----- .github/config/int1230c_oauth.tf | 33 ---------- .github/config/variables.tf | 85 ++++--------------- cmd/helpers.go | 9 ++- cmd/login_test.go | 2 + cmd/pamTypes_test.go | 2 + cmd/pam_test.go | 5 +- cmd/root_test.go | 2 + cmd/storeTypes_get_test.go | 34 +++++++--- cmd/storeTypes_pagination_test.go | 24 +++++++ cmd/storeTypes_test.go | 95 ++++++++++++++-------------- cmd/storesBulkOperations.go | 5 ++ cmd/stores_test.go | 2 + cmd/test.go | 33 ++++++++++ 18 files changed, 220 insertions(+), 413 deletions(-) delete mode 100644 .github/config/int1230_oauth.tf delete mode 100644 .github/config/int1230c_ad.tf delete mode 100644 .github/config/int1230c_oauth.tf create mode 100644 cmd/storeTypes_pagination_test.go
diff --git a/.github/config/MODULE.MD b/.github/config/MODULE.MD
index b5afcef8..fdca24ad 100644
--- a/.github/config/MODULE.MD
+++ b/.github/config/MODULE.MD
@@ -1,64 +1,36 @@ ## Requirements -| Name | Version | -|---------------------------------------------------------------------------|---------| -| [terraform](#requirement\_terraform) | >= 1.0 | -| [github](#requirement\_github) | >=6.2 | +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.0 | +| [github](#requirement\_github) | >=6.2 | ## Providers -| Name | Version | -|------------------------------------------------------------|---------| -| [github](#provider\_github) | 6.3.1 | +| Name | Version | +|------|---------| +| [github](#provider\_github) | 6.3.1 | ## Modules -| Name | Source | Version | -|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------|---------| -| [keyfactor\_github\_test\_environment\_10\_5\_0](#module\_keyfactor\_github\_test\_environment\_10\_5\_0) | git::ssh://git@github.com/Keyfactor/terraform-module-keyfactor-github-test-environment-ad.git | main | -| [keyfactor\_github\_test\_environment\_10\_5\_0\_CLEAN](#module\_keyfactor\_github\_test\_environment\_10\_5\_0\_CLEAN) | git::ssh://git@github.com/Keyfactor/terraform-module-keyfactor-github-test-environment-ad.git | main | -| [keyfactor\_github\_test\_environment\_11\_5\_0](#module\_keyfactor\_github\_test\_environment\_11\_5\_0) | git::ssh://git@github.com/Keyfactor/terraform-module-keyfactor-github-test-environment-ad.git | main | -| [keyfactor\_github\_test\_environment\_11\_5\_0\_CLEAN](#module\_keyfactor\_github\_test\_environment\_11\_5\_0\_CLEAN) | git::ssh://git@github.com/Keyfactor/terraform-module-keyfactor-github-test-environment-ad.git | main | -| [keyfactor\_github\_test\_environment\_11\_5\_0\_OAUTH](#module\_keyfactor\_github\_test\_environment\_11\_5\_0\_OAUTH) | 
git::ssh://git@github.com/Keyfactor/terraform-module-keyfactor-github-test-environment-ad.git | main | -| [keyfactor\_github\_test\_environment\_11\_5\_0\_OAUTH\_CLEAN](#module\_keyfactor\_github\_test\_environment\_11\_5\_0\_OAUTH\_CLEAN) | git::ssh://git@github.com/Keyfactor/terraform-module-keyfactor-github-test-environment-ad.git | main | -| [keyfactor\_github\_test\_environment\_12\_3\_0\_AD](#module\_keyfactor\_github\_test\_environment\_12\_3\_0\_AD) | git::ssh://git@github.com/Keyfactor/terraform-module-keyfactor-github-test-environment-ad.git | main | -| [keyfactor\_github\_test\_environment\_12\_3\_0\_AD\_CLEAN](#module\_keyfactor\_github\_test\_environment\_12\_3\_0\_AD\_CLEAN) | git::ssh://git@github.com/Keyfactor/terraform-module-keyfactor-github-test-environment-ad.git | main | -| [keyfactor\_github\_test\_environment\_12\_3\_0\_OAUTH](#module\_keyfactor\_github\_test\_environment\_12\_3\_0\_OAUTH) | git::ssh://git@github.com/Keyfactor/terraform-module-keyfactor-github-test-environment-ad.git | main | -| [keyfactor\_github\_test\_environment\_12\_3\_0\_OAUTH\_CLEAN](#module\_keyfactor\_github\_test\_environment\_12\_3\_0\_OAUTH\_CLEAN) | git::ssh://git@github.com/Keyfactor/terraform-module-keyfactor-github-test-environment-ad.git | main | +| Name | Source | Version | +|------|--------|---------| +| [keyfactor\_github\_test\_environment\_ses\_2541](#module\_keyfactor\_github\_test\_environment\_ses\_2541) | git::ssh://git@github.com/Keyfactor/terraform-module-keyfactor-github-test-environment-ad.git | main | ## Resources -| Name | Type | -|---------------------------------------------------------------------------------------------------------------------------|-------------| +| Name | Type | +|------|------| | [github_repository.repo](https://registry.terraform.io/providers/integrations/github/latest/docs/data-sources/repository) | data source | ## Inputs -| Name | Description | Type | Default | Required | 
-|---------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------|----------|-----------------------------------------------------------------------------------------------------------|:--------:| -| [keyfactor\_auth\_token\_url](#input\_keyfactor\_auth\_token\_url) | The token URL to authenticate with the Keyfactor instance using oauth2 client credentials | `string` | `"https://int-oidc-lab.eastus2.cloudapp.azure.com:8444/realms/Keyfactor/protocol/openid-connect/token"` | no | -| [keyfactor\_client\_id](#input\_keyfactor\_client\_id) | The client ID to authenticate with the Keyfactor instance using oauth2 client credentials | `string` | n/a | yes | -| [keyfactor\_client\_secret](#input\_keyfactor\_client\_secret) | The client secret to authenticate with the Keyfactor instance using oauth2 client credentials | `string` | n/a | yes | -| [keyfactor\_hostname\_10\_5\_0](#input\_keyfactor\_hostname\_10\_5\_0) | The hostname of the Keyfactor v10.5.x instance | `string` | `"integrations1050-lab.kfdelivery.com"` | no | -| [keyfactor\_hostname\_10\_5\_0\_CLEAN](#input\_keyfactor\_hostname\_10\_5\_0\_CLEAN) | The hostname of the Keyfactor v10.5.x instance with no stores or orchestrators. This is used for store-type tests. | `string` | `"int1050-test-clean.kfdelivery.com"` | no | -| [keyfactor\_hostname\_11\_5\_0](#input\_keyfactor\_hostname\_11\_5\_0) | The hostname of the Keyfactor v11.5.x instance | `string` | `"integrations1150-lab.kfdelivery.com"` | no | -| [keyfactor\_hostname\_11\_5\_0\_CLEAN](#input\_keyfactor\_hostname\_11\_5\_0\_CLEAN) | The hostname of the Keyfactor v11.5.x instance with no stores or orchestrators. This is used for store-type tests. 
| `string` | `"int1150-test-clean.kfdelivery.com"` | no | -| [keyfactor\_hostname\_11\_5\_0\_OAUTH](#input\_keyfactor\_hostname\_11\_5\_0\_OAUTH) | The hostname of the Keyfactor instance | `string` | `"int-oidc-lab.eastus2.cloudapp.azure.com"` | no | -| [keyfactor\_hostname\_11\_5\_0\_OAUTH\_CLEAN](#input\_keyfactor\_hostname\_11\_5\_0\_OAUTH\_CLEAN) | The hostname of the Keyfactor instance | `string` | `"int1150-oauth-test-clean.eastus2.cloudapp.azure.com"` | no | -| [keyfactor\_hostname\_12\_3\_0](#input\_keyfactor\_hostname\_12\_3\_0) | The hostname of the Keyfactor v12.3.x instance | `string` | `"integrations1230-lab.kfdelivery.com"` | no | -| [keyfactor\_hostname\_12\_3\_0\_CLEAN](#input\_keyfactor\_hostname\_12\_3\_0\_CLEAN) | The hostname of the Keyfactor v12.3.x instance with no stores or orchestrators. This is used for store-type tests. | `string` | `"int1230-test-clean.kfdelivery.com"` | no | -| [keyfactor\_hostname\_12\_3\_0\_OAUTH](#input\_keyfactor\_hostname\_12\_3\_0\_OAUTH) | The hostname of the Keyfactor instance | `string` | `"int-oidc-lab.eastus2.cloudapp.azure.com"` | no | -| [keyfactor\_password\_AD](#input\_keyfactor\_password\_AD) | The password to authenticate with Keyfactor instance that uses AD authentication | `string` | n/a | yes | -| [keyfactor\_username\_AD](#input\_keyfactor\_username\_AD) | The username to authenticate with a Keyfactor instance that uses AD authentication | `string` | n/a | yes | -| [kfc1230\_client\_id](#input\_kfc1230\_client\_id) | The client ID to authenticate with the Keyfactor instance using oauth2 client credentials | `string` | n/a | yes | -| [kfc1230\_client\_secret](#input\_kfc1230\_client\_secret) | The client secret to authenticate with the Keyfactor instance using oauth2 client credentials | `string` | n/a | yes | -| [kfc1230\_oauth\_hostname](#input\_kfc1230\_oauth\_hostname) | The hostname of the Keyfactor instance | `string` | `"int1230c-oauth.eastus2.cloudapp.azure.com"` | no | -| 
[kfc1230\_oauth\_token\_url](#input\_kfc1230\_oauth\_token\_url) | The hostname of the Keyfactor instance | `string` | `"https://int1230c-oauth.eastus2.cloudapp.azure.com:8444/realms/Keyfactor/protocol/openid-connect/token"` | no | -| [kfc1230c\_ad\_hostname](#input\_kfc1230c\_ad\_hostname) | The hostname of the Keyfactor instance | `string` | `"int1230c-ad.eastus2.cloudapp.azure.com"` | no | -| [kfc1230c\_client\_id](#input\_kfc1230c\_client\_id) | The client ID to authenticate with the Keyfactor instance using oauth2 client credentials | `string` | n/a | yes | -| [kfc1230c\_client\_secret](#input\_kfc1230c\_client\_secret) | The client secret to authenticate with the Keyfactor instance using oauth2 client credentials | `string` | n/a | yes | -| [kfc1230c\_oauth\_hostname](#input\_kfc1230c\_oauth\_hostname) | The hostname of the Keyfactor instance | `string` | `"int1230c-oauth.eastus2.cloudapp.azure.com"` | no | -| [kfc1230c\_oauth\_token\_url](#input\_kfc1230c\_oauth\_token\_url) | The hostname of the Keyfactor instance | `string` | `"https://int1230c-oauth.eastus2.cloudapp.azure.com:8444/realms/Keyfactor/protocol/openid-connect/token"` | no | +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [ses\_2541\_auth\_token\_url](#input\_ses\_2541\_auth\_token\_url) | The OAuth token URL for the SES 25.4.1 Keyfactor Command instance | `string` | `"https://auth.kftestlab.com/oauth2/token"` | no | +| [ses\_2541\_client\_id](#input\_ses\_2541\_client\_id) | The OAuth client ID for the SES 25.4.1 Keyfactor Command instance | `string` | n/a | yes | +| [ses\_2541\_client\_secret](#input\_ses\_2541\_client\_secret) | The OAuth client secret for the SES 25.4.1 Keyfactor Command instance | `string` | n/a | yes | +| [ses\_2541\_hostname](#input\_ses\_2541\_hostname) | The hostname of the SES 25.4.1 Keyfactor Command instance | `string` | `"int25-4-1.kftestlab.com"` | no | ## Outputs 
diff --git a/.github/config/README.md b/.github/config/README.md index 2149532f..7a993d7c 100644 --- a/.github/config/README.md +++ b/.github/config/README.md @@ -1,14 +1,13 @@ # GitHub Test Environment Setup -This code sets up GitHub environments for testing against Keyfactor Command instances that are configured to use -Active Directory or Keycloak for authentication. +This code sets up GitHub environments for testing against the SES 25.4.1 Keyfactor Command lab. ## Requirements 1. Terraform >= 1.0 2. GitHub Provider >= 6.2 -3. Keyfactor Command instance(s) configured to use Active Directory or Keycloak for authentication -4. AD or Keycloak credentials for authenticating to the Keyfactor Command instance(s) +3. SES 25.4.1 Keyfactor Command lab access +4. OAuth credentials for authenticating to the Keyfactor Command instance 5. A GitHub token with access and permissions to the repository where the environments will be created ## Adding a new environment 
@@ -16,100 +15,59 @@ Active Directory or Keycloak for authentication. Modify the `environments.tf` file to include the new environment module. The module should be named appropriately. Example: -### Active Directory Environment +### SES 25.4.1 Environment ```hcl -module "keyfactor_github_test_environment_ad_10_5_0" { +module "keyfactor_github_test_environment_ses_2541" { source = "git::ssh://git@github.com/Keyfactor/terraform-module-keyfactor-github-test-environment-ad.git?ref=main" - gh_environment_name = "KFC_10_5_0" # Keyfactor Command 10.5.0 environment using Active Directory(/Basic Auth) - gh_repo_name = data.github_repository.repo.name - keyfactor_hostname = var.keyfactor_hostname_10_5_0 - keyfactor_username = var.keyfactor_username_AD - keyfactor_password = var.keyfactor_password_AD -} -``` - -### oAuth Client Environment - -```hcl -module "keyfactor_github_test_environment_12_3_0_kc" { - source = "git::ssh://git@github.com/Keyfactor/terraform-module-keyfactor-github-test-environment-kc.git?ref=main" - - gh_environment_name = "KFC_12_3_0_KC" # Keyfactor Command 12.3.0 environment using Keycloak + gh_environment_name = "SES_2541" gh_repo_name = data.github_repository.repo.name - keyfactor_hostname = var.keyfactor_hostname_12_3_0_OAUTH - keyfactor_auth_token_url = var.keyfactor_auth_token_url - keyfactor_client_id = var.keyfactor_client_id - keyfactor_client_secret = var.keyfactor_client_secret + keyfactor_hostname = var.ses_2541_hostname + keyfactor_auth_token_url = var.ses_2541_auth_token_url + keyfactor_client_id = var.ses_2541_client_id + keyfactor_client_secret = var.ses_2541_client_secret keyfactor_tls_skip_verify = true + keyfactor_config_file = base64encode(file("${path.module}/ses2541_command_config.json")) } ``` ## Requirements -| Name | Version | -|---------------------------------------------------------------------------|---------| -| [terraform](#requirement\_terraform) | >= 1.0 | -| [github](#requirement\_github) | >=6.2 | +| Name | Version | 
+|------|---------| +| [terraform](#requirement\_terraform) | >= 1.0 | +| [github](#requirement\_github) | >=6.2 | ## Providers -| Name | Version | -|------------------------------------------------------------|---------| -| [github](#provider\_github) | 6.3.1 | +| Name | Version | +|------|---------| +| [github](#provider\_github) | 6.3.1 | ## Modules -| Name | Source | Version | -|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------|---------| -| [keyfactor\_github\_test\_environment\_10\_5\_0](#module\_keyfactor\_github\_test\_environment\_10\_5\_0) | git::ssh://git@github.com/Keyfactor/terraform-module-keyfactor-github-test-environment-ad.git | main | -| [keyfactor\_github\_test\_environment\_10\_5\_0\_CLEAN](#module\_keyfactor\_github\_test\_environment\_10\_5\_0\_CLEAN) | git::ssh://git@github.com/Keyfactor/terraform-module-keyfactor-github-test-environment-ad.git | main | -| [keyfactor\_github\_test\_environment\_11\_5\_0](#module\_keyfactor\_github\_test\_environment\_11\_5\_0) | git::ssh://git@github.com/Keyfactor/terraform-module-keyfactor-github-test-environment-ad.git | main | -| [keyfactor\_github\_test\_environment\_11\_5\_0\_CLEAN](#module\_keyfactor\_github\_test\_environment\_11\_5\_0\_CLEAN) | git::ssh://git@github.com/Keyfactor/terraform-module-keyfactor-github-test-environment-ad.git | main | -| [keyfactor\_github\_test\_environment\_11\_5\_0\_OAUTH](#module\_keyfactor\_github\_test\_environment\_11\_5\_0\_OAUTH) | git::ssh://git@github.com/Keyfactor/terraform-module-keyfactor-github-test-environment-ad.git | main | -| [keyfactor\_github\_test\_environment\_11\_5\_0\_OAUTH\_CLEAN](#module\_keyfactor\_github\_test\_environment\_11\_5\_0\_OAUTH\_CLEAN) | 
git::ssh://git@github.com/Keyfactor/terraform-module-keyfactor-github-test-environment-ad.git | main | -| [keyfactor\_github\_test\_environment\_12\_3\_0\_AD](#module\_keyfactor\_github\_test\_environment\_12\_3\_0\_AD) | git::ssh://git@github.com/Keyfactor/terraform-module-keyfactor-github-test-environment-ad.git | main | -| [keyfactor\_github\_test\_environment\_12\_3\_0\_AD\_CLEAN](#module\_keyfactor\_github\_test\_environment\_12\_3\_0\_AD\_CLEAN) | git::ssh://git@github.com/Keyfactor/terraform-module-keyfactor-github-test-environment-ad.git | main | -| [keyfactor\_github\_test\_environment\_12\_3\_0\_OAUTH](#module\_keyfactor\_github\_test\_environment\_12\_3\_0\_OAUTH) | git::ssh://git@github.com/Keyfactor/terraform-module-keyfactor-github-test-environment-ad.git | main | -| [keyfactor\_github\_test\_environment\_12\_3\_0\_OAUTH\_CLEAN](#module\_keyfactor\_github\_test\_environment\_12\_3\_0\_OAUTH\_CLEAN) | git::ssh://git@github.com/Keyfactor/terraform-module-keyfactor-github-test-environment-ad.git | main | +| Name | Source | Version | +|------|--------|---------| +| [keyfactor\_github\_test\_environment\_ses\_2541](#module\_keyfactor\_github\_test\_environment\_ses\_2541) | git::ssh://git@github.com/Keyfactor/terraform-module-keyfactor-github-test-environment-ad.git | main | ## Resources -| Name | Type | -|---------------------------------------------------------------------------------------------------------------------------|-------------| +| Name | Type | +|------|------| | [github_repository.repo](https://registry.terraform.io/providers/integrations/github/latest/docs/data-sources/repository) | data source | ## Inputs -| Name | Description | Type | Default | Required | 
-|---------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------|----------|-----------------------------------------------------------------------------------------------------------|:--------:| -| [keyfactor\_auth\_token\_url](#input\_keyfactor\_auth\_token\_url) | The token URL to authenticate with the Keyfactor instance using oauth2 client credentials | `string` | `"https://int-oidc-lab.eastus2.cloudapp.azure.com:8444/realms/Keyfactor/protocol/openid-connect/token"` | no | -| [keyfactor\_client\_id](#input\_keyfactor\_client\_id) | The client ID to authenticate with the Keyfactor instance using oauth2 client credentials | `string` | n/a | yes | -| [keyfactor\_client\_secret](#input\_keyfactor\_client\_secret) | The client secret to authenticate with the Keyfactor instance using oauth2 client credentials | `string` | n/a | yes | -| [keyfactor\_hostname\_10\_5\_0](#input\_keyfactor\_hostname\_10\_5\_0) | The hostname of the Keyfactor v10.5.x instance | `string` | `"integrations1050-lab.kfdelivery.com"` | no | -| [keyfactor\_hostname\_10\_5\_0\_CLEAN](#input\_keyfactor\_hostname\_10\_5\_0\_CLEAN) | The hostname of the Keyfactor v10.5.x instance with no stores or orchestrators. This is used for store-type tests. | `string` | `"int1050-test-clean.kfdelivery.com"` | no | -| [keyfactor\_hostname\_11\_5\_0](#input\_keyfactor\_hostname\_11\_5\_0) | The hostname of the Keyfactor v11.5.x instance | `string` | `"integrations1150-lab.kfdelivery.com"` | no | -| [keyfactor\_hostname\_11\_5\_0\_CLEAN](#input\_keyfactor\_hostname\_11\_5\_0\_CLEAN) | The hostname of the Keyfactor v11.5.x instance with no stores or orchestrators. This is used for store-type tests. 
| `string` | `"int1150-test-clean.kfdelivery.com"` | no | -| [keyfactor\_hostname\_11\_5\_0\_OAUTH](#input\_keyfactor\_hostname\_11\_5\_0\_OAUTH) | The hostname of the Keyfactor instance | `string` | `"int-oidc-lab.eastus2.cloudapp.azure.com"` | no | -| [keyfactor\_hostname\_11\_5\_0\_OAUTH\_CLEAN](#input\_keyfactor\_hostname\_11\_5\_0\_OAUTH\_CLEAN) | The hostname of the Keyfactor instance | `string` | `"int1150-oauth-test-clean.eastus2.cloudapp.azure.com"` | no | -| [keyfactor\_hostname\_12\_3\_0](#input\_keyfactor\_hostname\_12\_3\_0) | The hostname of the Keyfactor v12.3.x instance | `string` | `"integrations1230-lab.kfdelivery.com"` | no | -| [keyfactor\_hostname\_12\_3\_0\_CLEAN](#input\_keyfactor\_hostname\_12\_3\_0\_CLEAN) | The hostname of the Keyfactor v12.3.x instance with no stores or orchestrators. This is used for store-type tests. | `string` | `"int1230-test-clean.kfdelivery.com"` | no | -| [keyfactor\_hostname\_12\_3\_0\_OAUTH](#input\_keyfactor\_hostname\_12\_3\_0\_OAUTH) | The hostname of the Keyfactor instance | `string` | `"int-oidc-lab.eastus2.cloudapp.azure.com"` | no | -| [keyfactor\_password\_AD](#input\_keyfactor\_password\_AD) | The password to authenticate with Keyfactor instance that uses AD authentication | `string` | n/a | yes | -| [keyfactor\_username\_AD](#input\_keyfactor\_username\_AD) | The username to authenticate with a Keyfactor instance that uses AD authentication | `string` | n/a | yes | -| [kfc1230\_client\_id](#input\_kfc1230\_client\_id) | The client ID to authenticate with the Keyfactor instance using oauth2 client credentials | `string` | n/a | yes | -| [kfc1230\_client\_secret](#input\_kfc1230\_client\_secret) | The client secret to authenticate with the Keyfactor instance using oauth2 client credentials | `string` | n/a | yes | -| [kfc1230\_oauth\_hostname](#input\_kfc1230\_oauth\_hostname) | The hostname of the Keyfactor instance | `string` | `"int1230c-oauth.eastus2.cloudapp.azure.com"` | no | -| 
[kfc1230\_oauth\_token\_url](#input\_kfc1230\_oauth\_token\_url) | The hostname of the Keyfactor instance | `string` | `"https://int1230c-oauth.eastus2.cloudapp.azure.com:8444/realms/Keyfactor/protocol/openid-connect/token"` | no | -| [kfc1230c\_ad\_hostname](#input\_kfc1230c\_ad\_hostname) | The hostname of the Keyfactor instance | `string` | `"int1230c-ad.eastus2.cloudapp.azure.com"` | no | -| [kfc1230c\_client\_id](#input\_kfc1230c\_client\_id) | The client ID to authenticate with the Keyfactor instance using oauth2 client credentials | `string` | n/a | yes | -| [kfc1230c\_client\_secret](#input\_kfc1230c\_client\_secret) | The client secret to authenticate with the Keyfactor instance using oauth2 client credentials | `string` | n/a | yes | -| [kfc1230c\_oauth\_hostname](#input\_kfc1230c\_oauth\_hostname) | The hostname of the Keyfactor instance | `string` | `"int1230c-oauth.eastus2.cloudapp.azure.com"` | no | -| [kfc1230c\_oauth\_token\_url](#input\_kfc1230c\_oauth\_token\_url) | The hostname of the Keyfactor instance | `string` | `"https://int1230c-oauth.eastus2.cloudapp.azure.com:8444/realms/Keyfactor/protocol/openid-connect/token"` | no | +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [ses\_2541\_auth\_token\_url](#input\_ses\_2541\_auth\_token\_url) | The OAuth token URL for the SES 25.4.1 Keyfactor Command instance | `string` | `"https://auth.kftestlab.com/oauth2/token"` | no | +| [ses\_2541\_client\_id](#input\_ses\_2541\_client\_id) | The OAuth client ID for the SES 25.4.1 Keyfactor Command instance | `string` | n/a | yes | +| [ses\_2541\_client\_secret](#input\_ses\_2541\_client\_secret) | The OAuth client secret for the SES 25.4.1 Keyfactor Command instance | `string` | n/a | yes | +| [ses\_2541\_hostname](#input\_ses\_2541\_hostname) | The hostname of the SES 25.4.1 Keyfactor Command instance | `string` | `"int25-4-1.kftestlab.com"` | no | ## Outputs No outputs. 
- \ No newline at end of file + diff --git a/.github/config/environments.tf b/.github/config/environments.tf index fb16940c..40842d98 100644 --- a/.github/config/environments.tf +++ b/.github/config/environments.tf 
@@ -1,83 +1,12 @@ -module "keyfactor_github_test_environment_10_5_0" { +module "keyfactor_github_test_environment_ses_2541" { source = "git::ssh://git@github.com/Keyfactor/terraform-module-keyfactor-github-test-environment-ad.git?ref=main" - gh_environment_name = "KFC_10_5_0" - gh_repo_name = data.github_repository.repo.name - keyfactor_hostname = var.keyfactor_hostname_10_5_0 - keyfactor_username = var.keyfactor_username_AD - keyfactor_password = var.keyfactor_password_AD - keyfactor_config_file = base64encode(file("${path.module}/command_config.json")) -} - -module "keyfactor_github_test_environment_10_5_0_CLEAN" { - source = "git::ssh://git@github.com/Keyfactor/terraform-module-keyfactor-github-test-environment-ad.git?ref=main" - - gh_environment_name = "KFC_10_5_0_CLEAN" - gh_repo_name = data.github_repository.repo.name - keyfactor_hostname = var.keyfactor_hostname_10_5_0_CLEAN - keyfactor_username = var.keyfactor_username_AD - keyfactor_password = var.keyfactor_password_AD - keyfactor_config_file = base64encode(file("${path.module}/command_config.json")) -} - -module "keyfactor_github_test_environment_11_5_0" { - source = "git::ssh://git@github.com/Keyfactor/terraform-module-keyfactor-github-test-environment-ad.git?ref=main" - - gh_environment_name = "KFC_11_5_0" - gh_repo_name = data.github_repository.repo.name - keyfactor_hostname = var.keyfactor_hostname_11_5_0 - keyfactor_username = var.keyfactor_username_AD - keyfactor_password = var.keyfactor_password_AD - keyfactor_config_file = base64encode(file("${path.module}/command_config.json")) -} - -module "keyfactor_github_test_environment_11_5_0_CLEAN" { - source = "git::ssh://git@github.com/Keyfactor/terraform-module-keyfactor-github-test-environment-ad.git?ref=main" - - gh_environment_name = "KFC_11_5_0_CLEAN" - gh_repo_name = data.github_repository.repo.name - keyfactor_hostname = var.keyfactor_hostname_11_5_0_CLEAN - keyfactor_username = var.keyfactor_username_AD - keyfactor_password = 
var.keyfactor_password_AD - keyfactor_config_file = base64encode(file("${path.module}/command_config.json")) -} - -module "keyfactor_github_test_environment_11_5_0_OAUTH" { - source = "git::ssh://git@github.com/Keyfactor/terraform-module-keyfactor-github-test-environment-ad.git?ref=main" - - gh_environment_name = "KFC_11_5_0_OAUTH" - gh_repo_name = data.github_repository.repo.name - keyfactor_hostname = var.keyfactor_hostname_11_5_0_OAUTH - keyfactor_auth_token_url = var.keyfactor_auth_token_url - keyfactor_client_id = var.keyfactor_client_id - keyfactor_client_secret = var.keyfactor_client_secret - keyfactor_tls_skip_verify = true - keyfactor_config_file = base64encode(file("${path.module}/command_config.json")) -} - -module "keyfactor_github_test_environment_11_5_0_OAUTH_CLEAN" { - source = "git::ssh://git@github.com/Keyfactor/terraform-module-keyfactor-github-test-environment-ad.git?ref=main" - - gh_environment_name = "KFC_11_5_0_OAUTH_CLEAN" + gh_environment_name = "SES_2541" gh_repo_name = data.github_repository.repo.name - keyfactor_hostname = var.keyfactor_hostname_11_5_0_OAUTH_CLEAN - keyfactor_auth_token_url = var.keyfactor_auth_token_url - keyfactor_client_id = var.keyfactor_client_id - keyfactor_client_secret = var.keyfactor_client_secret + keyfactor_hostname = var.ses_2541_hostname + keyfactor_auth_token_url = var.ses_2541_auth_token_url + keyfactor_client_id = var.ses_2541_client_id + keyfactor_client_secret = var.ses_2541_client_secret keyfactor_tls_skip_verify = true - keyfactor_config_file = base64encode(file("${path.module}/command_config.json")) + keyfactor_config_file = base64encode(file("${path.module}/ses2541_command_config.json")) } - -module "keyfactor_github_test_environment_12_3_0_AD" { - source = "git::ssh://git@github.com/Keyfactor/terraform-module-keyfactor-github-test-environment-ad.git?ref=main" - gh_environment_name = "KFC_12_3_0_AD" - gh_repo_name = data.github_repository.repo.name - keyfactor_hostname = var.keyfactor_hostname_12_3_0 
- keyfactor_username = var.keyfactor_username_AD - keyfactor_password = var.keyfactor_password_AD - keyfactor_tls_skip_verify = true - keyfactor_config_file = base64encode(file("${path.module}/command_config.json")) -} - - - diff --git a/.github/config/int1230_oauth.tf b/.github/config/int1230_oauth.tf deleted file mode 100644 index 3d8ff208..00000000 --- a/.github/config/int1230_oauth.tf +++ /dev/null @@ -1,35 +0,0 @@ -variable "kfc1230_oauth_hostname" { - description = "The hostname of the Keyfactor instance" - type = string - default = "int1230-oauth.eastus2.cloudapp.azure.com" -} - -variable "kfc1230_oauth_token_url" { - description = "The hostname of the Keyfactor instance" - type = string - default = "https://int1230-oauth.eastus2.cloudapp.azure.com:8444/realms/Keyfactor/protocol/openid-connect/token" -} - - -variable "kfc1230_client_id" { - description = "The client ID to authenticate with the Keyfactor instance using oauth2 client credentials" - type = string - -} -variable "kfc1230_client_secret" { - description = "The client secret to authenticate with the Keyfactor instance using oauth2 client credentials" - type = string -} - -module "keyfactor_github_test_environment_12_3_0_OAUTH" { - source = "git::ssh://git@github.com/Keyfactor/terraform-module-keyfactor-github-test-environment-ad.git?ref=main" - - gh_environment_name = "KFC_12_3_0_OAUTH" - gh_repo_name = data.github_repository.repo.name - keyfactor_hostname = var.kfc1230_oauth_hostname - keyfactor_auth_token_url = var.kfc1230_oauth_token_url - keyfactor_client_id = var.kfc1230_client_id - keyfactor_client_secret = var.kfc1230_client_secret - keyfactor_tls_skip_verify = true - keyfactor_config_file = base64encode(file("${path.module}/int1230_oauth_command_config.json")) -} \ No newline at end of file diff --git a/.github/config/int1230c_ad.tf b/.github/config/int1230c_ad.tf deleted file mode 100644 index 63ca3d1d..00000000 --- a/.github/config/int1230c_ad.tf +++ /dev/null 
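Review bot: The consolidated module at the top of this hunk reads `${path.module}/ses2541_command_config.json`, yet the patch's diffstat adds no such file and the old `command_config.json` it replaces is not deleted; unless `ses2541_command_config.json` is already committed under `.github/config`, `terraform plan` fails inside `file()` before any environment is created, so the file should ship with this change or the existing name be kept. The same module carries `keyfactor_tls_skip_verify = true` over to the new lab; if `int25-4-1.kftestlab.com` presents a certificate the runners trust, dropping that line lets the lab-backed CLI tests exercise certificate validation too, and if it cannot, a one-line comment such as `# lab endpoint presents a certificate the runners do not trust` would record why verification is disabled rather than leaving it as an unexplained default.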
@@ -1,16 +0,0 @@ -variable "kfc1230c_ad_hostname" { - description = "The hostname of the Keyfactor instance" - type = string - default = "int1230c-ad.eastus2.cloudapp.azure.com" -} - -module "keyfactor_github_test_environment_12_3_0_AD_CLEAN" { - source = "git::ssh://git@github.com/Keyfactor/terraform-module-keyfactor-github-test-environment-ad.git?ref=main" - gh_environment_name = "KFC_12_3_0_AD_CLEAN" - gh_repo_name = data.github_repository.repo.name - keyfactor_hostname = var.kfc1230c_ad_hostname - keyfactor_username = var.keyfactor_username_AD - keyfactor_password = var.keyfactor_password_AD - keyfactor_tls_skip_verify = true - keyfactor_config_file = base64encode(file("${path.module}/command_config.json")) -} \ No newline at end of file diff --git a/.github/config/int1230c_oauth.tf b/.github/config/int1230c_oauth.tf deleted file mode 100644 index b1a34d13..00000000 --- a/.github/config/int1230c_oauth.tf +++ /dev/null 
@@ -1,33 +0,0 @@ -variable "kfc1230c_oauth_hostname" { - description = "The hostname of the Keyfactor instance" - type = string - default = "int1230c-oauth.eastus2.cloudapp.azure.com" -} - -variable "kfc1230c_oauth_token_url" { - description = "The hostname of the Keyfactor instance" - type = string - default = "https://int1230c-oauth.eastus2.cloudapp.azure.com:8444/realms/Keyfactor/protocol/openid-connect/token" -} - - -variable "kfc1230c_client_id" { - description = "The client ID to authenticate with the Keyfactor instance using oauth2 client credentials" - type = string - -} -variable "kfc1230c_client_secret" { - description = "The client secret to authenticate with the Keyfactor instance using oauth2 client credentials" - type = string -} -module "keyfactor_github_test_environment_12_3_0_OAUTH_CLEAN" { - source = "git::ssh://git@github.com/Keyfactor/terraform-module-keyfactor-github-test-environment-ad.git?ref=main" - gh_environment_name = "KFC_12_3_0_OAUTH_CLEAN" - gh_repo_name = data.github_repository.repo.name - keyfactor_hostname = var.kfc1230c_oauth_hostname - keyfactor_auth_token_url = var.kfc1230c_oauth_token_url - keyfactor_client_id = var.kfc1230c_client_id - keyfactor_client_secret = var.kfc1230c_client_secret - keyfactor_tls_skip_verify = true - keyfactor_config_file = base64encode(file("${path.module}/int1230c_oauth_command_config.json")) -} \ No newline at end of file diff --git a/.github/config/variables.tf b/.github/config/variables.tf index 3d557a24..9cdefb09 100644 --- a/.github/config/variables.tf +++ b/.github/config/variables.tf 
@@ -1,85 +1,22 @@ -// Hosts -variable "keyfactor_hostname_10_5_0" { - description = "The hostname of the Keyfactor v10.5.x instance" +variable "ses_2541_hostname" { + description = "The hostname of the SES 25.4.1 Keyfactor Command instance" type = string - default = "integrations1050-lab.kfdelivery.com" + default = "int25-4-1.kftestlab.com" } -variable "keyfactor_hostname_10_5_0_CLEAN" { - description = "The hostname of the Keyfactor v10.5.x instance with no stores or orchestrators. This is used for store-type tests." +variable "ses_2541_auth_token_url" { + description = "The OAuth token URL for the SES 25.4.1 Keyfactor Command instance" type = string - default = "int1050-test-clean.kfdelivery.com" + default = "https://auth.kftestlab.com/oauth2/token" } - -variable "keyfactor_hostname_11_5_0" { - description = "The hostname of the Keyfactor v11.5.x instance" - type = string - default = "integrations1150-lab.kfdelivery.com" -} - -variable "keyfactor_hostname_11_5_0_CLEAN" { - description = "The hostname of the Keyfactor v11.5.x instance with no stores or orchestrators. This is used for store-type tests." - type = string - default = "int1150-test-clean.kfdelivery.com" -} - -variable "keyfactor_hostname_11_5_0_OAUTH" { - description = "The hostname of the Keyfactor instance" - type = string - default = "int-oidc-lab.eastus2.cloudapp.azure.com" -} - -variable "keyfactor_hostname_11_5_0_OAUTH_CLEAN" { - description = "The hostname of the Keyfactor instance" - type = string - default = "int1150-oauth-test-clean.eastus2.cloudapp.azure.com" -} - - -variable "keyfactor_hostname_12_3_0" { - description = "The hostname of the Keyfactor v12.3.x instance" - type = string - default = "integrations1230-lab.kfdelivery.com" -} - -variable "keyfactor_hostname_12_3_0_CLEAN" { - description = "The hostname of the Keyfactor v12.3.x instance with no stores or orchestrators. This is used for store-type tests." 
+variable "ses_2541_client_id" { + description = "The OAuth client ID for the SES 25.4.1 Keyfactor Command instance" type = string - default = "int1230-test-clean.kfdelivery.com" } -variable "keyfactor_hostname_12_3_0_OAUTH" { - description = "The hostname of the Keyfactor instance" +variable "ses_2541_client_secret" { + description = "The OAuth client secret for the SES 25.4.1 Keyfactor Command instance" type = string - default = "int-oidc-lab.eastus2.cloudapp.azure.com" + sensitive = true } - - -// Authentication -variable "keyfactor_username_AD" { - description = "The username to authenticate with a Keyfactor instance that uses AD authentication" - type = string -} - -variable "keyfactor_password_AD" { - description = "The password to authenticate with Keyfactor instance that uses AD authentication" - type = string -} - -variable "keyfactor_client_id" { - description = "The client ID to authenticate with the Keyfactor instance using oauth2 client credentials" - type = string -} - -variable "keyfactor_client_secret" { - description = "The client secret to authenticate with the Keyfactor instance using oauth2 client credentials" - type = string -} - -variable "keyfactor_auth_token_url" { - description = "The token URL to authenticate with the Keyfactor instance using oauth2 client credentials" - type = string - default = "https://int-oidc-lab.eastus2.cloudapp.azure.com:8444/realms/Keyfactor/protocol/openid-connect/token" -} - diff --git a/cmd/helpers.go b/cmd/helpers.go index 6195c8e0..1306dfdc 100644 --- a/cmd/helpers.go +++ b/cmd/helpers.go @@ -358,7 +358,14 @@ func outputResult(result interface{}, format string) { Str("format", format). Msg(fmt.Sprintf("%s outputResult", DebugFuncEnter)) if format == "json" { - fmt.Println(result) + switch value := result.(type) { + case []byte: + fmt.Println(string(value)) + case string: + fmt.Println(value) + default: + fmt.Println(result) + } } else { fmt.Println(fmt.Sprintf("%s", result)) } 
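Review bot: Every previously declared variable (`keyfactor_hostname_*`, `keyfactor_username_AD`, `keyfactor_password_AD`, `keyfactor_client_id`, `keyfactor_client_secret`, `keyfactor_auth_token_url`) is removed here, and the only consumers visible in this patch are the two deleted `int1230c_*.tf` files; if any other file under `.github/config` still references `var.keyfactor_*`, `terraform validate` will fail, so it is worth running before merge. `sensitive = true` on `ses_2541_client_secret` is the right call; note that it only redacts the value from plan and apply output and does not keep the secret out of state. Dropping the `// Hosts` and `// Authentication` section comments leaves the file with no note of what `ses_2541` refers to; a header such as `// SES 25.4.1 lab instance, OAuth client-credentials auth` would keep it self-describing.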
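Review bot: The new `default` arm of the type switch in the `json` branch still ends in `fmt.Println(result)`, so a struct or map passed to `outputResult` with `format == "json"` is printed in Go's `%v` form rather than as JSON. If callers only ever hand this path a pre-serialized `string` or `[]byte` that is harmless, but otherwise the default arm should marshal first, e.g. `if b, err := json.Marshal(result); err == nil { fmt.Println(string(b)); return }` ahead of the existing fallback (assuming `encoding/json` is already imported in helpers.go, which the hunk does not show). `outputResult` starts before the hunk and its closing brace lies after it.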
diff --git a/cmd/login_test.go b/cmd/login_test.go index 4a45e742..815eafbc 100644 --- a/cmd/login_test.go +++ b/cmd/login_test.go @@ -29,6 +29,8 @@ import ( ) func Test_LoginHelpCmd(t *testing.T) { + defer resetRootCommandState() + // Test root help testCmd := RootCmd testCmd.SetArgs([]string{"login", "--help"}) diff --git a/cmd/pamTypes_test.go b/cmd/pamTypes_test.go index 3b9815f0..e8565585 100644 --- a/cmd/pamTypes_test.go +++ b/cmd/pamTypes_test.go @@ -74,6 +74,8 @@ func hasIntegrationTestEnvironment() bool { // Test_PAMTypesHelpCmd tests the help command for pam-types func Test_PAMTypesHelpCmd(t *testing.T) { + defer resetRootCommandState() + tests := []struct { name string args []string diff --git a/cmd/pam_test.go b/cmd/pam_test.go index 10a5cfd1..076f1fed 100644 --- a/cmd/pam_test.go +++ b/cmd/pam_test.go @@ -249,6 +249,8 @@ func NewPAMProviderTestServer(t *testing.T) *PAMProviderTestServer { } func Test_PAMHelpCmd(t *testing.T) { + defer resetRootCommandState() + // Test root help testCmd := RootCmd testCmd.SetArgs([]string{"pam", "--help"}) @@ -394,8 +396,7 @@ func Test_PAMGetCmd(t *testing.T) { assert.NotEmpty(t, providerConfig["Id"]) assert.NotEmpty(t, providerConfig["ProviderType"]) - pTypeParams := providerConfig["ProviderType"].(map[string]any)["ProviderTypeParams"].([]any) - assert.NotEmpty(t, pTypeParams) + pTypeParams, _ := providerConfig["ProviderType"].(map[string]any)["ProviderTypeParams"].([]any) assert.GreaterOrEqual(t, len(pTypeParams), 0) if len(pTypeParams) > 0 { for _, param := range pTypeParams { diff --git a/cmd/root_test.go b/cmd/root_test.go index e3e7e2d0..b48d5f76 100644 --- a/cmd/root_test.go +++ b/cmd/root_test.go @@ -19,6 +19,8 @@ import ( ) func Test_RootCmd(t *testing.T) { + defer resetRootCommandState() + // Test root help testCmd := RootCmd testCmd.SetArgs([]string{"--help"}) diff --git a/cmd/storeTypes_get_test.go b/cmd/storeTypes_get_test.go index 1f252cf0..4f576199 100644 --- a/cmd/storeTypes_get_test.go 
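Review bot: In the second `cmd/pam_test.go` hunk, switching to `pTypeParams, _ := …([]any)` and deleting `assert.NotEmpty(t, pTypeParams)` leaves the pre-existing `assert.GreaterOrEqual(t, len(pTypeParams), 0)` as the only check, and a slice length can never be negative, so the subtest no longer verifies that `ProviderTypeParams` was returned at all. The comma-ok form also silences only the `[]any` assertion; the preceding `providerConfig["ProviderType"].(map[string]any)` still panics if `ProviderType` is not an object. If an empty parameter list is legitimately possible, make both assertions comma-ok and check the flag, `providerType, ok := providerConfig["ProviderType"].(map[string]any)` followed by `require.True(t, ok, "ProviderType should be an object")`; otherwise restore `assert.NotEmpty`. `Test_PAMGetCmd` starts before the hunk and continues after it.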
+++ b/cmd/storeTypes_get_test.go @@ -17,27 +17,44 @@ limitations under the License. package cmd import ( + "bytes" "encoding/json" + "io" "os" "testing" "kfutil/pkg/cmdtest" manifestv1 "kfutil/pkg/keyfactor/v1" + "github.com/spf13/cobra" "github.com/stretchr/testify/assert" ) +func executeRootCommandCaptureCobraOutput(args ...string) ([]byte, error) { + buf := new(bytes.Buffer) + setCommandOutput(RootCmd, buf) + RootCmd.SetArgs(args) + err := RootCmd.Execute() + return buf.Bytes(), err +} + +func setCommandOutput(cmd *cobra.Command, out io.Writer) { + cmd.SetOut(out) + for _, child := range cmd.Commands() { + setCommandOutput(child, out) + } +} + func Test_StoreTypesGet(t *testing.T) { t.Run( "WithName", func(t *testing.T) { - testCmd := RootCmd - - output, err := cmdtest.TestExecuteCommand(t, testCmd, []string{"store-types", "get", "--name", "PEM"}...) + resetRootCommandState() + output, err := executeRootCommandCaptureCobraOutput("store-types", "get", "--name", "PEM") if err != nil { t.Fatalf("Unexpected error: %v", err) } var storeType map[string]interface{} - if err := json.Unmarshal([]byte(output), &storeType); err != nil { + if err := json.Unmarshal(output, &storeType); err != nil { t.Fatalf("Error unmarshalling JSON: %v", err) } @@ -61,12 +78,8 @@ func Test_StoreTypesGet(t *testing.T) { t.Run( "GenericOutput", func(t *testing.T) { - testCmd := RootCmd - output, err := cmdtest.TestExecuteCommand( - t, - testCmd, - []string{"store-types", "get", "--name", "PEM", "-g"}..., - ) + resetRootCommandState() + output, err := executeRootCommandCaptureCobraOutput("store-types", "get", "--name", "PEM", "-g") if err != nil { t.Fatalf("Unexpected error: %v", err) } @@ -99,6 +112,7 @@ func Test_StoreTypesGet(t *testing.T) { t.Run( "OutputToManifest", func(t *testing.T) { + resetRootCommandState() testCmd := RootCmd _, err := cmdtest.TestExecuteCommand( t, 
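Review bot: `executeRootCommandCaptureCobraOutput` captures only what commands write through cobra's configured writer (`cmd.SetOut` via `setCommandOutput`), not `os.Stdout`; `outputResult` in `cmd/helpers.go`, changed in this same patch, writes with `fmt.Println`, so if `store-types get` emits its JSON through that helper the captured `output` is empty and `json.Unmarshal` fails with "unexpected end of JSON input". Worth confirming which writer the command uses before the other subtests are moved onto this helper; if it is stdout, `captureOutput` from `cmd/test.go` (as the new pagination test uses) is the right tool. Independently, `setCommandOutput` leaves the buffer installed on every command after the subtest returns; a `defer resetRootCommandState()` inside each subtest, rather than a reset only on entry, would restore `os.Stdout`/`os.Stderr` for whatever runs next. Both new helpers would also benefit from a one-line doc comment stating that they redirect cobra's `Out` writer recursively and must be paired with a reset.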
diff --git a/cmd/storeTypes_pagination_test.go b/cmd/storeTypes_pagination_test.go
new file mode 100644
index 00000000..d58c2a86
--- /dev/null
+++ b/cmd/storeTypes_pagination_test.go
@@ -0,0 +1,24 @@
+package cmd
+
+import (
+ "encoding/json"
+ "testing"
+
+ "github.com/stretchr/testify/require"
+)
+
+func Test_StoreTypesListCLI_ReturnsMoreThanOnePage(t *testing.T) {
+ if testing.Short() || !hasIntegrationTestEnvironment() {
+ t.Skip("requires Keyfactor Command integration environment")
+ }
+ defer resetRootCommandState()
+
+ RootCmd.SetArgs([]string{"store-types", "list", "--no-prompt", "--format", "json"})
+ output := captureOutput(func() {
+ require.NoError(t, RootCmd.Execute())
+ })
+
+ var storeTypes []map[string]any
+ require.NoError(t, json.Unmarshal([]byte(output), &storeTypes))
+ require.Greater(t, len(storeTypes), 50, "store-types list should include results beyond the first default page")
+}
diff --git a/cmd/storeTypes_test.go b/cmd/storeTypes_test.go
index 55b88e50..ae7ca985 100644
--- a/cmd/storeTypes_test.go
+++ b/cmd/storeTypes_test.go
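Review bot: `require.Greater(t, len(storeTypes), 50, …)` pins the assertion to a bare number that presumably mirrors the server's default page size; if that default changes, or the integration environment happens to have fewer than 51 store types, the test fails for reasons unrelated to pagination. Naming it, `const defaultStoreTypesPageSize = 50 // Command's default page size; the list must page past it`, and comparing against that makes the intent reviewable. Calling `require.NoError` inside the closure handed to `captureOutput` triggers `t.FailNow` (a `runtime.Goexit`) while stdout is redirected; whether `captureOutput` restores `os.Stdout` on that path depends on its body, which is outside this patch, so the safer shape is to record the error and assert after capture returns: `var execErr error`, `output := captureOutput(func() { execErr = RootCmd.Execute() })`, `require.NoError(t, execErr)`.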
@@ -93,8 +93,46 @@ func loadStoreTypesFromJSON(t *testing.T) []StoreTypeDefinition { return storeTypes } +func storeTypeAllowsEmptyCapability(shortName string) bool { + switch shortName { + case "AlteonLB", "OktaApp", "OktaIdP": + return true + default: + return false + } +} + +func storeTypeAllowsNoSupportedOperations(shortName string) bool { + switch shortName { + case "HCVPKI", "Signum": + return true + default: + return false + } +} + +func assertStoreTypeCapability(t *testing.T, storeType StoreTypeDefinition, message string) { + t.Helper() + if storeTypeAllowsEmptyCapability(storeType.ShortName) { + return + } + assert.NotEmpty(t, storeType.Capability, message, storeType.ShortName) +} + +func assertStoreTypeHasSupportedOperation(t *testing.T, storeType StoreTypeDefinition) { + t.Helper() + if storeTypeAllowsNoSupportedOperations(storeType.ShortName) { + return + } + ops := storeType.SupportedOperations + hasOperation := ops.Add || ops.Inventory || ops.Create || ops.Discovery || ops.Enrollment || ops.Remove + assert.True(t, hasOperation, "Store type %s should support at least one operation", storeType.ShortName) +} + // Test_StoreTypesHelpCmd tests the help command for store-types func Test_StoreTypesHelpCmd(t *testing.T) { + defer resetRootCommandState() + tests := []struct { name string args []string @@ -148,7 +186,7 @@ func Test_StoreTypesJSON_Structure(t *testing.T) { assert.NotEmpty(t, storeType.Name, "Store type %s should have a Name", storeType.ShortName) // Test that Capability is not empty - assert.NotEmpty(t, storeType.Capability, "Store type %s should have a Capability", storeType.ShortName) + assertStoreTypeCapability(t, storeType, "Store type %s should have a Capability") // Test that CustomAliasAllowed has valid value validCustomAlias := []string{"Optional", "Required", "Forbidden", ""} 
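Review bot: The exemption lists in `storeTypeAllowsEmptyCapability` (`AlteonLB`, `OktaApp`, `OktaIdP`) and `storeTypeAllowsNoSupportedOperations` (`HCVPKI`, `Signum`) carry no explanation, so a reader cannot tell whether these are known data gaps in `store_types.json` or intentional properties of those store types; each function deserves a comment such as `// Store types shipped without a Capability string; keep in sync with store_types.json and drop entries once the data is fixed.` `assertStoreTypeCapability` forwards `message` to `assert.NotEmpty` as a format string together with `storeType.ShortName`, so every caller must supply exactly one `%s`; stating that contract in the helper's doc comment, or naming the parameter `format`, would prevent a `%!(EXTRA string=…)` surprise at the next call site. `Test_StoreTypesHelpCmd` begins in this hunk and continues past it.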
@@ -177,18 +215,7 @@ func Test_StoreTypesJSON_Structure(t *testing.T) { // Validate SupportedOperations t.Run( "SupportedOperations", func(t *testing.T) { - // At least one operation should be supported - hasOperation := storeType.SupportedOperations.Add || - storeType.SupportedOperations.Inventory || - storeType.SupportedOperations.Create || - storeType.SupportedOperations.Discovery || - storeType.SupportedOperations.Enrollment || - storeType.SupportedOperations.Remove - - assert.True( - t, hasOperation, - "Store type %s should support at least one operation", storeType.ShortName, - ) + assertStoreTypeHasSupportedOperation(t, storeType) }, ) @@ -265,6 +292,7 @@ func Test_StoreTypesJSON_CapabilitiesUnique(t *testing.T) { capability, func(t *testing.T) { if capability == "" { t.Logf("Skipping empty capability check") + return } t.Logf("Capability %s appears %d times", capability, count) assert.Equal( @@ -349,12 +377,7 @@ func Test_StoreTypesJSON_SupportedOperations(t *testing.T) { storeType.ShortName, func(t *testing.T) { ops := storeType.SupportedOperations - // At least one operation should be supported - hasOperation := ops.Add || ops.Inventory || ops.Create || ops.Discovery || ops.Enrollment || ops.Remove - assert.True( - t, hasOperation, - "Store type %s should support at least one operation", storeType.ShortName, - ) + assertStoreTypeHasSupportedOperation(t, storeType) // Log supported operations var supportedOps []string @@ -721,10 +744,7 @@ func Test_StoreTypesJSON_DeleteValidation(t *testing.T) { t, storeType.ShortName, "Store type must have ShortName for deletion by name", ) - assert.NotEmpty( - t, storeType.Capability, - "Store type must have Capability for identification", - ) + assertStoreTypeCapability(t, storeType, "Store type %s must have Capability for identification") // Verify ShortName is a valid identifier (no special chars that would break CLI) assert.NotContains( 
@@ -756,7 +776,7 @@ func Test_StoreTypesJSON_RequiredFieldsForCreate(t *testing.T) { // Core identification fields assert.NotEmpty(t, storeType.ShortName, "ShortName is required") assert.NotEmpty(t, storeType.Name, "Name is required") - assert.NotEmpty(t, storeType.Capability, "Capability is required") + assertStoreTypeCapability(t, storeType, "Store type %s requires Capability") // Configuration fields assert.NotEmpty(t, storeType.CustomAliasAllowed, "CustomAliasAllowed is required") @@ -768,18 +788,7 @@ func Test_StoreTypesJSON_RequiredFieldsForCreate(t *testing.T) { "PasswordOptions.Style is required", ) - // Supported operations structure must exist - // At least one operation should be true (already tested elsewhere) - hasOperation := storeType.SupportedOperations.Add || - storeType.SupportedOperations.Inventory || - storeType.SupportedOperations.Create || - storeType.SupportedOperations.Discovery || - storeType.SupportedOperations.Enrollment || - storeType.SupportedOperations.Remove - assert.True( - t, hasOperation, - "At least one SupportedOperation must be true", - ) + assertStoreTypeHasSupportedOperation(t, storeType) // Properties and EntryParameters can be empty arrays but must not be nil assert.NotNil(t, storeType.Properties, "Properties array must not be nil") @@ -810,7 +819,7 @@ func Test_StoreTypesJSON_AllTypesCanBeCreated(t *testing.T) { assert.NotEmpty(t, storeType.Name, "Must have Name") // Test 3: Has capability - assert.NotEmpty(t, storeType.Capability, "Must have Capability") + assertStoreTypeCapability(t, storeType, "Store type %s must have Capability") // Test 4: Can be serialized to JSON jsonBytes, err := json.Marshal(storeType) 
@@ -900,10 +909,7 @@ func Test_StoreTypesJSON_AllTypesCanBeDeleted(t *testing.T) { assert.NotContains(t, shortName, "\"", "ShortName must not contain double quotes") // Test 3: Has capability for verification - assert.NotEmpty( - t, storeType.Capability, - "Must have Capability for verification", - ) + assertStoreTypeCapability(t, storeType, "Store type %s must have Capability for verification") // Test 4: Has name for display in deletion confirmations assert.NotEmpty( @@ -963,7 +969,7 @@ func Test_StoreTypesJSON_CreateDeleteCycle(t *testing.T) { // Has required fields assert.NotEmpty(t, storeType.ShortName, "Creation requires ShortName") assert.NotEmpty(t, storeType.Name, "Creation requires Name") - assert.NotEmpty(t, storeType.Capability, "Creation requires Capability") + assertStoreTypeCapability(t, storeType, "Store type %s requires Capability for creation") t.Logf("✓ Create: %s is ready", storeType.ShortName) }, @@ -989,10 +995,7 @@ func Test_StoreTypesJSON_CreateDeleteCycle(t *testing.T) { t.Run( "VerificationReadiness", func(t *testing.T) { // Has fields to verify creation succeeded - assert.NotEmpty( - t, storeType.Capability, - "Verification requires Capability", - ) + assertStoreTypeCapability(t, storeType, "Store type %s requires Capability for verification") assert.NotEmpty( t, storeType.Name, "Verification requires Name", diff --git a/cmd/storesBulkOperations.go b/cmd/storesBulkOperations.go index 7404b89c..c4407eb1 100644 --- a/cmd/storesBulkOperations.go +++ b/cmd/storesBulkOperations.go @@ -838,6 +838,11 @@ var storesExportCmd = &cobra.Command{ "CreateIfMissing": store.CreateIfMissing, "AgentId": store.AgentId, } + for _, header := range bulkStoreImportCSVHeader { + if strings.HasPrefix(header, "InventorySchedule.") { + csvData[store.Id][header] = "" + } + } log.Debug().Msg("checking for InventorySchedule") if store.InventorySchedule.Immediate != nil { diff --git a/cmd/stores_test.go b/cmd/stores_test.go index 692782a3..c9d9f82d 100644 
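Review bot: In the `cmd/storesBulkOperations.go` hunk, the new loop seeds every `InventorySchedule.*` column of the row with `""`, presumably so each exported row carries the same column set as `bulkStoreImportCSVHeader` even when the store has no schedule, but that intent is not stated and the code that follows (`if store.InventorySchedule.Immediate != nil {`) only fills in the columns it knows about. A one-line comment, `// Pre-populate every InventorySchedule.* column so rows line up with bulkStoreImportCSVHeader even when the store has no schedule`, would make the `strings.HasPrefix` filter self-explanatory. The enclosing `storesExportCmd` handler starts and ends outside the hunk.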
--- a/cmd/stores_test.go +++ b/cmd/stores_test.go @@ -26,6 +26,8 @@ import ( ) func Test_Stores_HelpCmd(t *testing.T) { + defer resetRootCommandState() + // Test root help testCmd := RootCmd testCmd.SetArgs([]string{"stores", "--help"}) diff --git a/cmd/test.go b/cmd/test.go index 25ca5754..70b5cb52 100644 --- a/cmd/test.go +++ b/cmd/test.go @@ -21,6 +21,9 @@ import ( "io" "os" "regexp" + + "github.com/spf13/cobra" + "github.com/spf13/pflag" ) func captureOutput(f func()) string { @@ -60,6 +63,36 @@ func captureOutput(f func()) string { return buf.String() } +func resetRootCommandState() { + resetCommandState(RootCmd) +} + +func resetCommandState(cmd *cobra.Command) { + cmd.SetArgs(nil) + cmd.SetOut(os.Stdout) + cmd.SetErr(os.Stderr) + cmd.SilenceUsage = false + cmd.SilenceErrors = false + + resetFlagSet(cmd.Flags()) + resetFlagSet(cmd.PersistentFlags()) + resetFlagSet(cmd.LocalFlags()) + + for _, child := range cmd.Commands() { + resetCommandState(child) + } +} + +func resetFlagSet(flags *pflag.FlagSet) { + if flags == nil { + return + } + flags.VisitAll(func(flag *pflag.Flag) { + _ = flag.Value.Set(flag.DefValue) + flag.Changed = false + }) +} + type testEnv struct { CommandHostname string CommandUsername string From 3c3a7c17f4f18441213375daeb07ac7a763df589 Mon Sep 17 00:00:00 2001 From: spbsoluble <1661003+spbsoluble@users.noreply.github.com> Date: Mon, 4 May 2026 09:36:07 -0700 Subject: [PATCH 17/17] docs: add RFPKCS12 PAM migration examples --- ...migrate-static-store-credentials-to-pam.md | 72 +++++++++++++++++++ 1 file changed, 72 insertions(+) diff --git a/docs/use-cases/Certificate Store Operations/migrate-static-store-credentials-to-pam.md b/docs/use-cases/Certificate Store Operations/migrate-static-store-credentials-to-pam.md index 8984e54a..d47b620c 100644 --- a/docs/use-cases/Certificate Store Operations/migrate-static-store-credentials-to-pam.md +++ b/docs/use-cases/Certificate Store Operations/migrate-static-store-credentials-to-pam.md 
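Review bot: In the `cmd/test.go` hunk, `resetFlagSet` restores each flag with `flag.Value.Set(flag.DefValue)`, which does not reset slice-valued pflag flags: pflag's slice types append on every `Set` after the first, so a `--foo a` from one test followed by this reset leaves `[a, <default>]` rather than the default, and clearing `flag.Changed` does not touch the value's own changed marker. If any kfutil command declares slice flags (not visible here) the reset needs to replace the value rather than `Set` it; otherwise a comment such as `// NOTE: Value.Set(DefValue) appends for pflag slice types; only scalar flags are reliably reset here` keeps the assumption explicit. `cmd.SetArgs(nil)` makes cobra fall back to `os.Args[1:]`, which under `go test` are the test binary's own flags, so every test must call `SetArgs` before `Execute` — the new pagination test does, but `resetRootCommandState` has no doc comment saying so. `resetFlagSet(cmd.LocalFlags())` appears to revisit the same `*pflag.Flag` pointers already covered by `Flags()` and `PersistentFlags()`, so it is redundant though harmless.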
@@ -10,6 +10,7 @@ This is a specialized bulk certificate store update. The workflow uses exported
 - [Step 1: Export Stores](#step-1-export-stores)
 - [Step 2: Identify The PAM Provider Columns](#step-2-identify-the-pam-provider-columns)
 - [Step 3: Build The Sync CSV](#step-3-build-the-sync-csv)
+- [RFPKCS12 Examples By PAM Type](#rfpkcs12-examples-by-pam-type)
 - [Step 4: Sync The Migration](#step-4-sync-the-migration)
 - [Step 5: Verify The Migration](#step-5-verify-the-migration)
 - [Notes](#notes)
@@ -87,6 +88,77 @@ Id,ClientMachine,StorePath,Properties.ServerPassword.Provider,Properties.ServerP Do not put the masked export value `********************` into a new direct secret value column. That is a placeholder, not the original secret. +## RFPKCS12 Examples By PAM Type + +The embedded store type short name is `RFPkcs12`; use that exact value with `--store-type-name`. + +These examples show the columns to migrate an `RFPkcs12` row from static values to PAM-backed `Properties.ServerPassword` and PAM-backed store `Password`. Replace provider IDs, store IDs, paths, and PAM parameter values with values from your environment. + +If you are migrating `Properties.ServerUsername` instead of `Properties.ServerPassword`, use the same provider and parameter pattern with the `Properties.ServerUsername.*` prefix. + +### 1Password-CLI + +```csv +Id,ClientMachine,StorePath,Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.Item,Properties.ServerPassword.Parameters.Field,Properties.ServerPassword.SecretValue,Password.ProviderId,Password.Parameters.Item,Password.Parameters.Field,Password.SecretValue +00000000-0000-0000-0000-000000000001,linux01.example.com,/opt/certs/app.p12,101,linux-service-account,password,,101,rfpkcs12-store,password, +``` + +### Azure-KeyVault + +```csv +Id,ClientMachine,StorePath,Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.SecretId,Properties.ServerPassword.SecretValue,Password.ProviderId,Password.Parameters.SecretId,Password.SecretValue +00000000-0000-0000-0000-000000000001,linux01.example.com,/opt/certs/app.p12,102,linux-service-account-password,,102,rfpkcs12-store-password, +``` + +### Azure-KeyVault-ServicePrincipal + +```csv +Id,ClientMachine,StorePath,Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.SecretId,Properties.ServerPassword.SecretValue,Password.ProviderId,Password.Parameters.SecretId,Password.SecretValue 
+00000000-0000-0000-0000-000000000001,linux01.example.com,/opt/certs/app.p12,103,linux-service-account-password,,103,rfpkcs12-store-password, +``` + +### BeyondTrust-PasswordSafe + +```csv +Id,ClientMachine,StorePath,Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.SystemId,Properties.ServerPassword.Parameters.AccountId,Properties.ServerPassword.SecretValue,Password.ProviderId,Password.Parameters.SystemId,Password.Parameters.AccountId,Password.SecretValue +00000000-0000-0000-0000-000000000001,linux01.example.com,/opt/certs/app.p12,104,bt-system-123,bt-account-456,,104,bt-system-123,bt-account-789, +``` + +### CyberArk-CentralCredentialProvider + +```csv +Id,ClientMachine,StorePath,Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.Safe,Properties.ServerPassword.Parameters.Folder,Properties.ServerPassword.Parameters.Object,Properties.ServerPassword.SecretValue,Password.ProviderId,Password.Parameters.Safe,Password.Parameters.Folder,Password.Parameters.Object,Password.SecretValue +00000000-0000-0000-0000-000000000001,linux01.example.com,/opt/certs/app.p12,105,Certificates,Root,linux-service-account,,105,Certificates,Root,rfpkcs12-store-password, +``` + +### CyberArk-SdkCredentialProvider + +```csv +Id,ClientMachine,StorePath,Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.Safe,Properties.ServerPassword.Parameters.Folder,Properties.ServerPassword.Parameters.Object,Properties.ServerPassword.SecretValue,Password.ProviderId,Password.Parameters.Safe,Password.Parameters.Folder,Password.Parameters.Object,Password.SecretValue +00000000-0000-0000-0000-000000000001,linux01.example.com,/opt/certs/app.p12,106,Certificates,Root,linux-service-account,,106,Certificates,Root,rfpkcs12-store-password, +``` + +### Delinea-SecretServer + +```csv 
+Id,ClientMachine,StorePath,Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.SecretId,Properties.ServerPassword.Parameters.SecretFieldName,Properties.ServerPassword.SecretValue,Password.ProviderId,Password.Parameters.SecretId,Password.Parameters.SecretFieldName,Password.SecretValue +00000000-0000-0000-0000-000000000001,linux01.example.com,/opt/certs/app.p12,107,12001,password,,107,12002,password, +``` + +### GCP-SecretManager + +```csv +Id,ClientMachine,StorePath,Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.secretId,Properties.ServerPassword.SecretValue,Password.ProviderId,Password.Parameters.secretId,Password.SecretValue +00000000-0000-0000-0000-000000000001,linux01.example.com,/opt/certs/app.p12,108,linux-service-account-password,,108,rfpkcs12-store-password, +``` + +### Hashicorp-Vault + +```csv +Id,ClientMachine,StorePath,Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.Secret,Properties.ServerPassword.Parameters.Key,Properties.ServerPassword.SecretValue,Password.ProviderId,Password.Parameters.Secret,Password.Parameters.Key,Password.SecretValue +00000000-0000-0000-0000-000000000001,linux01.example.com,/opt/certs/app.p12,109,certstores/linux01,serverPassword,,109,certstores/linux01,storePassword, +``` + ## Step 4: Sync The Migration Run the import command with `--sync`: