Deploying External Secrets on Kubernetes Kapsule
External Secrets - Overview
External Secrets is a Kubernetes operator that allows you to manage the lifecycle of your secrets from external providers.
In this tutorial you will learn how to deploy External Secrets and its services on Kubernetes Kapsule, the managed Kubernetes service from Scaleway.
Before you start
To complete the actions presented below, you must have:
- A Scaleway account logged into the console
- Owner status or IAM permissions allowing you to perform actions in the intended Organization
- An SSH key
- Created a Kapsule cluster
- Configured kubectl
- Installed
helm, the Kubernetes package manager, on your local machine (version 3.2 or latest)
Preparing the Kubernetes Kapsule cluster
- Make sure you are connected to your cluster and that
kubectlandhelmare installed on your local machine. - Add the External Secrets repository to your Helm configuration and update it using the following commands:
helm repo add external-secrets https://charts.external-secrets.iohelm repo update
Deploying External Secrets
Run the command below to deploy the External Secrets application in your cluster and create its associated resources.
To automatically install and manage the CRDs as part of your Helm release, you must add the --set installCRDs=true flag to your Helm installation command.
Uncomment the --set installCRDs=true line in the following command to do so.
Create a secret containing your Scaleway API key information
Make sure you replace ACCESSKEY and SECRETKEY with your own values.
Create your first SecretStore
Define a SecretStore resource in Kubernetes to inform External Secrets where to fetch secrets from.
Secret Manager is a regionalized product so you will need to specify the region to create your secret in.
-
Copy the template below and paste it in a file named
secret-store.yaml.---apiVersion: external-secrets.io/v1beta1kind: SecretStoremetadata:name: secret-storenamespace: defaultspec:provider:scaleway:region: <REGION>projectId: <SCALEWAY_PROJECT_ID>accessKey:secretRef:name: scwsm-secretkey: access-keysecretKey:secretRef:name: scwsm-secretkey: secret-access-key -
Apply your file to your cluster:
kubectl apply -f secret-store.yaml
Create your first External Secret
Create an ExternalSecret resource to specify which secret to fetch from Secret Manager.
-
Copy the following template and paste it in a file named
external-secret.yaml---apiVersion: external-secrets.io/v1beta1kind: ExternalSecretmetadata:name: secretnamespace: defaultspec:refreshInterval: 20ssecretStoreRef:kind: SecretStorename: secret-storetarget:name: kubernetes-secret-to-be-createdcreationPolicy: Ownerdata:- secretKey: password # key in the kubernetes secretremoteRef:key: id:<SECRET_ID in the secret store>version: latest_enabled -
Apply the file to your cluster:
kubectl apply -f external-secret.yaml
A secret with the name kubernetes-secret-to-be-created should appear in your namespace. It contains the secret pulled from Secret Manager:
Uninstalling
Make sure you have deleted any resources created by External Secrets beforehand. You can check for any existing resources with the following command:
Once all these resources have been deleted you are ready to uninstall External Secrets.
Uninstalling with Helm
Uninstall the External Secrets deployment using the following command.