NavigationContentFooter
Jump toSuggest an edit

Deploying External Secrets on Kubernetes Kapsule

Reviewed on 16 November 2023Published on 21 February 2023

External Secrets - Overview

External Secrets is a Kubernetes operator that allows you to manage the lifecycle of your secrets from external providers.

In this tutorial you will learn how to deploy External Secrets and its services on Kubernetes Kapsule, the managed Kubernetes service from Scaleway.

Security & Identity (IAM)

To perform certain actions described below, you must either be the Owner of the Organization in which the actions will be performed or an IAM user with the necessary permissions.

Requirements
  • You have an account and are logged into the Scaleway console
  • You have configured your SSH key
  • You have created a Kapsule cluster
  • You have configured kubectl
  • You have installed helm, the Kubernetes package manager, on your local machine (version 3.2 or latest)

Preparing the Kubernetes Kapsule cluster

  1. Make sure you are connected to your cluster and that kubectl and helm are installed on your local machine.
  2. Add the External Secrets helm repo and update it using the following command:
    helm repo add external-secrets https://charts.external-secrets.io
    helm repo update

Deploying External Secrets

To automatically install and manage the CRDs as part of your Helm release, you must add the --set installCRDs=true flag to your Helm installation command. Uncomment the relevant line in the next steps to enable this.

helm upgrade --install external-secrets external-secrets/external-secrets \
-n external-secrets \
--create-namespace \
# --set installCRDs=true

Create a secret containing your Scaleway API key information

Make sure you replace KEYID and SECRETKEY with your own values.

echo -n 'KEYID' > ./access-key
echo -n 'SECRETKEY' > ./secret-access-key
kubectl create secret generic scwsm-secret --from-file=./access-key --from-file=./secret-access-key

Create your first SecretStore

Secret Manager is a regionalized product so you will need to create a secret stored by region.

---
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
name: secret-store
namespace: default
spec:
provider:
scaleway:
region: <REGION>
projectId: <YOUR_PROJECT_UUID>
accessKey:
secretRef:
name: scwsm-secret
key: access-key
secretKey:
secretRef:
name: scwsm-secret
key: secret-access-key

Create your first External Secret

---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: secret
namespace: default
spec:
refreshInterval: 20s
secretStoreRef:
kind: SecretStore
name: secret-store
target:
name: kubernetes-secret-to-be-created
creationPolicy: Owner
data:
- secretKey: password # key in the kubernetes secret
remoteRef:
key: id:<SECRET_ID in the secret store>
version: latest_enabled

A secret with the name kubernetes-secret-to-be-created should be present in your namespace. It contains the secret pulled from Scaleway’s Secret Manager:

kubectl get secret kubernetes-secret-to-be-created
NAME TYPE DATA AGE
kubernetes-secret-to-be-created Opaque 1 9m14s

Uninstalling

Make sure you have deleted all external-secret resources you might have created beforehand. You can check for any existing resources with the following command:

kubectl get SecretStores,ClusterSecretStores,ExternalSecrets,ClusterExternalSecret,PushSecret --all-namespaces

Once all these resources have been deleted you are ready to uninstall external-secrets.

Uninstalling with Helm

Uninstall the helm release using the following command.

helm delete external-secrets --namespace external-secrets
Cloud Products & Resources
  • Scaleway Console
  • Compute
  • Storage
  • Network
  • IoT
  • AI
Dedicated Products & Resources
  • Dedibox Console
  • Dedibox Servers
  • Network
  • Web Hosting
Scaleway
  • Scaleway.com
  • Blog
  • Careers
  • Scaleway Learning
Follow us
FacebookTwitterSlackInstagramLinkedin
ContractsLegal NoticePrivacy PolicyCookie PolicyDocumentation license
© 1999-2024 – Scaleway SAS