NavigationContentFooter
Jump toSuggest an edit

Deploying External Secrets on Kubernetes Kapsule

Reviewed on 16 November 2023Published on 21 February 2023

External Secrets - Overview

External Secrets is a Kubernetes operator that allows you to manage the lifecycle of your secrets from external providers.

In this tutorial you will learn how to deploy External Secrets and its services on Kubernetes Kapsule, the managed Kubernetes service from Scaleway.

Before you start

To complete the actions presented below, you must have:

  • A Scaleway account logged into the console
  • Owner status or IAM permissions allowing you to perform actions in the intended Organization
  • An SSH key
  • Created a Kapsule cluster
  • Configured kubectl
  • Installed helm, the Kubernetes package manager, on your local machine (version 3.2 or latest)

Preparing the Kubernetes Kapsule cluster

  1. Make sure you are connected to your cluster and that kubectl and helm are installed on your local machine.
  2. Add the External Secrets helm repo and update it using the following command: 
    helm repo add external-secrets https://charts.external-secrets.io
    helm repo update

Deploying External Secrets

To automatically install and manage the CRDs as part of your Helm release, you must add the --set installCRDs=true flag to your Helm installation command. Uncomment the relevant line in the next steps to enable this.

helm upgrade --install external-secrets  external-secrets/external-secrets \
    -n external-secrets \
    --create-namespace \
    # --set installCRDs=true

Create a secret containing your Scaleway API key information

Make sure you replace KEYID and SECRETKEY with your own values.

echo -n 'KEYID' > ./access-key
echo -n 'SECRETKEY' > ./secret-access-key
kubectl create secret generic scwsm-secret --from-file=./access-key --from-file=./secret-access-key

Create your first SecretStore

Secret Manager is a regionalized product so you will need to create a secret stored by region.

---
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: secret-store
  namespace: default
spec:
  provider:
    scaleway:
      region: <REGION>
      projectId: <YOUR_PROJECT_UUID>
      accessKey:
        secretRef:
          name: scwsm-secret
          key: access-key
      secretKey:
        secretRef:
          name: scwsm-secret
          key: secret-access-key

Create your first External Secret

---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
    name: secret
    namespace: default
spec:
    refreshInterval: 20s
    secretStoreRef:
        kind: SecretStore
        name: secret-store
    target:
        name: kubernetes-secret-to-be-created
        creationPolicy: Owner
    data:
      - secretKey: password  # key in the kubernetes secret
        remoteRef:
          key: id:<SECRET_ID in the secret store>
          version: latest_enabled

A secret with the name kubernetes-secret-to-be-created should be present in your namespace. It contains the secret pulled from Scaleway’s Secret Manager:

kubectl get secret kubernetes-secret-to-be-created
NAME                              TYPE     DATA   AGE
kubernetes-secret-to-be-created   Opaque   1      9m14s

Uninstalling

Make sure you have deleted all external-secret resources you might have created beforehand. You can check for any existing resources with the following command:

kubectl get SecretStores,ClusterSecretStores,ExternalSecrets,ClusterExternalSecret,PushSecret --all-namespaces

Once all these resources have been deleted you are ready to uninstall external-secrets.

Uninstalling with Helm

Uninstall the helm release using the following command.

helm delete external-secrets --namespace external-secrets
Docs APIScaleway consoleDedibox consoleScaleway LearningScaleway.comPricingBlogCarreer
© 2023-2024 – Scaleway