Deploying External Secrets on Kubernetes Kapsule
External Secrets - Overview
External Secrets is a Kubernetes operator that allows you to manage the lifecycle of your secrets from external providers.
In this tutorial you will learn how to deploy External Secrets and its services on Kubernetes Kapsule, the managed Kubernetes service from Scaleway.
Before you start
To complete the actions presented below, you must have:
- A Scaleway account logged into the console
- Owner status or IAM permissions allowing you to perform actions in the intended Organization
- An SSH key
- Created a Kapsule cluster
- Configured kubectl
- Installed
helm, the Kubernetes package manager, on your local machine (version 3.2 or latest)
Preparing the Kubernetes Kapsule cluster
- Make sure you are connected to your cluster and that
kubectlandhelmare installed on your local machine. - Add the External Secrets repository to your Helm configuration and update it using the following commands:
helm repo add external-secrets https://charts.external-secrets.io helm repo update
Deploying External Secrets
Run the command below to deploy the External Secrets application in your cluster and create its associated resources.
To automatically install and manage the CRDs as part of your Helm release, you must add the --set installCRDs=true flag to your Helm installation command.
Uncomment the --set installCRDs=true line in the following command to do so.
helm upgrade --install external-secrets external-secrets/external-secrets \
-n external-secrets \
--create-namespace \
# --set installCRDs=trueCreate a secret containing your Scaleway API key information
Make sure you replace ACCESSKEY and SECRETKEY with your own values.
echo -n 'ACCESSKEY' > ./access-key
echo -n 'SECRETKEY' > ./secret-access-key
kubectl create secret generic scwsm-secret --from-file=./access-key --from-file=./secret-access-keyCreate your first SecretStore
Define a SecretStore resource in Kubernetes to inform External Secrets where to fetch secrets from.
Secret Manager is a regionalized product, so you will need to specify the region in which you want to create your secret.
-
Copy the template below and paste it into a file named
secret-store.yaml.--- apiVersion: external-secrets.io/v1 kind: SecretStore metadata: name: secret-store namespace: default spec: provider: scaleway: region: <REGION> projectId: <SCALEWAY_PROJECT_ID> accessKey: secretRef: name: scwsm-secret key: access-key secretKey: secretRef: name: scwsm-secret key: secret-access-key -
Apply your file to your cluster:
kubectl apply -f secret-store.yaml
Create your first External Secret
Create an ExternalSecret resource to specify which secret to fetch from Secret Manager.
-
Copy the following template and paste it into a file named
external-secret.yaml--- apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: name: secret namespace: default spec: refreshInterval: 20s secretStoreRef: kind: SecretStore name: secret-store target: name: kubernetes-secret-to-be-created creationPolicy: Owner data: - secretKey: password # key in the kubernetes secret remoteRef: key: id:<SECRET_ID in the secret store> version: latest_enabled -
Apply the file to your cluster:
kubectl apply -f external-secret.yaml
A secret with the name kubernetes-secret-to-be-created should appear in your namespace. It contains the secret pulled from Secret Manager:
kubectl get secret kubernetes-secret-to-be-created
NAME TYPE DATA AGE
kubernetes-secret-to-be-created Opaque 1 9m14sUninstalling
Make sure you have deleted any resources created by External Secrets beforehand. You can check for any existing resources with the following command:
kubectl get SecretStores,ClusterSecretStores,ExternalSecrets,ClusterExternalSecret,PushSecret --all-namespacesOnce all these resources have been deleted you are ready to uninstall External Secrets.
Uninstalling with Helm
Uninstall the External Secrets deployment using the following command.
helm delete external-secrets --namespace external-secrets