Skip to navigationSkip to main contentSkip to footerScaleway Docs

Deploying External Secrets on Kubernetes Kapsule

External Secrets - Overview

External Secrets is a Kubernetes operator that allows you to manage the lifecycle of your secrets from external providers.

In this tutorial you will learn how to deploy External Secrets and its services on Kubernetes Kapsule, the managed Kubernetes service from Scaleway.

Before you start

To complete the actions presented below, you must have:

Preparing the Kubernetes Kapsule cluster

  1. Make sure you are connected to your cluster and that kubectl and helm are installed on your local machine.
  2. Add the External Secrets repository to your Helm configuration and update it using the following commands:
    helm repo add external-secrets https://charts.external-secrets.io
    helm repo update

Deploying External Secrets

Run the command below to deploy the External Secrets application in your cluster and create its associated resources. To automatically install and manage the CRDs as part of your Helm release, you must add the --set installCRDs=true flag to your Helm installation command. Uncomment the --set installCRDs=true line in the following command to do so.

helm upgrade --install external-secrets  external-secrets/external-secrets \
    -n external-secrets \
    --create-namespace \
    # --set installCRDs=true

Create a secret containing your Scaleway API key information

Make sure you replace ACCESSKEY and SECRETKEY with your own values.

echo -n 'ACCESSKEY' > ./access-key
echo -n 'SECRETKEY' > ./secret-access-key
kubectl create secret generic scwsm-secret --from-file=./access-key --from-file=./secret-access-key

Create your first SecretStore

Define a SecretStore resource in Kubernetes to inform External Secrets where to fetch secrets from. Secret Manager is a regionalized product, so you will need to specify the region in which you want to create your secret.

  1. Copy the template below and paste it into a file named secret-store.yaml.

    ---
    apiVersion: external-secrets.io/v1
    kind: SecretStore
    metadata:
      name: secret-store
      namespace: default
    spec:
      provider:
        scaleway:
          region: <REGION>
          projectId: <SCALEWAY_PROJECT_ID>
          accessKey:
            secretRef:
              name: scwsm-secret
              key: access-key
          secretKey:
            secretRef:
              name: scwsm-secret
              key: secret-access-key
  2. Apply your file to your cluster:

    kubectl apply -f secret-store.yaml

Create your first External Secret

Create an ExternalSecret resource to specify which secret to fetch from Secret Manager.

  1. Copy the following template and paste it into a file named external-secret.yaml

    ---
    apiVersion: external-secrets.io/v1
    kind: ExternalSecret
    metadata:
        name: secret
        namespace: default
    spec:
        refreshInterval: 20s
        secretStoreRef:
            kind: SecretStore
            name: secret-store
        target:
            name: kubernetes-secret-to-be-created
            creationPolicy: Owner
        data:
          - secretKey: password  # key in the kubernetes secret
            remoteRef:
              key: id:<SECRET_ID in the secret store>
              version: latest_enabled
  2. Apply the file to your cluster:

    kubectl apply -f external-secret.yaml

A secret with the name kubernetes-secret-to-be-created should appear in your namespace. It contains the secret pulled from Secret Manager:

kubectl get secret kubernetes-secret-to-be-created
NAME                              TYPE     DATA   AGE
kubernetes-secret-to-be-created   Opaque   1      9m14s

Uninstalling

Make sure you have deleted any resources created by External Secrets beforehand. You can check for any existing resources with the following command:

kubectl get SecretStores,ClusterSecretStores,ExternalSecrets,ClusterExternalSecret,PushSecret --all-namespaces

Once all these resources have been deleted you are ready to uninstall External Secrets.

Uninstalling with Helm

Uninstall the External Secrets deployment using the following command.

helm delete external-secrets --namespace external-secrets
Still need help?

Create a support ticket
No Results