
Deploying External Secrets on Kubernetes Kapsule

Reviewed on 20 April 2023
Published on 21 February 2023
  • kapsule-cluster
  • kubernetes
  • external-secrets
  • secret-management

External Secrets - Overview

External Secrets is a Kubernetes operator that allows you to manage the lifecycle of your secrets from external providers.

In this tutorial you will learn how to deploy External Secrets and its services on Kubernetes Kapsule, the managed Kubernetes service from Scaleway.

Security & Identity (IAM):

You may need certain IAM permissions to carry out some actions described on this page. This means:

  • you are the Owner of the Scaleway Organization in which the actions will be carried out, or
  • you are an IAM user of the Organization, with a policy granting you the necessary permission sets
Requirements:

Preparing the Kubernetes Kapsule Cluster

  1. Make sure you are connected to your cluster and that kubectl and helm are installed on your local machine.
  2. Add the External Secrets helm repo and update it using the following command:
    helm repo add external-secrets https://charts.external-secrets.io
    helm repo update

Deploying External Secrets

To automatically install and manage the CRDs as part of your Helm release, you must add the --set installCRDs=true flag to your Helm installation command. Uncomment the relevant line in the next steps to enable this.

helm upgrade --install external-secrets external-secrets/external-secrets \
-n external-secrets \
--create-namespace \
# --set installCRDs=true

Create a secret containing your Scaleway API key information

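echo -n 'KEYID' > ./access-key
echo -n 'SECRETKEY' > ./secret-access-key
# Create the secret in the SecretStore's namespace (default in this tutorial).
kubectl create secret generic scwsm-secret --namespace default --from-file=./access-key --from-file=./secret-access-key
# Remove the plaintext key files once the secret exists.
rm ./access-key ./secret-access-key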

Create your first SecretStore

Secret Manager is a regionalized product, so you will need to create one SecretStore per region.

---
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: secret-store
  namespace: default
spec:
  provider:
    scaleway:
      region: <REGION>
      projectId: <YOUR_PROJECT_UUID>
      accessKey:
        secretRef:
          name: scwsm-secret
          key: access-key
      secretKey:
        secretRef:
          name: scwsm-secret
          key: secret-access-key

Create your first External Secret

---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: secret
  namespace: default
spec:
  refreshInterval: 20s
  secretStoreRef:
    kind: SecretStore
    name: secret-store
  target:
    name: kubernetes-secret-to-be-created
    creationPolicy: Owner
  data:
    - secretKey: password # key in the kubernetes secret
      remoteRef:
        key: id:<SECRET_ID in the secret store>
        version: latest_enabled

A secret with the name kubernetes-secret-to-be-created should be present in your namespace. It contains the secret pulled from Scaleway’s Secret Manager:

kubectl get secret kubernetes-secret-to-be-created
NAME                              TYPE     DATA   AGE
kubernetes-secret-to-be-created   Opaque   1      9m14s
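
`kubectl get secret` only shows that a Secret with that name exists. The following added example (not part of the original tutorial or of the External Secrets project) reads the JSON from `kubectl get ... -o json` and checks that the SecretStore and ExternalSecret report a Ready condition, that the referenced SecretStore is in the same namespace, and that the target Secret carries the owner reference that `creationPolicy: Owner` sets. The function names, the script name `audit_eso.py` and the embedded sample objects are constructed for illustration.

```python
import json
import sys

def is_ready(obj):
    """True when status.conditions holds a Ready condition with status "True"."""
    conds = obj.get("status", {}).get("conditions", [])
    return any(c.get("type") == "Ready" and c.get("status") == "True" for c in conds)

def audit(kube_list):
    """Return findings for the List printed by `kubectl get ... -o json`."""
    index = {(o["kind"], o["metadata"].get("namespace"), o["metadata"]["name"]): o
             for o in kube_list.get("items", [])}
    findings = []
    for (kind, ns, name), obj in index.items():
        if kind in ("SecretStore", "ExternalSecret") and not is_ready(obj):
            findings.append(f"{kind} {ns}/{name}: not Ready")
        if kind != "ExternalSecret":
            continue
        ref = obj["spec"]["secretStoreRef"]
        # A SecretStore is namespaced, so it must sit beside the ExternalSecret.
        if ref.get("kind", "SecretStore") == "SecretStore" and ("SecretStore", ns, ref["name"]) not in index:
            findings.append(f"ExternalSecret {ns}/{name}: SecretStore {ref['name']} not in namespace")
        target = obj["spec"].get("target", {}).get("name") or name
        secret = index.get(("Secret", ns, target))
        if secret is None:
            findings.append(f"ExternalSecret {ns}/{name}: target Secret {target} missing")
        elif not any(o.get("kind") == "ExternalSecret" and o.get("name") == name
                     for o in secret["metadata"].get("ownerReferences", [])):
            # creationPolicy: Owner leaves an ownerReference on the Secret it creates.
            findings.append(f"Secret {ns}/{target}: not owned by ExternalSecret {name}")
    return findings

def make_obj(kind, name, ready=None, spec=None, owner=None):
    """Build a minimal constructed object shaped like kubectl's JSON output."""
    owners = [{"kind": "ExternalSecret", "name": owner}] if owner else []
    conds = [{"type": "Ready", "status": ready}] if ready else []
    return {"kind": kind, "spec": spec or {}, "status": {"conditions": conds},
            "metadata": {"name": name, "namespace": "default", "ownerReferences": owners}}

ES_SPEC = {"secretStoreRef": {"kind": "SecretStore", "name": "secret-store"},
           "target": {"name": "kubernetes-secret-to-be-created", "creationPolicy": "Owner"}}
SAMPLE = {"items": [  # constructed: the tutorial's three objects in a healthy state
    make_obj("SecretStore", "secret-store", "True"),
    make_obj("ExternalSecret", "secret", "True", ES_SPEC),
    make_obj("Secret", "kubernetes-secret-to-be-created", owner="secret")]}

if __name__ == "__main__":
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    print("\n".join(audit(data)) or "OK: all ExternalSecrets synced")
```

Run it as `kubectl get secretstores,externalsecrets,secrets -n default -o json | python3 audit_eso.py`. That JSON includes the base64-encoded secret data, so pipe it straight into the script rather than saving it to a file.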

Uninstalling

Make sure you have deleted all external-secret resources you might have created beforehand. You can check for any existing resources with the following command:

kubectl get SecretStores,ClusterSecretStores,ExternalSecrets,ClusterExternalSecret,PushSecret --all-namespaces

Once all these resources have been deleted you are ready to uninstall external-secrets.

Uninstalling with Helm

Uninstall the helm release using the following command.

helm delete external-secrets --namespace external-secrets