Deploying External Secrets on Kubernetes Kapsule
External Secrets - Overview
External Secrets is a Kubernetes operator that allows you to manage the lifecycle of your secrets from external providers.
In this tutorial you will learn how to deploy External Secrets and its services on Kubernetes Kapsule, the managed Kubernetes service from Scaleway.
You may need certain IAM permissions to carry out some actions described on this page. This means:
- you are the Owner of the Scaleway Organization in which the actions will be carried out, or
- you are an IAM user of the Organization, with a policy granting you the necessary permission sets
- You have an account and are logged into the Scaleway console
- You have configured your SSH Key
- You have created a Kapsule cluster
- You have configured kubectl
- You have installed
helm, the Kubernetes package manager, on your local machine (version 3.2 or latest)
Preparing the Kubernetes Kapsule Cluster
- Make sure you are connected to your cluster and that
helmare installed on your local machine.
- Add the External Secrets helm repo and update it using the following command:
helm repo add external-secrets https://charts.external-secrets.iohelm repo update
Deploying External Secrets
To automatically install and manage the CRDs as part of your Helm release, you must add the
--set installCRDs=true flag to your Helm installation command.
Uncomment the relevant line in the next steps to enable this.
helm upgrade --install external-secrets external-secrets/external-secrets \-n external-secrets \--create-namespace \# --set installCRDs=true
Create a secret containing your Scaleway API key information
echo -n 'KEYID' > ./access-keyecho -n 'SECRETKEY' > ./secret-access-keykubectl create secret generic scwsm-secret --from-file=./access-key --from-file=./secret-access-key
Create your first SecretStore
Secret Manager is a regionalized product so you will need to create a secret store by region.
---apiVersion: external-secrets.io/v1beta1kind: SecretStoremetadata:name: secret-storenamespace: defaultspec:provider:scaleway:region: <REGION>projectId: <YOUR_PROJECT_UUID>accessKey:secretRef:name: scwsm-secretkey: access-keysecretKey:secretRef:name: scwsm-secretkey: secret-access-key
Create your first External Secret
---apiVersion: external-secrets.io/v1beta1kind: ExternalSecretmetadata:name: secretnamespace: defaultspec:refreshInterval: 20ssecretStoreRef:kind: SecretStorename: secret-storetarget:name: kubernetes-secret-to-be-createdcreationPolicy: Ownerdata:- secretKey: password # key in the kubernetes secretremoteRef:key: id:<SECRET_ID in the secret store>version: latest_enabled
A secret with the name
kubernetes-secret-to-be-created should be present in your namespace. It contains the secret pulled from Scaleway’s Secret Manager:
kubectl get secret kubernetes-secret-to-be-createdNAME TYPE DATA AGEkubernetes-secret-to-be-created Opaque 1 9m14s
Make sure you have deleted all external-secret resources you might have created beforehand. You can check for any existing resources with the following command:
kubectl get SecretStores,ClusterSecretStores,ExternalSecrets,ClusterExternalSecret,PushSecret --all-namespaces
Once all these resources have been deleted you are ready to uninstall external-secrets.
Uninstalling with Helm
Uninstall the helm release using the following command.
helm delete external-secrets --namespace external-secrets