|
| 1 | +--- |
| 2 | +meta: |
| 3 | + title: Deploying External Secrets on Kubernetes Kapsule |
| 4 | + description: Learn how to deploy External Secrets on Kubernetes Kapsule, seamlessly integrating with Scaleway Secret Manager for secure secret management. |
| 5 | +content: |
| 6 | + h1: Deploying External Secrets on Kubernetes Kapsule |
| 7 | + paragraph: Learn how to deploy External Secrets on Kubernetes Kapsule, seamlessly integrating with Scaleway Secret Manager for secure secret management. |
| 8 | +tags: kapsule-cluster kubernetes external-secrets secret-management |
| 9 | +categories: |
| 10 | + - containers |
| 11 | +dates: |
| 12 | + validation: 2024-12-24 |
| 13 | + posted: 2024-12-24 |
| 14 | +--- |
| 15 | + |
| 16 | +## External Secrets - Overview |
| 17 | + |
| 18 | +[External Secrets](https://external-secrets.io) is a Kubernetes operator that allows you to manage the lifecycle of your secrets from external providers. |
| 19 | + |
| 20 | +In this tutorial you will learn how to deploy External Secrets and its services on [Kubernetes Kapsule](/containers/kubernetes/concepts/#kubernetes-kapsule), the managed Kubernetes service from Scaleway. |
| 21 | + |
| 22 | +<Macro id="requirements" /> |
| 23 | + |
| 24 | +- A Scaleway account logged into the [console](https://console.scaleway.com) |
| 25 | +- [Owner](/identity-and-access-management/iam/concepts/#owner) status or [IAM permissions](/identity-and-access-management/iam/concepts/#permission) allowing you to perform actions in the intended Organization |
| 26 | +- An [SSH key](/identity-and-access-management/organizations-and-projects/how-to/create-ssh-key/) |
| 27 | +- [Created a Kapsule cluster](/containers/kubernetes/how-to/create-cluster/) |
| 28 | +- Configured [kubectl](/containers/kubernetes/how-to/connect-cluster-kubectl/) |
| 29 | +- Installed `helm`, the Kubernetes [package manager](https://helm.sh/), on your local machine (version 3.2 or latest) |
| 30 | + |
| 31 | +## Preparing the Kubernetes Kapsule cluster |
| 32 | + |
| 33 | +1. Make sure you are connected to your cluster and that `kubectl` and `helm` are installed on your local machine. |
| 34 | +2. Add the External Secrets repository to your Helm configuration and update it using the following commands: |
| 35 | + ``` |
| 36 | + helm repo add external-secrets https://charts.external-secrets.io |
| 37 | + helm repo update |
| 38 | + ``` |
| 39 | + |
| 40 | +## Deploying External Secrets |
| 41 | + |
| 42 | +Run the command below to deploy the External Secrets application in your cluster and create its associated resources. |
| 43 | +To automatically install and manage the CRDs as part of your Helm release, you must add the `--set installCRDs=true` flag to your Helm installation command. |
| 44 | +Uncomment the `--set installCRDs=true` line in the following command to do so. |
| 45 | +``` |
| 46 | +helm upgrade --install external-secrets external-secrets/external-secrets \ |
| 47 | + -n external-secrets \ |
| 48 | + --create-namespace \ |
| 49 | + # --set installCRDs=true |
| 50 | +``` |
| 51 | + |
| 52 | +## Create a secret containing your Scaleway API key information |
| 53 | + |
| 54 | +Make sure you replace `ACCESSKEY` and `SECRETKEY` with your own values. |
| 55 | + |
| 56 | +``` |
| 57 | +echo -n 'ACCESSKEY' > ./access-key |
| 58 | +echo -n 'SECRETKEY' > ./secret-access-key |
| 59 | +kubectl create secret generic scwsm-secret --from-file=./access-key --from-file=./secret-access-key |
| 60 | +``` |
| 61 | +## Create your first SecretStore |
| 62 | + |
| 63 | +Define a `SecretStore` resource in Kubernetes to inform External Secrets where to fetch secrets from. |
| 64 | +Secret Manager is a regionalized product, so you will need to specify the [region](/identity-and-access-management/secret-manager/concepts/#region) in which you want to create your secret. |
| 65 | + |
| 66 | +1. Copy the template below and paste it into a file named `secret-store.yaml`. |
| 67 | + |
| 68 | + ``` |
| 69 | + --- |
| 70 | + apiVersion: external-secrets.io/v1beta1 |
| 71 | + kind: SecretStore |
| 72 | + metadata: |
| 73 | + name: secret-store |
| 74 | + namespace: default |
| 75 | + spec: |
| 76 | + provider: |
| 77 | + scaleway: |
| 78 | + region: <REGION> |
| 79 | + projectId: <SCALEWAY_PROJECT_ID> |
| 80 | + accessKey: |
| 81 | + secretRef: |
| 82 | + name: scwsm-secret |
| 83 | + key: access-key |
| 84 | + secretKey: |
| 85 | + secretRef: |
| 86 | + name: scwsm-secret |
| 87 | + key: secret-access-key |
| 88 | + ``` |
| 89 | +2. Apply your file to your cluster: |
| 90 | + |
| 91 | + ``` |
| 92 | + kubectl apply -f secret-store.yaml |
| 93 | + ``` |
| 94 | + |
| 95 | +## Create your first External Secret |
| 96 | + |
| 97 | +Create an `ExternalSecret` resource to specify which secret to fetch from Secret Manager. |
| 98 | + |
| 99 | +1. Copy the following template and paste it into a file named `external-secret.yaml` |
| 100 | + |
| 101 | + ``` |
| 102 | + --- |
| 103 | + apiVersion: external-secrets.io/v1beta1 |
| 104 | + kind: ExternalSecret |
| 105 | + metadata: |
| 106 | + name: secret |
| 107 | + namespace: default |
| 108 | + spec: |
| 109 | + refreshInterval: 20s |
| 110 | + secretStoreRef: |
| 111 | + kind: SecretStore |
| 112 | + name: secret-store |
| 113 | + target: |
| 114 | + name: kubernetes-secret-to-be-created |
| 115 | + creationPolicy: Owner |
| 116 | + data: |
| 117 | + - secretKey: password # key in the kubernetes secret |
| 118 | + remoteRef: |
| 119 | + key: id:<SECRET_ID in the secret store> |
| 120 | + version: latest_enabled |
| 121 | + ``` |
| 122 | +2. Apply the file to your cluster: |
| 123 | + ``` |
| 124 | + kubectl apply -f external-secret.yaml |
| 125 | + ``` |
| 126 | + |
| 127 | +A secret with the name `kubernetes-secret-to-be-created` should appear in your namespace. It contains the secret pulled from Secret Manager: |
| 128 | + |
| 129 | +``` |
| 130 | +kubectl get secret kubernetes-secret-to-be-created |
| 131 | +NAME TYPE DATA AGE |
| 132 | +kubernetes-secret-to-be-created Opaque 1 9m14s |
| 133 | +``` |
| 134 | + |
| 135 | +## Uninstalling |
| 136 | + |
| 137 | +Make sure you have deleted any resources created by External Secrets beforehand. You can check for any existing resources with the following command: |
| 138 | + |
| 139 | +``` |
| 140 | +kubectl get SecretStores,ClusterSecretStores,ExternalSecrets,ClusterExternalSecret,PushSecret --all-namespaces |
| 141 | +``` |
| 142 | + |
| 143 | +Once all these resources have been deleted you are ready to uninstall External Secrets. |
| 144 | + |
| 145 | +## Uninstalling with Helm |
| 146 | + |
| 147 | +Uninstall the External Secrets deployment using the following command. |
| 148 | + |
| 149 | +``` |
| 150 | +helm delete external-secrets --namespace external-secrets |
| 151 | +``` |
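Review bot: lines 57-59 write the API access key and secret key to `./access-key` and `./secret-access-key` in plaintext and never remove them after `kubectl create secret`, so the tutorial leaves long-lived credentials on the reader's disk; either add an `rm -f ./access-key ./secret-access-key` step directly after the `kubectl create secret generic scwsm-secret --from-file=./access-key --from-file=./secret-access-key` line, or use `--from-literal=access-key=ACCESSKEY --from-literal=secret-access-key=SECRETKEY` and drop the files entirely, and state which namespace the secret lands in, since line 59 passes no `-n` while the `SecretStore` at lines 73-74 resolves `scwsm-secret` in `default`. Lines 43-44 contradict each other: "you must add the `--set installCRDs=true` flag" is immediately followed by leaving that flag commented out in line 49, yet the `SecretStore` and `ExternalSecret` applied at lines 92 and 124 cannot be created without those CRDs; either pass the flag unconditionally or explain under which conditions it may be omitted. Line 64 says the region is the one "in which you want to create your secret", but this `SecretStore` only reads; reword to the region in which the secret is stored. Line 119 `key: id:<SECRET_ID in the secret store>` should say the Secret Manager secret ID, because "secret store" here collides with the `SecretStore` resource defined at line 71. The Uninstalling section (lines 135-150) should also say whether the CRDs added by line 49 are meant to be removed, since `helm delete external-secrets --namespace external-secrets` is not shown removing them. Style: line 29 "version 3.2 or latest" should read "version 3.2 or later".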