From c44124dcfecedb02b5870209ce0799d0b7725982 Mon Sep 17 00:00:00 2001 From: nerda-codes Date: Tue, 24 Dec 2024 12:28:49 +0100 Subject: [PATCH 1/3] docs(add): add external secrets in k8s --- .../api-cli/external-secrets-kubernetes.mdx | 150 ++++++++++++++++++ menu/navigation.json | 3 + 2 files changed, 153 insertions(+) create mode 100644 containers/kubernetes/api-cli/external-secrets-kubernetes.mdx diff --git a/containers/kubernetes/api-cli/external-secrets-kubernetes.mdx b/containers/kubernetes/api-cli/external-secrets-kubernetes.mdx new file mode 100644 index 0000000000..6ac319502b --- /dev/null +++ b/containers/kubernetes/api-cli/external-secrets-kubernetes.mdx 
@@ -0,0 +1,150 @@ +--- +meta: + title: Deploying External Secrets on Kubernetes Kapsule + description: Learn how to deploy External Secrets on Kubernetes Kapsule, seamlessly integrating with Scaleway Secret Manager for secure secret management. +content: + h1: Deploying External Secrets on Kubernetes Kapsule + paragraph: Learn how to deploy External Secrets on Kubernetes Kapsule, seamlessly integrating with Scaleway Secret Manager for secure secret management. +tags: kapsule-cluster kubernetes external-secrets secret-management +categories: + - identity-and-access-management +dates: + validation: 2024-12-24 + posted: 2024-12-24 +--- + +## External Secrets - Overview + +[External Secrets](https://external-secrets.io) is a Kubernetes operator that allows you to manage the lifecycle of your secrets from external providers. + +In this tutorial you will learn how to deploy External Secrets and its services on [Kubernetes Kapsule](/containers/kubernetes/concepts/#kubernetes-kapsule), the managed Kubernetes service from Scaleway. + + + +- A Scaleway account logged into the [console](https://console.scaleway.com) +- [Owner](/identity-and-access-management/iam/concepts/#owner) status or [IAM permissions](/identity-and-access-management/iam/concepts/#permission) allowing you to perform actions in the intended Organization +- An [SSH key](/identity-and-access-management/organizations-and-projects/how-to/create-ssh-key/) +- [Created a Kapsule cluster](/containers/kubernetes/how-to/create-cluster/) +- Configured [kubectl](/containers/kubernetes/how-to/connect-cluster-kubectl/) +- Installed `helm`, the Kubernetes [package manager](https://helm.sh/), on your local machine (version 3.2 or latest) + +## Preparing the Kubernetes Kapsule cluster + +1. Make sure you are connected to your cluster and that `kubectl` and `helm` are installed on your local machine. +2. 
Add the External Secrets repository to your Helm configuration and update it using the following commands: + ``` + helm repo add external-secrets https://charts.external-secrets.io + helm repo update + ``` + +## Deploying External Secrets + +Run the command below to deploy the External Secrets application in your cluster and create its associated resources. +To automatically install and manage the CRDs as part of your Helm release, you must add the `--set installCRDs=true` flag to your Helm installation command. +Uncomment the `--set installCRDs=true` line in the following command to do so. +``` +helm upgrade --install external-secrets external-secrets/external-secrets \ + -n external-secrets \ + --create-namespace \ + # --set installCRDs=true +``` + +## Create a secret containing your Scaleway API key information + +Make sure you replace `ACCESSKEY` and `SECRETKEY` with your own values. + +``` +echo -n 'ACCESSKEY' > ./access-key +echo -n 'SECRETKEY' > ./secret-access-key +kubectl create secret generic scwsm-secret --from-file=./access-key --from-file=./secret-access-key +``` +## Create your first SecretStore + +Define a `SecretStore` resource in Kubernetes to inform External Secrets where to fetch secrets from. +Secret Manager is a regionalized product so you will need to specify the [region](/identity-and-access-management/secret-manager/concepts/#region) to create your secret in. + +1. Copy the template below and paste it in a file named `secret-store.yaml`. + + ``` + --- + apiVersion: external-secrets.io/v1beta1 + kind: SecretStore + metadata: + name: secret-store + namespace: default + spec: + provider: + scaleway: + region: + projectId: + accessKey: + secretRef: + name: scwsm-secret + key: access-key + secretKey: + secretRef: + name: scwsm-secret + key: secret-access-key + ``` +2. 
Apply your file to your cluster: + + ``` + kubectl apply -f secret-store.yaml + ``` + +## Create your first External Secret + +Create an `ExternalSecret` resource to specify which secret to fetch from Secret Manager. +1. Copy the following template and paste it in a file named `external-secret.yaml` + + ``` + --- + apiVersion: external-secrets.io/v1beta1 + kind: ExternalSecret + metadata: + name: secret + namespace: default + spec: + refreshInterval: 20s + secretStoreRef: + kind: SecretStore + name: secret-store + target: + name: kubernetes-secret-to-be-created + creationPolicy: Owner + data: + - secretKey: password # key in the kubernetes secret + remoteRef: + key: id: + version: latest_enabled + ``` +2. Apply the file to your cluster: + ``` + kubectl apply -f external-secret.yaml + ``` + +A secret with the name `kubernetes-secret-to-be-created` should appear in your namespace. It contains the secret pulled from Secret Manager: + +``` +kubectl get secret kubernetes-secret-to-be-created +NAME TYPE DATA AGE +kubernetes-secret-to-be-created Opaque 1 9m14s +``` + +## Uninstalling + +Make sure you have deleted any resources created by External Secrets beforehand. You can check for any existing resources with the following command: + +``` +kubectl get SecretStores,ClusterSecretStores,ExternalSecrets,ClusterExternalSecret,PushSecret --all-namespaces +``` + +Once all these resources have been deleted you are ready to uninstall External Secrets. + +## Uninstalling with Helm + +Uninstall the External Secrets deployment using the following command. + +``` +helm delete external-secrets --namespace external-secrets +``` \ No newline at end of file diff --git a/menu/navigation.json b/menu/navigation.json index 7c01f0218c..ce882e0fa0 100644 --- a/menu/navigation.json +++ b/menu/navigation.json 
@@ -1865,6 +1865,9 @@ { "label": "Using the Kapsule autoheal feature", "slug": "using-kapsule-autoheal-feature" + }, { + "label": "Deploying External Secrets on Kubernetes Kapsule", + "slug": "external-secrets-kubernetes" }, { "label": "Wildcard DNS routing", From 76d777c847364b2564d9d080f3fceed9be60b5a6 Mon Sep 17 00:00:00 2001 From: nerda-codes <87707325+nerda-codes@users.noreply.github.com> Date: Tue, 24 Dec 2024 12:32:43 +0100 Subject: [PATCH 2/3] Update containers/kubernetes/api-cli/external-secrets-kubernetes.mdx --- containers/kubernetes/api-cli/external-secrets-kubernetes.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/containers/kubernetes/api-cli/external-secrets-kubernetes.mdx b/containers/kubernetes/api-cli/external-secrets-kubernetes.mdx index 6ac319502b..300280e461 100644 --- a/containers/kubernetes/api-cli/external-secrets-kubernetes.mdx +++ b/containers/kubernetes/api-cli/external-secrets-kubernetes.mdx @@ -7,7 +7,7 @@ content: paragraph: Learn how to deploy External Secrets on Kubernetes Kapsule, seamlessly integrating with Scaleway Secret Manager for secure secret management. tags: kapsule-cluster kubernetes external-secrets secret-management categories: - - identity-and-access-management + - containers dates: validation: 2024-12-24 posted: 2024-12-24 From c5daa818990bfb0805266271bb4c24ef096a08b7 Mon Sep 17 00:00:00 2001 From: nerda-codes <87707325+nerda-codes@users.noreply.github.com> Date: Mon, 30 Dec 2024 10:56:29 +0100 Subject: [PATCH 3/3] Apply suggestions from code review Co-authored-by: Jessica <113192637+jcirinosclwy@users.noreply.github.com> --- .../kubernetes/api-cli/external-secrets-kubernetes.mdx | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/containers/kubernetes/api-cli/external-secrets-kubernetes.mdx b/containers/kubernetes/api-cli/external-secrets-kubernetes.mdx index 300280e461..68de0bd1f3 100644 --- a/containers/kubernetes/api-cli/external-secrets-kubernetes.mdx 
+++ b/containers/kubernetes/api-cli/external-secrets-kubernetes.mdx @@ -61,9 +61,9 @@ kubectl create secret generic scwsm-secret --from-file=./access-key --from-file= ## Create your first SecretStore Define a `SecretStore` resource in Kubernetes to inform External Secrets where to fetch secrets from. -Secret Manager is a regionalized product so you will need to specify the [region](/identity-and-access-management/secret-manager/concepts/#region) to create your secret in. +Secret Manager is a regionalized product, so you will need to specify the [region](/identity-and-access-management/secret-manager/concepts/#region) in which you want to create your secret. -1. Copy the template below and paste it in a file named `secret-store.yaml`. +1. Copy the template below and paste it into a file named `secret-store.yaml`. ``` --- @@ -95,7 +95,8 @@ Secret Manager is a regionalized product so you will need to specify the [region ## Create your first External Secret Create an `ExternalSecret` resource to specify which secret to fetch from Secret Manager. -1. Copy the following template and paste it in a file named `external-secret.yaml` + +1. Copy the following template and paste it into a file named `external-secret.yaml` ``` ---
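Review bot: in the new-file hunk (`@@ -0,0 +1,150 @@`), the `kubectl create secret generic scwsm-secret --from-file=./access-key --from-file=./secret-access-key` command omits a namespace, while the `SecretStore` template that references `scwsm-secret` is pinned to `namespace: default`; if the reader's kubeconfig context points at another namespace, the store will not find the secret. Suggest adding `-n default` to the `kubectl create secret` command, or dropping the hard-coded `namespace: default` from the manifests and telling the reader to keep the secret and the store in the same namespace. Two smaller points in the same hunk: the `./access-key` and `./secret-access-key` files keep the API key in plaintext on the local disk after the Kubernetes secret exists, so a `rm ./access-key ./secret-access-key` step (or at least a reminder) after the `kubectl create secret` line would be worth adding; and `region:`, `projectId:` and `remoteRef.key: id:` appear with empty values, so a visible placeholder such as `region: <your-region>` would make it clear these fields must be filled in before `kubectl apply`.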
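Review bot: in the `@@ -95,7 +95,8 @@` hunk, the rewritten step `1. Copy the following template and paste it into a file named `external-secret.yaml`` still lacks a trailing period, while the matching SecretStore step changed in the previous hunk ends with one (`... into a file named `secret-store.yaml`.`); suggest adding the period so the two numbered steps read consistently.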