docs(add): add external secrets in k8s #4144
150 changes: 150 additions & 0 deletions
containers/kubernetes/api-cli/external-secrets-kubernetes.mdx
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,150 @@ | ||
| --- | ||
| meta: | ||
| title: Deploying External Secrets on Kubernetes Kapsule | ||
| description: Learn how to deploy External Secrets on Kubernetes Kapsule, seamlessly integrating with Scaleway Secret Manager for secure secret management. | ||
| content: | ||
| h1: Deploying External Secrets on Kubernetes Kapsule | ||
| paragraph: Learn how to deploy External Secrets on Kubernetes Kapsule, seamlessly integrating with Scaleway Secret Manager for secure secret management. | ||
| tags: kapsule-cluster kubernetes external-secrets secret-management | ||
| categories: | ||
| - identity-and-access-management | ||
| dates: | ||
| validation: 2024-12-24 | ||
| posted: 2024-12-24 | ||
| --- | ||
|
|
||
| ## External Secrets - Overview | ||
|
|
||
| [External Secrets](https://external-secrets.io) is a Kubernetes operator that allows you to manage the lifecycle of your secrets from external providers. | ||
|
|
||
| In this tutorial you will learn how to deploy External Secrets and its services on [Kubernetes Kapsule](/containers/kubernetes/concepts/#kubernetes-kapsule), the managed Kubernetes service from Scaleway. | ||
|
|
||
| <Macro id="requirements" /> | ||
|
|
||
| - A Scaleway account logged into the [console](https://console.scaleway.com) | ||
| - [Owner](/identity-and-access-management/iam/concepts/#owner) status or [IAM permissions](/identity-and-access-management/iam/concepts/#permission) allowing you to perform actions in the intended Organization | ||
| - An [SSH key](/identity-and-access-management/organizations-and-projects/how-to/create-ssh-key/) | ||
| - [Created a Kapsule cluster](/containers/kubernetes/how-to/create-cluster/) | ||
| - Configured [kubectl](/containers/kubernetes/how-to/connect-cluster-kubectl/) | ||
| - Installed `helm`, the Kubernetes [package manager](https://helm.sh/), on your local machine (version 3.2 or latest) | ||
|
|
||
| ## Preparing the Kubernetes Kapsule cluster | ||
|
|
||
| 1. Make sure you are connected to your cluster and that `kubectl` and `helm` are installed on your local machine. | ||
| 2. Add the External Secrets repository to your Helm configuration and update it using the following commands: | ||
| ``` | ||
| helm repo add external-secrets https://charts.external-secrets.io | ||
| helm repo update | ||
| ``` | ||
|
|
||
| ## Deploying External Secrets | ||
|
|
||
| Run the command below to deploy the External Secrets application in your cluster and create its associated resources. | ||
| To automatically install and manage the CRDs as part of your Helm release, you must add the `--set installCRDs=true` flag to your Helm installation command. | ||
| Uncomment the `--set installCRDs=true` line in the following command to do so. | ||
| ``` | ||
| helm upgrade --install external-secrets external-secrets/external-secrets \ | ||
| -n external-secrets \ | ||
| --create-namespace \ | ||
| # --set installCRDs=true | ||
| ``` | ||
|
|
||
| ## Create a secret containing your Scaleway API key information | ||
|
|
||
| Make sure you replace `ACCESSKEY` and `SECRETKEY` with your own values. | ||
|
|
||
| ``` | ||
| echo -n 'ACCESSKEY' > ./access-key | ||
| echo -n 'SECRETKEY' > ./secret-access-key | ||
| kubectl create secret generic scwsm-secret --from-file=./access-key --from-file=./secret-access-key | ||
| ``` | ||
| ## Create your first SecretStore | ||
|
|
||
| Define a `SecretStore` resource in Kubernetes to inform External Secrets where to fetch secrets from. | ||
| Secret Manager is a regionalized product so you will need to specify the [region](/identity-and-access-management/secret-manager/concepts/#region) to create your secret in. | ||
|
|
||
| 1. Copy the template below and paste it in a file named `secret-store.yaml`. | ||
|
|
||
| ``` | ||
| --- | ||
| apiVersion: external-secrets.io/v1beta1 | ||
| kind: SecretStore | ||
| metadata: | ||
| name: secret-store | ||
| namespace: default | ||
| spec: | ||
| provider: | ||
| scaleway: | ||
| region: <REGION> | ||
| projectId: <SCALEWAY_PROJECT_ID> | ||
| accessKey: | ||
| secretRef: | ||
| name: scwsm-secret | ||
| key: access-key | ||
| secretKey: | ||
| secretRef: | ||
| name: scwsm-secret | ||
| key: secret-access-key | ||
| ``` | ||
| 2. Apply your file to your cluster: | ||
|
|
||
| ``` | ||
| kubectl apply -f secret-store.yaml | ||
| ``` | ||
|
|
||
| ## Create your first External Secret | ||
|
|
||
| Create an `ExternalSecret` resource to specify which secret to fetch from Secret Manager. | ||
|
||
| 1. Copy the following template and paste it in a file named `external-secret.yaml` | ||
|
|
||
| ``` | ||
| --- | ||
| apiVersion: external-secrets.io/v1beta1 | ||
| kind: ExternalSecret | ||
| metadata: | ||
| name: secret | ||
| namespace: default | ||
| spec: | ||
| refreshInterval: 20s | ||
| secretStoreRef: | ||
| kind: SecretStore | ||
| name: secret-store | ||
| target: | ||
| name: kubernetes-secret-to-be-created | ||
| creationPolicy: Owner | ||
| data: | ||
| - secretKey: password # key in the kubernetes secret | ||
| remoteRef: | ||
| key: id:<SECRET_ID in the secret store> | ||
| version: latest_enabled | ||
| ``` | ||
| 2. Apply the file to your cluster: | ||
| ``` | ||
| kubectl apply -f external-secret.yaml | ||
| ``` | ||
|
|
||
| A secret with the name `kubernetes-secret-to-be-created` should appear in your namespace. It contains the secret pulled from Secret Manager: | ||
|
|
||
| ``` | ||
| kubectl get secret kubernetes-secret-to-be-created | ||
| NAME TYPE DATA AGE | ||
| kubernetes-secret-to-be-created Opaque 1 9m14s | ||
| ``` | ||
|
|
||
| ## Uninstalling | ||
|
|
||
| Make sure you have deleted any resources created by External Secrets beforehand. You can check for any existing resources with the following command: | ||
|
|
||
| ``` | ||
| kubectl get SecretStores,ClusterSecretStores,ExternalSecrets,ClusterExternalSecret,PushSecret --all-namespaces | ||
| ``` | ||
|
|
||
| Once all these resources have been deleted you are ready to uninstall External Secrets. | ||
|
|
||
| ## Uninstalling with Helm | ||
|
|
||
| Uninstall the External Secrets deployment using the following command. | ||
|
|
||
| ``` | ||
| helm delete external-secrets --namespace external-secrets | ||
| ``` | ||
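Review bot: the `kubectl create secret generic scwsm-secret` command in the "Create a secret containing your Scaleway API key information" section passes no namespace, so the secret is created in whatever namespace the reader's current kubectl context selects, while the `SecretStore` template below declares `namespace: default` and a namespaced `SecretStore` can only resolve its `secretRef` within its own namespace; add `-n default` (or whichever namespace the store will live in) to the create command so the two steps cannot drift apart. The same section should also tell readers to remove `./access-key` and `./secret-access-key` once the Kubernetes secret exists, since those files hold the API key in plaintext on the workstation, and it would be worth a sentence recommending a dedicated API key with only the Secret Manager permissions this operator needs rather than a personal key. Two smaller points: in the Helm command, `# --set installCRDs=true` follows a trailing backslash, so the commented line is silently joined onto the command line and ignored; it runs, but showing the flag uncommented and telling readers when they may drop it is clearer than asking them to edit the snippet. And in the "Uninstalling" section, `helm delete` is the Helm 2 spelling; `helm uninstall` is the Helm 3 command the requirements list assumes, even though the alias still works.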