
Deploying External Secrets on Kubernetes Kapsule

Reviewed on 27 November 2024
Published on 21 February 2023

External Secrets - Overview

External Secrets is a Kubernetes operator that allows you to manage the lifecycle of your secrets from external providers.

In this tutorial you will learn how to deploy External Secrets and its services on Kubernetes Kapsule, the managed Kubernetes service from Scaleway.

Before you start

To complete the actions presented below, you must have:

  • A Scaleway account logged into the console
  • Owner status or IAM permissions allowing you to perform actions in the intended Organization
  • An SSH key
  • Created a Kapsule cluster
  • Configured kubectl
  • Installed helm, the Kubernetes package manager, on your local machine (version 3.2 or later)

Preparing the Kubernetes Kapsule cluster

  1. Make sure you are connected to your cluster and that kubectl and helm are installed on your local machine.
  2. Add the External Secrets repository to your Helm configuration and update it using the following commands:
    helm repo add external-secrets https://charts.external-secrets.io
    helm repo update

Deploying External Secrets

Run the command below to deploy the External Secrets application in your cluster and create its associated resources. To automatically install and manage the CRDs as part of your Helm release, you must add the --set installCRDs=true flag to your Helm installation command. Uncomment the --set installCRDs=true line in the following command to do so.

helm upgrade --install external-secrets external-secrets/external-secrets \
-n external-secrets \
--create-namespace \
# --set installCRDs=true

Create a secret containing your Scaleway API key information

Make sure you replace ACCESSKEY and SECRETKEY with your own values.

echo -n 'ACCESSKEY' > ./access-key
echo -n 'SECRETKEY' > ./secret-access-key
kubectl create secret generic scwsm-secret --from-file=./access-key --from-file=./secret-access-key
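
The commands above write the API key to two files in the working directory, and the echo lines can remain in shell history. As an added example (not part of the original tutorial), the script below renders the same scwsm-secret from environment variables and pipes it to kubectl without touching disk; the SCW_ACCESS_KEY and SCW_SECRET_KEY variable names, the b64 and render_scw_secret helpers and the apply argument are assumptions of this example.

```shell
# Added example: build the scwsm-secret manifest in memory.
# Assumed inputs: SCW_ACCESS_KEY and SCW_SECRET_KEY exported in the environment.

# Base64-encode a value with no trailing newline and no line wrapping,
# matching what `echo -n ... > file` plus --from-file would store.
b64() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# Print a Secret manifest for namespace $1, access key $2, secret key $3.
# The data key names must stay "access-key" and "secret-access-key",
# because the SecretStore's secretRef entries look them up by those names.
render_scw_secret() {
  if [ -z "$2" ] || [ -z "$3" ]; then
    echo "access key and secret key must both be set" >&2
    return 1
  fi
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: scwsm-secret
  namespace: $1
type: Opaque
data:
  access-key: $(b64 "$2")
  secret-access-key: $(b64 "$3")
EOF
}

# Only talk to the cluster when called with the (assumed) "apply" argument.
if [ "${1:-}" = "apply" ]; then
  # Render first so an empty key aborts before kubectl is invoked.
  manifest=$(render_scw_secret default "${SCW_ACCESS_KEY:-}" "${SCW_SECRET_KEY:-}") || exit 1
  printf '%s\n' "$manifest" | kubectl apply -f -
fi
```

The namespace passed to render_scw_secret must be the one the SecretStore is created in (default in this tutorial), since a SecretStore reads its credentials from its own namespace.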

Create your first SecretStore

Define a SecretStore resource in Kubernetes to inform External Secrets where to fetch secrets from. Secret Manager is a regionalized product so you will need to specify the region to create your secret in.

  1. Copy the template below and paste it in a file named secret-store.yaml.

    ---
    apiVersion: external-secrets.io/v1beta1
    kind: SecretStore
    metadata:
      name: secret-store
      namespace: default
    spec:
      provider:
        scaleway:
          region: <REGION>
          projectId: <SCALEWAY_PROJECT_ID>
          accessKey:
            secretRef:
              name: scwsm-secret
              key: access-key
          secretKey:
            secretRef:
              name: scwsm-secret
              key: secret-access-key

  2. Apply your file to your cluster:

    kubectl apply -f secret-store.yaml

Create your first External Secret

Create an ExternalSecret resource to specify which secret to fetch from Secret Manager.

  1. Copy the following template and paste it in a file named external-secret.yaml.

    ---
    apiVersion: external-secrets.io/v1beta1
    kind: ExternalSecret
    metadata:
      name: secret
      namespace: default
    spec:
      refreshInterval: 20s
      secretStoreRef:
        kind: SecretStore
        name: secret-store
      target:
        name: kubernetes-secret-to-be-created
        creationPolicy: Owner
      data:
        - secretKey: password # key in the kubernetes secret
          remoteRef:
            key: id:<SECRET_ID in the secret store>
            version: latest_enabled

  2. Apply the file to your cluster:

    kubectl apply -f external-secret.yaml

A secret with the name kubernetes-secret-to-be-created should appear in your namespace. It contains the secret pulled from Secret Manager:

kubectl get secret kubernetes-secret-to-be-created
NAME                              TYPE     DATA   AGE
kubernetes-secret-to-be-created   Opaque   1      9m14s

Uninstalling

Make sure you have deleted any resources created by External Secrets beforehand. You can check for any existing resources with the following command:

kubectl get SecretStores,ClusterSecretStores,ExternalSecrets,ClusterExternalSecret,PushSecret --all-namespaces

Once all these resources have been deleted you are ready to uninstall External Secrets.

Uninstalling with Helm

Uninstall the External Secrets deployment using the following command.

helm delete external-secrets --namespace external-secrets
© 2023-2025 – Scaleway