From b4038dbe8e2131d1eaa06524517dda1873029088 Mon Sep 17 00:00:00 2001 From: gbarideau Date: Mon, 3 Nov 2025 10:40:29 +0100 Subject: [PATCH 1/9] First version of External Secret Operator documentation --- pages/index.md | 1 + .../external-secret-operator/guide.en-gb.md | 237 ++++++++++++++++++ .../external-secret-operator/guide.fr-fr.md | 237 ++++++++++++++++++ .../external-secret-operator/meta.yaml | 3 + 4 files changed, 478 insertions(+) create mode 100644 pages/manage_and_operate/secret_manager/external-secret-operator/guide.en-gb.md create mode 100644 pages/manage_and_operate/secret_manager/external-secret-operator/guide.fr-fr.md create mode 100644 pages/manage_and_operate/secret_manager/external-secret-operator/meta.yaml diff --git a/pages/index.md b/pages/index.md index b0347a3b779..aefa14044de 100644 --- a/pages/index.md +++ b/pages/index.md @@ -2210,6 +2210,7 @@ + [Manage your OKMS access certificate](manage_and_operate/kms/okms-certificate-management) + [OKMS Architecture overview](manage_and_operate/kms/architecture-overview) + [OKMS - Shared responsibilities](manage_and_operate/kms/responsibility-model-kms) + + [Use Kubernetes External Secret Operator with Secret Manager](manage_and_operate/secret_manager/external-secret-operator) + OVHcloud Labs + [Data Collector](products/ovhcloud-labs-data-collector) + [Getting started](ovhcloud-labs-data-collector-getting-started) diff --git a/pages/manage_and_operate/secret_manager/external-secret-operator/guide.en-gb.md b/pages/manage_and_operate/secret_manager/external-secret-operator/guide.en-gb.md new file mode 100644 index 00000000000..022dd82f856 --- /dev/null +++ b/pages/manage_and_operate/secret_manager/external-secret-operator/guide.en-gb.md 
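Review bot: the new `pages/index.md` entry is inserted at the end of the OKMS block (after "OKMS - Shared responsibilities") although the guide lives under `secret_manager/` and the path is `manage_and_operate/secret_manager/external-secret-operator`; if the index has a Secret Manager group (the other Secret Manager pages this guide links to, such as `secret-manager-ui`, would be listed there), the link belongs with those entries rather than under OKMS.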
@@ -0,0 +1,237 @@ +--- +title: "Use Kubernetes External Secret Operator with Secret Manager" +excerpt: "Configure External Secret Operator to store Kubernetes secrets on the OVHcloud Secret Manager" +updated: 2025-10-27 +--- + +## Objective + +This guide explains how set up the Kubernetes External Secret Operator to use the OVHcloud Secret Manager as a provider + +## Requirements + +- An [OVHcloud customer account](/pages/account_and_service_management/account_information/ovhcloud-account-creation). +- Have [ordered an OKMS domain](/pages/manage_and_operate/kms/quick-start) or [created a first secret](/pages/manage_and_operate/secret_manager/secret-manager-ui). + +## Instructions + +### Setup the Secret Manager + +To allow access to the Secret Manager you will need to create credentials. + +Create an [IAM local user](/pages/account_and_service_management/account_information/ovhcloud-users-management) with acces right on your domain. +This user need to have at least the following rights: + +- `okms:apikms:secret/create` +- `okms:apikms:secret/version/getData` + +Then create a Personnal Acces Token (PAT) `user_pat`: + +> [!api] +> +> @api {v1} /me POST /me/identity/user/{user}/token + +You will also need the `okms-id` of the OKMS domain you want to use. This ID can be found on the OVHcloud Control Panel. + +### Setup Sealed Secret + +Sealed Secret allows you to safely store Kubernetes Secrets wherever you want by encrypting them. +This step is optionnal but highly recommendated. + +First, install the controller in your cluster. 
It will automatically decrypt Sealed Secrets into standard Kubernetes Secrets + +```bash +helm repo add sealed-secrets https://bitnami-labs.github.io/sealed-secrets +helm install sealed-secrets -n kube-system sealed-secrets/sealed-secrets +``` + +Then, install kubeseal cli to encrypt Secrets into Sealed Secrets + +```bash +KUBESEAL_VERSION='' # Set this to, for example, KUBESEAL_VERSION='0.23.0' +curl -OL "https://github.com/bitnami-labs/sealed-secrets/releases/download/v${KUBESEAL_VERSION:?}/kubeseal-${KUBESEAL_VERSION:?}-linux-amd64.tar.gz" +tar -xvzf kubeseal-${KUBESEAL_VERSION:?}-linux-amd64.tar.gz kubeseal +sudo install -m 755 kubeseal /usr/local/bin/kubeseal +``` + +#### Usage + +- Create your Sealed Secret + +```bash +kubeseal -f \ + -w \ + --controller-name=sealed-secrets \ + --controller-namespace=kube-system + +kubectl create -f + +# Check if you have access to your original Secret +kubectl get secrets -o yaml +``` + +You can now delete `secret-file` and use `sealedsecret-output-file` instead for a more secure storage + +- Delete your Sealed Secret + +```bash +kubectl delete sealedsecret +``` + +#### Example + +```bash +$ cat secret.yaml +apiVersion: v1 +kind: Secret +metadata: + name: secret +type: Opaque +data: + value: TVkgQkFTRTY0IEVOQ09ERUQgU0VDUkVUIFZBTFVF + +$ kubeseal -f secret.yaml \ + -w sealed-secret.yaml \ + --controller-name=sealed-secrets \ + --controller-namespace=kube-system + +$ cat sealed-secret.yaml +--- +apiVersion: bitnami.com/v1alpha1 +kind: SealedSecret +metadata: + name: secret + namespace: default +spec: + encryptedData: + value: 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 + template: + metadata: + name: secret + namespace: default + type: Opaque + +$ kubectl create -f sealed-secret.yaml +sealedsecret.bitnami.com/secret created + +$ kubectl get secrets secret -o yaml +apiVersion: v1 +data: + value: TVkgQkFTRTY0IEVOQ09ERUQgU0VDUkVUIFZBTFVF +kind: Secret +metadata: + creationTimestamp: "2025-10-13T12:37:25Z" + name: secret 
+ namespace: default + ownerReferences: + - apiVersion: bitnami.com/v1alpha1 + controller: true + kind: SealedSecret + name: secret + uid: c3a8489f-8125-406b-8a3a-f99b82d432e1 + resourceVersion: "16156798047" + uid: f3fbfd60-46d7-4211-a9b1-e67d452bc7dc +type: Opaque +``` + +More information: () + +### Setup the Secret Provider in Kubernetes + +#### Install the External Secret Operator on your kubernetes + +```bash +helm repo add external-secrets https://charts.external-secrets.io + +helm install external-secrets \ +external-secrets/external-secrets \ +-n external-secrets \ +--create-namespace \ +--set installCRDs=true +``` + +#### Define the External Secret Operator charts + +First, setup a `SecretStore` that is responsible of the synchronization with the Secret Manager. +We configure the SecretStore using HashiCorp Vault with token authentification and with the OKMS endpoint as backend. + +Add the `user_pat` as a secret to be able to use it in the charts. + +```yaml +--- +apiVersion: bitnami.com/v1alpha1 +kind: SealedSecret +metadata: +name: token-secret +namespace: default +spec: +encryptedData: + token: +template: + metadata: + name: token-secret + namespace: default + type: Opaque +``` + +The `SecretStore` chart: + +```yaml +apiVersion: external-secrets.io/v1 +kind: ClusterSecretStore +metadata: +name: vault-secret-store +spec: +provider: + vault: + server: "https://{region}.okms.ovh.net/api/" # OKMS endpoint, fill with the correct region and your okms_id + path: "secret" + version: "v2" + auth: + tokenSecretRef: + name: token-secret # The k8s secret that contain your PAT + key: token +``` + +Once the `SecretStore` is setup you can define `ExternalSecret` that comes from the secret manager. 
+In the example we use a secret already created on the Secret Manager: + +- Path: `prod/database/MySQL` +- Value: + - `login: admin` + - `password: my_secret_password` + +```yaml +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: +name: vault-external-secret +namespace: default +spec: +secretStoreRef: + name: vault-secret-store + kind: ClusterSecretStore +refreshInterval: "10s" +target: + name: creds-secret + creationPolicy: Owner +data: + - secretKey: login + remoteRef: + key: prod/database/MySQL # Path of the secret in the Secret Manager + property: login # Key to find in the JSON data of the secret + - secretKey: password + remoteRef: + key: prod/database/MySQL + property: password +``` + +#### Deploy your application + +The secret should be created and available in kubernetes. + +For any additionnal informations on how to manage the External Secret Operator refer to the dedicated documentation, using the HashiCorp Vault provider: . + +## Go further + +Join our [community of users](/links/community). diff --git a/pages/manage_and_operate/secret_manager/external-secret-operator/guide.fr-fr.md b/pages/manage_and_operate/secret_manager/external-secret-operator/guide.fr-fr.md new file mode 100644 index 00000000000..65ac779625c --- /dev/null +++ b/pages/manage_and_operate/secret_manager/external-secret-operator/guide.fr-fr.md 
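Review bot: the three manifests in this file are mis-indented and will not apply as written: in the `SealedSecret`, the `ClusterSecretStore` and the `ExternalSecret`, `name:`/`namespace:` are at column 0 directly under `metadata:`, and `encryptedData:`/`template:`/`provider:`/`secretStoreRef:` sit at the same level as `spec:` instead of under it. Indent every child key by two spaces, for instance `metadata:` / `  name: token-secret` / `  namespace: default`. In the `ClusterSecretStore`, `tokenSecretRef` also needs a `namespace: default` entry: a cluster-scoped store has no namespace of its own to fall back on, so without it the operator cannot locate `token-secret`. The prose says "setup a `SecretStore`" but the manifest is a `ClusterSecretStore`, which any namespace in the cluster can reference; say so, and mention a namespaced `SecretStore` as the option that limits which workloads can pull secrets with this PAT. The `server` comment says "fill with the correct region and your okms_id" but `https://{region}.okms.ovh.net/api/` has no okms_id placeholder, so the reader cannot tell where the ID goes. The kubeseal usage block has lost its arguments (`kubeseal -f \`, `-w \`, `kubectl create -f`, `kubectl delete sealedsecret` with nothing after them) while the prose refers to `secret-file` and `sealedsecret-output-file`; restore the placeholders. "More information: ()" and the closing sentence "refer to the dedicated documentation, using the HashiCorp Vault provider: ." have empty link targets. Spelling: "Personnal Acces Token", "acces right", "optionnal", "recommendated", "authentification", "additionnal informations", "This user need" should read "Personal Access Token", "access rights", "optional", "recommended", "authentication", "additional information", "This user needs".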
@@ -0,0 +1,237 @@ +--- +title: "Utiliser Kubernetes External Secret Operator avec Secret Manager" +excerpt: "Configurer External Secret Operator pour stocker des secrets Kubernetes sur le Secret Manager OVHcloud" +updated: 2025-10-27 +--- + +## Objectif + +Ce guide explique comment configurer le Kubernetes External Secret Operator pour utiliser le Secret Manager OVHcloud comme fournisseur + +## Prérequis + +- Un [compte client OVHcloud](/pages/account_and_service_management/account_information/ovhcloud-account-creation). +- Avoir [commandé un domaine OKMS](/pages/manage_and_operate/kms/quick-start) ou [créé un premier secret](/pages/manage_and_operate/secret_manager/secret-manager-ui). + +## En pratique + +### Configuration du Secret Manager + +Pour permettre l'accès au Secret Manager, vous devrez créer des identifiants. + +Créez un [utilisateur local IAM](/pages/account_and_service_management/account_information/ovhcloud-users-management) avec les droits d'accès à votre domaine. +Cet utilisateur doit avoir au moins les droits suivants : + +- `okms:apikms:secret/create` +- `okms:apikms:secret/version/getData` + +Puis créez un jeton d'accès personnel (PAT) `user_pat` : + +> [!api] +> +> @api {v1} /me POST /me/identity/user/{user}/token + +Vous aurez également besoin de l'`okms-id` du domaine OKMS que vous souhaitez utiliser. Cet ID peut être trouvé sur l'espace client OVHcloud. + +### Configuration de Sealed Secret + +Sealed Secret vous permet de stocker en toute sécurité des Secrets Kubernetes là où vous le souhaitez en les chiffrant. +Cette étape est optionnelle mais fortement recommandée. + +Tout d'abord, installez le contrôleur dans votre cluster. 
Il déchiffrera automatiquement les Sealed Secrets en Secrets Kubernetes standards + +```bash +helm repo add sealed-secrets https://bitnami-labs.github.io/sealed-secrets +helm install sealed-secrets -n kube-system sealed-secrets/sealed-secrets +``` + +Puis, installez la cli kubeseal pour chiffrer des Secrets en Sealed Secrets + +```bash +KUBESEAL_VERSION='' # Définissez ceci sur, par exemple, KUBESEAL_VERSION='0.23.0' +curl -OL "https://github.com/bitnami-labs/sealed-secrets/releases/download/v${KUBESEAL_VERSION:?}/kubeseal-${KUBESEAL_VERSION:?}-linux-amd64.tar.gz" +tar -xvzf kubeseal-${KUBESEAL_VERSION:?}-linux-amd64.tar.gz kubeseal +sudo install -m 755 kubeseal /usr/local/bin/kubeseal +``` + +#### Utilisation + +- Créez votre Sealed Secret + +```bash +kubeseal -f \ + -w \ + --controller-name=sealed-secrets \ + --controller-namespace=kube-system + +kubectl create -f + +# Vérifiez si vous avez accès à votre Secret d'origine +kubectl get secrets -o yaml +``` + +Vous pouvez maintenant supprimer `secret-file` et utiliser `sealedsecret-output-file` à la place pour un stockage plus sécurisé + +- Supprimez votre Sealed Secret + +```bash +kubectl delete sealedsecret +``` + +#### Exemple + +```bash +$ cat secret.yaml +apiVersion: v1 +kind: Secret +metadata: + name: secret +type: Opaque +data: + value: TVkgQkFTRTY0IEVOQ09ERUQgU0VDUkVUIFZBTFVF + +$ kubeseal -f secret.yaml \ + -w sealed-secret.yaml \ + --controller-name=sealed-secrets \ + --controller-namespace=kube-system + +$ cat sealed-secret.yaml +--- +apiVersion: bitnami.com/v1alpha1 +kind: SealedSecret +metadata: + name: secret + namespace: default +spec: + encryptedData: + value: 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 + template: + metadata: + name: secret + namespace: default + type: Opaque + +$ kubectl create -f sealed-secret.yaml +sealedsecret.bitnami.com/secret created + +$ kubectl get secrets secret -o yaml +apiVersion: v1 +data: + value: TVkgQkFTRTY0IEVOQ09ERUQgU0VDUkVUIFZBTFVF +kind: Secret 
+metadata: + creationTimestamp: "2025-10-13T12:37:25Z" + name: secret + namespace: default + ownerReferences: + - apiVersion: bitnami.com/v1alpha1 + controller: true + kind: SealedSecret + name: secret + uid: c3a8489f-8125-406b-8a3a-f99b82d432e1 + resourceVersion: "16156798047" + uid: f3fbfd60-46d7-4211-a9b1-e67d452bc7dc +type: Opaque +``` + +Plus d'informations : () + +### Configuration du Secret Provider dans Kubernetes + +#### Installez l'External Secret Operator sur votre Kubernetes + +```bash +helm repo add external-secrets https://charts.external-secrets.io + +helm install external-secrets \ +external-secrets/external-secrets \ +-n external-secrets \ +--create-namespace \ +--set installCRDs=true +``` + +#### Définissez les chartes de l'External Secret Operator + +Tout d'abord, configurez un `SecretStore` qui est chargé de la synchronisation avec le Secret Manager. +Nous configurons le SecretStore en utilisant HashiCorp Vault avec l'authentification par jeton et en utilisant l'endpoint OKMS comme backend. + +Ajoutez le `user_pat` en tant que secret pour pouvoir l'utiliser dans les chartes. + +```yaml +--- +apiVersion: bitnami.com/v1alpha1 +kind: SealedSecret +metadata: +name: token-secret +namespace: default +spec: +encryptedData: + token: +template: + metadata: + name: token-secret + namespace: default + type: Opaque +``` + +La charte `SecretStore` : + +```yaml +apiVersion: external-secrets.io/v1 +kind: ClusterSecretStore +metadata: +name: vault-secret-store +spec: +provider: + vault: + server: "https://{region}.okms.ovh.net/api/" # endpoint OKMS, complétez avec la région correcte et votre okms_id + path: "secret" + version: "v2" + auth: + tokenSecretRef: + name: token-secret # Le secret k8s contenant votre PAT + key: token +``` + +Une fois le `SecretStore` configuré, vous pouvez définir des `ExternalSecret` provenant du gestionnaire de secrets. 
+Dans l'exemple, nous utilisons un secret déjà créé sur le Secret Manager : + +- Path : `prod/database/MySQL` +- Value : + - `login: admin` + - `password: my_secret_password` + +```yaml +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: +name: vault-external-secret +namespace: default +spec: +secretStoreRef: + name: vault-secret-store + kind: ClusterSecretStore +refreshInterval: "10s" +target: + name: creds-secret + creationPolicy: Owner +data: + - secretKey: login + remoteRef: + key: prod/database/MySQL # Chemin du secret dans le Secret Manager + property: login # Clé à trouver dans les données JSON du secret + - secretKey: password + remoteRef: + key: prod/database/MySQL + property: password +``` + +#### Déployez votre application + +Le secret devrait être créé et disponible dans Kubernetes. + +Pour toute information supplémentaire sur la gestion de l'External Secret Operator, reportez-vous à la documentation dédiée, en utilisant le fournisseur HashiCorp Vault : . + +## Aller plus loin + +Rejoignez notre [communauté d'utilisateurs](/links/community). \ No newline at end of file diff --git a/pages/manage_and_operate/secret_manager/external-secret-operator/meta.yaml b/pages/manage_and_operate/secret_manager/external-secret-operator/meta.yaml new file mode 100644 index 00000000000..cc78c7c3cdb --- /dev/null +++ b/pages/manage_and_operate/secret_manager/external-secret-operator/meta.yaml @@ -0,0 +1,3 @@ +id: f1e7d674-2086-49c9-b315-cfe6df0e0781 +full_slug: secret-manager-external-secret-operator +reference_category: manage-operate-secret-manager \ No newline at end of file From c41a3c4da3b27bd194da5eaab0b21a2c4820b02c Mon Sep 17 00:00:00 2001 From: gbarideau Date: Thu, 6 Nov 2025 11:03:47 +0100 Subject: [PATCH 2/9] adding info about authentification method supported --- .../external-secret-operator/guide.en-gb.md | 6 ++++++ .../external-secret-operator/guide.fr-fr.md | 9 ++++++++- 2 files changed, 14 insertions(+), 1 deletion(-) 
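Review bot: the French file carries the same defects as the English one: `name:`/`namespace:` at column 0 under `metadata:` and `spec:` children not indented in the `SealedSecret`, `ClusterSecretStore` and `ExternalSecret` manifests, no `namespace:` under `tokenSecretRef` for a cluster-scoped store, a `server` comment that mentions `okms_id` while the URL has no placeholder for it, empty kubeseal/kubectl arguments in the usage block, and empty link targets in "Plus d'informations : ()" and the closing sentence. The untranslated "Path :" and "Value :" labels should read "Chemin :" and "Valeur :", and the file ends with "\ No newline at end of file".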
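Review bot: `meta.yaml` ends without a trailing newline ("\ No newline at end of file"); add one so the file matches the other `meta.yaml` files in the repository.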
diff --git a/pages/manage_and_operate/secret_manager/external-secret-operator/guide.en-gb.md b/pages/manage_and_operate/secret_manager/external-secret-operator/guide.en-gb.md index 022dd82f856..98c9ca5cbbc 100644 --- a/pages/manage_and_operate/secret_manager/external-secret-operator/guide.en-gb.md +++ b/pages/manage_and_operate/secret_manager/external-secret-operator/guide.en-gb.md @@ -4,6 +4,9 @@ excerpt: "Configure External Secret Operator to store Kubernetes secrets on the updated: 2025-10-27 --- +> [!primary] +> Secret Manager is currently in beta phase. This guide can be updated in the future with the advances of our teams in charge of this product. + ## Objective This guide explains how set up the Kubernetes External Secret Operator to use the OVHcloud Secret Manager as a provider @@ -193,6 +196,9 @@ provider: key: token ``` +> [!info] +> Only [token authentication](https://external-secrets.io/latest/provider/hashicorp-vault/#token-based-authentication) is supported + Once the `SecretStore` is setup you can define `ExternalSecret` that comes from the secret manager. In the example we use a secret already created on the Secret Manager: diff --git a/pages/manage_and_operate/secret_manager/external-secret-operator/guide.fr-fr.md b/pages/manage_and_operate/secret_manager/external-secret-operator/guide.fr-fr.md index 65ac779625c..8d77972a8bd 100644 --- a/pages/manage_and_operate/secret_manager/external-secret-operator/guide.fr-fr.md +++ b/pages/manage_and_operate/secret_manager/external-secret-operator/guide.fr-fr.md 
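Review bot: the `@@ -193` info box would be more useful if it said what the token restriction implies operationally: the PAT in `token-secret` is the only credential guarding every secret the store can read, so the guide should tell the reader to give it a dedicated user with the minimum rights listed above and to plan its rotation (re-seal a new token into `token-secret`). Also "Only [token authentication](...) is supported" needs a closing full stop. In the `@@ -4` hunk, "This guide can be updated in the future" should read "This guide may be updated in the future".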
@@ -4,6 +4,10 @@ excerpt: "Configurer External Secret Operator pour stocker des secrets Kubernete updated: 2025-10-27 --- +> [!primary] +> Le Secret Manager est actuellement en phase bêta. Ce guide est susceptible d’être mis à jour ultérieurement avec les avancées de nos équipes en charge de ce produit. +> + ## Objectif Ce guide explique comment configurer le Kubernetes External Secret Operator pour utiliser le Secret Manager OVHcloud comme fournisseur @@ -193,6 +197,9 @@ provider: key: token ``` +> [!info] +> Seulement [l'authentification par token](https://external-secrets.io/latest/provider/hashicorp-vault/#token-based-authentication) est supporté + Une fois le `SecretStore` configuré, vous pouvez définir des `ExternalSecret` provenant du gestionnaire de secrets. Dans l'exemple, nous utilisons un secret déjà créé sur le Secret Manager : @@ -234,4 +241,4 @@ Pour toute information supplémentaire sur la gestion de l'External Secret Opera ## Aller plus loin -Rejoignez notre [communauté d'utilisateurs](/links/community). \ No newline at end of file +Rejoignez notre [communauté d'utilisateurs](/links/community). From 0d3d6bcd13cb12db72265a5aa31bf317ba9d8988 Mon Sep 17 00:00:00 2001 From: gbarideau Date: Thu, 6 Nov 2025 17:14:44 +0100 Subject: [PATCH 3/9] adding info about pushing secret not supported yet --- .../secret_manager/external-secret-operator/guide.en-gb.md | 3 +++ .../secret_manager/external-secret-operator/guide.fr-fr.md | 3 +++ 2 files changed, 6 insertions(+) diff --git a/pages/manage_and_operate/secret_manager/external-secret-operator/guide.en-gb.md b/pages/manage_and_operate/secret_manager/external-secret-operator/guide.en-gb.md index 98c9ca5cbbc..d492be8f3b6 100644 --- a/pages/manage_and_operate/secret_manager/external-secret-operator/guide.en-gb.md +++ b/pages/manage_and_operate/secret_manager/external-secret-operator/guide.en-gb.md 
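Review bot: in the French `@@ -4` hunk there is a stray `>` line after the notice that renders as an empty quote line; drop it so the box matches the English one. In `@@ -197`, "est supporté" must agree with "l'authentification": "Seule [l'authentification par token](...) est supportée."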
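Review bot: the `@@ -27` hunk of the English requirements now lists `okms:apikms:secret/create` twice (it was already the first bullet). More importantly, the guide only pulls secrets from the Secret Manager and the previous commit states that pushing secrets from Kubernetes is not supported, so the operator's identity never needs `secret/create`; for a least-privilege setup the list should be the read rights only (`okms:apikms:secret/version/getData`, `okms:apiovh:secret/get`), with `create` mentioned only if a future push feature needs it.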
@@ -232,6 +232,9 @@ data: property: password ``` +> [!info] +> [Pushing secret from Kubernetes](https://external-secrets.io/latest/guides/pushsecrets/) is not supported yet. + #### Deploy your application The secret should be created and available in kubernetes. diff --git a/pages/manage_and_operate/secret_manager/external-secret-operator/guide.fr-fr.md b/pages/manage_and_operate/secret_manager/external-secret-operator/guide.fr-fr.md index 8d77972a8bd..d53805c9c06 100644 --- a/pages/manage_and_operate/secret_manager/external-secret-operator/guide.fr-fr.md +++ b/pages/manage_and_operate/secret_manager/external-secret-operator/guide.fr-fr.md @@ -233,6 +233,9 @@ data: property: password ``` +> [!info] +> [La création de secret depuis Kubernetes](https://external-secrets.io/latest/guides/pushsecrets/) n'est pas encore supportée. + #### Déployez votre application Le secret devrait être créé et disponible dans Kubernetes. From 36b3fd89174a4f4c91494dbfa06ed9addfcc25aa Mon Sep 17 00:00:00 2001 From: gbarideau Date: Thu, 6 Nov 2025 17:50:41 +0100 Subject: [PATCH 4/9] minor fix --- .../external-secret-operator/guide.en-gb.md | 10 +++++++--- .../external-secret-operator/guide.fr-fr.md | 10 +++++++--- 2 files changed, 14 insertions(+), 6 deletions(-) diff --git a/pages/manage_and_operate/secret_manager/external-secret-operator/guide.en-gb.md b/pages/manage_and_operate/secret_manager/external-secret-operator/guide.en-gb.md index d492be8f3b6..7f1afb87103 100644 --- a/pages/manage_and_operate/secret_manager/external-secret-operator/guide.en-gb.md +++ b/pages/manage_and_operate/secret_manager/external-secret-operator/guide.en-gb.md @@ -27,6 +27,8 @@ This user need to have at least the following rights: - `okms:apikms:secret/create` - `okms:apikms:secret/version/getData` +- `okms:apiovh:secret/get` +- `okms:apikms:secret/create` Then create a Personnal Acces Token (PAT) `user_pat`: 
@@ -153,7 +155,7 @@ external-secrets/external-secrets \ --set installCRDs=true ``` -#### Define the External Secret Operator charts +#### Configure External Secret Operator First, setup a `SecretStore` that is responsible of the synchronization with the Secret Manager. We configure the SecretStore using HashiCorp Vault with token authentification and with the OKMS endpoint as backend. @@ -177,7 +179,7 @@ template: type: Opaque ``` -The `SecretStore` chart: +The `SecretStore` resource: ```yaml apiVersion: external-secrets.io/v1 @@ -199,6 +201,8 @@ provider: > [!info] > Only [token authentication](https://external-secrets.io/latest/provider/hashicorp-vault/#token-based-authentication) is supported +#### Use External Secret Operator + Once the `SecretStore` is setup you can define `ExternalSecret` that comes from the secret manager. In the example we use a secret already created on the Secret Manager: @@ -233,7 +237,7 @@ data: ``` > [!info] -> [Pushing secret from Kubernetes](https://external-secrets.io/latest/guides/pushsecrets/) is not supported yet. +> Only `ExternalSecret` are supported yet. #### Deploy your application diff --git a/pages/manage_and_operate/secret_manager/external-secret-operator/guide.fr-fr.md b/pages/manage_and_operate/secret_manager/external-secret-operator/guide.fr-fr.md index d53805c9c06..9a923542574 100644 --- a/pages/manage_and_operate/secret_manager/external-secret-operator/guide.fr-fr.md +++ b/pages/manage_and_operate/secret_manager/external-secret-operator/guide.fr-fr.md @@ -28,6 +28,8 @@ Cet utilisateur doit avoir au moins les droits suivants : - `okms:apikms:secret/create` - `okms:apikms:secret/version/getData` +- `okms:apiovh:secret/get` +- `okms:apikms:secret/create` Puis créez un jeton d'accès personnel (PAT) `user_pat` : 
@@ -154,7 +156,7 @@ external-secrets/external-secrets \ --set installCRDs=true ``` -#### Définissez les chartes de l'External Secret Operator +#### Configurer l'External Secret Operator Tout d'abord, configurez un `SecretStore` qui est chargé de la synchronisation avec le Secret Manager. Nous configurons le SecretStore en utilisant HashiCorp Vault avec l'authentification par jeton et en utilisant l'endpoint OKMS comme backend. @@ -178,7 +180,7 @@ template: type: Opaque ``` -La charte `SecretStore` : +La ressource `SecretStore` : ```yaml apiVersion: external-secrets.io/v1 @@ -200,6 +202,8 @@ provider: > [!info] > Seulement [l'authentification par token](https://external-secrets.io/latest/provider/hashicorp-vault/#token-based-authentication) est supporté +#### Utiliser External Secret Operator + Une fois le `SecretStore` configuré, vous pouvez définir des `ExternalSecret` provenant du gestionnaire de secrets. Dans l'exemple, nous utilisons un secret déjà créé sur le Secret Manager : @@ -234,7 +238,7 @@ data: ``` > [!info] -> [La création de secret depuis Kubernetes](https://external-secrets.io/latest/guides/pushsecrets/) n'est pas encore supportée. +> Uniquement les `ExternalSecret` sont supporté pour l'instant. #### Déployez votre application From d11fd63c44148f3951b39de8944dd469373ca2db Mon Sep 17 00:00:00 2001 From: gbarideau Date: Thu, 6 Nov 2025 17:55:24 +0100 Subject: [PATCH 5/9] date update --- .../secret_manager/external-secret-operator/guide.en-gb.md | 2 +- .../secret_manager/external-secret-operator/guide.fr-fr.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/pages/manage_and_operate/secret_manager/external-secret-operator/guide.en-gb.md b/pages/manage_and_operate/secret_manager/external-secret-operator/guide.en-gb.md index 7f1afb87103..a7d8a14aa5c 100644 --- a/pages/manage_and_operate/secret_manager/external-secret-operator/guide.en-gb.md +++ b/pages/manage_and_operate/secret_manager/external-secret-operator/guide.en-gb.md 
@@ -1,7 +1,7 @@ --- title: "Use Kubernetes External Secret Operator with Secret Manager" excerpt: "Configure External Secret Operator to store Kubernetes secrets on the OVHcloud Secret Manager" -updated: 2025-10-27 +updated: 2025-11-07 --- > [!primary] diff --git a/pages/manage_and_operate/secret_manager/external-secret-operator/guide.fr-fr.md b/pages/manage_and_operate/secret_manager/external-secret-operator/guide.fr-fr.md index 9a923542574..09668200713 100644 --- a/pages/manage_and_operate/secret_manager/external-secret-operator/guide.fr-fr.md +++ b/pages/manage_and_operate/secret_manager/external-secret-operator/guide.fr-fr.md @@ -1,7 +1,7 @@ --- title: "Utiliser Kubernetes External Secret Operator avec Secret Manager" excerpt: "Configurer External Secret Operator pour stocker des secrets Kubernetes sur le Secret Manager OVHcloud" -updated: 2025-10-27 +updated: 2025-11-07 --- > [!primary] From 08fccab23f5ad9c1b6130ea5c51bd21bb3ad628e Mon Sep 17 00:00:00 2001 From: gbarideau Date: Thu, 13 Nov 2025 12:51:30 +0100 Subject: [PATCH 6/9] numerous fix following scraly comment --- .../external-secret-operator/guide.en-gb.md | 176 ++++++------------ .../external-secret-operator/guide.fr-fr.md | 174 ++++++----------- 2 files changed, 119 insertions(+), 231 deletions(-) diff --git a/pages/manage_and_operate/secret_manager/external-secret-operator/guide.en-gb.md b/pages/manage_and_operate/secret_manager/external-secret-operator/guide.en-gb.md index a7d8a14aa5c..a561708c7ea 100644 --- a/pages/manage_and_operate/secret_manager/external-secret-operator/guide.en-gb.md +++ b/pages/manage_and_operate/secret_manager/external-secret-operator/guide.en-gb.md 
@@ -9,12 +9,13 @@ updated: 2025-11-07 ## Objective -This guide explains how set up the Kubernetes External Secret Operator to use the OVHcloud Secret Manager as a provider +This guide explains how to set up the Kubernetes External Secret Operator to use the OVHcloud Secret Manager as a provider. ## Requirements - An [OVHcloud customer account](/pages/account_and_service_management/account_information/ovhcloud-account-creation). - Have [ordered an OKMS domain](/pages/manage_and_operate/kms/quick-start) or [created a first secret](/pages/manage_and_operate/secret_manager/secret-manager-ui). +- Have a Kubernetes cluster. ## Instructions @@ -22,13 +23,13 @@ This guide explains how set up the Kubernetes External Secret Operator to use th To allow access to the Secret Manager you will need to create credentials. -Create an [IAM local user](/pages/account_and_service_management/account_information/ovhcloud-users-management) with acces right on your domain. -This user need to have at least the following rights: +Create an [IAM local user](/pages/account_and_service_management/account_information/ovhcloud-users-management) with access right on your domain. + +The user should be a member of a group with the ADMIN role, or if using [IAM policies](/pages/account_and_service_management/account_information/iam-policy-ui) to have at least the following rights on the OKMS domain: - `okms:apikms:secret/create` - `okms:apikms:secret/version/getData` - `okms:apiovh:secret/get` -- `okms:apikms:secret/create` Then create a Personnal Acces Token (PAT) `user_pat`: 
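Review bot: in the `@@ -22` hunk the sentence "The user should be a member of a group with the ADMIN role, or if using IAM policies to have at least the following rights" is ungrammatical and, as the first option, steers readers toward an over-privileged service identity: a user whose PAT lives in the cluster should get the explicit IAM policy with the listed rights, with the ADMIN group at most mentioned as a quick test. Suggest: "Use an IAM policy that grants the user at least the following rights on the OKMS domain (membership of a group with the ADMIN role also works, but grants far more than this integration needs):". "Personnal Acces Token" is still misspelled in the unchanged context line.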
@@ -36,12 +37,27 @@ Then create a Personnal Acces Token (PAT) `user_pat`: > > @api {v1} /me POST /me/identity/user/{user}/token +API will answer with: + +```json +{ + "creation": "2025-11-13T10:38:44.658926311Z", + "description": "my first PAT", + "expiresAt": null, + "lastUsed": null, + "name": "my_PAT", + "token": "eyJhbGciOiJFZERXXXXXXXXDyI23Q7euIDmw9Pn__SDA" +} +``` + +Keep safe the value of `token` field as it will never be prompt again and will be used to authenticate on the Secret Manager as `user_pat`. + You will also need the `okms-id` of the OKMS domain you want to use. This ID can be found on the OVHcloud Control Panel. -### Setup Sealed Secret +### Setup Sealed Secret (optionnal) Sealed Secret allows you to safely store Kubernetes Secrets wherever you want by encrypting them. -This step is optionnal but highly recommendated. +This step is optionnal but highly recommended. First, install the controller in your cluster. It will automatically decrypt Sealed Secrets into standard Kubernetes Secrets 
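Review bot: the sample API response in `@@ -36` shows a `token` value that looks like a partially masked real JWT (`eyJhbGciOiJFZER...`); documentation should use an obviously fake value such as `"<your_token>"` so nobody mistakes the sample for a working credential or a real one is pasted in by accident. The sample also shows `"expiresAt": null`; since this PAT will sit in a Kubernetes secret for the lifetime of the cluster, the guide should recommend setting an expiration when creating it and rotating it before expiry. "Keep safe the value of `token` field as it will never be prompt again" should read "Keep the value of the `token` field safe: it is never shown again, and it is what the operator uses to authenticate to the Secret Manager as `user_pat`." The new heading "Setup Sealed Secret (optionnal)" and the body "This step is optionnal" still misspell "optional".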
@@ -59,86 +75,6 @@ tar -xvzf kubeseal-${KUBESEAL_VERSION:?}-linux-amd64.tar.gz kubeseal sudo install -m 755 kubeseal /usr/local/bin/kubeseal ``` -#### Usage - -- Create your Sealed Secret - -```bash -kubeseal -f \ - -w \ - --controller-name=sealed-secrets \ - --controller-namespace=kube-system - -kubectl create -f - -# Check if you have access to your original Secret -kubectl get secrets -o yaml -``` - -You can now delete `secret-file` and use `sealedsecret-output-file` instead for a more secure storage - -- Delete your Sealed Secret - -```bash -kubectl delete sealedsecret -``` - -#### Example - -```bash -$ cat secret.yaml -apiVersion: v1 -kind: Secret -metadata: - name: secret -type: Opaque -data: - value: TVkgQkFTRTY0IEVOQ09ERUQgU0VDUkVUIFZBTFVF - -$ kubeseal -f secret.yaml \ - -w sealed-secret.yaml \ - --controller-name=sealed-secrets \ - --controller-namespace=kube-system - -$ cat sealed-secret.yaml ---- -apiVersion: bitnami.com/v1alpha1 -kind: SealedSecret -metadata: - name: secret - namespace: default -spec: - encryptedData: - value: 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 - template: - metadata: - name: secret - namespace: default - type: Opaque - -$ kubectl create -f sealed-secret.yaml -sealedsecret.bitnami.com/secret created - -$ kubectl get secrets secret -o yaml -apiVersion: v1 -data: - value: TVkgQkFTRTY0IEVOQ09ERUQgU0VDUkVUIFZBTFVF -kind: Secret -metadata: - creationTimestamp: "2025-10-13T12:37:25Z" - name: secret - namespace: default - ownerReferences: - - apiVersion: bitnami.com/v1alpha1 - controller: true - kind: SealedSecret - name: secret - uid: c3a8489f-8125-406b-8a3a-f99b82d432e1 - resourceVersion: "16156798047" - uid: f3fbfd60-46d7-4211-a9b1-e67d452bc7dc -type: Opaque -``` - More information: () ### Setup the Secret Provider in Kubernetes 
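Review bot: removing the whole Usage and Example sections in `@@ -59` leaves the Sealed Secret part with install commands but no `kubeseal` invocation, while the later `SealedSecret` manifest still contains an empty `token:` field and nothing tells the reader how to produce the encrypted value from the PAT. Keep a minimal sealing step, for example a Secret named `token-secret` piped through `kubeseal --controller-name=sealed-secrets --controller-namespace=kube-system`, so the manifest can actually be filled in. "More information: ()" still has an empty link target.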
@@ -147,12 +83,12 @@ More information: () ```bash helm repo add external-secrets https://charts.external-secrets.io +helm repo update helm install external-secrets \ external-secrets/external-secrets \ -n external-secrets \ --create-namespace \ ---set installCRDs=true ``` #### Configure External Secret Operator @@ -167,16 +103,16 @@ Add the `user_pat` as a secret to be able to use it in the charts. apiVersion: bitnami.com/v1alpha1 kind: SealedSecret metadata: -name: token-secret -namespace: default + name: token-secret + namespace: default spec: -encryptedData: - token: -template: - metadata: - name: token-secret - namespace: default - type: Opaque + encryptedData: + token: + template: + metadata: + name: token-secret + namespace: default + type: Opaque ``` The `SecretStore` resource: @@ -185,22 +121,30 @@ The `SecretStore` resource: apiVersion: external-secrets.io/v1 kind: ClusterSecretStore metadata: -name: vault-secret-store + name: vault-secret-store spec: -provider: - vault: - server: "https://{region}.okms.ovh.net/api/" # OKMS endpoint, fill with the correct region and your okms_id - path: "secret" - version: "v2" - auth: - tokenSecretRef: - name: token-secret # The k8s secret that contain your PAT - key: token + provider: + vault: + server: "https://{region}.okms.ovh.net/api/" # OKMS endpoint, fill with the correct region and your okms_id + path: "secret" + version: "v2" + auth: + tokenSecretRef: + name: token-secret # The k8s secret that contain your PAT + key: token ``` > [!info] > Only [token authentication](https://external-secrets.io/latest/provider/hashicorp-vault/#token-based-authentication) is supported +Region name can be translated from your region location using: + +> [!api] +> +> @api {v1} /location GET /location + +As an example for **Europe (France - Paris)**, OKMS endpoint is **eu-west-par.okms.ovh.net** + #### Use External Secret Operator Once the `SecretStore` is setup you can define `ExternalSecret` that comes from the secret manager. 
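Review bot: in `@@ -147`, dropping `--set installCRDs=true` leaves `--create-namespace \` as the last line of the command with a trailing backslash and nothing after it; remove the backslash so the snippet does not swallow the next line when pasted.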
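Review bot: the re-indented `ClusterSecretStore` in `@@ -185` still lacks `namespace: default` under `tokenSecretRef`, which a cluster-scoped store needs to find `token-secret`; and the `server` comment still says "your okms_id" although `https://{region}.okms.ovh.net/api/` has no placeholder for it, so either add the placeholder to the URL or drop that part of the comment. The new region paragraph helps, but "Region name can be translated from your region location using" reads awkwardly; suggest "To find the region code for your location, call:". Since this store is cluster-wide, it is worth a sentence saying that every namespace can then create `ExternalSecret` objects backed by this PAT, and that a namespaced `SecretStore` is the way to restrict that.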
@@ -215,22 +159,22 @@ In the example we use a secret already created on the Secret Manager: apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: -name: vault-external-secret -namespace: default + name: vault-external-secret + namespace: default spec: secretStoreRef: - name: vault-secret-store - kind: ClusterSecretStore + name: vault-secret-store + kind: ClusterSecretStore refreshInterval: "10s" target: - name: creds-secret - creationPolicy: Owner + name: creds-secret + creationPolicy: Owner data: - - secretKey: login + - secretKey: login remoteRef: - key: prod/database/MySQL # Path of the secret in the Secret Manager - property: login # Key to find in the JSON data of the secret - - secretKey: password + key: prod/database/MySQL # Path of the secret in the Secret Manager + property: login # Key to find in the JSON data of the secret + - secretKey: password remoteRef: key: prod/database/MySQL property: password diff --git a/pages/manage_and_operate/secret_manager/external-secret-operator/guide.fr-fr.md b/pages/manage_and_operate/secret_manager/external-secret-operator/guide.fr-fr.md index 09668200713..8257e7fc9b4 100644 --- a/pages/manage_and_operate/secret_manager/external-secret-operator/guide.fr-fr.md +++ b/pages/manage_and_operate/secret_manager/external-secret-operator/guide.fr-fr.md @@ -16,6 +16,7 @@ Ce guide explique comment configurer le Kubernetes External Secret Operator pour - Un [compte client OVHcloud](/pages/account_and_service_management/account_information/ovhcloud-account-creation). - Avoir [commandé un domaine OKMS](/pages/manage_and_operate/kms/quick-start) ou [créé un premier secret](/pages/manage_and_operate/secret_manager/secret-manager-ui). +- Avoir un cluster Kubernetes. ## En pratique 
@@ -24,12 +25,12 @@ Ce guide explique comment configurer le Kubernetes External Secret Operator pour Pour permettre l'accès au Secret Manager, vous devrez créer des identifiants. Créez un [utilisateur local IAM](/pages/account_and_service_management/account_information/ovhcloud-users-management) avec les droits d'accès à votre domaine. -Cet utilisateur doit avoir au moins les droits suivants : + +Cet utilisateur doit être membre d'un groupe avec le role ADMIN, ou si vous utilisez les [politiques IAM](/pages/account_and_service_management/account_information/iam-policy-ui) avoir au moins les droits suivants sur le domaine OKMS : - `okms:apikms:secret/create` - `okms:apikms:secret/version/getData` - `okms:apiovh:secret/get` -- `okms:apikms:secret/create` Puis créez un jeton d'accès personnel (PAT) `user_pat` : @@ -37,9 +38,24 @@ Puis créez un jeton d'accès personnel (PAT) `user_pat` : > > @api {v1} /me POST /me/identity/user/{user}/token +L'API va répondre : + +```json +{ + "creation": "2025-11-13T10:38:44.658926311Z", + "description": "my first PAT", + "expiresAt": null, + "lastUsed": null, + "name": "my_PAT", + "token": "eyJhbGciOiJFZERXXXXXXXXDyI23Q7euIDmw9Pn__SDA" +} +``` + +Gardez en sécurité la valeur du champ `token` car il ne sera jamais réaffiché et sera utilisé pour l'authentification sur le Secret Manager comme `user_pat`. + Vous aurez également besoin de l'`okms-id` du domaine OKMS que vous souhaitez utiliser. Cet ID peut être trouvé sur l'espace client OVHcloud. -### Configuration de Sealed Secret +### Configuration de Sealed Secret (optionnel) Sealed Secret vous permet de stocker en toute sécurité des Secrets Kubernetes là où vous le souhaitez en les chiffrant. Cette étape est optionnelle mais fortement recommandée. 
@@ -60,86 +76,6 @@ tar -xvzf kubeseal-${KUBESEAL_VERSION:?}-linux-amd64.tar.gz kubeseal sudo install -m 755 kubeseal /usr/local/bin/kubeseal ``` -#### Utilisation - -- Créez votre Sealed Secret - -```bash -kubeseal -f \ - -w \ - --controller-name=sealed-secrets \ - --controller-namespace=kube-system - -kubectl create -f - -# Vérifiez si vous avez accès à votre Secret d'origine -kubectl get secrets -o yaml -``` - -Vous pouvez maintenant supprimer `secret-file` et utiliser `sealedsecret-output-file` à la place pour un stockage plus sécurisé - -- Supprimez votre Sealed Secret - -```bash -kubectl delete sealedsecret -``` - -#### Exemple - -```bash -$ cat secret.yaml -apiVersion: v1 -kind: Secret -metadata: - name: secret -type: Opaque -data: - value: TVkgQkFTRTY0IEVOQ09ERUQgU0VDUkVUIFZBTFVF - -$ kubeseal -f secret.yaml \ - -w sealed-secret.yaml \ - --controller-name=sealed-secrets \ - --controller-namespace=kube-system - -$ cat sealed-secret.yaml ---- -apiVersion: bitnami.com/v1alpha1 -kind: SealedSecret -metadata: - name: secret - namespace: default -spec: - encryptedData: - value: 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 - template: - metadata: - name: secret - namespace: default - type: Opaque - -$ kubectl create -f sealed-secret.yaml -sealedsecret.bitnami.com/secret created - -$ kubectl get secrets secret -o yaml -apiVersion: v1 -data: - value: TVkgQkFTRTY0IEVOQ09ERUQgU0VDUkVUIFZBTFVF -kind: Secret -metadata: - creationTimestamp: "2025-10-13T12:37:25Z" - name: secret - namespace: default - ownerReferences: - - apiVersion: bitnami.com/v1alpha1 - controller: true - kind: SealedSecret - name: secret - uid: c3a8489f-8125-406b-8a3a-f99b82d432e1 - resourceVersion: "16156798047" - uid: f3fbfd60-46d7-4211-a9b1-e67d452bc7dc -type: Opaque -``` - Plus d'informations : () ### Configuration du Secret Provider dans Kubernetes 
@@ -148,12 +84,12 @@ Plus d'informations : () ```bash helm repo add external-secrets https://charts.external-secrets.io +helm repo update helm install external-secrets \ external-secrets/external-secrets \ -n external-secrets \ --create-namespace \ ---set installCRDs=true ``` #### Configurer l'External Secret Operator @@ -168,16 +104,16 @@ Ajoutez le `user_pat` en tant que secret pour pouvoir l'utiliser dans les charte apiVersion: bitnami.com/v1alpha1 kind: SealedSecret metadata: -name: token-secret -namespace: default + name: token-secret + namespace: default spec: -encryptedData: - token: -template: - metadata: - name: token-secret - namespace: default - type: Opaque + encryptedData: + token: + template: + metadata: + name: token-secret + namespace: default + type: Opaque ``` La ressource `SecretStore` : 
@@ -186,22 +122,30 @@ La ressource `SecretStore` : apiVersion: external-secrets.io/v1 kind: ClusterSecretStore metadata: -name: vault-secret-store + name: vault-secret-store spec: -provider: - vault: - server: "https://{region}.okms.ovh.net/api/" # endpoint OKMS, complétez avec la région correcte et votre okms_id - path: "secret" - version: "v2" - auth: - tokenSecretRef: - name: token-secret # Le secret k8s contenant votre PAT - key: token + provider: + vault: + server: "https://{region}.okms.ovh.net/api/" # endpoint OKMS, complétez avec la région correcte et votre okms_id + path: "secret" + version: "v2" + auth: + tokenSecretRef: + name: token-secret # Le secret k8s contenant votre PAT + key: token ``` > [!info] > Seulement [l'authentification par token](https://external-secrets.io/latest/provider/hashicorp-vault/#token-based-authentication) est supporté +Le nom de la région peut être traduit de la localisation avec: + +> [!api] +> +> @api {v1} /location GET /location + +Par exemple pour **Europe (France - Paris)**, l'endpoint OKMS est **eu-west-par.okms.ovh.net** + #### Utiliser External Secret Operator Une fois le `SecretStore` configuré, vous pouvez définir des `ExternalSecret` provenant du gestionnaire de secrets. 
@@ -216,25 +160,25 @@ Dans l'exemple, nous utilisons un secret déjà créé sur le Secret Manager : apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: -name: vault-external-secret -namespace: default + name: vault-external-secret + namespace: default spec: secretStoreRef: - name: vault-secret-store - kind: ClusterSecretStore + name: vault-secret-store + kind: ClusterSecretStore refreshInterval: "10s" target: - name: creds-secret - creationPolicy: Owner + name: creds-secret + creationPolicy: Owner data: - - secretKey: login + - secretKey: login remoteRef: - key: prod/database/MySQL # Chemin du secret dans le Secret Manager - property: login # Clé à trouver dans les données JSON du secret - - secretKey: password + key: prod/database/MySQL # Chemin du secret dans le Secret Manager + property: login # Clé à trouver dans les données JSON du secret + - secretKey: password remoteRef: - key: prod/database/MySQL - property: password + key: prod/database/MySQL + property: password ``` > [!info] From 400ac303ce0f9dd06679182bde3fc49874f7e662 Mon Sep 17 00:00:00 2001 From: gbarideau Date: Thu, 13 Nov 2025 13:03:35 +0100 Subject: [PATCH 7/9] indentation fix --- .../external-secret-operator/guide.en-gb.md | 10 +++++----- .../external-secret-operator/guide.fr-fr.md | 6 +++--- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/pages/manage_and_operate/secret_manager/external-secret-operator/guide.en-gb.md b/pages/manage_and_operate/secret_manager/external-secret-operator/guide.en-gb.md index a561708c7ea..b4494fbef05 100644 --- a/pages/manage_and_operate/secret_manager/external-secret-operator/guide.en-gb.md +++ b/pages/manage_and_operate/secret_manager/external-secret-operator/guide.en-gb.md 
@@ -162,9 +162,9 @@ metadata: name: vault-external-secret namespace: default spec: -secretStoreRef: - name: vault-secret-store - kind: ClusterSecretStore + secretStoreRef: + name: vault-secret-store + kind: ClusterSecretStore refreshInterval: "10s" target: name: creds-secret @@ -176,8 +176,8 @@ data: property: login # Key to find in the JSON data of the secret - secretKey: password remoteRef: - key: prod/database/MySQL - property: password + key: prod/database/MySQL + property: password ``` > [!info] diff --git a/pages/manage_and_operate/secret_manager/external-secret-operator/guide.fr-fr.md b/pages/manage_and_operate/secret_manager/external-secret-operator/guide.fr-fr.md index 8257e7fc9b4..b72381700a6 100644 --- a/pages/manage_and_operate/secret_manager/external-secret-operator/guide.fr-fr.md +++ b/pages/manage_and_operate/secret_manager/external-secret-operator/guide.fr-fr.md @@ -163,9 +163,9 @@ metadata: name: vault-external-secret namespace: default spec: -secretStoreRef: - name: vault-secret-store - kind: ClusterSecretStore + secretStoreRef: + name: vault-secret-store + kind: ClusterSecretStore refreshInterval: "10s" target: name: creds-secret From 2a2ab174fee74bf2d5db1deb122a2bc8dc9e8716 Mon Sep 17 00:00:00 2001 From: gbarideau Date: Thu, 13 Nov 2025 13:07:25 +0100 Subject: [PATCH 8/9] indentation fix --- .../external-secret-operator/guide.en-gb.md | 26 +++++++++---------- .../external-secret-operator/guide.fr-fr.md | 26 +++++++++---------- 2 files changed, 26 insertions(+), 26 deletions(-) diff --git a/pages/manage_and_operate/secret_manager/external-secret-operator/guide.en-gb.md b/pages/manage_and_operate/secret_manager/external-secret-operator/guide.en-gb.md index b4494fbef05..5101b3c135d 100644 --- a/pages/manage_and_operate/secret_manager/external-secret-operator/guide.en-gb.md +++ b/pages/manage_and_operate/secret_manager/external-secret-operator/guide.en-gb.md 
@@ -165,19 +165,19 @@ spec: secretStoreRef: name: vault-secret-store kind: ClusterSecretStore -refreshInterval: "10s" -target: - name: creds-secret - creationPolicy: Owner -data: - - secretKey: login - remoteRef: - key: prod/database/MySQL # Path of the secret in the Secret Manager - property: login # Key to find in the JSON data of the secret - - secretKey: password - remoteRef: - key: prod/database/MySQL - property: password + refreshInterval: "10s" + target: + name: creds-secret + creationPolicy: Owner + data: + - secretKey: login + remoteRef: + key: prod/database/MySQL # Path of the secret in the Secret Manager + property: login # Key to find in the JSON data of the secret + - secretKey: password + remoteRef: + key: prod/database/MySQL + property: password ``` > [!info] diff --git a/pages/manage_and_operate/secret_manager/external-secret-operator/guide.fr-fr.md b/pages/manage_and_operate/secret_manager/external-secret-operator/guide.fr-fr.md index b72381700a6..c15a005d10e 100644 --- a/pages/manage_and_operate/secret_manager/external-secret-operator/guide.fr-fr.md +++ b/pages/manage_and_operate/secret_manager/external-secret-operator/guide.fr-fr.md @@ -166,19 +166,19 @@ spec: secretStoreRef: name: vault-secret-store kind: ClusterSecretStore -refreshInterval: "10s" -target: - name: creds-secret - creationPolicy: Owner -data: - - secretKey: login - remoteRef: - key: prod/database/MySQL # Chemin du secret dans le Secret Manager - property: login # Clé à trouver dans les données JSON du secret - - secretKey: password - remoteRef: - key: prod/database/MySQL - property: password + refreshInterval: "10s" + target: + name: creds-secret + creationPolicy: Owner + data: + - secretKey: login + remoteRef: + key: prod/database/MySQL # Chemin du secret dans le Secret Manager + property: login # Clé à trouver dans les données JSON du secret + - secretKey: password + remoteRef: + key: prod/database/MySQL + property: password ``` > [!info] 
From c5d472c8a88de6b3dc11998d39cdba9f28e72621 Mon Sep 17 00:00:00 2001 From: gbarideau Date: Fri, 14 Nov 2025 16:09:20 +0100 Subject: [PATCH 9/9] moving SecretStore to ClusterSecretStore --- .../external-secret-operator/guide.en-gb.md | 8 ++++---- .../external-secret-operator/guide.fr-fr.md | 8 ++++---- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/pages/manage_and_operate/secret_manager/external-secret-operator/guide.en-gb.md b/pages/manage_and_operate/secret_manager/external-secret-operator/guide.en-gb.md index 5101b3c135d..a7149e4f9bd 100644 --- a/pages/manage_and_operate/secret_manager/external-secret-operator/guide.en-gb.md +++ b/pages/manage_and_operate/secret_manager/external-secret-operator/guide.en-gb.md @@ -93,8 +93,8 @@ external-secrets/external-secrets \ #### Configure External Secret Operator -First, setup a `SecretStore` that is responsible of the synchronization with the Secret Manager. -We configure the SecretStore using HashiCorp Vault with token authentification and with the OKMS endpoint as backend. +First, setup a `ClusterSecretStore` that is responsible of the synchronization with the Secret Manager. +We configure the ClusterSecretStore using HashiCorp Vault with token authentification and with the OKMS endpoint as backend. Add the `user_pat` as a secret to be able to use it in the charts. @@ -115,7 +115,7 @@ spec: type: Opaque ``` -The `SecretStore` resource: +The `ClusterSecretStore` resource: ```yaml apiVersion: external-secrets.io/v1 @@ -147,7 +147,7 @@ As an example for **Europe (France - Paris)**, OKMS endpoint is **eu-west-par.ok #### Use External Secret Operator -Once the `SecretStore` is setup you can define `ExternalSecret` that comes from the secret manager. +Once the `ClusterSecretStore` is setup you can define `ExternalSecret` that comes from the secret manager. In the example we use a secret already created on the Secret Manager: - Path: `prod/database/MySQL` 
diff --git a/pages/manage_and_operate/secret_manager/external-secret-operator/guide.fr-fr.md b/pages/manage_and_operate/secret_manager/external-secret-operator/guide.fr-fr.md index c15a005d10e..3f6efbab974 100644 --- a/pages/manage_and_operate/secret_manager/external-secret-operator/guide.fr-fr.md +++ b/pages/manage_and_operate/secret_manager/external-secret-operator/guide.fr-fr.md @@ -94,8 +94,8 @@ external-secrets/external-secrets \ #### Configurer l'External Secret Operator -Tout d'abord, configurez un `SecretStore` qui est chargé de la synchronisation avec le Secret Manager. -Nous configurons le SecretStore en utilisant HashiCorp Vault avec l'authentification par jeton et en utilisant l'endpoint OKMS comme backend. +Tout d'abord, configurez un `ClusterSecretStore` qui est chargé de la synchronisation avec le Secret Manager. +Nous configurons le ClusterSecretStore en utilisant HashiCorp Vault avec l'authentification par jeton et en utilisant l'endpoint OKMS comme backend. Ajoutez le `user_pat` en tant que secret pour pouvoir l'utiliser dans les chartes. @@ -116,7 +116,7 @@ spec: type: Opaque ``` -La ressource `SecretStore` : +La ressource `ClusterSecretStore` : ```yaml apiVersion: external-secrets.io/v1 @@ -148,7 +148,7 @@ Par exemple pour **Europe (France - Paris)**, l'endpoint OKMS est **eu-west-par. #### Utiliser External Secret Operator -Une fois le `SecretStore` configuré, vous pouvez définir des `ExternalSecret` provenant du gestionnaire de secrets. +Une fois le `ClusterSecretStore` configuré, vous pouvez définir des `ExternalSecret` provenant du gestionnaire de secrets. Dans l'exemple, nous utilisons un secret déjà créé sur le Secret Manager : - Path : `prod/database/MySQL`
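Review bot: deleting the whole `#### Usage` and `#### Example` sections in the guide.en-gb.md hunk @@ -59,86 +75,6 @@ (and its French twin @@ -60,86 +76,6 @@ in guide.fr-fr.md) removes the only explanation of how a SealedSecret is produced, yet the later `token-secret` SealedSecret still expects the reader to fill `encryptedData.token` with a value from `kubeseal`. Keep at least the one-liner `kubeseal -f <secret-file> -w <sealedsecret-output-file> --controller-name=sealed-secrets --controller-namespace=kube-system` together with the sentence that `secret-file` can be deleted afterwards, since that is the step that keeps the plaintext PAT out of the repository. The surviving context line `More information: ()` also has an empty link target in both guides and should get the upstream Sealed Secrets URL or be dropped.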
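Review bot: dropping `--set installCRDs=true` in the guide.en-gb.md hunk @@ -147,12 +83,12 @@ (same in guide.fr-fr.md @@ -148,12 +84,12 @@) makes the presence of the `ExternalSecret` and `ClusterSecretStore` CRDs depend on the chart's default; state that in the text so readers of older charts know what to add back. With `helm repo update` now in the block, the install also picks up whatever chart version is latest at that moment, so consider pinning with `--version` so that the `external-secrets.io/v1` API used by the manifests below is guaranteed to exist.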
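Review bot: the re-indented SealedSecret in hunk @@ -167,16 +103,16 @@ of guide.en-gb.md (and @@ -168,16 +104,16 @@ in guide.fr-fr.md) still leaves `token:` under `encryptedData` with no value and no hint of where it comes from, so the reader has nothing to fill in. Use an explicit placeholder such as `token: <sealed value produced by kubeseal>` and say that the plaintext Secret fed to kubeseal must hold the PAT under the key `token`, because the ClusterSecretStore's `tokenSecretRef.key: token` depends on that exact key name.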
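Review bot: in hunk @@ -185,22 +121,30 @@ of guide.en-gb.md (and @@ -186,22 +122,30 @@ in guide.fr-fr.md) the `ClusterSecretStore` gives `tokenSecretRef` only `name` and `key`. Because a ClusterSecretStore is cluster-scoped, External Secrets Operator treats a secret reference without `namespace` as referent authentication and looks up `token-secret` in the namespace of each ExternalSecret that uses the store; either add `namespace: default` (matching the SealedSecret template) or document that every namespace using the store needs its own sealed copy of the PAT. The comment on `server` says to fill in the region and `okms_id`, but the template `https://{region}.okms.ovh.net/api/` has no slot for the ID, so show where it goes. Minor: `> Only token authentication is supported` lacks a full stop, `Region name can be translated from your region location using:` reads better as `The region part of the endpoint can be derived from your region location with:`, and in the French hunk `est supporté` should agree as `supportée` and `avec:` needs the space before the colon.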
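Review bot: the ExternalSecret in hunk @@ -215,22 +159,22 @@ of guide.en-gb.md (and @@ -216,25 +160,25 @@ in guide.fr-fr.md) is still not valid YAML after this re-indentation: `secretStoreRef` stays at column 0 instead of under `spec`, `refreshInterval`, `target` and `data` sit at yet another level, and the second `remoteRef` keeps `key`/`property` at a different depth than the first. The two later commits titled "indentation fix" repair exactly this, so squash them into this change and validate the final manifest with `kubectl apply --dry-run=client -f` before merging. Separately, `refreshInterval: "10s"` makes the operator poll the Secret Manager every ten seconds per ExternalSecret; that is fine for a demo, but say that a longer interval is the sensible default in production.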
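Review bot: `- Avoir un cluster Kubernetes.` is added to the Requirements of guide.fr-fr.md in hunk @@ -16,6 +16,7 @@, but no hunk in this series adds the matching bullet to guide.en-gb.md; keep the two guides in sync so the English reader also learns up front that a cluster is required.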
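Review bot: the new sentence in hunk @@ -24,12 +25,12 @@ of guide.fr-fr.md offers membership of a group with the ADMIN role as the first option and the IAM policy as the second; ADMIN grants far more than the three actions listed, so lead with the least-privilege IAM policy and present ADMIN as the fallback. Since the guide only pulls secrets from the Secret Manager into the cluster (ExternalSecret, no write-back), check whether `okms:apikms:secret/create` is really required for the token, and if it is only needed for a write-back scenario, say so. The removal of the duplicated `okms:apikms:secret/create` bullet is good; `role` should be spelled `rôle`.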
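Review bot: the sample response added in hunk @@ -37,9 +38,24 @@ of guide.fr-fr.md shows `"expiresAt": null`, that is a PAT with no expiry, and the guide then stores that token inside the cluster. Recommend setting an expiry when the token is created and state that the token must be rotated (and `token-secret` re-sealed) if it is exposed. The sentence asking to keep the `token` value safe is good; add that the JSON response itself must not be committed next to the manifests, which is the reason for the SealedSecret step. Also give guide.en-gb.md the same response example, since its PAT section currently stops at the API call.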
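Review bot: this first "indentation fix" commit (hunk @@ -162,9 +162,9 @@ in guide.en-gb.md, @@ -163,9 +163,9 @@ in guide.fr-fr.md) moves `secretStoreRef` under `spec` but leaves `refreshInterval`, `target` and `data` at column 0 in the same manifest, which the next commit with the same title then fixes; the second English hunk @@ -176,8 +176,8 @@ likewise re-indents only the last `remoteRef`. Squash both indentation commits into the change that introduced the manifest so reviewers see one valid document instead of three partial states.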
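Review bot: after hunk @@ -165,19 +165,19 @@ in guide.en-gb.md (and @@ -166,19 +166,19 @@ in guide.fr-fr.md) the ExternalSecret finally has `refreshInterval`, `target` and `data` under `spec`. This is the third commit touching the same twenty lines, so add a YAML check over the fenced manifests (for example `yamllint` or `kubectl apply --dry-run=client -f` in CI) so an indentation regression in a documentation manifest is caught before review rather than by a reader pasting it.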
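Review bot: the added lines in hunk @@ -93,8 +93,8 @@ of guide.en-gb.md carry three spelling issues into the new text: `setup` used as a verb should be `set up`, `responsible of` should be `responsible for`, and `authentification` should be `authentication` (the French form in the guide.fr-fr.md hunk @@ -94,8 +94,8 @@ is correct). Now that the store is cluster-scoped (hunks @@ -115,7 +115,7 @@ and @@ -116,7 +116,7 @@), every namespace in the cluster can pull secrets from the Secret Manager with the same PAT; mention `spec.conditions` on the ClusterSecretStore to restrict which namespaces may reference it, or point readers to a namespaced `SecretStore` when only one namespace needs access. In hunk @@ -147,7 +147,7 @@, `define ExternalSecret that comes from the secret manager` reads better as `define ExternalSecret resources that pull from the Secret Manager`.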