@gbarideau gbarideau commented Nov 6, 2025

What type of Pull Request is this?

  • New guide(s)

Description

New documentation to explain how to use Kubernetes External Secret Operator with the OVHcloud Secret Manager

Mandatory information

The translations in this Pull Request have been done using:

  • OVHcloud integrated translation LLM

  • Systran

  • Other tool (specify which tool was used)

  • This Pull Request didn't require any translation.

  • This Pull Request can be merged as soon as possible.

  • This Pull Request content should be replicated for the US OVHcloud documentation: YES

```yaml
kind: SealedSecret
metadata:
  name: token-secret
  namespace: default
```

Contributor:

Suggested change
```
namespace: default
namespace: default
```

Contributor:

It is not advisable to put personal resources in the `default` namespace.


#### Configure External Secret Operator

First, setup a `SecretStore` that is responsible of the synchronization with the Secret Manager.

Comment:

`ClusterSecretStore` instead; the `SecretStore` doesn't work.
May change all appearances of it.

Then, install kubeseal cli to encrypt Secrets into Sealed Secrets

```bash
KUBESEAL_VERSION='' # Set this to, for example, KUBESEAL_VERSION='0.23.0'
```

Contributor:

0.33.1 is the version I just installed, the most recent one.
The README this code is taken from is not really up to date, so rather:

```bash
KUBESEAL_VERSION=$(curl -s https://api.github.com/repos/bitnami-labs/sealed-secrets/tags | jq -r '.[0].name' | cut -c 2-)
```

```bash
curl -OL "https://github.com/bitnami-labs/sealed-secrets/releases/download/v${KUBESEAL_VERSION:?}/kubeseal-${KUBESEAL_VERSION:?}-linux-amd64.tar.gz"
tar -xvzf kubeseal-${KUBESEAL_VERSION:?}-linux-amd64.tar.gz kubeseal
sudo install -m 755 kubeseal /usr/local/bin/kubeseal
```

Contributor:

or install via homebrew

```bash
brew install kubeseal
```

```bash
helm install external-secrets \
  external-secrets/external-secrets \
  -n external-secrets \
  --create-namespace \
```

Contributor:

Suggested change: replace `--create-namespace \` with `--create-namespace`.

Add the `user_pat` as a secret to be able to use it in the charts.

```yaml
---
```

Contributor:

Suggested change: replace `---` with:

First, setup a `ClusterSecretStore` that is responsible for the synchronization with the Secret Manager.
We configure the ClusterSecretStore using HashiCorp Vault with token authentication and with the OKMS endpoint as backend.

Add the `user_pat` as a secret to be able to use it in the charts.

Contributor:

This step should be placed after the Sealed Secrets installation, in the "Setup Sealed Secret (optionnal)" section.

#### Use External Secret Operator

Once the `ClusterSecretStore` is setup you can define `ExternalSecret` that comes from the secret manager.
In the example we use a secret already created on the Secret Manager:

Contributor:

Suggested change: after "In the example we use a secret already created on the Secret Manager:", add:

- `login: admin`
- `password: my_secret_password`
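As an added example, not taken from the PR or from the OVHcloud guide, here is what the `ClusterSecretStore` the reviewers ask for (ESO's HashiCorp Vault provider with `tokenSecretRef` authentication, as described in the suggestion above) and an `ExternalSecret` pulling the `login`/`password` secret above could look like. It assumes the ESO release serves `external-secrets.io/v1`, that the OKMS endpoint speaks the Vault KV API, and uses placeholders for the endpoint URL, the KV mount `secret`, the KV version `v2` and the remote key `my-app`.

```yaml
# Added example, not the PR's own manifests. Assumes the ESO release serves
# external-secrets.io/v1 and that the OKMS endpoint exposes the Vault KV API.
apiVersion: external-secrets.io/v1
kind: ClusterSecretStore
metadata:
  name: ovh-secret-manager
spec:
  provider:
    vault:
      server: "https://OKMS_ENDPOINT_PLACEHOLDER"  # placeholder: your OKMS endpoint
      path: "secret"       # assumption: name of the KV mount
      version: "v2"        # assumption: KV v2 API
      auth:
        tokenSecretRef:    # the Secret holding the user_pat, read by ESO
          name: user-pat
          namespace: external-secrets   # the ESO namespace; keeps the PAT out of app namespaces
          key: token
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: creds-secret
  namespace: default       # the guide's example namespace; a dedicated one is preferable
spec:
  refreshInterval: 1h      # ESO re-reads the Secret Manager at this interval
  secretStoreRef:
    kind: ClusterSecretStore
    name: ovh-secret-manager
  target:
    name: creds-secret     # Kubernetes Secret created and owned by ESO
    creationPolicy: Owner
  data:
    - secretKey: login
      remoteRef:
        key: my-app        # placeholder: path of the secret in the Secret Manager
        property: login    # expected value per the guide: admin
    - secretKey: password
      remoteRef:
        key: my-app
        property: password # expected value per the guide: my_secret_password
```

Because the token lives in a Secret in the ESO namespace, only ESO needs read access to it; application namespaces receive only the synchronized `creds-secret`.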

Contributor (on the `` ```yaml `` line):

Suggested change: before the `` ```yaml `` fence, add the line "Create a `externalsecret.yaml` file with this content:".

> [!info]
> Only `ExternalSecret` are supported yet.

Contributor:

Meaning what?


> [!info]
> Only `ExternalSecret` are supported yet.

Contributor:

Suggested change: add after the note:

Apply the resource in your cluster:

```bash
kubectl apply -f externalsecret.yaml
```


#### Deploy your application

The secret should be created and available in kubernetes.

Contributor:

Suggested change: replace "The secret should be created and available in kubernetes." with:

The secret should be created and available in the Kubernetes cluster.
Check:

```bash
$ kubectl get secret -n default
NAME           TYPE     DATA   AGE
token-secret   Opaque   1      17h
creds-secret   Opaque   1      9m4s
```
