[New] External Secret Operator with Secret Manager #8653
Conversation
pages/manage_and_operate/secret_manager/external-secret-operator/guide.en-gb.md
| kind: SealedSecret | ||
| metadata: | ||
| name: token-secret | ||
| namespace: default |
| namespace: default | |
| namespace: default |
It is not advisable to put personal resources in the default namespace.
|
|
||
| #### Configure External Secret Operator | ||
|
|
||
| First, setup a `SecretStore` that is responsible of the synchronization with the Secret Manager. |
Use `ClusterSecretStore` instead; the `SecretStore` doesn't work.
All appearances of it may need to be changed.
| Then, install kubeseal cli to encrypt Secrets into Sealed Secrets | ||
|
|
||
| ```bash | ||
| KUBESEAL_VERSION='' # Set this to, for example, KUBESEAL_VERSION='0.23.0' |
0.33.1 is the version I just installed, the most recent one.
The README this code is taken from is not very up to date, so rather:

```bash
KUBESEAL_VERSION=$(curl -s https://api.github.com/repos/bitnami-labs/sealed-secrets/tags | jq -r '.[0].name' | cut -c 2-)
```
| helm install external-secrets \ | ||
| external-secrets/external-secrets \ | ||
| -n external-secrets \ | ||
| --create-namespace \ |
| --create-namespace \ | |
| --create-namespace |
| Add the `user_pat` as a secret to be able to use it in the charts. | ||
|
|
||
| ```yaml | ||
| --- |
| --- |
| First, setup a `ClusterSecretStore` that is responsible of the synchronization with the Secret Manager. | ||
| We configure the ClusterSecretStore using HashiCorp Vault with token authentification and with the OKMS endpoint as backend. | ||
|
|
||
| Add the `user_pat` as a secret to be able to use it in the charts. |
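Review bot: `authentification` on the second line of this hunk should be `authentication`, and `responsible of the synchronization` on the first line should read `responsible for the synchronization`; both lines land in a published guide, so they are worth fixing together with the `SecretStore` to `ClusterSecretStore` rename.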
This step should go after the installation of sealed-secrets, in the "Setup Sealed Secret (optionnal)" section.
| #### Use External Secret Operator | ||
|
|
||
| Once the `ClusterSecretStore` is setup you can define `ExternalSecret` that comes from the secret manager. | ||
| In the example we use a secret already created on the Secret Manager: |
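Review bot: grammar on the first line of this hunk: `is setup` should be `is set up`, and `define \`ExternalSecret\` that comes from the secret manager` reads better as `define \`ExternalSecret\` resources whose values are pulled from the Secret Manager`, since the `ExternalSecret` is the cluster-side object and only its values come from the manager.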
| In the example we use a secret already created on the Secret Manager: | |
| In the example we use a secret already created on the Secret Manager: |
| - `login: admin` | ||
| - `password: my_secret_password` | ||
|
|
||
| ```yaml |
| ```yaml | |
| Create a `externalsecret.yaml` file with this content: | |
| ```yaml |
| ``` | ||
|
|
||
| > [!info] | ||
| > Only `ExternalSecret` are supported yet. |
Meaning what?
|
|
||
| > [!info] | ||
| > Only `ExternalSecret` are supported yet. | ||
|
|
| Apply the resource in your cluster: | |
| kubectl apply -f externalsecret.yaml | |
|
|
||
| #### Deploy your application | ||
|
|
||
| The secret should be created and available in kubernetes. |
| The secret should be created and available in kubernetes. | |
| The secret should be created and available in the Kubernetes cluster. | |
| Check: | |
| $ kubectl get secret -n default | |
| NAME TYPE DATA AGE | |
| token-secret Opaque 1 17h | |
| creds-secret Opaque 1 9m4s |
| --- | ||
|
|
||
| > [!primary] | ||
| > Secret Manager is currently in beta phase. This guide can be updated in the future with the advances of our teams in charge of this product. |
| > Secret Manager is currently in beta phase. This guide can be updated in the future with the advances of our teams in charge of this product. | |
| > Secret Manager is currently in Beta phase. This guide can be updated in the future with the advancements made by our teams in charge of this product. |
|
|
||
| ### Setup the Secret Manager | ||
|
|
||
| To allow access to the Secret Manager you will need to have a `token`, and the `region` and `okms-id` of your Secret Manager. |
| To allow access to the Secret Manager you will need to have a `token`, and the `region` and `okms-id` of your Secret Manager. | |
| To allow access to the Secret Manager you will need to have a `token`, the `region` and `okms-id` of your Secret Manager. |
| --set installCRDs=true | ||
| ``` | ||
|
|
||
| Check ESO is running : |
| Check ESO is running : | |
| Check ESO is running: |
| >> ``` | ||
| >> | ||
| > CLI | ||
| >> PAT can also created with the [OVHcloud CLI](https://github.com/ovh/ovhcloud-cli) and the command (fill with your values) : |
| >> PAT can also created with the [OVHcloud CLI](https://github.com/ovh/ovhcloud-cli) and the command (fill with your values) : | |
| >> PAT can also created with the [OVHcloud CLI](https://github.com/ovh/ovhcloud-cli) and the command (fill with your values): |
| >> PAT can also created with the [OVHcloud CLI](https://github.com/ovh/ovhcloud-cli) and the command (fill with your values) : | ||
| >> | ||
| >> ```bash | ||
| >> ovhcloud iam user {user} token create --name pat-secretmanager-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx --description "PAT secret manager for domain xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx" |
| >> ovhcloud iam user {user} token create --name pat-secretmanager-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx --description "PAT secret manager for domain xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx" | |
| >> ovhcloud iam user token create {user} --name pat-secretmanager-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx --description "PAT secret manager for domain xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx" |
| >> PAT can also created with the [OVHcloud CLI](https://github.com/ovh/ovhcloud-cli) and the command (fill with your values): | ||
| >> | ||
| >> ```bash | ||
| >> ovhcloud iam user token create {user} --name pat-secretmanager-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx --description "PAT secret manager for domain xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx" |
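Review bot: `PAT can also created` on the first line of this hunk is still missing a verb after the accepted suggestion and should read `PAT can also be created`. The `{user}` placeholder in the command on the last line should also be explained (which account user the token is issued for) or written in the same `xxxx` placeholder style as the other values, so readers do not type the braces literally.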
Or you can create the token AND save it in an environment variable:

```bash
PAT_TOKEN=$(ovhcloud iam user token create {user} --name pat-secretmanager-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx --description "PAT secret manager for domain secretmanager-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx" -j | jq -r .details.token) ; echo $PAT_TOKEN
```
| Start by encoding your `user_pat` is base64 so it can be stored in a kubernetes secret. | ||
|
|
||
| ```bash | ||
| $ echo -n "<token>" | base64 |
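Review bot: typo on the first line of this hunk, `is base64` should be `in base64`. The step also deserves a one-line caveat that base64 is an encoding, not encryption: the resulting `secret.yaml` holds the PAT in recoverable form and must not be committed as-is, which is exactly what the Sealed Secret section later in the guide addresses, so this is the place to point readers to it. Pasting the token into `echo -n "<token>"` also leaves it in shell history; reading it from a variable, as suggested elsewhere in this review, avoids that.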
If you saved the token in an env variable (cf. my first comment today), you can directly do:

```bash
PAT_TOKEN_B64=$(echo -n "$PAT_TOKEN" | base64) ; echo $PAT_TOKEN_B64
```
| ZXlKaG...wVkFn | ||
| ``` | ||
|
|
||
| Then create a `secret.yaml`: |
Or, easily, create the Secret from the created environment variable (see my comment number 1 and 2 of this review):

```bash
# --from-literal takes the raw value; kubectl base64-encodes it into .data itself,
# so pass $PAT_TOKEN here, not the already-encoded $PAT_TOKEN_B64 (that would double-encode the token)
$ kubectl create secret generic ovhcloud-vault-token -n external-secrets --from-literal=token="$PAT_TOKEN"
secret/ovhcloud-vault-token created
```
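The two ways of getting the PAT into a Kubernetes Secret discussed in this review (hand-writing `data:` with a base64 value, or letting `kubectl create secret --from-literal` / `stringData:` encode it) differ in exactly one thing: whether you are expected to encode the value yourself. Getting that wrong double-encodes the token and ESO's Vault provider then presents garbage to the OKMS endpoint. The following is an added example, not code from the guide or from the reviewers: it renders both manifest shapes for the `ovhcloud-vault-token` Secret in the `external-secrets` namespace named in the thread, decodes the rendered `data:` value back the way the API server and ESO will see it, and checks the round trip. The token value is a constructed placeholder, not a real PAT.

```shell
#!/bin/sh
# Added example (not from the guide or the reviewers). Names follow the review thread:
# Secret "ovhcloud-vault-token", key "token", namespace "external-secrets".
# The token value used in the usage line at the bottom is a constructed placeholder.

# Render a Secret that uses .data: the value MUST be the base64 of the raw token.
# printf '%s' avoids the trailing newline that a bare `echo` would bake into the token.
render_secret_data() {
  name=$1; ns=$2; token=$3
  b64=$(printf '%s' "$token" | base64 | tr -d '\n')
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\n  namespace: %s\ntype: Opaque\ndata:\n  token: %s\n' \
    "$name" "$ns" "$b64"
}

# Render the same Secret with .stringData: the raw token goes in verbatim and the API
# server encodes it. `kubectl create secret generic --from-literal=token=...` behaves
# the same way, so feeding it an already base64-encoded value double-encodes the token.
render_secret_stringdata() {
  name=$1; ns=$2; token=$3
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\n  namespace: %s\ntype: Opaque\nstringData:\n  token: %s\n' \
    "$name" "$ns" "$token"
}

# Extract and base64-decode the token from a rendered .data manifest: this is the
# value ESO's Vault provider will send as its auth token.
decode_token_from_manifest() {
  manifest=$1
  printf '%s\n' "$manifest" | sed -n 's/^  token: //p' | base64 -d
}

# Extract the raw token from a rendered .stringData manifest (no decoding involved).
raw_token_from_manifest() {
  manifest=$1
  printf '%s\n' "$manifest" | sed -n 's/^  token: //p'
}

# Round-trip check for the .data path: decoding what we rendered must yield the raw
# token. Returns non-zero if the value you passed in was already base64 (double-encoding).
check_roundtrip() {
  token=$1
  manifest=$(render_secret_data ovhcloud-vault-token external-secrets "$token")
  [ "$(decode_token_from_manifest "$manifest")" = "$token" ]
}

# Usage (constructed placeholder token; replace with "$PAT_TOKEN" in practice):
#   render_secret_data ovhcloud-vault-token external-secrets 'constructed-pat-token-value-123'
#   check_roundtrip 'constructed-pat-token-value-123' && echo "token encodes correctly"
```

Source the file and call `render_secret_data` or `render_secret_stringdata` with `"$PAT_TOKEN"` to get a manifest you can pipe to `kubectl apply -f -` (or to `kubeseal` for the Sealed Secret flow); `check_roundtrip` is the quick way to confirm you did not hand it an already-encoded value.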
What type of Pull Request is this?

Description

New documentation to explain how to use Kubernetes External Secret Operator with the OVHcloud Secret Manager

Mandatory information

The translations in this Pull Request have been done using:
- OVHcloud integrated translation LLM
- Systran
- Other tool (specify which tool was used)
- This Pull Request didn't require any translation.

This Pull Request can be merged as soon as possible.
This Pull Request content should be replicated for the US OVHcloud documentation: YES