From b4038dbe8e2131d1eaa06524517dda1873029088 Mon Sep 17 00:00:00 2001 From: gbarideau Date: Mon, 3 Nov 2025 10:40:29 +0100 Subject: [PATCH 01/12] First version of External Secret Operator documentation --- pages/index.md | 1 + .../external-secret-operator/guide.en-gb.md | 237 ++++++++++++++++++ .../external-secret-operator/guide.fr-fr.md | 237 ++++++++++++++++++ .../external-secret-operator/meta.yaml | 3 + 4 files changed, 478 insertions(+) create mode 100644 pages/manage_and_operate/secret_manager/external-secret-operator/guide.en-gb.md create mode 100644 pages/manage_and_operate/secret_manager/external-secret-operator/guide.fr-fr.md create mode 100644 pages/manage_and_operate/secret_manager/external-secret-operator/meta.yaml diff --git a/pages/index.md b/pages/index.md index b0347a3b779..aefa14044de 100644 --- a/pages/index.md +++ b/pages/index.md @@ -2210,6 +2210,7 @@ + [Manage your OKMS access certificate](manage_and_operate/kms/okms-certificate-management) + [OKMS Architecture overview](manage_and_operate/kms/architecture-overview) + [OKMS - Shared responsibilities](manage_and_operate/kms/responsibility-model-kms) + + [Use Kubernetes External Secret Operator with Secret Manager](manage_and_operate/secret_manager/external-secret-operator) + OVHcloud Labs + [Data Collector](products/ovhcloud-labs-data-collector) + [Getting started](ovhcloud-labs-data-collector-getting-started) diff --git a/pages/manage_and_operate/secret_manager/external-secret-operator/guide.en-gb.md b/pages/manage_and_operate/secret_manager/external-secret-operator/guide.en-gb.md new file mode 100644 index 00000000000..022dd82f856 --- /dev/null +++ b/pages/manage_and_operate/secret_manager/external-secret-operator/guide.en-gb.md 
@@ -0,0 +1,237 @@ +--- +title: "Use Kubernetes External Secret Operator with Secret Manager" +excerpt: "Configure External Secret Operator to store Kubernetes secrets on the OVHcloud Secret Manager" +updated: 2025-10-27 +--- + +## Objective + +This guide explains how set up the Kubernetes External Secret Operator to use the OVHcloud Secret Manager as a provider + +## Requirements + +- An [OVHcloud customer account](/pages/account_and_service_management/account_information/ovhcloud-account-creation). +- Have [ordered an OKMS domain](/pages/manage_and_operate/kms/quick-start) or [created a first secret](/pages/manage_and_operate/secret_manager/secret-manager-ui). + +## Instructions + +### Setup the Secret Manager + +To allow access to the Secret Manager you will need to create credentials. + +Create an [IAM local user](/pages/account_and_service_management/account_information/ovhcloud-users-management) with acces right on your domain. +This user need to have at least the following rights: + +- `okms:apikms:secret/create` +- `okms:apikms:secret/version/getData` + +Then create a Personnal Acces Token (PAT) `user_pat`: + +> [!api] +> +> @api {v1} /me POST /me/identity/user/{user}/token + +You will also need the `okms-id` of the OKMS domain you want to use. This ID can be found on the OVHcloud Control Panel. + +### Setup Sealed Secret + +Sealed Secret allows you to safely store Kubernetes Secrets wherever you want by encrypting them. +This step is optionnal but highly recommendated. + +First, install the controller in your cluster. 
It will automatically decrypt Sealed Secrets into standard Kubernetes Secrets + +```bash +helm repo add sealed-secrets https://bitnami-labs.github.io/sealed-secrets +helm install sealed-secrets -n kube-system sealed-secrets/sealed-secrets +``` + +Then, install kubeseal cli to encrypt Secrets into Sealed Secrets + +```bash +KUBESEAL_VERSION='' # Set this to, for example, KUBESEAL_VERSION='0.23.0' +curl -OL "https://github.com/bitnami-labs/sealed-secrets/releases/download/v${KUBESEAL_VERSION:?}/kubeseal-${KUBESEAL_VERSION:?}-linux-amd64.tar.gz" +tar -xvzf kubeseal-${KUBESEAL_VERSION:?}-linux-amd64.tar.gz kubeseal +sudo install -m 755 kubeseal /usr/local/bin/kubeseal +``` + +#### Usage + +- Create your Sealed Secret + +```bash +kubeseal -f \ + -w \ + --controller-name=sealed-secrets \ + --controller-namespace=kube-system + +kubectl create -f + +# Check if you have access to your original Secret +kubectl get secrets -o yaml +``` + +You can now delete `secret-file` and use `sealedsecret-output-file` instead for a more secure storage + +- Delete your Sealed Secret + +```bash +kubectl delete sealedsecret +``` + +#### Example + +```bash +$ cat secret.yaml +apiVersion: v1 +kind: Secret +metadata: + name: secret +type: Opaque +data: + value: TVkgQkFTRTY0IEVOQ09ERUQgU0VDUkVUIFZBTFVF + +$ kubeseal -f secret.yaml \ + -w sealed-secret.yaml \ + --controller-name=sealed-secrets \ + --controller-namespace=kube-system + +$ cat sealed-secret.yaml +--- +apiVersion: bitnami.com/v1alpha1 +kind: SealedSecret +metadata: + name: secret + namespace: default +spec: + encryptedData: + value: 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 + template: + metadata: + name: secret + namespace: default + type: Opaque + +$ kubectl create -f sealed-secret.yaml +sealedsecret.bitnami.com/secret created + +$ kubectl get secrets secret -o yaml +apiVersion: v1 +data: + value: TVkgQkFTRTY0IEVOQ09ERUQgU0VDUkVUIFZBTFVF +kind: Secret +metadata: + creationTimestamp: "2025-10-13T12:37:25Z" + name: secret 
+ namespace: default + ownerReferences: + - apiVersion: bitnami.com/v1alpha1 + controller: true + kind: SealedSecret + name: secret + uid: c3a8489f-8125-406b-8a3a-f99b82d432e1 + resourceVersion: "16156798047" + uid: f3fbfd60-46d7-4211-a9b1-e67d452bc7dc +type: Opaque +``` + +More information: () + +### Setup the Secret Provider in Kubernetes + +#### Install the External Secret Operator on your kubernetes + +```bash +helm repo add external-secrets https://charts.external-secrets.io + +helm install external-secrets \ +external-secrets/external-secrets \ +-n external-secrets \ +--create-namespace \ +--set installCRDs=true +``` + +#### Define the External Secret Operator charts + +First, setup a `SecretStore` that is responsible of the synchronization with the Secret Manager. +We configure the SecretStore using HashiCorp Vault with token authentification and with the OKMS endpoint as backend. + +Add the `user_pat` as a secret to be able to use it in the charts. + +```yaml +--- +apiVersion: bitnami.com/v1alpha1 +kind: SealedSecret +metadata: +name: token-secret +namespace: default +spec: +encryptedData: + token: +template: + metadata: + name: token-secret + namespace: default + type: Opaque +``` + +The `SecretStore` chart: + +```yaml +apiVersion: external-secrets.io/v1 +kind: ClusterSecretStore +metadata: +name: vault-secret-store +spec: +provider: + vault: + server: "https://{region}.okms.ovh.net/api/" # OKMS endpoint, fill with the correct region and your okms_id + path: "secret" + version: "v2" + auth: + tokenSecretRef: + name: token-secret # The k8s secret that contain your PAT + key: token +``` + +Once the `SecretStore` is setup you can define `ExternalSecret` that comes from the secret manager. 
+In the example we use a secret already created on the Secret Manager: + +- Path: `prod/database/MySQL` +- Value: + - `login: admin` + - `password: my_secret_password` + +```yaml +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: +name: vault-external-secret +namespace: default +spec: +secretStoreRef: + name: vault-secret-store + kind: ClusterSecretStore +refreshInterval: "10s" +target: + name: creds-secret + creationPolicy: Owner +data: + - secretKey: login + remoteRef: + key: prod/database/MySQL # Path of the secret in the Secret Manager + property: login # Key to find in the JSON data of the secret + - secretKey: password + remoteRef: + key: prod/database/MySQL + property: password +``` + +#### Deploy your application + +The secret should be created and available in kubernetes. + +For any additionnal informations on how to manage the External Secret Operator refer to the dedicated documentation, using the HashiCorp Vault provider: . + +## Go further + +Join our [community of users](/links/community). diff --git a/pages/manage_and_operate/secret_manager/external-secret-operator/guide.fr-fr.md b/pages/manage_and_operate/secret_manager/external-secret-operator/guide.fr-fr.md new file mode 100644 index 00000000000..65ac779625c --- /dev/null +++ b/pages/manage_and_operate/secret_manager/external-secret-operator/guide.fr-fr.md 
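Review bot: The `ClusterSecretStore` example's `tokenSecretRef` gives only `name: token-secret` and `key: token`; for a cluster-scoped store External Secrets Operator needs the secret reference to carry a `namespace` (inferred from how ESO resolves references for cluster-scoped stores — please confirm against the provider docs linked in the guide), otherwise it cannot find the `token-secret` that the preceding SealedSecret creates in `default`, so the reference should read `name: token-secret`, `namespace: default`, `key: token`. A `ClusterSecretStore` is also referenceable from every namespace, which means any workload allowed to create an `ExternalSecret` can read whatever the PAT can read; the guide should say so and point to a namespaced `SecretStore` (or to the store's `conditions`) when access should be limited to one namespace. `refreshInterval: "10s"` makes each `ExternalSecret` poll the Secret Manager with the PAT six times a minute, fine for a demo but worth a remark for production. The same `tokenSecretRef` is re-indented unchanged in patch 06 (hunk `@@ -185,22 +121,30 @@`), and the French guide mirrors it.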
@@ -0,0 +1,237 @@ +--- +title: "Utiliser Kubernetes External Secret Operator avec Secret Manager" +excerpt: "Configurer External Secret Operator pour stocker des secrets Kubernetes sur le Secret Manager OVHcloud" +updated: 2025-10-27 +--- + +## Objectif + +Ce guide explique comment configurer le Kubernetes External Secret Operator pour utiliser le Secret Manager OVHcloud comme fournisseur + +## Prérequis + +- Un [compte client OVHcloud](/pages/account_and_service_management/account_information/ovhcloud-account-creation). +- Avoir [commandé un domaine OKMS](/pages/manage_and_operate/kms/quick-start) ou [créé un premier secret](/pages/manage_and_operate/secret_manager/secret-manager-ui). + +## En pratique + +### Configuration du Secret Manager + +Pour permettre l'accès au Secret Manager, vous devrez créer des identifiants. + +Créez un [utilisateur local IAM](/pages/account_and_service_management/account_information/ovhcloud-users-management) avec les droits d'accès à votre domaine. +Cet utilisateur doit avoir au moins les droits suivants : + +- `okms:apikms:secret/create` +- `okms:apikms:secret/version/getData` + +Puis créez un jeton d'accès personnel (PAT) `user_pat` : + +> [!api] +> +> @api {v1} /me POST /me/identity/user/{user}/token + +Vous aurez également besoin de l'`okms-id` du domaine OKMS que vous souhaitez utiliser. Cet ID peut être trouvé sur l'espace client OVHcloud. + +### Configuration de Sealed Secret + +Sealed Secret vous permet de stocker en toute sécurité des Secrets Kubernetes là où vous le souhaitez en les chiffrant. +Cette étape est optionnelle mais fortement recommandée. + +Tout d'abord, installez le contrôleur dans votre cluster. 
Il déchiffrera automatiquement les Sealed Secrets en Secrets Kubernetes standards + +```bash +helm repo add sealed-secrets https://bitnami-labs.github.io/sealed-secrets +helm install sealed-secrets -n kube-system sealed-secrets/sealed-secrets +``` + +Puis, installez la cli kubeseal pour chiffrer des Secrets en Sealed Secrets + +```bash +KUBESEAL_VERSION='' # Définissez ceci sur, par exemple, KUBESEAL_VERSION='0.23.0' +curl -OL "https://github.com/bitnami-labs/sealed-secrets/releases/download/v${KUBESEAL_VERSION:?}/kubeseal-${KUBESEAL_VERSION:?}-linux-amd64.tar.gz" +tar -xvzf kubeseal-${KUBESEAL_VERSION:?}-linux-amd64.tar.gz kubeseal +sudo install -m 755 kubeseal /usr/local/bin/kubeseal +``` + +#### Utilisation + +- Créez votre Sealed Secret + +```bash +kubeseal -f \ + -w \ + --controller-name=sealed-secrets \ + --controller-namespace=kube-system + +kubectl create -f + +# Vérifiez si vous avez accès à votre Secret d'origine +kubectl get secrets -o yaml +``` + +Vous pouvez maintenant supprimer `secret-file` et utiliser `sealedsecret-output-file` à la place pour un stockage plus sécurisé + +- Supprimez votre Sealed Secret + +```bash +kubectl delete sealedsecret +``` + +#### Exemple + +```bash +$ cat secret.yaml +apiVersion: v1 +kind: Secret +metadata: + name: secret +type: Opaque +data: + value: TVkgQkFTRTY0IEVOQ09ERUQgU0VDUkVUIFZBTFVF + +$ kubeseal -f secret.yaml \ + -w sealed-secret.yaml \ + --controller-name=sealed-secrets \ + --controller-namespace=kube-system + +$ cat sealed-secret.yaml +--- +apiVersion: bitnami.com/v1alpha1 +kind: SealedSecret +metadata: + name: secret + namespace: default +spec: + encryptedData: + value: 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 + template: + metadata: + name: secret + namespace: default + type: Opaque + +$ kubectl create -f sealed-secret.yaml +sealedsecret.bitnami.com/secret created + +$ kubectl get secrets secret -o yaml +apiVersion: v1 +data: + value: TVkgQkFTRTY0IEVOQ09ERUQgU0VDUkVUIFZBTFVF +kind: Secret 
+metadata: + creationTimestamp: "2025-10-13T12:37:25Z" + name: secret + namespace: default + ownerReferences: + - apiVersion: bitnami.com/v1alpha1 + controller: true + kind: SealedSecret + name: secret + uid: c3a8489f-8125-406b-8a3a-f99b82d432e1 + resourceVersion: "16156798047" + uid: f3fbfd60-46d7-4211-a9b1-e67d452bc7dc +type: Opaque +``` + +Plus d'informations : () + +### Configuration du Secret Provider dans Kubernetes + +#### Installez l'External Secret Operator sur votre Kubernetes + +```bash +helm repo add external-secrets https://charts.external-secrets.io + +helm install external-secrets \ +external-secrets/external-secrets \ +-n external-secrets \ +--create-namespace \ +--set installCRDs=true +``` + +#### Définissez les chartes de l'External Secret Operator + +Tout d'abord, configurez un `SecretStore` qui est chargé de la synchronisation avec le Secret Manager. +Nous configurons le SecretStore en utilisant HashiCorp Vault avec l'authentification par jeton et en utilisant l'endpoint OKMS comme backend. + +Ajoutez le `user_pat` en tant que secret pour pouvoir l'utiliser dans les chartes. + +```yaml +--- +apiVersion: bitnami.com/v1alpha1 +kind: SealedSecret +metadata: +name: token-secret +namespace: default +spec: +encryptedData: + token: +template: + metadata: + name: token-secret + namespace: default + type: Opaque +``` + +La charte `SecretStore` : + +```yaml +apiVersion: external-secrets.io/v1 +kind: ClusterSecretStore +metadata: +name: vault-secret-store +spec: +provider: + vault: + server: "https://{region}.okms.ovh.net/api/" # endpoint OKMS, complétez avec la région correcte et votre okms_id + path: "secret" + version: "v2" + auth: + tokenSecretRef: + name: token-secret # Le secret k8s contenant votre PAT + key: token +``` + +Une fois le `SecretStore` configuré, vous pouvez définir des `ExternalSecret` provenant du gestionnaire de secrets. 
+Dans l'exemple, nous utilisons un secret déjà créé sur le Secret Manager : + +- Path : `prod/database/MySQL` +- Value : + - `login: admin` + - `password: my_secret_password` + +```yaml +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: +name: vault-external-secret +namespace: default +spec: +secretStoreRef: + name: vault-secret-store + kind: ClusterSecretStore +refreshInterval: "10s" +target: + name: creds-secret + creationPolicy: Owner +data: + - secretKey: login + remoteRef: + key: prod/database/MySQL # Chemin du secret dans le Secret Manager + property: login # Clé à trouver dans les données JSON du secret + - secretKey: password + remoteRef: + key: prod/database/MySQL + property: password +``` + +#### Déployez votre application + +Le secret devrait être créé et disponible dans Kubernetes. + +Pour toute information supplémentaire sur la gestion de l'External Secret Operator, reportez-vous à la documentation dédiée, en utilisant le fournisseur HashiCorp Vault : . + +## Aller plus loin + +Rejoignez notre [communauté d'utilisateurs](/links/community). \ No newline at end of file diff --git a/pages/manage_and_operate/secret_manager/external-secret-operator/meta.yaml b/pages/manage_and_operate/secret_manager/external-secret-operator/meta.yaml new file mode 100644 index 00000000000..cc78c7c3cdb --- /dev/null +++ b/pages/manage_and_operate/secret_manager/external-secret-operator/meta.yaml @@ -0,0 +1,3 @@ +id: f1e7d674-2086-49c9-b315-cfe6df0e0781 +full_slug: secret-manager-external-secret-operator +reference_category: manage-operate-secret-manager \ No newline at end of file From c41a3c4da3b27bd194da5eaab0b21a2c4820b02c Mon Sep 17 00:00:00 2001 From: gbarideau Date: Thu, 6 Nov 2025 11:03:47 +0100 Subject: [PATCH 02/12] adding info about authentification method supported --- .../external-secret-operator/guide.en-gb.md | 6 ++++++ .../external-secret-operator/guide.fr-fr.md | 9 ++++++++- 2 files changed, 14 insertions(+), 1 deletion(-) 
diff --git a/pages/manage_and_operate/secret_manager/external-secret-operator/guide.en-gb.md b/pages/manage_and_operate/secret_manager/external-secret-operator/guide.en-gb.md index 022dd82f856..98c9ca5cbbc 100644 --- a/pages/manage_and_operate/secret_manager/external-secret-operator/guide.en-gb.md +++ b/pages/manage_and_operate/secret_manager/external-secret-operator/guide.en-gb.md @@ -4,6 +4,9 @@ excerpt: "Configure External Secret Operator to store Kubernetes secrets on the updated: 2025-10-27 --- +> [!primary] +> Secret Manager is currently in beta phase. This guide can be updated in the future with the advances of our teams in charge of this product. + ## Objective This guide explains how set up the Kubernetes External Secret Operator to use the OVHcloud Secret Manager as a provider @@ -193,6 +196,9 @@ provider: key: token ``` +> [!info] +> Only [token authentication](https://external-secrets.io/latest/provider/hashicorp-vault/#token-based-authentication) is supported + Once the `SecretStore` is setup you can define `ExternalSecret` that comes from the secret manager. In the example we use a secret already created on the Secret Manager: diff --git a/pages/manage_and_operate/secret_manager/external-secret-operator/guide.fr-fr.md b/pages/manage_and_operate/secret_manager/external-secret-operator/guide.fr-fr.md index 65ac779625c..8d77972a8bd 100644 --- a/pages/manage_and_operate/secret_manager/external-secret-operator/guide.fr-fr.md +++ b/pages/manage_and_operate/secret_manager/external-secret-operator/guide.fr-fr.md 
@@ -4,6 +4,10 @@ excerpt: "Configurer External Secret Operator pour stocker des secrets Kubernete updated: 2025-10-27 --- +> [!primary] +> Le Secret Manager est actuellement en phase bêta. Ce guide est susceptible d’être mis à jour ultérieurement avec les avancées de nos équipes en charge de ce produit. +> + ## Objectif Ce guide explique comment configurer le Kubernetes External Secret Operator pour utiliser le Secret Manager OVHcloud comme fournisseur @@ -193,6 +197,9 @@ provider: key: token ``` +> [!info] +> Seulement [l'authentification par token](https://external-secrets.io/latest/provider/hashicorp-vault/#token-based-authentication) est supporté + Une fois le `SecretStore` configuré, vous pouvez définir des `ExternalSecret` provenant du gestionnaire de secrets. Dans l'exemple, nous utilisons un secret déjà créé sur le Secret Manager : @@ -234,4 +241,4 @@ Pour toute information supplémentaire sur la gestion de l'External Secret Opera ## Aller plus loin -Rejoignez notre [communauté d'utilisateurs](/links/community). \ No newline at end of file +Rejoignez notre [communauté d'utilisateurs](/links/community). From 0d3d6bcd13cb12db72265a5aa31bf317ba9d8988 Mon Sep 17 00:00:00 2001 From: gbarideau Date: Thu, 6 Nov 2025 17:14:44 +0100 Subject: [PATCH 03/12] adding info about pushing secret not supported yet --- .../secret_manager/external-secret-operator/guide.en-gb.md | 3 +++ .../secret_manager/external-secret-operator/guide.fr-fr.md | 3 +++ 2 files changed, 6 insertions(+) diff --git a/pages/manage_and_operate/secret_manager/external-secret-operator/guide.en-gb.md b/pages/manage_and_operate/secret_manager/external-secret-operator/guide.en-gb.md index 98c9ca5cbbc..d492be8f3b6 100644 --- a/pages/manage_and_operate/secret_manager/external-secret-operator/guide.en-gb.md +++ b/pages/manage_and_operate/secret_manager/external-secret-operator/guide.en-gb.md 
@@ -232,6 +232,9 @@ data: property: password ``` +> [!info] +> [Pushing secret from Kubernetes](https://external-secrets.io/latest/guides/pushsecrets/) is not supported yet. + #### Deploy your application The secret should be created and available in kubernetes. diff --git a/pages/manage_and_operate/secret_manager/external-secret-operator/guide.fr-fr.md b/pages/manage_and_operate/secret_manager/external-secret-operator/guide.fr-fr.md index 8d77972a8bd..d53805c9c06 100644 --- a/pages/manage_and_operate/secret_manager/external-secret-operator/guide.fr-fr.md +++ b/pages/manage_and_operate/secret_manager/external-secret-operator/guide.fr-fr.md @@ -233,6 +233,9 @@ data: property: password ``` +> [!info] +> [La création de secret depuis Kubernetes](https://external-secrets.io/latest/guides/pushsecrets/) n'est pas encore supportée. + #### Déployez votre application Le secret devrait être créé et disponible dans Kubernetes. From 36b3fd89174a4f4c91494dbfa06ed9addfcc25aa Mon Sep 17 00:00:00 2001 From: gbarideau Date: Thu, 6 Nov 2025 17:50:41 +0100 Subject: [PATCH 04/12] minor fix --- .../external-secret-operator/guide.en-gb.md | 10 +++++++--- .../external-secret-operator/guide.fr-fr.md | 10 +++++++--- 2 files changed, 14 insertions(+), 6 deletions(-) diff --git a/pages/manage_and_operate/secret_manager/external-secret-operator/guide.en-gb.md b/pages/manage_and_operate/secret_manager/external-secret-operator/guide.en-gb.md index d492be8f3b6..7f1afb87103 100644 --- a/pages/manage_and_operate/secret_manager/external-secret-operator/guide.en-gb.md +++ b/pages/manage_and_operate/secret_manager/external-secret-operator/guide.en-gb.md @@ -27,6 +27,8 @@ This user need to have at least the following rights: - `okms:apikms:secret/create` - `okms:apikms:secret/version/getData` +- `okms:apiovh:secret/get` +- `okms:apikms:secret/create` Then create a Personnal Acces Token (PAT) `user_pat`: 
@@ -153,7 +155,7 @@ external-secrets/external-secrets \ --set installCRDs=true ``` -#### Define the External Secret Operator charts +#### Configure External Secret Operator First, setup a `SecretStore` that is responsible of the synchronization with the Secret Manager. We configure the SecretStore using HashiCorp Vault with token authentification and with the OKMS endpoint as backend. @@ -177,7 +179,7 @@ template: type: Opaque ``` -The `SecretStore` chart: +The `SecretStore` resource: ```yaml apiVersion: external-secrets.io/v1 @@ -199,6 +201,8 @@ provider: > [!info] > Only [token authentication](https://external-secrets.io/latest/provider/hashicorp-vault/#token-based-authentication) is supported +#### Use External Secret Operator + Once the `SecretStore` is setup you can define `ExternalSecret` that comes from the secret manager. In the example we use a secret already created on the Secret Manager: @@ -233,7 +237,7 @@ data: ``` > [!info] -> [Pushing secret from Kubernetes](https://external-secrets.io/latest/guides/pushsecrets/) is not supported yet. +> Only `ExternalSecret` are supported yet. #### Deploy your application diff --git a/pages/manage_and_operate/secret_manager/external-secret-operator/guide.fr-fr.md b/pages/manage_and_operate/secret_manager/external-secret-operator/guide.fr-fr.md index d53805c9c06..9a923542574 100644 --- a/pages/manage_and_operate/secret_manager/external-secret-operator/guide.fr-fr.md +++ b/pages/manage_and_operate/secret_manager/external-secret-operator/guide.fr-fr.md @@ -28,6 +28,8 @@ Cet utilisateur doit avoir au moins les droits suivants : - `okms:apikms:secret/create` - `okms:apikms:secret/version/getData` +- `okms:apiovh:secret/get` +- `okms:apikms:secret/create` Puis créez un jeton d'accès personnel (PAT) `user_pat` : 
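Review bot: The replacement info box `> Only `ExternalSecret` are supported yet.` in hunk `@@ -233,7 +237,7 @@` is ungrammatical and drops the only pointer to what is not supported; suggest `> Only `ExternalSecret` resources are supported for now; PushSecret is not yet supported.`, keeping the link to the pushsecrets guide that the previous wording had. The French box in the next file's hunk `@@ -234,7 +238,7 @@` has the same issue (`sont supporté`).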
@@ -154,7 +156,7 @@ external-secrets/external-secrets \ --set installCRDs=true ``` -#### Définissez les chartes de l'External Secret Operator +#### Configurer l'External Secret Operator Tout d'abord, configurez un `SecretStore` qui est chargé de la synchronisation avec le Secret Manager. Nous configurons le SecretStore en utilisant HashiCorp Vault avec l'authentification par jeton et en utilisant l'endpoint OKMS comme backend. @@ -178,7 +180,7 @@ template: type: Opaque ``` -La charte `SecretStore` : +La ressource `SecretStore` : ```yaml apiVersion: external-secrets.io/v1 @@ -200,6 +202,8 @@ provider: > [!info] > Seulement [l'authentification par token](https://external-secrets.io/latest/provider/hashicorp-vault/#token-based-authentication) est supporté +#### Utiliser External Secret Operator + Une fois le `SecretStore` configuré, vous pouvez définir des `ExternalSecret` provenant du gestionnaire de secrets. Dans l'exemple, nous utilisons un secret déjà créé sur le Secret Manager : @@ -234,7 +238,7 @@ data: ``` > [!info] -> [La création de secret depuis Kubernetes](https://external-secrets.io/latest/guides/pushsecrets/) n'est pas encore supportée. +> Uniquement les `ExternalSecret` sont supporté pour l'instant. #### Déployez votre application From d11fd63c44148f3951b39de8944dd469373ca2db Mon Sep 17 00:00:00 2001 From: gbarideau Date: Thu, 6 Nov 2025 17:55:24 +0100 Subject: [PATCH 05/12] date update --- .../secret_manager/external-secret-operator/guide.en-gb.md | 2 +- .../secret_manager/external-secret-operator/guide.fr-fr.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/pages/manage_and_operate/secret_manager/external-secret-operator/guide.en-gb.md b/pages/manage_and_operate/secret_manager/external-secret-operator/guide.en-gb.md index 7f1afb87103..a7d8a14aa5c 100644 --- a/pages/manage_and_operate/secret_manager/external-secret-operator/guide.en-gb.md +++ b/pages/manage_and_operate/secret_manager/external-secret-operator/guide.en-gb.md 
@@ -1,7 +1,7 @@ --- title: "Use Kubernetes External Secret Operator with Secret Manager" excerpt: "Configure External Secret Operator to store Kubernetes secrets on the OVHcloud Secret Manager" -updated: 2025-10-27 +updated: 2025-11-07 --- > [!primary] diff --git a/pages/manage_and_operate/secret_manager/external-secret-operator/guide.fr-fr.md b/pages/manage_and_operate/secret_manager/external-secret-operator/guide.fr-fr.md index 9a923542574..09668200713 100644 --- a/pages/manage_and_operate/secret_manager/external-secret-operator/guide.fr-fr.md +++ b/pages/manage_and_operate/secret_manager/external-secret-operator/guide.fr-fr.md @@ -1,7 +1,7 @@ --- title: "Utiliser Kubernetes External Secret Operator avec Secret Manager" excerpt: "Configurer External Secret Operator pour stocker des secrets Kubernetes sur le Secret Manager OVHcloud" -updated: 2025-10-27 +updated: 2025-11-07 --- > [!primary] From 08fccab23f5ad9c1b6130ea5c51bd21bb3ad628e Mon Sep 17 00:00:00 2001 From: gbarideau Date: Thu, 13 Nov 2025 12:51:30 +0100 Subject: [PATCH 06/12] numerous fix following scraly comment --- .../external-secret-operator/guide.en-gb.md | 176 ++++++------------ .../external-secret-operator/guide.fr-fr.md | 174 ++++++----------- 2 files changed, 119 insertions(+), 231 deletions(-) diff --git a/pages/manage_and_operate/secret_manager/external-secret-operator/guide.en-gb.md b/pages/manage_and_operate/secret_manager/external-secret-operator/guide.en-gb.md index a7d8a14aa5c..a561708c7ea 100644 --- a/pages/manage_and_operate/secret_manager/external-secret-operator/guide.en-gb.md +++ b/pages/manage_and_operate/secret_manager/external-secret-operator/guide.en-gb.md 
@@ -9,12 +9,13 @@ updated: 2025-11-07 ## Objective -This guide explains how set up the Kubernetes External Secret Operator to use the OVHcloud Secret Manager as a provider +This guide explains how to set up the Kubernetes External Secret Operator to use the OVHcloud Secret Manager as a provider. ## Requirements - An [OVHcloud customer account](/pages/account_and_service_management/account_information/ovhcloud-account-creation). - Have [ordered an OKMS domain](/pages/manage_and_operate/kms/quick-start) or [created a first secret](/pages/manage_and_operate/secret_manager/secret-manager-ui). +- Have a Kubernetes cluster. ## Instructions @@ -22,13 +23,13 @@ This guide explains how set up the Kubernetes External Secret Operator to use th To allow access to the Secret Manager you will need to create credentials. -Create an [IAM local user](/pages/account_and_service_management/account_information/ovhcloud-users-management) with acces right on your domain. -This user need to have at least the following rights: +Create an [IAM local user](/pages/account_and_service_management/account_information/ovhcloud-users-management) with access right on your domain. + +The user should be a member of a group with the ADMIN role, or if using [IAM policies](/pages/account_and_service_management/account_information/iam-policy-ui) to have at least the following rights on the OKMS domain: - `okms:apikms:secret/create` - `okms:apikms:secret/version/getData` - `okms:apiovh:secret/get` -- `okms:apikms:secret/create` Then create a Personnal Acces Token (PAT) `user_pat`: 
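Review bot: The new sentence in hunk `@@ -22,13 +23,13 @@` tells readers the IAM user "should be a member of a group with the ADMIN role" before mentioning a scoped IAM policy, which invites handing an account-wide admin credential to an in-cluster operator whose PAT, once stored in `token-secret`, carries every right of that user. Suggest inverting the order, e.g. `Grant the user, through an [IAM policy](/pages/account_and_service_management/account_information/iam-policy-ui), only the rights below on the OKMS domain; membership of a group with the ADMIN role also works but gives the PAT far more than the operator needs.` The list also keeps `okms:apikms:secret/create` although the documented flow only reads secrets (patch 04 states that only `ExternalSecret` is supported); if the provider does not need create, drop it, and if it does, say why. The French hunk `@@ -24,12 +25,12 @@` of this patch has the same ordering.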
@@ -36,12 +37,27 @@ Then create a Personnal Acces Token (PAT) `user_pat`: > > @api {v1} /me POST /me/identity/user/{user}/token +API will answer with: + +```json +{ + "creation": "2025-11-13T10:38:44.658926311Z", + "description": "my first PAT", + "expiresAt": null, + "lastUsed": null, + "name": "my_PAT", + "token": "eyJhbGciOiJFZERXXXXXXXXDyI23Q7euIDmw9Pn__SDA" +} +``` + +Keep safe the value of `token` field as it will never be prompt again and will be used to authenticate on the Secret Manager as `user_pat`. + You will also need the `okms-id` of the OKMS domain you want to use. This ID can be found on the OVHcloud Control Panel. -### Setup Sealed Secret +### Setup Sealed Secret (optionnal) Sealed Secret allows you to safely store Kubernetes Secrets wherever you want by encrypting them. -This step is optionnal but highly recommendated. +This step is optionnal but highly recommended. First, install the controller in your cluster. It will automatically decrypt Sealed Secrets into standard Kubernetes Secrets 
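Review bot: The sample API response added after the `/me/identity/user/{user}/token` call shows `"expiresAt": null` together with a token value that looks like a truncated real JWT (`eyJhbGciOiJFZER...`) rather than an obvious placeholder; replace it with something clearly synthetic such as `"token": "<your_pat_token>"` and note that the example PAT never expires, recommending an expiry and periodic rotation since token authentication is the only credential protecting Secret Manager access from the cluster. The sentence `Keep safe the value of `token` field as it will never be prompt again` reads better as `Keep the value of the `token` field safe: it is shown only once and is what the operator will use to authenticate to the Secret Manager.` The new heading also introduces the typo `(optionnal)`. The French hunk `@@ -37,9 +38,24 @@` carries the same sample token.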
@@ -59,86 +75,6 @@ tar -xvzf kubeseal-${KUBESEAL_VERSION:?}-linux-amd64.tar.gz kubeseal sudo install -m 755 kubeseal /usr/local/bin/kubeseal ``` -#### Usage - -- Create your Sealed Secret - -```bash -kubeseal -f \ - -w \ - --controller-name=sealed-secrets \ - --controller-namespace=kube-system - -kubectl create -f - -# Check if you have access to your original Secret -kubectl get secrets -o yaml -``` - -You can now delete `secret-file` and use `sealedsecret-output-file` instead for a more secure storage - -- Delete your Sealed Secret - -```bash -kubectl delete sealedsecret -``` - -#### Example - -```bash -$ cat secret.yaml -apiVersion: v1 -kind: Secret -metadata: - name: secret -type: Opaque -data: - value: TVkgQkFTRTY0IEVOQ09ERUQgU0VDUkVUIFZBTFVF - -$ kubeseal -f secret.yaml \ - -w sealed-secret.yaml \ - --controller-name=sealed-secrets \ - --controller-namespace=kube-system - -$ cat sealed-secret.yaml ---- -apiVersion: bitnami.com/v1alpha1 -kind: SealedSecret -metadata: - name: secret - namespace: default -spec: - encryptedData: - value: 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 - template: - metadata: - name: secret - namespace: default - type: Opaque - -$ kubectl create -f sealed-secret.yaml -sealedsecret.bitnami.com/secret created - -$ kubectl get secrets secret -o yaml -apiVersion: v1 -data: - value: TVkgQkFTRTY0IEVOQ09ERUQgU0VDUkVUIFZBTFVF -kind: Secret -metadata: - creationTimestamp: "2025-10-13T12:37:25Z" - name: secret - namespace: default - ownerReferences: - - apiVersion: bitnami.com/v1alpha1 - controller: true - kind: SealedSecret - name: secret - uid: c3a8489f-8125-406b-8a3a-f99b82d432e1 - resourceVersion: "16156798047" - uid: f3fbfd60-46d7-4211-a9b1-e67d452bc7dc -type: Opaque -``` - More information: () ### Setup the Secret Provider in Kubernetes 
@@ -147,12 +83,12 @@ More information: () ```bash helm repo add external-secrets https://charts.external-secrets.io +helm repo update helm install external-secrets \ external-secrets/external-secrets \ -n external-secrets \ --create-namespace \ ---set installCRDs=true ``` #### Configure External Secret Operator @@ -167,16 +103,16 @@ Add the `user_pat` as a secret to be able to use it in the charts. apiVersion: bitnami.com/v1alpha1 kind: SealedSecret metadata: -name: token-secret -namespace: default + name: token-secret + namespace: default spec: -encryptedData: - token: -template: - metadata: - name: token-secret - namespace: default - type: Opaque + encryptedData: + token: + template: + metadata: + name: token-secret + namespace: default + type: Opaque ``` The `SecretStore` resource: @@ -185,22 +121,30 @@ The `SecretStore` resource: apiVersion: external-secrets.io/v1 kind: ClusterSecretStore metadata: -name: vault-secret-store + name: vault-secret-store spec: -provider: - vault: - server: "https://{region}.okms.ovh.net/api/" # OKMS endpoint, fill with the correct region and your okms_id - path: "secret" - version: "v2" - auth: - tokenSecretRef: - name: token-secret # The k8s secret that contain your PAT - key: token + provider: + vault: + server: "https://{region}.okms.ovh.net/api/" # OKMS endpoint, fill with the correct region and your okms_id + path: "secret" + version: "v2" + auth: + tokenSecretRef: + name: token-secret # The k8s secret that contain your PAT + key: token ``` > [!info] > Only [token authentication](https://external-secrets.io/latest/provider/hashicorp-vault/#token-based-authentication) is supported +Region name can be translated from your region location using: + +> [!api] +> +> @api {v1} /location GET /location + +As an example for **Europe (France - Paris)**, OKMS endpoint is **eu-west-par.okms.ovh.net** + #### Use External Secret Operator Once the `SecretStore` is setup you can define `ExternalSecret` that comes from the secret manager. 
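Review bot: In hunk `@@ -147,12 +83,12 @@` the helm install block now ends with `--create-namespace \` because the `--set installCRDs=true` line below it was removed, leaving a dangling line continuation; pasted into a shell the command waits for more input or swallows the next line, so the last line should be `--create-namespace` without the backslash. In hunk `@@ -185,22 +121,30 @@` the comment on `server` says to fill in "the correct region and your okms_id", but the template `https://{region}.okms.ovh.net/api/` has no placeholder for the OKMS id, so the reader cannot tell whether it belongs in the host, in the path, or in `path: "secret"`; show the complete template with an explicit `{okms_id}` placeholder where it actually goes. The French file's corresponding hunks are outside this view but presumably share both issues.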
@@ -215,22 +159,22 @@ In the example we use a secret already created on the Secret Manager: apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: -name: vault-external-secret -namespace: default + name: vault-external-secret + namespace: default spec: secretStoreRef: - name: vault-secret-store - kind: ClusterSecretStore + name: vault-secret-store + kind: ClusterSecretStore refreshInterval: "10s" target: - name: creds-secret - creationPolicy: Owner + name: creds-secret + creationPolicy: Owner data: - - secretKey: login + - secretKey: login remoteRef: - key: prod/database/MySQL # Path of the secret in the Secret Manager - property: login # Key to find in the JSON data of the secret - - secretKey: password + key: prod/database/MySQL # Path of the secret in the Secret Manager + property: login # Key to find in the JSON data of the secret + - secretKey: password remoteRef: key: prod/database/MySQL property: password diff --git a/pages/manage_and_operate/secret_manager/external-secret-operator/guide.fr-fr.md b/pages/manage_and_operate/secret_manager/external-secret-operator/guide.fr-fr.md index 09668200713..8257e7fc9b4 100644 --- a/pages/manage_and_operate/secret_manager/external-secret-operator/guide.fr-fr.md +++ b/pages/manage_and_operate/secret_manager/external-secret-operator/guide.fr-fr.md @@ -16,6 +16,7 @@ Ce guide explique comment configurer le Kubernetes External Secret Operator pour - Un [compte client OVHcloud](/pages/account_and_service_management/account_information/ovhcloud-account-creation). - Avoir [commandé un domaine OKMS](/pages/manage_and_operate/kms/quick-start) ou [créé un premier secret](/pages/manage_and_operate/secret_manager/secret-manager-ui). +- Avoir un cluster Kubernetes. ## En pratique 
@@ -24,12 +25,12 @@ Ce guide explique comment configurer le Kubernetes External Secret Operator pour Pour permettre l'accès au Secret Manager, vous devrez créer des identifiants. Créez un [utilisateur local IAM](/pages/account_and_service_management/account_information/ovhcloud-users-management) avec les droits d'accès à votre domaine. -Cet utilisateur doit avoir au moins les droits suivants : + +Cet utilisateur doit être membre d'un groupe avec le role ADMIN, ou si vous utilisez les [politiques IAM](/pages/account_and_service_management/account_information/iam-policy-ui) avoir au moins les droits suivants sur le domaine OKMS : - `okms:apikms:secret/create` - `okms:apikms:secret/version/getData` - `okms:apiovh:secret/get` -- `okms:apikms:secret/create` Puis créez un jeton d'accès personnel (PAT) `user_pat` : @@ -37,9 +38,24 @@ Puis créez un jeton d'accès personnel (PAT) `user_pat` : > > @api {v1} /me POST /me/identity/user/{user}/token +L'API va répondre : + +```json +{ + "creation": "2025-11-13T10:38:44.658926311Z", + "description": "my first PAT", + "expiresAt": null, + "lastUsed": null, + "name": "my_PAT", + "token": "eyJhbGciOiJFZERXXXXXXXXDyI23Q7euIDmw9Pn__SDA" +} +``` + +Gardez en sécurité la valeur du champ `token` car il ne sera jamais réaffiché et sera utilisé pour l'authentification sur le Secret Manager comme `user_pat`. + Vous aurez également besoin de l'`okms-id` du domaine OKMS que vous souhaitez utiliser. Cet ID peut être trouvé sur l'espace client OVHcloud. -### Configuration de Sealed Secret +### Configuration de Sealed Secret (optionnel) Sealed Secret vous permet de stocker en toute sécurité des Secrets Kubernetes là où vous le souhaitez en les chiffrant. Cette étape est optionnelle mais fortement recommandée. 
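Review bot: The minimum-rights list in the first hunk still grants `okms:apikms:secret/create` to the IAM user whose PAT the operator will hold, although the guide only defines `ExternalSecret` resources that read from the Secret Manager; if nothing in this setup writes secrets, that right can be dropped so the token stored in the cluster is read-only. `okms:apikms:secret/version/getData` and `okms:apiovh:secret/get` appear to be the read side — worth confirming against what the Vault provider actually calls before trimming. The removal of the duplicated `okms:apikms:secret/create` bullet is correct.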
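Review bot: In the second hunk (`@@ -37,9 +38,24 @@`) the sample response shows `"expiresAt": null`, i.e. the PAT created for the operator never expires, and the text does not suggest setting one; since this token is stored in the cluster and used unattended, the step should recommend an expiration and a rotation routine if the token endpoint accepts one, e.g. a sentence after the JSON block saying that a non-expiring PAT stored in the cluster is a long-lived credential and should be given an expiry and rotated. The same example is carried unchanged into the reworked sections of patch 10 (`@@ -33,50 +35,65 @@` in guide.en-gb.md and `@@ -22,173 +21,209 @@` in guide.fr-fr.md), so the recommendation belongs there too. The sample `token` value is partly masked; an obviously fake placeholder would avoid readers treating it as a real token.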
@@ -60,86 +76,6 @@ tar -xvzf kubeseal-${KUBESEAL_VERSION:?}-linux-amd64.tar.gz kubeseal sudo install -m 755 kubeseal /usr/local/bin/kubeseal ``` -#### Utilisation - -- Créez votre Sealed Secret - -```bash -kubeseal -f \ - -w \ - --controller-name=sealed-secrets \ - --controller-namespace=kube-system - -kubectl create -f - -# Vérifiez si vous avez accès à votre Secret d'origine -kubectl get secrets -o yaml -``` - -Vous pouvez maintenant supprimer `secret-file` et utiliser `sealedsecret-output-file` à la place pour un stockage plus sécurisé - -- Supprimez votre Sealed Secret - -```bash -kubectl delete sealedsecret -``` - -#### Exemple - -```bash -$ cat secret.yaml -apiVersion: v1 -kind: Secret -metadata: - name: secret -type: Opaque -data: - value: TVkgQkFTRTY0IEVOQ09ERUQgU0VDUkVUIFZBTFVF - -$ kubeseal -f secret.yaml \ - -w sealed-secret.yaml \ - --controller-name=sealed-secrets \ - --controller-namespace=kube-system - -$ cat sealed-secret.yaml ---- -apiVersion: bitnami.com/v1alpha1 -kind: SealedSecret -metadata: - name: secret - namespace: default -spec: - encryptedData: - value: 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 - template: - metadata: - name: secret - namespace: default - type: Opaque - -$ kubectl create -f sealed-secret.yaml -sealedsecret.bitnami.com/secret created - -$ kubectl get secrets secret -o yaml -apiVersion: v1 -data: - value: TVkgQkFTRTY0IEVOQ09ERUQgU0VDUkVUIFZBTFVF -kind: Secret -metadata: - creationTimestamp: "2025-10-13T12:37:25Z" - name: secret - namespace: default - ownerReferences: - - apiVersion: bitnami.com/v1alpha1 - controller: true - kind: SealedSecret - name: secret - uid: c3a8489f-8125-406b-8a3a-f99b82d432e1 - resourceVersion: "16156798047" - uid: f3fbfd60-46d7-4211-a9b1-e67d452bc7dc -type: Opaque -``` - Plus d'informations : () ### Configuration du Secret Provider dans Kubernetes 
@@ -148,12 +84,12 @@ Plus d'informations : () ```bash helm repo add external-secrets https://charts.external-secrets.io +helm repo update helm install external-secrets \ external-secrets/external-secrets \ -n external-secrets \ --create-namespace \ ---set installCRDs=true ``` #### Configurer l'External Secret Operator @@ -168,16 +104,16 @@ Ajoutez le `user_pat` en tant que secret pour pouvoir l'utiliser dans les charte apiVersion: bitnami.com/v1alpha1 kind: SealedSecret metadata: -name: token-secret -namespace: default + name: token-secret + namespace: default spec: -encryptedData: - token: -template: - metadata: - name: token-secret - namespace: default - type: Opaque + encryptedData: + token: + template: + metadata: + name: token-secret + namespace: default + type: Opaque ``` La ressource `SecretStore` : 
@@ -186,22 +122,30 @@ La ressource `SecretStore` : apiVersion: external-secrets.io/v1 kind: ClusterSecretStore metadata: -name: vault-secret-store + name: vault-secret-store spec: -provider: - vault: - server: "https://{region}.okms.ovh.net/api/" # endpoint OKMS, complétez avec la région correcte et votre okms_id - path: "secret" - version: "v2" - auth: - tokenSecretRef: - name: token-secret # Le secret k8s contenant votre PAT - key: token + provider: + vault: + server: "https://{region}.okms.ovh.net/api/" # endpoint OKMS, complétez avec la région correcte et votre okms_id + path: "secret" + version: "v2" + auth: + tokenSecretRef: + name: token-secret # Le secret k8s contenant votre PAT + key: token ``` > [!info] > Seulement [l'authentification par token](https://external-secrets.io/latest/provider/hashicorp-vault/#token-based-authentication) est supporté +Le nom de la région peut être traduit de la localisation avec: + +> [!api] +> +> @api {v1} /location GET /location + +Par exemple pour **Europe (France - Paris)**, l'endpoint OKMS est **eu-west-par.okms.ovh.net** + #### Utiliser External Secret Operator Une fois le `SecretStore` configuré, vous pouvez définir des `ExternalSecret` provenant du gestionnaire de secrets. 
@@ -216,25 +160,25 @@ Dans l'exemple, nous utilisons un secret déjà créé sur le Secret Manager : apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: -name: vault-external-secret -namespace: default + name: vault-external-secret + namespace: default spec: secretStoreRef: - name: vault-secret-store - kind: ClusterSecretStore + name: vault-secret-store + kind: ClusterSecretStore refreshInterval: "10s" target: - name: creds-secret - creationPolicy: Owner + name: creds-secret + creationPolicy: Owner data: - - secretKey: login + - secretKey: login remoteRef: - key: prod/database/MySQL # Chemin du secret dans le Secret Manager - property: login # Clé à trouver dans les données JSON du secret - - secretKey: password + key: prod/database/MySQL # Chemin du secret dans le Secret Manager + property: login # Clé à trouver dans les données JSON du secret + - secretKey: password remoteRef: - key: prod/database/MySQL - property: password + key: prod/database/MySQL + property: password ``` > [!info] From 400ac303ce0f9dd06679182bde3fc49874f7e662 Mon Sep 17 00:00:00 2001 From: gbarideau Date: Thu, 13 Nov 2025 13:03:35 +0100 Subject: [PATCH 07/12] indentation fix --- .../external-secret-operator/guide.en-gb.md | 10 +++++----- .../external-secret-operator/guide.fr-fr.md | 6 +++--- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/pages/manage_and_operate/secret_manager/external-secret-operator/guide.en-gb.md b/pages/manage_and_operate/secret_manager/external-secret-operator/guide.en-gb.md index a561708c7ea..b4494fbef05 100644 --- a/pages/manage_and_operate/secret_manager/external-secret-operator/guide.en-gb.md +++ b/pages/manage_and_operate/secret_manager/external-secret-operator/guide.en-gb.md 
@@ -162,9 +162,9 @@ metadata: name: vault-external-secret namespace: default spec: -secretStoreRef: - name: vault-secret-store - kind: ClusterSecretStore + secretStoreRef: + name: vault-secret-store + kind: ClusterSecretStore refreshInterval: "10s" target: name: creds-secret @@ -176,8 +176,8 @@ data: property: login # Key to find in the JSON data of the secret - secretKey: password remoteRef: - key: prod/database/MySQL - property: password + key: prod/database/MySQL + property: password ``` > [!info] diff --git a/pages/manage_and_operate/secret_manager/external-secret-operator/guide.fr-fr.md b/pages/manage_and_operate/secret_manager/external-secret-operator/guide.fr-fr.md index 8257e7fc9b4..b72381700a6 100644 --- a/pages/manage_and_operate/secret_manager/external-secret-operator/guide.fr-fr.md +++ b/pages/manage_and_operate/secret_manager/external-secret-operator/guide.fr-fr.md @@ -163,9 +163,9 @@ metadata: name: vault-external-secret namespace: default spec: -secretStoreRef: - name: vault-secret-store - kind: ClusterSecretStore + secretStoreRef: + name: vault-secret-store + kind: ClusterSecretStore refreshInterval: "10s" target: name: creds-secret From 2a2ab174fee74bf2d5db1deb122a2bc8dc9e8716 Mon Sep 17 00:00:00 2001 From: gbarideau Date: Thu, 13 Nov 2025 13:07:25 +0100 Subject: [PATCH 08/12] indentation fix --- .../external-secret-operator/guide.en-gb.md | 26 +++++++++---------- .../external-secret-operator/guide.fr-fr.md | 26 +++++++++---------- 2 files changed, 26 insertions(+), 26 deletions(-) diff --git a/pages/manage_and_operate/secret_manager/external-secret-operator/guide.en-gb.md b/pages/manage_and_operate/secret_manager/external-secret-operator/guide.en-gb.md index b4494fbef05..5101b3c135d 100644 --- a/pages/manage_and_operate/secret_manager/external-secret-operator/guide.en-gb.md +++ b/pages/manage_and_operate/secret_manager/external-secret-operator/guide.en-gb.md 
@@ -165,19 +165,19 @@ spec: secretStoreRef: name: vault-secret-store kind: ClusterSecretStore -refreshInterval: "10s" -target: - name: creds-secret - creationPolicy: Owner -data: - - secretKey: login - remoteRef: - key: prod/database/MySQL # Path of the secret in the Secret Manager - property: login # Key to find in the JSON data of the secret - - secretKey: password - remoteRef: - key: prod/database/MySQL - property: password + refreshInterval: "10s" + target: + name: creds-secret + creationPolicy: Owner + data: + - secretKey: login + remoteRef: + key: prod/database/MySQL # Path of the secret in the Secret Manager + property: login # Key to find in the JSON data of the secret + - secretKey: password + remoteRef: + key: prod/database/MySQL + property: password ``` > [!info] diff --git a/pages/manage_and_operate/secret_manager/external-secret-operator/guide.fr-fr.md b/pages/manage_and_operate/secret_manager/external-secret-operator/guide.fr-fr.md index b72381700a6..c15a005d10e 100644 --- a/pages/manage_and_operate/secret_manager/external-secret-operator/guide.fr-fr.md +++ b/pages/manage_and_operate/secret_manager/external-secret-operator/guide.fr-fr.md @@ -166,19 +166,19 @@ spec: secretStoreRef: name: vault-secret-store kind: ClusterSecretStore -refreshInterval: "10s" -target: - name: creds-secret - creationPolicy: Owner -data: - - secretKey: login - remoteRef: - key: prod/database/MySQL # Chemin du secret dans le Secret Manager - property: login # Clé à trouver dans les données JSON du secret - - secretKey: password - remoteRef: - key: prod/database/MySQL - property: password + refreshInterval: "10s" + target: + name: creds-secret + creationPolicy: Owner + data: + - secretKey: login + remoteRef: + key: prod/database/MySQL # Chemin du secret dans le Secret Manager + property: login # Clé à trouver dans les données JSON du secret + - secretKey: password + remoteRef: + key: prod/database/MySQL + property: password ``` > [!info] 
From c5d472c8a88de6b3dc11998d39cdba9f28e72621 Mon Sep 17 00:00:00 2001 From: gbarideau Date: Fri, 14 Nov 2025 16:09:20 +0100 Subject: [PATCH 09/12] moving SecretStore to ClusterSecretStore --- .../external-secret-operator/guide.en-gb.md | 8 ++++---- .../external-secret-operator/guide.fr-fr.md | 8 ++++---- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/pages/manage_and_operate/secret_manager/external-secret-operator/guide.en-gb.md b/pages/manage_and_operate/secret_manager/external-secret-operator/guide.en-gb.md index 5101b3c135d..a7149e4f9bd 100644 --- a/pages/manage_and_operate/secret_manager/external-secret-operator/guide.en-gb.md +++ b/pages/manage_and_operate/secret_manager/external-secret-operator/guide.en-gb.md @@ -93,8 +93,8 @@ external-secrets/external-secrets \ #### Configure External Secret Operator -First, setup a `SecretStore` that is responsible of the synchronization with the Secret Manager. -We configure the SecretStore using HashiCorp Vault with token authentification and with the OKMS endpoint as backend. +First, setup a `ClusterSecretStore` that is responsible of the synchronization with the Secret Manager. +We configure the ClusterSecretStore using HashiCorp Vault with token authentification and with the OKMS endpoint as backend. Add the `user_pat` as a secret to be able to use it in the charts. @@ -115,7 +115,7 @@ spec: type: Opaque ``` -The `SecretStore` resource: +The `ClusterSecretStore` resource: ```yaml apiVersion: external-secrets.io/v1 @@ -147,7 +147,7 @@ As an example for **Europe (France - Paris)**, OKMS endpoint is **eu-west-par.ok #### Use External Secret Operator -Once the `SecretStore` is setup you can define `ExternalSecret` that comes from the secret manager. +Once the `ClusterSecretStore` is setup you can define `ExternalSecret` that comes from the secret manager. In the example we use a secret already created on the Secret Manager: - Path: `prod/database/MySQL` 
diff --git a/pages/manage_and_operate/secret_manager/external-secret-operator/guide.fr-fr.md b/pages/manage_and_operate/secret_manager/external-secret-operator/guide.fr-fr.md index c15a005d10e..3f6efbab974 100644 --- a/pages/manage_and_operate/secret_manager/external-secret-operator/guide.fr-fr.md +++ b/pages/manage_and_operate/secret_manager/external-secret-operator/guide.fr-fr.md @@ -94,8 +94,8 @@ external-secrets/external-secrets \ #### Configurer l'External Secret Operator -Tout d'abord, configurez un `SecretStore` qui est chargé de la synchronisation avec le Secret Manager. -Nous configurons le SecretStore en utilisant HashiCorp Vault avec l'authentification par jeton et en utilisant l'endpoint OKMS comme backend. +Tout d'abord, configurez un `ClusterSecretStore` qui est chargé de la synchronisation avec le Secret Manager. +Nous configurons le ClusterSecretStore en utilisant HashiCorp Vault avec l'authentification par jeton et en utilisant l'endpoint OKMS comme backend. Ajoutez le `user_pat` en tant que secret pour pouvoir l'utiliser dans les chartes. @@ -116,7 +116,7 @@ spec: type: Opaque ``` -La ressource `SecretStore` : +La ressource `ClusterSecretStore` : ```yaml apiVersion: external-secrets.io/v1 @@ -148,7 +148,7 @@ Par exemple pour **Europe (France - Paris)**, l'endpoint OKMS est **eu-west-par. #### Utiliser External Secret Operator -Une fois le `SecretStore` configuré, vous pouvez définir des `ExternalSecret` provenant du gestionnaire de secrets. +Une fois le `ClusterSecretStore` configuré, vous pouvez définir des `ExternalSecret` provenant du gestionnaire de secrets. Dans l'exemple, nous utilisons un secret déjà créé sur le Secret Manager : - Path : `prod/database/MySQL` From ddad50bf5131a820e9e66d21331d319e5957db1b Mon Sep 17 00:00:00 2001 
From: gbarideau Date: Thu, 18 Dec 2025 14:09:47 +0100 Subject: [PATCH 10/12] Documentation rework to support SecretStore instead of ClusterSecretStore --- .../external-secret-operator/guide.en-gb.md | 206 +++++++++------ .../external-secret-operator/guide.fr-fr.md | 241 ++++++++++-------- 2 files changed, 259 insertions(+), 188 deletions(-) diff --git a/pages/manage_and_operate/secret_manager/external-secret-operator/guide.en-gb.md b/pages/manage_and_operate/secret_manager/external-secret-operator/guide.en-gb.md index a7149e4f9bd..008ef275e27 100644 --- a/pages/manage_and_operate/secret_manager/external-secret-operator/guide.en-gb.md +++ b/pages/manage_and_operate/secret_manager/external-secret-operator/guide.en-gb.md @@ -21,7 +21,9 @@ This guide explains how to set up the Kubernetes External Secret Operator to use ### Setup the Secret Manager -To allow access to the Secret Manager you will need to create credentials. +To allow access to the Secret Manager you will need to have a `token`, and the `region` and `okms-id` of your Secret Manager. + +#### Credential creation Create an [IAM local user](/pages/account_and_service_management/account_information/ovhcloud-users-management) with access right on your domain. 
@@ -33,50 +35,65 @@ The user should be a member of a group with the ADMIN role, or if using [IAM pol Then create a Personnal Acces Token (PAT) `user_pat`: -> [!api] -> -> @api {v1} /me POST /me/identity/user/{user}/token - -API will answer with: - -```json -{ - "creation": "2025-11-13T10:38:44.658926311Z", - "description": "my first PAT", - "expiresAt": null, - "lastUsed": null, - "name": "my_PAT", - "token": "eyJhbGciOiJFZERXXXXXXXXDyI23Q7euIDmw9Pn__SDA" -} -``` +> [!tabs] +> API +>> > [!api] +>> > +>> > @api {v1} /me POST /me/identity/user/{user}/token +>> +>> With the following payload (fill with your values): +>> +>> ```json +>> { +>> "description": "PAT secret manager for domain xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx", +>> "name": "pat-secretmanager-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx" +>> } +>> ``` +>> +>> API will answer with: +>> +>> ```json +>> { +>> "creation": "2025-11-13T10:38:44.658926311Z", +>> "description": "PAT secret manager for domain xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx", +>> "expiresAt": null, +>> "lastUsed": null, +>> "name": "pat-secretmanager-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx", +>> "token": "eyJhbGciOiJ...punpVAg" +>> } +>> ``` +>> +> CLI +>> PAT can also created with the [OVHcloud CLI](https://github.com/ovh/ovhcloud-cli) and the command (fill with your values) : +>> +>> ```bash +>> ovhcloud iam user {user} token create --name pat-secretmanager-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx --description "PAT secret manager for domain xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx" +>> ``` +>> +>> CLI will answer with the `token` value : +>> +>> ```bash +>> ✅ Token Secret-Manager created successfully, value: eyJhbGciOiJ...punpVAg +>> ``` Keep safe the value of `token` field as it will never be prompt again and will be used to authenticate on the Secret Manager as `user_pat`. -You will also need the `okms-id` of the OKMS domain you want to use. This ID can be found on the OVHcloud Control Panel. 
- -### Setup Sealed Secret (optionnal) +#### Secret Manager info -Sealed Secret allows you to safely store Kubernetes Secrets wherever you want by encrypting them. -This step is optionnal but highly recommended. - -First, install the controller in your cluster. It will automatically decrypt Sealed Secrets into standard Kubernetes Secrets - -```bash -helm repo add sealed-secrets https://bitnami-labs.github.io/sealed-secrets -helm install sealed-secrets -n kube-system sealed-secrets/sealed-secrets -``` +You will also need the `region` and the `okms-id` of the OKMS domain you want to use. This ID and this region can be found on the OVHcloud Control Panel. -Then, install kubeseal cli to encrypt Secrets into Sealed Secrets +Or through the [`ovhcloud` CLI](https://github.com/ovh/ovhcloud-cli): ```bash -KUBESEAL_VERSION='' # Set this to, for example, KUBESEAL_VERSION='0.23.0' -curl -OL "https://github.com/bitnami-labs/sealed-secrets/releases/download/v${KUBESEAL_VERSION:?}/kubeseal-${KUBESEAL_VERSION:?}-linux-amd64.tar.gz" -tar -xvzf kubeseal-${KUBESEAL_VERSION:?}-linux-amd64.tar.gz kubeseal -sudo install -m 755 kubeseal /usr/local/bin/kubeseal +$ ovhcloud okms list +┌──────────────────────────────────────┬─────────────┐ +│ id │ region │ +├──────────────────────────────────────┼─────────────┤ +│ xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx │ eu-west-par │ +│ xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx │ eu-west-par │ +└──────────────────────────────────────┴─────────────┘ ``` -More information: () - ### Setup the Secret Provider in Kubernetes #### Install the External Secret Operator on your kubernetes 
@@ -86,57 +103,67 @@ helm repo add external-secrets https://charts.external-secrets.io helm repo update helm install external-secrets \ -external-secrets/external-secrets \ --n external-secrets \ ---create-namespace \ + external-secrets/external-secrets \ + -n external-secrets \ + --create-namespace \ + --set installCRDs=true +``` + +Check ESO is running : + +```bash +$ kubectl get all -n external-secrets +NAME READY STATUS RESTARTS AGE +pod/external-secrets-8cbc56569-9875p 1/1 Running 0 12s +pod/external-secrets-cert-controller-565fcd479b-xbkcp 0/1 Running 0 12s +pod/external-secrets-webhook-7fb59d4b88-9tkl6 0/1 Running 0 12s + +NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE +service/external-secrets-webhook ClusterIP 10.3.43.102 443/TCP 13s + +NAME READY UP-TO-DATE AVAILABLE AGE +deployment.apps/external-secrets 1/1 1 1 13s +deployment.apps/external-secrets-cert-controller 0/1 1 0 13s +deployment.apps/external-secrets-webhook 0/1 1 0 13s + +NAME DESIRED CURRENT READY AGE +replicaset.apps/external-secrets-8cbc56569 1 1 1 13s +replicaset.apps/external-secrets-cert-controller-565fcd479b 1 1 0 13s +replicaset.apps/external-secrets-webhook-7fb59d4b88 1 1 0 13s ``` #### Configure External Secret Operator -First, setup a `ClusterSecretStore` that is responsible of the synchronization with the Secret Manager. -We configure the ClusterSecretStore using HashiCorp Vault with token authentification and with the OKMS endpoint as backend. +First, setup a `SecretStore` that is responsible of the synchronization with the Secret Manager. +We configure the SecretStore using HashiCorp Vault with token authentification and with the OKMS endpoint as backend. Add the `user_pat` as a secret to be able to use it in the charts. 
-```yaml ---- -apiVersion: bitnami.com/v1alpha1 -kind: SealedSecret -metadata: - name: token-secret - namespace: default -spec: - encryptedData: - token: - template: - metadata: - name: token-secret - namespace: default - type: Opaque -``` - -The `ClusterSecretStore` resource: +To define a new `SecretStore` resource, create a `secretstore.yaml` file with the followong content: ```yaml apiVersion: external-secrets.io/v1 -kind: ClusterSecretStore +kind: SecretStore metadata: name: vault-secret-store spec: provider: vault: - server: "https://{region}.okms.ovh.net/api/" # OKMS endpoint, fill with the correct region and your okms_id + server: "https://.okms.ovh.net/api/" # OKMS endpoint, fill with the correct region and your okms_id path: "secret" version: "v2" auth: tokenSecretRef: - name: token-secret # The k8s secret that contain your PAT + name: ovhcloud-vault-token # The k8s secret that contain your PAT key: token ``` > [!info] > Only [token authentication](https://external-secrets.io/latest/provider/hashicorp-vault/#token-based-authentication) is supported +> [!info] +> This integration works with a `ClusterSecretStore` as well + Region name can be translated from your region location using: > [!api] 
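Review bot: The `server` line lost its region placeholder — `"https://.okms.ovh.net/api/"` — while its comment still asks to fill in the region and `okms_id`; restore `server: "https://{region}.okms.ovh.net/api/"` and, since the URL has no slot for the domain id, either say where `okms-id` goes or drop it from the comment. The store now references `tokenSecretRef.name: ovhcloud-vault-token`, but the SealedSecret that created `token-secret` is removed in this hunk and no step creates `ovhcloud-vault-token`, so a reader following the guide ends up with no Secret holding the PAT. `SecretStore` is namespaced and the example omits `metadata.namespace`, so `kubectl apply` puts it in the current context namespace; an explicit `namespace: external-secrets` (matching the ExternalSecret later in the guide) plus a step creating the token Secret in that namespace — a `kubectl create secret generic ovhcloud-vault-token --from-literal=token=<user_pat> -n external-secrets` line, or the earlier SealedSecret approach — would close both gaps. The French rework `@@ -22,173 +21,209 @@` in guide.fr-fr.md starts on this page but runs past it, so it could not be checked for the same issues.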
@@ -145,47 +172,56 @@ Region name can be translated from your region location using: As an example for **Europe (France - Paris)**, OKMS endpoint is **eu-west-par.okms.ovh.net** -#### Use External Secret Operator +Deploy the resource in your cluster: + +```bash +kubectl apply -f secretstore.yaml +``` -Once the `ClusterSecretStore` is setup you can define `ExternalSecret` that comes from the secret manager. -In the example we use a secret already created on the Secret Manager: +#### Use External Secret Operator -- Path: `prod/database/MySQL` -- Value: - - `login: admin` - - `password: my_secret_password` +Once the `SecretStore` is setup you can define `ExternalSecret` that comes from the secret manager. +Create a `externalsecret.yaml` file with this content: ```yaml apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: - name: vault-external-secret - namespace: default + name: docker-config-secret + namespace: external-secrets spec: + refreshInterval: 30m secretStoreRef: name: vault-secret-store kind: ClusterSecretStore - refreshInterval: "10s" target: - name: creds-secret + template: + type: kubernetes.io/dockerconfigjson + data: + .dockerconfigjson: "{{ .mysecret | toString }}" + name: ovhregistrycred creationPolicy: Owner data: - - secretKey: login - remoteRef: - key: prod/database/MySQL # Path of the secret in the Secret Manager - property: login # Key to find in the JSON data of the secret - - secretKey: password - remoteRef: - key: prod/database/MySQL - property: password + - secretKey: mysecret + remoteRef: + key: prod/va1/dockerconfigjson ``` -> [!info] -> Only `ExternalSecret` are supported yet. +Apply the resource in your cluster: + +```bash +kubectl apply -f externalsecret.yaml +``` -#### Deploy your application +It will create a Kubernetes Secret object. -The secret should be created and available in kubernetes. +```bash +$ kubectl get secret -n external-secrets +NAME TYPE DATA AGE +... 
+ovhregistrycred kubernetes.io/dockerconfigjson 1 15m +... +``` For any additionnal informations on how to manage the External Secret Operator refer to the dedicated documentation, using the HashiCorp Vault provider: . diff --git a/pages/manage_and_operate/secret_manager/external-secret-operator/guide.fr-fr.md b/pages/manage_and_operate/secret_manager/external-secret-operator/guide.fr-fr.md index 3f6efbab974..3396c76f68e 100644 --- a/pages/manage_and_operate/secret_manager/external-secret-operator/guide.fr-fr.md +++ b/pages/manage_and_operate/secret_manager/external-secret-operator/guide.fr-fr.md @@ -5,12 +5,11 @@ updated: 2025-11-07 --- > [!primary] -> Le Secret Manager est actuellement en phase bêta. Ce guide est susceptible d’être mis à jour ultérieurement avec les avancées de nos équipes en charge de ce produit. -> +> Secret Manager est actuellement en phase bêta. Ce guide peut être mis à jour à l'avenir avec les avancées de nos équipes en charge de ce produit. ## Objectif -Ce guide explique comment configurer le Kubernetes External Secret Operator pour utiliser le Secret Manager OVHcloud comme fournisseur +Ce guide explique comment configurer le Kubernetes External Secret Operator pour utiliser le Secret Manager OVHcloud en tant que fournisseur. ## Prérequis 
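Review bot: `secretStoreRef` still says `kind: ClusterSecretStore` while this patch changes the store to `kind: SecretStore`, so the ExternalSecret will not resolve the store as written; change it to `kind: SecretStore`, which also requires the SecretStore to be in the same namespace as the ExternalSecret (`external-secrets`). The example places the rendered registry credential in the operator's own namespace; a short comment on the `namespace:` line noting it should be the namespace of the workload that consumes the Secret would help readers adapt it. The `kubectl get secret` listing is a good final check, but a `kubectl get externalsecret -n external-secrets` line showing the `SecretSynced` status would diagnose store or authentication errors more directly than the absence of a Secret.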
@@ -22,173 +21,209 @@ Ce guide explique comment configurer le Kubernetes External Secret Operator pour ### Configuration du Secret Manager -Pour permettre l'accès au Secret Manager, vous devrez créer des identifiants. +Pour permettre l'accès au Secret Manager, vous aurez besoin d'avoir un `token`, ainsi que la `region` et l'`okms-id` de votre Secret Manager. + +#### Création des identifiants Créez un [utilisateur local IAM](/pages/account_and_service_management/account_information/ovhcloud-users-management) avec les droits d'accès à votre domaine. -Cet utilisateur doit être membre d'un groupe avec le role ADMIN, ou si vous utilisez les [politiques IAM](/pages/account_and_service_management/account_information/iam-policy-ui) avoir au moins les droits suivants sur le domaine OKMS : +L'utilisateur doit appartenir à un groupe avec le rôle ADMIN, ou si vous utilisez les [politiques IAM](/pages/account_and_service_management/account_information/iam-policy-ui), il doit avoir au moins les droits suivants sur le domaine OKMS : - `okms:apikms:secret/create` - `okms:apikms:secret/version/getData` - `okms:apiovh:secret/get` -Puis créez un jeton d'accès personnel (PAT) `user_pat` : - -> [!api] -> -> @api {v1} /me POST /me/identity/user/{user}/token - -L'API va répondre : - -```json -{ - "creation": "2025-11-13T10:38:44.658926311Z", - "description": "my first PAT", - "expiresAt": null, - "lastUsed": null, - "name": "my_PAT", - "token": "eyJhbGciOiJFZERXXXXXXXXDyI23Q7euIDmw9Pn__SDA" -} -``` - -Gardez en sécurité la valeur du champ `token` car il ne sera jamais réaffiché et sera utilisé pour l'authentification sur le Secret Manager comme `user_pat`. - -Vous aurez également besoin de l'`okms-id` du domaine OKMS que vous souhaitez utiliser. Cet ID peut être trouvé sur l'espace client OVHcloud. - -### Configuration de Sealed Secret (optionnel) - -Sealed Secret vous permet de stocker en toute sécurité des Secrets Kubernetes là où vous le souhaitez en les chiffrant. 
-Cette étape est optionnelle mais fortement recommandée. - -Tout d'abord, installez le contrôleur dans votre cluster. Il déchiffrera automatiquement les Sealed Secrets en Secrets Kubernetes standards +Puis créez un Token d'Accès Personnel (PAT) `user_pat` : + +> [!tabs] +> API +>> > [!api] +>> > +>> > @api {v1} /me POST /me/identity/user/{user}/token +>> +>> Avec le payload suivant (remplissez avec vos valeurs) : +>> +>> ```json +>> { +>> "description": "PAT secret manager for domain xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx", +>> "name": "pat-secretmanager-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx" +>> } +>> ``` +>> +>> L'API répondra avec : +>> +>> ```json +>> { +>> "creation": "2025-11-13T10:38:44.658926311Z", +>> "description": "PAT secret manager for domain xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx", +>> "expiresAt": null, +>> "lastUsed": null, +>> "name": "pat-secretmanager-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx", +>> "token": "eyJhbGciOiJ...punpVAg" +>> } +>> ``` +>> +> CLI +>> Le PAT peut également être créé avec la [CLI OVHcloud](https://github.com/ovh/ovhcloud-cli) et la commande suivante (remplissez avec vos valeurs) : +>> +>> ```bash +>> ovhcloud iam user {user} token create --name pat-secretmanager-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx --description "PAT secret manager for domain xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx" +>> ``` +>> +>> La CLI répondra avec la valeur du `token` : +>> +>> ```bash +>> ✅ Token Secret-Manager created successfully, Value: eyJhbGciOiJ...punpVAg +>> ``` + +Conservez la valeur du champ `token` car elle ne sera plus affichée et sera utilisée pour l'authentification sur le Secret Manager en tant que `user_pat`. + +#### Informations du Secret Manager + +Vous aurez également besoin de la `region` et de l'`okms-id` du domaine OKMS que vous souhaitez utiliser. Cet ID et cette région peuvent être trouvés sur l'espace client OVHcloud. 
+ +Ou via la [`ovhcloud` CLI](https://github.com/ovh/ovhcloud-cli) : ```bash -helm repo add sealed-secrets https://bitnami-labs.github.io/sealed-secrets -helm install sealed-secrets -n kube-system sealed-secrets/sealed-secrets +$ ovhcloud okms list +┌──────────────────────────────────────┬─────────────┐ +│ id │ region │ +├──────────────────────────────────────┼─────────────┤ +│ xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx │ eu-west-par │ +│ xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx │ eu-west-par │ +└──────────────────────────────────────┴─────────────┘ ``` -Puis, installez la cli kubeseal pour chiffrer des Secrets en Sealed Secrets - -```bash -KUBESEAL_VERSION='' # Définissez ceci sur, par exemple, KUBESEAL_VERSION='0.23.0' -curl -OL "https://github.com/bitnami-labs/sealed-secrets/releases/download/v${KUBESEAL_VERSION:?}/kubeseal-${KUBESEAL_VERSION:?}-linux-amd64.tar.gz" -tar -xvzf kubeseal-${KUBESEAL_VERSION:?}-linux-amd64.tar.gz kubeseal -sudo install -m 755 kubeseal /usr/local/bin/kubeseal -``` +### Configuration du fournisseur de secrets dans Kubernetes -Plus d'informations : () - -### Configuration du Secret Provider dans Kubernetes - -#### Installez l'External Secret Operator sur votre Kubernetes +#### Installation de l'External Secret Operator sur votre Kubernetes ```bash helm repo add external-secrets https://charts.external-secrets.io helm repo update helm install external-secrets \ -external-secrets/external-secrets \ --n external-secrets \ ---create-namespace \ + external-secrets/external-secrets \ + -n external-secrets \ + --create-namespace \ + --set installCRDs=true ``` -#### Configurer l'External Secret Operator +Vérifiez que l'ESO est en cours d'exécution : -Tout d'abord, configurez un `ClusterSecretStore` qui est chargé de la synchronisation avec le Secret Manager. -Nous configurons le ClusterSecretStore en utilisant HashiCorp Vault avec l'authentification par jeton et en utilisant l'endpoint OKMS comme backend. 
+```bash +$ kubectl get all -n external-secrets +NAME READY STATUS RESTARTS AGE +pod/external-secrets-8cbc56569-9875p 1/1 Running 0 12s +pod/external-secrets-cert-controller-565fcd479b-xbkcp 0/1 Running 0 12s +pod/external-secrets-webhook-7fb59d4b88-9tkl6 0/1 Running 0 12s + +NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE +service/external-secrets-webhook ClusterIP 10.3.43.102 443/TCP 13s + +NAME READY UP-TO-DATE AVAILABLE AGE +deployment.apps/external-secrets 1/1 1 1 13s +deployment.apps/external-secrets-cert-controller 0/1 1 0 13s +deployment.apps/external-secrets-webhook 0/1 1 0 13s + +NAME DESIRED CURRENT READY AGE +replicaset.apps/external-secrets-8cbc56569 1 1 1 13s +replicaset.apps/external-secrets-cert-controller-565fcd479b 1 1 0 13s +replicaset.apps/external-secrets-webhook-7fb59d4b88 1 1 0 13s +``` -Ajoutez le `user_pat` en tant que secret pour pouvoir l'utiliser dans les chartes. +#### Configuration de l'External Secret Operator -```yaml ---- -apiVersion: bitnami.com/v1alpha1 -kind: SealedSecret -metadata: - name: token-secret - namespace: default -spec: - encryptedData: - token: - template: - metadata: - name: token-secret - namespace: default - type: Opaque -``` +Tout d'abord, configurez un `SecretStore` qui est responsable de la synchronisation avec le Secret Manager. +Nous configurons le SecretStore en utilisant HashiCorp Vault avec l'authentification par token et en utilisant l'endpoint OKMS en tant que backend. -La ressource `ClusterSecretStore` : +Ajoutez le `user_pat` en tant que secret afin de pouvoir l'utiliser dans les chartes. 
+ +Pour définir une nouvelle ressource `SecretStore`, créez un fichier `secretstore.yaml` avec le contenu suivant : ```yaml apiVersion: external-secrets.io/v1 -kind: ClusterSecretStore +kind: SecretStore metadata: name: vault-secret-store spec: provider: vault: - server: "https://{region}.okms.ovh.net/api/" # endpoint OKMS, complétez avec la région correcte et votre okms_id + server: "https://.okms.ovh.net/api/" # endpoint OKMS, remplissez avec la région correcte et votre okms_id path: "secret" version: "v2" auth: tokenSecretRef: - name: token-secret # Le secret k8s contenant votre PAT + name: ovhcloud-vault-token # le secret k8s contenant votre PAT key: token ``` > [!info] -> Seulement [l'authentification par token](https://external-secrets.io/latest/provider/hashicorp-vault/#token-based-authentication) est supporté +> Seule l'[authentification par token](https://external-secrets.io/latest/provider/hashicorp-vault/#token-based-authentication) est prise en charge + +> [!info] +> Cette intégration fonctionne également avec un `ClusterSecretStore` -Le nom de la région peut être traduit de la localisation avec: +Le nom de la région peut être traduit à partir de votre localisation régionale en utilisant : > [!api] > > @api {v1} /location GET /location -Par exemple pour **Europe (France - Paris)**, l'endpoint OKMS est **eu-west-par.okms.ovh.net** +Par exemple, pour **Europe (France - Paris)**, l'endpoint OKMS est **eu-west-par.okms.ovh.net** -#### Utiliser External Secret Operator +Déployez la ressource dans votre cluster : -Une fois le `ClusterSecretStore` configuré, vous pouvez définir des `ExternalSecret` provenant du gestionnaire de secrets. 
-Dans l'exemple, nous utilisons un secret déjà créé sur le Secret Manager : +```bash +kubectl apply -f secretstore.yaml +``` + +#### Utilisation de l'External Secret Operator -- Path : `prod/database/MySQL` -- Value : - - `login: admin` - - `password: my_secret_password` +Une fois le `SecretStore` configuré, vous pouvez définir des `ExternalSecret` provenant du gestionnaire de secrets. +Créez un fichier `externalsecret.yaml` avec le contenu suivant : ```yaml apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: - name: vault-external-secret - namespace: default + name: docker-config-secret + namespace: external-secrets spec: + refreshInterval: 30m secretStoreRef: name: vault-secret-store kind: ClusterSecretStore - refreshInterval: "10s" target: - name: creds-secret + template: + type: kubernetes.io/dockerconfigjson + data: + .dockerconfigjson: "{{ .mysecret | toString }}" + name: ovhregistrycred creationPolicy: Owner data: - - secretKey: login - remoteRef: - key: prod/database/MySQL # Chemin du secret dans le Secret Manager - property: login # Clé à trouver dans les données JSON du secret - - secretKey: password - remoteRef: - key: prod/database/MySQL - property: password + - secretKey: mysecret + remoteRef: + key: prod/va1/dockerconfigjson ``` -> [!info] -> Uniquement les `ExternalSecret` sont supporté pour l'instant. +Appliquez la ressource dans votre cluster : + +```bash +kubectl apply -f externalsecret.yaml +``` -#### Déployez votre application +Cela créera un objet de secret Kubernetes. -Le secret devrait être créé et disponible dans Kubernetes. +```bash +$ kubectl get secret -n external-secrets +NAME TYPE DATA AGE +... +ovhregistrycred kubernetes.io/dockerconfigjson 1 15m +... +``` -Pour toute information supplémentaire sur la gestion de l'External Secret Operator, reportez-vous à la documentation dédiée, en utilisant le fournisseur HashiCorp Vault : . 
+Pour toute information supplémentaire sur la gestion de l'External Secret Operator, veuillez consulter la documentation dédiée, en utilisant le fournisseur HashiCorp Vault : . ## Aller plus loin From ff6bb799185dd99c77be1492e8ddce928f6f8eee Mon Sep 17 00:00:00 2001 From: gbarideau Date: Fri, 19 Dec 2025 11:19:11 +0100 Subject: [PATCH 11/12] adding missing section about secret creation --- .../external-secret-operator/guide.en-gb.md | 45 +++++++++++-- .../external-secret-operator/guide.fr-fr.md | 67 ++++++++++++++----- 2 files changed, 91 insertions(+), 21 deletions(-) diff --git a/pages/manage_and_operate/secret_manager/external-secret-operator/guide.en-gb.md b/pages/manage_and_operate/secret_manager/external-secret-operator/guide.en-gb.md index 008ef275e27..ab19a57043f 100644 --- a/pages/manage_and_operate/secret_manager/external-secret-operator/guide.en-gb.md +++ b/pages/manage_and_operate/secret_manager/external-secret-operator/guide.en-gb.md @@ -5,7 +5,7 @@ updated: 2025-11-07 --- > [!primary] -> Secret Manager is currently in beta phase. This guide can be updated in the future with the advances of our teams in charge of this product. +> Secret Manager is currently in Beta phase. This guide can be updated in the future with the advancements made by our teams in charge of this product. ## Objective @@ -21,7 +21,7 @@ This guide explains how to set up the Kubernetes External Secret Operator to use ### Setup the Secret Manager -To allow access to the Secret Manager you will need to have a `token`, and the `region` and `okms-id` of your Secret Manager. +To allow access to the Secret Manager you will need to have a `token`, the `region` and `okms-id` of your Secret Manager. #### Credential creation 
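Review bot: The PAT created in the "Création des identifiants" tab set has no expiry — the request payload carries only `description` and `name`, and the sample response shows `"expiresAt": null` — yet the guide goes on to store that token as a long-lived Kubernetes Secret that the operator re-uses on every refresh; if the token endpoint accepts an expiration, the example should set one and tell the reader to rotate, otherwise a sentence noting that the PAT never expires and must be revoked by hand is needed. The rights list still includes `okms:apikms:secret/create`, which a read-only ESO sync should not need; if it is only there for the reader to seed test secrets, say so, since the same PAT ends up inside the cluster. In the `SecretStore` block, `server: "https://.okms.ovh.net/api/"` looks like the placeholder was lost (the old line had `{region}`, and the comment asks for region and okms_id) — confirm the rendered value shows both placeholders. The same hunk is mirrored in the English guide outside this chunk.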
@@ -64,10 +64,10 @@ Then create a Personnal Acces Token (PAT) `user_pat`: >> ``` >> > CLI ->> PAT can also created with the [OVHcloud CLI](https://github.com/ovh/ovhcloud-cli) and the command (fill with your values) : +>> PAT can also created with the [OVHcloud CLI](https://github.com/ovh/ovhcloud-cli) and the command (fill with your values): >> >> ```bash ->> ovhcloud iam user {user} token create --name pat-secretmanager-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx --description "PAT secret manager for domain xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx" +>> ovhcloud iam user token create {user} --name pat-secretmanager-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx --description "PAT secret manager for domain xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx" >> ``` >> >> CLI will answer with the `token` value : @@ -109,7 +109,7 @@ helm install external-secrets \ --set installCRDs=true ``` -Check ESO is running : +Check ESO is running: ```bash $ kubectl get all -n external-secrets @@ -132,6 +132,41 @@ replicaset.apps/external-secrets-cert-controller-565fcd479b 1 1 replicaset.apps/external-secrets-webhook-7fb59d4b88 1 1 0 13s ``` +#### Create a secret containing the PAT + +Start by encoding your `user_pat` is base64 so it can be stored in a kubernetes secret. + +```bash +$ echo -n "" | base64 +ZXlKaG...wVkFn +``` + +Then create a `secret.yaml`: + +```yaml + apiVersion: v1 +kind: Secret +metadata: + name: ovhcloud-vault-token + namespace: external-secrets +data: + token: ZXlKaG...wVkFn +``` + +And apply the ressource to the cluster: + +```bash +kubectl apply -f secret.yaml +``` + +The secret should have been created: + +```bash +$ kubectl get secret ovhcloud-vault-token -n external-secrets +NAME TYPE DATA AGE +ovhcloud-vault-token Opaque 1 5m +``` + #### Configure External Secret Operator First, setup a `SecretStore` that is responsible of the synchronization with the Secret Manager. 
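Review bot: In the new "Create a secret containing the PAT" section, the `secret.yaml` block starts with ` apiVersion: v1` indented by one space while `kind: Secret` is at column 0, which is not a valid YAML mapping and will be rejected by `kubectl apply`; the line should read `apiVersion: v1`. The same indentation slipped into the French counterpart hunk (`@@ -132,12 +132,47 @@`). The manual `echo -n "…" | base64` step is only an encoding, not a protection, and it leaves the PAT in the shell history; using `stringData:` with the raw token (`stringData:` / `  token: <user_pat>`) removes that step, or at least the text should say that base64 does not protect the value. Also "encoding your `user_pat` is base64" should read "in base64".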
diff --git a/pages/manage_and_operate/secret_manager/external-secret-operator/guide.fr-fr.md b/pages/manage_and_operate/secret_manager/external-secret-operator/guide.fr-fr.md index 3396c76f68e..0e1d2bd77ca 100644 --- a/pages/manage_and_operate/secret_manager/external-secret-operator/guide.fr-fr.md +++ b/pages/manage_and_operate/secret_manager/external-secret-operator/guide.fr-fr.md @@ -1,15 +1,15 @@ --- title: "Utiliser Kubernetes External Secret Operator avec Secret Manager" -excerpt: "Configurer External Secret Operator pour stocker des secrets Kubernetes sur le Secret Manager OVHcloud" +excerpt: "Configurer External Secret Operator pour stocker les secrets Kubernetes sur le Secret Manager d'OVHcloud" updated: 2025-11-07 --- > [!primary] -> Secret Manager est actuellement en phase bêta. Ce guide peut être mis à jour à l'avenir avec les avancées de nos équipes en charge de ce produit. +> Secret Manager est actuellement en phase bêta. Ce guide peut être mis à jour à l'avenir avec les avancées apportées par nos équipes en charge de ce produit. ## Objectif -Ce guide explique comment configurer le Kubernetes External Secret Operator pour utiliser le Secret Manager OVHcloud en tant que fournisseur. +Ce guide explique comment configurer l'External Secret Operator Kubernetes pour utiliser le Secret Manager d'OVHcloud en tant que fournisseur. ## Prérequis 
@@ -21,19 +21,19 @@ Ce guide explique comment configurer le Kubernetes External Secret Operator pour ### Configuration du Secret Manager -Pour permettre l'accès au Secret Manager, vous aurez besoin d'avoir un `token`, ainsi que la `region` et l'`okms-id` de votre Secret Manager. +Pour permettre l'accès au Secret Manager, vous aurez besoin d'un `token`, de la `region` et de l'`okms-id` de votre Secret Manager. #### Création des identifiants Créez un [utilisateur local IAM](/pages/account_and_service_management/account_information/ovhcloud-users-management) avec les droits d'accès à votre domaine. -L'utilisateur doit appartenir à un groupe avec le rôle ADMIN, ou si vous utilisez les [politiques IAM](/pages/account_and_service_management/account_information/iam-policy-ui), il doit avoir au moins les droits suivants sur le domaine OKMS : +L'utilisateur doit appartenir à un groupe avec le rôle ADMIN, ou si vous utilisez des [politiques IAM](/pages/account_and_service_management/account_information/iam-policy-ui), il doit avoir au moins les droits suivants sur le domaine OKMS : - `okms:apikms:secret/create` - `okms:apikms:secret/version/getData` - `okms:apiovh:secret/get` -Puis créez un Token d'Accès Personnel (PAT) `user_pat` : +Puis créez un jeton d'accès personnel (PAT) `user_pat` : > [!tabs] > API @@ -41,7 +41,7 @@ Puis créez un Token d'Accès Personnel (PAT) `user_pat` : >> > >> > @api {v1} /me POST /me/identity/user/{user}/token >> ->> Avec le payload suivant (remplissez avec vos valeurs) : +>> Avec la charge utile suivante (remplissez avec vos valeurs) : >> >> ```json >> { 
@@ -64,10 +64,10 @@ Puis créez un Token d'Accès Personnel (PAT) `user_pat` : >> ``` >> > CLI ->> Le PAT peut également être créé avec la [CLI OVHcloud](https://github.com/ovh/ovhcloud-cli) et la commande suivante (remplissez avec vos valeurs) : +>> Le PAT peut également être créé avec l'[OVHcloud CLI](https://github.com/ovh/ovhcloud-cli) et la commande suivante (remplissez avec vos valeurs) : >> >> ```bash ->> ovhcloud iam user {user} token create --name pat-secretmanager-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx --description "PAT secret manager for domain xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx" +>> ovhcloud iam user token create {user} --name pat-secretmanager-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx --description "PAT secret manager for domain xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx" >> ``` >> >> La CLI répondra avec la valeur du `token` : @@ -76,13 +76,13 @@ Puis créez un Token d'Accès Personnel (PAT) `user_pat` : >> ✅ Token Secret-Manager created successfully, Value: eyJhbGciOiJ...punpVAg >> ``` -Conservez la valeur du champ `token` car elle ne sera plus affichée et sera utilisée pour l'authentification sur le Secret Manager en tant que `user_pat`. +Conservez la valeur du champ `token` car elle ne sera plus affichée et sera utilisée pour s'authentifier sur le Secret Manager en tant que `user_pat`. #### Informations du Secret Manager Vous aurez également besoin de la `region` et de l'`okms-id` du domaine OKMS que vous souhaitez utiliser. Cet ID et cette région peuvent être trouvés sur l'espace client OVHcloud. -Ou via la [`ovhcloud` CLI](https://github.com/ovh/ovhcloud-cli) : +Ou via l'[OVHcloud CLI](https://github.com/ovh/ovhcloud-cli) : ```bash $ ovhcloud okms list 
@@ -132,12 +132,47 @@ replicaset.apps/external-secrets-cert-controller-565fcd479b 1 1 replicaset.apps/external-secrets-webhook-7fb59d4b88 1 1 0 13s ``` +#### Création d'un secret contenant le PAT + +Commencez par encoder votre `user_pat` en base64 afin de pouvoir le stocker dans un secret Kubernetes. + +```bash +$ echo -n "" | base64 +ZXlKaG...wVkFn +``` + +Puis créez un fichier `secret.yaml` : + +```yaml + apiVersion: v1 +kind: Secret +metadata: + name: ovhcloud-vault-token + namespace: external-secrets +data: + token: ZXlKaG...wVkFn +``` + +Et appliquez la ressource au cluster : + +```bash +kubectl apply -f secret.yaml +``` + +Le secret devrait avoir été créé : + +```bash +$ kubectl get secret ovhcloud-vault-token -n external-secrets +NAME TYPE DATA AGE +ovhcloud-vault-token Opaque 1 5m +``` + #### Configuration de l'External Secret Operator -Tout d'abord, configurez un `SecretStore` qui est responsable de la synchronisation avec le Secret Manager. -Nous configurons le SecretStore en utilisant HashiCorp Vault avec l'authentification par token et en utilisant l'endpoint OKMS en tant que backend. +Tout d'abord, configurez un `SecretStore` qui est chargé de la synchronisation avec le Secret Manager. +Nous configurons le SecretStore en utilisant HashiCorp Vault avec l'authentification par jeton et l'endpoint OKMS en tant que backend. -Ajoutez le `user_pat` en tant que secret afin de pouvoir l'utiliser dans les chartes. +Ajoutez le `user_pat` en tant que secret pour pouvoir l'utiliser dans les chartes. Pour définir une nouvelle ressource `SecretStore`, créez un fichier `secretstore.yaml` avec le contenu suivant : 
@@ -159,12 +194,12 @@ spec: ``` > [!info] -> Seule l'[authentification par token](https://external-secrets.io/latest/provider/hashicorp-vault/#token-based-authentication) est prise en charge +> Seule l'[authentification par jeton](https://external-secrets.io/latest/provider/hashicorp-vault/#token-based-authentication) est prise en charge > [!info] > Cette intégration fonctionne également avec un `ClusterSecretStore` -Le nom de la région peut être traduit à partir de votre localisation régionale en utilisant : +Le nom de la région peut être traduit à partir de votre emplacement régional en utilisant : > [!api] > From 5d3a23deb3ff82bfcdae76e679cd3d0321fdf3d5 Mon Sep 17 00:00:00 2001 From: gbarideau Date: Fri, 19 Dec 2025 15:41:08 +0100 Subject: [PATCH 12/12] switching SecretStore for ClusterSecretStore --- .../external-secret-operator/guide.en-gb.md | 10 +++++----- .../external-secret-operator/guide.fr-fr.md | 8 ++++---- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/pages/manage_and_operate/secret_manager/external-secret-operator/guide.en-gb.md b/pages/manage_and_operate/secret_manager/external-secret-operator/guide.en-gb.md index ab19a57043f..2288175f1ae 100644 --- a/pages/manage_and_operate/secret_manager/external-secret-operator/guide.en-gb.md +++ b/pages/manage_and_operate/secret_manager/external-secret-operator/guide.en-gb.md 
@@ -169,16 +169,16 @@ ovhcloud-vault-token Opaque 1 5m #### Configure External Secret Operator -First, setup a `SecretStore` that is responsible of the synchronization with the Secret Manager. +First, setup a `ClusterSecretStore` that is responsible of the synchronization with the Secret Manager. We configure the SecretStore using HashiCorp Vault with token authentification and with the OKMS endpoint as backend. Add the `user_pat` as a secret to be able to use it in the charts. -To define a new `SecretStore` resource, create a `secretstore.yaml` file with the followong content: +To define a new `ClusterSecretStore` resource, create a `clustersecretstore.yaml` file with the followong content: ```yaml apiVersion: external-secrets.io/v1 -kind: SecretStore +kind: ClusterSecretStore metadata: name: vault-secret-store spec: @@ -197,7 +197,7 @@ spec: > Only [token authentication](https://external-secrets.io/latest/provider/hashicorp-vault/#token-based-authentication) is supported > [!info] -> This integration works with a `ClusterSecretStore` as well +> This integration works with a `SecretStore` as well Region name can be translated from your region location using: @@ -215,7 +215,7 @@ kubectl apply -f secretstore.yaml #### Use External Secret Operator -Once the `SecretStore` is setup you can define `ExternalSecret` that comes from the secret manager. +Once the `ClusterSecretStore` is setup you can define `ExternalSecret` that comes from the secret manager. Create a `externalsecret.yaml` file with this content: ```yaml diff --git a/pages/manage_and_operate/secret_manager/external-secret-operator/guide.fr-fr.md b/pages/manage_and_operate/secret_manager/external-secret-operator/guide.fr-fr.md index 0e1d2bd77ca..236088e777a 100644 --- a/pages/manage_and_operate/secret_manager/external-secret-operator/guide.fr-fr.md +++ b/pages/manage_and_operate/secret_manager/external-secret-operator/guide.fr-fr.md 
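Review bot: After switching the manifest to `kind: ClusterSecretStore` and the file to `clustersecretstore.yaml`, the context line shown in the third hunk's header still reads `kubectl apply -f secretstore.yaml`, and the unchanged sentence "We configure the SecretStore using HashiCorp Vault…" in the first hunk still names the old kind; both appear to have been missed (the French file in the next section has the same two leftovers). Since a `ClusterSecretStore` is cluster-scoped, an `ExternalSecret` in any namespace can now read from the Secret Manager through the stored PAT, whereas the `SecretStore` it replaces was limited to its own namespace; the info box that now says "This integration works with a `SecretStore` as well" would be a good place to state that trade-off, e.g. `> A `ClusterSecretStore` can be referenced from every namespace; use a namespaced `SecretStore` when only one namespace needs the credentials.` "followong" in the same hunk should be "following".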
@@ -169,16 +169,16 @@ ovhcloud-vault-token Opaque 1 5m #### Configuration de l'External Secret Operator -Tout d'abord, configurez un `SecretStore` qui est chargé de la synchronisation avec le Secret Manager. +Tout d'abord, configurez un `ClusterSecretStore` qui est chargé de la synchronisation avec le Secret Manager. Nous configurons le SecretStore en utilisant HashiCorp Vault avec l'authentification par jeton et l'endpoint OKMS en tant que backend. Ajoutez le `user_pat` en tant que secret pour pouvoir l'utiliser dans les chartes. -Pour définir une nouvelle ressource `SecretStore`, créez un fichier `secretstore.yaml` avec le contenu suivant : +Pour définir une nouvelle ressource `ClusterSecretStore`, créez un fichier `clustersecretstore.yaml` avec le contenu suivant : ```yaml apiVersion: external-secrets.io/v1 -kind: SecretStore +kind: ClusterSecretStore metadata: name: vault-secret-store spec: @@ -215,7 +215,7 @@ kubectl apply -f secretstore.yaml #### Utilisation de l'External Secret Operator -Une fois le `SecretStore` configuré, vous pouvez définir des `ExternalSecret` provenant du gestionnaire de secrets. +Une fois le `ClusterSecretStore` configuré, vous pouvez définir des `ExternalSecret` provenant du gestionnaire de secrets. Créez un fichier `externalsecret.yaml` avec le contenu suivant : ```yaml