diff --git a/pages/index.md b/pages/index.md index b0347a3b779..aefa14044de 100644 --- a/pages/index.md +++ b/pages/index.md @@ -2210,6 +2210,7 @@ + [Manage your OKMS access certificate](manage_and_operate/kms/okms-certificate-management) + [OKMS Architecture overview](manage_and_operate/kms/architecture-overview) + [OKMS - Shared responsibilities](manage_and_operate/kms/responsibility-model-kms) + + [Use Kubernetes External Secret Operator with Secret Manager](manage_and_operate/secret_manager/external-secret-operator) + OVHcloud Labs + [Data Collector](products/ovhcloud-labs-data-collector) + [Getting started](ovhcloud-labs-data-collector-getting-started) diff --git a/pages/manage_and_operate/secret_manager/external-secret-operator/guide.en-gb.md b/pages/manage_and_operate/secret_manager/external-secret-operator/guide.en-gb.md new file mode 100644 index 00000000000..5101b3c135d --- /dev/null +++ b/pages/manage_and_operate/secret_manager/external-secret-operator/guide.en-gb.md @@ -0,0 +1,194 @@ +--- +title: "Use Kubernetes External Secret Operator with Secret Manager" +excerpt: "Configure External Secret Operator to store Kubernetes secrets on the OVHcloud Secret Manager" +updated: 2025-11-07 +--- + +> [!primary] +> Secret Manager is currently in beta phase. This guide can be updated in the future with the advances of our teams in charge of this product. + +## Objective + +This guide explains how to set up the Kubernetes External Secret Operator to use the OVHcloud Secret Manager as a provider. + +## Requirements + +- An [OVHcloud customer account](/pages/account_and_service_management/account_information/ovhcloud-account-creation). +- Have [ordered an OKMS domain](/pages/manage_and_operate/kms/quick-start) or [created a first secret](/pages/manage_and_operate/secret_manager/secret-manager-ui). +- Have a Kubernetes cluster. + +## Instructions + +### Setup the Secret Manager + +To allow access to the Secret Manager you will need to create credentials. + +Create an [IAM local user](/pages/account_and_service_management/account_information/ovhcloud-users-management) with access right on your domain. + +The user should be a member of a group with the ADMIN role, or if using [IAM policies](/pages/account_and_service_management/account_information/iam-policy-ui) to have at least the following rights on the OKMS domain: + +- `okms:apikms:secret/create` +- `okms:apikms:secret/version/getData` +- `okms:apiovh:secret/get` + +Then create a Personnal Acces Token (PAT) `user_pat`: + +> [!api] +> +> @api {v1} /me POST /me/identity/user/{user}/token + +API will answer with: + +```json +{ + "creation": "2025-11-13T10:38:44.658926311Z", + "description": "my first PAT", + "expiresAt": null, + "lastUsed": null, + "name": "my_PAT", + "token": "eyJhbGciOiJFZERXXXXXXXXDyI23Q7euIDmw9Pn__SDA" +} +``` + +Keep safe the value of `token` field as it will never be prompt again and will be used to authenticate on the Secret Manager as `user_pat`. + +You will also need the `okms-id` of the OKMS domain you want to use. This ID can be found on the OVHcloud Control Panel. + +### Setup Sealed Secret (optionnal) + +Sealed Secret allows you to safely store Kubernetes Secrets wherever you want by encrypting them. +This step is optionnal but highly recommended. + +First, install the controller in your cluster. It will automatically decrypt Sealed Secrets into standard Kubernetes Secrets + +```bash +helm repo add sealed-secrets https://bitnami-labs.github.io/sealed-secrets +helm install sealed-secrets -n kube-system sealed-secrets/sealed-secrets +``` + +Then, install kubeseal cli to encrypt Secrets into Sealed Secrets + +```bash +KUBESEAL_VERSION='' # Set this to, for example, KUBESEAL_VERSION='0.23.0' +curl -OL "https://github.com/bitnami-labs/sealed-secrets/releases/download/v${KUBESEAL_VERSION:?}/kubeseal-${KUBESEAL_VERSION:?}-linux-amd64.tar.gz" +tar -xvzf kubeseal-${KUBESEAL_VERSION:?}-linux-amd64.tar.gz kubeseal +sudo install -m 755 kubeseal /usr/local/bin/kubeseal +``` + +More information: () + +### Setup the Secret Provider in Kubernetes + +#### Install the External Secret Operator on your kubernetes + +```bash +helm repo add external-secrets https://charts.external-secrets.io +helm repo update + +helm install external-secrets \ +external-secrets/external-secrets \ +-n external-secrets \ +--create-namespace \ +``` + +#### Configure External Secret Operator + +First, setup a `SecretStore` that is responsible of the synchronization with the Secret Manager. +We configure the SecretStore using HashiCorp Vault with token authentification and with the OKMS endpoint as backend. + +Add the `user_pat` as a secret to be able to use it in the charts. + +```yaml +--- +apiVersion: bitnami.com/v1alpha1 +kind: SealedSecret +metadata: + name: token-secret + namespace: default +spec: + encryptedData: + token: + template: + metadata: + name: token-secret + namespace: default + type: Opaque +``` + +The `SecretStore` resource: + +```yaml +apiVersion: external-secrets.io/v1 +kind: ClusterSecretStore +metadata: + name: vault-secret-store +spec: + provider: + vault: + server: "https://{region}.okms.ovh.net/api/" # OKMS endpoint, fill with the correct region and your okms_id + path: "secret" + version: "v2" + auth: + tokenSecretRef: + name: token-secret # The k8s secret that contain your PAT + key: token +``` + +> [!info] +> Only [token authentication](https://external-secrets.io/latest/provider/hashicorp-vault/#token-based-authentication) is supported + +Region name can be translated from your region location using: + +> [!api] +> +> @api {v1} /location GET /location + +As an example for **Europe (France - Paris)**, OKMS endpoint is **eu-west-par.okms.ovh.net** + +#### Use External Secret Operator + +Once the `SecretStore` is setup you can define `ExternalSecret` that comes from the secret manager. +In the example we use a secret already created on the Secret Manager: + +- Path: `prod/database/MySQL` +- Value: + - `login: admin` + - `password: my_secret_password` + +```yaml +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: + name: vault-external-secret + namespace: default +spec: + secretStoreRef: + name: vault-secret-store + kind: ClusterSecretStore + refreshInterval: "10s" + target: + name: creds-secret + creationPolicy: Owner + data: + - secretKey: login + remoteRef: + key: prod/database/MySQL # Path of the secret in the Secret Manager + property: login # Key to find in the JSON data of the secret + - secretKey: password + remoteRef: + key: prod/database/MySQL + property: password +``` + +> [!info] +> Only `ExternalSecret` are supported yet. + +#### Deploy your application + +The secret should be created and available in kubernetes. + +For any additionnal informations on how to manage the External Secret Operator refer to the dedicated documentation, using the HashiCorp Vault provider: . + +## Go further + +Join our [community of users](/links/community). diff --git a/pages/manage_and_operate/secret_manager/external-secret-operator/guide.fr-fr.md b/pages/manage_and_operate/secret_manager/external-secret-operator/guide.fr-fr.md new file mode 100644 index 00000000000..c15a005d10e --- /dev/null +++ b/pages/manage_and_operate/secret_manager/external-secret-operator/guide.fr-fr.md @@ -0,0 +1,195 @@ +--- +title: "Utiliser Kubernetes External Secret Operator avec Secret Manager" +excerpt: "Configurer External Secret Operator pour stocker des secrets Kubernetes sur le Secret Manager OVHcloud" +updated: 2025-11-07 +--- + +> [!primary] +> Le Secret Manager est actuellement en phase bêta. Ce guide est susceptible d’être mis à jour ultérieurement avec les avancées de nos équipes en charge de ce produit. +> + +## Objectif + +Ce guide explique comment configurer le Kubernetes External Secret Operator pour utiliser le Secret Manager OVHcloud comme fournisseur + +## Prérequis + +- Un [compte client OVHcloud](/pages/account_and_service_management/account_information/ovhcloud-account-creation). +- Avoir [commandé un domaine OKMS](/pages/manage_and_operate/kms/quick-start) ou [créé un premier secret](/pages/manage_and_operate/secret_manager/secret-manager-ui). +- Avoir un cluster Kubernetes. + +## En pratique + +### Configuration du Secret Manager + +Pour permettre l'accès au Secret Manager, vous devrez créer des identifiants. + +Créez un [utilisateur local IAM](/pages/account_and_service_management/account_information/ovhcloud-users-management) avec les droits d'accès à votre domaine. + +Cet utilisateur doit être membre d'un groupe avec le role ADMIN, ou si vous utilisez les [politiques IAM](/pages/account_and_service_management/account_information/iam-policy-ui) avoir au moins les droits suivants sur le domaine OKMS : + +- `okms:apikms:secret/create` +- `okms:apikms:secret/version/getData` +- `okms:apiovh:secret/get` + +Puis créez un jeton d'accès personnel (PAT) `user_pat` : + +> [!api] +> +> @api {v1} /me POST /me/identity/user/{user}/token + +L'API va répondre : + +```json +{ + "creation": "2025-11-13T10:38:44.658926311Z", + "description": "my first PAT", + "expiresAt": null, + "lastUsed": null, + "name": "my_PAT", + "token": "eyJhbGciOiJFZERXXXXXXXXDyI23Q7euIDmw9Pn__SDA" +} +``` + +Gardez en sécurité la valeur du champ `token` car il ne sera jamais réaffiché et sera utilisé pour l'authentification sur le Secret Manager comme `user_pat`. + +Vous aurez également besoin de l'`okms-id` du domaine OKMS que vous souhaitez utiliser. Cet ID peut être trouvé sur l'espace client OVHcloud. + +### Configuration de Sealed Secret (optionnel) + +Sealed Secret vous permet de stocker en toute sécurité des Secrets Kubernetes là où vous le souhaitez en les chiffrant. +Cette étape est optionnelle mais fortement recommandée. + +Tout d'abord, installez le contrôleur dans votre cluster. Il déchiffrera automatiquement les Sealed Secrets en Secrets Kubernetes standards + +```bash +helm repo add sealed-secrets https://bitnami-labs.github.io/sealed-secrets +helm install sealed-secrets -n kube-system sealed-secrets/sealed-secrets +``` + +Puis, installez la cli kubeseal pour chiffrer des Secrets en Sealed Secrets + +```bash +KUBESEAL_VERSION='' # Définissez ceci sur, par exemple, KUBESEAL_VERSION='0.23.0' +curl -OL "https://github.com/bitnami-labs/sealed-secrets/releases/download/v${KUBESEAL_VERSION:?}/kubeseal-${KUBESEAL_VERSION:?}-linux-amd64.tar.gz" +tar -xvzf kubeseal-${KUBESEAL_VERSION:?}-linux-amd64.tar.gz kubeseal +sudo install -m 755 kubeseal /usr/local/bin/kubeseal +``` + +Plus d'informations : () + +### Configuration du Secret Provider dans Kubernetes + +#### Installez l'External Secret Operator sur votre Kubernetes + +```bash +helm repo add external-secrets https://charts.external-secrets.io +helm repo update + +helm install external-secrets \ +external-secrets/external-secrets \ +-n external-secrets \ +--create-namespace \ +``` + +#### Configurer l'External Secret Operator + +Tout d'abord, configurez un `SecretStore` qui est chargé de la synchronisation avec le Secret Manager. +Nous configurons le SecretStore en utilisant HashiCorp Vault avec l'authentification par jeton et en utilisant l'endpoint OKMS comme backend. + +Ajoutez le `user_pat` en tant que secret pour pouvoir l'utiliser dans les chartes. + +```yaml +--- +apiVersion: bitnami.com/v1alpha1 +kind: SealedSecret +metadata: + name: token-secret + namespace: default +spec: + encryptedData: + token: + template: + metadata: + name: token-secret + namespace: default + type: Opaque +``` + +La ressource `SecretStore` : + +```yaml +apiVersion: external-secrets.io/v1 +kind: ClusterSecretStore +metadata: + name: vault-secret-store +spec: + provider: + vault: + server: "https://{region}.okms.ovh.net/api/" # endpoint OKMS, complétez avec la région correcte et votre okms_id + path: "secret" + version: "v2" + auth: + tokenSecretRef: + name: token-secret # Le secret k8s contenant votre PAT + key: token +``` + +> [!info] +> Seulement [l'authentification par token](https://external-secrets.io/latest/provider/hashicorp-vault/#token-based-authentication) est supporté + +Le nom de la région peut être traduit de la localisation avec: + +> [!api] +> +> @api {v1} /location GET /location + +Par exemple pour **Europe (France - Paris)**, l'endpoint OKMS est **eu-west-par.okms.ovh.net** + +#### Utiliser External Secret Operator + +Une fois le `SecretStore` configuré, vous pouvez définir des `ExternalSecret` provenant du gestionnaire de secrets. +Dans l'exemple, nous utilisons un secret déjà créé sur le Secret Manager : + +- Path : `prod/database/MySQL` +- Value : + - `login: admin` + - `password: my_secret_password` + +```yaml +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: + name: vault-external-secret + namespace: default +spec: + secretStoreRef: + name: vault-secret-store + kind: ClusterSecretStore + refreshInterval: "10s" + target: + name: creds-secret + creationPolicy: Owner + data: + - secretKey: login + remoteRef: + key: prod/database/MySQL # Chemin du secret dans le Secret Manager + property: login # Clé à trouver dans les données JSON du secret + - secretKey: password + remoteRef: + key: prod/database/MySQL + property: password +``` + +> [!info] +> Uniquement les `ExternalSecret` sont supporté pour l'instant. + +#### Déployez votre application + +Le secret devrait être créé et disponible dans Kubernetes. + +Pour toute information supplémentaire sur la gestion de l'External Secret Operator, reportez-vous à la documentation dédiée, en utilisant le fournisseur HashiCorp Vault : . + +## Aller plus loin + +Rejoignez notre [communauté d'utilisateurs](/links/community). diff --git a/pages/manage_and_operate/secret_manager/external-secret-operator/meta.yaml b/pages/manage_and_operate/secret_manager/external-secret-operator/meta.yaml new file mode 100644 index 00000000000..cc78c7c3cdb --- /dev/null +++ b/pages/manage_and_operate/secret_manager/external-secret-operator/meta.yaml @@ -0,0 +1,3 @@ +id: f1e7d674-2086-49c9-b315-cfe6df0e0781 +full_slug: secret-manager-external-secret-operator +reference_category: manage-operate-secret-manager \ No newline at end of file