Support for External Secrets Operator | Documentation site for the nOps platform

Edit me

You can use AWS Secrets Manager integration with External Secrets Operator to create/sync the API Keys secret in your EKS cluster.

Prerequisites

API Keys stored in AWS Secrets Manager
External Secrets Operator installed in the EKS Cluster
An already created ClusterSecretStore (Take note of the ClusterSecretStore name as it will be used in helm command)

Steps to create secret in AWS Secrets Manager

Navigate to AWS Secrets Manager service.

Note: Make sure the secret is created in the same region as the EKS cluster

Click on store a new secret
Select Other type of secret
Add key/value for NOPS_API_KEY and DD_API_KEY respectively

Note: The values can be retrieved in the nOps platform under cluster configuration tab

Give the secret a name and click Next

Note: Take note of the secret name as it will be used in helm command

Click on store
Review new secret

Updated helm command

Once the secret in AWS secrets is created and the values for the API keys is in place you can update the helm command to use the integration with External Secrets Operator to create/sync the secret without explicitely passing the value in the helm command.

Example command for Karpenter enabled clusters:

helm upgrade -i nops-kubernetes-agent oci://public.ecr.aws/nops/kubernetes-agent \
  --namespace nops --create-namespace \
  --set containerInsights.enabled=true \
  --set containerInsights.env_variables.APP_NOPS_K8S_AGENT_CLUSTER_ARN=arn:aws:eks:us-east-1:123456789101:cluster/example-cluster  \ # Your target EKS cluster ARN
  --set containerInsights.env_variables.APP_AWS_S3_BUCKET=nops-container-cost-12345678101 \ # Your S3 Bucket name for Container Cost integration
  --set karpenops.enabled=true \
  --set karpenops.image.tag=1.23.2 \
  --set karpenops.clusterId=a+ABC1 \
  --set externalSecrets.enabled=true \ # Set it to true to enable External Secrets integration
  --set externalSecrets.secretStoreRef.name=<your_cluster_external_secret_store_name> \ # Prerequisite 3
  --set externalSecrets.data.apiKeys.remoteRef.key=<your_aws_secret_name> # Get it from step 4

Example command for ClusterAutoscaler enabled clusters:

helm upgrade -i nops-kubernetes-agent oci://public.ecr.aws/nops/kubernetes-agent \
  --namespace nops --create-namespace \
  --set containerInsights.enabled=true \
  --set containerInsights.env_variables.APP_NOPS_K8S_AGENT_CLUSTER_ARN=arn:aws:eks:us-east-1:123456789101:cluster/example-cluster  \ # Your target EKS cluster ARN
  --set containerInsights.env_variables.APP_AWS_S3_BUCKET=nops-container-cost-12345678101 \ # Your S3 Bucket name for Container Cost integration
  --set karpenops.enabled=false \
  --set externalSecrets.enabled=true \ # Set it to true to enable External Secrets integration
  --set externalSecrets.secretStoreRef.name=<your_cluster_external_secret_store_name> \ # Prerequisite 3
  --set externalSecrets.data.apiKeys.remoteRef.key=<your_aws_secret_name> # Get it from step 4

After a successful installation, you’ll see that a ClusterExternalSecret was created as well a secret named nops-api-keys under the nops namespace with both API Keys.

kubectl -n nops get externalsecret
kubectl -n nops get secrets

Tags: