Support for External Secrets Operator
You can use AWS Secrets Manager integration with External Secrets Operator to create/sync the API Keys secret in your EKS cluster.
Prerequisites
- API Keys stored in AWS Secrets Manager
- External Secrets Operator installed in the EKS Cluster
- An already created ClusterSecretStore (take note of the ClusterSecretStore name, as it will be used in the helm command)
Steps to create secret in AWS Secrets Manager
- Navigate to AWS Secrets Manager service.
  Note: Make sure the secret is created in the same region as the EKS cluster
- Click on store a new secret
- Select Other type of secret
- Add key/value for NOPS_API_KEY and DD_API_KEY respectively
  Note: The values can be retrieved in the nOps platform under cluster configuration tab
- Give the secret a name and click Next
  Note: Take note of the secret name as it will be used in helm command
- Click on store
- Review new secret
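The prerequisites and the secret created in the steps above can be checked from a terminal before running the helm command. The script below is an added example, not part of the nOps documentation or chart; the function names are chosen here, and it assumes the aws CLI and kubectl are already configured for the target account and cluster.

```shell
#!/usr/bin/env bash
# Added example (not nOps code): pre-flight checks for the prerequisites above.
# Function names are chosen for this example. Requires the aws CLI and kubectl.

# Print the region field of an ARN (4th colon-separated field).
arn_region() {
  printf '%s\n' "$1" | cut -d: -f4
}

# Read a SecretString JSON document on stdin; succeed only if both key names
# from the steps above are present with non-empty string values.
# The values themselves are never printed.
has_required_keys() {
  local payload k
  payload=$(cat)
  for k in NOPS_API_KEY DD_API_KEY; do
    printf '%s' "$payload" |
      grep -q "\"$k\"[[:space:]]*:[[:space:]]*\"[^\"]" || return 1
  done
}

# usage: preflight <cluster_arn> <aws_secret_name> <cluster_secret_store_name>
preflight() {
  local region
  region=$(arn_region "$1")
  # Looking the secret up in the cluster's region enforces the same-region note.
  aws secretsmanager describe-secret --region "$region" --secret-id "$2" \
    >/dev/null || { echo "secret '$2' not found in $region" >&2; return 1; }
  aws secretsmanager get-secret-value --region "$region" --secret-id "$2" \
    --query SecretString --output text | has_required_keys ||
    { echo "secret '$2' lacks NOPS_API_KEY or DD_API_KEY" >&2; return 1; }
  kubectl get clustersecretstore "$3" >/dev/null ||
    { echo "ClusterSecretStore '$3' not found" >&2; return 1; }
  echo "pre-flight checks passed"
}

# Run only when called with the three arguments, e.g.:
#   ./preflight.sh arn:aws:eks:us-east-1:123456789101:cluster/example-cluster \
#     <your_aws_secret_name> <your_cluster_external_secret_store_name>
if [ "$#" -eq 3 ]; then
  preflight "$@"
fi
```

The secret payload is only piped between processes, so the API key values do not appear in terminal output or in command-line arguments.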
Updated helm command
Once the secret is created in AWS Secrets Manager and the values for the API keys are in place, you can update the helm command to use the integration with External Secrets Operator to create/sync the secret without explicitly passing the values in the helm command.
Example command for Karpenter enabled clusters:
# Replace these values before running:
#   APP_NOPS_K8S_AGENT_CLUSTER_ARN: your target EKS cluster ARN
#   APP_AWS_S3_BUCKET: your S3 bucket name for the Container Cost integration
#   externalSecrets.enabled: set it to true to enable the External Secrets integration
#   externalSecrets.secretStoreRef.name: your ClusterSecretStore name (prerequisite 3)
#   externalSecrets.data.apiKeys.remoteRef.key: your AWS secret name (get it from step 4)
helm upgrade -i nops-kubernetes-agent oci://public.ecr.aws/nops/kubernetes-agent \
--namespace nops --create-namespace \
--set containerInsights.enabled=true \
--set containerInsights.env_variables.APP_NOPS_K8S_AGENT_CLUSTER_ARN=arn:aws:eks:us-east-1:123456789101:cluster/example-cluster \
--set containerInsights.env_variables.APP_AWS_S3_BUCKET=nops-container-cost-12345678101 \
--set karpenops.enabled=true \
--set karpenops.image.tag=1.23.2 \
--set karpenops.clusterId=a+ABC1 \
--set externalSecrets.enabled=true \
--set externalSecrets.secretStoreRef.name=<your_cluster_external_secret_store_name> \
--set externalSecrets.data.apiKeys.remoteRef.key=<your_aws_secret_name>
Example command for ClusterAutoscaler enabled clusters:
# Replace these values before running:
#   APP_NOPS_K8S_AGENT_CLUSTER_ARN: your target EKS cluster ARN
#   APP_AWS_S3_BUCKET: your S3 bucket name for the Container Cost integration
#   externalSecrets.enabled: set it to true to enable the External Secrets integration
#   externalSecrets.secretStoreRef.name: your ClusterSecretStore name (prerequisite 3)
#   externalSecrets.data.apiKeys.remoteRef.key: your AWS secret name (get it from step 4)
helm upgrade -i nops-kubernetes-agent oci://public.ecr.aws/nops/kubernetes-agent \
--namespace nops --create-namespace \
--set containerInsights.enabled=true \
--set containerInsights.env_variables.APP_NOPS_K8S_AGENT_CLUSTER_ARN=arn:aws:eks:us-east-1:123456789101:cluster/example-cluster \
--set containerInsights.env_variables.APP_AWS_S3_BUCKET=nops-container-cost-12345678101 \
--set karpenops.enabled=false \
--set externalSecrets.enabled=true \
--set externalSecrets.secretStoreRef.name=<your_cluster_external_secret_store_name> \
--set externalSecrets.data.apiKeys.remoteRef.key=<your_aws_secret_name>
After a successful installation, you'll see that a ClusterExternalSecret was created, as well as a secret named nops-api-keys under the nops namespace with both API Keys.
kubectl -n nops get externalsecret
kubectl -n nops get secrets