The Secrets resources in Kubernetes allow us to store sensitive information like login, passwords, tokens, credentials and certificates. But be careful, when creating a Secret in Kubernetes, it is encoded in base64, it is not encrypted so everyone can read and decode it.
The good news is that at OVHcloud we released the Beta version of our Secret Manager that you can use in your Kubernetes clusters thanks to the External Secrets Operator (ESO) 🎉.
External Secrets Operator
The External Secrets Operator (ESO) extends Kubernetes with Custom Resource Definitions (CRDs) that define where the secrets are and how to synchronize them.
The controller retrieves secrets from an external API and creates Kubernetes Secrets. If the secret changes in the external API, the controller updates the secret in the Kubernetes cluster.
Concretely, the ESO can connect to an external Secret Manager (OVHcloud, Vault, AWS, GCP…), through a (Cluster)SecretStore and thanks to an ExternalSecret it know what secrets it will need to fetch. Then it create a Secret in the Kubernetes cluster with the value of the fetched secret.
It can also synchronize secrets across all the namespaces of a Kubernetes cluster (I love this feature ❤️):
External Secrets supports multiple Providers (AWS Secrets Manager, HashiCorp Vault, Google Secret Manager…). In this blog post we will use the Hashicorp Vault provider to create a secret stored on the new OVHcloud Secret Manager.
To know more about it, read the ESO official documentation.
Let’s do it!
Create an IAM local user
To be allowed to fetch secrets in the Secret Manager, first, we need to create (or to have an existing) IAM local user with the necessary rights.
On the OVHcloud Control Panel (UI), go in the “Identity and Access Management” section and then in the “Identities” service.
Click on the “Add user” button to create an IAM local user and fill the fields like below:
Note that I named the user “secretmanager-” following by the ID of the OKMS domain I want to use.
The user must be in the ADMIN group, or, better, it must have the following policies:
okms:apikms:secret/create
okms:apikms:secret/version/getData
okms:apiovh:secret/getGet the Personal Access Token (PAT)
The ESO ClusterSecretStore needs to have the right to fetch secrets from the Secret Manager, so we need to get a PAT, the token.
Through our API, you can retrieve it.
OVHcloud API console URL: https://eu.api.ovh.com/console/?section=%2Fme&branch=v1#post-/me/identity/user/-user-/token
Path parameters
user: secretmanager-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx
Request body:
{
"description": "PAT secretmanager-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx",
"name": "pat-secretmanager-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx"
}You should obtain a response like this:
{
"creation": "2025-11-07T14:02:56.679157188Z",
"description": "PAT secretmanager-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx",
"expiresAt": null,
"lastUsed": null,
"name": "pat-secretmanager-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx",
"token": "eyJhbGciOiJ...punpVAg"
}Save the token value, we will use it in the following minutes.
Create a secret in the Secret Manager
In this blog post, we will create a secret that be very useful in a Kubernetes cluster, it will contains the authentication information to our OVHcloud MPR.
On the OVHcloud Control Panel (UI), go to “Secret Manager”, and then create a secret “prod/va1/dockerconfigjson” in the region Europe (France – Paris) eu-west-par:
If it’s the first time you are selecting this region, it’s necessary to activate it:
Select an OKMS domain:
Fill the path and the value of your secret. For example:
Your secret has been created successfully:
Install External Secrets Operators on your cluster
Deploy external secret through Helm:
helm repo add external-secrets https://charts.external-secrets.io
helm repo updateInstall from the chart repository:
helm install external-secrets \
external-secrets/external-secrets \
-n external-secrets \
--create-namespace \
--set installCRDs=trueYou should obtain a result like this:
$ helm install external-secrets \
external-secrets/external-secrets \
-n external-secrets \
--create-namespace \
--set installCRDs=true
NAME: external-secrets
LAST DEPLOYED: Mon Nov 24 17:08:58 2025
NAMESPACE: external-secrets
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
external-secrets has been deployed successfully in namespace external-secrets!
In order to begin using ExternalSecrets, you will need to set up a SecretStore
or ClusterSecretStore resource (for example, by creating a 'vault' SecretStore).
More information on the different types of SecretStores and how to configure them
can be found in our Github: https://github.com/external-secrets/external-secretsThis command will install the External Secrets Operator in your cluster.
Check ESO is running:
$ kubectl get all -n external-secrets
NAME READY STATUS RESTARTS AGE
pod/external-secrets-6b9f8ff5d4-jwd6g 1/1 Running 0 25m
pod/external-secrets-cert-controller-7bf8fd894c-d24xb 1/1 Running 0 25m
pod/external-secrets-webhook-df488ddff-2xv4t 1/1 Running 0 25m
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/external-secrets-webhook ClusterIP 10.3.106.32 <none> 443/TCP 25m
NAME READY UP-TO-DATE AVAILABLE AGE
deployment.apps/external-secrets 1/1 1 1 25m
deployment.apps/external-secrets-cert-controller 1/1 1 1 25m
deployment.apps/external-secrets-webhook 1/1 1 1 25m
NAME DESIRED CURRENT READY AGE
replicaset.apps/external-secrets-6b9f8ff5d4 1 1 1 25m
replicaset.apps/external-secrets-cert-controller-7bf8fd894c 1 1 1 25m
replicaset.apps/external-secrets-webhook-df488ddff 1 1 1 25mCreate a Secret contains the PAT
Encode the PAT in base64:
$ echo -n "<token>" | base64
ZXlKaG...wVkFnCreate a secret with it inside a secret.yaml file:
apiVersion: v1
kind: Secret
metadata:
name: ovhcloud-vault-token
namespace: external-secrets
data:
token: ZXlKaG...wVkFnApply the resource in your cluster:
kubectl apply -f secret.yamlCheck that the secret have been created:
$ kubectl get secret ovhcloud-vault-token -n external-secrets
NAME TYPE DATA AGE
ovhcloud-vault-token Opaque 1 5mDeploy a ClusterSecretStore to connect ESO to the Secret Manager
Setup a ClusterSecretStore that is responsible of the synchronization with the Secret Manager.
It will use the HashiCorp Vault provider with token authentification and with the OKMS endpoint as backend.
Create a clustersecretstore.yaml file with this content:
apiVersion: external-secrets.io/v1
kind: ClusterSecretStore
metadata:
name: vault-secret-store
spec:
provider:
vault:
server: "https://eu-west-par.okms.ovh.net/api/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" # OKMS endpoint, fill with the correct region and your okms_id
path: "secret"
version: "v2"
auth:
tokenSecretRef:
name: ovhcloud-vault-token # The k8s secret that contain your PAT
key: tokenNote that in our example, “eu-west-par” is the region we selected. Please fill the server URL with another region depending on your case.
Apply it:
kubectl apply -f clustersecretstore.yamlCheck:
$ kubectl get clustersecretstore.external-secrets.io/vault-secret-store
NAME AGE STATUS CAPABILITIES READY
vault-secret-store 2m Valid ReadWrite TrueCreate an ExternalSecret
Create an externalsecret.yaml file with this content:
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: docker-config-secret
namespace: external-secrets
spec:
refreshInterval: 30m
secretStoreRef:
name: vault-secret-store
kind: ClusterSecretStore
target:
template:
type: kubernetes.io/dockerconfigjson
data:
.dockerconfigjson: "{{ .mysecret | toString }}"
name: ovhregistrycred
creationPolicy: Owner
data:
- secretKey: mysecret
remoteRef:
key: prod/va1/dockerconfigjsonApply it:
$ kubectl apply -f externalsecret.yaml
externalsecret.external-secrets.io/docker-config-secret createdCheck:
$ kubectl get externalsecret.external-secrets.io/docker-config-secret -n external-secrets
NAME STORETYPE STORE REFRESH INTERVAL STATUS READY
docker-config-secret ClusterSecretStore vault-secret-store 30m0s SecretSynced TrueAfter applying this command, it will create a Kubernetes Secret object
$ kubectl get secret -n external-secrets
NAME TYPE DATA AGE
...
ovhregistrycred kubernetes.io/dockerconfigjson 1 17d
...As you can see, the Secret have been created and now you can use it in your Pods as an imagePullSecret!
Conclusion
In this blog post you saw how to create a secrets in the new OVHcloud Secret Manager and how to use it directly in your Kubernetes clusters, through the ESO Vault provider.
And the good news is that our teams are developing an OVHcloud External Secret Operator, in the coming months you can use it 🎉
Stay up to date and don’t hesitate to give us some feedbacks.
Developer Advocate at OVHcloud, specialized in Cloud Native and Infrastructure as Code (IaC).
She is Docker Captain, CNCF ambassador, GDE, Women techmakers Ambassador & GitPod Hero. She has been working as a Developer and Ops for over 20 years. Cloud enthusiast and advocates DevOps/Cloud/Golang best practices.
Conferences and meetups organizer since 2016. Technical writer, a book author & reviewer, a sketchnoter and a speaker at international conferences.
Mentor and promote diversity and accessibility in technology.
Book author, she created a new visual way for people to learn and understand Cloud technologies: "Understanding Kubernetes / Docker in a visual way" in sketchnotes, books and videos.