
Install External Secrets Operator

The External Secrets Operator is a Kubernetes operator that integrates external secret management systems, such as HashiCorp Vault. The operator reads information from external APIs and automatically creates Kubernetes secrets.
The installation of the External Secrets Operator consists of several steps:

  1. Download the Helm chart and configuration file for the External Secrets Operator.
  2. Fill out the configuration file for the External Secrets Operator.
  3. Install the External Secrets Operator using Helm in the Kubernetes cluster.
  4. Configure the elma365-db-connections secret creation parameter in the ELMA365 Helm chart.

Step 1: Download the Helm chart and configuration file for the External Secrets Operator

To install via the internet, obtain the configuration file values-external-secrets.yaml by executing the following commands:

helm repo add elma365 https://charts.elma365.tech 
helm repo update
helm show values elma365/external-secrets > values-external-secrets.yaml

Obtaining the configuration file for offline installation without internet access

Step 2: Fill out the configuration file for the External Secrets Operator

Fill out the values-external-secrets.yaml configuration file for installing the external-secrets service:

  1. In the namespace parameter, specify the namespace where BRIX is installed.
  2. In the serverVault parameter, replace http://vault-server.vault:8200/ with the address where the Vault service is accessible. In the example below, the Vault service is installed in Kubernetes in the vault namespace.
  3. In the kvPath, keyPath and kvVersion parameters, specify the kv secret management mechanism in Vault.
  4. In the authKubernetesRole and authKubernetesServiceAccount parameters, specify the service account and the role that links the policy to the Kubernetes service account.
  5. In the parameters of the key section, specify the secret keys in Vault.

# external-secrets settings
external-secrets:
  # Configure secret for elma365-db-connections
  elma365DBConnections:
    # namespace where BRIX will be installed and the secret will be created (must be created before installation)
    namespace: elma365
    # vault server address
    serverVault: "http://vault-server.vault:8200"
    # path where the kv secret mechanism is enabled
    kvPath: "secret"
    # path to the secret in vault
    keyPath: "elma365/db"
    # version of the kv secret mechanism
    kvVersion: "v2"
    # role that links the policy to the Kubernetes service account
    authKubernetesRole: "read-secret-elma365"
    # service account in the Kubernetes cluster
    authKubernetesServiceAccount: "vault-auth"
    # secret keys in vault
    key:
      psqlUrl: PSQL_URL
      roPsqlUrl: RO_POSTGRES_URL
      mongoUrl: MONGO_URL
      amqpUrl: AMQP_URL
      redisUrl: REDIS_URL
      vahterMongoUrl: VAHTER_MONGO_URL
      s3BackendAddress: S3_BACKEND_ADDRESS
      s3BackendRegion: S3_REGION
      s3Bucket: S3_BUCKET
      s3Key: S3_KEY
      s3SecretAccessKey: S3_SECRET
      s3SslEnabled: S3_SSL_ENABLED
      s3Method: S3_UPLOAD_METHOD
      s3DumpUrl: S3_DUMP_URL
      s3VirtualHostedStyleEnabled: S3_VIRTUAL_HOSTED_STYLE_ENABLED
  # number of replicas for high availability
  replicaCount: 1
  # CRDs are applied automatically from the /crds directory
  installCRDs: false
...
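
The Vault side has to agree with these values before the operator can read anything. The script below is an added example, not part of the BRIX documentation or chart: it derives the read-only policy path for the configured kvPath, keyPath and kvVersion, flags a plaintext serverVault address, and prints the Vault CLI commands for review without running them. The policy name, the service account namespace, the token TTL and the default auth/kubernetes mount path are assumptions.

```shell
#!/bin/sh
# Added example. Values below are copied from the sample values-external-secrets.yaml.
KV_PATH="secret"; KEY_PATH="elma365/db"; KV_VERSION="v2"
ROLE="read-secret-elma365"; SA="vault-auth"
SERVER="http://vault-server.vault:8200"
SA_NAMESPACE="elma365"     # assumption: the service account lives in the BRIX namespace
POLICY="elma365-db-read"   # assumption: hypothetical policy name, not given on the page

# Path a read policy must cover. KV v2 inserts "data/" after the mount point,
# so a policy written for secret/elma365/db denies reads on a v2 mount.
policy_path() {  # usage: policy_path MOUNT KEY VERSION
  case "$3" in
    v1) printf '%s/%s\n' "${1%/}" "${2#/}" ;;
    v2) printf '%s/data/%s\n' "${1%/}" "${2#/}" ;;
    *)  echo "unsupported kvVersion: $3" >&2; return 1 ;;
  esac
}

# Least privilege: read-only, scoped to the single secret rather than the mount.
render_policy() {  # usage: render_policy MOUNT KEY VERSION
  p=$(policy_path "$1" "$2" "$3") || return 1
  printf 'path "%s" {\n  capabilities = ["read"]\n}\n' "$p"
}

# Classify the serverVault scheme. Over http:// the service account token
# and every returned secret value cross the network unencrypted.
transport_check() {  # usage: transport_check URL
  case "$1" in
    https://*) echo "ok" ;;
    http://*)  echo "plaintext" ;;
    *)         echo "invalid" ;;
  esac
}

# Print the result for review; nothing is sent to Vault.
echo "# serverVault transport: $(transport_check "$SERVER")"
echo "# contents of ${POLICY}.hcl:"
render_policy "$KV_PATH" "$KEY_PATH" "$KV_VERSION"
echo "vault policy write ${POLICY} ${POLICY}.hcl"
echo "vault write auth/kubernetes/role/${ROLE}" \
     "bound_service_account_names=${SA}" \
     "bound_service_account_namespaces=${SA_NAMESPACE}" \
     "policies=${POLICY} token_ttl=1h"
```

Binding the role to one service account name and one namespace keeps any other workload in the cluster from logging in with it.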

Filling in the connection parameters for a private registry without internet access involves the following steps:

Step 3: Install the External Secrets Operator using Helm in the Kubernetes cluster

Install the external-secrets service in a separate namespace, for example, external-secrets. This namespace will be created during installation if it doesn't already exist.

To install via the internet, execute the command:

helm upgrade --install external-secrets elma365/external-secrets -f values-external-secrets.yaml -n external-secrets --create-namespace 

For offline installation without internet access, navigate to the directory with the downloaded chart and execute the command:

helm upgrade --install external-secrets ./external-secrets -f values-external-secrets.yaml -n external-secrets --create-namespace

Make sure that the external-secrets service has been created:

kubectl get external-secrets -n elma365

Check the created secret:

kubectl describe secrets elma365-db-connections -n elma365 

Step 4: Configure the elma365-db-connections secret creation parameter in the ELMA365 Helm chart

Before installing or upgrading the BRIX Helm chart, you need to disable the creation of the elma365-db-connections secret in the values-elma365.yaml configuration file. To do this, set the db.enabled parameter to false in values-elma365.yaml.

For more details on installing and updating BRIX, see Install BRIX Enterprise and Update version of BRIX Enterprise.

Uninstall the External Secrets Operator chart using Helm in the Kubernetes Cluster

To remove the external-secrets service in the external-secrets namespace, run the following command:

helm uninstall external-secrets -n external-secrets