How to use Kubernetes External Secret Operator with Secret Manager
INFO
Secret Manager is currently in Beta phase. This guide can be updated in the future with the advancements made by our teams in charge of this product.
Objective
This guide explains how to set up the Kubernetes External Secret Operator to use the OVHcloud Secret Manager as a provider.
Requirements
Instructions
Set up the Secret Manager
To allow access to the Secret Manager you will need to have a token, the region and okms-id of your Secret Manager.
Credential creation
Create an IAM local user with access rights on your domain.
The user should be a member of a group with the ADMIN role. If you are using IAM policies instead, the user should have at least the following rights on the OKMS domain:
okms:apikms:secret/createokms:apikms:secret/version/getDataokms:apiovh:secret/get
Alternatively, it's possible to create a user using OVHcloud CLI:
ovhcloud iam user create --login "secretmanager-b1033fdd-xxxx-xxxx-xxxx-xxxxxxxxx" --group ADMIN --description "A user create for Secret Manager, linked to xxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx" --password "secretmanager-xxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx" --email "secretmanager-xxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx@ovhcloud.com"
Then create a Personal Acces Token (PAT) user_pat:
Use the following API call:
With the following payload (fill it in with your own values):
{
"description": "PAT secret manager for domain xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx",
"name": "pat-secretmanager-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx"
}
The API will answer with:
{
"creation": "2025-11-13T10:38:44.658926311Z",
"description": "PAT secret manager for domain xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx",
"expiresAt": null,
"lastUsed": null,
"name": "pat-secretmanager-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx",
"token": "eyJhbGciOiJ...punpVAg"
}
The PAT can be created with the OVHcloud CLI and the following command (fill in it with your own values):
ovhcloud iam user token create {user} --name pat-secretmanager-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx --description "PAT secret manager for domain xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx"
CLI will answer with the token value:
✅ Token Secret-Manager created successfully, value: eyJhbGciOiJ...punpVAg
As an alternative, you can store directly the PAT in a environment variable:
PAT_TOKEN=$(ovhcloud iam user token create {user} --name pat-secretmanager-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx --description "PAT secret manager for domain secretmanager-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx" -j | jq .details.token | tr -d '"') ; echo $PAT_TOKEN
Keep the value of the token field as it will never be prompted again and will be used to authenticate to the Secret Manager as user_pat.
You will also need the region and the okms-id of the OKMS domain you want to use. This ID and this region can be found in the OVHcloud Control Panel or via the OVHcloud CLI:
$ ovhcloud okms list
┌──────────────────────────────────────┬─────────────┐
│ id │ region │
├──────────────────────────────────────┼─────────────┤
│ xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx │ eu-west-par │
│ xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx │ eu-west-par │
└──────────────────────────────────────┴─────────────┘
Set up the Secret Provider in Kubernetes
Install the External Secret Operator (ESO) on your Kubernetes cluster
helm repo add external-secrets https://charts.external-secrets.io
helm repo update
helm install external-secrets \
external-secrets/external-secrets \
-n external-secrets \
--create-namespace \
--set installCRDs=true
Check that the ESO is running:
$ kubectl get all -n external-secrets
NAME READY STATUS RESTARTS AGE
pod/external-secrets-8cbc56569-9875p 1/1 Running 0 12s
pod/external-secrets-cert-controller-565fcd479b-xbkcp 0/1 Running 0 12s
pod/external-secrets-webhook-7fb59d4b88-9tkl6 0/1 Running 0 12s
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/external-secrets-webhook ClusterIP 10.3.43.102 <none> 443/TCP 13s
NAME READY UP-TO-DATE AVAILABLE AGE
deployment.apps/external-secrets 1/1 1 1 13s
deployment.apps/external-secrets-cert-controller 0/1 1 0 13s
deployment.apps/external-secrets-webhook 0/1 1 0 13s
NAME DESIRED CURRENT READY AGE
replicaset.apps/external-secrets-8cbc56569 1 1 1 13s
replicaset.apps/external-secrets-cert-controller-565fcd479b 1 1 0 13s
replicaset.apps/external-secrets-webhook-7fb59d4b88 1 1 0 13s
Create a secret containing the PAT
Start by encoding your user_pat in base 64 so it can be stored in a Kubernetes secret.
$ echo -n "<token>" | base64
ZXlKaG...wVkFn
Alternatively, if the user_pat was stored in an environment variable:
PAT_TOKEN_B64=$(echo -n $PAT_TOKEN | base64) ; echo $PAT_TOKEN_B64
Then create a secret.yaml file:
apiVersion: v1
kind: Secret
metadata:
name: ovhcloud-vault-token
namespace: external-secrets
data:
token: ZXlKaG...wVkFn
And apply it with the kubectl apply -f secret.yaml command.
Alternatively, if you are using an environment variable:
kubectl create secret generic ovhcloud-vault-token -n external-secrets --from-literal=token=$PAT_TOKEN_B64
The secret should have been created:
$ kubectl get secret ovhcloud-vault-token -n external-secrets
NAME TYPE DATA AGE
ovhcloud-vault-token Opaque 1 5m
First, set up a ClusterSecretStore that is responsible of the synchronization with the Secret Manager.
We configure the SecretStore using HashiCorp Vault with token authentification and with the OKMS endpoint as backend.
Add the user_pat as a secret to be able to use it in the charts.
To define a new ClusterSecretStore resource, create a clustersecretstore.yaml file with the following content:
apiVersion: external-secrets.io/v1
kind: ClusterSecretStore
metadata:
name: vault-secret-store
spec:
provider:
vault:
server: "https://<region>.okms.ovh.net/api/<okms_id>" # OKMS endpoint, fill with the correct region and your okms_id
path: "secret"
version: "v2"
auth:
tokenSecretRef:
name: ovhcloud-vault-token # The k8s secret that contain your PAT
key: token
namespace: external-secrets
INFO
This integration works with a SecretStore as well.
The region name can be translated from your region location using:
As an example for Europe (France - Paris), the OKMS endpoint is eu-west-par.okms.ovh.net.
Deploy the resource in your cluster:
kubectl apply -f secretstore.yaml
Use the External Secret Operator
Once the ClusterSecretStore is set up you can define the ExternalSecret that comes from the secret manager.
Create an externalsecret.yaml file with this content:
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: docker-config-secret
namespace: external-secrets
spec:
refreshInterval: 30m
secretStoreRef:
name: vault-secret-store
kind: ClusterSecretStore
target:
template:
type: kubernetes.io/dockerconfigjson
data:
.dockerconfigjson: "{{ .mysecret | toString }}"
name: ovhregistrycred
creationPolicy: Owner
data:
- secretKey: mysecret
remoteRef:
key: prod/va1/dockerconfigjson
Apply the resource in your cluster:
kubectl apply -f externalsecret.yaml
It will create a Kubernetes Secret object.
$ kubectl get secret -n external-secrets
NAME TYPE DATA AGE
...
ovhregistrycred kubernetes.io/dockerconfigjson 1 15m
...
For any additional information on how to manage the External Secret Operator, refer to the dedicated documentation, using the HashiCorp Vault provider: https://external-secrets.io/latest/.
Go further
Join our community of users.
