GKE Secret Manager: consuming secrets using External Secrets

Installing external secrets

# $ helm repo add k8s-external-secrets https://external-secrets.github.io/kubernetes-external-secrets/

$ helm install external-secrets external-secrets/external-secrets \
    --set serviceAccount.annotations."iam\.gke\.io/gcp-service-account"='secret-gsa@'"${PROJECT_ID}"'.iam.gserviceaccount.com' \
    --set serviceAccount.create=true \
    --set serviceAccount.name="secret-ksa"

helm repo add external-secrets https://charts.external-secrets.io
helm install external-secrets external-secrets/external-secrets

helm install external-secrets external-secrets/external-secrets \
    --set serviceAccount.annotations."iam\.gke\.io/gcp-service-account"='secret-gsa@gke-practice-341914.iam.gserviceaccount.com' \
    --set serviceAccount.create=true \
    --set serviceAccount.name="secret-ksa"

helm uninstall external-secrets

Verify that the controller and the CRDs have been installed

kubectl get po -l app.kubernetes.io/name=external-secrets

You should see one pod

NAME                                                            READY   STATUS    RESTARTS   AGE
external-secrets-kubernetes-external-secrets-694f98f7bhbxgp   1/1     Running       0          20m

kubectl get crd | grep external

You should see one CRD

externalsecrets.kubernetes-client.io                        2021-11-18T10:53:05Z

Configuring External Secrets

Create a Secret in GSM. NB: External Secrets requires secrets to be in JSON format; we will explain why later.

echo -n '{"value": "my-secret-value"}' | gcloud secrets create my-secret --replication-policy="automatic" --data-file=-

Grant the GSA access to Secrets. NB: We grant access to ALL Secrets in the project because External Secrets doesn't support fine-grained access: the controller in the cluster accesses secrets in GSM on behalf of every workload that needs one.

$ gcloud config set project $PROJECT_ID
gcloud config set project gke-practice-341914

gcloud projects add-iam-policy-binding ${PROJECT_ID} \
    --member=serviceAccount:secret-gsa@${PROJECT_ID}.iam.gserviceaccount.com \
    --role=roles/secretmanager.secretAccessor

gcloud projects add-iam-policy-binding gke-practice-341914 `
    --member=serviceAccount:secret-gsa@gke-practice-341914.iam.gserviceaccount.com `
    --role=roles/secretmanager.secretAccessor

Grant the External Secrets KSA the permission to impersonate the GSA

gcloud iam service-accounts add-iam-policy-binding secret-gsa@${PROJECT_ID}.iam.gserviceaccount.com \
    --role roles/iam.workloadIdentityUser \
    --member "serviceAccount:${PROJECT_ID}.svc.id.goog[default/secret-ksa]"

gcloud iam service-accounts add-iam-policy-binding secret-gsa@gke-practice-341914.iam.gserviceaccount.com `
    --role roles/iam.workloadIdentityUser `
    --member "serviceAccount:gke-practice-341914.svc.id.goog[default/secret-ksa]"
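
With the IAM bindings above in place, the manifests below (an added example, not part of the original notes) define a SecretStore that relies on the controller's own Workload Identity and an ExternalSecret that pulls the "value" field of my-secret into a Kubernetes Secret. The store name gcp-secret-store is an assumption; the namespace must be default to match the [default/secret-ksa] member granted above, and the property field is what makes the JSON layout of the GSM secret matter.

```yaml
# Added example: SecretStore backed by Google Secret Manager.
# No spec.provider.gcpsm.auth is given, so the controller uses the
# identity of its own pod (secret-ksa, bound to secret-gsa above).
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: gcp-secret-store   # assumed name
  namespace: default       # must match [default/secret-ksa]
spec:
  provider:
    gcpsm:
      projectID: gke-practice-341914
---
# ExternalSecret: fetch GSM secret "my-secret" and expose only the
# "value" JSON property as key "value" in Kubernetes Secret "my-secret".
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: my-secret
  namespace: default
spec:
  refreshInterval: 1h      # re-read GSM hourly; shorten if rotation matters
  secretStoreRef:
    kind: SecretStore
    name: gcp-secret-store
  target:
    name: my-secret        # Kubernetes Secret that workloads mount
    creationPolicy: Owner  # Secret is deleted when the ExternalSecret is
  data:
    - secretKey: value
      remoteRef:
        key: my-secret     # GSM secret name from the gcloud command above
        property: value    # extracts "value" from the JSON payload
```

After kubectl apply, kubectl get externalsecret my-secret should report a Ready status; if it does not, check the controller pod logs for a permission error from Secret Manager before revisiting the Workload Identity binding.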

Ingress setup

kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.1/deploy/static/provider/cloud/deploy.yaml