WARNING: This project is in active development and not suitable for production use.
Google Secret Manager provider for the Secrets Store CSI Driver. It lets pods access secrets stored in Secret Manager as files mounted into the Kubernetes pod filesystem.
- Create a new GKE cluster with K8S 1.16+
- Install the Secrets Store CSI Driver in the cluster.
$ kubectl apply -f deploy/rbac-secretproviderclass.yaml
$ kubectl apply -f deploy/csidriver.yaml
$ kubectl apply -f deploy/secrets-store.csi.x-k8s.io_secretproviderclasses.yaml
$ kubectl apply -f deploy/secrets-store-csi-driver.yaml
- Use Google Cloud Build and Container Registry to build and host the plugin Docker image.
$ export PROJECT_ID=<your gcp project>
$ ./scripts/build.sh
- Deploy the plugin as a DaemonSet to your cluster.
$ ./scripts/deploy.sh
- Set up the Workload Identity service account
# Create a Google service account for Workload Identity
$ gcloud iam service-accounts create gke-workload
# Allow the Kubernetes service account "default/mypodserviceaccount" to act as the new Google service account
$ gcloud iam service-accounts add-iam-policy-binding \
--role roles/iam.workloadIdentityUser \
--member "serviceAccount:$PROJECT_ID.svc.id.goog[default/mypodserviceaccount]" \
gke-workload@$PROJECT_ID.iam.gserviceaccount.com
- Create a secret that the workload identity service account can access
# Create a secret with 1 active version
$ echo "foo" > secret.data
$ gcloud secrets create testsecret --replication-policy=automatic --data-file=secret.data
$ rm secret.data
# grant the new service account permission to access the secret
$ gcloud secrets add-iam-policy-binding testsecret \
--member=serviceAccount:gke-workload@$PROJECT_ID.iam.gserviceaccount.com \
--role=roles/secretmanager.secretAccessor
- Try out the example, which attempts to mount the secret "test" in $PROJECT_ID to /var/secrets/good1.txt and /var/secrets/good2.txt:
$ ./scripts/example.sh
$ kubectl exec -it mypod -- /bin/bash
root@mypod:/# ls /var/secrets
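The three objects that tie the steps above together (annotated Kubernetes service account, SecretProviderClass, pod with a read-only CSI volume), as an added example rather than the project's own scripts. It assumes the names used above (KSA "mypodserviceaccount", GSA "gke-workload", secret "testsecret"), the provider name "gcp", the class name "app-secrets", the v1alpha1 SecretProviderClass API and the cloud-sdk container image; the pod's KSA must carry the iam.gke.io/gcp-service-account annotation or Workload Identity will not hand it the GSA's credentials.

```shell
# Added example (not the project's own code): render the manifests that tie the steps above
# together. Assumed names: KSA "mypodserviceaccount", GSA "gke-workload", secret "testsecret".
render_manifests() {
  project="$1"
  cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: mypodserviceaccount
  namespace: default
  annotations:
    # Workload Identity: the KSA impersonates the GSA that was granted secretAccessor
    iam.gke.io/gcp-service-account: gke-workload@${project}.iam.gserviceaccount.com
---
apiVersion: secrets-store.csi.x-k8s.io/v1alpha1
kind: SecretProviderClass
metadata:
  name: app-secrets
spec:
  provider: gcp
  parameters:
    secrets: |
      - resourceName: "projects/${project}/secrets/testsecret/versions/latest"
        fileName: "good1.txt"
---
apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  serviceAccountName: mypodserviceaccount
  containers:
  - name: mypod
    image: gcr.io/google.com/cloudsdktool/cloud-sdk:slim
    command: ["sleep", "3600"]
    volumeMounts:
    - name: secrets
      mountPath: /var/secrets
      readOnly: true
  volumes:
  - name: secrets
    csi:
      driver: secrets-store.csi.k8s.io
      readOnly: true
      volumeAttributes:
        secretProviderClass: app-secrets
EOF
}
# Apply with: PROJECT_ID=<your gcp project>; render_manifests "$PROJECT_ID" | kubectl apply -f -
if [ -n "${PROJECT_ID:-}" ]; then render_manifests "$PROJECT_ID"; fi
```

The secret file is mounted read-only and only the one KSA named in the Workload Identity binding can reach it; other pods in the namespace get nothing even if they reference the same SecretProviderClass.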
This is not an officially supported Google product.