
External Secrets

Overview

Kubernetes Secrets are synchronized with GCP Secret Manager using External Secrets Operator.

Installation

Follow these steps to install external-secrets on an untrusted cluster in the external-secrets Namespace.

  1. Create the external-secrets Namespace. Run:

    kubectl create namespace external-secrets
  2. Add the external-secrets Helm repository. Use the following command:

    helm repo add external-secrets https://charts.external-secrets.io
  3. Install the external-secrets/external-secrets Helm chart with the untrusted-cluster values file. Run:

    helm install -n external-secrets external-secrets external-secrets/external-secrets -f prow/cluster/resources/external-secrets/values_untrusted.yaml
  4. Map the external-secrets/secret-manager-untrusted Kubernetes service account to a GCP service account with permission to access Secrets (Workload Identity binding). Run:

    gcloud iam service-accounts add-iam-policy-binding --role roles/iam.workloadIdentityUser --member "serviceAccount:sap-kyma-prow.svc.id.goog[external-secrets/secret-manager-untrusted]" [email protected]
  5. Create a new Secret Store. Run:

    kubectl apply -f prow/cluster/resources/external-secrets/secrets_store.yaml

Configuration

Secrets can be stored as plain text in GCP Secret Manager and mapped to a Kubernetes Secret with a single key.

See an example:

apiVersion: external-secrets.io/v1beta1 # External Secrets Operator API group (kubernetes-client.io/v1 belongs to the older kubernetes-external-secrets project)
kind: ExternalSecret
metadata:
  name: plainSecret # name of the k8s external Secret and the k8s Secret
spec:
  secretStoreRef:
    name: gcp-secretstore # name of the Secret store
    kind: ClusterSecretStore
  refreshInterval: "10m" # time between secret synchronization
  target:
    deletionPolicy: "Delete" # delete secret when External Secret is deleted
  data:
    - secretKey: token # key name in the k8s Secret
      remoteRef:
        key: gcp-plain-secret # name of the GCP Secret
        version: latest # version of the GCP Secret

Secrets can also be stored as JSON in GCP Secret Manager and mapped to a Kubernetes Secret with multiple keys, one per JSON field.

See an example:

apiVersion: external-secrets.io/v1beta1 # External Secrets Operator API group (kubernetes-client.io/v1 belongs to the older kubernetes-external-secrets project)
kind: ExternalSecret
metadata:
  name: secretName # name of the k8s external Secret and the k8s Secret
spec:
  secretStoreRef:
    name: gcp-secretstore # name of the Secret store
    kind: ClusterSecretStore
  refreshInterval: "10m" # time between secret synchronization
  target:
    deletionPolicy: "Delete" # delete secret when External Secret is deleted
  data:
    - secretKey: keyName # key name in the k8s Secret
      remoteRef:
        key: gcp-json-secret # name of the GCP Secret
        property: keyName # name of the field in the GCP Secret JSON, unused for plain values
        version: latest # version of the GCP Secret
    - secretKey: anotherKey # key name in the k8s Secret
      remoteRef:
        key: gcp-json-secret # name of the GCP Secret
        property: anotherKey # name of the field in the GCP Secret JSON, unused for plain values
        version: latest # version of the GCP Secret
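The two manifests above differ only in whether `remoteRef.property` is set. The following script is an added example (not code from this repository or from External Secrets Operator) that models how the `data` entries are materialized into Kubernetes Secret keys: the whole payload is used when `property` is absent, and a top-level JSON field is extracted when it is present. The GCP Secret Manager backend is replaced by a constructed in-memory store, and the `property` lookup is simplified to a plain top-level field rather than the operator's full path syntax; both are assumptions of this example. It also shows the failure mode of setting `property` on a plain-text secret, which is the most common misconfiguration when copying the JSON example.

```python
"""Model of how ExternalSecret data[] entries map remote payloads onto Secret keys.

Added example; not the operator's own implementation. The remote store and
the manifests below are constructed to mirror the README examples.
"""
import json

# Constructed stand-in for GCP Secret Manager: (secret name, version) -> payload string.
REMOTE_STORE = {
    ("gcp-plain-secret", "latest"): "s3cr3t-token",
    ("gcp-json-secret", "latest"): json.dumps({"keyName": "alpha", "anotherKey": "beta"}),
}

# Constructed ExternalSecret objects shaped like the two manifests above.
PLAIN_ES = {
    "metadata": {"name": "plainSecret"},
    "spec": {
        "secretStoreRef": {"name": "gcp-secretstore", "kind": "ClusterSecretStore"},
        "refreshInterval": "10m",
        "target": {"deletionPolicy": "Delete"},
        "data": [
            {"secretKey": "token", "remoteRef": {"key": "gcp-plain-secret", "version": "latest"}},
        ],
    },
}

JSON_ES = {
    "metadata": {"name": "secretName"},
    "spec": {
        "secretStoreRef": {"name": "gcp-secretstore", "kind": "ClusterSecretStore"},
        "refreshInterval": "10m",
        "target": {"deletionPolicy": "Delete"},
        "data": [
            {"secretKey": "keyName",
             "remoteRef": {"key": "gcp-json-secret", "property": "keyName", "version": "latest"}},
            {"secretKey": "anotherKey",
             "remoteRef": {"key": "gcp-json-secret", "property": "anotherKey", "version": "latest"}},
        ],
    },
}

# Constructed misconfiguration: `property` set although the payload is plain text.
MISCONFIGURED_ES = {
    "metadata": {"name": "broken"},
    "spec": {"data": [
        {"secretKey": "x", "remoteRef": {"key": "gcp-plain-secret", "property": "field"}},
    ]},
}


def fetch_remote(key: str, version: str = "latest") -> str:
    """Look up a payload in the constructed store; unknown names fail loudly."""
    try:
        return REMOTE_STORE[(key, version)]
    except KeyError:
        raise LookupError(f"remote secret {key!r} version {version!r} not found") from None


def target_secret_name(es: dict) -> str:
    """spec.target.name overrides metadata.name; otherwise the two coincide."""
    return es["spec"].get("target", {}).get("name") or es["metadata"]["name"]


def render_secret_data(es: dict, fetch=fetch_remote) -> dict:
    """Return {secretKey: value} for the Kubernetes Secret the ExternalSecret produces."""
    rendered = {}
    for entry in es["spec"]["data"]:
        ref = entry["remoteRef"]
        payload = fetch(ref["key"], ref.get("version", "latest"))
        prop = ref.get("property")
        if prop is None:
            value = payload  # plain secret: whole payload becomes the key's value
        else:
            try:
                doc = json.loads(payload)
            except json.JSONDecodeError:
                raise ValueError(
                    f"{ref['key']}: property {prop!r} requested but payload is not JSON"
                ) from None
            if not isinstance(doc, dict) or prop not in doc:
                raise KeyError(f"{ref['key']}: JSON payload has no field {prop!r}")
            value = doc[prop]
            if not isinstance(value, str):
                value = json.dumps(value)  # nested values are stored serialized
        rendered[entry["secretKey"]] = value
    return rendered


def validate(es: dict, fetch=fetch_remote) -> list:
    """Return a list of problems instead of raising; handy for linting manifests before apply."""
    try:
        render_secret_data(es, fetch)
    except (LookupError, ValueError) as exc:  # KeyError is a LookupError
        return [str(exc)]
    return []


if __name__ == "__main__":
    for es in (PLAIN_ES, JSON_ES, MISCONFIGURED_ES):
        print(target_secret_name(es), validate(es) or render_secret_data(es))
```

Running the module prints the rendered key set for both README manifests and the validation error for the misconfigured one. Because `refreshInterval` re-syncs on a timer, an error of this kind shows up as a non-Ready ExternalSecret rather than a one-off failure, which is what the checker in the next section looks for.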

NOTE: The trusted and untrusted files are applied only to trusted or untrusted clusters respectively, while the workload file is applied to both. The presubmit and pj-tester jobs are executed on untrusted clusters, while the periodic jobs run on trusted clusters. Adding a Secret to the proper file lets you specify which type of cluster has access to the Secret.

External Secrets Checker

External Secrets Checker checks whether all External Secrets have synchronized successfully and whether every Secret has a corresponding External Secret.
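The following script is an added example (not the checker's own code) that models the two checks just described, run offline over constructed objects shaped like `kubectl get externalsecrets,secrets -o json` output. An ExternalSecret counts as synchronized when its `Ready` condition is `True`; a Secret counts as orphaned when no ExternalSecret in the same namespace targets it. Treating `kubernetes.io/service-account-token` and Helm release Secrets as out of scope is an assumption of this example, as is the definition of "corresponding" as "targeted by an ExternalSecret in the same namespace".

```python
"""Offline model of the External Secrets Checker's two checks.

Added example, not the checker's own code. Inputs are constructed objects in
the shape of `kubectl get ... -o json` items.
"""

# Secret types that are never expected to be backed by an ExternalSecret (assumption).
IGNORED_SECRET_TYPES = {"kubernetes.io/service-account-token", "helm.sh/release.v1"}

# Constructed ExternalSecrets: one synced, one failed, one not yet reconciled.
EXTERNAL_SECRETS = [
    {"metadata": {"namespace": "default", "name": "plainSecret"},
     "spec": {"target": {}},
     "status": {"conditions": [{"type": "Ready", "status": "True", "reason": "SecretSynced"}]}},
    {"metadata": {"namespace": "default", "name": "secretName"},
     "spec": {"target": {}},
     "status": {"conditions": [{"type": "Ready", "status": "False", "reason": "SecretSyncedError",
                                "message": "could not get secret data from provider"}]}},
    {"metadata": {"namespace": "ci", "name": "renamed-target"},
     "spec": {"target": {"name": "ci-token"}},
     "status": {}},
]

# Constructed Secrets: two managed, one created by hand, one service-account token.
SECRETS = [
    {"metadata": {"namespace": "default", "name": "plainSecret"}, "type": "Opaque"},
    {"metadata": {"namespace": "ci", "name": "ci-token"}, "type": "Opaque"},
    {"metadata": {"namespace": "default", "name": "manual-secret"}, "type": "Opaque"},
    {"metadata": {"namespace": "default", "name": "default-token-abc12"},
     "type": "kubernetes.io/service-account-token"},
]


def external_secret_ready(es: dict) -> bool:
    """True only when the operator reported Ready=True; no condition yet counts as not synced."""
    for cond in es.get("status", {}).get("conditions", []):
        if cond.get("type") == "Ready":
            return cond.get("status") == "True"
    return False


def target_secret_name(es: dict) -> str:
    """spec.target.name overrides metadata.name; otherwise the two coincide."""
    return es["spec"].get("target", {}).get("name") or es["metadata"]["name"]


def _qualified(obj: dict) -> str:
    return f"{obj['metadata']['namespace']}/{obj['metadata']['name']}"


def check_external_secrets(external_secrets, secrets, ignored_types=IGNORED_SECRET_TYPES) -> dict:
    """Return the ExternalSecrets that did not sync and the Secrets nothing manages."""
    failed_sync = sorted(_qualified(es) for es in external_secrets
                         if not external_secret_ready(es))
    managed = {(es["metadata"]["namespace"], target_secret_name(es)) for es in external_secrets}
    orphan_secrets = sorted(
        _qualified(s) for s in secrets
        if s.get("type", "Opaque") not in ignored_types
        and (s["metadata"]["namespace"], s["metadata"]["name"]) not in managed
    )
    return {"failed_sync": failed_sync, "orphan_secrets": orphan_secrets}


def report_ok(report: dict) -> bool:
    """Single pass/fail verdict suitable for an exit code or an alert condition."""
    return not report["failed_sync"] and not report["orphan_secrets"]


if __name__ == "__main__":
    report = check_external_secrets(EXTERNAL_SECRETS, SECRETS)
    for kind, names in report.items():
        print(kind, names)
    raise SystemExit(0 if report_ok(report) else 1)
```

A Secret that exists without an ExternalSecret is worth flagging because it was either created by hand (and so is not rotated from Secret Manager) or left behind after its ExternalSecret was removed; the `deletionPolicy: "Delete"` setting in the manifests above is what prevents the second case. A failed sync is reported even while the stale Secret still exists, so workloads keep running on old material until someone reads the report.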

To install External Secrets Checker run the following command:

kubectl apply -f external_secrets_checker_prow.yaml