A CRD to map Google Cloud managed secrets to k8s
Map GCP Secret Manager secrets to Kubernetes Secrets.
Implemented as a simple CRD. You define CloudSecrets:
apiVersion: secrets.masonwr.dev/v1kind: CloudSecretmetadata:name: cloudsecret-samplespec:data:SECRET_DATA: projects/<PROJECT_ID>/secrets/test/versions/latest
CloudSecrets map a key to a Secret Manager Path, and produces a matching Kubernetes secret with the resolved secret data.
For example, if we apply the above CloudSecret, this would result in the creation of the following Kubernetes secret:
apiVersion: v1data:SECRET_DATA: a2VlcCB0...kind: Secret
NB: The service account running the deployment must have the “Secret Manager Secret Accessor” role. And the Secret Manager API must be enabled.
Dependencies
$ git clone https://github.com/masonwr/CloudSecret && cd CloudSecret$ make install # install CRD$ make deploy # deploy using the public image built from this repo (gcr.io/public-263420/cloudsecret-controller)
Dependencies
$ git clone https://github.com/masonwr/CloudSecret && cd CloudSecret$ export IMG=your/image/repo:tag$ make install$ make docker-build docker-push$ make deploy
Dependencies
Create the GCP Secret, and get its path
$ cd $(mktemp -d)$ export PROJECT_ID=some_project_id$ echo "keep this secret, keep this safe" > secret.data.txt$ gcloud beta secrets create loc-of-ring \--data-file=secret.data.txt \--project=$PROJECT_ID \--replication-policy=automatic$ gcloud beta secrets describe loc-of-ring --project=$PROJECT_IDcreateTime: '2019-12-23T21:11:34.245558Z'name: projects/<PROJECT_ID>/secrets/loc-of-ringreplication:automatic: {}
Note the fully qualified secret name.
Define a CloudSecret
$ cat << EOF > cloudSecretExample.yamlapiVersion: secrets.masonwr.dev/v1kind: CloudSecretmetadata:name: examplespec:data:SECRET_DATA: <Fully qulified secret path>/versions/latestEOF$ kubectl apply -f cloudSecretExample.yaml
Verify
$ kubectl get secrets example -o json | jq -r .data.SECRET_DATA | base64 -dkeep this secret, keep this safe
Built with the awesome kubebuilder.