|
|
@@ -82,7 +82,7 @@
|
|
|
<div data-md-component="skip">
|
|
|
|
|
|
|
|
|
- <a href="#google-cloud-secret-manager" class="md-skip">
|
|
|
+ <a href="#macro-syntax-error" class="md-skip">
|
|
|
Skip to content
|
|
|
</a>
|
|
|
|
|
|
@@ -2180,17 +2180,8 @@
|
|
|
<input class="md-nav__toggle md-toggle" type="checkbox" id="__toc">
|
|
|
|
|
|
|
|
|
+
|
|
|
|
|
|
- <label class="md-nav__link md-nav__link--active" for="__toc">
|
|
|
-
|
|
|
-
|
|
|
- <span class="md-ellipsis">
|
|
|
- Google Cloud Secret Manager
|
|
|
- </span>
|
|
|
-
|
|
|
-
|
|
|
- <span class="md-nav__icon md-icon"></span>
|
|
|
- </label>
|
|
|
|
|
|
<a href="./" class="md-nav__link md-nav__link--active">
|
|
|
|
|
|
@@ -2202,122 +2193,6 @@
|
|
|
|
|
|
</a>
|
|
|
|
|
|
-
|
|
|
-
|
|
|
-<nav class="md-nav md-nav--secondary" aria-label="Table of contents">
|
|
|
-
|
|
|
-
|
|
|
-
|
|
|
-
|
|
|
- <label class="md-nav__title" for="__toc">
|
|
|
- <span class="md-nav__icon md-icon"></span>
|
|
|
- Table of contents
|
|
|
- </label>
|
|
|
- <ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
|
|
|
-
|
|
|
- <li class="md-nav__item">
|
|
|
- <a href="#google-cloud-secret-manager" class="md-nav__link">
|
|
|
- <span class="md-ellipsis">
|
|
|
- Google Cloud Secret Manager
|
|
|
- </span>
|
|
|
- </a>
|
|
|
-
|
|
|
-</li>
|
|
|
-
|
|
|
- <li class="md-nav__item">
|
|
|
- <a href="#authentication" class="md-nav__link">
|
|
|
- <span class="md-ellipsis">
|
|
|
- Authentication
|
|
|
- </span>
|
|
|
- </a>
|
|
|
-
|
|
|
- <nav class="md-nav" aria-label="Authentication">
|
|
|
- <ul class="md-nav__list">
|
|
|
-
|
|
|
- <li class="md-nav__item">
|
|
|
- <a href="#workload-identity" class="md-nav__link">
|
|
|
- <span class="md-ellipsis">
|
|
|
- Workload Identity
|
|
|
- </span>
|
|
|
- </a>
|
|
|
-
|
|
|
- <nav class="md-nav" aria-label="Workload Identity">
|
|
|
- <ul class="md-nav__list">
|
|
|
-
|
|
|
- <li class="md-nav__item">
|
|
|
- <a href="#creating-workload-identity-service-accounts" class="md-nav__link">
|
|
|
- <span class="md-ellipsis">
|
|
|
- Creating Workload Identity Service Accounts
|
|
|
- </span>
|
|
|
- </a>
|
|
|
-
|
|
|
-</li>
|
|
|
-
|
|
|
- <li class="md-nav__item">
|
|
|
- <a href="#using-service-accounts-directly" class="md-nav__link">
|
|
|
- <span class="md-ellipsis">
|
|
|
- Using Service Accounts directly
|
|
|
- </span>
|
|
|
- </a>
|
|
|
-
|
|
|
-</li>
|
|
|
-
|
|
|
- <li class="md-nav__item">
|
|
|
- <a href="#using-pod-based-workload-identity" class="md-nav__link">
|
|
|
- <span class="md-ellipsis">
|
|
|
- Using Pod-based Workload Identity
|
|
|
- </span>
|
|
|
- </a>
|
|
|
-
|
|
|
-</li>
|
|
|
-
|
|
|
- </ul>
|
|
|
- </nav>
|
|
|
-
|
|
|
-</li>
|
|
|
-
|
|
|
- <li class="md-nav__item">
|
|
|
- <a href="#gcp-service-account-authentication" class="md-nav__link">
|
|
|
- <span class="md-ellipsis">
|
|
|
- GCP Service Account authentication
|
|
|
- </span>
|
|
|
- </a>
|
|
|
-
|
|
|
- <nav class="md-nav" aria-label="GCP Service Account authentication">
|
|
|
- <ul class="md-nav__list">
|
|
|
-
|
|
|
- <li class="md-nav__item">
|
|
|
- <a href="#update-secret-store" class="md-nav__link">
|
|
|
- <span class="md-ellipsis">
|
|
|
- Update secret store
|
|
|
- </span>
|
|
|
- </a>
|
|
|
-
|
|
|
-</li>
|
|
|
-
|
|
|
- <li class="md-nav__item">
|
|
|
- <a href="#creating-external-secret" class="md-nav__link">
|
|
|
- <span class="md-ellipsis">
|
|
|
- Creating external secret
|
|
|
- </span>
|
|
|
- </a>
|
|
|
-
|
|
|
-</li>
|
|
|
-
|
|
|
- </ul>
|
|
|
- </nav>
|
|
|
-
|
|
|
-</li>
|
|
|
-
|
|
|
- </ul>
|
|
|
- </nav>
|
|
|
-
|
|
|
-</li>
|
|
|
-
|
|
|
- </ul>
|
|
|
-
|
|
|
-</nav>
|
|
|
-
|
|
|
</li>
|
|
|
|
|
|
|
|
|
@@ -3394,113 +3269,8 @@
|
|
|
|
|
|
|
|
|
|
|
|
+
|
|
|
|
|
|
- <label class="md-nav__title" for="__toc">
|
|
|
- <span class="md-nav__icon md-icon"></span>
|
|
|
- Table of contents
|
|
|
- </label>
|
|
|
- <ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
|
|
|
-
|
|
|
- <li class="md-nav__item">
|
|
|
- <a href="#google-cloud-secret-manager" class="md-nav__link">
|
|
|
- <span class="md-ellipsis">
|
|
|
- Google Cloud Secret Manager
|
|
|
- </span>
|
|
|
- </a>
|
|
|
-
|
|
|
-</li>
|
|
|
-
|
|
|
- <li class="md-nav__item">
|
|
|
- <a href="#authentication" class="md-nav__link">
|
|
|
- <span class="md-ellipsis">
|
|
|
- Authentication
|
|
|
- </span>
|
|
|
- </a>
|
|
|
-
|
|
|
- <nav class="md-nav" aria-label="Authentication">
|
|
|
- <ul class="md-nav__list">
|
|
|
-
|
|
|
- <li class="md-nav__item">
|
|
|
- <a href="#workload-identity" class="md-nav__link">
|
|
|
- <span class="md-ellipsis">
|
|
|
- Workload Identity
|
|
|
- </span>
|
|
|
- </a>
|
|
|
-
|
|
|
- <nav class="md-nav" aria-label="Workload Identity">
|
|
|
- <ul class="md-nav__list">
|
|
|
-
|
|
|
- <li class="md-nav__item">
|
|
|
- <a href="#creating-workload-identity-service-accounts" class="md-nav__link">
|
|
|
- <span class="md-ellipsis">
|
|
|
- Creating Workload Identity Service Accounts
|
|
|
- </span>
|
|
|
- </a>
|
|
|
-
|
|
|
-</li>
|
|
|
-
|
|
|
- <li class="md-nav__item">
|
|
|
- <a href="#using-service-accounts-directly" class="md-nav__link">
|
|
|
- <span class="md-ellipsis">
|
|
|
- Using Service Accounts directly
|
|
|
- </span>
|
|
|
- </a>
|
|
|
-
|
|
|
-</li>
|
|
|
-
|
|
|
- <li class="md-nav__item">
|
|
|
- <a href="#using-pod-based-workload-identity" class="md-nav__link">
|
|
|
- <span class="md-ellipsis">
|
|
|
- Using Pod-based Workload Identity
|
|
|
- </span>
|
|
|
- </a>
|
|
|
-
|
|
|
-</li>
|
|
|
-
|
|
|
- </ul>
|
|
|
- </nav>
|
|
|
-
|
|
|
-</li>
|
|
|
-
|
|
|
- <li class="md-nav__item">
|
|
|
- <a href="#gcp-service-account-authentication" class="md-nav__link">
|
|
|
- <span class="md-ellipsis">
|
|
|
- GCP Service Account authentication
|
|
|
- </span>
|
|
|
- </a>
|
|
|
-
|
|
|
- <nav class="md-nav" aria-label="GCP Service Account authentication">
|
|
|
- <ul class="md-nav__list">
|
|
|
-
|
|
|
- <li class="md-nav__item">
|
|
|
- <a href="#update-secret-store" class="md-nav__link">
|
|
|
- <span class="md-ellipsis">
|
|
|
- Update secret store
|
|
|
- </span>
|
|
|
- </a>
|
|
|
-
|
|
|
-</li>
|
|
|
-
|
|
|
- <li class="md-nav__item">
|
|
|
- <a href="#creating-external-secret" class="md-nav__link">
|
|
|
- <span class="md-ellipsis">
|
|
|
- Creating external secret
|
|
|
- </span>
|
|
|
- </a>
|
|
|
-
|
|
|
-</li>
|
|
|
-
|
|
|
- </ul>
|
|
|
- </nav>
|
|
|
-
|
|
|
-</li>
|
|
|
-
|
|
|
- </ul>
|
|
|
- </nav>
|
|
|
-
|
|
|
-</li>
|
|
|
-
|
|
|
- </ul>
|
|
|
|
|
|
</nav>
|
|
|
</div>
|
|
|
@@ -3518,156 +3288,10 @@
|
|
|
|
|
|
|
|
|
|
|
|
- <h1>Google Cloud Secret Manager</h1>
|
|
|
-
|
|
|
-<h2 id="google-cloud-secret-manager">Google Cloud Secret Manager</h2>
|
|
|
-<p>External Secrets Operator integrates with <a href="https://cloud.google.com/secret-manager">GCP Secret Manager</a> for secret management.</p>
|
|
|
-<h2 id="authentication">Authentication</h2>
|
|
|
-<h3 id="workload-identity">Workload Identity</h3>
|
|
|
-<p>Your Google Kubernetes Engine (GKE) applications can consume GCP services like Secrets Manager without using static, long-lived authentication tokens. This is our recommended approach of handling credentials in GCP. ESO offers two options for integrating with GKE workload identity: <strong>pod-based workload identity</strong> and <strong>using service accounts directly</strong>. Before using either way you need to create a service account - this is covered below.</p>
|
|
|
-<h4 id="creating-workload-identity-service-accounts">Creating Workload Identity Service Accounts</h4>
|
|
|
-<p>You can find the documentation for Workload Identity <a href="https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity">here</a>. We will walk you through how to navigate it here.</p>
|
|
|
-<p>Search <a href="https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity">the document</a> for this editable values and change them to your values:
|
|
|
-<em>Note: If you have installed ESO, a serviceaccount has already been created. You can either patch the existing <code>external-secrets</code> SA or create a new one that fits your needs.</em></p>
|
|
|
-<ul>
|
|
|
-<li><code>CLUSTER_NAME</code>: The name of your cluster</li>
|
|
|
-<li><code>PROJECT_ID</code>: Your project ID (not your Project number nor your Project name)</li>
|
|
|
-<li><code>K8S_NAMESPACE</code>: For us following these steps here it will be <code>es</code>, but this will be the namespace where you deployed the external-secrets operator</li>
|
|
|
-<li><code>KSA_NAME</code>: external-secrets (if you are not creating a new one to attach to the deployment)</li>
|
|
|
-<li><code>GSA_NAME</code>: external-secrets for simplicity, or something else if you have to follow different naming conventions for cloud resources</li>
|
|
|
-<li><code>ROLE_NAME</code>: should be <code>roles/secretmanager.secretAccessor</code> - so you make the pod only be able to access secrets on Secret Manager</li>
|
|
|
-</ul>
|
|
|
-<h4 id="using-service-accounts-directly">Using Service Accounts directly</h4>
|
|
|
-<p>Let's assume you have created a service account correctly and attached a appropriate workload identity. It should roughly look like this:</p>
|
|
|
-<div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">v1</span>
|
|
|
-<span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ServiceAccount</span>
|
|
|
-<span class="nt">metadata</span><span class="p">:</span>
|
|
|
-<span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets</span>
|
|
|
-<span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">es</span>
|
|
|
-<span class="w"> </span><span class="nt">annotations</span><span class="p">:</span>
|
|
|
-<span class="w"> </span><span class="nt">iam.gke.io/gcp-service-account</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">example-team-a@my-project.iam.gserviceaccount.com</span>
|
|
|
-</code></pre></div>
|
|
|
-<p>You can reference this particular ServiceAccount in a <code>SecretStore</code> or <code>ClusterSecretStore</code>. It's important that you also set the <code>projectID</code>, <code>clusterLocation</code> and <code>clusterName</code>. The Namespace on the <code>serviceAccountRef</code> is ignored when using a <code>SecretStore</code> resource. This is needed to isolate the namespaces properly.</p>
|
|
|
-<p><em>When filling <code>clusterLocation</code> parameter keep in mind if it is Regional or Zonal cluster.</em></p>
|
|
|
-<div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1beta1</span>
|
|
|
-<span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ClusterSecretStore</span>
|
|
|
-<span class="nt">metadata</span><span class="p">:</span>
|
|
|
-<span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">gcp-store</span>
|
|
|
-<span class="nt">spec</span><span class="p">:</span>
|
|
|
-<span class="w"> </span><span class="nt">provider</span><span class="p">:</span>
|
|
|
-<span class="w"> </span><span class="nt">gcpsm</span><span class="p">:</span>
|
|
|
-<span class="w"> </span><span class="nt">projectID</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">alphabet-123</span>
|
|
|
-<span class="w"> </span><span class="nt">auth</span><span class="p">:</span>
|
|
|
-<span class="w"> </span><span class="nt">workloadIdentity</span><span class="p">:</span>
|
|
|
-<span class="w"> </span><span class="c1"># name of the cluster Location, region or zone</span>
|
|
|
-<span class="w"> </span><span class="nt">clusterLocation</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">europe-central2</span>
|
|
|
-<span class="w"> </span><span class="c1"># name of the GKE cluster</span>
|
|
|
-<span class="w"> </span><span class="nt">clusterName</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">alpha-cluster-42</span>
|
|
|
-<span class="w"> </span><span class="c1"># projectID of the cluster (if omitted defaults to spec.provider.gcpsm.projectID)</span>
|
|
|
-<span class="w"> </span><span class="nt">clusterProjectID</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">my-cluster-project</span>
|
|
|
-<span class="w"> </span><span class="c1"># reference the sa from above</span>
|
|
|
-<span class="w"> </span><span class="nt">serviceAccountRef</span><span class="p">:</span>
|
|
|
-<span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">team-a</span>
|
|
|
-<span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">team-a</span>
|
|
|
-</code></pre></div>
|
|
|
-<p><em>You need to give the Google service account the <code>roles/iam.serviceAccountTokenCreator</code> role so it can generate a service account token for you (not necessary in the Pod-based Workload Identity bellow)</em></p>
|
|
|
-<h4 id="using-pod-based-workload-identity">Using Pod-based Workload Identity</h4>
|
|
|
-<p>You can attach a Workload Identity directly to the ESO pod. ESO then has access to all the APIs defined in the attached service account policy. You attach the workload identity by (1) creating a service account with a attached workload identity (described above) and (2) using this particular service account in the pod's <code>serviceAccountName</code> field.</p>
|
|
|
-<p>For this example we will assume that you installed ESO using helm and that you named the chart installation <code>external-secrets</code> and the namespace where it lives <code>es</code> like:</p>
|
|
|
-<div class="highlight"><pre><span></span><code>helm<span class="w"> </span>install<span class="w"> </span>external-secrets<span class="w"> </span>external-secrets/external-secrets<span class="w"> </span>--namespace<span class="w"> </span>es
|
|
|
-</code></pre></div>
|
|
|
-<p>Then most of the resources would have this name, the important one here being the k8s service account attached to the external-secrets operator deployment:</p>
|
|
|
-<div class="highlight"><pre><span></span><code><span class="c1"># ...</span>
|
|
|
-<span class="w"> </span><span class="nt">containers</span><span class="p">:</span>
|
|
|
-<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ghcr.io/external-secrets/external-secrets:vVERSION</span>
|
|
|
-<span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets</span>
|
|
|
-<span class="w"> </span><span class="nt">ports</span><span class="p">:</span>
|
|
|
-<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">containerPort</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">8080</span>
|
|
|
-<span class="w"> </span><span class="nt">protocol</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">TCP</span>
|
|
|
-<span class="w"> </span><span class="nt">restartPolicy</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Always</span>
|
|
|
-<span class="w"> </span><span class="nt">schedulerName</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">default-scheduler</span>
|
|
|
-<span class="w"> </span><span class="nt">serviceAccount</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets</span>
|
|
|
-<span class="w"> </span><span class="nt">serviceAccountName</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets</span><span class="w"> </span><span class="c1"># <--- here</span>
|
|
|
-</code></pre></div>
|
|
|
-<p>The pod now has the identity. Now you need to configure the <code>SecretStore</code>.
|
|
|
-You just need to set the <code>projectID</code>, all other fields can be omitted.</p>
|
|
|
-<div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1beta1</span>
|
|
|
-<span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SecretStore</span>
|
|
|
-<span class="nt">metadata</span><span class="p">:</span>
|
|
|
-<span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">gcp-store</span>
|
|
|
-<span class="nt">spec</span><span class="p">:</span>
|
|
|
-<span class="w"> </span><span class="nt">provider</span><span class="p">:</span>
|
|
|
-<span class="w"> </span><span class="nt">gcpsm</span><span class="p">:</span>
|
|
|
-<span class="w"> </span><span class="nt">projectID</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">alphabet-123</span>
|
|
|
-</code></pre></div>
|
|
|
-<h3 id="gcp-service-account-authentication">GCP Service Account authentication</h3>
|
|
|
-<p>You can use <a href="https://cloud.google.com/iam/docs/service-accounts">GCP Service Account</a> to authenticate with GCP. These are static, long-lived credentials. A GCP Service Account is a JSON file that needs to be stored in a <code>Kind=Secret</code>. ESO will use that Secret to authenticate with GCP. See here how you <a href="https://cloud.google.com/iam/docs/creating-managing-service-accounts">manage GCP Service Accounts</a>.
|
|
|
-After creating a GCP Service account go to <code>IAM & Admin</code> web UI, click <code>ADD ANOTHER ROLE</code> button, add <code>Secret Manager Secret Accessor</code> role to this service account.
|
|
|
-The <code>Secret Manager Secret Accessor</code> role is required to access secrets.</p>
|
|
|
-<div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">v1</span>
|
|
|
-<span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Secret</span>
|
|
|
-<span class="nt">metadata</span><span class="p">:</span>
|
|
|
-<span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">gcpsm-secret</span>
|
|
|
-<span class="w"> </span><span class="nt">labels</span><span class="p">:</span>
|
|
|
-<span class="w"> </span><span class="nt">type</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">gcpsm</span>
|
|
|
-<span class="nt">type</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Opaque</span>
|
|
|
-<span class="nt">stringData</span><span class="p">:</span>
|
|
|
-<span class="w"> </span><span class="nt">secret-access-credentials</span><span class="p">:</span><span class="w"> </span><span class="p p-Indicator">|-</span>
|
|
|
-<span class="w"> </span><span class="no">{</span>
|
|
|
-<span class="w"> </span><span class="no">"type": "service_account",</span>
|
|
|
-<span class="w"> </span><span class="no">"project_id": "external-secrets-operator",</span>
|
|
|
-<span class="w"> </span><span class="no">"private_key_id": "",</span>
|
|
|
-<span class="w"> </span><span class="no">"private_key": "-----BEGIN PRIVATE KEY-----\nA key\n-----END PRIVATE KEY-----\n",</span>
|
|
|
-<span class="w"> </span><span class="no">"client_email": "test-service-account@external-secrets-operator.iam.gserviceaccount.com",</span>
|
|
|
-<span class="w"> </span><span class="no">"client_id": "client ID",</span>
|
|
|
-<span class="w"> </span><span class="no">"auth_uri": "https://accounts.google.com/o/oauth2/auth",</span>
|
|
|
-<span class="w"> </span><span class="no">"token_uri": "https://oauth2.googleapis.com/token",</span>
|
|
|
-<span class="w"> </span><span class="no">"auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",</span>
|
|
|
-<span class="w"> </span><span class="no">"client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/test-service-account%40external-secrets-operator.iam.gserviceaccount.com"</span>
|
|
|
-<span class="w"> </span><span class="no">}</span>
|
|
|
-</code></pre></div>
|
|
|
-<h4 id="update-secret-store">Update secret store</h4>
|
|
|
-<p>Be sure the <code>gcpsm</code> provider is listed in the <code>Kind=SecretStore</code></p>
|
|
|
-<div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1beta1</span>
|
|
|
-<span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SecretStore</span>
|
|
|
-<span class="nt">metadata</span><span class="p">:</span>
|
|
|
-<span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">gcp-store</span>
|
|
|
-<span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">example</span>
|
|
|
-<span class="nt">spec</span><span class="p">:</span>
|
|
|
-<span class="w"> </span><span class="nt">provider</span><span class="p">:</span>
|
|
|
-<span class="w"> </span><span class="nt">gcpsm</span><span class="p">:</span><span class="w"> </span><span class="c1"># gcpsm provider</span>
|
|
|
-<span class="w"> </span><span class="nt">auth</span><span class="p">:</span>
|
|
|
-<span class="w"> </span><span class="nt">secretRef</span><span class="p">:</span>
|
|
|
-<span class="w"> </span><span class="nt">secretAccessKeySecretRef</span><span class="p">:</span>
|
|
|
-<span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">gcpsm-secret</span><span class="w"> </span><span class="c1"># secret name containing SA key</span>
|
|
|
-<span class="w"> </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">secret-access-credentials</span><span class="w"> </span><span class="c1"># key name containing SA key</span>
|
|
|
-<span class="w"> </span><span class="nt">projectID</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">alphabet-123</span><span class="w"> </span><span class="c1"># name of Google Cloud project</span>
|
|
|
-</code></pre></div>
|
|
|
-<p><strong>NOTE:</strong> In case of a <code>ClusterSecretStore</code>, Be sure to provide <code>namespace</code> for <code>SecretAccessKeyRef</code> with the namespace of the secret that we just created.</p>
|
|
|
-<h4 id="creating-external-secret">Creating external secret</h4>
|
|
|
-<p>To create a kubernetes secret from the GCP Secret Manager secret a <code>Kind=ExternalSecret</code> is needed.</p>
|
|
|
-<div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1beta1</span>
|
|
|
-<span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ExternalSecret</span>
|
|
|
-<span class="nt">metadata</span><span class="p">:</span>
|
|
|
-<span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">database-credentials</span>
|
|
|
-<span class="nt">spec</span><span class="p">:</span>
|
|
|
-<span class="w"> </span><span class="nt">refreshInterval</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">1h</span><span class="w"> </span><span class="c1"># rate SecretManager pulls GCPSM</span>
|
|
|
-<span class="w"> </span><span class="nt">secretStoreRef</span><span class="p">:</span>
|
|
|
-<span class="w"> </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SecretStore</span>
|
|
|
-<span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">gcp-store</span><span class="w"> </span><span class="c1"># name of the SecretStore (or kind specified)</span>
|
|
|
-<span class="w"> </span><span class="nt">target</span><span class="p">:</span>
|
|
|
-<span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">database-credentials</span><span class="w"> </span><span class="c1"># name of the k8s Secret to be created</span>
|
|
|
-<span class="w"> </span><span class="nt">creationPolicy</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Owner</span>
|
|
|
-<span class="w"> </span><span class="nt">data</span><span class="p">:</span>
|
|
|
-<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">secretKey</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">database_username</span>
|
|
|
-<span class="w"> </span><span class="nt">remoteRef</span><span class="p">:</span>
|
|
|
-<span class="w"> </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">database_username</span><span class="w"> </span><span class="c1"># name of the GCPSM secret key</span>
|
|
|
-<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">secretKey</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">database_password</span>
|
|
|
-<span class="w"> </span><span class="nt">remoteRef</span><span class="p">:</span>
|
|
|
-<span class="w"> </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">database_password</span><span class="w"> </span><span class="c1"># name of the GCPSM secret key</span>
|
|
|
-</code></pre></div>
|
|
|
-<p>The operator will fetch the GCP Secret Manager secret and inject it as a <code>Kind=Secret</code>
|
|
|
-<div class="highlight"><pre><span></span><code>kubectl get secret secret-to-be-created -n <namespace> -o jsonpath='{.data.dev-secret-test}' | base64 -d
|
|
|
+<h1 id="macro-syntax-error"><em>Macro Syntax Error</em></h1>
|
|
|
+<p><em>File</em>: <code>provider/google-secrets-manager.md</code></p>
|
|
|
+<p><em>Line 143 in Markdown file:</em> <strong>unexpected '.'</strong>
|
|
|
+<div class="highlight"><pre><span></span><code> bestpokemon: "{{ .bestpokemon }}"
|
|
|
</code></pre></div></p>
|
|
|
|
|
|
|
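Review bot: The new side of this hunk publishes a mkdocs-macros "Macro Syntax Error" page in place of the whole Google Cloud Secret Manager provider documentation — the removed lines covered Workload Identity setup, the least-privilege `roles/secretmanager.secretAccessor` binding, the `roles/iam.serviceAccountTokenCreator` requirement for `serviceAccountRef`, and the static-credential `Secret` layout — so this build output should not be committed as-is. The error body itself names the cause: line 143 of `provider/google-secrets-manager.md` contains `bestpokemon: "{{ .bestpokemon }}"`, which is ESO Go-template syntax but is parsed by the macros plugin as a Jinja expression and fails on the leading `.`. The fix belongs in the Markdown source rather than this generated HTML: presumably wrapping that templated example in a `{% raw %}` … `{% endraw %}` block (or disabling the macros plugin for that page) so the `{{ .bestpokemon }}` text is emitted verbatim, then regenerating the site so the original `#google-cloud-secret-manager` anchor and table of contents return. Until then the published page gives operators no guidance on scoping the GCP service account, which makes over-privileged bindings more likely; the skip-link change in the first hunk (`#macro-syntax-error`) confirms the whole page, not just one section, was replaced.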