
Add documentation for gcpsm

Gabi 4 years ago
parent
commit
fe05c523d4

+ 34 - 4
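--- a/docs/provider-google-secrets-manager.md
+++ b/docs/provider-google-secrets-manager.md
@@ -1,5 +1,35 @@
+## Google Cloud Secret Manager
 
-!!! bug "Not implemented"
-    This is currently **not yet** implemented. Feel free to contribute.
-    Please see [issue#33](https://github.com/external-secrets/external-secrets/issues/33)
-    for futher information.
+External Secrets Operator integrates with [GCP Secret Manager](https://cloud.google.com/secret-manager) for secret management.
+
+### Authentication
+
+At the moment, we only support [service account key](https://cloud.google.com/iam/docs/creating-managing-service-account-keys) authentication.
+
+#### Service account key authentication
+
+A service account key is created and the JSON keyfile is stored in a `Kind=Secret`. The `project_id` and `private_key` should be configured for the project.
+
+```yaml
+{% include 'gcpsm-credentials-secret.yaml' %}
+```
+
+### Update secret store
+Be sure the `gcpsm` provider is listed in the `Kind=SecretStore`
+
+```yaml
+{% include 'gcpsm-secret-store.yaml' %}
+```
+
+### Creating external secret
+
+To create a kubernetes secret from the GCP Secret Manager secret a `Kind=ExternalSecret` is needed.
+
+```yaml
+{% include 'gcpsm-external-secret.yaml' %}
+```
+
+The operator will fetch the GCP Secret Manager secret and inject it as a `Kind=Secret`
+```
+kubectl get secret secret-to-be-created -n <namespace> | -o jsonpath='{.data.example-externalsecret-key}' | base64 -d
+```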

+ 1 - 3
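--- a/docs/snippets/gcpsm-credentials-secret.yaml
+++ b/docs/snippets/gcpsm-credentials-secret.yaml
@@ -1,5 +1,3 @@
-# The following secret will be used by the GCP provider to get authenticated to the GCP API and retrieve secret(s)
-
 apiVersion: v1
 kind: Secret
 metadata:
@@ -20,4 +18,4 @@ stringData:
       "token_uri": "https://oauth2.googleapis.com/token",
       "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
       "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/test-service-account%40external-secrets-operator.iam.gserviceaccount.com"
-    }
+    }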

+ 16 - 0
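--- a/docs/snippets/gcpsm-external-secret.yaml
+++ b/docs/snippets/gcpsm-external-secret.yaml
@@ -0,0 +1,16 @@
+apiVersion: external-secrets.io/v1alpha1
+kind: ExternalSecret
+metadata:
+  name: example
+spec:
+  refreshInterval: 1h           # rate SecretManager pulls GCPSM
+  secretStoreRef:
+    kind: SecretStore
+    name: example               # name of the SecretStore (or kind specified)
+  target:
+    name: secret-to-be-created  # name of the k8s Secret to be created
+    creationPolicy: Owner
+  data:
+  - secretKey: dev-secret-test  # name of the GCPSM secret key
+    remoteRef:
+      key: dev-secret-test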
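Review bot: The comment on `secretKey` (`# name of the GCPSM secret key`) is misleading: `secretKey` is the key inside the generated Kubernetes Secret, while the GCPSM secret is identified by `remoteRef.key` on the line below, so a reader who edits only one of the two will get a confusing result. I would reword the pair to `- secretKey: dev-secret-test  # key in the generated k8s Secret` and `key: dev-secret-test  # name of the secret in GCP Secret Manager`, and replace the garbled `# rate SecretManager pulls GCPSM` with `# how often the operator re-reads the GCPSM secret`. The kubectl example in provider-google-secrets-manager.md in this same commit reads `.data.example-externalsecret-key`, a key this snippet never creates (it would be `.data.dev-secret-test`), and it has a stray `|` before `-o jsonpath`, so the walkthrough cannot be followed end to end. The `remoteRef` pins no version; if the provider resolves the latest version by default (not stated anywhere in this commit), the docs should say so, since an unpinned reference silently picks up whatever is written to GCPSM next.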

+ 0 - 14
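--- a/docs/snippets/gcpsm-parameter-store.yaml
+++ b/docs/snippets/gcpsm-parameter-store.yaml
@@ -1,14 +0,0 @@
-apiVersion: external-secrets.io/v1alpha1
-kind: SecretStore
-metadata:
-  name: secretstore-sample
-spec:
-  controller: dev
-  provider:
-      gcpsm:
-        auth:
-          secretRef:
-            secretAccessKeySecretRef:
-              name: gcpsm-secret
-              key: secret-access-credentials
-        projectID: myproject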

+ 13 - 0
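--- a/docs/snippets/gcpsm-secret-store.yaml
+++ b/docs/snippets/gcpsm-secret-store.yaml
@@ -0,0 +1,13 @@
+apiVersion: external-secrets.io/v1alpha1
+kind: SecretStore
+metadata:
+  name: example
+spec:
+  provider:
+      gcpsm:                                  # gcpsm provider
+        auth:
+          secretRef:
+            secretAccessKeySecretRef:
+              name: gcpsm-secret              # secret name containing SA key
+              key: secret-access-credentials  # key name containing SA key
+        projectID: myproject                  # name of Google Cloud project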
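Review bot: The snippet and the generated reference in docs/spec.md disagree on whether `secretAccessKeySecretRef` is required: spec.md marks it `(Optional)`, while the provider doc added in this commit says service-account-key authentication is the only supported method, and nothing says what the provider does when the ref is omitted. Either the reference should mark the field required, or this snippet should carry a comment stating the contract, e.g. `secretAccessKeySecretRef:  # required: no other auth method is supported yet`. Because the referenced Secret holds a long-lived JSON key, I would also add a least-privilege hint next to `name: gcpsm-secret`, such as `# grant the SA only the Secret Manager accessor role and restrict RBAC on this Secret` (I am inferring the role from GCP IAM, not from anything in this commit). Style: `gcpsm:` sits six spaces under `provider:` while every other nesting step in the file is two, which yamllint's indentation rule will flag; `    gcpsm:` with the children re-indented by two keeps the file consistent.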

+ 117 - 0
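--- a/docs/spec.md
+++ b/docs/spec.md
@@ -888,6 +888,109 @@ map[string]string
 </tr>
 </tbody>
 </table>
+<h3 id="external-secrets.io/v1alpha1.GCPSMAuth">GCPSMAuth
+</h3>
+<p>
+(<em>Appears on:</em>
+<a href="#external-secrets.io/v1alpha1.GCPSMProvider">GCPSMProvider</a>)
+</p>
+<p>
+</p>
+<table>
+<thead>
+<tr>
+<th>Field</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td>
+<code>secretRef</code></br>
+<em>
+<a href="#external-secrets.io/v1alpha1.GCPSMAuthSecretRef">
+GCPSMAuthSecretRef
+</a>
+</em>
+</td>
+<td>
+</td>
+</tr>
+</tbody>
+</table>
+<h3 id="external-secrets.io/v1alpha1.GCPSMAuthSecretRef">GCPSMAuthSecretRef
+</h3>
+<p>
+(<em>Appears on:</em>
+<a href="#external-secrets.io/v1alpha1.GCPSMAuth">GCPSMAuth</a>)
+</p>
+<p>
+</p>
+<table>
+<thead>
+<tr>
+<th>Field</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td>
+<code>secretAccessKeySecretRef</code></br>
+<em>
+github.com/external-secrets/external-secrets/apis/meta/v1.SecretKeySelector
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>The SecretAccessKey is used for authentication</p>
+</td>
+</tr>
+</tbody>
+</table>
+<h3 id="external-secrets.io/v1alpha1.GCPSMProvider">GCPSMProvider
+</h3>
+<p>
+(<em>Appears on:</em>
+<a href="#external-secrets.io/v1alpha1.SecretStoreProvider">SecretStoreProvider</a>)
+</p>
+<p>
+<p>GCPSMProvider Configures a store to sync secrets using the GCP Secret Manager provider.</p>
+</p>
+<table>
+<thead>
+<tr>
+<th>Field</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td>
+<code>auth</code></br>
+<em>
+<a href="#external-secrets.io/v1alpha1.GCPSMAuth">
+GCPSMAuth
+</a>
+</em>
+</td>
+<td>
+<p>Auth defines the information necessary to authenticate against GCP</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>projectID</code></br>
+<em>
+string
+</em>
+</td>
+<td>
+<p>ProjectID project where secret is located</p>
+</td>
+</tr>
+</tbody>
+</table>
 <h3 id="external-secrets.io/v1alpha1.GenericStore">GenericStore
 </h3>
 <p>
@@ -1041,6 +1144,20 @@ VaultProvider
 <p>Vault configures this store to sync secrets using Hashi provider</p>
 </td>
 </tr>
+<tr>
+<td>
+<code>gcpsm</code></br>
+<em>
+<a href="#external-secrets.io/v1alpha1.GCPSMProvider">
+GCPSMProvider
+</a>
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider</p>
+</td>
+</tr>
 </tbody>
 </table>
 <h3 id="external-secrets.io/v1alpha1.SecretStoreRef">SecretStoreRef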