isabella232 / gsm-controller Goto Github PK

This project forked from jenkins-x/gsm-controller

License: Apache License 2.0

gsm-controller

Overview

gsm-controller is a Kubernetes controller that copies secrets from Google Secrets Manager into Kubernetes secrets. The controller watches Kubernetes secrets looking for an annotation; if the annotation is not found on a secret, nothing more is done.

If the secret does have the annotation, the controller queries Google Secrets Manager, accesses the matching secret, copies the value into the Kubernetes secret and saves it in the cluster.

Setup

Note that in this example we create the secrets and run the Kubernetes cluster in the same Google Cloud project. The same approach works if Secrets Manager is enabled in a different project to store your secrets; just set the env var SECRETS_MANAGER_PROJECT_ID below to that project's id.

Set some environment variables:

export NAMESPACE=foo
export CLUSTER_NAME=test-cluster-foo
export PROJECT_ID=my-cool-project
export SECRETS_MANAGER_PROJECT_ID=my-cool-project # change if you want your secrets stored in Secrets Manager from another GCP project

First enable Google Secrets Manager

gcloud services enable secretmanager.googleapis.com --project $SECRETS_MANAGER_PROJECT_ID

Create a secret

  • Using a file:
gcloud beta secrets create foo --replication-policy automatic --project $SECRETS_MANAGER_PROJECT_ID --data-file=my_secrets.yaml
  • or for a single key=value secret:
echo -n bar | gcloud beta secrets create foo --replication-policy automatic --project $SECRETS_MANAGER_PROJECT_ID --data-file=-

Access

For gsm-controller to read secrets from Google Secrets Manager and populate Kubernetes secrets in a namespace, it needs a GCP service account with a role that grants access to the secrets in the given GCP project.

Setup

kubectl create serviceaccount gsm-sa -n $NAMESPACE
kubectl annotate sa gsm-sa iam.gke.io/gcp-service-account=$CLUSTER_NAME-sm@$SECRETS_MANAGER_PROJECT_ID.iam.gserviceaccount.com

gcloud iam service-accounts create $CLUSTER_NAME-sm --project $SECRETS_MANAGER_PROJECT_ID

gcloud iam service-accounts add-iam-policy-binding \
  --role roles/iam.workloadIdentityUser \
  --member "serviceAccount:$PROJECT_ID.svc.id.goog[$NAMESPACE/gsm-sa]" \
  $CLUSTER_NAME-sm@$SECRETS_MANAGER_PROJECT_ID.iam.gserviceaccount.com \
  --project $SECRETS_MANAGER_PROJECT_ID

gcloud projects add-iam-policy-binding $SECRETS_MANAGER_PROJECT_ID \
  --role roles/secretmanager.secretAccessor \
  --member "serviceAccount:$CLUSTER_NAME-sm@$SECRETS_MANAGER_PROJECT_ID.iam.gserviceaccount.com" \
  --project $SECRETS_MANAGER_PROJECT_ID

It can take a little while for permissions to propagate when using Workload Identity, so it's a good idea to validate that auth is working before continuing to the next step.

Run a temporary pod using the Kubernetes service account:

kubectl run --rm -it \
  --generator=run-pod/v1 \
  --image google/cloud-sdk:slim \
  --serviceaccount gsm-sa \
  --namespace $NAMESPACE \
  workload-identity-test

Use gcloud to verify you can authenticate; it may take a few tries over a few minutes:

gcloud auth list

Install

Add the helm repo, or update it to get the latest charts:

helm plugin install https://github.com/hayorov/helm-gcs
helm repo add jx3 https://jenkins-x-charts.github.io/repo

or

helm repo update

Install the helm chart. This includes a Kubernetes controller that always runs and watches for new or updated secrets. We also install a Kubernetes CronJob that periodically triggers and checks for updated secret versions in Google Secret Manager.

helm install --set projectID=$SECRETS_MANAGER_PROJECT_ID gsm-controller jx3/gsm-controller

Annotate secrets

Now that the controller is running we can create a Kubernetes secret and annotate it with the id under which we stored the secret above:

kubectl create secret generic my-secret
kubectl annotate secret my-secret jenkins-x.io/gsm-kubernetes-secret-key=credentials.json
kubectl annotate secret my-secret jenkins-x.io/gsm-secret-id=foo

After a short wait you should be able to see the base64-encoded data in the secret:

kubectl get secret my-secret -oyaml

If not, check the logs of the controller:

kubectl logs deployment/gsm-controller
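The reconcile step described in the Overview and in this section, as an added Go example that is not the project's own code: `Secret` and `AccessFunc` are assumed stand-ins for the client-go Secret type and the Secret Manager client, the `versions/latest` resource name and the error on a missing key annotation are assumptions, and the annotation keys are the ones used above.

```go
package main

import "fmt"

// Annotation keys documented above for gsm-controller.
const (
	annSecretID  = "jenkins-x.io/gsm-secret-id"
	annSecretKey = "jenkins-x.io/gsm-kubernetes-secret-key"
)

// Secret is an assumed stand-in for corev1.Secret with only the fields used here.
type Secret struct {
	Annotations map[string]string
	Data        map[string][]byte
}

// AccessFunc is a hypothetical stand-in for the GSM client's AccessSecretVersion call.
type AccessFunc func(resourceName string) ([]byte, error)

// VersionName builds the Secret Manager resource name of a secret's latest version.
func VersionName(projectID, secretID string) string {
	return fmt.Sprintf("projects/%s/secrets/%s/versions/latest", projectID, secretID)
}

// Reconcile copies the GSM payload into Data[<key annotation>] and reports whether the
// secret changed. No id annotation: left untouched. No key annotation: an error (assumption).
func Reconcile(projectID string, s *Secret, access AccessFunc) (bool, error) {
	secretID := s.Annotations[annSecretID]
	if secretID == "" {
		return false, nil // nothing more is done
	}
	key := s.Annotations[annSecretKey]
	if key == "" {
		return false, fmt.Errorf("missing %s annotation", annSecretKey)
	}
	value, err := access(VersionName(projectID, secretID))
	if err != nil {
		return false, fmt.Errorf("access %s: %w", secretID, err)
	}
	if s.Data == nil { // `kubectl create secret generic my-secret` yields no data
		s.Data = map[string][]byte{}
	}
	s.Data[key] = value // kubectl then shows this value base64-encoded
	return true, nil
}
```

A secret annotated with an id that does not exist in Secret Manager surfaces the accessor's error, which is what you would look for in the controller logs above.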

Run locally

gcloud iam service-accounts create $CLUSTER_NAME-sm --project $SECRETS_MANAGER_PROJECT_ID

gcloud iam service-accounts keys create ~/.secret/key.json \
  --iam-account $CLUSTER_NAME-sm@$SECRETS_MANAGER_PROJECT_ID.iam.gserviceaccount.com

gcloud projects add-iam-policy-binding $SECRETS_MANAGER_PROJECT_ID \
  --role roles/secretmanager.secretAccessor \
  --member "serviceAccount:$CLUSTER_NAME-sm@$SECRETS_MANAGER_PROJECT_ID.iam.gserviceaccount.com"

Create a GCP secret in the project where your secrets are stored, assign the accessor role, download the key.json and...

export GOOGLE_APPLICATION_CREDENTIALS=~/.secret/key.json
make build
./build/gsm-controller my-cool-project

Video

GSM Controller
