Fixed and documented external secrets GCP.

lreimer · Dec 5, 2024 · 7b53960 · 7b53960
1 parent f15089c
commit 7b53960
Show file tree

Hide file tree

Showing 3 changed files with 3 additions and 2 deletions.
diff --git a/Makefile b/Makefile
@@ -47,13 +47,15 @@ create-gke-airbyte-sa:
 	@gcloud iam service-accounts keys create airbyte.json --iam-account=airbyte@$(GCP_PROJECT).iam.gserviceaccount.com
 
 # Create a Service Account for External Secrets
+# Service Account will also be used for Workload Identity
 create-gke-es-sa:
 	@gcloud iam service-accounts create external-secrets-sa --description="External Secrets Service Account" --display-name="External Secrets Service Account"
 	@gcloud projects add-iam-policy-binding $(GCP_PROJECT) --role=roles/secretmanager.secretAccessor --member=serviceAccount:external-secrets-sa@$(GCP_PROJECT).iam.gserviceaccount.com
 	@gcloud projects add-iam-policy-binding $(GCP_PROJECT) --role=roles/secretmanager.secretVersionAdder --member=serviceAccount:external-secrets-sa@$(GCP_PROJECT).iam.gserviceaccount.com
 	@gcloud projects add-iam-policy-binding $(GCP_PROJECT) --role=roles/secretmanager.secretVersionManager --member=serviceAccount:external-secrets-sa@$(GCP_PROJECT).iam.gserviceaccount.com
 	@gcloud projects add-iam-policy-binding $(GCP_PROJECT) --role=roles/secretmanager.viewer --member=serviceAccount:external-secrets-sa@$(GCP_PROJECT).iam.gserviceaccount.com
 	@gcloud projects add-iam-policy-binding $(GCP_PROJECT) --role=roles/iam.serviceAccountTokenCreator --member=serviceAccount:external-secrets-sa@$(GCP_PROJECT).iam.gserviceaccount.com
+	@gcloud iam service-accounts add-iam-policy-binding external-secrets-sa@$(GCP_PROJECT).iam.gserviceaccount.com --member="serviceAccount:$(GCP_PROJECT).svc.id.goog[external-secrets/external-secrets-sa]" --role="roles/iam.workloadIdentityUser" 
 	@gcloud iam service-accounts keys create external-secrets-sa.json --iam-account=external-secrets-sa@$(GCP_PROJECT).iam.gserviceaccount.com
 
 delete-gke-clusters:

diff --git a/README.md b/README.md
@@ -27,7 +27,7 @@ kubectl apply -f infrastructure/platform/external-secrets/secret-store.yaml
 # this is how to create secrets in the 
 gcloud secrets create external-secrets-sa --data-file=external-secrets-sa.json --replication-policy=automatic
 kubectl apply -f infrastructure/platform/external-secrets/sa-secret.yaml
-kubectl get secret gcp-sa-credentials -o jsonpath='{.data.external-secrets-sa.json}' | base64 -d
+kubectl get secret gcp-sa-credentials -o jsonpath='{.data.external-secrets-sa\.json}' | base64 -d
 ```
 
 ## Building a chat service with Quarkus and OpenAI

diff --git a/infrastructure/platform/external-secrets/sa-secret.yaml b/infrastructure/platform/external-secrets/sa-secret.yaml
@@ -8,7 +8,6 @@ spec:
   secretStoreRef:
     kind: ClusterSecretStore
     name: gcp-secret-manager-store  # name of the SecretStore (or kind specified)
-    namespace: external-secrets
   target:
     name: gcp-sa-credentials        # name of the k8s Secret to be created
     creationPolicy: Owner