From 7b5396077a92fd417038213b3a47c483963031a0 Mon Sep 17 00:00:00 2001
From: "M.-Leander Reimer"
Date: Thu, 5 Dec 2024 13:12:51 +0100
Subject: [PATCH] Fixed and documented external secrets GCP.
---
 Makefile | 2 ++
 README.md | 2 +-
 infrastructure/platform/external-secrets/sa-secret.yaml | 1 -
 3 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/Makefile b/Makefile
index 647be49..e35b4b1 100644
--- a/Makefile
+++ b/Makefile
@@ -47,6 +47,7 @@ create-gke-airbyte-sa:
 @gcloud iam service-accounts keys create airbyte.json --iam-account=airbyte@$(GCP_PROJECT).iam.gserviceaccount.com
 # Create a Service Account for External Secrets
+# Service Account will also be used for Workload Identity
 create-gke-es-sa:
 @gcloud iam service-accounts create external-secrets-sa --description="External Secrets Service Account" --display-name="External Secrets Service Account"
 @gcloud projects add-iam-policy-binding $(GCP_PROJECT) --role=roles/secretmanager.secretAccessor --member=serviceAccount:external-secrets-sa@$(GCP_PROJECT).iam.gserviceaccount.com
@@ -54,6 +55,7 @@ create-gke-es-sa:
 @gcloud projects add-iam-policy-binding $(GCP_PROJECT) --role=roles/secretmanager.secretVersionManager --member=serviceAccount:external-secrets-sa@$(GCP_PROJECT).iam.gserviceaccount.com
 @gcloud projects add-iam-policy-binding $(GCP_PROJECT) --role=roles/secretmanager.viewer --member=serviceAccount:external-secrets-sa@$(GCP_PROJECT).iam.gserviceaccount.com
 @gcloud projects add-iam-policy-binding $(GCP_PROJECT) --role=roles/iam.serviceAccountTokenCreator --member=serviceAccount:external-secrets-sa@$(GCP_PROJECT).iam.gserviceaccount.com
+ @gcloud iam service-accounts add-iam-policy-binding external-secrets-sa@$(GCP_PROJECT).iam.gserviceaccount.com --member="serviceAccount:$(GCP_PROJECT).svc.id.goog[external-secrets/external-secrets-sa]" --role="roles/iam.workloadIdentityUser"
 @gcloud iam service-accounts keys create external-secrets-sa.json --iam-account=external-secrets-sa@$(GCP_PROJECT).iam.gserviceaccount.com
 delete-gke-clusters:
diff --git a/README.md b/README.md
index 43f6723..86ee91a 100644
--- a/README.md
+++ b/README.md
@@ -27,7 +27,7 @@ kubectl apply -f infrastructure/platform/external-secrets/secret-store.yaml
 # this is how to create secrets in the
 gcloud secrets create external-secrets-sa --data-file=external-secrets-sa.json --replication-policy=automatic
 kubectl apply -f infrastructure/platform/external-secrets/sa-secret.yaml
-kubectl get secret gcp-sa-credentials -o jsonpath='{.data.external-secrets-sa.json}' | base64 -d
+kubectl get secret gcp-sa-credentials -o jsonpath='{.data.external-secrets-sa\.json}' | base64 -d
 ```
 ## Building a chat service with Quarkus and OpenAI
diff --git a/infrastructure/platform/external-secrets/sa-secret.yaml b/infrastructure/platform/external-secrets/sa-secret.yaml
index c73dd39..5218b59 100644
--- a/infrastructure/platform/external-secrets/sa-secret.yaml
+++ b/infrastructure/platform/external-secrets/sa-secret.yaml
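Review bot: The new `roles/iam.workloadIdentityUser` binding makes the `keys create external-secrets-sa.json` line that follows it redundant, yet the target still mints a long-lived JSON key and writes it to the working directory. Workload Identity exists so the pods get short-lived tokens instead, which leaves the key as a standing credential waiting to leak (the README hunk shows it then being copied into Secret Manager and synced back into a Kubernetes Secret); move it to a separate opt-in target such as `create-gke-es-sa-key:`, or drop it once the WI path is verified. The member string hard-codes the KSA `external-secrets/external-secrets-sa`, and nothing in this patch adds the matching `iam.gke.io/gcp-service-account` annotation on that ServiceAccount, so confirm the ESO install sets it or the binding is inert. Also worth a look while here: project-wide `roles/iam.serviceAccountTokenCreator` on the line above lets this SA mint tokens for every service account in the project, which is more than ESO's GCP provider should need; scope it to the specific service account if it is needed at all.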
@@ -8,7 +8,6 @@ spec:
 secretStoreRef:
 kind: ClusterSecretStore
 name: gcp-secret-manager-store # name of the SecretStore (or kind specified)
- namespace: external-secrets
 target:
 name: gcp-sa-credentials # name of the k8s Secret to be created
 creationPolicy: Owner
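Review bot: `target.name: gcp-sa-credentials` still syncs the long-lived GCP service-account key (`external-secrets-sa.json`, per the README hunk) into the cluster as a plain Kubernetes Secret, even though the Makefile hunk now binds Workload Identity, which makes that key unnecessary for the operator. Anyone with `get secrets` in this ExternalSecret's namespace can read the key back out (the README documents exactly that command), so if this manifest is kept only to smoke-test the store, say so in the file: `# NOTE: demo only — syncs a long-lived SA key into the cluster; remove once Workload Identity is verified`. Removing `secretStoreRef.namespace` looks correct, since a ClusterSecretStore is cluster-scoped and the ref takes only `name` and `kind`; a comment on the `kind` line, `# cluster-scoped store; restrict which namespaces may use it on the store itself`, would make the implication explicit — presumably the store object rather than this file carries that restriction, worth confirming. The ExternalSecret's metadata and `data` selection lie outside the hunk.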