Added external secrets configuration and docs.

lreimer · Dec 5, 2024 · f15089c · f15089c
1 parent d238903
commit f15089c
Show file tree

Hide file tree

Showing 7 changed files with 74 additions and 2 deletions.
diff --git a/.gitignore b/.gitignore
@@ -24,4 +24,4 @@ gradle-app.setting
 .vscode/
 .DS_Store
 target/
-airbyte.json
+*.json
diff --git a/Makefile b/Makefile
@@ -35,6 +35,7 @@ bootstrap-flux2:
 		--read-write-key \
 		--personal
 
+# Create a Service Account for Airbyte storage and secrets
 create-gke-airbyte-sa:
 	@gcloud iam service-accounts create airbyte --description="Airbyte Service Account" --display-name="Airbyte Service Account"
 	@gcloud projects add-iam-policy-binding $(GCP_PROJECT) --role=roles/storage.admin --member=serviceAccount:airbyte@$(GCP_PROJECT).iam.gserviceaccount.com 
@@ -45,5 +46,15 @@ create-gke-airbyte-sa:
 	@gcloud projects add-iam-policy-binding $(GCP_PROJECT) --role=roles/secretmanager.viewer --member=serviceAccount:airbyte@$(GCP_PROJECT).iam.gserviceaccount.com
 	@gcloud iam service-accounts keys create airbyte.json --iam-account=airbyte@$(GCP_PROJECT).iam.gserviceaccount.com
 
+# Create a Service Account for External Secrets
+create-gke-es-sa:
+	@gcloud iam service-accounts create external-secrets-sa --description="External Secrets Service Account" --display-name="External Secrets Service Account"
+	@gcloud projects add-iam-policy-binding $(GCP_PROJECT) --role=roles/secretmanager.secretAccessor --member=serviceAccount:external-secrets-sa@$(GCP_PROJECT).iam.gserviceaccount.com
+	@gcloud projects add-iam-policy-binding $(GCP_PROJECT) --role=roles/secretmanager.secretVersionAdder --member=serviceAccount:external-secrets-sa@$(GCP_PROJECT).iam.gserviceaccount.com
+	@gcloud projects add-iam-policy-binding $(GCP_PROJECT) --role=roles/secretmanager.secretVersionManager --member=serviceAccount:external-secrets-sa@$(GCP_PROJECT).iam.gserviceaccount.com
+	@gcloud projects add-iam-policy-binding $(GCP_PROJECT) --role=roles/secretmanager.viewer --member=serviceAccount:external-secrets-sa@$(GCP_PROJECT).iam.gserviceaccount.com
+	@gcloud projects add-iam-policy-binding $(GCP_PROJECT) --role=roles/iam.serviceAccountTokenCreator --member=serviceAccount:external-secrets-sa@$(GCP_PROJECT).iam.gserviceaccount.com
+	@gcloud iam service-accounts keys create external-secrets-sa.json --iam-account=external-secrets-sa@$(GCP_PROJECT).iam.gserviceaccount.com
+
 delete-gke-clusters:
 	@gcloud container clusters delete k8s-native-java-ai --region=$(GCP_REGION) --async --quiet
diff --git a/README.md b/README.md
@@ -14,6 +14,22 @@ make bootstrap-flux2
 kubectl annotate namespace default cnrm.cloud.google.com/project-id="cloud-native-experience-lab"
 ```
 
+## External Secrets using Google Cloud Security Manager
+
+```bash
+# credentials to access certain GCP infrastructure components are stored externally
+# make sure that the Google Cloud Security Manager API is enabled in your project
+make create-gke-es-sa
+
+# if required change and apply the ClusterSecretStore CRD
+kubectl apply -f infrastructure/platform/external-secrets/secret-store.yaml
+
+# this is how to create secrets in the 
+gcloud secrets create external-secrets-sa --data-file=external-secrets-sa.json --replication-policy=automatic
+kubectl apply -f infrastructure/platform/external-secrets/sa-secret.yaml
+kubectl get secret gcp-sa-credentials -o jsonpath='{.data.external-secrets-sa.json}' | base64 -d
+```
+
 ## Building a chat service with Quarkus and OpenAI
 
 ```bash

diff --git a/infrastructure/platform/external-secrets/kustomization.yaml b/infrastructure/platform/external-secrets/kustomization.yaml
@@ -2,5 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - namespace.yaml
+  - sa.yaml
   - repository.yaml
-  - release.yaml
+  - release.yaml
+  - secret-store.yaml
diff --git a/infrastructure/platform/external-secrets/sa-secret.yaml b/infrastructure/platform/external-secrets/sa-secret.yaml
@@ -0,0 +1,18 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: gcp-sa-credentials
+  namespace: default
+spec:
+  refreshInterval: 1h               # rate SecretManager pulls GCPSM
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: gcp-secret-manager-store  # name of the SecretStore (or kind specified)
+    namespace: external-secrets
+  target:
+    name: gcp-sa-credentials        # name of the k8s Secret to be created
+    creationPolicy: Owner
+  data:
+  - secretKey: external-secrets-sa.json
+    remoteRef:
+      key: external-secrets-sa     # name of the GCPSM secret key
diff --git a/infrastructure/platform/external-secrets/sa.yaml b/infrastructure/platform/external-secrets/sa.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: external-secrets-sa
+  namespace: external-secrets
+  annotations:
+    iam.gke.io/gcp-service-account: external-secrets-sa@cloud-native-experience-lab.iam.gserviceaccount.com
diff --git a/infrastructure/platform/external-secrets/secret-store.yaml b/infrastructure/platform/external-secrets/secret-store.yaml
@@ -0,0 +1,18 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ClusterSecretStore
+metadata:
+  name: gcp-secret-manager-store
+  namespace: external-secrets
+spec:
+  provider:
+    gcpsm:
+      projectID: cloud-native-experience-lab
+      auth:
+        workloadIdentity:
+          clusterLocation: europe-west4
+          clusterName: k8s-native-java-ai
+          # projectID of the cluster (if omitted defaults to spec.provider.gcpsm.projectID)
+          # clusterProjectID: cloud-native-experience-lab
+          serviceAccountRef:
+            name: external-secrets-sa
+            namespace: external-secrets