3

I am setting up my Kubernetes cluster using kubectl -k (kustomize). Like any other such arrangement, I depend on some secrets during deployment. The route I want to go is to use the secretGenerator feature of kustomize to fetch my secrets from files or environment variables.

However, managing said files or environment variables in a secure and portable manner has shown itself to be a challenge, especially since I have 3 separate namespaces for test, stage and production, each requiring a different set of secrets.

So I thought surely there must be a way for me to manage the secrets in my cloud provider's official way (google cloud platform - secret manager).

So what would a secretGenerator that accesses secrets stored in the secret manager look like?

My naive guess would be something like this:

secretGenerator:
 - name: juicy-environment-config
   google-secret-resource-id: projects/133713371337/secrets/juicy-test-secret/versions/1
   type: some-google-specific-type

  • Is this at all possible?
  • What would the example look like?
  • Where is this documented?
  • If this is not possible, what are my alternatives?
Mr. Developerdude
  • 9,118
  • 10
  • 57
  • 95

2 Answers

3

I'm not aware of a plugin for that. The plugin system in Kustomize is somewhat new (added about 6 months ago) so there aren't a ton in the wild so far, and Secrets Manager is only a few weeks old. You can find docs at https://github.com/kubernetes-sigs/kustomize/tree/master/docs/plugins for writing one though. That links to a few Go plugins for secrets management so you can probably take one of those and rework it to the GCP API.

coderanger
  • 52,400
  • 4
  • 52
  • 75
1

There is a Go plugin for this (I helped write it), but plugins weren't supported until more recent versions of Kustomize, so you'll need to install Kustomize directly and run it like kustomize build <path> | kubectl apply -f - rather than kubectl -k. This is a good idea anyway IMO since there are a lot of other useful features in newer versions of Kustomize than the one that's built into kubectl.

As seen in the examples, after you've installed the plugin (or you can run it within Docker, see readme) you can define files like the following and commit them to version control:

my-secret.yaml

apiVersion: crd.forgecloud.com/v1
kind: EncryptedSecret
metadata:
  name: my-secrets
  namespace: default
source: GCP
gcpProjectID: my-gcp-project-id
keys:
- creds.json
- ca.crt

In your kustomization.yaml you would add

generators:
- my-secret.yaml

and when you run kustomize build it'll automatically retrieve your secret values from Google Secret Manager and output Kubernetes secret objects.

damick
  • 1,055
  • 1
  • 10
  • 17
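Both answers point at the same pattern: commit only a reference to the secret and let a kustomize generator plugin resolve it at build time. The following is an added, self-contained example of what such an exec-style generator looks like, not code from the question, the answers, or the plugin damick mentions. The `GcpSecretGenerator` kind, the `example.invalid` API group, the project number and the in-memory `FAKE_SECRET_MANAGER` store are all constructed stand-ins; a real generator would replace `fake_fetch` with a call into the google-cloud-secret-manager client. The exec-plugin calling convention (config path as the first argument, resources on stdout) is stated as an assumption and should be checked against the kustomize plugin docs linked in the first answer.

```python
"""Exec-style kustomize generator (added example): turns a committed,
reference-only config into a Kubernetes Secret at build time."""
import base64
import json
import sys
from typing import Callable, Dict

# Constructed stand-in for Google Secret Manager. A real generator would
# resolve each resource ID with google-cloud-secret-manager, e.g.
#   SecretManagerServiceClient().access_secret_version(name=resource_id).payload.data
FAKE_SECRET_MANAGER: Dict[str, bytes] = {
    "projects/123456789012/secrets/db-password/versions/1": b"s3cr3t-test",
    "projects/123456789012/secrets/db-password/versions/2": b"s3cr3t-stage",
}

# Constructed generator config; the kind and apiVersion are hypothetical.
# Only resource IDs are committed to version control, never secret values.
SAMPLE_CONFIG = """\
apiVersion: example.invalid/v1
kind: GcpSecretGenerator
metadata:
  name: juicy-environment-config
  namespace: test
secrets:
  DB_PASSWORD: projects/123456789012/secrets/db-password/versions/1
"""


def parse_generator_config(text: str) -> dict:
    """Parse the flat two-level shape used above (top-level `key: value`
    plus indented mappings under `metadata:` and `secrets:`).
    Deliberately not a general YAML parser, so the example has no dependencies."""
    cfg: dict = {}
    section = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indented = line.startswith(" ")
        key, _, value = line.strip().partition(":")
        value = value.strip()
        if not indented and value == "":      # "metadata:" opens a nested mapping
            section = key
            cfg[section] = {}
        elif indented and section is not None:
            cfg[section][key] = value
        else:                                  # top-level scalar such as "kind: ..."
            section = None
            cfg[key] = value
    return cfg


def build_secret(cfg: dict, fetch: Callable[[str], bytes]) -> dict:
    """Resolve every reference and return a Secret manifest as a dict.
    An unresolved reference raises, so `kustomize build` fails instead of
    silently producing a Secret with missing keys."""
    data = {key: base64.b64encode(fetch(ref)).decode("ascii")
            for key, ref in cfg["secrets"].items()}
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {
            "name": cfg["metadata"]["name"],
            "namespace": cfg["metadata"].get("namespace", "default"),
            # Ask kustomize to append a content hash to the name, so workloads
            # that reference the Secret roll when the secret version changes.
            "annotations": {"kustomize.config.k8s.io/needs-hash": "true"},
        },
        "type": "Opaque",
        "data": data,
    }


def fake_fetch(resource_id: str) -> bytes:
    """Lookup against the constructed store; mirrors the real client's
    behaviour of raising on an unknown secret version."""
    if resource_id not in FAKE_SECRET_MANAGER:
        raise KeyError(f"secret version not found: {resource_id}")
    return FAKE_SECRET_MANAGER[resource_id]


if __name__ == "__main__":
    # Assumed exec-plugin contract: the config file path is the first argument
    # and generated resources go to stdout (verify against the plugin docs).
    with open(sys.argv[1], encoding="utf-8") as fh:
        config = parse_generator_config(fh.read())
    # JSON is valid YAML, so kustomize can consume this without PyYAML.
    print(json.dumps(build_secret(config, fake_fetch), indent=2))
```

The per-namespace problem from the question is handled by the config, not the code: each overlay commits its own small file with the same keys but different resource IDs and a different `metadata.namespace`, while the generated Secret never touches the repository. Failing the build on a missing version (rather than emitting an empty value) is the behaviour you want, since a half-populated Secret is usually discovered only when a pod crashes.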