Migrating GKE Secrets to Secret Manager

Question

I was wondering if there are any migration guides for migrating from GKE Secrets to the Secret Manager API?

I am curious about why you need to migrate the GKE secret, could you share more details about it? Or have you tried to use the Secret Manager with workloads running on Compute Engine or Google Kubernetes Engine? In this [link](https://cloud.google.com/secret-manager/docs/using-other-products#google-kubernetes-engine), you can find more information on how you can use the Secret Manager with GKE workloads. — Leo, Jun 29 '22 at 17:35

score 1 · Accepted Answer · answered Jul 02 '22 at 10:08

I'm not aware of any existing guides for doing this.

Basically, you'll need to

recreate all of your secrets in Secret Manager
modify your application code to use the Secrets Manager API to access the secrets
ensure you have Workload Identity enabled for your cluster
make sure your pod(s) use a identity with access to Secrets Manager.
assuming everything above works, delete your existing Secrets

score 0 · Answer 2 · answered Jun 30 '22 at 04:07

0

By default, data in GKE secrets is stored in Base64 encoding, which is practically the same as plaintext. GCP Secret Manager are encrypted with Google-default encryption. With Google-default encryption, secret payloads are encrypted by keys managed by Google.

See this documentation.

answered Jun 30 '22 at 04:07

かいぜん

327
2
9

You can also use CMEK to encrypt secrets in GKE as well. – Gari Singh Jul 02 '22 at 10:03

Migrating GKE Secrets to Secret Manager

2 Answers2