-
Enabled and configured secret manager API on your GCP project. Secret Manager Docs
-
Install CRDs
make install
- Uncomment and update credentials to be used in
config/credentials/kustomization.yaml:
resources:
- credentials-gsm.yaml
# - credentials-asm.yaml
# - credentials-dummy.yaml
# - credentials-gitlab.yaml- Update the gsm credentials
config/credentials/credentials-gsm.yamlwith service account key JSON
%cat config/credentials/credentials-gsm.yaml
...
credentials.json: |-
{
"type": "service_account"
....
}
- Update the
SecretStoreresource definitionconfig/samples/store_v1alpha1_secretstore.yaml
% cat `config/samples/store_v1alpha1_secretstore.yaml
apiVersion: store.externalsecret-operator.container-solutions.com/v1alpha1
kind: SecretStore
metadata:
name: secretstore-sample
spec:
controller: staging
store:
type: gsm
auth:
secretRef:
name: externalsecret-operator-credentials-gsm
parameters:
projectID: external-secrets-operator- Update the
ExternalSecretresource definitionconfig/samples/secrets_v1alpha1_externalsecret.yaml
% cat config/samples/secrets_v1alpha1_externalsecret.yaml
apiVersion: secrets.externalsecret-operator.container-solutions.com/v1alpha1
kind: ExternalSecret
metadata:
name: externalsecret-sample
spec:
storeRef:
name: externalsecret-operator-secretstore-sample
data:
- key: example-externalsecret-key
version: latest- The operator fetches the secret from GCP Secret Manager and injects it as a secret:
% make deploy
% kubectl get secret externalsecret-operator-externalsecret-sample -n externalsecret-operator-system \
-o jsonpath='{.data.example-externalsecret-key}' | base64 -d