Managing secrets in Kubernetes: External Secrets Operator (ESO) with Google Secret Manager.
So far, we've explored how to use Sealed Secrets and HashiCorp Vault for storing our secrets. If you haven't seen those posts yet, please check the links below.
Now, let's dive into using External Secrets Operator (ESO) with Google Secret Manager. ESO supports many providers (Google Secret Manager is just one of them), and you can choose the one that best suits your needs.
Architecture:

Prerequisites:
1) A Kubernetes cluster, with kubectl and helm configured against it
Let's start.
- Install ESO with Helm using the following commands.
helm repo add external-secrets https://charts.external-secrets.io

helm install external-secrets \
  external-secrets/external-secrets \
  -n external-secrets \
  --create-namespace

- Create an IAM service account in your Google Cloud project and grant it the "Secret Manager Secret Accessor" role (roles/secretmanager.secretAccessor). Read access to secret versions is all ESO needs for this setup.

- Create a JSON key for that service account and download it.

- Now create the Kubernetes Secret that ESO uses to authenticate to Google Cloud. Paste the contents of the downloaded JSON key as the value of "secret-access-credentials". The block scalar must contain only the JSON: a comment placed inside it becomes part of the value and breaks JSON parsing.
apiVersion: v1
kind: Secret
metadata:
  name: gcpsm-secret
  labels:
    type: gcpsm
type: Opaque
stringData:
  # Your JSON key goes in the block scalar below (JSON only, no comments).
  secret-access-credentials: |-
    {
      "type": "service_account",
      "project_id": "external-secrets-operator",
      "private_key_id": "",
      "private_key": "-----BEGIN PRIVATE KEY-----\nA key\n-----END PRIVATE KEY-----\n",
      "client_email": "test-service-account@external-secrets-operator.iam.gserviceaccount.com",
      "client_id": "client ID",
      "auth_uri": "https://accounts.google.com/o/oauth2/auth",
      "token_uri": "https://oauth2.googleapis.com/token",
      "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
      "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/test-service-account%40external-secrets-operator.iam.gserviceaccount.com"
    }


- Create the SecretStore and fill in your Google Cloud project ID. It points ESO at the gcpsm-secret created above, which is how the operator authenticates to Secret Manager.
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: gcp-store
spec:
  provider:
    gcpsm: # Google Secret Manager provider
      auth:
        secretRef:
          secretAccessKeySecretRef:
            name: gcpsm-secret # Secret containing the SA key
            key: secret-access-credentials # key inside that Secret holding the SA key
      projectID: <google-project-id>

- Create the ExternalSecret, which fetches the secrets from Google Secret Manager and creates a Secret in our cluster.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: app-secret-creator
spec:
  refreshInterval: 3m # how often ESO re-reads the values from GCPSM
  secretStoreRef:
    kind: SecretStore
    name: gcp-store # name of the SecretStore defined above
  target:
    name: app-secret # name of the k8s Secret to be created
    creationPolicy: Owner
  data:
    - secretKey: Username
      remoteRef:
        key: Test-Username # name of the secret in GCPSM
    - secretKey: Password
      remoteRef:
        key: Test-Password # name of the secret in GCPSM
The remoteRef key is the name of the secret in Google Secret Manager, and secretKey is whatever name you choose for the corresponding key in the Kubernetes Secret that gets created.


If everything is configured correctly, the status of the ExternalSecret will report "SecretSynced".

ESO then creates the new Secret resource (app-secret) in the cluster.
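Rather than eyeballing kubectl output, the sync state described above can be checked programmatically. The following is an added example and not code from the original post: it reads the JSON that kubectl get externalsecret app-secret-creator -o json and kubectl get secret app-secret -o json would return, confirms the Ready condition carries reason SecretSynced, and verifies that every secretKey declared in the ExternalSecret exists in the created Secret. The three JSON documents are constructed samples shaped like ESO's output; the failing sample uses ESO's SecretSyncedError reason to show what a bad remoteRef looks like.

```python
"""Post-sync check for an ExternalSecret and the Secret it creates.

Added example (not from the original post). Feed it the output of
  kubectl get externalsecret app-secret-creator -o json
  kubectl get secret app-secret -o json
The documents below are constructed samples shaped like that output.
"""
import base64
import json

# Constructed sample: a healthy ExternalSecret as ESO reports it.
EXTERNALSECRET_JSON = json.dumps({
    "apiVersion": "external-secrets.io/v1beta1",
    "kind": "ExternalSecret",
    "metadata": {"name": "app-secret-creator", "namespace": "default"},
    "spec": {
        "refreshInterval": "3m",
        "secretStoreRef": {"kind": "SecretStore", "name": "gcp-store"},
        "target": {"name": "app-secret", "creationPolicy": "Owner"},
        "data": [
            {"secretKey": "Username", "remoteRef": {"key": "Test-Username"}},
            {"secretKey": "Password", "remoteRef": {"key": "Test-Password"}},
        ],
    },
    "status": {
        "conditions": [{"type": "Ready", "status": "True",
                        "reason": "SecretSynced", "message": "Secret was synced"}],
        "refreshTime": "2024-01-01T00:00:00Z",
    },
})

# Constructed sample: the Secret ESO creates (values base64-encoded, as kubectl shows them).
SECRET_JSON = json.dumps({
    "apiVersion": "v1",
    "kind": "Secret",
    "metadata": {"name": "app-secret", "namespace": "default"},
    "type": "Opaque",
    "data": {"Username": base64.b64encode(b"demo-user").decode(),
             "Password": base64.b64encode(b"demo-pass").decode()},
})

# Constructed sample: a failing ExternalSecret (e.g. wrong GCPSM secret name or IAM role).
FAILED_EXTERNALSECRET_JSON = json.dumps({
    "kind": "ExternalSecret",
    "metadata": {"name": "app-secret-creator"},
    "spec": {"target": {"name": "app-secret"}, "data": []},
    "status": {"conditions": [{"type": "Ready", "status": "False",
                               "reason": "SecretSyncedError",
                               "message": "could not get secret data from provider"}]},
})


def ready_condition(externalsecret_json: str) -> dict:
    """Return the Ready condition, or {} if ESO has not reconciled the object yet."""
    obj = json.loads(externalsecret_json)
    for cond in obj.get("status", {}).get("conditions", []):
        if cond.get("type") == "Ready":
            return cond
    return {}


def is_synced(externalsecret_json: str) -> bool:
    """True only when Ready is True with reason SecretSynced."""
    cond = ready_condition(externalsecret_json)
    return cond.get("status") == "True" and cond.get("reason") == "SecretSynced"


def expected_keys(externalsecret_json: str) -> list[str]:
    """Keys the ExternalSecret promises to write (spec.data[].secretKey)."""
    obj = json.loads(externalsecret_json)
    return sorted(d["secretKey"] for d in obj["spec"].get("data", []))


def missing_keys(externalsecret_json: str, secret_json: str) -> list[str]:
    """Declared keys that the created Secret does not actually contain."""
    present = set(json.loads(secret_json).get("data", {}))
    return [k for k in expected_keys(externalsecret_json) if k not in present]


def decoded_value(secret_json: str, key: str) -> str:
    """Decode one base64 value from a Secret fetched with -o json."""
    return base64.b64decode(json.loads(secret_json)["data"][key]).decode()


if __name__ == "__main__":
    cond = ready_condition(EXTERNALSECRET_JSON)
    print("Ready:", cond.get("status"), "reason:", cond.get("reason"), "-", cond.get("message"))
    print("synced:", is_synced(EXTERNALSECRET_JSON))
    print("missing keys:", missing_keys(EXTERNALSECRET_JSON, SECRET_JSON))
    print("failing sample reason:", ready_condition(FAILED_EXTERNALSECRET_JSON).get("reason"))
```

Checking the Ready condition's reason rather than only its status matters because a previously synced Secret stays in the cluster when a later refresh fails; the condition is the only place that tells you the values may be stale.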

This app-secret is created and kept up to date by the External Secrets Operator. That's it: your app can consume this Secret like any other. Every manifest in this setup can be shared on any git repository except the "gcpsm-secret" file, because it contains the service-account key itself.
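Because the gcpsm-secret manifest is the one file that must never reach git, a check that catches it before a commit is worth having. The following is an added example, not code from the original post: it scans a multi-document manifest as plain text (no YAML library required) and reports any document that embeds a Google service-account JSON key. The manifest it scans is a constructed sample that mirrors the post, with a fake key: gcpsm-secret must be flagged, and the SecretStore, which only references that Secret by name, must pass.

```python
"""Flag manifests that embed a Google service-account key before they reach git.

Added example (not from the original post); the manifest is a constructed sample.
"""
import re

# Constructed sample: the Secret and SecretStore from the post, with a fake key.
MANIFESTS = """\
apiVersion: v1
kind: Secret
metadata:
  name: gcpsm-secret
  labels:
    type: gcpsm
type: Opaque
stringData:
  secret-access-credentials: |-
    {
      "type": "service_account",
      "project_id": "example-project",
      "private_key_id": "0123abcd",
      "private_key": "-----BEGIN PRIVATE KEY-----\\nFAKEKEYMATERIAL\\n-----END PRIVATE KEY-----\\n",
      "client_email": "eso@example-project.iam.gserviceaccount.com"
    }
---
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: gcp-store
spec:
  provider:
    gcpsm:
      auth:
        secretRef:
          secretAccessKeySecretRef:
            name: gcpsm-secret
            key: secret-access-credentials
      projectID: example-project
"""

# Each marker only shows up when a service-account key has been pasted into a manifest.
SA_KEY_MARKERS = (
    ("service_account type", re.compile(r'"type"\s*:\s*"service_account"')),
    ("private key PEM", re.compile(r"-----BEGIN (?:RSA )?PRIVATE KEY-----")),
    ("private_key field", re.compile(r'"private_key"\s*:')),
    ("service account e-mail", re.compile(r"[\w.-]+@[\w.-]+\.iam\.gserviceaccount\.com")),
)


def split_documents(manifest: str) -> list[str]:
    """Split on YAML '---' separators, dropping empty documents."""
    parts = re.split(r"^---[ \t]*$", manifest, flags=re.MULTILINE)
    return [p.strip("\n") for p in parts if p.strip()]


def kind_and_name(doc: str) -> tuple[str, str]:
    """Read top-level kind and metadata.name with a simple line scan."""
    kind = name = "?"
    in_metadata = False
    meta_indent = None
    for line in doc.splitlines():
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        if indent == 0:
            in_metadata = line.startswith("metadata:")
            if line.startswith("kind:"):
                kind = line.split(":", 1)[1].strip()
        elif in_metadata:
            meta_indent = indent if meta_indent is None else meta_indent
            # only direct children of metadata: count, not e.g. a label called name
            if indent == meta_indent and line.lstrip().startswith("name:"):
                name = line.split(":", 1)[1].strip()
    return kind, name


def sa_key_markers(doc: str) -> list[str]:
    """Labels of the service-account-key markers present in one document."""
    return [label for label, pattern in SA_KEY_MARKERS if pattern.search(doc)]


def unsafe_to_commit(manifest: str) -> list[dict]:
    """Documents that embed key material, with the markers that gave them away."""
    findings = []
    for doc in split_documents(manifest):
        hits = sa_key_markers(doc)
        if hits:
            kind, name = kind_and_name(doc)
            findings.append({"kind": kind, "name": name, "markers": hits})
    return findings


if __name__ == "__main__":
    for f in unsafe_to_commit(MANIFESTS):
        print(f"DO NOT COMMIT {f['kind']}/{f['name']}: {', '.join(f['markers'])}")
```

Wire unsafe_to_commit into a pre-commit hook over the staged YAML files and fail the commit on any finding; the markers are deliberately specific to Google service-account keys, so ordinary application Secrets and the ESO-managed app-secret (which never exists as a file) are not reported.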
By using the External Secrets Operator with Google Secret Manager, you can seamlessly and securely manage secrets in your Kubernetes cluster. Changes made in Google Secret Manager are picked up on the next refresh interval and synchronized into the cluster automatically, enhancing both security and convenience.
That's all from my side. Keep learning and keep hustling.