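# Source: https://gist.github.com/ab6782dd6f865b3ffa913d9e1e578e1b

############################################################
# Manage Kubernetes Secrets With External Secrets Operator #
# https://youtu.be/SyRZe5YVCVk                             #
############################################################

# Additional Info:
# - External Secrets: https://external-secrets.io
# - Bitnami Sealed Secrets - How To Store Kubernetes Secrets In Git Repositories: https://youtu.be/xd2QoV6GJlc

#########
# Setup #
#########

# Create a Kubernetes cluster

# External secrets work with any Kubernetes cluster and the majority of secret stores.
# This demo works with Google Cloud Secret Manager.
# If you prefer a different secret store, some of the commands and manifests used in this demo might need to be updated.
# The commands below are meant to be run one at a time; there is a manual step after the API URL is printed.

git clone https://github.com/vfarcic/external-secrets-demo

cd external-secrets-demo

helm repo add external-secrets \
    https://charts.external-secrets.io

helm repo update

helm upgrade --install \
    external-secrets \
    external-secrets/external-secrets \
    --namespace external-secrets \
    --create-namespace

# A unique project ID is generated from the current timestamp. Replace the value
# with an existing Google Cloud Project ID if you want to reuse a project.
PROJECT_ID="dot-$(date +%Y%m%d%H%M%S)"
export PROJECT_ID

gcloud projects create "$PROJECT_ID"

# Quoted so the `?` in the URL is not treated as a glob character.
printf '%s\n' "https://console.cloud.google.com/marketplace/product/google/secretmanager.googleapis.com?project=$PROJECT_ID"

# Open the URL and *ENABLE* the API

gcloud iam service-accounts \
    --project "$PROJECT_ID" \
    create external-secrets

# The secret payload is fed through stdin (--data-file=-), so it never appears
# as a command-line argument of gcloud. printf '%s' prints the literal without
# a trailing newline, the same as the original `echo -ne`.
printf '%s' '{
    "name": "my-fancy-db",
    "endpoint": "127.0.0.1:8200",
    "username": "jdoe",
    "password": "YouWillNeverFindOut",
    "port": 8200
}' | gcloud secrets \
    --project "$PROJECT_ID" \
    create a-team-postgresql --data-file=-

# Grant the service account read access to this one secret only.
gcloud secrets \
    --project "$PROJECT_ID" \
    add-iam-policy-binding a-team-postgresql \
    --member "serviceAccount:external-secrets@$PROJECT_ID.iam.gserviceaccount.com" \
    --role "roles/secretmanager.secretAccessor"

# This writes a long-lived service-account private key to the working directory.
# Restrict it to the current user immediately and remove it once it has been
# loaded into the cluster (see the Destroy section).
gcloud iam service-accounts \
    --project "$PROJECT_ID" \
    keys create account.json \
    --iam-account="external-secrets@$PROJECT_ID.iam.gserviceaccount.com"

chmod 600 account.json

kubectl create namespace a-team

kubectl --namespace external-secrets \
    create secret generic gcp \
    --from-file=credentials=account.json

# Rewrite the manifest through a temporary copy. Reading and writing the same
# file in one pipeline (`cat f | sed | tee f`) can truncate the file before
# cat has read it, leaving an empty manifest.
sed -e "s@projectID: .*@projectID: $PROJECT_ID@" secret-store.yaml > secret-store.yaml.tmp \
    && mv secret-store.yaml.tmp secret-store.yaml

cat secret-store.yaml

#############################
# Managing External Secrets #
#############################

printf '%s\n' "https://console.cloud.google.com/security/secret-manager?project=$PROJECT_ID"

cat secret-store.yaml

kubectl apply --filename secret-store.yaml

cat external-secret.yaml

kubectl --namespace a-team apply \
    --filename external-secret.yaml

kubectl --namespace a-team get secrets

kubectl --namespace a-team \
    get secret postgresql \
    --output yaml

# The value is decoded to the terminal for demonstration only.
kubectl --namespace a-team \
    get secret postgresql \
    --output jsonpath="{.data.password}" \
    | base64 --decode

# Same read, repeated to show the synced value (e.g. after changing the secret in Secret Manager).
kubectl --namespace a-team \
    get secret postgresql \
    --output jsonpath="{.data.password}" \
    | base64 --decode

# https://external-secrets.io > Providers

###########
# Destroy #
###########

gcloud projects delete "$PROJECT_ID"

# Deleting the project invalidates the key, but the private key material
# should still not be left on disk.
rm -f -- account.json

# Destroy or reset the Kubernetes cluster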