@vfarcic
Last active December 21, 2023 19:05
# Source: https://gist.github.com/ab6782dd6f865b3ffa913d9e1e578e1b
############################################################
# Manage Kubernetes Secrets With External Secrets Operator #
# https://youtu.be/SyRZe5YVCVk #
############################################################
# Additional Info:
# - External Secrets: https://external-secrets.io
# - Bitnami Sealed Secrets - How To Store Kubernetes Secrets In Git Repositories: https://youtu.be/xd2QoV6GJlc
#########
# Setup #
#########
# Create a Kubernetes cluster
# External Secrets Operator works with any Kubernetes cluster and with the majority of secret stores.
# This demo uses Google Cloud Secret Manager as the backend.
# If you prefer a different secret store, some of the commands and manifests used in this demo will need to be adapted (see the Providers list on https://external-secrets.io).
git clone https://github.com/vfarcic/external-secrets-demo
cd external-secrets-demo
helm repo add external-secrets \
https://charts.external-secrets.io
helm repo update
helm upgrade --install \
external-secrets \
external-secrets/external-secrets \
--namespace external-secrets \
--create-namespace
# Create a throwaway Google Cloud project for the demo (or set PROJECT_ID to an existing project ID instead)
export PROJECT_ID=dot-$(date +%Y%m%d%H%M%S)
gcloud projects create $PROJECT_ID
echo https://console.cloud.google.com/marketplace/product/google/secretmanager.googleapis.com?project=$PROJECT_ID
# Open the URL and *ENABLE* the Secret Manager API (equivalently: gcloud services enable secretmanager.googleapis.com --project $PROJECT_ID)
gcloud iam service-accounts \
--project $PROJECT_ID \
create external-secrets
# Store a JSON document as the secret value (demo credentials, not a real database)
echo -ne '{
"name": "my-fancy-db",
"endpoint": "127.0.0.1:8200",
"username": "jdoe",
"password": "YouWillNeverFindOut",
"port": 8200
}' | gcloud secrets \
--project $PROJECT_ID \
create a-team-postgresql --data-file=-
# Least privilege: grant the service account read access to this one secret only (a per-secret binding, not project-wide secretAccessor)
gcloud secrets \
--project $PROJECT_ID \
add-iam-policy-binding a-team-postgresql \
--member "serviceAccount:external-secrets@$PROJECT_ID.iam.gserviceaccount.com" \
--role "roles/secretmanager.secretAccessor"
# This downloads a long-lived service-account key. Treat account.json as a credential: do not commit it, and delete it once it is in the cluster.
# On GKE, prefer Workload Identity (the External Secrets gcpsm provider supports it) so that no key file exists at all.
gcloud iam service-accounts \
--project $PROJECT_ID \
keys create account.json \
--iam-account=external-secrets@$PROJECT_ID.iam.gserviceaccount.com
kubectl create namespace a-team
kubectl --namespace external-secrets \
create secret generic gcp \
--from-file=credentials=account.json
# Point the SecretStore at this project. Write through a temp file: piping `cat` into `tee` on the same file can truncate it before it is read.
sed -e "s@projectID: .*@projectID: $PROJECT_ID@" secret-store.yaml \
> secret-store.yaml.tmp \
&& mv secret-store.yaml.tmp secret-store.yaml
cat secret-store.yaml
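Two checks worth running after the setup above, as an added example that is not part of the gist: that the service account holds only roles/secretmanager.secretAccessor on the one secret, and that the downloaded key file is gone once the cluster has it. The function names and the sample policy JSON in the test are mine; the live variants call `gcloud` and are not exercised offline.

```shell
#!/bin/sh
# Added example, not part of the gist. Function names and the sample
# policy documents are assumptions of this example.
set -eu

# Read an IAM policy as JSON on stdin (the shape that
# `gcloud secrets get-iam-policy ... --format json` prints). Succeed only
# when at least one binding exists and every bound role is the read-only
# accessor role the demo grants.
only_accessor_bindings() {
  roles=$(grep -o '"role": *"[^"]*"' | sed 's/.*: *"\(.*\)"/\1/' || true)
  [ -n "$roles" ] || return 1      # nothing bound: the operator cannot read the secret
  for role in $roles; do
    [ "$role" = "roles/secretmanager.secretAccessor" ] || return 1
  done
}

# Live version of the check. $1 = project ID, $2 = secret name.
# Needs gcloud and the project from the setup; not exercised offline.
audit_secret_policy() {
  gcloud secrets --project "$1" get-iam-policy "$2" --format json \
    | only_accessor_bindings
}

# Remove the service-account key file and confirm it is gone. $1 = path.
# Run this right after `kubectl create secret generic gcp ...` succeeds.
scrub_key_file() {
  rm -f "$1"
  [ ! -e "$1" ]
}
```

Typical use once the cluster holds the credential: `audit_secret_policy "$PROJECT_ID" a-team-postgresql && scrub_key_file account.json`. The policy check deliberately fails when no binding exists, since an ExternalSecret backed by an unreadable secret never syncs.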
#############################
# Managing External Secrets #
#############################
echo https://console.cloud.google.com/security/secret-manager?project=$PROJECT_ID
cat secret-store.yaml
kubectl apply --filename secret-store.yaml
cat external-secret.yaml
kubectl --namespace a-team apply \
--filename external-secret.yaml
kubectl --namespace a-team get secrets
kubectl --namespace a-team \
get secret postgresql \
--output yaml
kubectl --namespace a-team \
get secret postgresql \
--output jsonpath="{.data.password}" \
| base64 --decode
# Add a new version of the secret in Secret Manager (console URL above), wait for the ExternalSecret's refreshInterval to pass, then read the value again and confirm it changed
kubectl --namespace a-team \
get secret postgresql \
--output jsonpath="{.data.password}" \
| base64 --decode
# https://external-secrets.io > Providers
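The gist applies secret-store.yaml and external-secret.yaml without showing their contents. The script below, an added example and not the repository's own files, renders equivalent manifests for the names used above and validates the project ID before interpolating it. Assumptions: the store is a ClusterSecretStore named `gcp` (the gist applies it with no `--namespace`, and its credential Secret lives in the external-secrets namespace), the external-secrets.io/v1beta1 API, and the `property` field to copy only the `password` key out of the JSON document stored in Secret Manager. The function names are mine.

```shell
#!/bin/sh
# Added example, not the gist's own manifests. Kind/API version/names are
# assumptions described in the lead-in.
set -eu

# GCP project IDs: 6-30 chars, lowercase letters, digits and hyphens,
# starting with a letter and not ending with a hyphen. Reject anything
# else before it goes into YAML (the gist's sed substitution does not).
valid_project_id() {
  printf '%s' "$1" | grep -Eq '^[a-z][a-z0-9-]{4,28}[a-z0-9]$'
}

# $1 = project ID. Credentials come from the `gcp` Secret (key `credentials`)
# that the setup created in the external-secrets namespace.
render_secret_store() {
  valid_project_id "$1" || { echo "invalid project id: $1" >&2; return 1; }
  cat <<EOF
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
  name: gcp
spec:
  provider:
    gcpsm:
      projectID: $1
      auth:
        secretRef:
          secretAccessKeySecretRef:
            name: gcp
            key: credentials
            namespace: external-secrets
EOF
}

# $1 = refresh interval (how often the operator re-reads Secret Manager).
# Only `password` is copied into the Kubernetes Secret; the other fields of
# the JSON document never enter the cluster.
render_external_secret() {
  cat <<EOF
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: postgresql
spec:
  refreshInterval: $1
  secretStoreRef:
    kind: ClusterSecretStore
    name: gcp
  target:
    name: postgresql
    creationPolicy: Owner
  data:
    - secretKey: password
      remoteRef:
        key: a-team-postgresql
        property: password
EOF
}

# Block until the ExternalSecret reports Ready (reason SecretSynced) or the
# timeout passes. $1 = namespace, $2 = ExternalSecret name, $3 = timeout.
# Needs kubectl and a cluster; not exercised offline.
wait_synced() {
  kubectl --namespace "$1" wait "externalsecret/$2" \
    --for=condition=Ready --timeout="${3:-60s}"
}

# When run directly with PROJECT_ID set, print both manifests to stdout.
if [ -n "${PROJECT_ID:-}" ]; then
  render_secret_store "$PROJECT_ID"
  echo '---'
  render_external_secret 1h
fi
```

Apply the rendered store cluster-wide and the ExternalSecret into a-team, then `wait_synced a-team postgresql 60s` before reading the Secret; a timeout there usually means the IAM binding or the credential Secret is wrong, and `kubectl describe externalsecret` shows the provider error.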
###########
# Destroy #
###########
gcloud projects delete $PROJECT_ID
# Deleting the project invalidates the service-account key; still delete the local account.json and the `gcp` Secret in the external-secrets namespace
# Destroy or reset the Kubernetes cluster