Skip to content
This repository has been archived by the owner on Jun 21, 2022. It is now read-only.
/ k8s-gsm-tools Public archive
generated from kubernetes/kubernetes-template-project

Controllers to sync and rotate kubernetes secrets with google secret manager

License

Apache-2.0 license
14 stars 8 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

kubernetes-retired/k8s-gsm-tools

BranchesTags

Repository files navigation

k8s-gsm-tools

Secret rotation and synchronization integrating Google Secret Manager and Kubernetes.

Current Functions

Parse configuration file into source and destination secrets.

Fetch the latest versions of from Secret Manager secret and Kubernetes secrets.

Prerequisites

  • Create a gke cluster.

  • Create service account for app

  • Enable Identity and Access Management (IAM) API for project.

      gcloud services enable iam.googleapis.com --project=<gcloud-project-id>

  • Grant required permissions to the service account gsa-name.

    • Permission to manage service account keys:

        gcloud projects add-iam-policy-binding <gcloud-project-id> --member "serviceAccount:<gsa-name>@<gcloud-project-id>.iam.gserviceaccount.com" --role "roles/iam.serviceAccountKeyAdmin"

    • Permission to get clusters:

        gcloud projects add-iam-policy-binding <gcloud-project-id> --member "serviceAccount:<gsa-name>@<gcloud-project-id>.iam.gserviceaccount.com" --role "roles/container.clusterViewer"

    • Permission to manage secrets:

        gcloud projects add-iam-policy-binding <gcloud-project-id> --member "serviceAccount:<gsa-name>@<gcloud-project-id>.iam.gserviceaccount.com" --role "roles/secretmanager.admin"

    • Permission to manage secrets within containers:

      • Create a custom iam role iam-role-id with container.secrets.* permissions and add the role to service account gsa-name:

        • service-secret-role.yaml

            title: Kubernetes Engine Secret Admin
  description: Provides access to management of Kubernetes Secrets
  stage: GA
  includedPermissions:
  - container.secrets.create
  - container.secrets.list
  - container.secrets.get
  - container.secrets.delete
  - container.secrets.update

        • Create a custom iam role

            gcloud iam roles create <iam-role-id> --project=<gcloud-project-id> --file=service-secret-role.yaml

        • Add the role to service account gsa-name:

            gcloud projects add-iam-policy-binding <gcloud-project-id> --member "serviceAccount:<gsa-name>@<gcloud-project-id>.iam.gserviceaccount.com" --role "roles/<iam-role-id>"

      • Or just add [Kubernetes Engine Developer] role to service account gsa-name:

          gcloud projects add-iam-policy-binding <gcloud-project-id> --member "serviceAccount:<gsa-name>@<gcloud-project-id>.iam.gserviceaccount.com" --role "roles/container.developer"

  • Modify the cluster to enable Workload Identity

gcloud container clusters update <cluster-name> \
  --workload-pool=<gcloud-project-id>.svc.id.goog
  • Modify an existing node pool to enable GKE_METADATA
gcloud container node-pools update <nodepool-name> \
  --cluster=<cluster-name> \
  --workload-metadata=GKE_METADATA
  • Create Kubernetes service account
kubectl apply -f service-account/serviceaccount.yaml
  • Set up Workload Identity binding
gcloud iam service-accounts add-iam-policy-binding \
  --role roles/iam.workloadIdentityUser \
  --member "serviceAccount:<gcloud-project-id>.svc.id.goog[<k8s_namespace>/<ksa_name>]" \
  <gsa-name>@<gcloud-project-id>.iam.gserviceaccount.com
  • Annotate the KSA to complete the binding between the KSA and GSA
kubectl annotate serviceaccount \
  --namespace <k8s_namespace> \
   <ksa_name> \
   iam.gke.io/gcp-service-account=<gsa-name>@<gcloud-project-id>.iam.gserviceaccount.com
  • Set up Kubernetes service account role and binding (action might require container.roles.create and container.roles.bind permissions if using gke cluster)
kubectl apply -f service-account/role.yaml

Usage

  • secret-sync-controller

    • create ConfigMap config with key syncConfig.

    • deploy controller in continuous mode

        kubectl apply -f cmd/secret-sync-controller/deployment.yaml

    • run testing job

        kubectl apply -f cmd/secret-sync-controller/test-job.yaml

  • secret-rotator

    • create ConfigMap config with key rotConfig.

    • deploy rotator in continuous mode

        kubectl apply -f cmd/secret-rotator/deployment.yaml

  • test-svc-consumer

    • build image locally and push

        docker build --pull \
  --build-arg "cmd=consumer" \
  -t "gcr.io/<gcloud-project-id>/consumer:latest" \
  -f "./images/default/Dockerfile" .
  docker push gcr.io/<gcloud-project-id>/consumer

    • run consumer as a job

        kubectl apply -f experiment/cmd/consumer/job.yaml

Demo for rotating service account keys

  • create Secret Manager secret and Kubernetes namespace

      gcloud secrets create secret-1
  kubectl create namespace ns-a

  • deploy secret-sync-controller

      kubectl apply -f cmd/secret-sync-controller/deployment.yaml

  • deploy secret-rotator

      kubectl apply -f cmd/secret-rotator/deployment.yaml

  • deploy svc-consumer

      kubectl apply -f experiment/cmd/consumer/job.yaml

  • get logs

      kubectl logs -n ns-a <svc-consumer-pod>

  • cleanup

      kubectl delete -f cmd/secret-sync-controller/deployment.yaml
  kubectl delete -f cmd/secret-rotator/deployment.yaml
  kubectl delete -f experiment/cmd/consumer/job.yaml
  gcloud secrets delete secret-1
  kubectl create namespace ns-a

Building / pushing images

To build images locally:

make images

If you have access to a GCP project that has Google Cloud Build enabled:

gcloud builds submit --config=./images/cloudbuild.yaml .

This file can be used by a prow image-pushing job to push to the project's repository

About

Controllers to sync and rotate kubernetes secrets with google secret manager

Topics

k8s-sig-testing

Resources

Readme

License

Apache-2.0 license

Code of conduct

Code of conduct
Activity
Custom properties

Stars

14 stars

Watchers

2 watching

Forks

8 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 5

Languages