Tags: kubernetes, google-cloud-platform, kubernetes-secrets, kustomize, google-secret-manager

Look up secrets from gcloud secrets manager directly as secretGenerator with kustomize


I am setting up my Kubernetes cluster using kubectl -k (kustomize). Like any other such arrangement, I depend on some secrets during deployment. The route I want to go is to use the secretGenerator feature of kustomize to fetch my secrets from files or environment variables.

However, managing said files or environment variables in a secure and portable manner has shown itself to be a challenge, especially since I have 3 separate namespaces for test, stage and production, each requiring a different set of secrets.

So I thought surely there must be a way for me to manage the secrets in my cloud provider's official way (google cloud platform - secret manager).

So what would a secretGenerator that accesses secrets stored in the secret manager look like?

My naive guess would be something like this:

secretGenerator:
 - name: juicy-environment-config
   google-secret-resource-id: projects/133713371337/secrets/juicy-test-secret/versions/1
   type: some-google-specific-type

Solution

  • I'm not aware of a plugin for that. The plugin system in Kustomize is somewhat new (added about 6 months ago) so there aren't a ton in the wild so far, and Secrets Manager is only a few weeks old. You can find docs at https://github.com/kubernetes-sigs/kustomize/tree/master/docs/plugins for writing one though. That links to a few Go plugins for secrets management so you can probably take one of those and rework it to the GCP API.
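To make the answer's suggestion concrete, here is an added example (not code from the answerer, the asker, or the kustomize project) of the core of such a generator written in Go: it takes a config modelled on the asker's sketch, resolves each referenced Secret Manager version through a small interface, and emits a Kubernetes Secret manifest. The config shape, the SecretAccessor interface and the MapAccessor fake are all assumptions for illustration; in a real plugin the interface would wrap the GCP Secret Manager client's AccessSecretVersion call, and the kustomize exec-plugin wiring (reading the config file kustomize hands the binary) is left out so the program runs offline. Two defensive details are worth noting: it refuses resource IDs that are not pinned to a specific version, so a deploy cannot silently pick up a rotated value, and it validates data key names so a malformed key cannot corrupt the emitted YAML.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"os"
	"regexp"
	"sort"
	"strings"
)

// SecretAccessor abstracts "read the payload of one secret version" so the
// generator can be exercised without network access. Assumption: in a real
// plugin this is where the GCP Secret Manager client's AccessSecretVersion
// call would be plugged in.
type SecretAccessor interface {
	AccessSecretVersion(resourceID string) ([]byte, error)
}

// MapAccessor is a constructed fake for demonstrations and tests.
type MapAccessor map[string][]byte

func (m MapAccessor) AccessSecretVersion(resourceID string) ([]byte, error) {
	payload, ok := m[resourceID]
	if !ok {
		return nil, fmt.Errorf("secret version %q not found", resourceID)
	}
	return payload, nil
}

// PluginConfig is a hypothetical generator config modelled on the question.
type PluginConfig struct {
	Name      string            // metadata.name of the generated Secret
	Namespace string            // target namespace (test, stage or production)
	Keys      map[string]string // Secret data key -> secret version resource ID
}

// Kubernetes Secret data keys must match this pattern; enforcing it keeps a
// bad key from breaking or altering the emitted YAML.
var validKey = regexp.MustCompile(`^[-._a-zA-Z0-9]+$`)

// RenderSecret resolves every referenced version and renders a Secret manifest.
// Payloads are base64-encoded as the Secret API expects; plaintext never has to
// be written into the kustomization tree or an environment variable.
func RenderSecret(cfg PluginConfig, acc SecretAccessor) (string, error) {
	if cfg.Name == "" {
		return "", fmt.Errorf("config: name is required")
	}
	keys := make([]string, 0, len(cfg.Keys))
	for k := range cfg.Keys {
		keys = append(keys, k)
	}
	sort.Strings(keys) // deterministic output keeps kustomize builds reproducible

	var b strings.Builder
	b.WriteString("apiVersion: v1\nkind: Secret\ntype: Opaque\nmetadata:\n")
	fmt.Fprintf(&b, "  name: %s\n", cfg.Name)
	if cfg.Namespace != "" {
		fmt.Fprintf(&b, "  namespace: %s\n", cfg.Namespace)
	}
	b.WriteString("data:\n")
	for _, k := range keys {
		if !validKey.MatchString(k) {
			return "", fmt.Errorf("key %q is not a valid Secret data key", k)
		}
		rid := cfg.Keys[k]
		// Require a pinned version: "projects/<n>/secrets/<name>/versions/<v>".
		if !strings.HasPrefix(rid, "projects/") || !strings.Contains(rid, "/versions/") {
			return "", fmt.Errorf("key %q: %q is not a pinned secret version resource ID", k, rid)
		}
		payload, err := acc.AccessSecretVersion(rid)
		if err != nil {
			return "", fmt.Errorf("key %q: %w", k, err)
		}
		fmt.Fprintf(&b, "  %s: %s\n", k, base64.StdEncoding.EncodeToString(payload))
	}
	return b.String(), nil
}

func main() {
	// Constructed sample: a fake store standing in for Secret Manager.
	store := MapAccessor{
		"projects/133713371337/secrets/juicy-test-secret/versions/1": []byte("hunter2"),
	}
	cfg := PluginConfig{
		Name:      "juicy-environment-config",
		Namespace: "test",
		Keys:      map[string]string{"password": "projects/133713371337/secrets/juicy-test-secret/versions/1"},
	}
	out, err := RenderSecret(cfg, store)
	if err != nil {
		fmt.Fprintln(os.Stderr, "generator failed:", err)
		os.Exit(1)
	}
	fmt.Print(out) // a kustomize generator emits its resources on stdout
}
```

Because the rendered Secret is only base64-encoded, not encrypted, the generated output should be treated with the same care as the source secret: pipe it straight into kustomize rather than committing it, and grant the plugin's service account only the Secret Manager accessor role on the specific secrets each namespace needs.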