mirror of https://github.com/openshift/openshift-docs.git synced 2026-02-05 12:46:18 +01:00
openshift-docs/modules/secrets-store-google.adoc
2025-11-14 07:40:30 +00:00
// Module included in the following assemblies:
//
// * nodes/pods/nodes-pods-secrets-store.adoc
:_mod-docs-content-type: PROCEDURE
[id="secrets-store-google_{context}"]
= Mounting secrets from Google Secret Manager
You can use the {secrets-store-operator} to mount secrets from Google Secret Manager to a Container Storage Interface (CSI) volume in {product-title}. To mount secrets from Google Secret Manager, your cluster must be installed on {gcp-first}.
.Prerequisites
* You have access to the cluster as a user with the `cluster-admin` role.
* You have installed the {secrets-store-operator}. See "Installing the {secrets-store-driver}" for instructions.
* You have configured Google Secret Manager to store the required secrets.
* You have created a service account key named `key.json` from your {gcp-full} service account.
.Procedure
. Install the Google Secret Manager provider:
.. Create a YAML file named `gcp-provider.yaml` that defines the `ServiceAccount`, `ClusterRole`, `ClusterRoleBinding`, and `DaemonSet` resources for the provider. See the following example configuration:
+
.Example `gcp-provider.yaml` file
[source,yaml]
----
apiVersion: v1
kind: ServiceAccount
metadata:
  name: csi-secrets-store-provider-gcp
  namespace: openshift-cluster-csi-drivers
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: csi-secrets-store-provider-gcp-rolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: csi-secrets-store-provider-gcp-role
subjects:
- kind: ServiceAccount
  name: csi-secrets-store-provider-gcp
  namespace: openshift-cluster-csi-drivers
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: csi-secrets-store-provider-gcp-role
rules:
- apiGroups:
  - ""
  resources:
  - serviceaccounts/token
  verbs:
  - create
- apiGroups:
  - ""
  resources:
  - serviceaccounts
  verbs:
  - get
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: csi-secrets-store-provider-gcp
  namespace: openshift-cluster-csi-drivers
  labels:
    app: csi-secrets-store-provider-gcp
spec:
  updateStrategy:
    type: RollingUpdate
  selector:
    matchLabels:
      app: csi-secrets-store-provider-gcp
  template:
    metadata:
      labels:
        app: csi-secrets-store-provider-gcp
    spec:
      serviceAccountName: csi-secrets-store-provider-gcp
      initContainers:
      - name: chown-provider-mount
        image: busybox
        command:
        - chown
        - "1000:1000"
        - /etc/kubernetes/secrets-store-csi-providers
        volumeMounts:
        - mountPath: "/etc/kubernetes/secrets-store-csi-providers"
          name: providervol
        securityContext:
          privileged: true
      hostNetwork: false
      hostPID: false
      hostIPC: false
      containers:
      - name: provider
        image: us-docker.pkg.dev/secretmanager-csi/secrets-store-csi-driver-provider-gcp/plugin@sha256:a493a78bbb4ebce5f5de15acdccc6f4d19486eae9aa4fa529bb60ac112dd6650
        securityContext:
          privileged: true
        imagePullPolicy: IfNotPresent
        resources:
          requests:
            cpu: 50m
            memory: 100Mi
          limits:
            cpu: 50m
            memory: 100Mi
        env:
        - name: TARGET_DIR
          value: "/etc/kubernetes/secrets-store-csi-providers"
        volumeMounts:
        - mountPath: "/etc/kubernetes/secrets-store-csi-providers"
          name: providervol
          mountPropagation: None
          readOnly: false
        livenessProbe:
          failureThreshold: 3
          httpGet:
            path: /live
            port: 8095
          initialDelaySeconds: 5
          timeoutSeconds: 10
          periodSeconds: 30
      volumes:
      - name: providervol
        hostPath:
          path: /etc/kubernetes/secrets-store-csi-providers
      tolerations:
      - key: kubernetes.io/arch
        operator: Equal
        value: amd64
        effect: NoSchedule
      nodeSelector:
        kubernetes.io/os: linux
----
.. Grant privileged access to the `csi-secrets-store-provider-gcp` service account by running the following command:
+
[source,terminal]
----
$ oc adm policy add-scc-to-user privileged -z csi-secrets-store-provider-gcp -n openshift-cluster-csi-drivers
----
.. Create the provider resources by running the following command:
+
[source,terminal]
----
$ oc apply -f gcp-provider.yaml
----
. Grant a read permission to the Google Secret Manager secret:
.. Create a new project by running the following command:
+
[source,terminal]
----
$ oc new-project my-namespace
----
.. Label the `my-namespace` namespace for pod security admission by running the following command:
+
[source,terminal]
----
$ oc label ns my-namespace security.openshift.io/scc.podSecurityLabelSync=false pod-security.kubernetes.io/enforce=privileged pod-security.kubernetes.io/audit=privileged pod-security.kubernetes.io/warn=privileged --overwrite
----
.. Create a service account for the pod deployment by running the following command:
+
[source,terminal]
----
$ oc create serviceaccount my-service-account --namespace=my-namespace
----
.. Create a generic secret from the `key.json` file by running the following command:
+
[source,terminal]
----
$ oc create secret generic secrets-store-creds -n my-namespace --from-file=key.json <1>
----
<1> This is the `key.json` service account key file that you created from your {gcp-full} service account, as listed in the prerequisites.
.. Apply the `secrets-store.csi.k8s.io/used=true` label to allow the provider to find this `nodePublishSecretRef` secret:
+
[source,terminal]
----
$ oc -n my-namespace label secret secrets-store-creds secrets-store.csi.k8s.io/used=true
----
. Create a secret provider class to define your secrets store provider:
.. Create a YAML file that defines the `SecretProviderClass` object:
+
.Example `secret-provider-class-gcp.yaml`
[source,yaml]
----
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: my-gcp-provider <1>
  namespace: my-namespace <2>
spec:
  provider: gcp <3>
  parameters: <4>
    secrets: |
      - resourceName: "projects/my-project/secrets/testsecret1/versions/1"
        path: "testsecret1.txt"
----
<1> Specify the name for the secret provider class.
<2> Specify the namespace for the secret provider class.
<3> Specify the provider as `gcp`.
<4> Specify the provider-specific configuration parameters.
.. Create the `SecretProviderClass` object by running the following command:
+
[source,terminal]
----
$ oc create -f secret-provider-class-gcp.yaml
----
. Create a deployment to use this secret provider class:
.. Create a YAML file that defines the `Deployment` object:
+
.Example `deployment.yaml`
[source,yaml]
----
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-gcp-deployment <1>
  namespace: my-namespace <2>
spec:
  replicas: 1
  selector:
    matchLabels:
      app: my-storage
  template:
    metadata:
      labels:
        app: my-storage
    spec:
      serviceAccountName: my-service-account <3>
      containers:
      - name: busybox
        image: k8s.gcr.io/e2e-test-images/busybox:1.29
        command:
        - "/bin/sleep"
        - "10000"
        volumeMounts:
        - name: secrets-store-inline
          mountPath: "/mnt/secrets-store"
          readOnly: true
      volumes:
      - name: secrets-store-inline
        csi:
          driver: secrets-store.csi.k8s.io
          readOnly: true
          volumeAttributes:
            secretProviderClass: "my-gcp-provider" <4>
          nodePublishSecretRef:
            name: secrets-store-creds <5>
----
<1> Specify the name for the deployment.
<2> Specify the namespace for the deployment. This must be the same namespace as the secret provider class.
<3> Specify the service account you created.
<4> Specify the name of the secret provider class.
<5> Specify the name of the Kubernetes secret that contains the service account key (`key.json`) used to access Google Secret Manager.
.. Create the `Deployment` object by running the following command:
+
[source,terminal]
----
$ oc create -f deployment.yaml
----
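The procedure above spreads the wiring for one mount across four objects: the `SecretProviderClass`, the credentials `Secret` and its `secrets-store.csi.k8s.io/used=true` label, the `Deployment` volume that references both, and the namespace they must share. A pre-apply consistency check catches the usual mistakes (mismatched namespace, missing label, wrong driver name, a read-write mount of the secret volume, a malformed Google Secret Manager resource name) before anything is created in the cluster. The following is an added example and is not part of the OpenShift documentation or of the secrets-store-csi-driver project; the sample objects are constructed inline as Python dicts mirroring the page's manifests, and every function name below is an assumption for illustration.

```python
"""Pre-apply consistency check for Secrets Store CSI + Google Secret Manager manifests.

Added example, not documentation or project code. The objects at the bottom are
constructed to mirror the page's SecretProviderClass, Deployment and credentials
Secret; all function names are illustrative assumptions.
"""
import re

CSI_DRIVER = "secrets-store.csi.k8s.io"
USED_LABEL = "secrets-store.csi.k8s.io/used"
# Resource name format the gcp provider expects: projects/<p>/secrets/<s>/versions/<v>
GSM_RESOURCE = re.compile(r"^projects/[^/]+/secrets/[^/]+/versions/(\d+|latest)$")


def parse_gcp_secrets(block):
    """Minimal line-based parser for the YAML list stored as a *string* under
    parameters.secrets (entries with resourceName / path). Avoids needing PyYAML."""
    entries, current = [], None
    for raw in block.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("- "):          # new list entry
            current = {}
            entries.append(current)
            line = line[2:]
        if current is None or ":" not in line:
            raise ValueError(f"unparseable secrets entry: {raw!r}")
        key, value = line.split(":", 1)
        current[key.strip()] = value.strip().strip('"')
    return entries


def check_manifests(spc, deployment, secrets):
    """Return a list of findings; an empty list means the objects are consistent.
    spc: SecretProviderClass dict, deployment: Deployment dict,
    secrets: list of Secret dicts that exist in the target namespace."""
    findings = []
    ns = deployment["metadata"]["namespace"]
    spc_name = spc["metadata"]["name"]
    if spc["metadata"]["namespace"] != ns:
        findings.append("SecretProviderClass and Deployment are in different namespaces")
    if spc["spec"].get("provider") != "gcp":
        findings.append("SecretProviderClass provider is not 'gcp'")
    try:
        for entry in parse_gcp_secrets(spc["spec"]["parameters"]["secrets"]):
            name = entry.get("resourceName", "")
            if not GSM_RESOURCE.match(name):
                findings.append(f"malformed resourceName: {name!r}")
            if not entry.get("path"):
                findings.append(f"missing path for {name!r}")
    except (KeyError, ValueError) as exc:
        findings.append(f"cannot read parameters.secrets: {exc}")

    by_name = {s["metadata"]["name"]: s for s in secrets
               if s["metadata"].get("namespace") == ns}
    pod = deployment["spec"]["template"]["spec"]
    csi_volumes = [v for v in pod.get("volumes", []) if "csi" in v]
    if not csi_volumes:
        findings.append("Deployment has no csi volume")
    for vol in csi_volumes:
        csi = vol["csi"]
        if csi.get("driver") != CSI_DRIVER:
            findings.append(f"volume {vol['name']} uses driver {csi.get('driver')!r}")
        if csi.get("readOnly") is not True:
            findings.append(f"volume {vol['name']} is not readOnly")
        if csi.get("volumeAttributes", {}).get("secretProviderClass") != spc_name:
            findings.append(f"volume {vol['name']} does not reference SecretProviderClass {spc_name}")
        ref = csi.get("nodePublishSecretRef", {}).get("name")
        if ref not in by_name:
            findings.append(f"nodePublishSecretRef {ref!r} not found in namespace {ns}")
        elif by_name[ref]["metadata"].get("labels", {}).get(USED_LABEL) != "true":
            findings.append(f"secret {ref!r} lacks label {USED_LABEL}=true")
        for c in pod.get("containers", []):   # every mount of the volume must be read-only
            for m in c.get("volumeMounts", []):
                if m.get("name") == vol["name"] and m.get("readOnly") is not True:
                    findings.append(f"container {c['name']} mounts {vol['name']} read-write")
    return findings


# Constructed sample objects mirroring the page's manifests (not live cluster data).
SPC = {
    "apiVersion": "secrets-store.csi.x-k8s.io/v1", "kind": "SecretProviderClass",
    "metadata": {"name": "my-gcp-provider", "namespace": "my-namespace"},
    "spec": {"provider": "gcp", "parameters": {"secrets":
        '- resourceName: "projects/my-project/secrets/testsecret1/versions/1"\n'
        '  path: "testsecret1.txt"\n'}},
}
CREDS = {"apiVersion": "v1", "kind": "Secret",
         "metadata": {"name": "secrets-store-creds", "namespace": "my-namespace",
                      "labels": {USED_LABEL: "true"}}}
DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "my-gcp-deployment", "namespace": "my-namespace"},
    "spec": {"replicas": 1, "template": {"spec": {
        "serviceAccountName": "my-service-account",
        "containers": [{"name": "busybox", "volumeMounts": [
            {"name": "secrets-store-inline", "mountPath": "/mnt/secrets-store", "readOnly": True}]}],
        "volumes": [{"name": "secrets-store-inline", "csi": {
            "driver": CSI_DRIVER, "readOnly": True,
            "volumeAttributes": {"secretProviderClass": "my-gcp-provider"},
            "nodePublishSecretRef": {"name": "secrets-store-creds"}}}]}}},
}

if __name__ == "__main__":
    for line in check_manifests(SPC, DEPLOYMENT, [CREDS]) or ["OK: manifests are consistent"]:
        print(line)
```

In practice the three dicts would come from `oc get ... -o json` or from the YAML files before `oc apply`; the check is deliberately dependency-free so it can run in a pipeline step that has no cluster access. Note that `parameters.secrets` is a YAML document embedded as a string, which is why it gets its own small parser rather than being read as a nested mapping.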
.Verification
* Verify that you can access the secrets from Google Secret Manager in the pod volume mount:
.. List the secrets in the pod mount by running the following command:
+
[source,terminal]
----
$ oc exec my-gcp-deployment-<hash> -n my-namespace -- ls /mnt/secrets-store/
----
+
.Example output
[source,terminal]
----
testsecret1
----
.. View a secret in the pod mount by running the following command:
+
[source,terminal]
----
$ oc exec my-gcp-deployment-<hash> -n my-namespace -- cat /mnt/secrets-store/testsecret1
----
+
.Example output
[source,terminal]
----
<secret_value>
----