Is your feature request related to a problem? Please describe.
The Helm Chart doesn't currently support managing secrets through GSM. For customers self-hosting on GKE, some may prefer to manage their secrets through GSM rather than use Kubernetes Secrets.
Describe the solution you'd like
By enabling Secret Provider Class and Secret Sync on the GKE cluster, GSM secrets can be imported and synced to Kubernetes Secrets so that they can be used by the deployment. Additional yamls must be added to the chart (the following yamls are a WIP, so additional changes will likely need to be made).
secret-provider-class.yaml:
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
name: {{ .Values.spc.name }}
namespace: {{ .Release.Namespace }}
spec:
provider: gke
parameters:
secrets: |
{{- range .Values.spc.secrets }}
- resourceName: "projects/{{ $.Values.spc.projectId }}/secrets/{{ .secretName }}/versions/latest"
fileName: "{{ .fileName }}"
{{- end }}
secret-sync.yaml:
apiVersion: secret-sync.gke.io/v1
kind: SecretSync
metadata:
name: {{ .Values.secretsync.name }}
namespace: {{ .Release.Namespace }}
spec:
serviceAccountName: {{ include "bindplane.fullname" . }}
secretProviderClassName: {{ .Values.spc.name }}
secretObject:
type: {{ .Values.secretsync.secretObject.type }}
data:
{{- toYaml .Values.secretsync.secretObject.data | nindent 6 }}
extraVolumes in values.yaml:
# -- Optional arbitrary volumes to add to the Bindplane pod(s).
extraVolumes:
- name: gsm-volume
csi:
# Must use the specific GKE managed driver
driver: secrets-store-gke.csi.k8s.io
readOnly: true
volumeAttributes:
secretProviderClass: "bindplane-gsm-secrets"
# -- Optional arbitrary volume mounts to add to the Bindplane pod(s).
extraVolumeMounts:
- name: gsm-volume
mountPath: "/mnt/secrets/bindplane"
readOnly: true
Additions to values.yaml:
# SecretProviderClass (spc) configuration
spc:
projectId: "example-google-project-id"
name: bindplane-gsm-secrets
# A list of secrets to fetch from Google Secret Manager.
# `secretName` is the name of the secret in GSM.
# `fileName` is the name of the file it will be mounted as in the pod.
secrets:
- secretName: bindplane-license
fileName: license.txt
- secretName: bindplane-username
fileName: username.txt
- secretName: bindplane-password
fileName: password.txt
- secretName: bindplane-session-secret
fileName: session.txt
# SecretSync configuration
secretsync:
name: bindplane-secrets
secretObject:
type: Opaque
# A list of mappings from the mounted secret file to a key in the Kubernetes secret.
data:
- { sourcePath: "license.txt", targetKey: "license" }
- { sourcePath: "username.txt", targetKey: "username" }
- { sourcePath: "password.txt", targetKey: "password" }
- { sourcePath: "session.txt", targetKey: "sessions_secret" }
Describe alternatives you've considered
Potentially, instead of using secret-sync, a startup script could be used to create the secrets as environment variables, but this would be a less robust solution (this would still require the Secret Provider Class to mount the GSM secrets in an additional volume).
# -- Optional command overrides for the Bindplane container in all
# Bindplane pods.
command: ["/bin/bash", "-c"]
# -- Optional arguments overrides for the Bindplane container in all
# Bindplane pods.
args:
- |
# Read CSI-mounted files and export as ENVs
# Secret files are mounted as read-only at /mnt/secrets/bindplane/
export BINDPLANE_LICENSE=$(cat /mnt/secrets/bindplane/license.txt)
export BINDPLANE_USERNAME=$(cat /mnt/secrets/bindplane/username.txt)
export BINDPLANE_PASSWORD=$(cat /mnt/secrets/bindplane/password.txt)
export BINDPLANE_SESSION_SECRET=$(cat /mnt/secrets/bindplane/session.txt)
/usr/bin/bindplane server
Is your feature request related to a problem? Please describe.
The Helm Chart doesn't currently support managing secrets through GSM. For customers self-hosting on GKE, some may prefer to manage their secrets through GSM rather than use Kubernetes Secrets.
Describe the solution you'd like
By enabling Secret Provider Class and Secret Sync on the GKE cluster, GSM secrets can be imported and synced to Kubernetes Secrets so that they can be used by the deployment. Additional yamls must be added to the chart (the following yamls are a WIP, so additional changes will likely need to be made).
secret-provider-class.yaml:
secret-sync.yaml:
extraVolumes in values.yaml:
Additions to values.yaml:
Describe alternatives you've considered
Potentially, instead of using secret-sync, a startup script could be used to create the secrets as environment variables, but this would be a less robust solution (this would still require the Secret Provider Class to mount the GSM secrets in an additional volume).