Google Secrets
The google_secret helper fetches secret data from Google Secret Manager and renders it into a Kubernetes Secret manifest.
Example
.kubes/resources/shared/secret.yaml
apiVersion: v1
kind: Secret
metadata:
name: demo
labels:
app: demo
data:
PASS: <%= google_secret("demo-#{Kubes.env}-PASS") %>
USER: <%= google_secret("demo-#{Kubes.env}-USER") %>
The values are automatically base64 encoded, as Kubernetes expects under the data: key of a Secret.
For example, if you have these secret values (note that the shell prompt appears on its own line after each value, which shows that both stored payloads end with a newline, a common artifact of creating a secret with echo and a pipe):
$ gcloud secrets versions access latest --secret demo-dev-USER
test1
$ gcloud secrets versions access latest --secret demo-dev-PASS
test2
$
then the rendered manifest looks like this (dGVzdDIK is the base64 encoding of "test2\n" and dGVzdDEK of "test1\n", so PASS and USER carry the values read above, trailing newlines included):
.kubes/output/shared/secret.yaml
metadata:
namespace: demo
name: demo-2a78a13682
labels:
app: demo
apiVersion: v1
kind: Secret
data:
PASS: dGVzdDIK
USER: dGVzdDEK
Variables
These environment variables can be set:
| Name | Description |
|---|---|
| GOOGLE_PROJECT | Google project id. This is required. |
Base64 Option
By default, the values are automatically base64 encoded. You can change the default behavior with a config option.
.kubes/config.rb
KubesGoogle.configure do |config|
config.secrets.base64 = false
end
Note the use of KubesGoogle.configure instead of Kubes.configure here.
You can also pass the base64 option to turn the automatic base64 encoding on or off for an individual secret, overriding the configured default:
google_secret("demo-#{Kubes.env}-USER", base64: true) # default is base64=true
google_secret("demo-#{Kubes.env}-PASS", base64: false)
Note that the values in a Kubernetes Secret are only base64 encoded, not encrypted. Anyone who can read Secrets in the namespace, whether a user running kubectl get secret demo -o yaml or a workload whose service account has that RBAC permission, can decode the values trivially. The same values are also written in the clear to the rendered manifest under .kubes/output, so keep that directory out of version control. Depending on your security posture requirements, this may or may not suffice.
Fetcher Strategy
Some systems configured with a VPN seem to have issues with the Google Secret Manager SDK. You may see an error like:
Handshake failed with fatal error SSL_ERROR_SSL: error:100000f7:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER.
This OpenSSL error typically means the client received something other than a TLS handshake from the endpoint it expected to talk to, which is common behind proxies and VPN appliances. As a workaround, you can switch from the default sdk fetcher strategy to the gcloud fetcher strategy, which reads the secret through the gcloud CLI (which must be installed and authenticated) instead of the Ruby SDK. To configure it:
.kubes/config.rb
KubesGoogle.configure do |config|
config.secrets.fetcher = "gcloud"
end
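The following Ruby script is an added example and is not code from the kubes_google gem. It sketches a google_secret-style helper covering the three technical points above: the base64 encoding of fetched values shown in the output example (including the trailing-newline artifact), the default and per-call base64 option, and the two fetcher strategies. The gcloud fetcher shells out to the gcloud secrets versions access command shown earlier on this page; the sdk fetcher uses the google-cloud-secret_manager gem. The module and class names, the build_fetcher selector, and the exact calls inside the two real fetchers are assumptions about how such a helper could be written, not the gem's implementation. A constructed in-memory fetcher lets the script run offline.

```ruby
require "base64"
require "open3"

# Added example, not kubes_google's own code. Names below are assumptions.
module SecretHelper
  # "gcloud" strategy: shell out to the CLI (argv form, so no shell parsing of
  # the secret name). Requires an installed and authenticated gcloud.
  class GcloudFetcher
    def initialize(project)
      @project = project
    end

    def fetch(name)
      out, err, status = Open3.capture3(
        "gcloud", "secrets", "versions", "access", "latest",
        "--secret", name, "--project", @project
      )
      raise "gcloud failed for #{name}: #{err.strip}" unless status.success?
      out
    end
  end

  # "sdk" strategy: google-cloud-secret_manager gem with application default
  # credentials. The require is deferred so the script loads without the gem.
  class SdkFetcher
    def initialize(project)
      @project = project
    end

    def fetch(name)
      require "google/cloud/secret_manager"
      client = Google::Cloud::SecretManager.secret_manager_service
      version = "projects/#{@project}/secrets/#{name}/versions/latest"
      client.access_secret_version(name: version).payload.data
    end
  end

  # Constructed stand-in so the example runs offline: secret name => payload.
  class HashFetcher
    def initialize(values)
      @values = values
    end

    def fetch(name)
      @values.fetch(name) { raise KeyError, "no secret named #{name}" }
    end
  end

  # Mirrors config.secrets.fetcher = "sdk" | "gcloud".
  def self.build_fetcher(strategy, project)
    case strategy
    when "sdk" then SdkFetcher.new(project)
    when "gcloud" then GcloudFetcher.new(project)
    else raise ArgumentError, "unknown fetcher strategy #{strategy.inspect}"
    end
  end

  class Helper
    # base64: mirrors config.secrets.base64 (the default for every call).
    def initialize(fetcher:, base64: true)
      @fetcher = fetcher
      @default_base64 = base64
    end

    # Mirrors google_secret(name, base64: ...). Base64 output belongs under
    # data:, raw output under stringData:, in the Secret manifest.
    def google_secret(name, base64: @default_base64)
      value = @fetcher.fetch(name)
      base64 ? Base64.strict_encode64(value) : value
    end
  end

  # Check for a rendered manifest's data: map. Decodes each value and returns
  # the keys whose payload ends with a newline, which usually means the secret
  # was created with `echo value | gcloud secrets create ...` and the newline
  # will end up inside the password your application reads.
  def self.trailing_newline_keys(data)
    data.select { |_, v| Base64.strict_decode64(v).end_with?("\n") }.keys
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed values matching the page's example payloads, newline included.
  fetcher = SecretHelper::HashFetcher.new(
    "demo-dev-USER" => "test1\n", "demo-dev-PASS" => "test2\n"
  )
  helper = SecretHelper::Helper.new(fetcher: fetcher)
  data = {
    "PASS" => helper.google_secret("demo-dev-PASS"),
    "USER" => helper.google_secret("demo-dev-USER")
  }
  puts "data: #{data}"
  puts "keys with trailing newline: #{SecretHelper.trailing_newline_keys(data)}"
end
```

Running the script prints the same dGVzdDIK/dGVzdDEK pair as the rendered manifest above and flags both keys, which is the check to run before deploying if your application is not expecting a newline at the end of a credential.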