Evolution of application deployment over the past 20 years.
Configure your local and remote lab environments.
Covers the resource types that are included with Kubernetes.
•Pod
•Job
Using helm to manage Kubernetes resources
Example microservice application.
Kubernetes manifests to deploy the demo application.
Explore how custom resources can add functionality
Install additional software to enhance the deployment.
Improving the DevX when working with Kubernetes.
How to safely upgrade your clusters and nodes.
Implement CI/CD for your applications (with GitOps!)
Managing sensitive data such as API keys or database passwords is often one of the most painful parts of running applications on Kubernetes. While the rest of your manifests can live in Git, secrets should not be stored in plain text. This lesson summarizes several approaches to managing those secrets and demonstrates how to use the External Secrets Operator (ESO) with Google Cloud Secret Manager.
Secret
objects by hand outside your normal workflow.
Easy to start with but hard to audit and prone to mistakes.The remainder of this lesson focuses on option 2 using ESO on a GKE cluster. The YAML manifests referenced below are available in the course repository.
Install ESO with Helm (from Taskfile.yaml
in the repo):
helm repo add external-secrets https://charts.external-secrets.io
helm upgrade --install external-secrets external-secrets/external-secrets \
-n external-secrets \
--values values.yaml \
--create-namespace \
--version 0.9.19
values.yaml
annotates the service account so it can impersonate a Google Cloud
IAM service account via Workload Identity:
serviceAccount:
annotations:
iam.gke.io/gcp-service-account: external-secrets@<PROJECT>.iam.gserviceaccount.com
roles/secretmanager.secretAccessor
role.roles/iam.workloadIdentityUser
role so the Kubernetes service account
can act as the IAM account.apiVersion: v1
kind: ServiceAccount
metadata:
name: external-secrets
namespace: external-secrets
annotations:
iam.gke.io/gcp-service-account: external-secrets@<PROJECT>.iam.gserviceaccount.com
Create a ClusterSecretStore
that tells ESO to use Google Cloud Secret Manager:
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
name: gcp-store
spec:
provider:
gcpsm:
projectID: <PROJECT>
Then define an ExternalSecret
which maps a value from Secret Manager into a
Kubernetes Secret
:
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: example
namespace: external-secrets
spec:
refreshInterval: 1h
secretStoreRef:
kind: ClusterSecretStore
name: gcp-store
target:
name: external-secrets-example-k8s
creationPolicy: Owner
data:
- secretKey: key-k8s
remoteRef:
key: external-secrets-example-gcp
Apply these manifests and ESO will retrieve the value from Secret Manager and
create the Kubernetes secret external-secrets-example-k8s
.
Verify it with:
kubectl get secrets external-secrets-example-k8s -o yaml
Using ESO keeps sensitive information out of Git, leverages your cloud provider's access controls, and still allows you to manage non-sensitive configuration alongside the rest of your manifests.