This Terraform module is designed to efficiently manage secrets within a Google Kubernetes Engine (GKE) cluster through the use of External Secrets Operator (ESO). The module ensures secrets in your GKE cluster are continuously synced with Google Cloud Secret Manager, providing a centralized access point for your secret backend.

Key features:

  • Deploys External Secrets Operator and cluster-level ClusterSecretStore
  • Creates and configures a Google Cloud Service Account with minimal required permissions
  • Establishes Workload Identity federation between GKE and Google Cloud for secure authentication
  • Sets up IAM bindings for Secret Manager access
  • Creates a Kubernetes Custom Resource Definition (CRD) for Google Cloud Secret Manager integration

NOTE: After deploying the module, create a Kubernetes ExternalSecret to point to the Secret Manager secrets to be synchronized.

If the reloader.namespace_selector parameter is set, Namespace manifests must carry labels that match the Reloader namespace selector.
If the reloader.resource_label_selector parameter is set, Secret and ConfigMap manifests must carry labels that match the Reloader resource selector.

For example, to match the configuration shown in this documentation, the Secret's labels must contain: app-secret: "yes"

Deployment resources that reference a secret in their configuration must carry a Reloader annotation; the most generally suitable one is reloader.stakater.com/auto: "true"

More options can be found in Reloader documentation.

The instructions above result in the following Reloader behavior:

  • Reloader watches all resources inside a Namespace
  • Reloader watches all secrets with specific labels
  • Reloader is allowed to reload pod configuration once these secrets are updated

Kubernetes ESO for Google Cloud Secret Manager

External Secrets Operator integration with Secret Manager in Google Cloud
Log in to Corewide IaC registry

Once you have a Corewide Solutions Portal account, this one-time action will use your browser session to retrieve credentials:

```shell
terraform login solutions.corewide.com
```
Provision instructions

Initialize mandatory providers:

Copy and paste into your Terraform configuration and insert the variables:

```hcl
module "tf_k8s_eso_gcp" {
  source  = "solutions.corewide.com/google-cloud/tf-k8s-eso-gcp/google"
  version = "~> 1.0.0"

  # specify module inputs here or try one of the examples below
  ...
}
```

Initialize the setup:

```shell
terraform init
```
Define update strategy

The Corewide DevOps team strictly follows the Semantic Versioning Specification to provide our clients with products that have predictable upgrades between versions. We recommend pinning patch versions of our modules using the pessimistic constraint operator (~>) to prevent breaking changes during upgrades.

To get new features during upgrades (without breaking compatibility), use ~> 1.0 and run terraform init -upgrade.

For the safest setup, use strict pinning with version = "1.0.0".

v1.0.0 released 3 months ago

Full ExternalSecret API documentation can be found here

```yaml
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: app-secret
  namespace: external-secrets
  labels:
    app-secret: "yes"
spec:
  refreshInterval: 5m
  secretStoreRef:
    name: gcp-secret-manager
    kind: ClusterSecretStore
  target:
    name: my-k8s-secret
    creationPolicy: Owner
  data:
    - secretKey: my-secret-key
      remoteRef:
        key: projects/${PROJECT_ID}/secrets/${SECRET_NAME}/versions/latest
```
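The label on the ExternalSecret above and the Reloader annotation on consuming Deployments decide whether a rotated Secret Manager value actually reaches running pods: an unlabeled resource is never watched, and a Deployment without the annotation keeps serving the pre-rotation value. The following pre-flight check is an added example written for this page, not code from the module, ESO or Reloader. It takes manifests in the dict form a YAML loader returns and embeds constructed samples: the ExternalSecret from this page with a constructed project and secret name in its remoteRef, a Namespace with an assumed label value, one Deployment with the annotation and one without. It assumes that the module turns each entry of reloader.namespace_selector and reloader.resource_selector into a label-key ("exists") selector; the module's exact selector semantics are not documented on this page.

```python
"""Pre-flight check that ESO/Reloader manifests satisfy the selectors the module
configures. Added example; manifests are embedded as dicts so it runs offline."""
import re

# Values from the page's full module example. The module's exact selector
# semantics are not on the page; this assumes each entry is a label key that
# must exist on the resource (an "exists" label selector).
RELOADER_NAMESPACE_LABEL_KEYS = {"external-secrets"}  # reloader.namespace_selector
RELOADER_RESOURCE_LABEL_KEYS = {"app-secret"}         # reloader.resource_selector
RELOADER_ANNOTATION = "reloader.stakater.com/auto"
# Secret Manager version path, the shape used by the page's remoteRef example.
REMOTE_REF_RE = re.compile(r"^projects/[^/]+/secrets/[^/]+/versions/[^/]+$")

# Constructed sample manifests (the Namespace label value "true" is assumed).
NAMESPACE = {"kind": "Namespace", "metadata": {"name": "external-secrets",
                                               "labels": {"external-secrets": "true"}}}

EXTERNAL_SECRET = {
    "apiVersion": "external-secrets.io/v1beta1", "kind": "ExternalSecret",
    "metadata": {"name": "app-secret", "namespace": "external-secrets",
                 "labels": {"app-secret": "yes"}},
    "spec": {
        "secretStoreRef": {"name": "gcp-secret-manager", "kind": "ClusterSecretStore"},
        "target": {"name": "my-k8s-secret", "creationPolicy": "Owner"},
        "data": [{"secretKey": "my-secret-key",  # constructed project and secret names
                  "remoteRef": {"key": "projects/my-project-id/secrets/db-password/versions/latest"}}],
    },
}

# Consumes the synced Secret and carries the annotation: Reloader restarts it on rotation.
DEPLOYMENT_RELOADED = {
    "kind": "Deployment",
    "metadata": {"name": "api", "namespace": "external-secrets",
                 "annotations": {RELOADER_ANNOTATION: "true"}},
    "spec": {"template": {"spec": {"containers": [{
        "name": "api", "image": "example/api:1.0",
        "env": [{"name": "DB_PASSWORD", "valueFrom": {
            "secretKeyRef": {"name": "my-k8s-secret", "key": "my-secret-key"}}}]}]}}},
}

# Same Secret via envFrom but no annotation: pods keep the pre-rotation value.
DEPLOYMENT_STALE = {
    "kind": "Deployment",
    "metadata": {"name": "worker", "namespace": "external-secrets"},
    "spec": {"template": {"spec": {"containers": [{
        "name": "worker", "image": "example/worker:1.0",
        "envFrom": [{"secretRef": {"name": "my-k8s-secret"}}]}]}}},
}


def referenced_secrets(deployment):
    """Names of Secrets the pod template consumes via env, envFrom or volumes."""
    pod = deployment["spec"]["template"]["spec"]
    names = set()
    for c in pod.get("containers", []) + pod.get("initContainers", []):
        for env in c.get("env", []):
            ref = env.get("valueFrom", {}).get("secretKeyRef")
            if ref:
                names.add(ref["name"])
        for src in c.get("envFrom", []):
            if "secretRef" in src:
                names.add(src["secretRef"]["name"])
    for vol in pod.get("volumes", []):
        if "secret" in vol:
            names.add(vol["secret"]["secretName"])
    return names


def check_namespace(ns):
    """Reloader only watches Namespaces matching its namespace selector."""
    labels = set(ns["metadata"].get("labels", {}))
    if not RELOADER_NAMESPACE_LABEL_KEYS & labels:
        return [f"Namespace {ns['metadata']['name']} lacks a reloader.namespace_selector label"]
    return []


def check_external_secret(es):
    """Label must match the resource selector; remoteRef must be a full version path."""
    findings = []
    if not RELOADER_RESOURCE_LABEL_KEYS & set(es["metadata"].get("labels", {})):
        findings.append("ExternalSecret lacks a reloader.resource_selector label; not watched")
    for item in es["spec"].get("data", []):
        key = item["remoteRef"]["key"]
        if not REMOTE_REF_RE.match(key):
            findings.append(f"remoteRef {key!r} is not projects/<id>/secrets/<name>/versions/<v>")
    return findings


def check_deployment(deployment, es):
    """A consumer of the synced Secret needs the Reloader annotation and the same namespace."""
    target, meta, findings = es["spec"]["target"]["name"], deployment["metadata"], []
    if target not in referenced_secrets(deployment):
        return findings  # does not consume this Secret; nothing to reload
    if meta["namespace"] != es["metadata"]["namespace"]:
        findings.append(f"{meta['name']} cannot mount Secret {target} from another namespace")
    if meta.get("annotations", {}).get(RELOADER_ANNOTATION) != "true":
        findings.append(f"{meta['name']} consumes {target} but lacks {RELOADER_ANNOTATION}=true")
    return findings


if __name__ == "__main__":  # stand-alone run: an empty list means no finding
    print(check_namespace(NAMESPACE), check_external_secret(EXTERNAL_SECRET))
    print(check_deployment(DEPLOYMENT_RELOADED, EXTERNAL_SECRET))
    print(check_deployment(DEPLOYMENT_STALE, EXTERNAL_SECRET))
```

To run it against real manifests, replace the constructed dicts with the documents returned by a YAML loader such as PyYAML's yaml.safe_load_all (left out here to keep the example dependency-free) and feed every Deployment in the namespace to check_deployment. The stale worker Deployment is the case worth catching before a rotation: the Secret is updated in the cluster, but nothing restarts the pods that already read it.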

Basic secret management setup with required parameters only:

```hcl
module "eso" {
  source  = "solutions.corewide.com/google-cloud/tf-k8s-eso-gcp/google"
  version = "~> 1.0"

  name_prefix      = "eso"
  gke_cluster_name = "my-gke-cluster"
}
```

External Secrets Operator (ESO) with customizable namespace, service account, secret management, node selection, and automatic secret reloading:

```hcl
module "eso" {
  source  = "solutions.corewide.com/google-cloud/tf-k8s-eso-gcp/google"
  version = "~> 1.0"

  project_id           = "my-project-id"
  name_prefix          = "eso"
  namespace            = "external-secrets"
  create_namespace     = true
  service_account_name = "eso-operator"
  gke_cluster_name     = "my-gke-cluster"

  node_selector = {
    "cloud\\.google\\.com/gke-nodepool" = "maintenance"
  }

  eso = {
    chart_version = "yyyy"
    app_version   = "xxxx"

    custom_values = {
      foo = "bar"
    }
  }

  reloader = {
    chart_version      = "yyyy"
    app_version        = "xxxx"
    namespace_selector = ["external-secrets"]
    resource_selector  = ["app-secret"]
  }
}
```

| Variable | Description | Type | Default | Required | Sensitive |
|---|---|---|---|---|---|
| gke_cluster_name | Name of the GKE cluster | string | | yes | no |
| name_prefix | Name prefix for the created resources | string | | yes | no |
| create_namespace | Indicates creation of a dedicated namespace for the stack deployment | bool | true | no | no |
| eso | External Secrets Operator parameters. These parameters are passed to the tf-k8s-eso module's eso parameter. The eso.service_account parameter is ignored, as it is managed by the tf-k8s-eso-gcp module itself | any | {} | no | no |
| namespace | The namespace to install the stack into | string | external-secrets-operator | no | no |
| node_selector | Node selector for the stack components | map(string) | {} | no | no |
| project_id | GCP Project ID where Secret Manager secrets are stored. If not set, the provider-level project ID is used | string | | no | no |
| region | GCP default region to deploy the Secret Manager into. If not set, the provider-level location is used | string | | no | no |
| reloader | Reloader parameters. These parameters are passed to the tf-k8s-eso module's reloader parameter | any | {} | no | no |
| service_account_name | Kubernetes ServiceAccount name | string | external-secrets-operator | no | no |

| Output | Description | Type | Sensitive |
|---|---|---|---|
| cluster_secret_store_name | Name of the Kubernetes ClusterSecretStore resource that is used for creation of ExternalSecret resources | attribute | no |
| namespace | The namespace name where External Secrets Operator and Reloader are installed | resource | no |
| workload_identity_principal | The full Workload Identity principal for the ESO ServiceAccount | computed | no |

| Dependency | Version | Kind |
|---|---|---|
| terraform | >= 1.3 | CLI |
| hashicorp/google | ~> 6.2 | provider |
| hashicorp/kubernetes | ~> 2.9 | provider |
| tf-k8s-crd | ~> 2.0 | module |
| tf-k8s-eso | ~> 1.0 | module |
