Kubernetes ESO for Google Cloud Secret Manager

This Terraform module is designed to efficiently manage secrets within a Google Kubernetes Engine (GKE) cluster through the use of External Secrets Operator (ESO). The module ensures secrets in your GKE cluster are continuously synced with Google Cloud Secret Manager, providing a centralized access point for your secret backend.

Key features:

Deploys External Secrets Operator and cluster-level ClusterSecretStore
Creates and configures a Google Cloud Service Account with minimal required permissions
Establishes Workload Identity federation between GKE and Google Cloud for secure authentication
Sets up IAM bindings for Secret Manager access
Creates a Kubernetes Custom Resource Definition (CRD) for Google Cloud Secret Manager integration

NOTE: After deploying the module, create a Kubernetes ExternalSecret to point to the Secret Manager secrets to be synchronized.

If reloader.namespace_selector parameter is set, Namespace manifests are required to have specific labels configured to match Reloader namespace selector.
If reloader.resource_label_selector parameter is set, Secrets\Config manifests are required to have specific labels configured to match Reloader resource selector.

For example, to match documentation, the Secret's labels must contain: app-secret: "yes"

Deployment resources that reference a secret in their configuration must have an annotation set: as mostly suitable, reloader.stakater.com/auto: "true"

More options can be found in Reloader documentation.

Above instruction result in the following Reloader behavior:

Reloader watches all resources inside a Namespace

Reloader watches all secrets with specific labels

Reloader is allowed to reload pod configuration once these secrets are updated

Once you have a Corewide Solutions Portal account, this one-time action will use your browser session to retrieve credentials:

 shellterraform login solutions.corewide.com

Provision instructions

Initialize mandatory providers:

Copy and paste into your Terraform configuration and insert the variables:

 hclmodule "tf_k8s_eso_gcp" {
  source  = "solutions.corewide.com/google-cloud/tf-k8s-eso-gcp/google"
  version = "~> 1.0.0"

  # specify module inputs here or try one of the examples below
  ...
}

Initialize the setup:

 shellterraform init

Define update strategy

Corewide DevOps team strictly follows Semantic Versioning Specification to provide our clients with products that have predictable upgrades between versions. We recommend pinning patch versions of our modules using pessimistic constraint operator (~>) to prevent breaking changes during upgrades.

To get new features during the upgrades (without breaking compatibility), use ~> 1.0 and run terraform init -upgrade

For the safest setup, use strict pinning with version = "1.0.0"

$400

Dependencies included: $250

tf-k8s-crd	$50
tf-k8s-eso	$200

BUY

473

License

v1.0.0 released 9 months, 1 week ago

Changelog

Key features:

Deploys External Secrets Operator and cluster-level ClusterSecretStore
Creates and configures a Google Cloud Service Account with minimal required permissions
Establishes Workload Identity federation between GKE and Google Cloud for secure authentication
Sets up IAM bindings for Secret Manager access
Creates a Kubernetes Custom Resource Definition (CRD) for Google Cloud Secret Manager integration

NOTE: After deploying the module, create a Kubernetes ExternalSecret to point to the Secret Manager secrets to be synchronized.

If reloader.namespace_selector parameter is set, Namespace manifests are required to have specific labels configured to match Reloader namespace selector.
If reloader.resource_label_selector parameter is set, Secrets\Config manifests are required to have specific labels configured to match Reloader resource selector.

For example, to match documentation, the Secret's labels must contain: app-secret: "yes"

Deployment resources that reference a secret in their configuration must have an annotation set: as mostly suitable, reloader.stakater.com/auto: "true"

More options can be found in Reloader documentation.

Above instruction result in the following Reloader behavior:

Reloader watches all resources inside a Namespace

Reloader watches all secrets with specific labels

Reloader is allowed to reload pod configuration once these secrets are updated

Basic secret management setup with required parameters only:

 hclmodule "eso" {
  source  = "solutions.corewide.com/google-cloud/tf-k8s-eso-gcp/google"
  version = "~> 1.0"

  name_prefix      = "eso"
  gke_cluster_name = "my-gke-cluster"
}

External Secrets Operator (ESO) with customizable namespace, service account, secret management, node selection, and automatic secret reloading:

 hclmodule "eso" {
  source  = "solutions.corewide.com/google-cloud/tf-k8s-eso-gcp/google"
  version = "~> 1.0"

  project_id           = "my-project-id"
  name_prefix          = "eso"
  namespace            = "external-secrets"
  create_namespace     = true
  service_account_name = "eso-operator"
  gke_cluster_name     = "my-gke-cluster"

  node_selector = {
    "cloud\\.google\\.com/gke-nodepool" = "maintenance"
  }

  eso = {
    chart_version = "yyyy"
    app_version   = "xxxx"

    custom_values = {
      foo = "bar"
    }
  }

  reloader = {
    chart_version      = "yyyy"
    app_version        = "xxxx"

    resource_selector  = ["app-secret=yes"]
  }
}

Full ExternalSecret API documentation can be found here

 yamlapiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: app-secret
  namespace: external-secrets
spec:
  refreshInterval: 5m
  secretStoreRef:
    name: gcp-secret-manager
    kind: ClusterSecretStore
  target:
    name: my-k8s-secret
    creationPolicy: Owner
    template:
      metadata:
        labels:
          app-secret: "yes"
  data:
    - secretKey: my-secret-key
      remoteRef:
        key: projects/${PROJECT_ID}/secrets/${SECRET_NAME}/versions/latest

Variable	Description	Type	Default	Required	Sensitive
`gke_cluster_name`	Name of the GKE cluster	`string`		yes	no
`name_prefix`	Name prefix for the created resources	`string`		yes	no
`create_namespace`	Indicates creation of dedicated namespace for the stack deployment	`bool`	`true`	no	no
`eso`	External Secrets Operator parameters. These parameters are passed to `tf-k8s-eso` module's `eso` parameter. `eso.service_account` parameter is ignored as it is managed by `tf-k8s-eso-gcp` module itself	`any`	`{}`	no	no
`namespace`	The namespace to install the stack into	`string`	`external-secrets-operator`	no	no
`node_selector`	Node selector for the stack components	`map(string)`	`{}`	no	no
`project_id`	GCP Project ID where Secret Manager secrets are stored. If not set, takes provider-level project ID as default	`string`		no	no
`region`	GCP default region to deploy the Secret Manager into. If not set, takes provider-level location as default	`string`		no	no
`reloader`	Reloader parameters. These parameters are passed to `tf-k8s-eso` module's `reloader` parameter	`any`	`{}`	no	no
`service_account_name`	Kubernetes `ServiceAccount` name	`string`	`external-secrets-operator`	no	no

Output	Description	Type	Sensitive
`cluster_secret_store_name`	Name of Kubernetes `ClusterSecretStore` resource that is used for creation of `ExternalSecret` resources	`attribute`	no
`namespace`	The namespace name where External Secrets Operator and Reloader are installed	`resource`	no
`workload_identity_principal`	The full Workload Identity principal for the ESO `ServiceAccount`	`computed`	no

Dependency	Version	Kind
`terraform`	`>= 1.3`	CLI
`hashicorp/google`	`~> 6.2`	provider
`hashicorp/kubernetes`	`~> 2.9`	provider
`tf-k8s-crd`	`~> 2.0`	module
`tf-k8s-eso`	`~> 1.0`	module

References

Artifact Registry management in Google Cloud

2 months, 3 weeks ago 702

Google Cloud DNS RBAC for integration with Cert Manager in a Kubernetes cluster

6 months, 1 week ago 53

Kubernetes ESO for Google Cloud Secret Manager

v1.0.0 - 2025-01-21

Added

References

Not sure where to start?Let's find your perfect match.

Not sure where to start?
Let's find your perfect match.