Enterprise Postgres 18 for Kubernetes User's Guide

4.6.4 Installing GCP Provider for Secret Store CSI Driver

4.6.4.1 Install GCP Provider drivers using Kubernetes

wget https://raw.githubusercontent.com/GoogleCloudPlatform/secrets-store-csi-driver-provider-gcp/main/deploy/provider-gcp-plugin.yaml

kubectl apply -f provider-gcp-plugin.yaml --namespace kube-system

4.6.4.2 Configure GCP secret manager and IAM

Create the service account:

gcloud iam service-accounts create my-secret-acc

Attach the Secret Manager Admin role (roles/secretmanager.admin) to the new service account:

gcloud projects add-iam-policy-binding $PROJECT_ID \
--member="serviceAccount:my-secret-acc@$PROJECT_ID.iam.gserviceaccount.com" \
--role="roles/secretmanager.admin" \
--condition="None"

Generate a key for the new service account:

gcloud iam service-accounts keys create iam-key.json \
--iam-account="my-secret-acc@$PROJECT_ID.iam.gserviceaccount.com"

4.6.4.3 Create Secret to access GCP Secret manager

Use the key generated in "4.6.4.2 Configure GCP secret manager and IAM" (the iam-key.json file):

kubectl create secret generic <secret-name> --from-file=<iam-key.json>

4.6.4.4 Store secret in GCP Secret manager

gcloud secrets create <secret name> --data-file="/path/to/file"

4.6.4.5 Store Cert in GCP Secret manager

The certificate must be in the format below before it is uploaded to GCP Secret Manager, i.e. a single .pem file containing the private key, the certificate and the CA certificate.

(Refer to "mycert.pem" for a sample certificate format)

gcloud secrets create <secret name> --data-file="/path/to/file"

Note

A secret stored in Secret Manager holds only a single key value, so the key, certificate and CA must all be in that one .pem file.
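The following script is added as an example and is not part of the guide: it assembles the single .pem file that 4.6.4.5 expects from separate key, certificate and CA files, and checks the layout (one private key first, then the certificate and CA) before the `gcloud secrets create` upload above. The input file names, the bundle name and the secret name are assumed.

```shell
#!/usr/bin/env bash
# Added example (not from the guide): build the single .pem bundle for
# GCP Secret Manager and sanity-check it before uploading.
# Assumptions: the three input PEM files and the output name are ours.

# Concatenate private key, certificate and CA chain into one bundle, key first.
make_pem_bundle() {
    key="$1"; crt="$2"; ca="$3"; out="$4"
    cat "$key" "$crt" "$ca" > "$out"
}

# Return 0 only if the bundle matches the guide's layout:
#  - exactly one private key block, and it is the first block
#  - at least two certificate blocks (leaf certificate plus CA)
#  - every BEGIN marker has a matching END marker
check_pem_bundle() {
    f="$1"
    [ -f "$f" ] || { echo "$f: no such file" >&2; return 1; }
    # grep -c exits 1 on zero matches; "|| true" keeps the count usable
    keys=$(grep -c -- '^-----BEGIN .*PRIVATE KEY-----' "$f" || true)
    certs=$(grep -c -- '^-----BEGIN CERTIFICATE-----' "$f" || true)
    begins=$(grep -c -- '^-----BEGIN ' "$f" || true)
    ends=$(grep -c -- '^-----END ' "$f" || true)
    first=$(grep -- '^-----BEGIN ' "$f" | head -n 1)
    [ "$keys" -eq 1 ] || { echo "$f: expected 1 private key, found $keys" >&2; return 1; }
    [ "$certs" -ge 2 ] || { echo "$f: expected leaf + CA certificates, found $certs" >&2; return 1; }
    [ "$begins" -eq "$ends" ] || { echo "$f: unbalanced PEM markers" >&2; return 1; }
    case "$first" in
        *"PRIVATE KEY"*) ;;
        *) echo "$f: private key must be the first block" >&2; return 1 ;;
    esac
    return 0
}

# Upload only after the check passes (same gcloud command as the guide).
# Usage: upload_pem_bundle <secret name> mycert.pem
upload_pem_bundle() {
    check_pem_bundle "$2" && gcloud secrets create "$1" --data-file="$2"
}
```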