HOWTO: Sync Secrets to Google Secret Manager

Purpose: Configure ESO to synchronise platform secrets into Google Secret Manager for GCP workloads and DR scenarios.

Difficulty: Intermediate

Track: Platform Services


Overview

Secrets that live only on-prem cannot be consumed by GCP-side workloads or DR automation. The ESO-to-GSM synchronisation pipeline solves this by pushing a defined subset of platform secrets into GSM under controlled lifecycle management. This HOWTO covers the full setup.


1. Prerequisites

  • ESO installed on the RKE2 cluster.
  • GCP project with Secret Manager API enabled.
  • Workload Identity or service account key for ESO GSM access.

2. SecretStore Configuration

  • GCP SecretStore resource definition.
  • Workload Identity vs service account key authentication.
  • Validating the SecretStore with kubectl get secretstore.

3. ExternalSecret Definition

  • Mapping Vault KV paths to GSM secret names.
  • Refresh interval and version policy.
  • ExternalSecret resource creation and sync status check.

4. Sync Validation

  • Confirming secrets appear in GSM console.
  • Version metadata and creation timestamp.
  • IAM binding: which GCP identities can access each secret.

5. Rotation Lifecycle

  • Vault secret rotation triggering ESO re-sync.
  • GSM secret version management.
  • Ensuring workloads consume the latest version.
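The following manifests are an added worked example for sections 2, 3 and 5 above; they are not part of the original HOWTO and not taken from the ESO project's documentation. They assume ESO is installed in the RKE2 cluster, a `platform` namespace, a Vault KV v2 mount named `platform`, a Kubernetes Secret `gcpsm-credentials` holding a GCP service-account key, and a GCP project ID; all of these names are placeholders. Because Google Workload Identity is a GKE feature, the GSM store uses the service-account key form. Note that an ExternalSecret only pulls from a store; the resource ESO provides for writing into a remote store is PushSecret, so the pipeline is Vault -> Kubernetes Secret -> GSM. The `apiVersion` values are the ones ESO serves for these kinds at the time of writing; check `kubectl api-resources` on your release.

```yaml
# Added example (not from the original HOWTO): end-to-end ESO manifests for the
# Vault -> RKE2 cluster -> Google Secret Manager pipeline. Names, namespaces,
# the Vault path and the GCP project ID are placeholders.
---
# Section 2: source store. ESO authenticates to Vault with its own ServiceAccount
# token (Vault Kubernetes auth method), so no Vault token is stored in the cluster.
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: vault-kv
  namespace: platform
spec:
  provider:
    vault:
      server: "https://vault.example.internal:8200"   # placeholder
      path: "platform"          # KV v2 mount; remoteRef.key is relative to it
      version: "v2"
      auth:
        kubernetes:
          mountPath: "kubernetes"
          role: "eso-platform"  # Vault role bound to the ServiceAccount below (assumed)
          serviceAccountRef:
            name: external-secrets
---
# Section 2: destination store. Workload Identity is a GKE feature; on the RKE2
# cluster this store reads a service-account key JSON from a Kubernetes Secret.
# That key grants Secret Manager write access, so restrict access to the
# platform namespace (RBAC) and keep etcd encryption at rest enabled.
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: gcp-secret-manager
  namespace: platform
spec:
  provider:
    gcpsm:
      projectID: "my-gcp-project"   # placeholder
      auth:
        secretRef:
          secretAccessKeySecretRef:
            name: gcpsm-credentials        # Secret holding the SA key JSON
            key: secret-access-credentials
---
# Section 3: pull the Vault KV entry into a Kubernetes Secret. ESO re-reads Vault
# every refreshInterval, which is what turns a Vault rotation into a re-sync
# (section 5).
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: platform-db
  namespace: platform
spec:
  refreshInterval: 15m
  secretStoreRef:
    name: vault-kv
    kind: SecretStore
  target:
    name: platform-db             # Kubernetes Secret created and owned by ESO
    creationPolicy: Owner
  data:
    - secretKey: password
      remoteRef:
        key: db/primary           # resolves to platform/data/db/primary in KV v2
        property: password
---
# Section 3: write the Kubernetes Secret out to GSM. ExternalSecret only pulls;
# PushSecret is ESO's resource for pushing into a remote store. Each refresh that
# finds a changed value adds a new GSM secret version (section 5).
apiVersion: external-secrets.io/v1alpha1
kind: PushSecret
metadata:
  name: platform-db-to-gsm
  namespace: platform
spec:
  refreshInterval: 15m
  updatePolicy: Replace           # overwrite the GSM value when it changes
  deletionPolicy: None            # keep the GSM secret if this resource is deleted
  secretStoreRefs:
    - name: gcp-secret-manager
      kind: SecretStore
  selector:
    secret:
      name: platform-db
  data:
    - match:
        secretKey: password
        remoteRef:
          remoteKey: platform-db-password   # GSM secret name
```

After `kubectl apply -f` on the file, `kubectl get secretstore,externalsecret,pushsecret -n platform` shows a Ready/status column for each resource; a store that fails authentication is reported there before any ExternalSecret or PushSecret depending on it can sync. For section 5, each successful push after a Vault rotation creates a new GSM version rather than editing the old one, so consumers that read the `latest` alias pick up the rotation, while consumers pinned to a numeric version do not. The intermediate Kubernetes Secret `platform-db` holds the plaintext value in the cluster, which is why RBAC on the `platform` namespace is part of the control set for this pipeline.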


License: MIT-0 for code, CC-BY-4.0 for documentation unless otherwise stated.