diff --git a/sidebarTutorials.js b/sidebarTutorials.js index 839f1cfe7..ed7c6a137 100644 --- a/sidebarTutorials.js +++ b/sidebarTutorials.js @@ -28,6 +28,7 @@ module.exports = { 'external-resources', 'webpack', 'using-launchdarkly-and-okteto-to-automate-modern-feature-flag-management', + 'gcp-secret-manager', 'divert', 'optimize-your-development-environment', 'create-and-use-volume-snapshots', diff --git a/src/tutorials/gcp-secret-manager.mdx b/src/tutorials/gcp-secret-manager.mdx new file mode 100644 index 000000000..d122dad70 --- /dev/null +++ b/src/tutorials/gcp-secret-manager.mdx 
@@ -0,0 +1,102 @@ +--- +title: Using Google Cloud Secret Manager with Okteto +description: Inject secrets stored in Google Cloud Secret Manager into your Okteto Development and Preview Environments +id: gcp-secret-manager +--- + +[Google Cloud Secret Manager](https://cloud.google.com/security/products/secret-manager) stores API keys, passwords, certificates, and other sensitive data in your GCP account. Okteto can retrieve these secrets when deploying your application, so your Development and Preview Environments use the same secret store as the rest of your infrastructure and developers never handle the secret values directly. + +This tutorial deploys the [okteto-community/gcp-secret-manager](https://github.com/okteto-community/gcp-secret-manager) sample application: a Go web server that reads its configuration from an `.env` file created at deploy time from a secret stored in Secret Manager. + +## Prerequisites + +- Admin access to an Okteto instance +- A GCP project with the [Secret Manager API enabled](https://cloud.google.com/secret-manager/docs/configuring-secret-manager) +- The [gcloud CLI](https://cloud.google.com/sdk/docs/install) installed and authenticated against your GCP project +- The [Okteto CLI](/docs/get-started/install-okteto-cli/) installed and configured + +## Giving your Okteto instance access to your GCP account + +Okteto authenticates to GCP with a dedicated service account whose key you store as [Admin Variables](/docs/core/okteto-variables/#admin-variables). Admin Variables are available to the deploy commands of every Development and Preview Environment in your Okteto instance. + +1. [Create a service account](https://cloud.google.com/iam/docs/service-accounts-create) for your Okteto instance. Grant it the minimum set of permissions it needs — for this tutorial, the `Secret Manager Secret Accessor` role is enough. +2. [Create a service account key](https://cloud.google.com/iam/docs/keys-create-delete) and save it locally. +3. 
In the Okteto Admin Dashboard, navigate to **Admin → Variables** and create the following Admin Variables: + - `GCP_PROJECT_ID`: the ID of the GCP project you are using + - `GCP_SERVICE_KEY`: the base64-encoded value of the service account key you created + +You can generate the base64 value of the key with: + +```bash +base64 -i .json +``` + +:::tip +If you prefer not to manage long-lived service account keys, you can configure keyless authentication with [Workload Identity Federation](/docs/admin/cloud-credentials/gcp-cloud-credentials/) instead. The rest of this tutorial uses the service account key approach. +::: + +## Creating the secret + +The sample application expects a secret named `top-secret-information` containing an `.env` file with two values. Create a local file with the secret content: + +```bash +echo -e "MY_NAME=cindy\nMY_COLOR=valencia green" > top-secret-information.txt +``` + +Create the secret in Secret Manager: + +```bash +gcloud secrets create top-secret-information --replication-policy="automatic" +``` + +Upload the file as the first version of the secret: + +```bash +gcloud secrets versions add top-secret-information --data-file=top-secret-information.txt +``` + +Verify the secret by retrieving it: + +```bash +gcloud secrets versions access latest --secret=top-secret-information +``` + +## Deploying the Development Environment + +Clone the sample repository and deploy it: + +```bash +git clone https://github.com/okteto-community/gcp-secret-manager.git +cd gcp-secret-manager +okteto deploy +``` + +You can also deploy the repository directly from the Okteto UI. 
+ +The deploy section of the `okteto.yaml` in the sample repository authenticates to GCP using the Admin Variables you created, downloads the secret into an `.env` file, and deploys the application with it: + +```yaml +deploy: + # this image already contains the gcloud CLI, so developers don't need to + # install or configure anything except the Okteto CLI + image: google/cloud-sdk:alpine + commands: + - name: Configure GCP credentials + command: | + echo ${GCP_SERVICE_KEY} | base64 -d | gcloud auth activate-service-account --key-file=- + gcloud --quiet config set project ${GCP_PROJECT_ID} + + - name: Create the .env file using the secrets stored in Secret Manager + command: gcloud secrets versions access "latest" --secret=top-secret-information > .env-okteto + + - name: Deploy the application + command: okteto deploy --file docker-compose.yaml +``` + +When the deploy finishes, open the endpoint Okteto created for you from the Okteto UI. The application reads `MY_NAME` and `MY_COLOR` from the `.env` file built from your secret: + +``` +Hi, my name is cindy, and my favorite color is valencia green +``` + +To use a different secret in your own application, change the `--secret` flag in the deploy command to the name of your secret. Secrets are downloaded only during deployment — rotate a secret in Secret Manager and redeploy to pick up the new value.
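Review bot: the key-encoding command in the Admin Variables step, `base64 -i .json`, has lost its filename and fails as written; it should name the downloaded key file (for example `base64 -i my-key.json`) and say which `base64` it targets, since `-i` is the macOS form while GNU coreutils expects `base64 -w0 my-key.json`. The `-w0` matters because GNU base64 wraps output at 76 columns, and the deploy step `echo ${GCP_SERVICE_KEY} | base64 -d | gcloud auth activate-service-account --key-file=-` expands the variable unquoted, so a wrapped value reaches the decoder with its newlines turned into spaces and activation fails on a corrupted key; quote the expansion (`echo "${GCP_SERVICE_KEY}"`) and either generate the value on a single line or tell the reader it must be. Two smaller points: the prose says the deploy "downloads the secret into an `.env` file" but the command writes `.env-okteto`, so one of them should change or the text should explain how the compose file picks that name up; and `top-secret-information.txt` leaves the secret in plaintext on the developer's disk after upload, which deserves a sentence telling the reader to delete it (or to pipe the content to `--data-file=-` instead of writing the file). On least privilege, the service-account step should say that `Secret Manager Secret Accessor` is best granted on the individual secret rather than at project level, since the key is stored as an instance-wide Admin Variable that every deploy command can read, and the Workload Identity Federation tip is worth moving ahead of the key-based steps for the same reason.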