Feature: Enable support for Google Secrets Manager

[nycnewman]

Seems that a minor change to konlet-startup would enable the use of Secrets Manager to inject environment variables directly into container from Secrets Manager. Using existing Auth credentials, one could make a call to Secrets Manager after it calls the Metadata store, get the secrets and map to environment variables. Something along lines of:

• Set an Env variable as a flag to enable Secrets Manager (or use presences of the following....)
• Set an Env variable with a list of Environment Variables to secrets name mappings
• In konlet-startup, if the above is set then make authenticated call to Secrets Manager to pull secrets and add to spec.Container.Env
• Startup container using existing process

We are going to see about creating a Pull Request with this change

[jawnsy]

This would be awesome, and I'd be happy to open a PR to add this capability as well, though I'd need some guidance for the desired implementation approach

[bschaatsbergen]

This would be very nice to have, I'm currently a bit lost on how to properly implement a secret integration between konlet/cos and my container.

[jimmyntu]

After 4 years, it's amazing that Container Optimised OS is still not able to support load secret from secret manager. Google, please wake up to see what is available by other competitors.

[runa]

You can use this script to get the secret value. Credits to Gemini, I guess

#!/bin/bash

# Set the project ID
PROJECT_ID="your-project-id"

# Set the secret ID
SECRET_ID="foobarbaz"

# Set the version (optional, defaults to 'latest')
VERSION="latest"  # or a specific version number

# Get an access token using the metadata server
ACCESS_TOKEN=$(curl -s "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token" \
  -H "Metadata-Flavor: Google")
ACCESS_TOKEN=$(echo $ACCESS_TOKEN | jq -r '.access_token')

# Construct the Secret Manager API URL
API_URL="https://secretmanager.googleapis.com/v1/projects/$PROJECT_ID/secrets/$SECRET_ID/versions/$VERSION:access"

# Make the API call using CURL
SECRET_VALUE=$(curl -s -H "Authorization: Bearer $ACCESS_TOKEN" $API_URL | jq -r '.payload.data' | base64 -d)

echo "The secret value is: $SECRET_VALUE"

[BlueTogepi]

Bumping this in hope there will be any update ;-;

[Daumis102]

You can use this script to get the secret value. Credits to Gemini, I guess

#!/bin/bash

# Set the project ID
PROJECT_ID="your-project-id"

# Set the secret ID
SECRET_ID="foobarbaz"

# Set the version (optional, defaults to 'latest')
VERSION="latest"  # or a specific version number

# Get an access token using the metadata server
ACCESS_TOKEN=$(curl -s "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token" \
  -H "Metadata-Flavor: Google")
ACCESS_TOKEN=$(echo $ACCESS_TOKEN | jq -r '.access_token')

# Construct the Secret Manager API URL
API_URL="https://secretmanager.googleapis.com/v1/projects/$PROJECT_ID/secrets/$SECRET_ID/versions/$VERSION:access"

# Make the API call using CURL
SECRET_VALUE=$(curl -s -H "Authorization: Bearer $ACCESS_TOKEN" $API_URL | jq -r '.payload.data' | base64 -d)

echo "The secret value is: $SECRET_VALUE"

This doesn't work as it loads the secrets to the host VM variables, which are not accessible from the docker container. At least I couldn't find a way to make them accessible...