Updated with issue description
HebertCL committed Jan 2, 2025
1 parent 9de217e commit b8ff4c8
Showing 1 changed file with 28 additions and 12 deletions.
40 changes: 28 additions & 12 deletions charts/gcp-iam-externalsecrets/README.md
Expand Up @@ -6,16 +6,32 @@ A Helm chart to create a service account in your desired project, and grant it a

## Values

| Key | Type | Default | Description |
|-----|------|---------|-------------|
| externalSecrets.clusterLocation | string | `"europe-west3"` | Location of the cluster in which to create the External Secrets K8s resources |
| externalSecrets.clusterName | string | `"cluster-name"` | Name of the cluster in which to create the External Secrets K8s resources |
| externalSecrets.clusterProjectID | string | `"project"` | GCP Project of the cluster in which to create the External Secrets K8s resources |
| externalSecrets.create | bool | `true` | Wether to create both the SecretStore and the ExternalSecret K8s Resources |
| iamPolicyMember.iamMember | string | `"service-account-name"` | Name of the GCP Service Account to create. The service account will be created under the same project as the cluster in order to allow Workload Identity to work |
| iamPolicyMember.secretID | string | `"my-secret"` | Secret ID that the created service account will have access to |
| iamPolicyMember.secretProjectID | string | `"project"` | GCP Project that contains the secret that the created service account will have access to |


----------------------------------------------
| Key | Type | Default | Description |
| -------------------------------- | ------ | ------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| externalSecrets.clusterLocation | string | `"europe-west3"` | Location of the cluster in which to create the External Secrets K8s resources |
| externalSecrets.clusterName | string | `"cluster-name"` | Name of the cluster in which to create the External Secrets K8s resources |
| externalSecrets.clusterProjectID | string | `"project"` | GCP Project of the cluster in which to create the External Secrets K8s resources |
| externalSecrets.create | bool | `true` | Wether to create both the SecretStore and the ExternalSecret K8s Resources |
| iamPolicyMember.iamMember | string | `"service-account-name"` | Name of the GCP Service Account to create. The service account will be created under the same project as the cluster in order to allow Workload Identity to work |
| iamPolicyMember.secretID | string | `"my-secret"` | Secret ID that the created service account will have access to |
| iamPolicyMember.secretProjectID | string | `"project"` | GCP Project that contains the secret that the created service account will have access to |

---

Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0)

## IMPORTANT⚠️

Make sure your GKE cluster has properly configured config connector with project-wide permissions.

In the event you find the `iamPolicyMember` resources are sourcing the secrets but also showing `403` errors stating permission denied or resource does not exist, ensure that config connector has the right access to the resource.
You can do so running the following command:

```sh
gcloud secrets add-iam-policy-binding my-secret \
--role=roles/secretmanager.admin \
--member=serviceAccount:cnrm-system@my-gcp-project-name.iam.gserviceaccount.com \
--project=my-gcp-project-name
```

In the event you face this with more than one secret, you'll need to run this command against all the affected resources.
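Review bot: the `gcloud secrets add-iam-policy-binding` command in the new IMPORTANT section grants `roles/secretmanager.admin` to the Config Connector service account, which is broader than the failure it is fixing requires. To reconcile the `IAMPolicyMember` for the secret, Config Connector only needs to read and write that secret's IAM policy (`secretmanager.secrets.getIamPolicy` and `secretmanager.secrets.setIamPolicy`); `roles/secretmanager.admin` additionally lets `cnrm-system@...` read and add secret versions and delete the secret. Since no narrower predefined Secret Manager role carries `setIamPolicy`, either state that a custom role with just those two permissions is the least-privilege option and show it, or say explicitly that admin is a deliberate shortcut. Two smaller points in the same hunk: the example passes `--project=my-gcp-project-name` for both the member and the secret, but per the values table the secret lives in `iamPolicyMember.secretProjectID` while the service account is created in the cluster project, so the text should say `--project` must be the secret's project (the two differ in the cross-project case this chart exists for) and that the member name assumes the Config Connector Google service account was created as `cnrm-system`; and "Wether" in the `externalSecrets.create` description was carried over unchanged into the regenerated table and should read "Whether".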
