
Google Cloud Secret Manager Setup

This guide explains how to set up secrets in Google Cloud Secret Manager for the PlayMeme Helm chart deployment.

Step 1: Enable APIs

gcloud services enable secretmanager.googleapis.com

Step 2: Create Secrets

Create PostgreSQL Password Secret

$Alphabet = [char[]]((48..57) + (65..90) + (97..122))   # 0-9, A-Z, a-z
$PASSWORD = -join (1..32 | ForEach-Object { $i = [System.Security.Cryptography.RandomNumberGenerator]::GetInt32($Alphabet.Length); $Alphabet[$i] })   # CSPRNG, draws with replacement (PowerShell 7+); Get-Random is not cryptographically secure and -Count never repeats a character
[System.IO.File]::WriteAllText((Join-Path $PWD 'postgres-password.tmp'), $PASSWORD)   # write without a trailing newline (piping through echo appends one, which ends up in the password)
gcloud secrets create playmeme-postgres-password --data-file=postgres-password.tmp --replication-policy="automatic"; Remove-Item postgres-password.tmp

Create Admin Wallets Secret

Create the admin wallets secret (comma-separated list of Solana wallet addresses):

# Replace with your actual admin wallet addresses
$ADMIN_WALLETS = "wallet1_address,wallet2_address,wallet3_address"
[System.IO.File]::WriteAllText((Join-Path $PWD 'admin-wallets.tmp'), $ADMIN_WALLETS)   # write without a trailing newline (piping through echo appends one to the last address)
gcloud secrets create playmeme-admin-wallets --data-file=admin-wallets.tmp --replication-policy="automatic"; Remove-Item admin-wallets.tmp

Important:

  • Separate the wallet addresses with commas and no spaces (or trim any spaces before storing the value)
  • Example: "ABC123...,XYZ789...,DEF456..."
  • These wallets will have admin access to the admin panel and can update configuration values
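Because every address in this list gets admin access, it is worth validating the value before it goes into Secret Manager rather than discovering a stray space or typo after deployment. The following is an added example, not code from the PlayMeme chart: it trims each entry, rejects empty entries, duplicates and anything that is not a 32-byte base58 Solana public key (the page states the wallets are Solana addresses; the base58 decoder and the sample input are written here for the example), and returns the canonical comma-separated string to store.

```python
# Added example (not part of the PlayMeme chart): validate and normalize the
# comma-separated admin wallet list before it is stored in Secret Manager.
# Assumes admin wallets are Solana public keys (32-byte ed25519 keys in base58).

BASE58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
SOLANA_PUBKEY_BYTES = 32


def base58_decode(text: str) -> bytes:
    """Decode a base58 string (Bitcoin/Solana alphabet); raises ValueError on bad characters."""
    value = 0
    for ch in text:
        digit = BASE58_ALPHABET.find(ch)
        if digit < 0:
            raise ValueError(f"invalid base58 character {ch!r}")
        value = value * 58 + digit
    body = value.to_bytes((value.bit_length() + 7) // 8, "big") if value else b""
    # Each leading '1' encodes one zero byte that the integer conversion drops.
    leading_zeros = len(text) - len(text.lstrip("1"))
    return b"\x00" * leading_zeros + body


def is_solana_address(text: str) -> bool:
    """True when the text decodes to exactly 32 bytes."""
    if not text:
        return False
    try:
        return len(base58_decode(text)) == SOLANA_PUBKEY_BYTES
    except ValueError:
        return False


def normalize_admin_wallets(raw: str) -> str:
    """Trim whitespace around entries, reject empties, duplicates and malformed
    addresses, and return the canonical comma-separated value for the secret."""
    wallets = []
    for position, item in enumerate(raw.split(","), start=1):
        wallet = item.strip()
        if not wallet:
            raise ValueError(f"entry {position} is empty (stray comma?)")
        if not is_solana_address(wallet):
            raise ValueError(f"entry {position} is not a valid Solana address: {wallet!r}")
        if wallet in wallets:
            raise ValueError(f"entry {position} is a duplicate: {wallet}")
        wallets.append(wallet)
    if not wallets:
        raise ValueError("admin wallet list is empty")
    return ",".join(wallets)


if __name__ == "__main__":
    # Constructed input: two well-known program ids with stray whitespace around them.
    sample = " 11111111111111111111111111111111 , TokenkegQfeZyiNwAJbNbGKPFXCWuBvf9Ss623VQ5DA"
    print(normalize_admin_wallets(sample))
```

Run the normalized output through the `$ADMIN_WALLETS` step above; a rejected entry is cheaper to fix here than after the backend has read the secret.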

Step 3: Grant Access

Grant the Secret Manager Secret Accessor role to the service account your GKE nodes run as. The default Compute Engine service account is named after your project number:

$PROJECT_ID = "your-project-id"
$PROJECT_NUMBER = gcloud projects describe $PROJECT_ID --format="value(projectNumber)"
$GKE_SA = "$PROJECT_NUMBER-compute@developer.gserviceaccount.com"

gcloud projects add-iam-policy-binding $PROJECT_ID `
  --member="serviceAccount:$GKE_SA" `
  --role="roles/secretmanager.secretAccessor"

Note: If your GKE cluster uses a custom service account, find it with:

gcloud container clusters describe CLUSTER_NAME --zone=ZONE --format="value(nodeConfig.serviceAccount)"

Then grant the role to that service account instead.

Verify Secrets Setup

After deploying with Helm, verify that the secrets are mounted:

# Check SecretProviderClass
kubectl get secretproviderclass

# Check Kubernetes secrets created by CSI driver
kubectl get secrets | grep playmeme

# Verify pods can access secrets
kubectl describe pod -l app=playmeme-backend | grep -A 5 "Mounts:"

Troubleshooting

Secret not found

  • Verify that the secret name in values.yaml matches the secret in GCP Secret Manager
  • Check that gcp.projectId is set correctly in values.yaml

Permission denied

  • Ensure the service account has the roles/secretmanager.secretAccessor role
  • Verify that the service account email matches your GKE cluster's service account
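Both the Step 3 binding and the "Permission denied" checks above come down to one question: does the exact member string `serviceAccount:<email>` hold `roles/secretmanager.secretAccessor` without a condition. The following is an added example, not code from the PlayMeme chart or from gcloud: it reads a policy in the shape that `gcloud projects get-iam-policy PROJECT_ID --format=json` prints (the sample policy, project number and emails are constructed for the example), derives the default node service account email the same way Step 3 does, and reports whether the grant is present, present only under a condition, or missing. It also lists every member that holds the accessor role, because a project-level binding on the node service account lets every workload on those nodes read every secret in the project, so the list is worth reviewing.

```python
# Added example (not part of the PlayMeme chart or gcloud): inspect a project IAM
# policy for the binding Step 3 creates and explain a "permission denied".
import json

SECRET_ACCESSOR_ROLE = "roles/secretmanager.secretAccessor"

# Constructed sample policy (not a real project), in the layout of
# `gcloud projects get-iam-policy PROJECT_ID --format=json`. The second binding
# mirrors Step 3; the third only applies under an already expired condition.
SAMPLE_POLICY_JSON = """
{
  "bindings": [
    {
      "role": "roles/container.nodeServiceAccount",
      "members": ["serviceAccount:123456789012-compute@developer.gserviceaccount.com"]
    },
    {
      "role": "roles/secretmanager.secretAccessor",
      "members": [
        "serviceAccount:123456789012-compute@developer.gserviceaccount.com",
        "user:alice@example.com"
      ]
    },
    {
      "role": "roles/secretmanager.secretAccessor",
      "members": ["serviceAccount:ci-deployer@example-project.iam.gserviceaccount.com"],
      "condition": {
        "title": "expired-rotation-window",
        "expression": "request.time < timestamp('2020-01-01T00:00:00Z')"
      }
    }
  ],
  "etag": "BwX0example=",
  "version": 3
}
"""


def load_policy(policy_json: str) -> dict:
    """Parse the JSON that gcloud prints for a project policy."""
    return json.loads(policy_json)


def gke_default_node_sa(project_number: str) -> str:
    """Default Compute Engine SA used by GKE nodes when no custom SA is configured (as in Step 3)."""
    return f"{project_number}-compute@developer.gserviceaccount.com"


def bindings_for_member(policy: dict, member: str) -> list:
    """All (role, condition title or None) pairs in which this exact member string appears."""
    found = []
    for binding in policy.get("bindings", []):
        if member in binding.get("members", []):
            condition = binding.get("condition")
            found.append((binding["role"], condition["title"] if condition else None))
    return found


def check_secret_access(policy: dict, sa_email: str) -> dict:
    """Report whether sa_email holds the accessor role unconditionally at project level."""
    member = f"serviceAccount:{sa_email}"
    conditions = [cond for role, cond in bindings_for_member(policy, member)
                  if role == SECRET_ACCESSOR_ROLE]
    unconditional = any(cond is None for cond in conditions)
    return {
        "member": member,
        "granted": unconditional,
        # Present only through conditional bindings: access depends on the CEL expression.
        "conditional_only": bool(conditions) and not unconditional,
        "conditions": [cond for cond in conditions if cond is not None],
    }


def secret_accessor_members(policy: dict) -> list:
    """Every member granted the accessor role at project level; review for least privilege."""
    members = set()
    for binding in policy.get("bindings", []):
        if binding["role"] == SECRET_ACCESSOR_ROLE:
            members.update(binding.get("members", []))
    return sorted(members)


if __name__ == "__main__":
    policy = load_policy(SAMPLE_POLICY_JSON)
    print(check_secret_access(policy, gke_default_node_sa("123456789012")))
    print(check_secret_access(policy, "ci-deployer@example-project.iam.gserviceaccount.com"))
    print(secret_accessor_members(policy))
```

The member comparison is deliberately exact: a `user:` prefix, a different project number, or the cluster's custom service account (see the `nodeConfig.serviceAccount` command above) all show up here as a missing grant, which is the same thing the CSI driver sees.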