Support secrets from a different GCP project #19

Open
chaodaiG opened this issue Mar 12, 2021 · 4 comments

@chaodaiG

This would be very handy in a collaborative setting. Imagine the scenario of:

  • cluster cA lives in project pA and contains lots of secrets from different teams
  • the maintainer of cluster cA doesn't want subteams to have write access on secrets in project pA for security reasons
  • team B owns project pB but not pA, and doesn't mind cluster cA having read access on secrets in project pB

If gsm supports a different project, the workflow can become:

  1. team B grants project pB secret read access to the service account from project pA
  2. team B creates secret precious in pB
  3. team B creates a pull request to the repo that contains the config of cluster cA, with an empty secret that says this is a secret precious from project pB
  4. cluster cA can then pull precious from pB and fill it in
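
The access split this workflow depends on can be checked against the two projects' IAM policies. The sketch below is an added example, not part of the issue or the controller's code: it audits policy JSON in the standard IAM `bindings` shape and reports when cluster cA's service account holds more than read access in pB or team B holds a secret write role in pA. The member names and sample policies are constructed, and IAM conditions and bindings inherited from folders or the organization are not evaluated.

```python
# Added example: audits the read-only / no-write split described in the issue.
# Policies use the IAM policy JSON shape: {"bindings": [{"role": ..., "members": [...]}]}.
ACCESSOR = "roles/secretmanager.secretAccessor"  # read secret payloads only
WRITE_ROLES = {  # Secret Manager roles that allow changing secrets
    "roles/secretmanager.admin",
    "roles/secretmanager.secretVersionAdder",
    "roles/secretmanager.secretVersionManager",
}


def roles_for(policy, member):
    """Return every role the policy binds directly to `member`."""
    return {b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", [])}


def audit(pb_policy, pa_policy, cluster_sa, team_b):
    """Return findings; an empty list means the split from the issue holds."""
    findings = []
    sa_roles = roles_for(pb_policy, cluster_sa)
    if ACCESSOR not in sa_roles:
        findings.append(f"pB: {cluster_sa} has no {ACCESSOR} binding")
    for role in sorted(sa_roles - {ACCESSOR}):
        findings.append(f"pB: {cluster_sa} also holds {role}")
    for role in sorted(roles_for(pa_policy, team_b) & WRITE_ROLES):
        findings.append(f"pA: {team_b} holds write role {role}")
    return findings


# Constructed sample data (hypothetical identities and policies).
CLUSTER_SA = "serviceAccount:ca-secrets@pa-example.iam.gserviceaccount.com"
TEAM_B = "group:team-b@example.com"
PB_GOOD = {"bindings": [
    {"role": ACCESSOR, "members": [CLUSTER_SA]},
    {"role": "roles/secretmanager.admin", "members": [TEAM_B]},
]}
PA_GOOD = {"bindings": [
    {"role": "roles/secretmanager.admin",
     "members": ["group:ca-maintainers@example.com"]},
]}
PB_BAD = {"bindings": [
    {"role": ACCESSOR, "members": [CLUSTER_SA]},
    {"role": "roles/secretmanager.secretVersionManager", "members": [CLUSTER_SA]},
]}
PA_BAD = {"bindings": [
    {"role": "roles/secretmanager.secretVersionAdder", "members": [TEAM_B]},
]}

if __name__ == "__main__":
    for finding in audit(PB_BAD, PA_BAD, CLUSTER_SA, TEAM_B):
        print(finding)
```
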
@chaodaiG
Author

@rawlingsj, if this repo is open to collaboration I won't mind contributing

@rawlingsj
Member

Absolutely! All contributions welcome :)

@rawlingsj
Member

Fwiw, it might be worth looking at https://github.com/external-secrets/kubernetes-external-secrets if you need to work with multiple secret managers, which Jenkins X does, so we default to that. Having said that, this controller is totally fine if you prefer. Just wanted to mention both in case you'd not seen the other project.

@chaodaiG
Author

> Fwiw, it might be worth looking at https://github.com/external-secrets/kubernetes-external-secrets if you need to work with multiple secret managers, which Jenkins X does, so we default to that. Having said that, this controller is totally fine if you prefer. Just wanted to mention both in case you'd not seen the other project.

Actually I was also just checking here :)
https://github.com/external-secrets/kubernetes-external-secrets#gcp-secret-manager

And I believe it solves both problems I would like gsm to solve, so I will take a look there. Thank you for your prompt response, btw.
