Creating secrets for GCP experiments
This section describes the steps you can follow to create a secret to execute GCP chaos experiments.
Step 1: Create a service account
Create a service account to derive the authentication secret to run experiments on GCP. To create the service account and secret:
- Set your current project. Replace <project-id> with your project ID:
gcloud config set project <project-id>
- Create a new service account. Replace <service-account-name> with the name you want to give to the service account:
gcloud iam service-accounts create <service-account-name>
Step 2: Generate new JSON key file
- After you create a new service account, generate a new JSON key file. Replace <service-account-name> with the name of your service account and <key-file> with the path where you want to save the key file:
gcloud iam service-accounts keys create <key-file> \
--iam-account <service-account-name>@<project-id>.iam.gserviceaccount.com
The generated JSON key file will contain the fields you mentioned, and it looks something like this:
{
"type": "service_account",
"project_id": "<project-id>",
"private_key_id": "<private-key-id>",
"private_key": "<private-key>",
"client_email": "<service-account-name>@<project-id>.iam.gserviceaccount.com",
"client_id": "<client-id>",
"auth_uri": "https://accounts.google.com/o/oauth2/auth",
"token_uri": "https://oauth2.googleapis.com/token",
"auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
"client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/<service-account-name>%40<project-id>.iam.gserviceaccount.com"
}
Step 3: Prepare the secret YAML
- Based on the JSON key file you created earlier, prepare the secret YAML:
apiVersion: v1
kind: Secret
metadata:
name: cloud-secret
type: Opaque
stringData:
type: "<type>"
project_id: "<project-id>"
private_key_id: "<private-key-id>"
private_key: <private-key>
client_email: "<client-email>"
client_id: "<client-id>"
auth_uri: "<auth-uri>"
token_uri: "<token-uri>"
auth_provider_x509_cert_url: "<auth-provider-x509-cert-url>"
client_x509_cert_url: "<client-x509-cert-url>"
warning
Newline (\n) characters within the private key are crucial. Avoid using double quotes to prevent their loss.
Step 4: Apply the secret YAML in desired namespace
- Apply the secret YAML file you created earlier in the chaos infrastructure namespace using the command:
kubectl apply -f secret.yaml -n <CHAOS-NAMESPACE>