Using Console
Using CLI
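# Client-side encryption of one secret value with Cloud KMS, then storing the
# ciphertext in a Kubernetes Secret. Bracketed names are placeholders.
# NOTE(review): this protects only the value encrypted here, and every consumer
# must call KMS to decrypt it. Encrypting all Secrets at rest in etcd is a
# cluster-level setting (gcloud container clusters ... --database-encryption-key);
# confirm which control the surrounding guidance intends.

# 1. List the Secrets that currently exist in the active namespace.
kubectl get secrets

# 2. Create a key ring, then a symmetric encryption key inside it.
#    These are two separate commands; run them one after the other.
gcloud kms keyrings create [KEYRING-NAME] --location [LOCATION]
gcloud kms keys create [KEY-NAME] --location [LOCATION] --keyring [KEYRING-NAME] --purpose encryption

# 3. Encrypt the plaintext file. The plaintext file is left on disk by this
#    command; remove it once the ciphertext has been verified.
gcloud kms encrypt --key [KEY-NAME] --keyring [KEYRING-NAME] --location [LOCATION] --plaintext-file [SECRET-FILE-PATH] --ciphertext-file [ENCRYPTED-FILE-PATH]

# 4. Store the ciphertext in a Secret. --from-file takes [key=]source, so the
#    text before the second '=' becomes the data key inside the Secret; it must
#    be a valid key name (letters, digits, '-', '_', '.'), which a path that
#    contains '/' is not.
kubectl create secret generic [SECRET-NAME] --from-file=[SECRET-FILE-PATH]=[ENCRYPTED-FILE-PATH]

# 5. Confirm the Secret exists. describe prints key names and sizes, not values.
kubectl get secrets
kubectl describe secret [SECRET-NAME]

# 6. NOTE(review): presumably this removes the earlier, unencrypted Secret. If
#    [SECRET-NAME] is the one created in step 4, it deletes the new Secret;
#    confirm the intended target before running.
kubectl delete secret [SECRET-NAME]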
Using Python
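import base64

from google.cloud import kms_v1
from google.oauth2 import service_account
from kubernetes import client, config

# Re-encrypt one value of an existing Kubernetes Secret with a Cloud KMS key and
# write the ciphertext back in place. After this runs, consumers of the Secret
# receive KMS ciphertext and must call KMS decrypt themselves.

# Authenticate to Google Cloud with a service-account key file.
# NOTE(review): 'key.json' is a long-lived credential; keep it out of source
# control and restrict its file permissions, or use ambient credentials where
# the environment provides them.
credentials = service_account.Credentials.from_service_account_file('key.json')
kms_client = kms_v1.KeyManagementServiceClient(credentials=credentials)

# Full resource name of the CryptoKey.
# NOTE(review): crypto_key_path_path and the positional encrypt() call below
# match older google-cloud-kms releases; newer releases appear to expose
# crypto_key_path and take encrypt() arguments by keyword. Confirm against the
# installed version.
key_name = kms_client.crypto_key_path_path('project-id', 'location', 'key-ring', 'key')

# Read the Secret using the local kubeconfig context.
config.load_kube_config()
v1 = client.CoreV1Api()
secret = v1.read_namespaced_secret('secret-name', 'namespace')

# Secret.data values are base64-encoded strings, so decode to the raw bytes
# before encrypting; otherwise the base64 text is what gets encrypted.
plaintext = base64.b64decode(secret.data['key'])
response = kms_client.encrypt(key_name, plaintext)

# response.ciphertext is raw bytes; the API only accepts base64 text in
# Secret.data, so encode it before writing the Secret back.
secret.data['key'] = base64.b64encode(response.ciphertext).decode('ascii')
v1.replace_namespaced_secret('secret-name', 'namespace', secret)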