
GCP GSM and Landing Zone

This project uses GSM (Google Secret Manager) for secret keeping.

There are two kinds of GCP (Google Cloud Platform) project that contain the secrets:
- platform-secret-manager-prod
- ftmo-cr-Xs-trader-0, where X is one of [d]evelopment, [s]tage, [p]roduction

platform-secret-manager-prod

This project is handled and maintained by DevOps/CloudInfra team and its configuration is located here.

Secret names are prefixed with the owning team and the environment, e.g.

trader--[environment]--[secretName]

Where environment can be one of the following:
- dev
- stage
- preprod
- prod

Access to these secrets is handled here.

Landing Zone

In order to allow developers to take care of their own infra, Landing Zone projects were created. The naming convention for these projects is as follows:

ftmo-cr-XY-trader-0

Where X is one of [d]evelopment, [s]tage, [p]roduction and Y is one of [a]utomation, [s]ervice.
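As an added example (not part of this project's tooling), a small Python validator for both naming conventions above, the trader--[environment]--[secretName] secret names and the ftmo-cr-XY-trader-0 project IDs; the secret ID character set is Secret Manager's documented rule (letters, digits, hyphen, underscore, up to 255 characters) and gsm_resource_path assumes the standard projects/.../secrets/.../versions/... resource form.

```python
import re

# Allowed values come from this page's naming conventions.
SECRET_ENVIRONMENTS = ("dev", "stage", "preprod", "prod")
LZ_ENVIRONMENTS = {"d": "development", "s": "stage", "p": "production"}
LZ_KINDS = {"a": "automation", "s": "service"}
# Secret Manager secret IDs: letters, digits, '-' and '_', up to 255 chars.
SECRET_ID_RE = re.compile(r"^[A-Za-z0-9_-]{1,255}$")
SECRET_RE = re.compile(r"^trader--(?P<env>[a-z]+)--(?P<name>[A-Za-z0-9_-]+)$")
LZ_PROJECT_RE = re.compile(r"^ftmo-cr-(?P<env>[a-z])(?P<kind>[a-z])-trader-0$")

def parse_secret_name(secret_id):
    """Split trader--[environment]--[secretName]; ValueError if off-convention."""
    m = SECRET_RE.match(secret_id)
    if not m or not SECRET_ID_RE.match(secret_id):
        raise ValueError(f"{secret_id!r} is not trader--<environment>--<secretName>")
    env = m.group("env")
    if env not in SECRET_ENVIRONMENTS:
        raise ValueError(f"unknown environment {env!r}, expected one of {SECRET_ENVIRONMENTS}")
    return env, m.group("name")

def parse_lz_project(project_id):
    """Spell out X and Y of an ftmo-cr-XY-trader-0 project ID; ValueError otherwise."""
    m = LZ_PROJECT_RE.match(project_id)
    if not m:
        raise ValueError(f"{project_id!r} is not ftmo-cr-XY-trader-0")
    env, kind = m.group("env"), m.group("kind")
    if env not in LZ_ENVIRONMENTS or kind not in LZ_KINDS:
        raise ValueError(f"{project_id!r}: X must be d/s/p and Y must be a/s")
    return LZ_ENVIRONMENTS[env], LZ_KINDS[kind]

def naming_problems(project_id, secret_id):
    """List convention violations for a (project, secret) pair; [] means OK."""
    problems = []
    try:
        if project_id == "platform-secret-manager-prod":
            parse_secret_name(secret_id)  # shared project: trader-- prefix required
        else:
            parse_lz_project(project_id)  # any other project must be a Landing Zone
            if not SECRET_ID_RE.match(secret_id):
                problems.append(f"{secret_id!r} is not a valid secret ID")
    except ValueError as exc:
        problems.append(str(exc))
    return problems

def gsm_resource_path(project_id, secret_id, version="latest"):
    """Secret Manager version resource name, built only for conforming names."""
    problems = naming_problems(project_id, secret_id)
    if problems:
        raise ValueError("; ".join(problems))
    return f"projects/{project_id}/secrets/{secret_id}/versions/{version}"
```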

Only maintainers need to know about the automation project.

For developers, the service configuration can be found in trader-infrastructure.

Access to Secrets

Historically, trader has the need to access secrets through all possible channels. These include:
- direct developer access
- kubernetes access
- gitlab pipelines access

Direct Developer Access

In order to access secrets on your development machine, you have to be granted accessor permissions through LZ. Please see user-access.tf for more information and details about the access.

All developers can also add and edit secret versions through the Google Cloud Console.

Kubernetes Access

For our applications running in k8s to access the secrets, there is a service account configured for every kubernetes namespace. These are preconfigured in user-access.tf, but it is still worth knowing about this avenue of access.

Gitlab Pipeline Access

When a developer wants to run a pipeline that requires a GSM secret, they need proper access to the secrets. This is done through WIF (Workload Identity Federation), better known as magic. The configuration is in user-access.tf, and you will have to provide the GitLab user ID of everyone you want to grant pipeline access to.

Debugging Secret Access in Landing Zone

There is a canary check for proper access:
- you can run the command ./bin/console debug:test-lz-gsm to verify your local access
- the same command can be used in the kube service to verify its access
- every pipeline that needs secret access has the canary secret as a requirement

If any of these fail, consult with maintainers, preferably directly with Karel Syrový.