harness · uditgaurav · Sep 4, 2025
@@ -28,16 +28,20 @@ metadata:
   name: cloud-secret
 type: Opaque
 stringData:
-  type:
-  project_id:
-  private_key_id:
-  private_key:
-  client_email:
-  client_id:
-  auth_uri:
-  token_uri:
-  auth_provider_x509_cert_url:
-  client_x509_cert_url:
+  gcp.auth: |-
+    {
+      "type": "service_account",
+      "project_id": "<PROJECT_ID>",
+      "private_key_id": "<PRIVATE_KEY_ID>",
+      "private_key": "<PRIVATE_KEY>",
+      "client_email": "<CLIENT_EMAIL>",
+      "client_id": "<CLIENT_ID>",
+      "auth_uri": "https://accounts.google.com/o/oauth2/auth",
+      "token_uri": "https://oauth2.googleapis.com/token",
+      "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
+      "client_x509_cert_url": "<CLIENT_X509_CERT_URL>"
+      "universe_domain": "googleapis.com"
+    }
 ```
 
 ### Mandatory tunables

@@ -28,16 +28,20 @@ metadata:
   name: cloud-secret
 type: Opaque
 stringData:
-  type:
-  project_id:
-  private_key_id:
-  private_key:
-  client_email:
-  client_id:
-  auth_uri:
-  token_uri:
-  auth_provider_x509_cert_url:
-  client_x509_cert_url:
+  gcp.auth: |-
+    {
+      "type": "service_account",
+      "project_id": "<PROJECT_ID>",
+      "private_key_id": "<PRIVATE_KEY_ID>",
+      "private_key": "<PRIVATE_KEY>",
+      "client_email": "<CLIENT_EMAIL>",
+      "client_id": "<CLIENT_ID>",
+      "auth_uri": "https://accounts.google.com/o/oauth2/auth",
+      "token_uri": "https://oauth2.googleapis.com/token",
+      "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
+      "client_x509_cert_url": "<CLIENT_X509_CERT_URL>"
+      "universe_domain": "googleapis.com"
+    }
 ```
 
 ### Mandatory tunables

@@ -29,16 +29,20 @@ metadata:
   name: cloud-secret
 type: Opaque
 stringData:
-  type:
-  project_id:
-  private_key_id:
-  private_key:
-  client_email:
-  client_id:
-  auth_uri:
-  token_uri:
-  auth_provider_x509_cert_url:
-  client_x509_cert_url:
+  gcp.auth: |-
+    {
+      "type": "service_account",
+      "project_id": "<PROJECT_ID>",
+      "private_key_id": "<PRIVATE_KEY_ID>",
+      "private_key": "<PRIVATE_KEY>",
+      "client_email": "<CLIENT_EMAIL>",
+      "client_id": "<CLIENT_ID>",
+      "auth_uri": "https://accounts.google.com/o/oauth2/auth",
+      "token_uri": "https://oauth2.googleapis.com/token",
+      "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
+      "client_x509_cert_url": "<CLIENT_X509_CERT_URL>"
+      "universe_domain": "googleapis.com"
+    }
 ```
 
 ## Fault tunables

@@ -26,16 +26,20 @@ metadata:
   name: cloud-secret
 type: Opaque
 stringData:
-  type:
-  project_id:
-  private_key_id:
-  private_key:
-  client_email:
-  client_id:
-  auth_uri:
-  token_uri:
-  auth_provider_x509_cert_url:
-  client_x509_cert_url:
+  gcp.auth: |-
+    {
+      "type": "service_account",
+      "project_id": "<PROJECT_ID>",
+      "private_key_id": "<PRIVATE_KEY_ID>",
+      "private_key": "<PRIVATE_KEY>",
+      "client_email": "<CLIENT_EMAIL>",
+      "client_id": "<CLIENT_ID>",
+      "auth_uri": "https://accounts.google.com/o/oauth2/auth",
+      "token_uri": "https://oauth2.googleapis.com/token",
+      "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
+      "client_x509_cert_url": "<CLIENT_X509_CERT_URL>"
+      "universe_domain": "googleapis.com"
+    }
 ```
 
 ### Mandatory tunables

@@ -29,16 +29,20 @@ metadata:
   name: cloud-secret
 type: Opaque
 stringData:
-  type:
-  project_id:
-  private_key_id:
-  private_key:
-  client_email:
-  client_id:
-  auth_uri:
-  token_uri:
-  auth_provider_x509_cert_url:
-  client_x509_cert_url:
+  gcp.auth: |-
+    {
+      "type": "service_account",
+      "project_id": "<PROJECT_ID>",
+      "private_key_id": "<PRIVATE_KEY_ID>",
+      "private_key": "<PRIVATE_KEY>",
+      "client_email": "<CLIENT_EMAIL>",
+      "client_id": "<CLIENT_ID>",
+      "auth_uri": "https://accounts.google.com/o/oauth2/auth",
+      "token_uri": "https://oauth2.googleapis.com/token",
+      "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
+      "client_x509_cert_url": "<CLIENT_X509_CERT_URL>"
+      "universe_domain": "googleapis.com"
+    }
 ```
 
 ### Mandatory tunables

@@ -35,16 +35,20 @@ metadata:
   name: cloud-secret
 type: Opaque
 stringData:
-  type:
-  project_id:
-  private_key_id:
-  private_key:
-  client_email:
-  client_id:
-  auth_uri:
-  token_uri:
-  auth_provider_x509_cert_url:
-  client_x509_cert_url:
+  gcp.auth: |-
+    {
+      "type": "service_account",
+      "project_id": "<PROJECT_ID>",
+      "private_key_id": "<PRIVATE_KEY_ID>",
+      "private_key": "<PRIVATE_KEY>",
+      "client_email": "<CLIENT_EMAIL>",
+      "client_id": "<CLIENT_ID>",
+      "auth_uri": "https://accounts.google.com/o/oauth2/auth",
+      "token_uri": "https://oauth2.googleapis.com/token",
+      "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
+      "client_x509_cert_url": "<CLIENT_X509_CERT_URL>"
+      "universe_domain": "googleapis.com"
+    }
 ```
 
 ### Mandatory tunables

@@ -14,21 +14,21 @@ Create a service account to derive the authentication secret to run experiments
 
 1. Set your current project. Replace &lt;project-id&gt; with your project ID:
 
-  ```bash
+```bash
   gcloud config set project <project-id>
-  ```
+```
 
 2. Create a new service account. Replace &lt;service-account-name&gt; with the name you want to give to the service account:
 
-  ```bash
-  gcloud iam service-accounts create <service-account-name>
-  ```
+```bash
+    gcloud iam service-accounts create <service-account-name>
+```
 ### Step 2: Generate new JSON key file
 
 3. After you create a new service account, generate a new JSON key file. Replace &lt;service-account-name&gt; with the name of your service account and &lt;key-file&gt; with the path where you want to save the key file:
 
   ```bash
-  gcloud iam service-accounts keys create <key-file> \
+    gcloud iam service-accounts keys create <key-file> \
   --iam-account <service-account-name>@<project-id>.iam.gserviceaccount.com
   ```
 
@@ -37,15 +37,16 @@ The generated JSON key file will contain the fields you mentioned, and it looks
 ```json
   {
       "type": "service_account",
-      "project_id": "<project-id>",
-      "private_key_id": "<private-key-id>",
-      "private_key": "<private-key>",
-      "client_email": "<service-account-name>@<project-id>.iam.gserviceaccount.com",
-      "client_id": "<client-id>",
+      "project_id": "<PROJECT_ID>",
+      "private_key_id": "<PRIVATE_KEY_ID>",
+      "private_key": "<PRIVATE_KEY>",
+      "client_email": "<CLIENT_EMAIL>",
+      "client_id": "<CLIENT_ID>",
       "auth_uri": "https://accounts.google.com/o/oauth2/auth",
       "token_uri": "https://oauth2.googleapis.com/token",
       "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
-      "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/<service-account-name>%40<project-id>.iam.gserviceaccount.com"
+      "client_x509_cert_url": "<CLIENT_X509_CERT_URL>",
+      "universe_domain": "googleapis.com"
   }
 ```
 
@@ -59,25 +60,25 @@ The generated JSON key file will contain the fields you mentioned, and it looks
     name: cloud-secret
   type: Opaque
   stringData:
-    type: "<type>"
-    project_id: "<project-id>"
-    private_key_id: "<private-key-id>"
-    private_key: <private-key>
-    client_email: "<client-email>"
-    client_id: "<client-id>"
-    auth_uri: "<auth-uri>"
-    token_uri: "<token-uri>"
-    auth_provider_x509_cert_url: "<auth-provider-x509-cert-url>"
-    client_x509_cert_url: "<client-x509-cert-url>"
+    gcp.auth: |-
+      {
+        "type": "service_account",
+        "project_id": "<PROJECT_ID>",
+        "private_key_id": "<PRIVATE_KEY_ID>",
+        "private_key": "<PRIVATE_KEY>",
+        "client_email": "<CLIENT_EMAIL>",
+        "client_id": "<CLIENT_ID>",
+        "auth_uri": "https://accounts.google.com/o/oauth2/auth",
+        "token_uri": "https://oauth2.googleapis.com/token",
+        "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
+        "client_x509_cert_url": "<CLIENT_X509_CERT_URL>"
+        "universe_domain": "googleapis.com"
+      }
 ```
 
-:::warning
-Newline (\n) characters within the private key are crucial. Avoid using double quotes to prevent their loss.
-:::
-
 ### Step 4: Apply the secret YAML in desired namespace
 5. Apply the secret YAML file you created earlier in the chaos infrastructure namespace using the command:
 
-  ```bash
+```bash
   kubectl apply -f secret.yaml -n <CHAOS-NAMESPACE>
-  ```
+```