roachprod: fetch secrets from cloud store

Due to the complexity of fetching the secrets from the secrets manager, the secrets are now maintained in cloud storage. Fixes: #117125 Epic: none
cockroachdb · May 15, 2024 · 8d3b7c9 · 8d3b7c9
1 parent d883247
commit 8d3b7c9
Show file tree

Hide file tree

Showing 5 changed files with 21 additions and 28 deletions.
diff --git a/go.mod b/go.mod
@@ -87,7 +87,6 @@ require (
 )
 
 require (
-	cloud.google.com/go/secretmanager v1.10.0
 	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.3.0
 	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.1.0
 	github.com/Azure/azure-sdk-for-go/sdk/keyvault/azkeys v0.9.0

diff --git a/go.sum b/go.sum
@@ -61,8 +61,6 @@ cloud.google.com/go/pubsub v1.2.0/go.mod h1:jhfEVHT8odbXTkndysNHCcx0awwzvfOlguIA
 cloud.google.com/go/pubsub v1.3.1/go.mod h1:i+ucay31+CNRpDW4Lu78I4xXG+O1r/MAHgjpRVR+TSU=
 cloud.google.com/go/pubsub v1.28.0 h1:XzabfdPx/+eNrsVVGLFgeUnQQKPGkMb8klRCeYK52is=
 cloud.google.com/go/pubsub v1.28.0/go.mod h1:vuXFpwaVoIPQMGXqRyUQigu/AX1S3IWugR9xznmcXX8=
-cloud.google.com/go/secretmanager v1.10.0 h1:pu03bha7ukxF8otyPKTFdDz+rr9sE3YauS5PliDXK60=
-cloud.google.com/go/secretmanager v1.10.0/go.mod h1:MfnrdvKMPNra9aZtQFvBcvRU54hbPD8/HayQdlUgJpU=
 cloud.google.com/go/storage v1.0.0/go.mod h1:IhtSnM/ZTZV8YYJWCY8RULGVqBDmpoyjwiyrjsg+URw=
 cloud.google.com/go/storage v1.5.0/go.mod h1:tpKbwo567HUNpVclU5sGELwQWBDZ8gh0ZeosJ0Rtdos=
 cloud.google.com/go/storage v1.6.0/go.mod h1:N7U0C8pVQ/+NIKOBQyamJIeKQKkZ+mxpohlUTyfDhBk=

diff --git a/pkg/cmd/roachprod/main.go b/pkg/cmd/roachprod/main.go
@@ -559,9 +559,6 @@ var updateTargetsCmd = &cobra.Command{
 The "start" command updates the prometheus target configuration every time. But, in case of any  
 failure, this command can be used to update the configurations. 
 
-The --args and --env flags can be used to pass arbitrary command line flags and
-environment variables to the cockroach process.
-` + tagHelp + `
 The default prometheus url is https://grafana.testeng.crdb.io/. This can be overwritten by using the
 environment variable COCKROACH_PROM_HOST_URL
 
@@ -570,9 +567,7 @@ Note that if the cluster is started in insecure mode, set the insecure mode here
 	Args: cobra.ExactArgs(1),
 	Run: wrap(func(cmd *cobra.Command, args []string) error {
 		clusterSettingsOpts := []install.ClusterSettingOption{
-			install.TagOption(tag),
 			install.SecureOption(isSecure),
-			install.EnvOption(nodeEnv),
 		}
 		return roachprod.UpdateTargets(context.Background(), config.Logger, args[0], clusterSettingsOpts...)
 	}),

diff --git a/pkg/roachprod/promhelperclient/BUILD.bazel b/pkg/roachprod/promhelperclient/BUILD.bazel
@@ -12,8 +12,7 @@ go_library(
         "//pkg/roachprod/logger",
         "//pkg/util/httputil",
         "@com_github_cockroachdb_errors//:errors",
-        "@com_google_cloud_go_secretmanager//apiv1",
-        "@com_google_cloud_go_secretmanager//apiv1/secretmanagerpb",
+        "@com_google_cloud_go_storage//:storage",
         "@org_golang_google_api//idtoken",
         "@org_golang_x_oauth2//:oauth2",
     ],

diff --git a/pkg/roachprod/promhelperclient/promhelper_utils.go b/pkg/roachprod/promhelperclient/promhelper_utils.go
@@ -13,12 +13,12 @@ package promhelperclient
 import (
 	"context"
 	"fmt"
+	"io"
 	"os"
 	"path/filepath"
 	"strings"
 
-	secretmanager "cloud.google.com/go/secretmanager/apiv1"
-	"cloud.google.com/go/secretmanager/apiv1/secretmanagerpb"
+	"cloud.google.com/go/storage"
 	"github.com/cockroachdb/cockroach/pkg/roachprod/logger"
 )
 
@@ -33,18 +33,17 @@ var (
 type FetchedFrom string
 
 const (
-	Env       FetchedFrom = "Env"       // fetched from environment
-	File      FetchedFrom = "File"      // fetched from the promCredFile
-	SecretMgr FetchedFrom = "SecretMgr" // fetched from the secrets manager
+	Env   FetchedFrom = "Env"   // fetched from environment
+	File  FetchedFrom = "File"  // fetched from the promCredFile
+	Store FetchedFrom = "Store" // fetched from the secrets manager
 
-	// secretsDelimiter is used as a delimeter between service account audience and JSON when stored in promCredFile or
-	// secrets manager
+	// secretsDelimiter is used as a delimiter between service account audience and JSON when stored in
+	// promCredFile or cloud storage
 	secretsDelimiter = "--||--"
 
-	// project secrets and versions are for fetching the creds from secrets manager
-	project  = "cockroach-ephemeral"
-	secrets  = "prom-helpers-access"
-	versions = "latest"
+	// bucket and objectLocation are for fetching the creds for store
+	bucket         = "promhelpers"
+	objectLocation = "promhelpers-secrets"
 )
 
 // SetPromHelperCredsEnv sets the environment variables ServiceAccountAudience and
@@ -82,21 +81,24 @@ func SetPromHelperCredsEnv(
 	if creds == "" {
 		// creds == "" means (env is not set and the file does not have the creds) or forFetch is true
 		l.Printf("creds need to be fetched from secret manager.")
-		client, err := secretmanager.NewClient(ctx)
+		client, err := storage.NewClient(ctx)
 		if err != nil {
 			return fetchedFrom, err
 		}
 		defer func() { _ = client.Close() }()
-		req := &secretmanagerpb.AccessSecretVersionRequest{
-			Name: fmt.Sprintf("projects/%s/secrets/%s/versions/%s", project, secrets, versions),
+		fetchedFrom = Store
+		obj := client.Bucket(bucket).Object(objectLocation)
+		r, err := obj.NewReader(ctx)
+		if err != nil {
+			return fetchedFrom, err
 		}
-		fetchedFrom = SecretMgr
-		secrets, err := client.AccessSecretVersion(ctx, req)
+		defer func() { _ = r.Close() }()
+		body, err := io.ReadAll(r)
+		creds = string(body)
 		if err != nil {
 			return fetchedFrom, err
 		}
-		creds = string(secrets.GetPayload().GetData())
-		err = os.WriteFile(promCredFile, []byte(creds), 0700)
+		err = os.WriteFile(promCredFile, body, 0700)
 		if err != nil {
 			l.Errorf("error writing to the credential file: %v", err)
 		}