BREAKING: feat: GCP Secret Manager Backend Enhancements (#347)

BREAKING CHANGES: Changes how keys are specified for external secrets using GCP Secret manager backend. `projects/111122223333/secrets/my-secret/versions/latest` -> `my-secret`
external-secrets · Apr 27, 2020 · 865caeb · 865caeb
1 parent 002536a
commit 865caeb
Show file tree

Hide file tree

Showing 7 changed files with 43 additions and 13 deletions.
diff --git a/README.md b/README.md
@@ -475,4 +475,4 @@ Add secrets using the AWS cli (example)
 
 ```sh
 AWS_ACCESS_KEY_ID=foobar AWS_SECRET_ACCESS_KEY=foobar aws --region=us-west-2 --endpoint-url=http://localhost:4584 secretsmanager create-secret --name hello-service/password --secret-string "1234"
-```
+```
diff --git a/charts/kubernetes-external-secrets/templates/deployment.yaml b/charts/kubernetes-external-secrets/templates/deployment.yaml
@@ -86,4 +86,4 @@ spec:
         secret:
           secretName: {{ $value.secret }}
       {{- end }}
-      {{- end }}
+      {{- end }}
diff --git a/charts/kubernetes-external-secrets/values.yaml b/charts/kubernetes-external-secrets/values.yaml
@@ -9,7 +9,7 @@ env:
   LOG_LEVEL: info
   METRICS_PORT: 3001
   VAULT_ADDR: http://127.0.0.1:8200
-# GOOGLE_APPLICATION_CREDENTIALS: /app/gcp-creds.json
+  GOOGLE_APPLICATION_CREDENTIALS: /app/gcp-creds/gcp-creds.json
 
 # Create environment variables from existing k8s secrets
 # envVarsFromSecret:
@@ -33,7 +33,7 @@ env:
 # filesFromSecret:
 #   gcp-creds:
 #     secret: gcp-creds
-#     mountPath: /app/gcp-creds.json
+#     mountPath: /app/gcp-creds
 
 rbac:
   # Specifies whether RBAC resources should be created
@@ -86,4 +86,4 @@ affinity: {}
 serviceMonitor:
   enabled: false
   interval: "30s"
-  namespace: 
+  namespace: 
diff --git a/examples/gcpsecretsmanager-example copy.yaml → ...les/hello-service-external-secret-gcp.yml b/examples/gcpsecretsmanager-example copy.yaml → ...les/hello-service-external-secret-gcp.yml
@@ -4,7 +4,9 @@ metadata:
   name: gcp-secrets-manager-example
 spec:
   backendType: gcpSecretsManager
+  gcpProjectId: hello-service-project-id
   data:
-    - key: projects/111122223333/secrets/my-secret/versions/latest
+    - key: hello-service-password
       name: password
       property: value
+      version: 1
diff --git a/lib/backends/gcp-secrets-manager-backend.js b/lib/backends/gcp-secrets-manager-backend.js
@@ -14,16 +14,38 @@ class GCPSecretsManagerBackend extends KVBackend {
     this._client = client
   }
 
+  /**
+  * Gets the project id from auth object from the GCP Secret Manager Client
+  */
+  _getProjectId () {
+    return this._client.auth._cachedProjectId
+  }
+
   /**
    * Get secret property value from GCP Secrets Manager.
-   * @param {string} key - Key used to store secret property value in GCP Secrets Manager.
-   * @param {boolean} keyOptions.isBinary - Is the secret base64 encoded? Set to true to handle as binary.
+   * @param {string} key - Key used to store secret property value in Azure Key Vault.
+   * @param {string} specOptions.projectId - Id of the gcp project, if not passed, this will be fetched from the client auth
+   * @param {string} keyOptions.version - If version is passed then fetch that version, else fetch the latest version
    * @returns {Promise} Promise object representing secret property value.
    */
-  async _get ({ key, keyOptions }) {
-    this._logger.info(`fetching secret ${key} from GCP Secret Manager`)
+  async _get ({ key, keyOptions, specOptions: { projectId } }) {
+    if (!projectId) {
+      // get the project id from client
+      projectId = this._getProjectId()
+    }
+
+    let secretVersion
+    if (!keyOptions || !keyOptions.version) {
+      // get the latest version
+      secretVersion = 'latest'
+    } else {
+      secretVersion = keyOptions.version
+    }
+
+    this._logger.info(`fetching secret ${key} from GCP Secret for project ${projectId} with version ${secretVersion}`)
+
     const version = await this._client.accessSecretVersion({
-      name: key
+      name: 'projects/' + projectId + '/secrets/' + key + '/versions/' + secretVersion
     })
     const secret = { value: version[0].payload.data.toString('utf8') }
     // Handle binary files - this is useful when you've stored a base64 encoded string

diff --git a/lib/backends/gcp-secrets-manager-backend.test.js b/lib/backends/gcp-secrets-manager-backend.test.js
@@ -24,12 +24,18 @@ describe('GCPSecretsManagerBackend', () => {
       logger: loggerMock,
       client: clientMock
     })
+
+    gcpSecretsManagerBackend._getProjectId = sinon.stub().returns('111122223333')
   })
 
   describe('_get', () => {
     it('returns secret property value', async () => {
       const secretPropertyValue = await gcpSecretsManagerBackend._get({
-        key: key
+        key: key,
+        keyOptions: { version: 1 },
+        specOptions: {
+          projectId: '111122223333'
+        }
       })
       expect(secretPropertyValue).equals(secret)
     })

diff --git a/package-lock.json b/package-lock.json
-Original file line number
+Diff line change
@@ Expand Up / @@ -475,4 +475,4 @@ Add secrets using the AWS cli (example) @@
     ```sh
     AWS_ACCESS_KEY_ID=foobar AWS_SECRET_ACCESS_KEY=foobar aws --region=us-west-2 --endpoint-url=http://localhost:4584 secretsmanager create-secret --name hello-service/password --secret-string "1234"
-    ```
+    ```