
feat(secrets): begin migration to secret manager from keystore #587

Merged
merged 11 commits into from
Jun 8, 2020

Conversation

bcoe
Contributor

@bcoe bcoe commented May 29, 2020

This work begins migrating secrets for Node.js from keystore to Secret Manager.

After discussing a few possible approaches with @chingor13, @tmatsuo, and @busunkim96, I ultimately landed on the dead simple approach of:

  1. using a shared service account that has access to the secrets in question.
  2. running a script in the context of the docker container that's running tests (which we can have a new version of secret manager with secrets on).

I think the only impact this has on Trampoline V2 is that we might want to use a service account made specifically for this purpose.

@googlebot googlebot added the cla: yes This human has signed the Contributor License Agreement. label May 29, 2020
@bcoe bcoe requested review from busunkim96 and chingor13 May 29, 2020 00:29
Contributor

@tmatsuo tmatsuo left a comment


Trampoline V2 will pass down KOKORO_GFILE_DIR and its content, so as long as your Kokoro job has the configuration for the bucket, it should be fine.

@bcoe
Contributor Author

bcoe commented May 29, 2020

Here's an example of the approach outlined here in action:

googleapis/nodejs-secret-manager#110

Contributor

@SurferJeffAtGoogle SurferJeffAtGoogle left a comment


Is the kokoro-trampoline.service-account.json file in place and ready to go?

mkdir -p ${SECRET_LOCATION}
for key in $(echo ${SECRET_MANAGER_KEYS} | sed "s/,/ /g")
do
docker run --entrypoint=gcloud \
Contributor


Suggestion:

Docker runs with uid 0 by default. It will likely create root owned files which might be ok, but who knows.
I'd try detecting uid and gid, then pass the --user flag.

user_uid="$(id -u)"
user_gid="$(id -g)"
# then pass
--user "${user_uid}:${user_gid}"

WDYT?
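The approach from the PR description (a shared service account plus a script that runs gcloud in a container to fetch secrets) combined with the review suggestion above (run the container as the invoking uid:gid so the fetched files are not root-owned), written out as an added example. This is not the PR's script: SECRET_LOCATION and SECRET_MANAGER_KEYS are the variable names from the snippet under review, and the service-account file name follows the file asked about earlier in the thread, but the image name, the mount paths, the sh -c wrapper around gcloud, the CLOUDSDK_CONFIG setting, and the SERVICE_ACCOUNT_JSON, GOOGLE_CLOUD_PROJECT, GCLOUD_IMAGE, DOCKER_CMD and RUN_FETCH variables are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the PR's script): pull each secret named in
# SECRET_MANAGER_KEYS into SECRET_LOCATION by running gcloud inside a
# container as the invoking user rather than root, then verify ownership.
set -eu

# Turn the comma-separated SECRET_MANAGER_KEYS list into one key per line,
# dropping empty entries (a trailing or doubled comma would otherwise
# produce a bogus empty secret name).
split_keys() {
  printf '%s\n' "$1" | tr ',' '\n' | sed '/^$/d'
}

# Fetch one secret's latest version into "$SECRET_LOCATION/<key>".
fetch_secret() {
  key="$1"
  out="${SECRET_LOCATION:?}/${key}"
  # --user runs the container as the invoking uid:gid (the review suggestion),
  # so nothing written under SECRET_LOCATION ends up owned by root.
  # CLOUDSDK_CONFIG gives gcloud a writable config dir, because an arbitrary
  # uid inside the image has no home directory.
  # Image name, mount path and the sh -c wrapper (activating the service
  # account has to precede the secret read) are assumptions of this example.
  "${DOCKER_CMD:-docker}" run --rm \
    --user "$(id -u):$(id -g)" \
    -e CLOUDSDK_CONFIG=/tmp/gcloud \
    -v "${SERVICE_ACCOUNT_JSON:?}:/sa.json:ro" \
    --entrypoint=sh "${GCLOUD_IMAGE:-gcr.io/google.com/cloudsdktool/cloud-sdk:slim}" \
    -c 'gcloud auth activate-service-account --key-file=/sa.json --quiet >/dev/null &&
        gcloud secrets versions access latest --project="$1" --secret="$2"' \
    sh "${GOOGLE_CLOUD_PROJECT:?}" "$key" > "$out"
  chmod 600 "$out"
}

# Fail if any file under the directory is owned by someone other than the
# invoking user: the symptom the reviewer warned about when docker runs as root.
check_ownership() {
  stray="$(find "$1" -type f ! -user "$(id -un)")"
  if [ -n "$stray" ]; then
    printf 'files not owned by %s:\n%s\n' "$(id -un)" "$stray" >&2
    return 1
  fi
}

fetch_secrets() {
  umask 077                     # new files come out 0600, a new directory 0700
  mkdir -p "${SECRET_LOCATION:?}"
  for key in $(split_keys "${SECRET_MANAGER_KEYS:?}"); do
    fetch_secret "$key"
  done
  check_ownership "$SECRET_LOCATION"
}

# Usage in a Kokoro job (the service-account file name is the one asked about
# in the thread; GOOGLE_CLOUD_PROJECT and RUN_FETCH are assumptions):
#   SECRET_LOCATION=$HOME/secrets SECRET_MANAGER_KEYS=a,b \
#   SERVICE_ACCOUNT_JSON=$KOKORO_GFILE_DIR/kokoro-trampoline.service-account.json \
#   GOOGLE_CLOUD_PROJECT=my-project RUN_FETCH=1 sh fetch-secrets.sh
if [ "${RUN_FETCH:-0}" = 1 ]; then
  fetch_secrets
fi
```

The functions only run when RUN_FETCH=1, so the file can be sourced to reuse split_keys or check_ownership on their own. DOCKER_CMD exists so that a dry run or a test can substitute a stub for the real docker binary; check_ownership is the post-condition to keep even if the rest of the script changes, since a root-owned file in SECRET_LOCATION is exactly what a later non-root test step cannot read or clean up.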

@bcoe bcoe merged commit 1c92077 into master Jun 8, 2020
@bcoe bcoe deleted the secret-manager-start branch June 8, 2020 16:51