fix!: Handle JSON in GCP Secrets Manager (#373)

BREAKING CHANGE: Changes the values return type from GCP secret manager
Previously secret value was wrapped in an object `{ "value": <secret> }` while now `<secret>` will be returned directly so KES features can be properly used

Author: eraac

examples/hello-service-external-secret-gcp.yml

@@ -4,8 +4,16 @@ metadata:
   name: gcp-secrets-manager-example
 spec:
   backendType: gcpSecretsManager
-  projectId: my-gsm-secret-project
+  # Project to use for GCP Secrets Manager (use the service account project by default)
+  projectId: hello-service-project-id
   data:
-    - key: my-gsm-secret-name
-      name: my-kubernetes-secret-name
-      version: latest
+      # Key in GCP Secrets Manager (without projet and version)
+    - key: hello-service-password
+      # Key to use in Kubernetes secret (not the secret name, who is determined by metadata.name)
+      name: password
+      # If the secret is a valid JSON, try to get this property
+      property: value
+      # Version of the secret (default: 'latest')
+      version: 1
+      # If the secret is encoded in base64 then decodes it (default: false)
+      isBinary: false

lib/backends/gcp-secrets-manager-backend.js

@@ -23,7 +23,7 @@ class GCPSecretsManagerBackend extends KVBackend {
 
   /**
    * Get secret property value from GCP Secrets Manager.
-   * @param {string} key - Key used to store secret property value in Azure Key Vault.
+   * @param {string} key - Key used to store secret property value in GCP Secrets Manager.
    * @param {string} specOptions.projectId - Id of the gcp project, if not passed, this will be fetched from the client auth
    * @param {string} keyOptions.version - If version is passed then fetch that version, else fetch the latest version
    * @returns {Promise} Promise object representing secret property value.
@@ -34,11 +34,8 @@ class GCPSecretsManagerBackend extends KVBackend {
       projectId = this._getProjectId()
     }
 
-    let secretVersion
-    if (!keyOptions || !keyOptions.version) {
-      // get the latest version
-      secretVersion = 'latest'
-    } else {
+    let secretVersion = 'latest'
+    if (keyOptions && keyOptions.version) {
       secretVersion = keyOptions.version
     }
 
@@ -47,12 +44,13 @@ class GCPSecretsManagerBackend extends KVBackend {
     const version = await this._client.accessSecretVersion({
       name: 'projects/' + projectId + '/secrets/' + key + '/versions/' + secretVersion
     })
-    const secret = { value: version[0].payload.data.toString('utf8') }
+    const secret = version[0].payload.data.toString('utf8')
     // Handle binary files - this is useful when you've stored a base64 encoded string
     if (keyOptions && keyOptions.isBinary) {
-      return Buffer.from(secret.value, 'base64')
+      return Buffer.from(secret, 'base64')
     }
-    return JSON.stringify(secret)
+
+    return secret
   }
 }
 

lib/backends/gcp-secrets-manager-backend.test.js

@@ -12,7 +12,7 @@ describe('GCPSecretsManagerBackend', () => {
   let gcpSecretsManagerBackend
   const key = 'password'
   const version = [{ name: 'projects/111122223333/secrets/password/versions/1', payload: { data: Buffer.from('test', 'utf8') } }, null, null]
-  const secret = '{"value":"test"}'
+  const secret = 'test'
 
   beforeEach(() => {
     loggerMock = sinon.mock()