feat: add GCP support (#312)

Co-authored-by: Joel Damata <[email protected]>

Author: Silas Boyd-Wickizer

README.md

@@ -389,6 +389,27 @@ spec:
       property: value
 ```
 
+### GCP Secret Manager
+
+kubernetes-external-secrets supports fetching secrets from [GCP Secret Manager](https://cloud.google.com/solutions/secrets-management)
+
+A service account is required to grant the controller access to pull secrets. Instructions are her: [Enable Workload Identity](https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity#enable_workload_identity_on_a_new_cluster)
+
+Alternatively you can create and mount a kubernetes secret containing google service account credentials and set the GOOGLE_APPLICATION_CREDENTIALS env variable.
+
+```yml
+apiVersion: kubernetes-client.io/v1
+kind: ExternalSecret
+metadata:
+  name: gcp-secrets-manager-example
+spec:
+  backendType: gcpSecretsManager
+  data:
+    - key: projects/111122223333/secrets/my-secret/versions/latest
+      name: password
+      property: value
+```
+
 ## Metrics
 
 kubernetes-external-secrets exposes the following metrics over a prometheus endpoint:

charts/kubernetes-external-secrets/values.yaml

@@ -9,6 +9,7 @@ env:
   LOG_LEVEL: info
   METRICS_PORT: 3001
   VAULT_ADDR: http://127.0.0.1:8200
+# GOOGLE_APPLICATION_CREDENTIALS: /app/gcp-creds.json
 
 # Create environment variables from existing k8s secrets
 # envVarsFromSecret:
@@ -30,9 +31,9 @@ env:
 
 # Create files from existing k8s secrets
 # filesFromSecret:
-#   examplefile:
-#     secret: secretname
-#     mountPath: /a/mount/point/
+#   gcp-creds:
+#     secret: gcp-creds
+#     mountPath: /app/gcp-creds.json
 
 rbac:
   # Specifies whether RBAC resources should be created

config/gcp-config.js

@@ -0,0 +1,15 @@
+'use strict'
+
+const { SecretManagerServiceClient } = require('@google-cloud/secret-manager')
+
+// First, ADC checks to see if the environment variable GOOGLE_APPLICATION_CREDENTIALS is set.
+// If the variable is set, ADC uses the service account file that the variable points to
+// If the environment variable isn't set, ADC uses the default service account that the Kubernetes Engine
+// provides, for applications that run on those services
+
+module.exports = {
+  gcpSecretsManager: () => {
+    const client = new SecretManagerServiceClient()
+    return client
+  }
+}

config/index.js

@@ -10,12 +10,14 @@ const path = require('path')
 
 const awsConfig = require('./aws-config')
 const azureConfig = require('./azure-config')
+const gcpConfig = require('./gcp-config')
 const envConfig = require('./environment')
 const CustomResourceManager = require('../lib/custom-resource-manager')
 const SecretsManagerBackend = require('../lib/backends/secrets-manager-backend')
 const SystemManagerBackend = require('../lib/backends/system-manager-backend')
 const VaultBackend = require('../lib/backends/vault-backend')
 const AzureKeyVaultBackend = require('../lib/backends/azure-keyvault-backend')
+const GCPSecretsManagerBackend = require('../lib/backends/gcp-secrets-manager-backend')
 
 // Get document, or throw exception on error
 // eslint-disable-next-line security/detect-non-literal-fs-filename
@@ -54,12 +56,17 @@ const azureKeyVaultBackend = new AzureKeyVaultBackend({
   credential: azureConfig.azureKeyVault(),
   logger
 })
+const gcpSecretsManagerBackend = new GCPSecretsManagerBackend({
+  client: gcpConfig.gcpSecretsManager(),
+  logger
+})
 const backends = {
   // when adding a new backend, make sure to change the CRD property too
   secretsManager: secretsManagerBackend,
   systemManager: systemManagerBackend,
   vault: vaultBackend,
-  azureKeyVault: azureKeyVaultBackend
+  azureKeyVault: azureKeyVaultBackend,
+  gcpSecretsManager: gcpSecretsManagerBackend
 }
 
 // backwards compatibility

crd.yaml

@@ -43,6 +43,7 @@ spec:
                 - systemManager
                 - vault
                 - azureKeyVault
+                - gcpSecretsManager
             vaultRole:
               type: string
             vaultMountPoint:
@@ -92,6 +93,10 @@ spec:
                     - azureKeyVault
               required:
                 - keyVaultName
+            - properties:
+                backendType:
+                  enum:
+                    - gcpSecretsManager
           anyOf:
             - required:
               - data

examples/gcpsecretsmanager-example copy.yaml

@@ -0,0 +1,10 @@
+apiVersion: kubernetes-client.io/v1
+kind: ExternalSecret
+metadata:
+  name: gcp-secrets-manager-example
+spec:
+  backendType: gcpSecretsManager
+  data:
+    - key: projects/111122223333/secrets/my-secret/versions/latest
+      name: password
+      property: value

lib/backends/gcp-secrets-manager-backend.js

@@ -0,0 +1,32 @@
+'use strict'
+
+const KVBackend = require('./kv-backend')
+
+/** GCP Secrets Manager backend class. */
+class GCPSecretsManagerBackend extends KVBackend {
+  /**
+   * Create Secrets manager backend.
+   * @param {Object} logger - Logger for logging stuff.
+   * @param {Object} client - Secrets manager client.
+   */
+  constructor ({ logger, client }) {
+    super({ logger })
+    this._client = client
+  }
+
+  /**
+   * Get secret property value from GCP Secrets Manager.
+   * @param {string} key - Key used to store secret property value in GCP Secrets Manager.
+   * @returns {Promise} Promise object representing secret property value.
+   */
+  async _get ({ key }) {
+    this._logger.info(`fetching secret ${key} from GCP Secret Manager`)
+    const version = await this._client.accessSecretVersion({
+      name: key
+    })
+    const secret = { value: version[0].payload.data.toString('utf8') }
+    return JSON.stringify(secret)
+  }
+}
+
+module.exports = GCPSecretsManagerBackend

lib/backends/gcp-secrets-manager-backend.test.js

@@ -0,0 +1,37 @@
+/* eslint-env mocha */
+'use strict'
+
+const { expect } = require('chai')
+const sinon = require('sinon')
+
+const GCPSecretsManagerBackend = require('./gcp-secrets-manager-backend')
+
+describe('GCPSecretsManagerBackend', () => {
+  let loggerMock
+  let clientMock
+  let gcpSecretsManagerBackend
+  const key = 'password'
+  const version = [{ name: 'projects/111122223333/secrets/password/versions/1', payload: { data: Buffer.from('test', 'utf8') } }, null, null]
+  const secret = '{"value":"test"}'
+
+  beforeEach(() => {
+    loggerMock = sinon.mock()
+    loggerMock.info = sinon.stub()
+    clientMock = sinon.mock()
+    clientMock.accessSecretVersion = sinon.stub().returns(version)
+
+    gcpSecretsManagerBackend = new GCPSecretsManagerBackend({
+      logger: loggerMock,
+      client: clientMock
+    })
+  })
+
+  describe('_get', () => {
+    it('returns secret property value', async () => {
+      const secretPropertyValue = await gcpSecretsManagerBackend._get({
+        key: key
+      })
+      expect(secretPropertyValue).equals(secret)
+    })
+  })
+})