fix(secretmanager): add role and fix secretPrefix (#316)

Signed-off-by: Miguel Martinez Trivino <[email protected]>

Author: migmartri

app/artifact-cas/cmd/main.go

@@ -20,11 +20,12 @@ import (
 	"os"
 	"time"
 
-	credsConfig "github.com/chainloop-dev/chainloop/internal/credentials/api/credentials/v1"
 	"github.com/getsentry/sentry-go"
 
 	"github.com/chainloop-dev/chainloop/app/artifact-cas/internal/conf"
 	"github.com/chainloop-dev/chainloop/app/artifact-cas/internal/server"
+	"github.com/chainloop-dev/chainloop/internal/credentials"
+	"github.com/chainloop-dev/chainloop/internal/credentials/manager"
 	"github.com/chainloop-dev/chainloop/internal/servicelogger"
 
 	"github.com/go-kratos/kratos/v2"
@@ -103,7 +104,7 @@ func main() {
 		panic(err)
 	}
 
-	credentialsReader, err := credsConfig.NewFromConfig(bc.GetCredentialsService(), logger)
+	credentialsReader, err := manager.NewFromConfig(bc.GetCredentialsService(), credentials.RoleReader, logger)
 	if err != nil {
 		panic(err)
 	}

app/artifact-cas/configs/config.devel.yaml

@@ -13,6 +13,8 @@ server:
     addr: 0.0.0.0:5001
 
 credentials_service:
+  # we will check that we can read there
+  secret_prefix: chainloop-devel
   # Remember to run vault via docker compose up
   vault:
     address: ${VAULT_ADDRESS:http://0.0.0.0:8200}

app/artifact-cas/configs/samples/config.yaml

@@ -13,6 +13,8 @@ server:
     addr: 0.0.0.0:5001
 
 credentials_service:
+  # We use the prefix to check that we can read from it on initialization
+  secret_prefix: chainloop-devel
   # Remember to run vault via docker compose up
   vault:
     address: ${VAULT_ADDRESS:http://0.0.0.0:8200}

app/controlplane/cmd/main.go

@@ -31,7 +31,7 @@ import (
 	backends "github.com/chainloop-dev/chainloop/internal/blobmanager"
 	"github.com/chainloop-dev/chainloop/internal/blobmanager/oci"
 	"github.com/chainloop-dev/chainloop/internal/credentials"
-	credsConfig "github.com/chainloop-dev/chainloop/internal/credentials/api/credentials/v1"
+	"github.com/chainloop-dev/chainloop/internal/credentials/manager"
 	"github.com/chainloop-dev/chainloop/internal/servicelogger"
 
 	"github.com/go-kratos/kratos/v2"
@@ -105,7 +105,7 @@ func main() {
 		panic(err)
 	}
 
-	credsWriter, err := credsConfig.NewFromConfig(bc.GetCredentialsService(), logger)
+	credsWriter, err := manager.NewFromConfig(bc.GetCredentialsService(), credentials.RoleWriter, logger)
 	if err != nil {
 		panic(err)
 	}

app/controlplane/configs/config.devel.yaml

@@ -27,7 +27,7 @@ credentials_service:
   vault:
     address: ${VAULT_ADDRESS:http://0.0.0.0:8200}
     token: ${VAULT_TOKEN:notasecret}
-    secret_prefix: chainloop-devel
+  secret_prefix: chainloop-devel
 
 data:
   database:

app/controlplane/configs/samples/config.yaml

@@ -25,15 +25,13 @@ credentials_service:
   vault:
     address: ${VAULT_ADDRESS:http://0.0.0.0:8200}
     token: ${VAULT_TOKEN:notasecret}
-    secret_prefix: chainloop-devel
+  secret_prefix: chainloop-devel
   # aws_secret_manager:
   #   creds:
   #     access_key: not-a-key
   #     secret_key: not-a-secret
   #   region: us-east-1
-  #   secret_prefix: i-e chainloop-devel
 
   # gcp_secret_manager:
   #   project_id: 522312304548
-  #   auth_key: "./configs/gcp_auth_key.json"
-  #   secret_prefix: "pre-"
+  #   auth_key: "./configs/gcp_auth_key.json"

deployment/chainloop/templates/_helpers.tpl

@@ -59,9 +59,9 @@ WBiBSPaJtz6JYk/fye4=
 
 {{- define "chainloop.credentials_service_settings" -}}
 {{- with .Values.secretsBackend }}
+secretPrefix: {{ required "secret prefix required" .secretPrefix | quote }}
 {{- if eq .backend "vault" }}
 vault:
-  secretPrefix: {{ required "secret prefix required" .secretPrefix | quote }}
   {{- if and $.Values.development (or (not .vault) not .vault.address) }}
   address: {{ printf "http://%s:8200" (include "chainloop.vault.fullname" $) | quote }}
   token: {{ $.Values.vault.server.dev.devRootToken | quote }}
@@ -72,15 +72,13 @@ vault:
 
 {{- else if eq .backend "awsSecretManager" }}
 awsSecretManager:
-  secretPrefix: {{ required "secret prefix required" .secretPrefix | quote }}
   region: {{ required "region required" .awsSecretManager.region | quote }}
   creds:
     accessKey: {{ required "access key required" .awsSecretManager.accessKey | quote }}
     secretKey: {{ required "secret key required" .awsSecretManager.secretKey | quote }}
 
 {{- else if eq .backend "gcpSecretManager" }}
 gcpSecretManager:
-  secretPrefix: {{ required "secret prefix required" .secretPrefix | quote }}
   projectId: {{ required "project id required" .gcpSecretManager.projectId | quote }}
   serviceAccountKey: "/gcp-secrets/serviceAccountKey.json"
   {{- if eq .gcpSecretManager.serviceAccountKey "" }}

internal/credentials/api/credentials/v1/config.pb.go

@@ -29,6 +29,9 @@ message Credentials {
     GCPSecretManager gcp_secret_manager = 3;
   }
 
+  // prefix used while writing a new secret
+  string secret_prefix = 4;
+
   // Top level is deprecated now
   message AWSSecretManager {
     Creds creds = 1 [(validate.rules).message.required = true];