feat: Add support for GCP Secret Manager (#124)

Signed-off-by: gr0 <[email protected]>
Co-authored-by: Miguel Martinez Trivino <[email protected]>

Author: gr0

app/artifact-cas/README.md

@@ -20,7 +20,7 @@ Its structure contains the following top to down layers.
 
 ## System Dependencies
 
-The CAS proxy **has only one running dependency**. A secret storage backend to retrieve the OCI repository credentials. Currently, we support both [Hashicorp Vault](https://www.vaultproject.io/) and [AWS Secret Manager](https://aws.amazon.com/secrets-manager/).
+The CAS proxy **has only one running dependency**. A secret storage backend to retrieve the OCI repository credentials. Currently, we support [Hashicorp Vault](https://www.vaultproject.io/), [AWS Secret Manager](https://aws.amazon.com/secrets-manager/) AND [GCP Secret Manager](https://cloud.google.com/secret-manager).
 
 This secret backend is used to download OCI repository credentials (repository path + key pair) during upload/downloads. This makes the Artifact CAS multi-tenant by default since the destination OCI backend gets selected at runtime.
 

app/artifact-cas/cmd/main.go

@@ -24,6 +24,7 @@ import (
 
 	"github.com/chainloop-dev/chainloop/internal/credentials"
 	awssecrets "github.com/chainloop-dev/chainloop/internal/credentials/aws"
+	"github.com/chainloop-dev/chainloop/internal/credentials/gcp"
 	"github.com/chainloop-dev/chainloop/internal/credentials/vault"
 	"github.com/getsentry/sentry-go"
 
@@ -125,18 +126,20 @@ func main() {
 }
 
 func newCredentialsReader(conf *conf.Credentials, l log.Logger) (credentials.Reader, error) {
-	awsc, vaultc := conf.GetAwsSecretManager(), conf.GetVault()
-	if awsc == nil && vaultc == nil {
+	awsc, vaultc, gcpc := conf.GetAwsSecretManager(), conf.GetVault(), conf.GetGcpSecretManager()
+	if awsc == nil && vaultc == nil && gcpc == nil {
 		return nil, errors.New("no credentials manager configuration found")
-	} else if awsc != nil && vaultc != nil {
-		return nil, errors.New("only one credentials manager can be configured")
 	}
 
-	if c := conf.GetAwsSecretManager(); c != nil {
-		return newAWSCredentialsManager(c, l)
+	if awsc != nil {
+		return newAWSCredentialsManager(awsc, l)
 	}
 
-	return newVaultCredentialsManager(conf.GetVault(), l)
+	if gcpc != nil {
+		return newGCPCredentialsManager(gcpc, l)
+	}
+
+	return newVaultCredentialsManager(vaultc, l)
 }
 
 func newAWSCredentialsManager(conf *conf.Credentials_AWSSecretManager, l log.Logger) (*awssecrets.Manager, error) {
@@ -180,6 +183,26 @@ func newVaultCredentialsManager(conf *conf.Credentials_Vault, l log.Logger) (*va
 	return m, nil
 }
 
+func newGCPCredentialsManager(conf *conf.Credentials_GCPSecretManager, l log.Logger) (*gcp.Manager, error) {
+	if conf == nil {
+		return nil, errors.New("uncompleted configuration for GCP secret manager")
+	}
+
+	opts := &gcp.NewManagerOpts{
+		ProjectID:         conf.ProjectId,
+		ServiceAccountKey: conf.ServiceAccountKey,
+		SecretPrefix:      conf.SecretPrefix,
+		Logger:            l,
+	}
+
+	m, err := gcp.NewManager(opts)
+	if err != nil {
+		return nil, fmt.Errorf("configuring the GCP secret manager: %w", err)
+	}
+
+	return m, nil
+}
+
 func initSentry(c *conf.Bootstrap, logger log.Logger) (cleanupFunc func(), err error) {
 	cleanupFunc = func() {
 		sentry.Flush(2 * time.Second)

app/artifact-cas/configs/samples/config.yaml

@@ -22,3 +22,8 @@ observability:
   sentry:
     dsn: "http://sentryDomain"
     environment: development # production
+
+## gcp_secret_manager:
+##   project_id: 522312304548
+##   auth_key: "./configs/gcp_auth_key.json"
+##   secret_prefix: "pre-"