Adding GSM and synk step (#499)

* Adding GSM and synk step

* required updates for publishing

Co-authored-by: Dustin Van Buskirk <[email protected]>

Author: anthonyrozario-codefresh

incubating/google-secret-manager/README.md

@@ -0,0 +1,32 @@
+# Step to Fetch Secret from Google Secret Manager
+
+PreReqs:
+
+1. [Hybrid Codefresh Runner](https://codefresh.io/docs/docs/administration/codefresh-runner/) on GKE
+
+1. GKE w/ [Workload Identity Enabled](https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity)
+
+1. GKE w/ [Config Connector Enabled](https://cloud.google.com/config-connector/docs/how-to/getting-started)
+
+1. Create IAM Policy Binding between GCP SA and GKE SA.
+
+```
+gcloud iam service-accounts add-iam-policy-binding <gcp-sa-name>@<gcp-project-name>.iam.gserviceaccount.com \
+    --role roles/iam.workloadIdentityUser \
+    --member "serviceAccount:<gcp-project-name>.svc.id.goog[<runner-namespace>/default]"
+```
+
+1. Hybrid Codefresh Runner's Service Account `default` in the Runner namepsace must be properly annotated with a GSM Service Account that has access to Google Secret Manager to read the Secret.
+
+Example of the annotation required.
+```
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  annotations:
+    iam.gke.io/gcp-service-account: <gcp-sa-name>@<gcp-project-name>.iam.gserviceaccount.com
+  name: default
+  namespace: codefresh
+secrets:
+- name: default-token
+```

incubating/google-secret-manager/dockerfile

@@ -0,0 +1,10 @@
+# syntax=docker/dockerfile:1
+
+FROM python:3.11.0-alpine3.16
+
+COPY src/ / 
+
+RUN pip3 install -r requirements.txt
+
+CMD [ "python3" , "get-secrets.py"]
+

incubating/google-secret-manager/src/get-secrets.py

@@ -0,0 +1,43 @@
+# Import the Secret Manager client library.
+from google.cloud import secretmanager
+
+import google_crc32c
+
+import os, subprocess
+
+
+def access_secret_version(project_id, secret_id, version_id):
+
+    # Create the Secret Manager client.
+    client = secretmanager.SecretManagerServiceClient()
+
+     # Build the resource name of the secret version.
+    name = f"projects/{project_id}/secrets/{secret_id}/versions/{version_id}"
+
+
+    # Access the secret version.
+    response = client.access_secret_version(request={"name": name})
+     
+    # Verify payload checksum.
+    crc32c = google_crc32c.Checksum()
+    crc32c.update(response.payload.data)
+    if response.payload.data_crc32c != int(crc32c.hexdigest(), 16):
+        print("Data corruption detected.")
+
+    payload = response.payload.data.decode("UTF-8")
+
+    env_file = open('/meta/env_vars_to_export', 'w')
+
+    subprocess.call(["echo", f"{env_var_key}={payload}"], stdout=env_file)
+
+if __name__ == "__main__":
+
+    project_id = os.getenv('GCP_PROJECT_ID')
+
+    secret_id = os.getenv('GCP_SECRET_ID')
+
+    version_id= os.getenv('GCP_SECRET_VERSION')
+
+    env_var_key = os.getenv('ENV_VAR_KEY')
+
+    access_secret_version(project_id, secret_id, version_id)

incubating/google-secret-manager/src/requirements.txt

@@ -0,0 +1,42 @@
+auth==0.5.3
+beautifulsoup4==4.11.1
+blinker==1.5
+cachetools==5.2.0
+certifi==2022.9.24
+charset-normalizer==2.1.1
+click==8.1.3
+dnspython==2.2.1
+eventlet==0.33.1
+falcon==3.1.0
+Flask==2.2.2
+google==3.0.0
+google-api-core==2.10.2
+google-auth==2.14.1
+google-cloud-secret-manager==2.12.6
+google-crc32c==1.5.0
+googleapis-common-protos==1.57.0
+greenlet==2.0.1
+grpc-google-iam-v1==0.12.4
+grpcio==1.50.0
+grpcio-status==1.50.0
+gunicorn==20.1.0
+idna==3.4
+importlib-metadata==5.0.0
+install==1.3.5
+itsdangerous==2.1.2
+Jinja2==3.1.2
+MarkupSafe==2.1.1
+mongoengine==0.24.2
+proto-plus==1.22.1
+protobuf==4.21.9
+pyasn1==0.4.8
+pyasn1-modules==0.2.8
+pymongo==4.3.2
+requests==2.28.1
+rsa==4.9
+six==1.16.0
+soupsieve==2.3.2.post1
+typing_extensions==4.3.0
+urllib3==1.26.12
+Werkzeug==2.2.2
+zipp==3.8.1

incubating/google-secret-manager/step/google-secret-manager-step.yml

@@ -0,0 +1,73 @@
+version: '1.0'
+kind: step-type
+metadata:
+  name: google-secret-manager
+  version: 0.0.1
+  title: Fetch secrets from Google Secret Manager 
+  isPublic: true
+  description: Read secrets from Google Secret Manager inside a Codefresh pipeline.
+  sources:
+    - 'https://github.com/codefresh-contrib/google-secret-manager/tree/main/step'
+  maintainers:
+    - name: Anthony Rozario
+  official: true
+  icon:
+    type: image
+    url: 'https://cdn.jsdelivr.net/gh/codefresh-contrib/google-secret-manager@main/step/secret_manager.png'
+    background: '#f4f4f4'
+  examples:
+    - description: fetch-secret-from-gsm
+      workflow:
+        get-secret:
+          title: Importing GSM Secret
+          type: google-secret-manager
+          arguments:
+            GCP_PROJECT_ID: '${{PROJECT_ID}}'
+            GCP_SECRET_ID: '${{SECRET_ID}}'
+            GCP_SECRET_VERSION: '${{SECRET_VERSION}}'
+            ENV_VAR_KEY: '${{ENV_VAR}}'
+spec:
+  arguments: |-
+    {
+        "definitions": {},
+        "$schema": "http://json-schema.org/draft-07/schema#",
+        "type": "object",
+        "additionalProperties": false,
+        "patterns": [],
+        "required": [
+          "GCP_PROJECT_ID",
+          "GCP_SECRET_ID",
+          "GCP_SECRET_VERSION",
+          "ENV_VAR_KEY"
+        ],
+        "properties": {
+            "GCP_PROJECT_ID": {
+                "type": "string",
+                "description": "Name of the Secret's GCP Project"
+            },
+            "GCP_SECRET_ID": {
+                "type": "string",
+                "description": "Name of the Secret"
+            },
+            "GCP_SECRET_VERSION": {
+                "type": "string",
+                "description": "Version of the Secret"
+            },
+            "ENV_VAR_KEY": {
+              "type": "string",
+              "description": "Environment variable key to store the Secret's value"
+            }
+        }
+    }
+  steps:
+    main:
+      name: fetch-google-secret
+      image: codefreshplugins/google-secret-manager:0.0.1
+      working_directory: /
+      environment:
+        - 'GCP_PROJECT_ID=${{GCP_PROJECT_ID}}'
+        - 'GCP_SECRET_ID=${{GCP_SECRET_ID}}'
+        - 'GCP_SECRET_VERSION=${{GCP_SECRET_VERSION}}'
+        - 'ENV_VAR_KEY=${{ENV_VAR_KEY}}'
+      commands:
+        - python3 /get-secrets.py