Merge pull request #30 from vimeo/gsm-default-latest

sergiosalvatore · web-flow · commit cb7448cda7ce · 2025-09-12T10:40:26.000-04:00
Google Secret Manager: Default to Latest Version
diff --git a/README.md b/README.md
@@ -30,6 +30,9 @@ mappings:
   - sourceType: gsm
     path: projects/my-project/secrets/my-secret/versions/latest
     secretName: my-secret
+  - sourceType: gsm
+    path: projects/my-project/secrets/my-other-secret
+    secretName: defaults-to-latest-version
 ```
 
 ### Labels and Reconciliation
@@ -87,6 +90,8 @@ Google Secret Manager's API simply returns arbitrary bytes as the value of a sec
 
 In cases where `gsmEncoding` is not set to json, the key's value will default to the name of the secret (`secretName` in the mapping).  If you would like to override this, set `gsmSecretKeyValue` to your preferred key.
 
+Also, Google Secret Manager Secrets have versions which can be specified in the configuration mapping's `Path`.  If you do not specify a specific version (with the `/versions/...` suffix), `/versions/latest` will automatically be appended to the path.
+
 ## Return Values
 The application will return 0 on success (when all keys were copied/updated successfully).  A complete list of all possible return values follows:
 
diff --git a/config.go b/config.go
@@ -3,6 +3,8 @@ package pentagon
 import (
 	"fmt"
 	"log"
+	"path"
+	"regexp"
 
 	"github.com/hashicorp/vault/api"
 	"github.com/vimeo/pentagon/vault"
@@ -29,8 +31,15 @@ const (
 
 	// GSM encoded as json
 	GSMEncodingTypeJSON = "json"
+
+	// when a version isn't specified, just default to the latest
+	gsmLatestSuffix = "/versions/latest"
 )
 
+// regex to match the version suffix at the end of a GSM secret path.  Note that
+// this can be a version number, or a version alias.
+var gsmVersionSuffix = regexp.MustCompile(`/versions/[\w-]+$`)
+
 // Config describes the configuration for Pentagon.
 type Config struct {
 	// Vault is the configuration used to connect to vault.
@@ -88,6 +97,10 @@ func (c *Config) SetDefaults() {
 		if m.SecretType == "" {
 			c.Mappings[i].SecretType = corev1.SecretTypeOpaque
 		}
+
+		if m.SourceType == GSMSourceType && !gsmVersionSuffix.MatchString(m.Path) {
+			c.Mappings[i].Path = path.Join(m.Path, gsmLatestSuffix)
+		}
 	}
 }
 
diff --git a/config_test.go b/config_test.go
@@ -20,6 +20,31 @@ func TestSetDefaults(t *testing.T) {
 				VaultPath:  "path",
 				SecretName: "theSecret",
 			},
+			{
+				SourceType: GSMSourceType,
+				Path:       "projects/my-project/secrets/my-secret/versions/latest",
+				SecretName: "latestSecret",
+			},
+			{
+				SourceType: GSMSourceType,
+				Path:       "projects/my-project/secrets/my-secret/versions/3",
+				SecretName: "3secret",
+			},
+			{
+				SourceType: GSMSourceType,
+				Path:       "projects/my-project/secrets/my-secret/versions/prod-alias",
+				SecretName: "prodAliasSecret",
+			},
+			{
+				SourceType: GSMSourceType,
+				Path:       "projects/my-project/secrets/my-secret",
+				SecretName: "noVersionSecret",
+			},
+			{
+				SourceType: GSMSourceType,
+				Path:       "projects/my-project/secrets/my-secret/",
+				SecretName: "noVersionSecretWithTrailingSlash",
+			},
 		},
 	}
 
@@ -36,10 +61,19 @@ func TestSetDefaults(t *testing.T) {
 		t.Fatalf("unexpected default engine type: %s", c.Vault.DefaultEngineType)
 	}
 
+	if c.Mappings[0].SourceType != VaultSourceType {
+		t.Fatalf("source type should have defaulted to vault: %+v", c.Mappings[0].SourceType)
+	}
+
+	if c.Mappings[1].SourceType != VaultSourceType {
+		t.Fatalf("source type should have defaulted to vault: %+v", c.Mappings[1].SourceType)
+	}
+
+	if c.Mappings[0].Path != "path" {
+		t.Fatalf("path should be unchanged, is %s", c.Mappings[0].Path)
+	}
+
 	for _, m := range c.Mappings {
-		if m.SourceType != VaultSourceType {
-			t.Fatalf("source type should have defaulted to vault: %+v", m)
-		}
 		if m.Path == "" {
 			t.Fatalf("empty path for vault secret: %+v", m)
 		}
@@ -50,6 +84,26 @@ func TestSetDefaults(t *testing.T) {
 			t.Fatalf("empty Kubernetes secret type for mapping: %+v", m)
 		}
 	}
+
+	if c.Mappings[2].Path != "projects/my-project/secrets/my-secret/versions/latest" {
+		t.Fatalf("latest GSM path should be unchanged, is %s", c.Mappings[2].Path)
+	}
+
+	if c.Mappings[3].Path != "projects/my-project/secrets/my-secret/versions/3" {
+		t.Fatalf("versioned GSM path should be unchanged, is %s", c.Mappings[3].Path)
+	}
+
+	if c.Mappings[4].Path != "projects/my-project/secrets/my-secret/versions/prod-alias" {
+		t.Fatalf("aliased GSM path should be unchanged, is %s", c.Mappings[4].Path)
+	}
+
+	if c.Mappings[5].Path != "projects/my-project/secrets/my-secret/versions/latest" {
+		t.Fatalf("GSM path without version should have latest suffix, is %s", c.Mappings[5].Path)
+	}
+
+	if c.Mappings[6].Path != "projects/my-project/secrets/my-secret/versions/latest" {
+		t.Fatalf("GSM path without version (but with trailing slash) should have latest suffix, is %s", c.Mappings[6].Path)
+	}
 }
 
 func TestNoClobber(t *testing.T) {
