Create protocol for specifying secrets' project and versions

[dzou]

This creates a protocol for specifying secrets' projects and versions.

The protocol format uses the same conventions as https://github.com/GoogleCloudPlatform/github-actions/tree/master/get-secretmanager-secrets#inputs

# 1. Long form
spring.property=${secret-prefix:projects/<project-id>/secrets/<secret-id>/versions/<version-id>}

# 2.  Long form - "latest" version
spring.property=${secret-prefix:projects/<project-id>/secrets/<secret-id>}

# 3. Short form
spring.property=${secret-prefix:<project-id>/<secret-id>/<version-id>}

# 4. Short form - default project; specify secret + version
spring.property=${secret-prefix:<secret-id>/<version>} 

# 5. Shortest form - "latest" version and default project.
spring.property=${secret-prefix:<secret-id>}

Some further questions:

• How to introduce this feature? And how to deprecate old way of specifying secrets? Can they co-exist for some time?

• Which of the two approaches for specifying the default project do you like here: Allow to select the source projectId when using secret #2283 (comment) The OP makes a good point about how the #4 form above might be better replaced by <secret-id>/<version> with it defaulting to a project instead. However this approach comes with the drawback that it diverges from the github actions convention.

• Perhaps people need <secret-id>/<version-id> more based on discussion offline.

[codecov]

Codecov Report

Merging #2302 into master will decrease coverage by 7.69%.
The diff coverage is 69.73%.

@@             Coverage Diff              @@
##             master    #2302      +/-   ##
============================================
- Coverage     80.95%   73.25%   -7.70%     
+ Complexity     2309     2072     -237     
============================================
  Files           258      258              
  Lines          7456     7471      +15     
  Branches        762      775      +13     
============================================
- Hits           6036     5473     -563     
- Misses         1100     1641     +541     
- Partials        320      357      +37     

Flag	Coverage Δ	Complexity Δ
#integration	?	?
#unittests	73.25% <69.73%> (+0.57%)	2072.00 <15.00> (+13.00)

Impacted Files	Coverage Δ	Complexity Δ
...anager/GcpSecretManagerBootstrapConfiguration.java	0.00% <0.00%> (-90.91%)	0.00 <0.00> (-3.00)
...gure/secretmanager/GcpSecretManagerProperties.java	0.00% <ø> (-73.34%)	0.00 <0.00> (-6.00)
...gcp/secretmanager/SecretManagerPropertySource.java	0.00% <0.00%> (ø)	0.00 <0.00> (?)
...retmanager/SecretManagerPropertySourceLocator.java	0.00% <0.00%> (ø)	0.00 <0.00> (?)
.../gcp/secretmanager/SecretManagerPropertyUtils.java	77.50% <77.50%> (ø)	7.00 <7.00> (?)
...cloud/gcp/secretmanager/SecretManagerTemplate.java	98.14% <95.65%> (+0.27%)	14.00 <8.00> (ø)
...a/spanner/repository/query/SpannerQueryMethod.java	0.00% <0.00%> (-100.00%)	0.00% <0.00%> (-6.00%)
...figure/config/GcpConfigBootstrapConfiguration.java	0.00% <0.00%> (-100.00%)	0.00% <0.00%> (-2.00%)
...restore/repository/query/FirestoreQueryMethod.java	0.00% <0.00%> (-100.00%)	0.00% <0.00%> (-2.00%)
...epository/config/SpannerRepositoriesRegistrar.java	0.00% <0.00%> (-100.00%)	0.00% <0.00%> (-3.00%)
... and 61 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 820a5dc...a81143b. Read the comment docs.

[elefeint]

Looks great, just a couple of typos and a question (which you also had in PR description) about what to do with the old one.

[elefeint]

Do we want to have both resolvable? The new version is more comprehensive. Or are we doing it for backwards compatibility?

Perhaps we could automatically configure only the newest property source, and provide a "legacy" property for loading the old one?

[dzou]

Yeah I wasn't sure how to handle this. I think would prefer if we only have the new version. Maybe if it's ok, I'd like to just remove the existing functionality and replace it with the new method. @meltsufin

I guess it doesn't make sense for both to co-exist since the legacy one already does the work of downloading all the secrets, and then if the new system exists they might redownload secrets they already loaded into their properties.

[dzou]

Consider different prefix usage

[dzou]

Can also be a project number for projects/ value

[dzou]

Redid the PR to just remove the legacy way of doing things and replace with new. If you feel good about this, I can move forward with doc updates.

[meltsufin]

Did the Secrets Manager team comment on this prefix? Have you looked into using sm://?

[dzou]

Colon can't be used in a property name because it means something special in SPEL. I wouldn't want to try to escape the colon either; I think it would look worse with the back slashes.

Am open to other secret prefixes though.

[meltsufin]

I wonder if we can tap into that "special meaning" and configure it for our purpose.

[dzou]

Colon is like the null-safety operator. If the left side of the colon is evaluated to null, then it defaults to the value on the right side.

So if i do gs://blah/blah - it firsts evaluates gs which it finds to be null, then returns the string //blah/blah.

[meltsufin]

This is only the case if SPEL is used, such as with @Value, right?
Notice that with @Value on a Resource it's interpreted as a protocol instead.
For example, see the "gs://" implementation we have for Storage.

[dzou]

Ran the code through the debugger, the colon is a special character; i don't think this is configurable. I think we should avoid it to avoid unexpected behavior in the future with null values.

I would be open to other choices of prefixes, maybe sm| or gcp-sm| these seem to all work. I recall Seth suggested using | as an alternative.

[meltsufin]

Should we ever return null though? Is there something wrong with throwing an exception for a property that doesn't exist?

[dzou]

Yeah I can see the argument where if a user specifies a secret using our syntax, there is the expectation that a secret is there; if it's missing then that's most likely an error and they probably don't want null there.

I would be comfortable with either approach. We can still throw exception using | too by the way.

To me it seems the tradeoff here is purely cosmetic. I.e. if the cosmetic benefits of using : outweighs the risk that we need to change behavior to return null someday.

[meltsufin]

What's the prefix that the Secret Manager team suggested we use? There's value in being compatible with other libraries for this product. Let's confirm with the product team.

[dzou]

Based on discussion offline, looks like sm:// has precedent of being used, so I just changed it to that for now.

[meltsufin]

Wouldn't this be considered an error if we got here? Not sure we should swallow the exception.

[dzou]

Sure, let's throw exception, this might be good for supporting the gcp-sm:// prefix per our discussion above.

[meltsufin]

Missing a test for getSecretPayload.

[dzou]

We'll cover this directly in your configuration tests.

I don't think it's worth making it non-private to write tests for it unlike the parseProperty method which had a lot more code.

[meltsufin]

@dzou Please make sure the sample app integration tests work as well.
Also, I think at this point we should make the bootstrap auto-config enabled by default.

[dzou]

@dzou Please make sure the sample app integration tests work as well.
Also, I think at this point we should make the bootstrap auto-config enabled by default.

Done.
Done - I actually just deleted the normal autoconfiguration class and we'll use the bootstrap by default?

[meltsufin]

Docs need to be updated following this change.

[dzou]

Done, updated docs.

[meltsufin]

I'm not following fully. Let's discuss.

[meltsufin]

The main feedback I have is that the SecretManagerTemlate needs to be updated as well to accept fully qualified secret names.

[meltsufin]

Should this move to SecretManagerTemplate? We probably want to reconsider all those additional methods for specifying project and version and use the fully qualified secret identifiers instead.

[dzou]

Done; I added these methods for getSecret, but for createSecret and secretExists it doesn't quite fit since those methods can accept project and secretId as valid inputs but are not fixed to a version.

[meltsufin]

I think we can simplify further by removing the *Uri methods and re-using the template in the property source.

[meltsufin]

Do we really need a separate method for getting by URI?
We can easily detect that something is a URI and do it all in the existing getSecretString(String).

[dzou]

Done.

[meltsufin]

Same here.

[dzou]

Done.

[sonarqubecloud]

SonarCloud Quality Gate failed.

0 Bugs
0 Vulnerabilities (and 0 Security Hotspots to review)
2 Code Smells

70.6% Coverage
0.0% Duplication

[meltsufin]

Looks good at this point.
One minor comment which you can ignore.

[meltsufin]

Assert.hasText instead maybe?

[dzou]

Gotcha, i'll change it.

Let me submit this and i'll send a followup cleanup PR; some other stuff I want to cleanup too.

[gsdatta]

Apologies in advance for commenting on such an old PR! I'm currently in the process of setting up a spring boot project on GCP app engine, which requires us us to use secrets manager as a replacement for env vars.

One of my worries here is that the forced protocol prefix adds to vendor lock-in that we'd like to avoid. I was hoping I could add a custom prefix (e.g. MY_ENV_VAR_) to make it look like an environment variable (I initially misunderstood the secret-name-prefix property as a way to replace the sm://).

I'm curious to hear why the protocol prefix is necessary. Is it just to denote to the starter that it should be looked up via secrets manager? Can this protocol prefix be configurable?

[dzou]

Apologies in advance for commenting on such an old PR! I'm currently in the process of setting up a spring boot project on GCP app engine, which requires us us to use secrets manager as a replacement for env vars.

One of my worries here is that the forced protocol prefix adds to vendor lock-in that we'd like to avoid. I was hoping I could add a custom prefix (e.g. MY_ENV_VAR_) to make it look like an environment variable (I initially misunderstood the secret-name-prefix property as a way to replace the sm://).

I'm curious to hear why the protocol prefix is necessary. Is it just to denote to the starter that it should be looked up via secrets manager? Can this protocol prefix be configurable?

@gsdatta -- The sm:// prefix is necessary to indicate which property values should be looked up in Secret Manager. Basically all the property values with this prefix -- we assume that the string after the prefix corresponds to the secret's ID. We don't want to look up every value in an application.properties file in secret manager.

Hmm we could make the prefix configurable, but I have an alternative approach which may be simpler than a custom prefix like MY_ENV_VAR_.

What about a default value feature? Something like:

spring.properties.password=${sm://my-secret:PASSWORD_ENV} or spring.properties.password=${PASSWORD_ENV:sm://my-secret}

So we could check if the secret is present/null; if so, default to the provided value PASSWORD_ENV. Or the other way around in the second example.

This way you can keep the behavior with relying on env vars to be vendor-generic. Does that work for you?

[gsdatta]

Makes sense. I think the default value structure would work for us quite well! Gives us the flexibility of overriding in certain environments as required when secrets manager may not be necessary.

[dzou]

@gsdatta -- Thanks for the input. We're starting version 2.0.0 of our repo under the GoogleCloudPlatform organization; see: https://github.com/GoogleCloudPlatform/spring-cloud-gcp

We're going to start making all of our updates there.

I filed a new feature request for this in our new repo: GoogleCloudPlatform/spring-cloud-gcp#213

[dzou]

@gsdatta -- Hey I did some research, I think we have a decent way of doing this already in the current implementation.

You can try something like below; in the example FOOBAR is the environmental variable:

spring.password=${FOOBAR:${sm://application-secret/latest}}

In this case, if foobar is not null, it will use the value of FOOBAR. Otherwise, it will retrieve the secret manager secret. Let me know if this solution solves your problem.

This uses the : syntax in SPEL which will evaluate the expression on the left first, and then if it's null it will attempt to evaluate the expression on the right.