Load gcp secret from vault (#260)

* test GCP

* update GCP entry point scripts

* print more log

* fix ci

* add more log

* add some debug info

* revert secret manager change to test

* dry run to fetch secret

* use GCP retriever

* clean up code

* update ref binary

* remove unintended change

* ref new gcp lib

* update lib version

* bump version

* bump version

* bump lib version

* Released Snapshot version: 5.19.25-SNAPSHOT

* sleep to show error

* try to dump more logs

* Released Snapshot version: 5.19.28-SNAPSHOT

* wait a bit longer

* bump gcp version

* Released Snapshot version: 5.20.27-SNAPSHOT

* revert version change

---------

Co-authored-by: Release Workflow <[email protected]>

.github/workflows/publish-gcp-oidc-enclave-docker.yaml

@@ -136,7 +136,7 @@ jobs:
             BUILD_TARGET=${{ env.ENCLAVE_PROTOCOL }}
 
       - name: Generate Trivy vulnerability scan report
-        uses: aquasecurity/trivy-action@master
+        uses: aquasecurity/trivy-action@0.12.0
         if: inputs.publish_vulnerabilities == 'true'
         with:
           image-ref: ${{ steps.meta.outputs.tags }}
@@ -154,7 +154,7 @@ jobs:
           sarif_file: 'trivy-results.sarif'
 
       - name: Test with Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@master
+        uses: aquasecurity/trivy-action@0.12.0
         with:
           image-ref: ${{ steps.meta.outputs.tags }}
           format: 'table'

pom.xml

@@ -21,8 +21,8 @@
         <enclave-api.version>1.5.0-676519b018</enclave-api.version>
         <enclave-aws.version>1.1.0</enclave-aws.version>
         <enclave-azure.version>1.4.0-2195ee834a</enclave-azure.version>
-        <enclave-gcp.version>1.3.4-649b0b4f7f</enclave-gcp.version>
-        <uid2-shared.version>5.15.0-5e9fa2fc04</uid2-shared.version>
+        <enclave-gcp.version>1.4.2-dd1920710d</enclave-gcp.version>
+        <uid2-shared.version>5.16.0-a72b7d9dd1</uid2-shared.version>
         <image.version>${project.version}</image.version>
     </properties>
 

scripts/gcp-oidc/entrypoint.sh

@@ -8,20 +8,7 @@ if [ -z "${API_TOKEN_SECRET_NAME}" ]; then
   exit 1
 fi
 
-GCP_TOKEN=$(wget "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token" -q --header "Metadata-Flavor: Google" -O - | jq -e -r ".access_token")
-if [ $? -ne 0 -o -z "${GCP_TOKEN}" ]; then
-  echo "Failed to get GCP token"
-  exit 1
-fi
-
-API_TOKEN=$(wget "https://secretmanager.googleapis.com/v1/${API_TOKEN_SECRET_NAME}:access" -q --header "authorization: Bearer ${GCP_TOKEN}" --header "content-type: application/json" -O - | jq -e -r ".payload.data" | base64 -d)
-if [ $? -ne 0 -o -z "${API_TOKEN}" ]; then
-  echo "Failed to get API token"
-  exit 1
-fi
-
-export core_api_token="${API_TOKEN}"
-export optout_api_token="${API_TOKEN}"
+export gcp_secret_version_name="${API_TOKEN_SECRET_NAME}"
 
 # -- locate config file
 if [ -z "${DEPLOYMENT_ENVIRONMENT}" ]; then

src/main/java/com/uid2/operator/Const.java

@@ -19,5 +19,6 @@ public class Config extends com.uid2.shared.Const.Config {
         public static final String AzureVaultNameProp = "azure_vault_name";
         public static final String AzureSecretNameProp = "azure_secret_name";
 
+        public static final String GcpSecretVersionNameProp = "gcp_secret_version_name";
     }
 }

src/main/java/com/uid2/operator/Main.java

@@ -500,6 +500,10 @@ private IOperatorKeyRetriever createOperatorKeyRetriever() throws Exception {
                 var secretName = this.config.getString(Const.Config.AzureSecretNameProp);
                 return OperatorKeyRetrieverFactory.getAzureOperatorKeyRetriever(vaultName, secretName);
             }
+            case "gcp-oidc": {
+                var secretVersionName = this.config.getString(Const.Config.GcpSecretVersionNameProp);
+                return OperatorKeyRetrieverFactory.getGcpOperatorKeyRetriever(secretVersionName);
+            }
             default: {
                 throw new IllegalArgumentException(String.format("enclave_platform is providing the wrong value: %s", enclavePlatform));
             }