From 735c78765980000efdfd0674f9c9b6f35d7abc92 Mon Sep 17 00:00:00 2001 From: yishi-ttd <137876002+yishi-ttd@users.noreply.github.com> Date: Fri, 3 Nov 2023 12:17:47 +0800 Subject: [PATCH] Load gcp secret from vault (#260) * test GCP * update GCP entry point scripts * print more log * fix ci * add more log * add some debug info * revert secret manager change to test * dry run to fetch secret * use GCP retriever * clean up code * update ref binary * remove unintended change * ref new gcp lib * update lib version * bump version * bump version * bump lib version * Released Snapshot version: 5.19.25-SNAPSHOT * sleep to show error * try to dump more logs * Released Snapshot version: 5.19.28-SNAPSHOT * wait a bit longer * bump gcp version * Released Snapshot version: 5.20.27-SNAPSHOT * revert version change --------- Co-authored-by: Release Workflow --- .../publish-gcp-oidc-enclave-docker.yaml | 4 ++-- pom.xml | 4 ++-- scripts/gcp-oidc/entrypoint.sh | 15 +-------------- src/main/java/com/uid2/operator/Const.java | 1 + src/main/java/com/uid2/operator/Main.java | 4 ++++ 5 files changed, 10 insertions(+), 18 deletions(-) diff --git a/.github/workflows/publish-gcp-oidc-enclave-docker.yaml b/.github/workflows/publish-gcp-oidc-enclave-docker.yaml index 71adb7ebd..4d1ea902f 100644 --- a/.github/workflows/publish-gcp-oidc-enclave-docker.yaml +++ b/.github/workflows/publish-gcp-oidc-enclave-docker.yaml @@ -136,7 +136,7 @@ jobs: BUILD_TARGET=${{ env.ENCLAVE_PROTOCOL }} - name: Generate Trivy vulnerability scan report - uses: aquasecurity/trivy-action@master + uses: aquasecurity/trivy-action@0.12.0 if: inputs.publish_vulnerabilities == 'true' with: image-ref: ${{ steps.meta.outputs.tags }} @@ -154,7 +154,7 @@ jobs: sarif_file: 'trivy-results.sarif' - name: Test with Trivy vulnerability scanner - uses: aquasecurity/trivy-action@master + uses: aquasecurity/trivy-action@0.12.0 with: image-ref: ${{ steps.meta.outputs.tags }} format: 'table' 
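Review bot: The new `uses: aquasecurity/trivy-action@0.12.0` references in both hunks pin to a git tag, and a tag is mutable — whoever controls the action repository can move it, so the job still executes code chosen at run time rather than at review time, only with a narrower window than `@master`. Pin to the full 40-character commit SHA that the `0.12.0` tag resolves to and keep the version as a trailing comment, e.g. `uses: aquasecurity/trivy-action@<40-hex-commit-sha> # v0.12.0`, which Dependabot still understands for upgrade PRs. This is the workflow that builds the GCP enclave image, so the scanner step runs with the job's token and sees the freshly built image; an action swap there is a supply-chain risk worth the extra line. The `if: inputs.publish_vulnerabilities == 'true'` guard means only the second, table-format step always runs, so at minimum that one should be SHA-pinned.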
diff --git a/pom.xml b/pom.xml
index 2f83d5f54..56caf04c2 100644
--- a/pom.xml
+++ b/pom.xml
@@ -21,8 +21,8 @@
1.5.0-676519b018
1.1.0
1.4.0-2195ee834a
- 1.3.4-649b0b4f7f
- 5.15.0-5e9fa2fc04
+ 1.4.2-dd1920710d
+ 5.16.0-a72b7d9dd1
${project.version}
diff --git a/scripts/gcp-oidc/entrypoint.sh b/scripts/gcp-oidc/entrypoint.sh
index 83d4c039e..ecd69ea7f 100644
--- a/scripts/gcp-oidc/entrypoint.sh
+++ b/scripts/gcp-oidc/entrypoint.sh
@@ -8,20 +8,7 @@ if [ -z "${API_TOKEN_SECRET_NAME}" ]; then
exit 1
fi
-GCP_TOKEN=$(wget "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token" -q --header "Metadata-Flavor: Google" -O - | jq -e -r ".access_token")
-if [ $? -ne 0 -o -z "${GCP_TOKEN}" ]; then
- echo "Failed to get GCP token"
- exit 1
-fi
-
-API_TOKEN=$(wget "https://secretmanager.googleapis.com/v1/${API_TOKEN_SECRET_NAME}:access" -q --header "authorization: Bearer ${GCP_TOKEN}" --header "content-type: application/json" -O - | jq -e -r ".payload.data" | base64 -d)
-if [ $? -ne 0 -o -z "${API_TOKEN}" ]; then
- echo "Failed to get API token"
- exit 1
-fi
-
-export core_api_token="${API_TOKEN}"
-export optout_api_token="${API_TOKEN}"
+export gcp_secret_version_name="${API_TOKEN_SECRET_NAME}"
# -- locate config file
if [ -z "${DEPLOYMENT_ENVIRONMENT}" ]; then
diff --git a/src/main/java/com/uid2/operator/Const.java b/src/main/java/com/uid2/operator/Const.java
index 3e00e9c47..3cd1e8409 100644
--- a/src/main/java/com/uid2/operator/Const.java
+++ b/src/main/java/com/uid2/operator/Const.java
@@ -19,5 +19,6 @@ public class Config extends com.uid2.shared.Const.Config {
public static final String AzureVaultNameProp = "azure_vault_name";
public static final String AzureSecretNameProp = "azure_secret_name";
+ public static final String GcpSecretVersionNameProp = "gcp_secret_version_name";
}
}
diff --git a/src/main/java/com/uid2/operator/Main.java b/src/main/java/com/uid2/operator/Main.java
index 5726d1d5c..f36150314 100644
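Review bot: The new `export gcp_secret_version_name="${API_TOKEN_SECRET_NAME}"` line carries no explanation of why the shell no longer fetches the token itself, so a reader comparing this script with the other platform entrypoints cannot tell whether the lookup was dropped or moved. I would put above it: `# Only the Secret Manager version resource name is passed on; the operator fetches the API token in-process, so the token itself never sits in the container environment.` The removed code called `${API_TOKEN_SECRET_NAME}:access`, which takes a full secret version resource name, so it is worth stating that the same format is still expected now that nothing on the shell side validates it beyond the `-z` check above the hunk. If the Java retriever does require the full `projects/.../secrets/.../versions/...` form (not visible here), a cheap `case` on that prefix before the export would fail the container before the JVM starts rather than at first use; the script continues past the hunk.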
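Review bot: The new `GcpSecretVersionNameProp` constant, like the two Azure constants above it, has no Javadoc saying what shape the configured value must take or which `enclave_platform` branch consumes it, and the name "version name" is easy to misread as a version number. I would add `/** Config key for the Secret Manager secret *version* resource name that holds the operator API token; read only when enclave_platform is gcp-oidc. */` above the field, since the entrypoint in this same commit passes `API_TOKEN_SECRET_NAME` through unchanged and the two names should be documented as the same thing. The enclosing `Config` class starts outside the hunk.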
--- a/src/main/java/com/uid2/operator/Main.java
+++ b/src/main/java/com/uid2/operator/Main.java
@@ -500,6 +500,10 @@ private IOperatorKeyRetriever createOperatorKeyRetriever() throws Exception {
var secretName = this.config.getString(Const.Config.AzureSecretNameProp);
return OperatorKeyRetrieverFactory.getAzureOperatorKeyRetriever(vaultName, secretName);
}
+ case "gcp-oidc": {
+ var secretVersionName = this.config.getString(Const.Config.GcpSecretVersionNameProp);
+ return OperatorKeyRetrieverFactory.getGcpOperatorKeyRetriever(secretVersionName);
+ }
default: {
throw new IllegalArgumentException(String.format("enclave_platform is providing the wrong value: %s", enclavePlatform));
}
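Review bot: The new `case "gcp-oidc"` hands `secretVersionName` straight from `this.config.getString(...)` to `getGcpOperatorKeyRetriever` without checking that the key was set, so a missing or empty `gcp_secret_version_name` surfaces later inside the retriever (or at first key fetch) rather than as a clear configuration error at startup. Mirror the method's own `default` branch and fail fast before the `return`: `if (secretVersionName == null || secretVersionName.isEmpty()) { throw new IllegalArgumentException(Const.Config.GcpSecretVersionNameProp + " must be set when enclave_platform is gcp-oidc"); }`. The Azure branch above has the same gap, so if only this branch is hardened a short comment should say why, or both should get the guard. `createOperatorKeyRetriever` begins before this hunk and the switch's closing lines lie outside it.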