Skip to content

Commit

Permalink
feat(providers): add support for GCP KMS
Browse files Browse the repository at this point in the history
Signed-off-by: Mateusz Hromada <[email protected]>
  • Loading branch information
ruanda committed Nov 24, 2023
1 parent e126a3d commit dcd4763
Show file tree
Hide file tree
Showing 6 changed files with 115 additions and 1 deletion.
20 changes: 20 additions & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,7 @@ It supports various backends including:
- AWS Secrets Manager
- AWS S3
- GCP Secrets Manager
- GCP KMS
- [Google Sheets](#google-sheets)
- [SOPS](https://github.com/getsops/sops)-encrypted files
- Terraform State
Expand Down Expand Up @@ -203,6 +204,7 @@ Please see the [relevant unit test cases](https://github.com/helmfile/vals/blob/
- [AWS Secrets Manager](#aws-secrets-manager)
- [AWS S3](#aws-s3)
- [GCP Secrets Manager](#gcp-secrets-manager)
- [GCP KMS](#gcp-kms)
- [Google Sheets](#google-sheets)
- [Google GCS](#google-gcs)
- [SOPS](#sops) powered by [sops](https://github.com/getsops/sops)
Expand Down Expand Up @@ -391,6 +393,24 @@ Examples:
> In some cases like you need to use an alternative credentials or project,
> you'll likely need to set `GOOGLE_APPLICATION_CREDENTIALS` and/or `GCP_PROJECT` envvars.
### GCP KMS
- `ref+gkms://BASE64CIPHERTEXT?project=myproject&location=global&keyring=mykeyring&crypto_key=mykey`
- `ref+gkms://BASE64CIPHERTEXT?project=myproject&location=global&keyring=mykeyring&crypto_key=mykey#/yaml_or_json_key/in/secret`
Decrypts the URL-safe base64-encoded ciphertext using GCP KMS. Note that URL-safe base64 encoding is the same as "traditional" base64 encoding, except it uses _ and - in place of / and +, respectively. For example, to get a URL-safe base64-encoded ciphertext using the GCP CLI, you might run
```
echo test | gcloud kms encrypt \
--project myproject \
--location global \
--keyring mykeyring \
--key mykey \
--plaintext-file - \
--ciphertext-file - \
| base64 -w0 \
| tr '/+' '_-'
```
### Google Sheets
- `ref+googlesheets://SPREADSHEET_ID?credentials_file=credentials.json#/KEY`
Expand Down
2 changes: 1 addition & 1 deletion go.mod
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@ module github.com/helmfile/vals
go 1.21

require (
cloud.google.com/go/kms v1.15.2
cloud.google.com/go/secretmanager v1.11.1
cloud.google.com/go/storage v1.33.0
github.com/1Password/connect-sdk-go v1.5.3
Expand All @@ -28,7 +29,6 @@ require (
cloud.google.com/go/compute v1.23.0 // indirect
cloud.google.com/go/compute/metadata v0.2.3 // indirect
cloud.google.com/go/iam v1.1.1 // indirect
cloud.google.com/go/kms v1.15.2 // indirect
filippo.io/age v1.1.1 // indirect
github.com/AlecAivazis/survey/v2 v2.3.6 // indirect
github.com/Azure/azure-sdk-for-go/sdk/internal v1.5.0 // indirect
Expand Down
83 changes: 83 additions & 0 deletions pkg/providers/gkms/gkms.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,83 @@
package gkms

import (
"context"
"encoding/base64"
"fmt"
"os"

"github.com/helmfile/vals/pkg/api"

Check failure on line 9 in pkg/providers/gkms/gkms.go

View workflow job for this annotation

GitHub Actions / Lint

File is not `gci`-ed with --skip-generated -s standard,default,prefix(github.com/helmfile/vals) (gci)
"github.com/helmfile/vals/pkg/log"
"gopkg.in/yaml.v3"

kms "cloud.google.com/go/kms/apiv1"
kmspb "cloud.google.com/go/kms/apiv1/kmspb"

Check failure on line 14 in pkg/providers/gkms/gkms.go

View workflow job for this annotation

GitHub Actions / Lint

File is not `gci`-ed with --skip-generated -s standard,default,prefix(github.com/helmfile/vals) (gci)
)

type provider struct {
log *log.Logger
Project string
Location string
Keyring string
CryptoKey string
}

func New(l *log.Logger, cfg api.StaticConfig) *provider {
p := &provider{
log: l,
}
p.Project = cfg.String("project")
p.Location = cfg.String("location")
p.Keyring = cfg.String("keyring")
p.CryptoKey = cfg.String("crypto_key")
return p
}

func (p *provider) GetString(key string) (string, error) {
ctx := context.Background()
value, err := p.getValue(ctx, key)
if err != nil {
return "", err
}
return string(value), nil
}

func (p *provider) GetStringMap(key string) (map[string]interface{}, error) {
ctx := context.Background()
value, err := p.getValue(ctx, key)
if err != nil {
return nil, err
}
var valueMap map[string]interface{}
if err := yaml.Unmarshal(value, &valueMap); err != nil {
return nil, fmt.Errorf("failed to unmarshal value: %w", err)
}
return valueMap, nil
}

func (p *provider) getValue(ctx context.Context, key string) ([]byte, error) {
c, err := kms.NewKeyManagementClient(ctx)
if err != nil {
fmt.Fprintf(os.Stderr, "failed to connect: %s", err)
return nil, err
}
defer func() {
if err := c.Close(); err != nil {
p.log.Debugf("gkms: %v", err)
}
}()
blob, err := base64.URLEncoding.DecodeString(key)
if err != nil {
return nil, err
}
req := &kmspb.DecryptRequest{
Name: fmt.Sprintf("projects/%s/locations/%s/keyRings/%s/cryptoKeys/%s", p.Project, p.Location, p.Keyring, p.CryptoKey),
Ciphertext: blob,
}

resp, err := c.Decrypt(ctx, req)
if err != nil {
return nil, err
}
return resp.Plaintext, nil
}
3 changes: 3 additions & 0 deletions pkg/stringmapprovider/stringmapprovider.go
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,7 @@ import (
"github.com/helmfile/vals/pkg/providers/azurekeyvault"
"github.com/helmfile/vals/pkg/providers/doppler"
"github.com/helmfile/vals/pkg/providers/gcpsecrets"
"github.com/helmfile/vals/pkg/providers/gkms"
"github.com/helmfile/vals/pkg/providers/onepasswordconnect"
"github.com/helmfile/vals/pkg/providers/sops"
"github.com/helmfile/vals/pkg/providers/ssm"
Expand Down Expand Up @@ -40,6 +41,8 @@ func New(l *log.Logger, provider api.StaticConfig) (api.LazyLoadedStringMapProvi
return onepasswordconnect.New(provider), nil
case "doppler":
return doppler.New(l, provider), nil
case "gkms":
return gkms.New(l, provider), nil
}

return nil, fmt.Errorf("failed initializing string-map provider from config: %v", provider)
Expand Down
3 changes: 3 additions & 0 deletions pkg/stringprovider/stringprovider.go
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,7 @@ import (
"github.com/helmfile/vals/pkg/providers/gcpsecrets"
"github.com/helmfile/vals/pkg/providers/gcs"
"github.com/helmfile/vals/pkg/providers/gitlab"
"github.com/helmfile/vals/pkg/providers/gkms"
"github.com/helmfile/vals/pkg/providers/onepasswordconnect"
"github.com/helmfile/vals/pkg/providers/s3"
"github.com/helmfile/vals/pkg/providers/sops"
Expand Down Expand Up @@ -58,6 +59,8 @@ func New(l *log.Logger, provider api.StaticConfig) (api.LazyLoadedStringProvider
return onepasswordconnect.New(provider), nil
case "doppler":
return doppler.New(l, provider), nil
case "gkms":
return gkms.New(l, provider), nil
}

return nil, fmt.Errorf("failed initializing string provider from config: %v", provider)
Expand Down
5 changes: 5 additions & 0 deletions vals.go
Original file line number Diff line number Diff line change
Expand Up @@ -30,6 +30,7 @@ import (
"github.com/helmfile/vals/pkg/providers/gcpsecrets"
"github.com/helmfile/vals/pkg/providers/gcs"
"github.com/helmfile/vals/pkg/providers/gitlab"
"github.com/helmfile/vals/pkg/providers/gkms"
"github.com/helmfile/vals/pkg/providers/googlesheets"
"github.com/helmfile/vals/pkg/providers/onepasswordconnect"
"github.com/helmfile/vals/pkg/providers/s3"
Expand Down Expand Up @@ -85,6 +86,7 @@ const (
ProviderEnvSubst = "envsubst"
ProviderOnePasswordConnect = "onepasswordconnect"
ProviderDoppler = "doppler"
ProviderGKMS = "gkms"
)

var (
Expand Down Expand Up @@ -238,6 +240,9 @@ func (r *Runtime) prepare() (*expansion.ExpandRegexMatch, error) {
case ProviderDoppler:
p := doppler.New(r.logger, conf)
return p, nil
case ProviderGKMS:
p := gkms.New(r.logger, conf)
return p, nil
}
return nil, fmt.Errorf("no provider registered for scheme %q", scheme)
}
Expand Down

0 comments on commit dcd4763

Please sign in to comment.