feat(google): add support for Google config-secret adapter

moabu · Feb 24, 2021 · f277eb2 · f277eb2
1 parent 9dac207
commit f277eb2
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 7 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -5,7 +5,7 @@ FROM alpine:3.13
 # ===============
 
 RUN apk update \
-    && apk add --no-cache openssl py3-pip tini curl bash openjdk11-jre-headless py3-cryptography \
+    && apk add --no-cache openssl py3-pip tini curl bash openjdk11-jre-headless py3-cryptography py3-grpcio \
     && apk add --no-cache --virtual build-deps wget git \
     && mkdir -p /usr/java/latest \
     && ln -sf /usr/lib/jvm/default-jvm/jre /usr/java/latest/jre
@@ -106,7 +106,9 @@ ENV CN_CONFIG_ADAPTER=consul \
     CN_CONFIG_CONSUL_NAMESPACE=jans \
     CN_CONFIG_KUBERNETES_NAMESPACE=default \
     CN_CONFIG_KUBERNETES_CONFIGMAP=jans \
-    CN_CONFIG_KUBERNETES_USE_KUBE_CONFIG=false
+    CN_CONFIG_KUBERNETES_USE_KUBE_CONFIG=false \
+    CN_CONFIG_GOOGLE_SECRET_VERSION_ID=latest \
+    CN_CONFIG_GOOGLE_SECRET_NAME_PREFIX=jans
 
 # ==========
 # Secret ENV
@@ -125,7 +127,10 @@ ENV CN_SECRET_ADAPTER=vault \
     CN_SECRET_VAULT_NAMESPACE=jans \
     CN_SECRET_KUBERNETES_NAMESPACE=default \
     CN_SECRET_KUBERNETES_SECRET=jans \
-    CN_SECRET_KUBERNETES_USE_KUBE_CONFIG=false
+    CN_SECRET_KUBERNETES_USE_KUBE_CONFIG=false \
+    CN_SECRET_GOOGLE_SECRET_MANAGER_PASSPHRASE=secret \
+    CN_SECRET_GOOGLE_SECRET_VERSION_ID=latest \
+    CN_SECRET_GOOGLE_SECRET_NAME_PREFIX=jans
 
 # ===============
 # Persistence ENV
@@ -158,7 +163,9 @@ ENV CN_MAX_RAM_PERCENTAGE=75.0 \
     CN_JACKRABBIT_ADMIN_PASSWORD_FILE=/etc/jans/conf/jackrabbit_admin_password \
     CN_JAVA_OPTIONS="" \
     CN_SYNC_JKS_ENABLED=false \
-    CN_SYNC_JKS_INTERVAL=30
+    CN_SYNC_JKS_INTERVAL=30 \
+    GOOGLE_PROJECT_ID="" \
+    GOOGLE_APPLICATION_CREDENTIALS=/etc/jans/conf/google-credentials.json
 
 # ==========
 # misc stuff

diff --git a/README.md b/README.md
@@ -11,7 +11,7 @@ For bleeding-edge/unstable version, use `janssenproject/auth-server:1.0.0_dev`.
 
 The following environment variables are supported by the container:
 
-- `CN_CONFIG_ADAPTER`: The config backend adapter, can be `consul` (default) or `kubernetes`.
+- `CN_CONFIG_ADAPTER`: The config backend adapter, can be `consul` (default), `kubernetes`, or `google`.
 - `CN_CONFIG_CONSUL_HOST`: hostname or IP of Consul (default to `localhost`).
 - `CN_CONFIG_CONSUL_PORT`: port of Consul (default to `8500`).
 - `CN_CONFIG_CONSUL_CONSISTENCY`: Consul consistency mode (choose one of `default`, `consistent`, or `stale`). Default to `stale` mode.
@@ -24,7 +24,9 @@ The following environment variables are supported by the container:
 - `CN_CONFIG_KUBERNETES_NAMESPACE`: Kubernetes namespace (default to `default`).
 - `CN_CONFIG_KUBERNETES_CONFIGMAP`: Kubernetes configmaps name (default to `jans`).
 - `CN_CONFIG_KUBERNETES_USE_KUBE_CONFIG`: Load credentials from `$HOME/.kube/config`, only useful for non-container environment (default to `false`).
-- `CN_SECRET_ADAPTER`: The secrets adapter, can be `vault` or `kubernetes`.
+- `CN_CONFIG_GOOGLE_SECRET_VERSION_ID`: Google Secret Manager version ID (default to `latest`).
+- `CN_CONFIG_GOOGLE_SECRET_NAME_PREFIX`: Prefix for Google Secret Manager name (default to `jans`).
+- `CN_SECRET_ADAPTER`: The secrets adapter, can be `vault` (default), `kubernetes`, or `google`.
 - `CN_SECRET_VAULT_SCHEME`: supported Vault scheme (`http` or `https`).
 - `CN_SECRET_VAULT_HOST`: hostname or IP of Vault (default to `localhost`).
 - `CN_SECRET_VAULT_PORT`: port of Vault (default to `8200`).
@@ -37,6 +39,9 @@ The following environment variables are supported by the container:
 - `CN_SECRET_KUBERNETES_NAMESPACE`: Kubernetes namespace (default to `default`).
 - `CN_SECRET_KUBERNETES_SECRET`: Kubernetes secrets name (default to `jans`).
 - `CN_SECRET_KUBERNETES_USE_KUBE_CONFIG`: Load credentials from `$HOME/.kube/config`, only useful for non-container environment (default to `false`).
+- `CN_SECRET_GOOGLE_SECRET_VERSION_ID`: Google Secret Manager version ID (default to `latest`).
+- `CN_SECRET_GOOGLE_SECRET_NAME_PREFIX`: Prefix for Google Secret Manager name (default to `jans`).
+- `CN_SECRET_GOOGLE_SECRET_MANAGER_PASSPHRASE`: Passphrase for Google Secret Manager (default to `secret`).
 - `CN_WAIT_MAX_TIME`: How long the startup "health checks" should run (default to `300` seconds).
 - `CN_WAIT_SLEEP_DURATION`: Delay between startup "health checks" (default to `10` seconds).
 - `CN_MAX_RAM_PERCENTAGE`: Value passed to Java option `-XX:MaxRAMPercentage`.
@@ -61,3 +66,5 @@ The following environment variables are supported by the container:
 - `CN_JACKRABBIT_ADMIN_PASSWORD_FILE`: Absolute path to file contains password for admin user (default to `/etc/jans/conf/jackrabbit_admin_password`).
 - `CN_SYNC_JKS_ENABLED`: Whether to enable JKS sync (default to `false`). Enable this flag if using `gluufederation/key-rotation:4.1.1_02` and below (for key-regeneration).
 - `CN_SYNC_JKS_INTERVAL`: Interval of JKS sync in seconds (if needed); obsolete.
+- `GOOGLE_PROJECT_ID`: Google Project ID (default to empty string). Used when `CN_CONFIG_ADAPTER` or `CN_SECRET_ADAPTER` set to `google`.
+- `GOOGLE_APPLICATION_CREDENTIALS`: Path to Google credentials JSON file (default to `/etc/jans/conf/google-credentials.json`). Used when `CN_CONFIG_ADAPTER` or `CN_SECRET_ADAPTER` set to `google`.
diff --git a/requirements.txt b/requirements.txt
@@ -1 +1 @@
--e git+https://github.com/JanssenProject/jans-pycloudlib@8c56ce10f32743ddb8925b8cf5315d5b1db22faf#egg=jans-pycloudlib
+-e git+https://github.com/JanssenProject/jans-pycloudlib@1d095e183b969cce461d21398407284f6934db1f#egg=jans-pycloudlib
Original file line number	Diff line number	Diff line change
		@@ -1 +1 @@
		-e git+https://github.com/JanssenProject/jans-pycloudlib@8c56ce10f32743ddb8925b8cf5315d5b1db22faf#egg=jans-pycloudlib
		-e git+https://github.com/JanssenProject/jans-pycloudlib@1d095e183b969cce461d21398407284f6934db1f#egg=jans-pycloudlib