Google Secret Manager support #928
Conversation
Unfortunately I cannot add labels or assign reviewers as per the contributing guideline. Please suggest what to do in this case.
Thanks for your contribution. Re: labels and assigning reviewers, that isn't necessary. I will assign some reviewers to have a look at your PR.
keystorage/src/main/java/tech/pegasys/web3signer/keystorage/gcp/GcpSecretManager.java
Would you be able to add acceptance tests around bulkloading and/or list public keys dealing with GCP? Similar to https://github.com/Consensys/web3signer/blob/master/acceptance-tests/src/test/java/tech/pegasys/web3signer/tests/bulkloading/AwsSecretsManagerAcceptanceTest.java ... I'll work with our DevOps department to obtain GCP access to run these ATs on master build. These ATs would only work/run if appropriate environment variables are defined.
Yes, just pushed the update
Will re-review as the changes have been addressed.
Tested
LGTM
@skisel-bt PR looks good to me. Let me know if you are good to get it merged (the title of PR still has WIP in it :)).
@usmansaleem I am good to get it merged and I've also renamed the PR. If I understand correctly there is also a doc change required, is there any help there I could do?
PR Description
This PR introduces the Google Cloud Platform's Secret Manager as an alternative backend option for storing BLS keys, extending the flexibility for users and organizations that operate within GCP's ecosystem. The addition of this backend doesn’t enhance existing functionality but provides an additional choice.
Key Additions:
CLI Arguments:
--gcp-secrets-enabled: Enable the GCP Secret Manager for storing BLS keys.
--gcp-project-id: (required) Define the GCP Project ID to interact with the Secret Manager APIs.
--gcp-secrets-filter: Specify filtering criteria for fetching secrets from the GCP Secret Manager. (Filter syntax)
Authentication:
We're utilizing Application Default Credentials (ADC) for authenticating interactions with GCP Secret Manager. ADC simplifies the acquisition of an access token, automatically finding credentials and managing token retrieval, allowing the authentication code to operate across various deployment options without modification.
Libraries Added:
The Java GCP Secret Manager library and its dependencies have been incorporated; the license has to be checked.
Batch Storage:
The keys are stored in batches, akin to the AWS backend implementation, to streamline performance and minimize API call overheads.
Testing:
Testing was performed by deploying a modified version of the application as a Docker container to the GCP Cloud Run service. Testing strategies included:
Validating the storage and retrieval of BLS keys using GCP Secret Manager as the backend.
Ensuring the application behaves as expected when deployed as a container in a cloud environment.
Verifying error handling, logging, and graceful failure mechanisms.
Fixed Issue(s)
Fixes #676
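As an added illustration of the flow the description above outlines (ADC-based authentication, a project id, a list filter, and batch reads of secret payloads), the following is example code written for this page, not web3signer's own GcpSecretManager; the class name, the `loadLatestPayloads` signature and the sample filter `labels.env=prod` are assumptions.

```java
// Added illustration, not web3signer's GcpSecretManager: bulk-load secrets from
// GCP Secret Manager via ADC with a project id and list filter (cf. the CLI options).
import com.google.cloud.secretmanager.v1.AccessSecretVersionResponse;
import com.google.cloud.secretmanager.v1.ListSecretsRequest;
import com.google.cloud.secretmanager.v1.ProjectName;
import com.google.cloud.secretmanager.v1.Secret;
import com.google.cloud.secretmanager.v1.SecretManagerServiceClient;
import com.google.cloud.secretmanager.v1.SecretName;
import com.google.cloud.secretmanager.v1.SecretVersionName;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.function.Consumer;

public final class GcpSecretLoader {
  /**
   * Lists secrets in {@code projectId} that match {@code filter} (e.g. "labels.env=prod",
   * a constructed example) and hands each secret's latest payload to {@code consumer}.
   * Returns the ids of secrets that could not be read so the caller can log them.
   */
  public static List<String> loadLatestPayloads(
      String projectId, String filter, Consumer<String> consumer) throws IOException {
    List<String> failed = new ArrayList<>();
    // SecretManagerServiceClient.create() resolves credentials via Application Default
    // Credentials: GOOGLE_APPLICATION_CREDENTIALS, gcloud user creds, or the attached
    // service account on Cloud Run / GCE. No key file is handled by this code.
    try (SecretManagerServiceClient client = SecretManagerServiceClient.create()) {
      ListSecretsRequest request =
          ListSecretsRequest.newBuilder()
              .setParent(ProjectName.of(projectId).toString())
              .setFilter(filter == null ? "" : filter)
              .build();
      // iterateAll() pages through results; one list call replaces N describe calls.
      for (Secret secret : client.listSecrets(request).iterateAll()) {
        String secretId = SecretName.parse(secret.getName()).getSecret();
        SecretVersionName version = SecretVersionName.of(projectId, secretId, "latest");
        try {
          AccessSecretVersionResponse response = client.accessSecretVersion(version);
          consumer.accept(response.getPayload().getData().toStringUtf8());
        } catch (RuntimeException e) {
          // A disabled/destroyed latest version or a missing secretAccessor grant
          // must not abort the whole batch; record it and continue.
          failed.add(secretId);
        }
      }
    }
    return failed;
  }
}
```

The identity running this needs only the Secret Manager accessor/viewer permissions on the matching secrets; keep the filter narrow so the service account cannot read unrelated secrets in the project.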