feat(deployment): Add support for GCP secret manager to Helm charts (#225)

Signed-off-by: Rafał Kuć <r.kuc@solr.pl>

Author: gr0

deployment/chainloop/Chart.yaml

@@ -4,7 +4,7 @@ description: Chainloop is an open source software supply chain control plane, a
 
 type: application
 # Bump the patch (not minor, not major) version on each change in the Chart Source code
-version: 1.8.1
+version: 1.8.2
 # Do not update appVersion, this is handled automatically by the release process
 appVersion: v0.13.0
 
@@ -21,4 +21,4 @@ dependencies:
   - condition: development
     name: vault
     repository: https://helm.releases.hashicorp.com
-    version: 0.24.x
+    version: 0.24.x

deployment/chainloop/README.md

@@ -89,6 +89,20 @@ helm install [RELEASE_NAME] oci://ghcr.io/chainloop-dev/charts/chainloop \
     # ...
 ```
 
+Deploy using GCP secret manager instead of Vault
+
+```console
+helm install [RELEASE_NAME] oci://ghcr.io/chainloop-dev/charts/chainloop \
+    # Open ID Connect (OIDC)
+    # ...
+    # Secrets backend
+    --set secretsBackend.backend=gcpSecretManager \
+    --set secretsBackend.gcpSecretManager.projectId=[GCP Project ID] \
+    --set secretsBackend.gcpSecretManager.authKey=[GCP Auth KEY] \
+    # Server Auth KeyPair
+    # ...
+```
+
 Connect to an external PostgreSQL database instead
 
 ```console
@@ -292,6 +306,19 @@ secretsBackend:
         secretKey: [SECRET]
         region: [REGION]
 ```
+
+### Use GCP secret manager
+
+You can swap the secret manager backend with the following settings
+
+```yaml
+secretsBackend:
+    backend: gcpSecretManager
+    gcpSecretManager:
+        projectId: [PROJECT_ID]
+        authKey: [KEY]
+```
+
 ### Send exceptions to Sentry
 
 ```yaml
@@ -332,15 +359,17 @@ chainloop config save \
 
 ### Secrets Backend
 
-| Name                                        | Description                                                          | Value       |
-| ------------------------------------------- | -------------------------------------------------------------------- | ----------- |
-| `secretsBackend.backend`                    | Secrets backend type ("vault" or "awsSecretManager")                 | `vault`     |
-| `secretsBackend.secretPrefix`               | Prefix that will be pre-pended to all secrets in the storage backend | `chainloop` |
-| `secretsBackend.vault.address`              | Vault address                                                        |             |
-| `secretsBackend.vault.token`                | Vault authentication token                                           |             |
-| `secretsBackend.awsSecretManager.accessKey` | AWS Access KEY ID                                                    |             |
-| `secretsBackend.awsSecretManager.secretKey` | AWS Secret Key                                                       |             |
-| `secretsBackend.awsSecretManager.region`    | AWS Secret Manager Region                                            |             |
+| Name                                        | Description                                                           | Value       |
+| ------------------------------------------- | --------------------------------------------------------------------- | ----------- |
+| `secretsBackend.backend`                    | Secrets backend type ("vault", "awsSecretManager", "gcpSecretManager")| `vault`     |
+| `secretsBackend.secretPrefix`               | Prefix that will be pre-pended to all secrets in the storage backend  | `chainloop` |
+| `secretsBackend.vault.address`              | Vault address                                                         |             |
+| `secretsBackend.vault.token`                | Vault authentication token                                            |             |
+| `secretsBackend.awsSecretManager.accessKey` | AWS Access KEY ID                                                     |             |
+| `secretsBackend.awsSecretManager.secretKey` | AWS Secret Key                                                        |             |
+| `secretsBackend.awsSecretManager.region`    | AWS Secret Manager Region                                             |             |
+| `secretsBackend.gcpSecretManager.projectId` | GCP Project ID                                                        |             |
+| `secretsBackend.gcpSecretManager.authKey`   | GCP Auth Key                                                          |             |
 
 ### Authentication
 
@@ -508,4 +537,4 @@ Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
-limitations under the License.
+limitations under the License.

deployment/chainloop/templates/_helpers.tpl

@@ -77,6 +77,13 @@ awsSecretManager:
   creds:
     accessKey: {{ required "access key required" .awsSecretManager.accessKey | quote }}
     secretKey: {{ required "secret key required" .awsSecretManager.secretKey | quote }}
+
+{{- else if eq .backend "gcpSecretManager" }}
+gcpSecretManager:
+  secretPrefix: {{ required "secret prefix required" .secretPrefix | quote }}
+  projectId: {{ required "project id required" .gcpSecretManager.projectId | quote }}
+  authKey: {{ required "auth key required" .gcpSecretManager.authKey | quote }}
+
 {{- end }}
 {{- end }}
 {{- end -}}

deployment/chainloop/values.yaml

@@ -30,14 +30,14 @@ sentry:
 
 ## Location where to store sensitive data. If development.true? and no overrides provided, the setup will connect to a development instance of Vault
 secretsBackend:
-  ## @param secretsBackend.backend Secrets backend type ("vault" or "awsSecretManager") 
+  ## @param secretsBackend.backend Secrets backend type ("vault", "awsSecretManager" or "gcpSecretManager") 
   ##
   backend: "vault" # "awsSecretManager"
   ## @param secretsBackend.secretPrefix Prefix that will be pre-pended to all secrets in the storage backend
   ##
   secretPrefix: "chainloop"
 
-  # Either vault or AWS secret manager enabled at the same time
+  # Either vault, AWS secret manager or GCP secret manager enabled at the same time
   ## @extra secretsBackend.vault.address Vault address
   ## @extra secretsBackend.vault.token Vault authentication token
   ##
@@ -54,6 +54,13 @@ secretsBackend:
   #   secretKey: ""
   #   region: ""
 
+  ## @extra secretsBackend.gcpSecretManager.projectId GCP Project ID
+  ## @extra secretsBackend.gcpSecretManager.authKey GCP Auth Key
+  ##
+  # gcpSecretManager:
+  #   projectId: ""
+  #   authKey: ""
+
 ## @section Authentication
 ##
 
@@ -632,4 +639,4 @@ vault:
   server:
     dev:
       enabled: true
-      devRootToken: "notapassword"
+      devRootToken: "notapassword"