chainloop-dev · migmartri · Aug 31, 2023 · Aug 30, 2023 · Aug 30, 2023 · Aug 30, 2023
diff --git a/app/artifact-cas/cmd/main.go b/app/artifact-cas/cmd/main.go
@@ -20,11 +20,12 @@ import (
 	"os"
 	"time"
 
-	credsConfig "github.com/chainloop-dev/chainloop/internal/credentials/api/credentials/v1"
 	"github.com/getsentry/sentry-go"
 
 	"github.com/chainloop-dev/chainloop/app/artifact-cas/internal/conf"
 	"github.com/chainloop-dev/chainloop/app/artifact-cas/internal/server"
+	"github.com/chainloop-dev/chainloop/internal/credentials"
+	"github.com/chainloop-dev/chainloop/internal/credentials/manager"
 	"github.com/chainloop-dev/chainloop/internal/servicelogger"
 
 	"github.com/go-kratos/kratos/v2"
@@ -103,7 +104,7 @@ func main() {
 		panic(err)
 	}
 
-	credentialsReader, err := credsConfig.NewFromConfig(bc.GetCredentialsService(), logger)
+	credentialsReader, err := manager.NewFromConfig(bc.GetCredentialsService(), credentials.RoleReader, logger)
 	if err != nil {
 		panic(err)
 	}

diff --git a/app/artifact-cas/configs/config.devel.yaml b/app/artifact-cas/configs/config.devel.yaml
@@ -13,6 +13,8 @@ server:
     addr: 0.0.0.0:5001
 
 credentials_service:
+  # we will check that we can read there
+  secret_prefix: chainloop-devel
   # Remember to run vault via docker compose up
   vault:
     address: ${VAULT_ADDRESS:http://0.0.0.0:8200}

diff --git a/app/artifact-cas/configs/samples/config.yaml b/app/artifact-cas/configs/samples/config.yaml
@@ -13,6 +13,8 @@ server:
     addr: 0.0.0.0:5001
 
 credentials_service:
+  # We use the prefix to check that we can read from it on initialization
+  secret_prefix: chainloop-devel
   # Remember to run vault via docker compose up
   vault:
     address: ${VAULT_ADDRESS:http://0.0.0.0:8200}

diff --git a/app/controlplane/cmd/main.go b/app/controlplane/cmd/main.go
@@ -31,7 +31,7 @@ import (
 	backends "github.com/chainloop-dev/chainloop/internal/blobmanager"
 	"github.com/chainloop-dev/chainloop/internal/blobmanager/oci"
 	"github.com/chainloop-dev/chainloop/internal/credentials"
-	credsConfig "github.com/chainloop-dev/chainloop/internal/credentials/api/credentials/v1"
+	"github.com/chainloop-dev/chainloop/internal/credentials/manager"
 	"github.com/chainloop-dev/chainloop/internal/servicelogger"
 
 	"github.com/go-kratos/kratos/v2"
@@ -105,7 +105,7 @@ func main() {
 		panic(err)
 	}
 
-	credsWriter, err := credsConfig.NewFromConfig(bc.GetCredentialsService(), logger)
+	credsWriter, err := manager.NewFromConfig(bc.GetCredentialsService(), credentials.RoleWriter, logger)
 	if err != nil {
 		panic(err)
 	}

diff --git a/app/controlplane/configs/config.devel.yaml b/app/controlplane/configs/config.devel.yaml
@@ -27,7 +27,7 @@ credentials_service:
   vault:
     address: ${VAULT_ADDRESS:http://0.0.0.0:8200}
     token: ${VAULT_TOKEN:notasecret}
-    secret_prefix: chainloop-devel
+  secret_prefix: chainloop-devel
 
 data:
   database:

diff --git a/app/controlplane/configs/samples/config.yaml b/app/controlplane/configs/samples/config.yaml
@@ -25,15 +25,13 @@ credentials_service:
   vault:
     address: ${VAULT_ADDRESS:http://0.0.0.0:8200}
     token: ${VAULT_TOKEN:notasecret}
-    secret_prefix: chainloop-devel
+  secret_prefix: chainloop-devel
   # aws_secret_manager:
   #   creds:
   #     access_key: not-a-key
   #     secret_key: not-a-secret
   #   region: us-east-1
-  #   secret_prefix: i-e chainloop-devel
 
   # gcp_secret_manager:
   #   project_id: 522312304548
-  #   auth_key: "./configs/gcp_auth_key.json"
-  #   secret_prefix: "pre-"
+  #   auth_key: "./configs/gcp_auth_key.json"
diff --git a/deployment/chainloop/templates/_helpers.tpl b/deployment/chainloop/templates/_helpers.tpl
@@ -59,9 +59,9 @@ WBiBSPaJtz6JYk/fye4=
 
 {{- define "chainloop.credentials_service_settings" -}}
 {{- with .Values.secretsBackend }}
+secretPrefix: {{ required "secret prefix required" .secretPrefix | quote }}
 {{- if eq .backend "vault" }}
 vault:
-  secretPrefix: {{ required "secret prefix required" .secretPrefix | quote }}
   {{- if and $.Values.development (or (not .vault) not .vault.address) }}
   address: {{ printf "http://%s:8200" (include "chainloop.vault.fullname" $) | quote }}
   token: {{ $.Values.vault.server.dev.devRootToken | quote }}
@@ -72,15 +72,13 @@ vault:
 
 {{- else if eq .backend "awsSecretManager" }}
 awsSecretManager:
-  secretPrefix: {{ required "secret prefix required" .secretPrefix | quote }}
   region: {{ required "region required" .awsSecretManager.region | quote }}
   creds:
     accessKey: {{ required "access key required" .awsSecretManager.accessKey | quote }}
     secretKey: {{ required "secret key required" .awsSecretManager.secretKey | quote }}
 
 {{- else if eq .backend "gcpSecretManager" }}
 gcpSecretManager:
-  secretPrefix: {{ required "secret prefix required" .secretPrefix | quote }}
   projectId: {{ required "project id required" .gcpSecretManager.projectId | quote }}
   serviceAccountKey: "/gcp-secrets/serviceAccountKey.json"
   {{- if eq .gcpSecretManager.serviceAccountKey "" }}

diff --git a/internal/credentials/api/credentials/v1/config.pb.go b/internal/credentials/api/credentials/v1/config.pb.go
diff --git a/internal/credentials/api/credentials/v1/config.pb.validate.go b/internal/credentials/api/credentials/v1/config.pb.validate.go
diff --git a/internal/credentials/api/credentials/v1/config.proto b/internal/credentials/api/credentials/v1/config.proto
@@ -29,6 +29,9 @@ message Credentials {
     GCPSecretManager gcp_secret_manager = 3;
   }
 
+  // prefix used while writing a new secret
+  string secret_prefix = 4;
+
   // Top level is deprecated now
   message AWSSecretManager {
     Creds creds = 1 [(validate.rules).message.required = true];

diff --git a/internal/credentials/aws/secretmanager.go b/internal/credentials/aws/secretmanager.go
@@ -51,6 +51,7 @@ type Manager struct {
 type NewManagerOpts struct {
 	Region, AccessKey, SecretKey, SecretPrefix string
 	Logger                                     log.Logger
+	Role                                       credentials.Role
 }
 
 func NewManager(opts *NewManagerOpts) (*Manager, error) {
@@ -64,7 +65,7 @@ func NewManager(opts *NewManagerOpts) (*Manager, error) {
 	}
 
 	logger := servicelogger.ScopedHelper(l, "credentials/aws-secrets-manager")
-	logger.Infow("msg", "configuring secrets-manager", "region", opts.Region)
+	logger.Infow("msg", "configuring secrets-manager", "region", opts.Region, "role", opts.Role, "prefix", opts.SecretPrefix)
 
 	config, err := config.LoadDefaultConfig(
 		context.TODO(),

diff --git a/internal/credentials/credentials.go b/internal/credentials/credentials.go
@@ -43,6 +43,13 @@ type Reader interface {
 	ReadCredentials(ctx context.Context, secretName string, credentials any) error
 }
 
+type Role int64
+
+const (
+	RoleReader Role = iota
+	RoleWriter
+)
+
 var ErrNotFound = errors.New("credentials not found")
 var ErrValidation = errors.New("credentials validation error")
 

diff --git a/internal/credentials/gcp/secretmanager.go b/internal/credentials/gcp/secretmanager.go
@@ -52,6 +52,7 @@ type Manager struct {
 type NewManagerOpts struct {
 	ProjectID, ServiceAccountKey, SecretPrefix string
 	Logger                                     log.Logger
+	Role                                       credentials.Role
 }
 
 func NewManager(opts *NewManagerOpts) (*Manager, error) {
@@ -65,13 +66,14 @@ func NewManager(opts *NewManagerOpts) (*Manager, error) {
 	}
 
 	logger := servicelogger.ScopedHelper(l, "credentials/gcp-secrets-manager")
-	logger.Infow("msg", "configuring gcp secrets-manager", "projectID", opts.ProjectID)
+	logger.Infow("msg", "configuring gcp secrets-manager", "projectID", opts.ProjectID, "role", opts.Role, "prefix", opts.SecretPrefix)
 
 	cli, err := secretmanager.NewClient(context.TODO(), option.WithCredentialsFile(opts.ServiceAccountKey))
 	if err != nil {
 		return nil, fmt.Errorf("error while creating the client: %w", err)
 	}
-	logger.Infow("msg", "created GCP connection", "projectID", opts.ProjectID)
+
+	logger.Infow("msg", "created GCP connection", "projectID", opts.ProjectID, "role", opts.Role, "prefix", opts.SecretPrefix)
 
 	return &Manager{
 		projectID:    opts.ProjectID,