
Added support for fetching secrets based on labels #478


Status: Open. Wants to merge 8 commits into base: main.

Conversation

abheda-crest (Collaborator)

The PR focuses on retrieving secrets based on specified labels.

  • For each secret that matches the filter, the file name will correspond to the resource path of that secret (e.g., projects/<project_id>/secrets/<secret_id>).
  • The system has successfully fetched up to 1,000 secrets, leading to the decision to set a cap at this limit.
  • Limitation: Attempting to mount the value of larger secrets resulted in a resource exhaustion error due to a size exceeding 4 MB.

Related to: #384

We have tested this with the following scenarios:

  • Attempting to mount more than 1,000 secrets results in a "Too many secrets" error.
  • If there are no secrets that match the filter, it returns "No secrets matched while filtering."
  • Relevant log messages are added at each stage.
  • Global Secrets (all scenarios functioning as expected):
    • Secrets with no versions are not mounted.
    • Secrets with a destroyed version are not mounted and are skipped.
    • Secrets with a disabled version are not mounted and are skipped.
    • Secrets with an enabled version are successfully mounted.
  • Regional Secrets (all scenarios functioning as expected; location value provided in labels):
    • Secrets with no versions are not mounted.
    • Secrets with a destroyed version are not mounted and are skipped.
    • Secrets with a disabled version are not mounted and are skipped.
    • Secrets with an enabled version are successfully mounted.
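The selection rules listed in the description (label match, resource path as file name, skip secrets with no enabled version, cap at 1,000, "No secrets matched" error) can be modelled without the real API. The following Go program is an added example written for this page and is not the PR's code: the `Secret`/`Version` types, the `SelectByLabels` function, the constructed sample listing and the choice to apply the cap to the number of label matches and to inspect only the newest version are all assumptions made here.

```go
package main

import (
	"errors"
	"fmt"
	"log"
)

// VersionState models the lifecycle state of a secret version
// (constructed for this example; not the API's own enum).
type VersionState int

const (
	StateEnabled VersionState = iota
	StateDisabled
	StateDestroyed
)

// Version is one version of a secret; Secret.Versions is ordered oldest to newest.
type Version struct {
	Name  string // projects/<project_id>/secrets/<secret_id>/versions/<n>
	State VersionState
}

// Secret is the subset of secret metadata the label filter needs.
type Secret struct {
	Name     string            // projects/<project_id>/secrets/<secret_id>
	Labels   map[string]string // Secret Manager labels
	Versions []Version         // may be empty
}

// MaxSecrets is the cap described in the PR: more matches than this is an error.
const MaxSecrets = 1000

var (
	ErrTooManySecrets = errors.New("Too many secrets")
	ErrNoMatch        = errors.New("No secrets matched while filtering")
)

// matchesLabels reports whether every requested label is present with the same value.
func matchesLabels(s Secret, want map[string]string) bool {
	for k, v := range want {
		if got, ok := s.Labels[k]; !ok || got != v {
			return false
		}
	}
	return true
}

// SelectByLabels keeps the secrets whose labels match the filter and whose newest
// version is enabled, and returns a map from mount file name (the secret's resource
// path) to the version that would be mounted. Secrets with no versions, or whose
// newest version is disabled or destroyed, are logged and skipped. Assumption made
// here: the cap counts label matches, not successfully mounted secrets.
func SelectByLabels(all []Secret, filter map[string]string) (map[string]string, error) {
	mounted := make(map[string]string)
	matched := 0
	for _, s := range all {
		if !matchesLabels(s, filter) {
			continue
		}
		matched++
		if matched > MaxSecrets {
			return nil, ErrTooManySecrets
		}
		if len(s.Versions) == 0 {
			log.Printf("skipping %s: no versions", s.Name)
			continue
		}
		latest := s.Versions[len(s.Versions)-1]
		if latest.State != StateEnabled {
			log.Printf("skipping %s: newest version %s is not enabled", s.Name, latest.Name)
			continue
		}
		mounted[s.Name] = latest.Name
	}
	if matched == 0 {
		return nil, ErrNoMatch
	}
	return mounted, nil
}

// SampleSecrets is a constructed listing covering the scenarios in the PR description.
func SampleSecrets() []Secret {
	p := "projects/example-project/secrets/"
	return []Secret{
		{Name: p + "db-password", Labels: map[string]string{"app": "web"},
			Versions: []Version{{Name: p + "db-password/versions/1", State: StateEnabled}}},
		{Name: p + "rotated-key", Labels: map[string]string{"app": "web"},
			Versions: []Version{{Name: p + "rotated-key/versions/1", State: StateDestroyed}}},
		{Name: p + "paused-token", Labels: map[string]string{"app": "web"},
			Versions: []Version{{Name: p + "paused-token/versions/1", State: StateDisabled}}},
		{Name: p + "empty", Labels: map[string]string{"app": "web"}},
		{Name: p + "batch-cred", Labels: map[string]string{"app": "batch"},
			Versions: []Version{{Name: p + "batch-cred/versions/1", State: StateEnabled}}},
	}
}

func main() {
	files, err := SelectByLabels(SampleSecrets(), map[string]string{"app": "web"})
	if err != nil {
		log.Fatal(err)
	}
	for name, version := range files {
		fmt.Printf("%s -> %s\n", name, version)
	}
}
```

Running it with the `app=web` filter mounts only `db-password`; the destroyed, disabled and version-less secrets are logged and skipped, and `batch-cred` never matches. Note that the identity doing the listing needs metadata visibility across every secret the filter may touch, which is why the thread below adds a `secretmanager.viewer` binding on top of `secretAccessor`.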

@dargudear-google (Member)

Please plan to add an e2e test or add a load test at load-test.sh. Maybe this is a good opportunity to use labels in the load test.

@abheda-crest (Collaborator, Author)

Please plan to add an e2e test or add a load test at load-test.sh. Maybe this is a good opportunity to use labels in the load test.

We have added a load test for fetching multiple secrets based on labels.

@dargudear-google (Member)

@abheda-crest this will require additional permission to be configured on Secret Manager side, right?
It won't work with just secretAccessor, I guess.

@abheda-crest (Collaborator, Author)

@abheda-crest this will require additional permission to be configured on Secret Manager side, right? It won't work with just secretAccessor, I guess.

Yes, we would require the secretmanager.viewer permission to list secrets from Secret Manager side.

Reference: https://cloud.google.com/secret-manager/docs/access-control#secretmanager.viewer

@dargudear-google (Member)

@abheda-crest this will require additional permission to be configured on Secret Manager side, right? It won't work with just secretAccessor, I guess.

Yes, we would require the secretmanager.viewer permission to list secrets from Secret Manager side.

Reference: https://cloud.google.com/secret-manager/docs/access-control#secretmanager.viewer

Can you please update the documentation?
cc: @jainsuyogj

@abheda-crest (Collaborator, Author)

Can you please update the documentation? cc: @jainsuyogj

I have updated the documentation to include the additional Secret Manager permission.

README.md Outdated
@@ -60,6 +60,11 @@ $ rm secret.data
$ gcloud secrets add-iam-policy-binding testsecret \
--member=serviceAccount:gke-workload@$PROJECT_ID.iam.gserviceaccount.com \
--role=roles/secretmanager.secretAccessor

# grant the new service account permission to list the secrets
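Review bot: the only visible addition in this hunk is the comment `# grant the new service account permission to list the secrets`, while the binding shown above it (`--role=roles/secretmanager.secretAccessor`) is scoped to the single secret `testsecret`; listing by label has to cover every secret the filter may match, so the README should state the role the thread agreed on (`secretmanager.viewer`), the resource the new binding targets, and, as the review comment asks, the IAM condition that limits the workload to the labelled secrets it actually needs rather than to all secrets the viewer role can enumerate.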
Member

If secrets will be fetched using the label, add this condition.

Collaborator Author

I have updated the condition.

2 participants