feat(secrets): begin migration to secret manager from keystore (#587)

Benjamin E. Coe · web-flow · commit 1c92077459db · 2020-06-08T09:51:11.000-07:00
diff --git a/synthtool/gcp/templates/node_library/.kokoro/populate-secrets.sh b/synthtool/gcp/templates/node_library/.kokoro/populate-secrets.sh
@@ -0,0 +1,32 @@
+#!/bin/bash
+# Copyright 2020 Google LLC.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -eo pipefail
+
+# Populates requested secrets set in SECRET_MANAGER_KEYS from service account:
+# kokoro-trampoline@cloud-devrel-kokoro-resources.iam.gserviceaccount.com
+SECRET_LOCATION="${KOKORO_GFILE_DIR}/secret_manager"
+mkdir -p ${SECRET_LOCATION}
+for key in $(echo ${SECRET_MANAGER_KEYS} | sed "s/,/ /g")
+do
+  docker run --entrypoint=gcloud \
+    --volume=${KOKORO_GFILE_DIR}:${KOKORO_GFILE_DIR} \
+    gcr.io/google.com/cloudsdktool/cloud-sdk \
+    secrets versions access latest \
+    --credential-file-override=${KOKORO_GFILE_DIR}/kokoro-trampoline.service-account.json \
+    --project cloud-devrel-kokoro-resources \
+    --secret $key > \
+    "$SECRET_LOCATION/$key"
+done
diff --git a/synthtool/gcp/templates/node_library/.kokoro/publish.sh b/synthtool/gcp/templates/node_library/.kokoro/publish.sh
@@ -24,7 +24,7 @@ python3 -m releasetool publish-reporter-script > /tmp/publisher-script; source /
 
 cd $(dirname $0)/..
 
-NPM_TOKEN=$(cat $KOKORO_KEYSTORE_DIR/73713_{{ publish_token }})
+NPM_TOKEN=$(cat $KOKORO_GFILE_DIR/secret_manager/npm_publish_token
 echo "//wombat-dressing-room.appspot.com/:_authToken=${NPM_TOKEN}" > ~/.npmrc
 
 npm install
diff --git a/synthtool/gcp/templates/node_library/.kokoro/release/publish.cfg b/synthtool/gcp/templates/node_library/.kokoro/release/publish.cfg
@@ -47,13 +47,9 @@ before_action {
   }
 }
 
-before_action {
-  fetch_keystore {
-    keystore_resource {
-      keystore_config_id: 73713
-      keyname: "{{ publish_token }}"
-    }
-  }
+env_vars: {
+  key: "SECRET_MANAGER_KEYS"
+  value: "npm_publish_token"
 }
 
 # Download trampoline resources.
diff --git a/synthtool/gcp/templates/node_library/.kokoro/trampoline.sh b/synthtool/gcp/templates/node_library/.kokoro/trampoline.sh
@@ -24,4 +24,5 @@ function cleanup() {
 }
 trap cleanup EXIT
 
+$(dirname $0)/populate-secrets.sh # Secret Manager secrets.
 python3 "${KOKORO_GFILE_DIR}/trampoline_v1.py"

Original file line number	Diff line number	Diff line change
`@@ -47,13 +47,9 @@ before_action {`
`47`	`47`	`}`
`48`	`48`	`}`
`49`	`49`
`50`		`-before_action {`
`51`		`- fetch_keystore {`
`52`		`- keystore_resource {`
`53`		`- keystore_config_id: 73713`
`54`		`- keyname: "{{ publish_token }}"`
`55`		`- }`
`56`		`- }`
	`50`	`+env_vars: {`
	`51`	`+ key: "SECRET_MANAGER_KEYS"`
	`52`	`+ value: "npm_publish_token"`
`57`	`53`	`}`
`58`	`54`
`59`	`55`	`# Download trampoline resources.`
Original file line number	Diff line number	Diff line change
`@@ -24,4 +24,5 @@ function cleanup() {`
`24`	`24`	`}`
`25`	`25`	`trap cleanup EXIT`
`26`	`26`
	`27`	`+$(dirname $0)/populate-secrets.sh # Secret Manager secrets.`
`27`	`28`	`python3 "${KOKORO_GFILE_DIR}/trampoline_v1.py"`