cloudfns: fetch secrets from Secret Manager
This makes the deploy something that can be executed without
having to seek external context on where the secrets are kept.
It's especially helpful since we deploy cloud functions less
frequently than many other services.
A future change can explore removing secrets from the environment,
preferring to have the cloud function access secrets directly from
Secret Manager.
Updates golang/go#37171.
Change-Id: I1b1468c6f02d45b764f65396027d9bdca69ac5e4
Reviewed-on: https://go-review.googlesource.com/c/build/+/300230
Trust: Dmitri Shuralyov <dmitshur@golang.org>
Run-TryBot: Dmitri Shuralyov <dmitshur@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Carlos Amedee <carlos@golang.org>
Reviewed-by: Alexander Rakoczy <alex@golang.org>
diff --git a/cloudfns/issueswebhook/README.md b/cloudfns/issueswebhook/README.md
index 3ca4b84..60ff042 100644
--- a/cloudfns/issueswebhook/README.md
+++ b/cloudfns/issueswebhook/README.md
@@ -14,5 +14,5 @@
--project=symbolic-datum-552 \
--runtime go113 \
--trigger-http \
- --set-env-vars=GCS_BUCKET=<bucket name>,GITHUB_WEBHOOK_SECRET=<github webhook secret>
+ --set-env-vars="GCS_BUCKET=golang-github-issue-data,GITHUB_WEBHOOK_SECRET=$(gcloud --project=symbolic-datum-552 secrets versions access latest --secret=github-webhook-secret)"
```
diff --git a/cloudfns/sendwikidiff/README.md b/cloudfns/sendwikidiff/README.md
index 3db8ac4..26d48c9 100644
--- a/cloudfns/sendwikidiff/README.md
+++ b/cloudfns/sendwikidiff/README.md
@@ -15,5 +15,5 @@
--runtime go113 \
--trigger-topic github.webhooks.golang.go.wiki \
--memory 1024 \
- --set-env-vars=SENDGRID_API_KEY=<SENDGRID_API_KEY>
+ --set-env-vars="SENDGRID_API_KEY=$(gcloud --project=symbolic-datum-552 secrets versions access latest --secret=sendgrid-sendonly-api-key)"
```
diff --git a/cloudfns/wikiwebhook/README.md b/cloudfns/wikiwebhook/README.md
index de365c8..a6586ad 100644
--- a/cloudfns/wikiwebhook/README.md
+++ b/cloudfns/wikiwebhook/README.md
@@ -14,5 +14,5 @@
--project=symbolic-datum-552 \
--runtime go113 \
--trigger-http \
- --set-env-vars=PUBSUB_TOPIC=github.webhooks.golang.go.wiki,GITHUB_WEBHOOK_SECRET=<github webhook secret>
+ --set-env-vars="PUBSUB_TOPIC=github.webhooks.golang.go.wiki,GITHUB_WEBHOOK_SECRET=$(gcloud --project=symbolic-datum-552 secrets versions access latest --secret=github-webhook-secret)"
```
diff --git a/internal/secret/gcp_secret_manager.go b/internal/secret/gcp_secret_manager.go
index 1e0717a..da02dff 100644
--- a/internal/secret/gcp_secret_manager.go
+++ b/internal/secret/gcp_secret_manager.go
@@ -31,7 +31,7 @@
// NameGitHubSSH is the secret name for GitHub SSH key.
NameGitHubSSH = "github-ssh"
- // NameGithubSSHKey is the secret name for the GitHub SSH private key.
+ // NameGitHubSSHKey is the secret name for the GitHub SSH private key.
NameGitHubSSHKey = "github-ssh-private-key"
// NameGobotPassword is the secret name for the Gobot password.
@@ -43,6 +43,9 @@
// NameMaintnerGitHubToken is the secret name for the Maintner GitHub token.
NameMaintnerGitHubToken = "maintner-github-token"
+ // NameGitHubWebhookSecret is the secret name for a golang/go GitHub webhook secret.
+ NameGitHubWebhookSecret = "github-webhook-secret"
+
// NamePubSubHelperWebhook is the secret name for the pubsub helper webhook secret.
NamePubSubHelperWebhook = "pubsubhelper-webhook-secret"
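Review bot: The doc comment on NameGitHubWebhookSecret says "a golang/go GitHub webhook secret", but the README hunks in this change show the same secret name (github-webhook-secret) being used by both the issueswebhook and wikiwebhook cloud functions, so the comment undersells that it is shared. Consider `// NameGitHubWebhookSecret is the secret name for the golang/go GitHub webhook secret, shared by the issueswebhook and wikiwebhook cloud functions.` so a reader rotating it knows both deploys are affected. Note also that nothing in this commit consumes the new constant; the READMEs spell the secret name out as a string literal, so the two can drift until the cloud functions read Secret Manager through this package as the description anticipates. The same applies to NameSendGridAPIKey in the following hunk.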
@@ -51,6 +54,10 @@
// NameAWSKeyID is the secret name for the AWS key id.
NameAWSKeyID = "aws-key-id"
+
+ // NameSendGridAPIKey is the secret name for a Go project SendGrid API key.
+ // This API key only allows sending email.
+ NameSendGridAPIKey = "sendgrid-sendonly-api-key"
)
type secretClient interface {