@psasidhar
Contributor

Description

Providing KeyStore implementation for GCP using Parameter Manager
Moving common code among Cloud Parameter storage into a static method in a Util class that can be reused

Contribution Checklist:

  • The pull request does not introduce any breaking changes
  • I have read the contribution guidelines.
  • Create an issue and link to the pull request.

@psasidhar psasidhar force-pushed the gcp_keystore branch 7 times, most recently from 8eb78fb to 80c4496 Compare August 5, 2025 01:56
private static final String ZTS_SERVICE = "zts";
private static final String MSD_SERVICE = "msd";

private static final String ATHENZ_PROP_ZMS_KEY_NAME = "athenz.aws.zms.key_name";
Collaborator

For the key names, we should make them cloud specific. It's not right to say I have a keystore implementation for gcp but my property name is based on aws. So it should be:

"athenz." + cloud + "." + service + ".key_name"

and add the cloud as an argument to the getPrivateKeyFromCloudParameter method

Contributor Author

Good point. Updated the code.

<dependency>
<groupId>com.google.cloud</groupId>
<artifactId>libraries-bom</artifactId>
<version>26.64.0</version>
Collaborator

we should not hard code the version here but use the version parameter from the main pom.xml

Contributor Author

fixed it

return ParameterManagerClient.create();
}

String apiEndpoint = String.format("parametermanager.googleapis.com:443", location);
Collaborator

where is location used?

Contributor Author

@psasidhar psasidhar Aug 6, 2025

Oversight. Matched the non-global location endpoint with the documentation here.

https://cloud.google.com/secret-manager/parameter-manager/docs/list-parameter-versions

Still working with Google Support for testing this with real values in us-central1.

}

public static boolean isGlobalLocation(String location) {
return "global".equalsIgnoreCase(location);
Collaborator

we use "global" in a couple of places so we should probably define as a static const

Contributor Author

done

<relativePath>../../../pom.xml</relativePath>
</parent>

<groupId>com.yahoo.athenz</groupId>
Collaborator

let's define a code coverage block as well - hopefully with 100% coverage

Contributor Author

done

@havetisyan havetisyan merged commit ce45057 into AthenZ:master Aug 6, 2025
3 checks passed