Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Secret Manager Secrets with (intentional) line breaks not handled correctly #449

Open
albrechtflo-hg opened this issue Jul 7, 2021 · 2 comments
Open

Secret Manager Secrets with (intentional) line breaks not handled correctly #449

albrechtflo-hg opened this issue Jul 7, 2021 · 2 comments
Assignees
@jeremyg484
Labels
info: workaround available A workaround is available for the issue

Comments

@albrechtflo-hg
Copy link

The implementation of the property source for Secret Manager secrets removes line breaks (\n) in the secrets:

https://github.com/micronaut-projects/micronaut-gcp/blob/master/gcp-secret-manager/src/main/java/io/micronaut/gcp/secretmanager/SecretManagerConfigurationClient.java#L92

This causes problems, as e.g. in our case, we want to put the PEM Private Key for a Kafka connection to the Secret Manager. The PEM contains newlines, which you could include in YAML without any problem. But when referring to a property from the Secret Manager, the PEM is invalid, as the newlines are removed (at least the newline after ---- BEGIN PRIVATE KEY --- must be included).

Steps to Reproduce

  1. Create a Secret in Google Cloud with intentional newlines
  2. Refer to this Secret in a property
  3. Output the property value, e.g. to STDOUT.

Expected Behaviour

The property, including its line breaks, are written to STDOUT.

Actual Behaviour

The property is written to STDOUT, without its line breaks.

Environment Information

  • Operating System: Linux / JIB Docker
  • Micronaut Version: io.micronaut.gcp:micronaut-gcp-secret-manager:3.5.0
  • JDK Version: 11

Example Application

I think this is quite trivial to reproduce; more trivial than giving access to our Secret Manager to the world.
@graemerocher
Copy link
Contributor

Seems like you have identified the issue, would you be interested in sending a PR that resolves the issue?

@albrechtflo-hg
Copy link
Author

albrechtflo-hg commented Jul 8, 2021
edited
Loading

Well, it would be easy to just remove the replaceAll() from that line, but that might break some applications - I think this call is intentional there, as it happens easily to add a terminating newline when editing secrets via Google Cloud Console.

So most elegant solution would be to make this "newline removal" configurable - but that is a rather huge change I wouldn't be able to provide currently due to capacity restrictions on my side.

For now, we were able to solve this for us with a workaround, by "concatenating" the newlines with the "real" secret directly in the application.yml:

kafka:
  ssl:
    keystore:
      type: PEM
      key: |
        -----BEGIN PRIVATE KEY-----
        ${sm.kafka.private.key.pem}
        -----END PRIVATE KEY-----

This works fine for us and may help others running into similar issues.

@graemerocher graemerocher added the info: workaround available A workaround is available for the issue label Jul 8, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jeremyg484 jeremyg484

Labels
info: workaround available A workaround is available for the issue
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@graemerocher @jeremyg484 @albrechtflo-hg