add support to Google Secret Manager

Author: alexei-led

.gitignore

@@ -1,7 +1,23 @@
+# code coverage
+.cover
+
+# git repo
+.git
+
+# IDE customization
+.idea
 .vscode
 
-# ignore binary
-secrets-init
+# binaries
+.bin
+
+# env customization
+.env
+
+# goreleaser binaries
+dist
 
-# ignore goreleaser binaries
-dist/
+# temporary
+**/.DS_Store
+**/debug
+**/debug.test

Makefile

@@ -0,0 +1,108 @@
+MODULE   = $(shell env GO111MODULE=on $(GO) list -m)
+DATE    ?= $(shell date +%FT%T%z)
+VERSION ?= $(shell git describe --tags --always --dirty --match="v*" 2> /dev/null || \
+			cat $(CURDIR)/.version 2> /dev/null || echo v0)
+PKGS     = $(or $(PKG),$(shell env GO111MODULE=on $(GO) list ./...))
+TESTPKGS = $(shell env GO111MODULE=on $(GO) list -f \
+			'{{ if or .TestGoFiles .XTestGoFiles }}{{ .ImportPath }}{{ end }}' \
+			$(PKGS))
+BIN      = $(CURDIR)/.bin
+
+GO      = go
+TIMEOUT = 15
+V = 0
+Q = $(if $(filter 1,$V),,@)
+M = $(shell printf "\033[34;1m▶\033[0m")
+
+export GO111MODULE=on
+export CGO_ENABLED=0
+export GOPROXY=https://proxy.golang.org
+
+.PHONY: all
+all: fmt lint | $(BIN) ; $(info $(M) building executable…) @ ## Build program binary
+	$Q $(GO) build \
+		-tags release \
+		-ldflags '-X main.Version=$(VERSION) -X main.BuildDate=$(DATE)' \
+		-o $(BIN)/$(basename $(MODULE)) main.go
+
+# Tools
+
+$(BIN):
+	@mkdir -p $@
+$(BIN)/%: | $(BIN) ; $(info $(M) building $(PACKAGE)…)
+	$Q tmp=$$(mktemp -d); \
+	   env GO111MODULE=off GOPATH=$$tmp GOBIN=$(BIN) $(GO) get $(PACKAGE) \
+		|| ret=$$?; \
+	   rm -rf $$tmp ; exit $$ret
+
+GOLINT = $(BIN)/golint
+$(BIN)/golint: PACKAGE=golang.org/x/lint/golint
+
+GOCOV = $(BIN)/gocov
+$(BIN)/gocov: PACKAGE=github.com/axw/gocov/...
+
+GOCOVXML = $(BIN)/gocov-xml
+$(BIN)/gocov-xml: PACKAGE=github.com/AlekSi/gocov-xml
+
+GO2XUNIT = $(BIN)/go2xunit
+$(BIN)/go2xunit: PACKAGE=github.com/tebeka/go2xunit
+
+# Tests
+
+TEST_TARGETS := test-default test-bench test-short test-verbose test-race
+.PHONY: $(TEST_TARGETS) test-xml check test tests
+test-bench:   ARGS=-run=__absolutelynothing__ -bench=. ## Run benchmarks
+test-short:   ARGS=-short        ## Run only short tests
+test-verbose: ARGS=-v            ## Run tests in verbose mode with coverage reporting
+test-race:    ARGS=-race         ## Run tests with race detector
+$(TEST_TARGETS): NAME=$(MAKECMDGOALS:test-%=%)
+$(TEST_TARGETS): test
+check test tests: fmt lint ; $(info $(M) running $(NAME:%=% )tests…) @ ## Run tests
+	$Q $(GO) test -timeout $(TIMEOUT)s $(ARGS) $(TESTPKGS)
+
+test-xml: fmt lint | $(GO2XUNIT) ; $(info $(M) running xUnit tests…) @ ## Run tests with xUnit output
+	$Q mkdir -p test
+	$Q 2>&1 $(GO) test -timeout $(TIMEOUT)s -v $(TESTPKGS) | tee test/tests.output
+	$(GO2XUNIT) -fail -input test/tests.output -output test/tests.xml
+
+COVERAGE_MODE    = atomic
+COVERAGE_PROFILE = $(COVERAGE_DIR)/profile.out
+COVERAGE_XML     = $(COVERAGE_DIR)/coverage.xml
+COVERAGE_HTML    = $(COVERAGE_DIR)/index.html
+.PHONY: test-coverage test-coverage-tools
+test-coverage-tools: | $(GOCOV) $(GOCOVXML)
+test-coverage: COVERAGE_DIR := $(CURDIR)/test/coverage.$(shell date -u +"%Y-%m-%dT%H:%M:%SZ")
+test-coverage: fmt lint test-coverage-tools ; $(info $(M) running coverage tests…) @ ## Run coverage tests
+	$Q mkdir -p $(COVERAGE_DIR)
+	$Q $(GO) test \
+		-coverpkg=$$($(GO) list -f '{{ join .Deps "\n" }}' $(TESTPKGS) | \
+					grep '^$(MODULE)/' | \
+					tr '\n' ',' | sed 's/,$$//') \
+		-covermode=$(COVERAGE_MODE) \
+		-coverprofile="$(COVERAGE_PROFILE)" $(TESTPKGS)
+	$Q $(GO) tool cover -html=$(COVERAGE_PROFILE) -o $(COVERAGE_HTML)
+	$Q $(GOCOV) convert $(COVERAGE_PROFILE) | $(GOCOVXML) > $(COVERAGE_XML)
+
+.PHONY: lint
+lint: | $(GOLINT) ; $(info $(M) running golint…) @ ## Run golint
+	$Q $(GOLINT) -set_exit_status $(PKGS)
+
+.PHONY: fmt
+fmt: ; $(info $(M) running gofmt…) @ ## Run gofmt on all source files
+	$Q $(GO) fmt $(PKGS)
+
+# Misc
+
+.PHONY: clean
+clean: ; $(info $(M) cleaning…)	@ ## Cleanup everything
+	@rm -rf $(BIN)
+	@rm -rf test/tests.* test/coverage.*
+
+.PHONY: help
+help:
+	@grep -E '^[ a-zA-Z_-]+:.*?## .*$$' $(MAKEFILE_LIST) | \
+		awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-15s\033[0m %s\n", $$1, $$2}'
+
+.PHONY: version
+version:
+	@echo $(VERSION)

README.md

@@ -4,7 +4,11 @@
 
 # secrets-init
 
-`secrets-init` is a minimalistic init system designed to run as PID 1 inside container environments, similar to [dumb-init](https://github.com/Yelp/dumb-init), integrated with [AWS Secrets Manager](https://aws.amazon.com/secrets-manager/) and [AWS Systems Manager Parameter Store](https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-parameter-store.html) services.
+`secrets-init` is a minimalistic init system designed to run as PID 1 inside container environments, similar to [dumb-init](https://github.com/Yelp/dumb-init), integrated with multiple secrets manager services:
+
+- [AWS Secrets Manager](https://aws.amazon.com/secrets-manager/)
+- [AWS Systems Manager Parameter Store](https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-parameter-store.html)
+- [Google Secret Manager](https://cloud.google.com/secret-manager/docs/)
 
 ## Why you need an init system
 
@@ -23,7 +27,7 @@ Summary:
 
 ### Integration with AWS Secrets Manager
 
-User can put AWS secret ARN as environment variable value. The `secrets-manager` will resolve any environment value, using specified ARN, to referenced secret value.
+User can put AWS secret ARN as environment variable value. The `secrets-init` will resolve any environment value, using specified ARN, to referenced secret value.
 
 ```sh
 # environment variable passed to `secrets-init`
@@ -37,7 +41,7 @@ MY_DB_PASSWORD=very-secret-password
 
 It is possible to use AWS Systems Manager Parameter Store to store application parameters and secrets.
 
-User can put AWS Parameter Store ARN as environment variable value. The `secrets-manager` will resolve any environment value, using specified ARN, to referenced parameter value.
+User can put AWS Parameter Store ARN as environment variable value. The `secrets-init` will resolve any environment value, using specified ARN, to referenced parameter value.
 
 ```sh
 # environment variable passed to `secrets-init`
@@ -47,6 +51,20 @@ MY_API_KEY=arn:aws:ssm:$AWS_REGION:$AWS_ACCOUNT_ID:parameter/api/key
 MY_API_KEY=key-123456789
 ```
 
+### Integration with Google Secret Manager
+
+User can put Google secret name (prefixed with `gcp:secretmanager:`) as environment variable value. The `secrets-init` will resolve any environment value, using specified name, to referenced secret value.
+
+```sh
+# environment variable passed to `secrets-init`
+MY_DB_PASSWORD=gcp:secretmanager:projects/$PROJECT_ID/secrets/mydbpassword
+# OR versioned secret (with version or 'latest')
+MY_DB_PASSWORD=gcp:secretmanager:projects/$PROJECT_ID/secrets/mydbpassword/versions/2
+
+# environment variable passed to child process, resolved by `secrets-init`
+MY_DB_PASSWORD=very-secret-password
+```
+
 ### Requirement
 
 In order to resolve AWS secrets from AWS Secret Manager and Parameter Store, `secrets-init` should run under IAM role that has permission to access desired secrets.

go.mod

@@ -3,7 +3,12 @@ module secrets-init
 go 1.13
 
 require (
+	cloud.google.com/go v0.50.0
 	github.com/aws/aws-sdk-go v1.24.1
+	github.com/sirupsen/logrus v1.4.2
 	github.com/stretchr/testify v1.4.0 // indirect
+	github.com/urfave/cli/v2 v2.0.0
 	golang.org/x/net v0.0.0-20190918130420-a8b05e9114ab // indirect
+	google.golang.org/api v0.15.0 // indirect
+	google.golang.org/genproto v0.0.0-20191220175831-5c49e3ecc1c1
 )