-
Notifications
You must be signed in to change notification settings - Fork 322
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
SecretManager autoconfiguration ignores and superseeds spring.cloud.gcp.project-id #3181
Comments
On first pass, this looks like a bug to me. I will take another look when I can.
Generally speaking, we expect project-id set by module property to override the one set across modules via GcpContextAutoConfiguration. That said, I run your sample code and agree it seems weird when turning on config. I will revisit this.
This is likely a bug/typo in the documentation. Will double check on this. |
I have the same issue and analyzed the problem. There are two places where the GcpProjectIdProvider is registered:
The problem occurs because the second method will be executed before the GcpContextAutoConfiguration and registers
The SecretManagerConfigDataLocationResolver must not register a GcpProjectIdProvider otherwise it will be used across all modules. |
I've possibly fixed the issue and opened the following PR: https://github.com/GoogleCloudPlatform/spring-cloud-gcp/pull/3383/files |
Hi @PatrickGotthard , I build your repository locally and tried to use your version in my example code. However, my plan to verify if your changes fixes the problem was to:
If you could give me a hint on how to get away the checkstyle issues, I could continue with testing.
Anyway, I will try now with adding the whitespaces manually.... |
Hi @mieseprem, I wasn't able to fix the issue on the main branch so I checked out the latest release tag and opened only some of the modules in Eclipse. Eclipse then uses the code of the open projects instead of the downloaded artifacts. Regards, |
To put it right away, I am not a code owner here and cannot approve or merge. I am just the creator of the issue. Regarding your fix I can verify two things:
There is still one thing left (but that is not part of your PR):
But, this point is nothing I challenge at moment. So, in my opinion, it's up to Google if they want to have it handled or keep it as it is. Regarding your PR, I'm very fine with integrating the code here. But to be compliant with Checkstyle, you should add the following to your branch: Subject: [PATCH] Add whitespaces to comply with Checkstyle rules
---
Index: spring-cloud-gcp-autoconfigure/src/main/java/com/google/cloud/spring/autoconfigure/secretmanager/SecretManagerConfigDataLocationResolver.java
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
diff --git a/spring-cloud-gcp-autoconfigure/src/main/java/com/google/cloud/spring/autoconfigure/secretmanager/SecretManagerConfigDataLocationResolver.java b/spring-cloud-gcp-autoconfigure/src/main/java/com/google/cloud/spring/autoconfigure/secretmanager/SecretManagerConfigDataLocationResolver.java
--- a/spring-cloud-gcp-autoconfigure/src/main/java/com/google/cloud/spring/autoconfigure/secretmanager/SecretManagerConfigDataLocationResolver.java (revision 1bb45e4ff9986e9a5009fe4db69dbb3eae8632ae)
+++ b/spring-cloud-gcp-autoconfigure/src/main/java/com/google/cloud/spring/autoconfigure/secretmanager/SecretManagerConfigDataLocationResolver.java (date 1732099490028)
@@ -108,13 +108,13 @@
ConfigurableBootstrapContext bootstrapContext = context.getBootstrapContext();
GcpSecretManagerProperties secretManagerProperties = bootstrapContext.get(GcpSecretManagerProperties.class);
- if(secretManagerProperties.getProjectId() != null) {
- return secretManagerProperties::getProjectId;
+ if (secretManagerProperties.getProjectId() != null) {
+ return secretManagerProperties::getProjectId;
}
GcpProperties gcpProperties = bootstrapContext.get(GcpProperties.class);
- if(gcpProperties.getProjectId() != null) {
- return gcpProperties::getProjectId;
+ if (gcpProperties.getProjectId() != null) {
+ return gcpProperties::getProjectId;
}
return new DefaultGcpProjectIdProvider(); |
Hi @mieseprem, you can just add |
Thank you for your hint! 👍 |
As I understand it still doesn't fix the issue which I'm facing in my project. For me the issue still exists even with Patrick's PR. |
This issue is regarding the projectId value returned by GcpProjectIdProvider when SecretManager is enabled.
I know, as an example, theses two closed issues, but I think they doesn't cover the root cause:
Regarding the documentation, the
GcpProjectIdProvider.getProjectId()
method will always return the value of the propertyspring.cloud.gcp.project-id
if set. There is no limitation regarding the use of SecretManager.In addition, in the SecretManager section of the documentation the project-id is (if not set as property): "By default, infers the project from Application Default Credentials"
I wasn't able to to determine the method who creates the
GcpProjectIdProvider
bean for the SecretManagerAutoConfiguration, but it definitivley get its values not from thespring.cloud.gcp.project-id
property.Because of this presence of a
GcpProjectIdProvider
bean there is no propper one created in GcpContextAutoConfiguration.I created a simple repository to demonstrate the issue: https://github.com/mieseprem/projectIdIssue
Please keep in mind that this issue is not on how to access secrets or other services in GCP. This is only about how the project-id value is determined and provided to all beans that relay on the
GcpProjectIdProvider
In my example project, there is a profile named "xxx" and the project-id is set to a specific value. If you run the application with active profile "xxx" you will see 2 things:
GcpProjectIdProvider
is created via 'GcpContextAutoConfiguration'spring.cloud.gcp.project-id
If you now enable the Config Data API to get Secret value via "sm://" prefix, the
GcpProjectIdProvider
is created in a different way andspring.cloud.gcp.project-id
is not used anymore.(Please uncomment these lines in application.yml and run again with "xxx" profile)
You'll see, the
GcpProjectIdProvider
is not created viaGcpContextAutoConfiguration
but - strong guess - determined from this places:If none of them is present/configured this will happen:
Note: even if I move
spring.cloud.gcp.project-id
into default profile it is ignored as of activatingspring.cloud.import
As a workarount we can provide the project-id via
spring.cloud.gcp.secretmanager.project-id
property.(Please uncomment these lines in application.yml
As a result you'll see the project-id isn't
null
anymore, but the variable is not resolved:Btw. the
spring.cloud.gcp.secretmanager.project-id
property can't be set in any profile (only in default). If set in any profile it is ignored.Now, why do I think this is a bug (or at least not the expected behaviour)?
I think it's not okay that the SecretManager auto configuration disturbes all other GCP beans from being configured propperly.
spring.cloud.gcp.project-id
is set it should be usedspring.cloud.gcp.secretmanager.project-id
shoul'd change the ProjectIdProvider for all GCP componentsspring.cloud.gcp.secretmanager.project-id
can't be set in a profile or can't use a property value from a profile there is no way to configure a value based on a profile from within springboot. I must provide the value from outside via paramater, env var, or from the list mentioned further up.The text was updated successfully, but these errors were encountered: