Skip to content

[WIP] feat: implement OAuth client secret rotation#166

Closed
IlonaShishov wants to merge 2 commits into
mainfrom
feature/cloudrun-secret-rotation-bootstrap
Closed

[WIP] feat: implement OAuth client secret rotation#166
IlonaShishov wants to merge 2 commits into
mainfrom
feature/cloudrun-secret-rotation-bootstrap

Conversation

@IlonaShishov
Copy link
Copy Markdown
Collaborator

@IlonaShishov IlonaShishov commented Apr 27, 2026

Summary

Implements automatic OAuth client secret rotation for redhat-sso-client-secret and gma-client-secret using Google Secret
Manager's native rotation features.

What's Included

Infrastructure:

  • Deployment script to configure Secret Manager rotation schedules and Pub/Sub notifications
  • Rotation periods configurable via environment (default: 1 hour for testing)
  • Cleanup and documentation updates

Rotation Endpoint:

  • POST /rotation endpoint integrated with marketplace handler
  • Pub/Sub OIDC token verification for transport security
  • Provider registry pattern for routing secrets to appropriate APIs
  • Comprehensive error handling and structured audit logging
  • ~1700 lines of code, 27 tests passing

Architecture:

  • SecretValueProvider ABC with template method pattern
  • Inherited validation (32+ bytes, 10+ unique chars)
  • RedHatSSOSecretProvider for Red Hat Identity API integration
  • GMASecretProvider for Google Marketplace Admin API integration
  • SecretProviderRegistry routes secrets to providers

How It Works

  1. Secret Manager triggers event when next_rotation_time is reached
  2. Pub/Sub pushes notification to /rotation endpoint with OIDC JWT
  3. Endpoint validates Pub/Sub token and routes to appropriate provider
  4. Provider fetches new secret from upstream API (Red Hat Identity or GMA)
  5. Provider validates secret quality
  6. New version stored in Secret Manager
  7. Completion logged with structured event types

Testing

All rotation tests passing (27 tests):

  • Event parsing and workflow logic
  • Provider validation and template methods
  • Pub/Sub JWT verification
  • Endpoint authentication and error handling
  • Integration with marketplace handler

Deployment

See deploy/cloudrun/README.md for:

  • Running setup-secret-rotation.sh
  • Configuring Pub/Sub push endpoint
  • Monitoring rotation events
  • Testing instructions

IlonaShishov and others added 2 commits April 29, 2026 10:12
@IlonaShishov
feat(rotation): configure Secret Manager rotation schedules and Pub/S…
fde550c 
…ub notifications

Introduce a Cloud Run rotation setup script that configures Secret Manager rotation schedules and Pub/Sub SECRET_ROTATE notifications for redhat-sso-client-secret and gma-client-secret, and document/cleanup the new rotation resources in deployment scripts.

Made-with: Cursor
@IlonaShishov @claude
feat(rotation): add rotation endpoint with provider architecture
518058f 
- Add POST /rotation endpoint with Pub/Sub OIDC verification
- Implement provider registry with ABC template method pattern
- Add RedHatSSOSecretProvider and GMASecretProvider placeholders
- Add comprehensive error handling and structured logging
- Tests: 27 passing (~1700 lines new code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
@IlonaShishov IlonaShishov force-pushed the feature/cloudrun-secret-rotation-bootstrap branch from 12fe38e to 518058f Compare April 29, 2026 07:13
@IlonaShishov
Copy link
Copy Markdown
Collaborator Author

IlonaShishov commented May 7, 2026

Credential providers do not support automated secret rotation, closing for now, implementing manual policy instead #181

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@luis5tb luis5tb Awaiting requested review from luis5tb luis5tb is a code owner

@yuvalk yuvalk Awaiting requested review from yuvalk yuvalk is a code owner

@dmartinol dmartinol Awaiting requested review from dmartinol dmartinol is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@IlonaShishov