GoogleCloudPlatform / spring-cloud-gcp

New home for Spring Cloud GCP development starting with version 2.0.
Apache License 2.0

JSON based Secret Manager values single property support #2650

Open thecanadianroot opened 6 months ago

thecanadianroot commented 6 months ago

Is your feature request related to a problem? Please describe.

No, it is more of a limitation I would say (or maybe more like missing a little bit of sugar :) ).

Describe the solution you'd like

Not sure if I am the only one trying to inject a single key from a JSON based secret value with spring-cloud-gcp-secret-manager, but it would be great!

Let's say for example a new form that looks like this is added:

sm://<secret-id>/json/<JSONPath>

This could allow someone to pick a single value from let's say this JSON:

Content of my-database's secret within Secret Manager:

{
   "username": "user",
   "password": "very-secret"
}

Usage within Spring's application.yaml:

spring:
  datasource:
    username: ${sm://my-database/json/username}
    password: ${sm://my-database/json/password}

Describe alternatives you've considered

The example I gave above is really simplified and can be avoided by creating two secrets within the Secret Manager, but when you are dealing with many services you end up with a ton of secrets holding single values that, in the end, relate to only one service. Plus, if multiple values must be changed at the same time, new versions must be added to a lot of secrets instead of just one. Here's an example with a Kafka service:

Additional context

This feature request came to me since I am using the ExternalSecrets operator (https://external-secrets.io/latest/) for Kubernetes clusters, and it supports that kind of stuff with the Secret Manager:

apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: my-kafka
spec:
  refreshInterval: 1h
  secretStoreRef:
    kind: ClusterSecretStore
    name: my-secret-store
  target:
    name: my-kafka-secret
    creationPolicy: Owner
  data:
    - secretKey: MY_KAFKA_SCHEMA_REGISTRY_USERNAME
      remoteRef:
        key: my-kafka
        property: schema-registry-username
        version: latest

If this feature might be considered, I could maybe lend a hand
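
The lookup that the proposed `sm://<secret-id>/json/<key>` form implies, as an added sketch that is neither part of the issue nor spring-cloud-gcp code. The class, the `fetch` function and the in-memory payload are hypothetical, jackson-databind is assumed to be on the classpath, and the key is read as a JSON Pointer rather than full JSONPath.

```java
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import java.util.Map;
import java.util.function.Function;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Hypothetical resolver for the proposed reference form; not a library class. */
public class JsonSecretRefDemo {
    // Only the simple form from the issue is handled; the key is a JSON Pointer without its leading "/".
    private static final Pattern REF = Pattern.compile("^sm://([A-Za-z0-9_-]+)/json/(.+)$");
    private static final ObjectMapper MAPPER = new ObjectMapper();

    /** fetch stands in for whatever returns the secret payload for a secret id. */
    static String resolve(String ref, Function<String, String> fetch) {
        Matcher m = REF.matcher(ref);
        if (!m.matches()) {
            throw new IllegalArgumentException("not a JSON secret reference: " + ref);
        }
        String secretId = m.group(1);
        String payload = fetch.apply(secretId);
        JsonNode root;
        try {
            root = MAPPER.readTree(payload);
        } catch (Exception e) {
            // Parser exceptions can quote the input, so the cause is neither chained nor echoed.
            throw new IllegalStateException("secret '" + secretId + "' is not valid JSON");
        }
        JsonNode value = root.at("/" + m.group(2));
        if (value.isMissingNode() || value.isNull() || !value.isValueNode()) {
            // Fail closed: no fallback to the whole document or to an empty string.
            throw new IllegalStateException("no scalar at '" + m.group(2) + "' in secret '" + secretId + "'");
        }
        return value.asText();
    }

    public static void main(String[] args) {
        // Constructed payload with the same shape as the my-database secret in the issue.
        Map<String, String> store = Map.of("my-database",
                "{\"username\": \"user\", \"password\": \"very-secret\"}");
        System.out.println(resolve("sm://my-database/json/username", store::get));
        try {
            resolve("sm://my-database/json/passwd", store::get);
        } catch (IllegalStateException e) {
            System.out.println(e.getMessage()); // names the key and secret id, never the payload
        }
    }
}
```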

meltsufin commented 6 months ago

@thecanadianroot This seems more like a feature request for Spring Boot. We simply provide an external config data source implementation. The feature request would make sense for any external configuration source. So, would you raise this FR in the spring-boot project instead?

thecanadianroot commented 6 months ago

Hi @meltsufin, do you happen to know where I should raise this feature request for Spring Boot exactly? I thought the whole thing was moved here when looking at https://github.com/spring-attic/spring-cloud-gcp. Thanks!

meltsufin commented 6 months ago

https://github.com/spring-projects/spring-boot/issues

thecanadianroot commented 6 months ago

Great, thanks!