feat: add GCP Secret Manager OpenFeature provider (#1772)

Signed-off-by: Ayushman Gaur <ayushmangaur2017@gmail.com>
Signed-off-by: Mahesh Patil <maheshfinity@gmail.com>
Signed-off-by: OpenFeature Bot <109696520+openfeaturebot@users.noreply.github.com>
Signed-off-by: Thomas Poignant <thomas.poignant@gofeatureflag.org>
Signed-off-by: Mahesh Patil <17205424+mahpatil@users.noreply.github.com>
Signed-off-by: Todd Baert <todd.baert@dynatrace.com>
Co-authored-by: Ayushman-Gaur <120575155+Ayushman-Gaur@users.noreply.github.com>
Co-authored-by: OpenFeature Bot <109696520+openfeaturebot@users.noreply.github.com>
Co-authored-by: Thomas Poignant <thomas.poignant@gofeatureflag.org>
Co-authored-by: Todd Baert <todd.baert@dynatrace.com>

Author: 5 people

.github/component_owners.yml

@@ -28,6 +28,8 @@ components:
   providers/flipt:
     - liran2000
     - markphelps
+  providers/gcp:
+    - mahpatil
   providers/configcat:
     - liran2000
     - z4kn4fein

.release-please-manifest.json

@@ -11,6 +11,7 @@
   "providers/statsig": "0.2.1",
   "providers/multiprovider": "0.0.3",
   "providers/ofrep": "0.0.1",
+  "providers/gcp": "0.0.1",
   "tools/junit-openfeature": "0.2.1",
   "tools/flagd-http-connector": "0.0.4",
   "tools/flagd-api": "1.0.0",

pom.xml

@@ -45,6 +45,7 @@
         <module>providers/optimizely</module>
         <module>providers/multiprovider</module>
         <module>providers/ofrep</module>
+        <module>providers/gcp</module>
         <module>tools/flagd-http-connector</module>
     </modules>
 

providers/gcp/CHANGELOG.md

@@ -0,0 +1,7 @@
+# Changelog
+
+## 0.0.1
+
+### ✨ New Features
+
+* Initial release with scaffolding for Google Cloud and GCP Secret Manager OpenFeature provider.

providers/gcp/README.md

@@ -0,0 +1,121 @@
+# GCP Provider
+
+An OpenFeature provider that reads feature flags from Google Cloud. Currently supports [Google Cloud Secret Manager](https://cloud.google.com/secret-manager), purpose-built for secrets requiring versioning, rotation, and fine-grained IAM access control.
+
+## Installation
+
+<!-- x-release-please-start-version -->
+```xml
+<dependency>
+    <groupId>dev.openfeature.contrib.providers</groupId>
+    <artifactId>gcp</artifactId>
+    <version>0.0.1</version>
+</dependency>
+```
+<!-- x-release-please-end-version -->
+
+## Quick Start
+
+```java
+import dev.openfeature.contrib.providers.gcp.GcpSecretManagerProvider;
+import dev.openfeature.contrib.providers.gcp.GcpSecretManagerProviderOptions;
+import dev.openfeature.sdk.OpenFeatureAPI;
+
+GcpProviderOptions options = GcpSecretManagerProviderOptions.builder()
+    .projectId("my-gcp-project")
+    .build();
+
+OpenFeatureAPI.getInstance().setProvider(new GcpSecretManagerProvider(options));
+
+// Evaluate a boolean flag stored as secret "enable-dark-mode" with value "true"
+boolean darkMode = OpenFeatureAPI.getInstance().getClient()
+    .getBooleanValue("enable-dark-mode", false);
+```
+
+## How It Works
+
+Each feature flag is stored as an individual **secret** in GCP Secret Manager. The flag key maps directly to the secret name (with an optional prefix). The `latest` version is accessed by default.
+
+Supported raw value formats:
+
+| Flag type | Secret value example |
+|-----------|---------------------|
+| Boolean   | `true` or `false`   |
+| Integer   | `42`                |
+| Double    | `3.14`              |
+| String    | `dark-mode`         |
+| Object    | `{"color":"blue","level":3}` |
+
+## Authentication
+
+The provider uses [Application Default Credentials (ADC)](https://cloud.google.com/docs/authentication/provide-credentials-adc) by default. No explicit credentials are required when running on GCP infrastructure (Cloud Run, GKE, Compute Engine) or when `gcloud auth application-default login` has been run locally.
+
+To use explicit credentials:
+
+```java
+import com.google.auth.oauth2.ServiceAccountCredentials;
+import java.io.FileInputStream;
+
+GoogleCredentials credentials = ServiceAccountCredentials.fromStream(
+    new FileInputStream("/path/to/service-account-key.json"));
+
+GcpSecretManagerProviderOptions options = GcpSecretManagerProviderOptions.builder()
+    .projectId("my-gcp-project")
+    .credentials(credentials)
+    .build();
+```
+
+## Configuration Options
+
+| Option | Type | Default | Description |
+|--------|------|---------|-------------|
+| `projectId` | `String` | *(required)* | GCP project ID that owns the secrets |
+| `credentials` | `GoogleCredentials` | `null` (ADC) | Explicit credentials; falls back to Application Default Credentials when null |
+| `version` | `String` | `"latest"` | Secret version to access. Use `"latest"` for the current version or a numeric string (e.g. `"3"`) to pin to a specific version |
+| `cacheExpiry` | `Duration` | `5 minutes` | How long fetched secret values are cached before re-fetching from GCP |
+| `cacheMaxSize` | `int` | `500` | Maximum number of secret values held in the in-memory cache |
+| `namePrefix` | `String` | `null` | Optional prefix prepended to every flag key. E.g. prefix `"ff-"` maps flag `"my-flag"` to secret `"ff-my-flag"` |
+
+## Advanced Usage
+
+### Pinning to a specific secret version
+
+```java
+GcpSecretManagerProviderOptions options = GcpSecretManagerProviderOptions.builder()
+    .projectId("my-gcp-project")
+    .secretVersion("5")  // always use version 5
+    .build();
+```
+
+### Secret name prefix
+
+```java
+GcpSecretManagerProviderOptions options = GcpSecretManagerProviderOptions.builder()
+    .projectId("my-gcp-project")
+    .namePrefix("feature-flags/")
+    .build();
+```
+
+### Tuning cache for high-throughput scenarios
+
+Secret Manager has API quotas (10,000 access operations per minute per project). Use a longer `cacheExpiry` to stay within quota.
+
+```java
+GcpSecretManagerProviderOptions options = GcpSecretManagerProviderOptions.builder()
+    .projectId("my-gcp-project")
+    .cacheExpiry(Duration.ofMinutes(10))
+    .cacheMaxSize(1000)
+    .build();
+```
+
+## Running Integration Tests
+
+Integration tests require real GCP credentials and pre-created test secrets.
+
+1. Configure ADC: `gcloud auth application-default login`
+2. Create test secrets in your project (see `GcpSecretManagerProviderIntegrationTest` for the required secret names and values)
+3. Run:
+
+```bash
+GCP_PROJECT_ID=my-project mvn verify -pl providers/gcp -Dgroups=integration
+```

providers/gcp/pom.xml

@@ -0,0 +1,116 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<project
+    xmlns="http://maven.apache.org/POM/4.0.0"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0
+           https://maven.apache.org/xsd/maven-4.0.0.xsd"
+>
+    <modelVersion>4.0.0</modelVersion>
+    <parent>
+        <groupId>dev.openfeature.contrib</groupId>
+        <artifactId>parent</artifactId>
+        <version>[1.0,2.0)</version>
+        <relativePath>../../pom.xml</relativePath>
+    </parent>
+
+    <groupId>dev.openfeature.contrib.providers</groupId>
+    <artifactId>gcp</artifactId>
+    <version>0.0.1</version> <!--x-release-please-version -->
+
+    <properties>
+        <!-- "-" is not allowed in automatic module names -->
+        <module-name>${groupId}.gcp</module-name>
+    </properties>
+
+    <name>gcp</name>
+    <description>GCP provider for OpenFeature Java SDK</description>
+    <url>https://openfeature.dev</url>
+
+    <developers>
+        <developer>
+            <id>openfeaturebot</id>
+            <name>OpenFeature Bot</name>
+            <organization>OpenFeature</organization>
+            <url>https://openfeature.dev/</url>
+        </developer>
+    </developers>
+
+    <dependencies>
+        <!-- GCP Secret Manager client -->
+        <dependency>
+            <groupId>com.google.cloud</groupId>
+            <artifactId>google-cloud-secretmanager</artifactId>
+            <version>2.57.0</version>
+        </dependency>
+
+        <!-- JSON parsing for structured flag values -->
+        <dependency>
+            <groupId>com.fasterxml.jackson.core</groupId>
+            <artifactId>jackson-databind</artifactId>
+            <version>2.21.1</version>
+        </dependency>
+
+        <dependency>
+            <groupId>org.slf4j</groupId>
+            <artifactId>slf4j-api</artifactId>
+            <version>2.0.17</version>
+        </dependency>
+
+        <!-- test-only logging implementation -->
+        <dependency>
+            <groupId>org.apache.logging.log4j</groupId>
+            <artifactId>log4j-slf4j2-impl</artifactId>
+            <version>2.25.0</version>
+            <scope>test</scope>
+        </dependency>
+
+        <!-- concurrency testing -->
+        <dependency>
+            <groupId>com.vmlens</groupId>
+            <artifactId>api</artifactId>
+            <version>1.2.27</version>
+            <scope>test</scope>
+        </dependency>
+    </dependencies>
+
+    <build>
+        <plugins>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-surefire-plugin</artifactId>
+                <configuration>
+                    <excludedGroups>integration</excludedGroups>
+                </configuration>
+            </plugin>
+        </plugins>
+    </build>
+
+    <profiles>
+        <profile>
+            <id>concurrency-tests</id>
+            <build>
+                <plugins>
+                    <plugin>
+                        <groupId>com.vmlens</groupId>
+                        <artifactId>vmlens-maven-plugin</artifactId>
+                        <version>1.2.27</version>
+                        <executions>
+                            <execution>
+                                <id>test</id>
+                                <goals>
+                                    <goal>test</goal>
+                                </goals>
+                                <configuration>
+                                    <includes>
+                                        <include>**/*CTest.java</include>
+                                    </includes>
+                                    <failIfNoTests>true</failIfNoTests>
+                                </configuration>
+                            </execution>
+                        </executions>
+                    </plugin>
+                </plugins>
+            </build>
+        </profile>
+    </profiles>
+</project>

providers/gcp/src/main/java/dev/openfeature/contrib/providers/gcp/FlagCache.java

@@ -0,0 +1,100 @@
+package dev.openfeature.contrib.providers.gcp;
+
+import java.time.Clock;
+import java.time.Duration;
+import java.time.Instant;
+import java.util.Collections;
+import java.util.LinkedHashMap;
+import java.util.Map;
+import java.util.Optional;
+
+/**
+ * Thread-safe TTL-based in-memory cache for flag values fetched from GCP services.
+ *
+ * <p>Entries expire after the configured {@code ttl}. When the cache reaches {@code maxSize},
+ * the entry with the earliest insertion time is evicted in O(1) via {@link LinkedHashMap}'s
+ * insertion-order iteration and {@code removeEldestEntry}.
+ */
+class FlagCache {
+
+    private final Map<String, CacheEntry> store;
+    private final Duration ttl;
+    private final Clock clock;
+
+    FlagCache(Duration ttl, int maxSize) {
+        this(ttl, maxSize, Clock.systemUTC());
+    }
+
+    FlagCache(Duration ttl, int maxSize, Clock clock) {
+        this.ttl = ttl;
+        this.clock = clock;
+        this.store = Collections.synchronizedMap(new LinkedHashMap<String, CacheEntry>(16, 0.75f, false) {
+            @Override
+            protected boolean removeEldestEntry(Map.Entry<String, CacheEntry> eldest) {
+                return size() > maxSize;
+            }
+        });
+    }
+
+    /**
+     * Returns the cached value for {@code key} if present and not expired.
+     *
+     * @param key the cache key
+     * @return an {@link Optional} containing the cached string, or empty if absent/expired
+     */
+    Optional<String> get(String key) {
+        synchronized (store) {
+            CacheEntry entry = store.get(key);
+            if (entry == null) {
+                return Optional.empty();
+            }
+            if (entry.isExpired()) {
+                store.remove(key);
+                return Optional.empty();
+            }
+            return Optional.of(entry.value);
+        }
+    }
+
+    /**
+     * Stores {@code value} under {@code key}. Eviction of the oldest entry (when the cache is
+     * full) is handled automatically by the underlying {@link LinkedHashMap}.
+     *
+     * @param key   the cache key
+     * @param value the value to cache
+     */
+    void put(String key, String value) {
+        store.put(key, new CacheEntry(value, ttl, clock));
+    }
+
+    /**
+     * Removes the entry for {@code key}, forcing re-fetch on next access.
+     *
+     * @param key the cache key to invalidate
+     */
+    void invalidate(String key) {
+        store.remove(key);
+    }
+
+    /** Removes all entries from the cache. */
+    void clear() {
+        store.clear();
+    }
+
+    private static final class CacheEntry {
+
+        final String value;
+        final Instant expiresAt;
+        final Clock clock;
+
+        CacheEntry(String value, Duration ttl, Clock clock) {
+            this.value = value;
+            this.clock = clock;
+            this.expiresAt = Instant.now(clock).plus(ttl);
+        }
+
+        boolean isExpired() {
+            return Instant.now(clock).isAfter(expiresAt);
+        }
+    }
+}