Add documentation for Google Secrets Manager backend (#3218)

Author: ryanjbaxter

docs/modules/ROOT/nav.adoc

@@ -14,6 +14,7 @@
 *** xref:server/environment-repository/aws-s3-backend.adoc[]
 *** xref:server/environment-repository/aws-parameter-store-backend.adoc[]
 *** xref:server/environment-repository/aws-secrets-manager-backend.adoc[]
+*** xref:server/environment-repository/gcp-secret-manager-backend.adoc[]
 *** xref:server/environment-repository/credhub-backend.adoc[]
 *** xref:server/environment-repository/mongo-backend.adoc[]
 *** xref:server/environment-repository/composite-repositories.adoc[]

docs/modules/ROOT/pages/server/environment-repository/gcp-secret-manager-backend.adoc

@@ -0,0 +1,143 @@
+[[gcp-secret-manager-backend]]
+= Google Secret Manager Backend
+
+Spring Cloud Config Server can use link:https://cloud.google.com/secret-manager[Google Cloud Secret Manager] as an `EnvironmentRepository`.
+Secrets are exposed as a `PropertySource` whose entries are built from secret payloads.
+
+== Enabling the backend
+
+The repository is registered when all of the following hold:
+
+* The Spring profile `secret-manager` is active.
+* `com.google.cloud.secretmanager.v1.SecretManagerServiceClient` is on the classpath (typically by adding `google-cloud-secretmanager`).
+
+[source,xml,indent=0]
+.pom.xml
+----
+<dependency>
+    <groupId>com.google.cloud</groupId>
+    <artifactId>google-cloud-secretmanager</artifactId>
+</dependency>
+----
+
+If you use `spring-cloud-config-server` without its optional Google libraries, add the artifacts your build needs explicitly.
+The permission check described below uses the Cloud Resource Manager API; include `google-api-services-cloudresourcemanager` and `google-auth-library-oauth2-http` when you rely on that behavior.
+
+[source,yaml]
+----
+spring:
+  profiles:
+    active: secret-manager
+  cloud:
+    config:
+      server:
+        gcp-secret-manager:
+          order: 0
+          application-label: application
+          profile-label: profile
+          service-account: /path/to/service-account.json
+          token-mandatory: true
+          version: 1
+----
+
+Configuration properties are bound under `spring.cloud.config.server.gcp-secret-manager`:
+
+|===
+| Property | Default | Description
+
+| `order`
+| Same as other environment repositories
+| Order in a composite repository (`org.springframework.core.Ordered`).
+
+| `application-label`
+| `application`
+| Secret Manager label key used to match the Config Server `\{application}` name (see <<gcp-secret-manager-mapping>>).
+
+| `profile-label`
+| `profile`
+| Secret Manager label key used to match each active profile (see <<gcp-secret-manager-mapping>>).
+
+| `service-account`
+| _empty_
+| Path to a Google Cloud service account JSON key file. If set, the Secret Manager client uses these credentials. If unset, the client uses https://cloud.google.com/docs/authentication/application-default-credentials[Application Default Credentials] (for example the metadata server on Google Compute Engine).
+
+| `token-mandatory`
+| `true`
+| When `true`, secrets are only loaded if <<gcp-secret-manager-permission-check>> succeeds. When `false`, that check is skipped and secrets are loaded using only the server-side Secret Manager credentials.
+
+| `version`
+| `1`
+| API access strategy version (only `1` is supported).
+
+|===
+
+[[gcp-secret-manager-mapping]]
+== Mapping applications and profiles
+
+The server lists secrets in the Google Cloud project (see <<gcp-secret-manager-project>>) and filters them for each Config Client request.
+
+* **Label-based matching (default):** A secret is included for a given `\{application}` and profile when its Secret Manager labels match, case-insensitively, on the configured keys (`application-label` and `profile-label`). If a label is missing on the secret, the code treats it as the default string `application` or `profile` respectively (same keys as the property names), so unlabeled secrets align with those defaults.
+
+* **Prefix-based matching:** If the HTTP request includes a non-empty `X-Secret-Prefix` header, secrets whose *short* name (the segment after `projects/.../secrets/`) starts with that prefix are also included. The prefix is stripped from the property key. This path can be combined with label filtering logic in the same loop (see `GoogleSecretManagerEnvironmentRepository`).
+
+The repository always ensures the `default` profile is considered before additional profiles (similar to other backends): if the client does not send `default` first, the server prepends it.
+
+For each matching secret, the property **value** is the payload of the **latest enabled** secret version, where “latest” is determined by comparing numeric version IDs (not the Secret Manager “latest” alias).
+
+Property sources are named `gsm:\{application}-\{profile}`.
+
+The Config Server `\{label}` path segment is accepted on the API but **this backend does not use it** to select secrets; version selection is based on secret versions as described above.
+
+[[gcp-secret-manager-project]]
+== Resolving the Google Cloud project
+
+Secret Manager API calls are scoped to a project ID. The server obtains it in this order:
+
+. The `X-Project-ID` HTTP header on the incoming Config Client request, if present.
+. Otherwise, a GET to `http://metadata.google.internal/computeMetadata/v1/project/project-id` with header `Metadata-Flavor: Google` (works when the Config Server runs on Google Compute Engine or similar).
+
+If neither source is available (for example local development without metadata), configure clients to send `X-Project-ID` or run the server where metadata is available.
+
+[[gcp-secret-manager-credentials]]
+== Credentials for listing and reading secrets
+
+Listing secrets and accessing secret values uses `SecretManagerServiceClient` only:
+
+* With `service-account` set: credentials from that JSON file.
+* Without it: Application Default Credentials.
+
+The OAuth access token in `X-Config-Token` is **not** passed to the Secret Manager client. Those credentials are always the server’s (or the key file’s), independent of the client token.
+
+[[gcp-secret-manager-permission-check]]
+== Optional permission check (`token-mandatory`)
+
+When `token-mandatory` is `true` (default), before loading any secrets the server calls `checkRemotePermissions()`:
+
+. It reads the access token from the `X-Config-Token` HTTP header (required for this check; a missing or invalid header causes the check to fail).
+. It uses the Cloud Resource Manager REST API `projects.testIamPermissions` for the target project with the permission `secretmanager.versions.access`.
+. If that permission is reported for the token, the check passes and secrets are loaded. If not, or if the API call fails, the check fails and **no** GSM-backed property sources are added for that request.
+
+So the token in `X-Config-Token` acts as a **gate** for whether GSM data is returned, while **reading** secrets still uses <<gcp-secret-manager-credentials,the server’s Secret Manager credentials>>. The principal that passes IAM testing and the principal used for Secret Manager API calls can differ.
+
+When `token-mandatory` is `false`, this remote check is not performed and secrets are loaded solely subject to server credentials and Secret Manager data access.
+
+== HTTP headers (Config Client to Config Server)
+
+|===
+| Header | Required when | Purpose
+
+| `X-Config-Token`
+| `token-mandatory` is `true` for the permission check
+| Bearer-style access token used only for Cloud Resource Manager `testIamPermissions`.
+
+| `X-Project-ID`
+| Recommended when not running on GCP with metadata
+| Google Cloud project ID for Secret Manager and IAM checks.
+
+| `X-Secret-Prefix`
+| Optional
+| Restricts which secrets contribute properties when matching by name prefix (see <<gcp-secret-manager-mapping>>).
+
+|===
+
+Header names are case-insensitive per HTTP; the implementation uses `X-Config-Token`, `X-Project-ID`, and `X-Secret-Prefix`.