[kokoro] testing: use secrets manager (#3857)

busunkim96 · web-flow · commit 79b0d63c5b5a · 2020-05-21T17:24:49.000-07:00
diff --git a/.kokoro/lint/common.cfg b/.kokoro/lint/common.cfg
@@ -17,7 +17,7 @@
 # Configure the docker image for kokoro-trampoline.
 env_vars: {
     key: "TRAMPOLINE_IMAGE"
-    value: "gcr.io/cloud-devrel-kokoro-resources/python"
+    value: "gcr.io/cloud-devrel-kokoro-resources/python-samples-testing-docker"
 }
 
 # Download trampoline resources.
diff --git a/.kokoro/tests/run_tests.sh b/.kokoro/tests/run_tests.sh
@@ -37,9 +37,11 @@ cd github/python-docs-samples
 # install nox for testing
 pip install -q nox
 
-# Unencrypt and extract secrets
-SECRETS_PASSWORD=$(cat "${KOKORO_GFILE_DIR}/secrets-password.txt")
-./scripts/decrypt-secrets.sh "${SECRETS_PASSWORD}"
+# Use secrets acessor service account to get secrets
+gcloud auth activate-service-account \
+      --key-file="${KOKORO_GFILE_DIR}/secrets_viewer_service_account.json" \
+      --project="cloud-devrel-kokoro-resources"
+./scripts/decrypt-secrets.sh
 
 source ./testing/test-env.sh
 export GOOGLE_APPLICATION_CREDENTIALS=$(pwd)/testing/service-account.json
diff --git a/scripts/decrypt-secrets.sh b/scripts/decrypt-secrets.sh
@@ -20,7 +20,6 @@ ROOT=$( dirname "$DIR" )
 # Work from the project root.
 cd $ROOT
 
-openssl aes-256-cbc -k "$1" -md sha256 \
-	-in testing/secrets.tar.enc -out secrets.tar -d
-tar xvf secrets.tar
-rm secrets.tar
+gcloud secrets versions access latest --secret="python-docs-samples-test-env" > testing/test-env.sh
+gcloud secrets versions access latest --secret="python-docs-samples-service-account" > testing/service-account.json
+gcloud secrets versions access latest --secret="python-docs-samples-client-secrets" > testing/client-secrets.json
diff --git a/scripts/encrypt-secrets.sh b/scripts/encrypt-secrets.sh
@@ -20,10 +20,6 @@ ROOT=$( dirname "$DIR" )
 # Work from the project root.
 cd $ROOT
 
-read -s -p "Enter password for encryption: " PASSWORD
-echo
-
-tar cvf secrets.tar testing/{service-account.json,client-secrets.json,test-env.sh}
-openssl aes-256-cbc -k "$PASSWORD" -md sha256 \
-	-in secrets.tar -out testing/secrets.tar.enc
-rm secrets.tar
+gcloud secrets versions add "python-docs-samples-test-env" --data-file="testing/test-env.sh"
+gcloud secrets versions add "python-docs-samples-service-account" --data-file="testing/service-account.json"
+gcloud secrets versions add "python-docs-samples-client-secrets" --data-file="testing/test-env.sh"
diff --git a/testing/secrets.tar.enc b/testing/secrets.tar.enc

Original file line number	Diff line number	Diff line change
`@@ -17,7 +17,7 @@`
`17`	`17`	`# Configure the docker image for kokoro-trampoline.`
`18`	`18`	`env_vars: {`
`19`	`19`	`key: "TRAMPOLINE_IMAGE"`
`20`		`- value: "gcr.io/cloud-devrel-kokoro-resources/python"`
	`20`	`+ value: "gcr.io/cloud-devrel-kokoro-resources/python-samples-testing-docker"`
`21`	`21`	`}`
`22`	`22`
`23`	`23`	`# Download trampoline resources.`