You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
feat(catalog): add GCP Cloud KMS support for secret decryption (#4243)
## Summary
- Add `PEERDB_KMS_PROVIDER` env var to dispatch between AWS KMS and GCP
Cloud KMS for catalog secret decryption
- **Rust** (`nexus/catalog`): GCP Cloud KMS REST API via `reqwest`,
using a Workload Identity token fetched from the GKE metadata server
- **Go** (`flow/internal/env.go`): GCP Cloud KMS via the official
`cloud.google.com/go/kms/apiv1` client (uses Application Default
Credentials, which resolves to Workload Identity on GKE)
- Provider switch on both sides enumerates `aws` (and empty for
back-compat), `gcp`, and returns an explicit error for unknown values;
constants `KmsProviderAWS` / `KmsProviderGCP` introduced in Go to mirror
the Rust pattern
- Defaults to `aws` everywhere — no behavior change for existing AWS
deployments
## Test plan
- [ ] End-to-end test on GCP GKE cluster with Workload Identity,
decrypting a catalog secret encrypted with a GCP KMS key
- [ ] Verify `PEERDB_KMS_PROVIDER=` (empty), unset, and
`PEERDB_KMS_PROVIDER=aws` all still hit the AWS path
- [ ] Verify `PEERDB_KMS_PROVIDER=invalid` returns the new error rather
than silently falling through to AWS
🤖 Generated with [Claude Code](https://claude.com/claude-code)
---------
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
0 commit comments