feat: add GCP Secret Manager OpenFeature provider

[mahpatil]

Summary

• Adds a new OpenFeature provider for GCP Secret Manager that reads feature flags from GCP Secret Manager secrets
• Includes flag caching, value conversion for all OpenFeature types (bool, string, int, double, object), and background polling for updates
• Adds a sample application under samples/gcp-secret-manager-sample/ with setup/teardown scripts

Provider Details

• Package: providers/gcp-secret-manager
• Class: GcpSecretManagerProvider
• Supports all OpenFeature flag types via structured or plain-text secret values
• Configurable poll interval and GCP project settings

Test plan

• Unit tests for FlagCache, FlagValueConverter, and GcpSecretManagerProvider
• Integration test (GcpSecretManagerProviderIntegrationTest) requires a real GCP project — set GCP_PROJECT_ID env var to run
• Sample app: follow samples/gcp-secret-manager-sample/README.md to run end-to-end

[gemini-code-assist]

Code Review

This pull request introduces a new OpenFeature provider for Google Cloud Secret Manager, enabling feature flags to be managed as GCP secrets. The changes include the core provider implementation with caching and value conversion, along with comprehensive unit and integration tests, and a sample application. Feedback suggests adding an initial entry to the new module's CHANGELOG.md, refining the spotbugs-exclusions.xml to only include relevant exclusions, and improving the testability of FlagCache by injecting a Clock instance instead of relying on Instant.now() and Thread.sleep().

[aepfli]

/gemini review

[gemini-code-assist]

Code Review

This pull request introduces a new OpenFeature provider for Google Cloud Secret Manager, enabling feature flags to be stored and managed as secrets. The implementation includes a TTL-based in-memory cache to optimize API usage and a converter to handle various OpenFeature data types. Feedback identifies several improvement opportunities, including fixing duplicate entries in the changelog, addressing a race condition and a potential 'thundering herd' issue in the caching logic, and strengthening input validation for the secret version configuration.

[chrfwow]

The build pipeline currently fails for two reasons:
The commits are not signed off. To fix this, you will need to sign off all your changes and force push them on this branch
The type check fails, this can be fixed automatically when you run the spotlessApply command

[mahpatil]

The build pipeline currently fails for two reasons: The commits are not signed off. To fix this, you will need to sign off all your changes and force push them on this branch The type check fails, this can be fixed automatically when you run the spotlessApply command

Signed off commits to fix DCO

[mahpatil]

I hope all comments have been addressed now. Please let me know if there's anything outstanding.

[mahpatil]

Good catch — removed the duplicate now, clock, and cache setup from concurrentExpiryAndInsertDoNotLoseNewEntry and switched to the T0/T1 constants and instance fields already initialised in @BeforeEach.

[toddbaert]

Re: #1771 (cc @aepfli @chrfwow @mahpatil)

Looking at #1771 + #1772 side by side, I think there's been a small misunderstanding of @aepfli's earlier feedback. IIUC he asked for the PR to be split for review hygiene ("a pull request is small, and provides just one additional feature"), not necessarily for two separate Maven modules. The split-PRs ask has been honoured; the split-modules part was an additional interpretation.

@chrfwow already raised the same question on #1771. Posting here too since this is where active review is happening, and IMO it's much cheaper to settle before #1772 merges than after.

Let's keep 2 PRs but land them in one module.

• The two PRs duplicate ~80% of code (FlagCache, FlagValueConverter, the provider scaffolding, tests). They're already drifting (Clock injection, STATIC vs CACHED, exception cause, log4j versions).
• The GCP client deps are technically different artifacts, but their transitive trees overlap heavily (gax, gRPC, protobuf, auth, etc.); the incremental footprint of having both on the classpath is small.
• One module = one CHANGELOG, one release, one set of internals to maintain. Two modules = ongoing duplication tax. A third gcp-common module is overkill for what's effectively one shared FlagCache.

@mahpatil - to keep things reviewable, suggest stacking the branches: rework this PR (#1772) to add a single providers/gcp module with pom.xml, shared internals (FlagCache, FlagValueConverter), and the Secret Manager provider. Then rebase #1771 on top, so it only adds the Parameter Manager provider on top of the shared scaffolding. SM-first makes sense since this PR is closer to approval. That way each PR stays small and focused, and the shared scaffolding only shows up in the diff once.

Suggested module name: providers/gcp (artifact gcp). Short, accurate, and leaves room if other GCP-backed providers ever land later. gcp-secret-and-parameter-manager works too but is mouthful-y. WDYT?

@aepfli - was your earlier ask only about the PR split, or did you also intend two artifacts? Happy to discuss if there's a packaging reason I'm missing.

[mahpatil]

Re: #1771 (cc @aepfli @chrfwow @mahpatil)

Looking at #1771 + #1772 side by side, I think there's been a small misunderstanding of @aepfli's earlier feedback. IIUC he asked for the PR to be split for review hygiene ("a pull request is small, and provides just one additional feature"), not necessarily for two separate Maven modules. The split-PRs ask has been honoured; the split-modules part was an additional interpretation.

@chrfwow already raised the same question on #1771. Posting here too since this is where active review is happening, and IMO it's much cheaper to settle before #1772 merges than after.

Let's keep 2 PRs but land them in one module.

• The two PRs duplicate ~80% of code (FlagCache, FlagValueConverter, the provider scaffolding, tests). They're already drifting (Clock injection, STATIC vs CACHED, exception cause, log4j versions).
• The GCP client deps are technically different artifacts, but their transitive trees overlap heavily (gax, gRPC, protobuf, auth, etc.); the incremental footprint of having both on the classpath is small.
• One module = one CHANGELOG, one release, one set of internals to maintain. Two modules = ongoing duplication tax. A third gcp-common module is overkill for what's effectively one shared FlagCache.

@mahpatil - to keep things reviewable, suggest stacking the branches: rework this PR (#1772) to add a single providers/gcp module with pom.xml, shared internals (FlagCache, FlagValueConverter), and the Secret Manager provider. Then rebase #1771 on top, so it only adds the Parameter Manager provider on top of the shared scaffolding. SM-first makes sense since this PR is closer to approval. That way each PR stays small and focused, and the shared scaffolding only shows up in the diff once.

Suggested module name: providers/gcp (artifact gcp). Short, accurate, and leaves room if other GCP-backed providers ever land later. gcp-secret-and-parameter-manager works too but is mouthful-y. WDYT?

@aepfli - was your earlier ask only about the PR split, or did you also intend two artifacts? Happy to discuss if there's a packaging reason I'm missing.

This is a bit frustrating as I have been receiving feedback on the PR and now requested to refactor again. @aepfli please finalize with @chrfwow what you would want, I don't want to be keep coming back and incorporating comments, wasting everyones time. I feel the process very slow even though we are using gemini and im using claude, this PR has been going back and forth for a while.
Please provide concrete steps that I can incorporate quickly so we can merge this PR.

[aepfli]

@mahpatil first of all, I want to apologise. Reading back through the thread, I can absolutely see how
my original comment landed the way it did, and the frustration you are voicing is completely fair. You
have been responsive, you have been thorough, and the last thing I want is for a contributor putting in
this kind of effort to feel that the goalposts keep moving. That is on me for not being clearer the
first time, and I am sorry for the churn it has caused.

Let me try to clear up the misunderstanding, because I think @toddbaert read my intent correctly. When I
asked you to split the work, I was talking about splitting the pull request for review hygiene —
keeping each PR small and focused on one feature so that we as maintainers can evaluate it properly. I
was not asking for two separate Maven modules or two separate artifacts. That part was an interpretation
on top of my ask, and I should have spelled it out at the time. The duplication that has surfaced
between #1771 and #1772 is exactly the kind of thing the "one module" approach avoids.

The technique that makes "split the PR" and "share the code" coexist is what is usually called stacked
diffs (or stacked PRs). The idea is simple: instead of two independent branches off main, you stack
them. PR A branches off main and contains the shared scaffolding plus the first provider. PR B then
branches off PR A's branch (not main) and adds only the second provider on top. Each PR stays small and
reviewable on its own, the shared code only shows up in the diff once, and once PR A merges, PR B's diff
naturally collapses to just its own delta. It is the same review benefit I was originally asking for,
without paying the duplication tax.

Concretely, for your case I think Todd's suggestion is exactly right: rework #1772 to add a single
providers/gcp module containing the shared internals (FlagCache, FlagValueConverter, scaffolding) and
the Secret Manager provider, then rebase #1771 on top of that branch so it only adds the Parameter
Manager provider. SM-first makes sense since this PR is closer to approval anyway.

Again, I am sorry for the back-and-forth — your contribution is genuinely appreciated and we want to
land it. If it would help, I am happy to jump on a quick call or pair on the rebase so we can get this
over the line without another round of comments.

[mahpatil]

@mahpatil first of all, I want to apologise. Reading back through the thread, I can absolutely see how my original comment landed the way it did, and the frustration you are voicing is completely fair. You have been responsive, you have been thorough, and the last thing I want is for a contributor putting in this kind of effort to feel that the goalposts keep moving. That is on me for not being clearer the first time, and I am sorry for the churn it has caused.

Let me try to clear up the misunderstanding, because I think @toddbaert read my intent correctly. When I asked you to split the work, I was talking about splitting the pull request for review hygiene — keeping each PR small and focused on one feature so that we as maintainers can evaluate it properly. I was not asking for two separate Maven modules or two separate artifacts. That part was an interpretation on top of my ask, and I should have spelled it out at the time. The duplication that has surfaced between #1771 and #1772 is exactly the kind of thing the "one module" approach avoids.

The technique that makes "split the PR" and "share the code" coexist is what is usually called stacked diffs (or stacked PRs). The idea is simple: instead of two independent branches off main, you stack them. PR A branches off main and contains the shared scaffolding plus the first provider. PR B then branches off PR A's branch (not main) and adds only the second provider on top. Each PR stays small and reviewable on its own, the shared code only shows up in the diff once, and once PR A merges, PR B's diff naturally collapses to just its own delta. It is the same review benefit I was originally asking for, without paying the duplication tax.

Concretely, for your case I think Todd's suggestion is exactly right: rework #1772 to add a single providers/gcp module containing the shared internals (FlagCache, FlagValueConverter, scaffolding) and the Secret Manager provider, then rebase #1771 on top of that branch so it only adds the Parameter Manager provider. SM-first makes sense since this PR is closer to approval anyway.

Again, I am sorry for the back-and-forth — your contribution is genuinely appreciated and we want to land it. If it would help, I am happy to jump on a quick call or pair on the rebase so we can get this over the line without another round of comments.

okay thanks for clarifying. I have now consolidated this into single provider for GCP. Do we also want to have single factory and tests to instantiate & test both the providers? Happy to incorporate that here or when merging Parameter manager.

[mahpatil]

@chrfwow @aepfli just checking next steps on this? I dont see any responses to my comments or updated PR. Are you still keen to include this contribution?

[chrfwow]

The CI fails because there are some formatting issue. You can fix them by running spotless:apply

[mahpatil]

Fixed formatting issues.

[toddbaert]

Approved. I have some recommendations that I think are mostly around doc, and one about potentially improving the deps with a BOM ref, but I will leave that up to you. If I don't hear anything in the next 24 hrs, I will merge; otherwise feel free to make those minor fixes or tell me to hold off.

Thanks again for your contribution and patience.

PS: I made a small change to revert whitespace noise in the parent POM.

[mahpatil]

Approved. I have some recommendations that I think are mostly around doc, and one about potentially improving the deps with a BOM ref, but I will leave that up to you. If I don't hear anything in the next 24 hrs, I will merge; otherwise feel free to make those minor fixes or tell me to hold off.

Thanks again for your contribution and patience.

PS: I made a small change to revert whitespace noise in the parent POM.

Thank you @toddbaert, only one outstanding option on use of BOM, will incorporate it as part of parameter mgr, which is coming next. If you can now merge I can start on Parameter mgr which is really the more common usecase for us.

[toddbaert]

FYI I added you as a "component_owner" for this, which will add you as assignee/reviewer to PRs in this folder.