
Contribute GCP load balancer source/destination plugin #5347

@gijzelaerr

Description

Proposal

We'd like to contribute a GCP Compute Engine load balancer plugin for Lemur, providing both source and destination functionality — similar to how lemur_aws provides AWS integration.

We've been running this plugin in production for several months managing TLS certificates on GCP global load balancers (both HTTPS and TCP SSL proxies). We'd like to clean it up and contribute it upstream.

What it does

Source plugin (GcpSource)

  • Discovers certificates: Lists all self-managed SSL certificates in a GCP project (skips Google-managed certs)
  • Discovers endpoints: Maps GCP target proxies (HTTPS and TCP SSL) to their attached certificates, creating Lemur endpoints for each (load balancer, certificate) pair
  • Rotates certificates: Attaches a new certificate to a load balancer, then detaches the old one
  • Cleans up expired certificates: Deletes GCP SSL certificate resources that have been expired past a configurable grace period

Destination plugin (GcpDestination)

  • Uploads certificates: Creates GCP SSL certificate resources from Lemur-issued certificates (with certificate chain bundling)
  • Verifies uploads: Checks whether a certificate already exists in GCP before uploading
  • Idempotent: If a certificate with the same name already exists and matches, it returns the existing resource

Implementation details

  • Uses google-api-python-client for the GCP Compute API and google-auth for authentication
  • Supports both targetHttpsProxies and targetSslProxies
  • Includes exponential backoff retry for rate-limited GCP API calls
  • Validates certificate names against GCP's naming regex ([a-z][-a-z0-9]{0,61}[a-z0-9]) before API calls to produce clear error messages
  • Waits for GCP async operations to complete before returning
  • Handles the GCP max of 15 certificates per load balancer

What we'd contribute

  • Source plugin with endpoint discovery, certificate rotation (attach/detach), and cleanup
  • Destination plugin with upload and verification
  • GCP Compute API client wrapper
  • Test suite
  • Documentation

We'd strip out any organization-specific code and make it generic before submitting. The plugin would be configurable via Lemur's standard plugin options (GCP project ID, etc.) and use Application Default Credentials for authentication.

Note: there's also an open PR #5210 for a GCS (Cloud Storage) destination plugin. Our plugin is complementary — it targets GCP Compute load balancers rather than storage buckets.

Would you be interested in having this contributed? Happy to discuss the approach or any requirements you'd have for inclusion.
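The behaviours the proposal lists (pre-flight name validation against the quoted regex, exponential backoff on rate limits, idempotent upload, attach-then-detach rotation bounded by the 15-certificate limit, and grace-period cleanup) can be sketched as pure logic without touching the Compute API. The block below is an added illustration written for this page; it is not the plugin described in the issue and not Lemur or Google code. The in-memory `store` and `proxy` dicts, the `RateLimited` exception, and every function name are constructed stand-ins for the real client, so it runs offline.

```python
"""Pure-logic pieces of a GCP load-balancer certificate plugin (added example).

Not the plugin proposed above and not Lemur or Google code. The GCP API is
replaced by in-memory dicts; the only GCP facts used are the ones the
proposal states (name regex, 15 certificates per proxy, attach-then-detach
rotation, grace-period cleanup of expired certificates).
"""
import hashlib
import re
import time
from datetime import datetime, timedelta, timezone

# Name rule quoted in the proposal, anchored so the whole string must match.
GCP_NAME_RE = re.compile(r"^[a-z][-a-z0-9]{0,61}[a-z0-9]$")
MAX_CERTS_PER_PROXY = 15  # limit stated in the proposal


class RateLimited(Exception):
    """Constructed stand-in for the rate-limit error a real client would raise."""


def valid_name(name):
    """Validate locally before any API call so a bad name fails with a clear message."""
    return bool(GCP_NAME_RE.match(name))


def with_backoff(call, retries=4, base=0.01, sleep=time.sleep):
    """Retry `call` with exponential backoff on RateLimited; re-raise after `retries` failures."""
    for attempt in range(retries + 1):
        try:
            return call()
        except RateLimited:
            if attempt == retries:
                raise
            sleep(base * (2 ** attempt))


def upload_certificate(store, name, pem, expire_time):
    """Idempotent upload: same name and same PEM returns the existing resource;
    same name with different contents is an error, never a silent overwrite."""
    if not valid_name(name):
        raise ValueError(f"invalid GCP certificate name: {name!r}")
    digest = hashlib.sha256(pem.encode()).hexdigest()
    existing = store.get(name)
    if existing is not None:
        if existing["sha256"] != digest:
            raise ValueError(f"{name} already exists with different contents")
        return existing
    store[name] = {"name": name, "sha256": digest, "expireTime": expire_time}
    return store[name]


def rotate_certificate(proxy, old_name, new_name):
    """Attach the new certificate first, then detach the old one, so the proxy
    never serves with zero certificates; refuse if attaching would exceed 15."""
    certs = list(proxy["sslCertificates"])
    if new_name not in certs:
        if len(certs) >= MAX_CERTS_PER_PROXY:
            raise RuntimeError(f"{proxy['name']} already has {MAX_CERTS_PER_PROXY} certificates")
        certs.append(new_name)
    if old_name in certs:
        certs.remove(old_name)
    proxy["sslCertificates"] = certs
    return certs


def discover_endpoints(proxies):
    """One Lemur endpoint per (load balancer, certificate) pair."""
    return [(p["name"], c) for p in proxies for c in p["sslCertificates"]]


def expired_certificates(store, now, grace_days):
    """Names of certificates that expired longer ago than the grace period."""
    cutoff = now - timedelta(days=grace_days)
    return sorted(n for n, c in store.items() if c["expireTime"] < cutoff)


def demo():
    """Walk one rotation end to end on constructed data and return the results."""
    now = datetime(2025, 1, 1, tzinfo=timezone.utc)
    store = {}
    upload_certificate(store, "web-2024", "PEM-A", now - timedelta(days=40))
    upload_certificate(store, "web-2025", "PEM-B", now + timedelta(days=365))
    again = upload_certificate(store, "web-2025", "PEM-B", now + timedelta(days=365))
    proxy = {"name": "web-https-proxy", "sslCertificates": ["web-2024"]}
    rotate_certificate(proxy, "web-2024", "web-2025")
    return {
        "idempotent": again is store["web-2025"],
        "proxy_certs": proxy["sslCertificates"],
        "endpoints": discover_endpoints([proxy]),
        "to_delete": expired_certificates(store, now, grace_days=30),
    }


if __name__ == "__main__":
    print(demo())
```

The order in `rotate_certificate` matters operationally: attaching before detaching keeps the proxy serving throughout, and checking the limit before the attach turns a remote quota error into a local, explicit failure. The cleanup helper only returns candidates; in a real plugin the caller would still confirm none of them is attached to a proxy before deleting.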
