From 134d669d6a7eade2094e198bd15b7b98240cabc7 Mon Sep 17 00:00:00 2001 From: leefine02 <50836957+leefine02@users.noreply.github.com> Date: Mon, 18 Oct 2021 09:58:07 -0400 Subject: [PATCH 1/6] Update integration-manifest.json --- integration-manifest.json | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/integration-manifest.json b/integration-manifest.json index 17c85a7..a1b81cf 100644 --- a/integration-manifest.json +++ b/integration-manifest.json @@ -1,8 +1,8 @@ - { "$schema": "https://keyfactor.github.io/integration-manifest-schema.json", - "integration_type": "gcp", - "name": "GCP AnyAgent", - "status": "pilot", - "description": "This integration is used to inventory and manage certificates in GCP. " + "integration_type": "orchestrator", + "name": "GCP Load Balancer", + "status": "production", + "link_github": true, + "description": "The GCP Load Balancer Orchestrator allows for the management of Google Cloud Platform Load Balancer certificate stores. Inventory, Management-Add, and Management-Remove functions are supported. Also, re-binding to endpoints IS supported for certificate renewals (but NOT adding new certificates). The orchestrator uses the Google Cloud Compute Engine API to manage stores." } From 5dc9113de4fb06136d94d345d53ef873204c5c8c Mon Sep 17 00:00:00 2001 From: Keyfactor Date: Mon, 18 Oct 2021 13:58:36 +0000 Subject: [PATCH 2/6] Update generated README --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index e31bc41..dba8f51 100644 --- a/README.md +++ b/README.md 
@@ -1,7 +1,7 @@ -# GCP AnyAgent -## Gcp +# GCP Load Balancer +## Orchestrator -This integration is used to inventory and manage certificates in GCP. +The GCP Load Balancer Orchestrator allows for the management of Google Cloud Platform Load Balancer certificate stores. Inventory, Management-Add, and Management-Remove functions are supported. Also, re-binding to endpoints IS supported for certificate renewals (but NOT adding new certificates). The orchestrator uses the Google Cloud Compute Engine API to manage stores. *** From 144c1e5cb0af1d4f9b13f67ae957da0eab071979 Mon Sep 17 00:00:00 2001 From: leefine02 <50836957+leefine02@users.noreply.github.com> Date: Tue, 19 Oct 2021 15:11:40 -0400 Subject: [PATCH 3/6] Add files via upload --- README.md.tpl | 71 ++++++++++++++++++++++++++++++++++++++++++++++----- 1 file changed, 64 insertions(+), 7 deletions(-) diff --git a/README.md.tpl b/README.md.tpl index 8a02a5e..99f8100 100644 --- a/README.md.tpl +++ b/README.md.tpl 
@@ -1,15 +1,68 @@ # {{ name }} ## {{ integration_type | capitalize }} -{{ description }} - -*** + +*** # Introduction -- TODO: +- {{ description }} # Setting up GCP Cert Store Type +The certificate store type set up for the GCP Load Balancer Orchestrator should have the following options set: + +**Name:** A descriptive name for the certificate store type + +**Short Name:** Must be **GCP** + +**Needs Server:** Unchecked + +**Blueprint Allowed:** Unchecked + +**Requires Store Password:** Unchecked + +**Supports Entry Password:** Unchecked + +**Supports Custom Alias:** Optional (If unselected, a random alias will be generated by the GCP LB Orchestrator) + +**Uses PowerShell: ** Unchecked + +**Store Path Type:** FreeForm + +**Private Keys: ** Required (Adding a certificate to a GCP Load Balancer certificate store without the private key is not a valid use case) + +**PFX Password Style:** Default + +**Job Types:** Check Inventory, Add, and Remove. Leave Create, Discovery, and Reenrollment unchecked + +**Parameters:** Add 1 custom parameter if authenticating to the GCP API library by passing the GCP service account key from Keyfactor Command (see Authentication): + +- Name: Must be **jsonKey** +- Display Name: Desired custom display name +- Type: Secret +- Change Default Value: Unchecked +- Default Value: Leave blank + + + +# Setting up GCP Cert Store +When creating a GCP certificate store in Keyfactor, the various options should be set up a follows: + +**Category:** Must be GCP + +**Container:** Optional container name if using this feature. Please consult the Keyfactor Command Reference Guide for more information on this feature. + +**Client Machine:** The name or IP address of the Orchestrator server that will be handling GCP jobs. + +**Store Path:** This should be your Google Cloud project ID. This will work against GCP Global resources. Optionally, you can append "/" with the region you wish to process against. 
Please refer to the following page for a list of valid region codes (GCP code column): https://gist.github.com/rpkim/084046e02fd8c452ba6ddef3a61d5d59. + +**Service Account Key:** If you will be authenticating via passing credentials from Keyfactor Command, you must add this value as follows: +- No Service Account Key: Unchecked +- Secret Source: "Keyfactor Secrets" if you wish to store the GCP service account key in the Keyfactor secrets engine or "Load From PAM Provider" if you have set up a PAM provider integration within Keyfactor Command and wish to store this value there. +- Enter and Confirm Service Account Key: The JSON-based service account key you acquired from GCP (See Authentication). + +**Inventory Schedule:** Set whether to schedule Inventory jobs for this certificate store, and if so, the frequency here. + # Authentication A service account is necessary for authentication to GCP. The following are the required permissions: @@ -26,12 +79,16 @@ Remember to assign the appropriate role/permissions for the service account. Afterwards inside Keyfactor Command copy and paste the contents of the service account key in the password field for the GCP Certificate Store Type. # Supported Functionality -- Inventory, Management +- Inventory +- Management-Add (including re-binding of existing bindings for certificate renewals, no binding functionality available for new certificate adds) +- Management-Remove # Not Implemented/Supported -- Binding +- Discovery +- Management-Create +- Reenrollment - *** +*** ### License [Apache](https://apache.org/licenses/LICENSE-2.0) From 47fd0385960c5f854d1f4cdee572df419c96a363 Mon Sep 17 00:00:00 2001 From: Keyfactor Date: Tue, 19 Oct 2021 19:12:11 +0000 Subject: [PATCH 4/6] Update generated README --- README.md | 71 +++++++++++++++++++++++++++++++++++++++++++++++++------ 1 file changed, 64 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index dba8f51..1e5d81f 100644 --- a/README.md +++ b/README.md 
@@ -1,15 +1,68 @@ # GCP Load Balancer ## Orchestrator -The GCP Load Balancer Orchestrator allows for the management of Google Cloud Platform Load Balancer certificate stores. Inventory, Management-Add, and Management-Remove functions are supported. Also, re-binding to endpoints IS supported for certificate renewals (but NOT adding new certificates). The orchestrator uses the Google Cloud Compute Engine API to manage stores. - -*** + +*** # Introduction -- TODO: +- The GCP Load Balancer Orchestrator allows for the management of Google Cloud Platform Load Balancer certificate stores. Inventory, Management-Add, and Management-Remove functions are supported. Also, re-binding to endpoints IS supported for certificate renewals (but NOT adding new certificates). The orchestrator uses the Google Cloud Compute Engine API to manage stores. # Setting up GCP Cert Store Type +The certificate store type set up for the GCP Load Balancer Orchestrator should have the following options set: + +**Name:** A descriptive name for the certificate store type + +**Short Name:** Must be **GCP** + +**Needs Server:** Unchecked + +**Blueprint Allowed:** Unchecked + +**Requires Store Password:** Unchecked + +**Supports Entry Password:** Unchecked + +**Supports Custom Alias:** Optional (If unselected, a random alias will be generated by the GCP LB Orchestrator) + +**Uses PowerShell: ** Unchecked + +**Store Path Type:** FreeForm + +**Private Keys: ** Required (Adding a certificate to a GCP Load Balancer certificate store without the private key is not a valid use case) + +**PFX Password Style:** Default + +**Job Types:** Check Inventory, Add, and Remove. 
Leave Create, Discovery, and Reenrollment unchecked + +**Parameters:** Add 1 custom parameter if authenticating to the GCP API library by passing the GCP service account key from Keyfactor Command (see Authentication): + +- Name: Must be **jsonKey** +- Display Name: Desired custom display name +- Type: Secret +- Change Default Value: Unchecked +- Default Value: Leave blank + + + +# Setting up GCP Cert Store +When creating a GCP certificate store in Keyfactor, the various options should be set up a follows: + +**Category:** Must be GCP + +**Container:** Optional container name if using this feature. Please consult the Keyfactor Command Reference Guide for more information on this feature. + +**Client Machine:** The name or IP address of the Orchestrator server that will be handling GCP jobs. + +**Store Path:** This should be your Google Cloud project ID. This will work against GCP Global resources. Optionally, you can append "/" with the region you wish to process against. Please refer to the following page for a list of valid region codes (GCP code column): https://gist.github.com/rpkim/084046e02fd8c452ba6ddef3a61d5d59. + +**Service Account Key:** If you will be authenticating via passing credentials from Keyfactor Command, you must add this value as follows: +- No Service Account Key: Unchecked +- Secret Source: "Keyfactor Secrets" if you wish to store the GCP service account key in the Keyfactor secrets engine or "Load From PAM Provider" if you have set up a PAM provider integration within Keyfactor Command and wish to store this value there. +- Enter and Confirm Service Account Key: The JSON-based service account key you acquired from GCP (See Authentication). + +**Inventory Schedule:** Set whether to schedule Inventory jobs for this certificate store, and if so, the frequency here. + # Authentication A service account is necessary for authentication to GCP. The following are the required permissions: 
@@ -26,12 +79,16 @@ Remember to assign the appropriate role/permissions for the service account. Afterwards inside Keyfactor Command copy and paste the contents of the service account key in the password field for the GCP Certificate Store Type. # Supported Functionality -- Inventory, Management +- Inventory +- Management-Add (including re-binding of existing bindings for certificate renewals, no binding functionality available for new certificate adds) +- Management-Remove # Not Implemented/Supported -- Binding +- Discovery +- Management-Create +- Reenrollment - *** +*** ### License [Apache](https://apache.org/licenses/LICENSE-2.0) From 545c3ba7bf70a99d057f6cc0d5c24c5ac52ca581 Mon Sep 17 00:00:00 2001 From: leefine02 <50836957+leefine02@users.noreply.github.com> Date: Wed, 20 Oct 2021 11:33:01 -0400 Subject: [PATCH 5/6] Add files via upload --- CHANGELOG.md | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 CHANGELOG.md diff --git a/CHANGELOG.md b/CHANGELOG.md new file mode 100644 index 0000000..9e4f0a6 --- /dev/null +++ b/CHANGELOG.md @@ -0,0 +1,2 @@ +v1.0 +- Original Version \ No newline at end of file From 1f58a384a45634f4a2c1430221ce63ecfa92a338 Mon Sep 17 00:00:00 2001 From: Matthew Dobrowsky Date: Wed, 20 Oct 2021 14:40:32 -0400 Subject: [PATCH 6/6] update build workflows to latest --- .../keyfactor-extension-prerelease.yml | 113 +++++++++++++----- .../workflows/keyfactor-extension-release.yml | 8 +- 2 files changed, 86 insertions(+), 35 deletions(-) diff --git a/.github/workflows/keyfactor-extension-prerelease.yml b/.github/workflows/keyfactor-extension-prerelease.yml index b001a28..d95495b 100644 --- a/.github/workflows/keyfactor-extension-prerelease.yml +++ b/.github/workflows/keyfactor-extension-prerelease.yml 
@@ -1,20 +1,25 @@ -# This is a basic workflow to help you get started with Actions +# This workflow will build a Release Candidate (pre-release) +# It runs automatically when attempting a PR from pre-release branch to the release branch -name: Keyfactor Extension - Pre Release +name: Keyfactor Extension - Release Candidate + +env: + SOLUTION_FOLDER: '.' + PROJECT_FOLDER: 'GCPAnyAgent' # Controls when the action will run. on: - # Triggers the workflow on push - push: - #only run this workflow when pushing to a branch that has the prerelease suffix + # Triggers the workflow on PR open + pull_request: + types: [opened, synchronize] + # only run this workflow when opening PR to release branch branches: - - 'release-[0-9]+.[0-9]+.[0-9]+-pre' - - '!release-[0-9]+.[0-9]+.[0-9]+' + - '!release-[0-9]+.[0-9]+-pre' + - 'release-[0-9]+.[0-9]+' - # Allows you to run this workflow manually from the Actions tab + # Release Candidate can be triggered manually workflow_dispatch: -# A workflow run is made up of one or more jobs that can run sequentially or in parallel jobs: # This workflow contains a single job called "build" build: 
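Review bot: The `branches` filter under `pull_request` matches the PR's base branch only, so the new header comment ("from pre-release branch to the release branch") describes more than the trigger enforces: any PR whose target is `release-X.Y`, from any head branch, runs this job, and with the create-release step added later in this patch every `synchronize` event cuts a new tagged release candidate. The negative pattern `'!release-[0-9]+.[0-9]+-pre'` is also listed before the positive one; GitHub evaluates filter patterns in order and a `!` pattern only excludes refs that an earlier pattern included, so as written it has no effect (as far as I can tell a `-pre` branch would not match `'release-[0-9]+.[0-9]+'` anyway, since patterns must match the whole ref name). Either drop it or move it below the positive pattern, and replace the header comment with what actually happens: `# Runs on every open/sync of a PR whose *target* is release-X.Y; each run creates an rc tag`.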
@@ -32,14 +37,17 @@ jobs: echo "Setup Envrionment Variables for Workflow" echo "Working Path: ${Env:GITHUB_WORKSPACE}" $slnPath = (Get-ChildItem -Include *.sln -File -Recurse).fullname - $relName = "${{ github.ref }}".Split("/") + $relName = "${{ github.base_ref }}".Split("/") $repoName = "${{ github.repository }}".Split("/") + $relVersion = "${{ github.base_ref }}".Split("-") echo "Solution File Path: ${slnPath}" echo "SOLUTION_PATH=${slnPath}" | Out-File $env:GITHUB_ENV -Encoding utf8 -Append echo "Release Name: $($relName[-1])" echo "RELEASE_NAME=$($relName[-1])" | Out-File $env:GITHUB_ENV -Encoding utf8 -Append echo "Repo Name: $($repoName[-1])" echo "REPO_NAME=$($repoName[-1])" | Out-File $env:GITHUB_ENV -Encoding utf8 -Append + echo "Release Version: $($relVersion[-1])" + echo "RELEASE_VERSION=$($relVersion[-1])" | Out-File $env:GITHUB_ENV -Encoding utf8 -Append - uses: actions/setup-dotnet@v1 with: 
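Review bot: `${{ github.base_ref }}` is spliced into the inline PowerShell as source text (three times on the new side), so the branch name is interpreted by the shell before `.Split()` ever sees it; the safer pattern is to hand it to the step through `env:` (`BASE_REF: ${{ github.base_ref }}`) and read `$relName = $env:BASE_REF.Split("/")` / `$relVersion = $env:BASE_REF.Split("-")`, so it is only ever data. Exposure here is limited because the trigger restricts the base branch to `release-[0-9]+.[0-9]+`, but the script pattern does not carry that protection with it. `$relVersion[-1]` also silently yields the wrong value if a base branch ever contains a second `-`; a comment such as `# base branch is release-<major>.<minor>; text after the last '-' is the version` would make that assumption visible. The step's `run:` header and the runner shell are outside this hunk.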
@@ -58,6 +66,65 @@ jobs: - name: restore nuget packages run: | nuget restore ${{ env.SOLUTION_PATH }} + + - name: GitHub Script checks for existing version tags + id: existing_version + uses: actions/github-script@v4.0.2 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + VERSION_NUMBER: ${{ env.RELEASE_VERSION }} + with: + script: | + // check for existing tags on this major.minor version + const tagsList = await github.git.listMatchingRefs({ + owner: context.repo.owner, + repo: context.repo.repo, + ref: 'tags' + }); + + const { VERSION_NUMBER } = process.env; + const tags = tagsList.data.reverse(); + + // assume linear release pattern - i.e. always working on latest major.minor version + // if there are no tags, or latest tag does not start with VERSION_NUMBER, set a manual version for release + if (tags.length < 1 + || !tags.shift().ref.startsWith(`refs/tags/${VERSION_NUMBER}`)) { + core.exportVariable('MANUAL_VERSION', `${VERSION_NUMBER}.0-rc.0`); + } + + # Create a new release to auto-increment (or use manual version number) + - name: Create new release + id: create_release + #uses: zendesk/action-create-release@v1 + uses: keyfactor/action-create-release@786b73035fa09790f9eb11bb86834a6d7af1c256 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + MANUAL_VERSION: ${{ env.MANUAL_VERSION }} + with: + release_name: Release Candidate ${{ env.REPO_NAME }} ${{ env.RELEASE_VERSION }} + body: | + [Changelog](../CHANGELOG.MD) + draft: false + prerelease: true + prerelease_suffix: rc + tag_name: ${{ env.MANUAL_VERSION }} + auto_increment_type: prerelease + tag_schema: semantic + commitish: ${{ github.sha }} + + # update version number of AssemblyInfo.cs file + - name: Increment Assembly Version + run: | + $VersionRegex = "\d+\.\d+\.\d+" + $assemblyInfoFiles = (Get-ChildItem -Include AssemblyInfo.cs -File -Recurse).fullname + $newVer = "${{ steps.create_release.outputs.current_tag }}".TrimStart('v').Split('-')[0] + echo "Prepared to overwrite Assembly version to: 
${newVer}" + foreach ($assemblyInfoFile in $assemblyInfoFiles) + { + $filecontent = Get-Content($assemblyInfoFile) + attrib $assemblyInfoFile -r + $filecontent -replace $VersionRegex, $newVer | Out-File $assemblyInfoFile + } # Runs a set of commands using the runners shell - name: Execute MSBuild Commands @@ -67,36 +134,22 @@ jobs: - name: Archive Files run: | md ${{ github.workspace }}\zip\Keyfactor - Compress-Archive -Path ${{ github.workspace }}\GCPAnyAgent\bin\Release\*.dll,${{ github.workspace }}\GCPAnyAgent\bin\Release\GCPAnyAgent.dll.config -DestinationPath ${{ github.workspace }}\zip\Keyfactor\$Env:REPO_NAME.zip -Force + Compress-Archive -Path ` + ${{ env.SOLUTION_FOLDER }}\${{ env.PROJECT_FOLDER }}\bin\Release\* ` + -DestinationPath ${{ github.workspace }}\zip\Keyfactor\$Env:REPO_NAME.zip -Force - name: Upload a Build Artifact uses: actions/upload-artifact@v2.2.2 with: # Artifact name - name: ${{ env.REPO_NAME}}.zip + name: ${{ env.REPO_NAME }}.zip # A file, directory or wildcard pattern that describes what to upload path: | ${{ github.workspace }}\zip\Keyfactor\${{ env.REPO_NAME}}.zip # The desired behavior if no files are found using the provided path. if-no-files-found: error # optional, default is warn - - - name: Create Release - id: create_release - #uses: zendesk/action-create-release@v1 - Update when PR is approved - uses: keyfactor/action-create-release@786b73035fa09790f9eb11bb86834a6d7af1c256 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - release_name: Release ${{ env.RELEASE_NAME }} - body: | - [Changelog](../CHANGELOG.MD) - draft: false - prerelease: true - auto_increment_type: patch - tag_schema: semantic - commitish: ${{ github.sha }} - + - name: Upload Release Asset (x64) id: upload-release-asset-x64 uses: actions/upload-release-asset@v1 
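Review bot: In the github-script step, `startsWith(`refs/tags/${VERSION_NUMBER}`)` is a bare prefix test, so with VERSION_NUMBER `1.2` a latest tag of `1.20.0` or `1.23.1` passes the check, no MANUAL_VERSION is set, and the release step then auto-increments from the wrong minor line; anchoring on the separator, `startsWith(`refs/tags/${VERSION_NUMBER}.`)`, closes that. The `TrimStart('v')` in the Increment Assembly Version step suggests tags may carry a `v` prefix, in which case the same prefix test never matches and every run is treated as a fresh `${VERSION_NUMBER}.0-rc.0`. `tags.reverse().shift()` also assumes the API returns matching refs in name order and in a single page, so `1.9.x` would sort after `1.10.x` and older tags beyond the first page are never seen; that assumption deserves a comment if it is intentional. Separately, on a `pull_request` event `github.sha` is the synthetic merge commit of the PR rather than the pushed commit, so `commitish: ${{ github.sha }}` tags a commit that is not on the release branch; `${{ github.event.pull_request.head.sha }}` is the commit the author actually pushed.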
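Review bot: `Compress-Archive -Path …\bin\Release\*` now packages the entire Release output directory, where the removed line picked `*.dll` and `GCPAnyAgent.dll.config` only; everything MSBuild drops there (typically `.pdb` symbol files, XML doc files, any copied-to-output content) ends up in the published release asset. If the intent is to ship the runtime files only, keep an explicit list, `…\bin\Release\*.dll, …\bin\Release\*.json, …\bin\Release\*.config`, which is exactly the list the release workflow's last hunk in this patch removes at the same time. The `-Path` argument is also relative (`SOLUTION_FOLDER` is `'.'`) while `-DestinationPath` is absolute under `github.workspace`, so it depends on the step keeping the default working directory. At minimum a comment above the step, `# ships every file in bin\Release, including symbols; widen deliberately`, would make the choice explicit.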
@@ -105,5 +158,5 @@ jobs: with: upload_url: ${{ steps.create_release.outputs.upload_url }} asset_path: ${{ github.workspace }}\zip\Keyfactor\${{ env.REPO_NAME}}.zip - asset_name: ${{ env.REPO_NAME}}.zip + asset_name: ${{ env.REPO_NAME}}_${{ steps.create_release.outputs.current_tag }}.zip asset_content_type: application/zip diff --git a/.github/workflows/keyfactor-extension-release.yml b/.github/workflows/keyfactor-extension-release.yml index 9c687be..caa53d2 100644 --- a/.github/workflows/keyfactor-extension-release.yml +++ b/.github/workflows/keyfactor-extension-release.yml @@ -3,8 +3,8 @@ name: Keyfactor Extension - Release env: - SOLUTION_FOLDER: '' - PROJECT_FOLDER: '' + SOLUTION_FOLDER: '.' + PROJECT_FOLDER: 'GCPAnyAgent' # Controls when the action will run. on: @@ -109,9 +109,7 @@ jobs: run: | md ${{ github.workspace }}\zip\Keyfactor Compress-Archive -Path ` - ${{ env.SOLUTION_FOLDER }}\${{ env.PROJECT_FOLDER }}\bin\Release\*.dll, ` - ${{ env.SOLUTION_FOLDER }}\${{ env.PROJECT_FOLDER }}\bin\Release\*.json, ` - ${{ env.SOLUTION_FOLDER }}\${{ env.PROJECT_FOLDER }}\bin\Release\*.config ` + ${{ env.SOLUTION_FOLDER }}\${{ env.PROJECT_FOLDER }}\bin\Release\* ` -DestinationPath ${{ github.workspace }}\zip\Keyfactor\$Env:REPO_NAME.zip -Force - name: Upload Release Asset (x64)
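Review bot: The new `asset_name` line keeps the unspaced `${{ env.REPO_NAME}}` form that this same commit corrected to `${{ env.REPO_NAME }}` in the upload-artifact `name:` two hunks earlier; the `asset_path` context line and the artifact `path:` line still use the unspaced form as well. GitHub accepts both, so this is purely a style point, but one spelling per file is easier to grep: `asset_name: ${{ env.REPO_NAME }}_${{ steps.create_release.outputs.current_tag }}.zip`.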