Merge pull request #86 from covermymeds/format-all-secrets

Format certificates to separate out pem and key

.github/workflows/prbuild.yml

@@ -9,20 +9,20 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
       -
         name: Unshallow
         run: git fetch --prune --unshallow
       -
         name: Set up Go
-        uses: actions/setup-go@v1
+        uses: actions/setup-go@v4
         with:
-          go-version: 1.13.x
+          go-version: 1.17.x
       -
         name: Run GoReleaser
-        uses: goreleaser/goreleaser-action@v1
+        uses: goreleaser/goreleaser-action@v3
         with:
           version: latest
           args: release --skip-publish
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/tagrelease.yml

@@ -19,7 +19,7 @@ jobs:
         name: Set up Go
         uses: actions/setup-go@v1
         with:
-          go-version: 1.13.x
+          go-version: 1.17.x
       -
         name: Run GoReleaser
         uses: goreleaser/goreleaser-action@v1

.goreleaser.yaml

@@ -0,0 +1,9 @@
+builds:
+  -
+    goos:
+      - darwin
+      - linux
+    goarch:
+      - "386"
+      - "amd64"
+      - "arm64"

CHANGELOG.md

@@ -0,0 +1,9 @@
+# Changelog
+
+# [v1.7.0] - 2023-05-19
+
+### New minor release
+
+- Update Go version to 1.17.x
+- Update goreleaser github action to v3 and limit build OS types to darwin and linux
+- Add template helper `expandFullChain` - which returns a map of all secret objects from a keyvault, including pem and key files when a secret is a certificate

README.md

@@ -148,6 +148,8 @@ Complete List of Cert Helpers:
 
 `fullChain` - returns full certificate chain including leaf cert in PEM format.
 
+`expandFullChain` - returns a map of secrets, including separate PEM and keys.
+
 Note:
 - The resource type `cert` does not contain any chain information due to the way Azure stores the data.  If you wish to use `issuers` or `fullChain` helpers, you must do so on a `secret` resource.
 - The `issuers` and `fullChain` helpers will do their best to reconstruct the chain, but can only work with the data
@@ -214,6 +216,24 @@ will output the following in the `config.json` file
 { "dbHost": "my-host", "dbName": "my-db", "dbUser": "my-user", "dbPass": "my-pass" }
 ```
 
+Using the built-in `expandFullChain` helper will separate the PEM and key from certificates if present in your secrets, and return the pem and key as separate secrets along with any original secrets from a given keyvault.
+```yaml
+workers:
+  -
+    resources:
+      - kind: all-secrets
+        vaultBaseURL: https://test-kv.vault.azure.net/
+    frequency: 60s
+    postChange: docker restart webapp
+    sinks:
+      - path: ./config.json
+        template: "{{ index .Secrets | expandFullChain | toValues | toJson }"
+```
+will output the following in the `config.json` file
+```json
+{"test-cert":"...","test-cert.key":"...","test-cert.pem":"...","some-string-secret":"...","different-cert":"...","different-cert.key":"...","different-cert.pem":"..."}
+```
+
 ### Resources with special characters in their name
 
 Go's text/template syntax cannot handle reading fields with special characters (including hyphens)
@@ -296,3 +316,24 @@ A filesystem watch is placed on the specified config file, and if the file is ch
 # Known Issues
 
 - Using a 4 digit `mode` on MacOS will only support `sticky` (i.e. `1644`). `setuid` and `setgid` do not work.
+
+# Development
+
+## Building locally
+* Run `go mod download` to download dependencies in the module cache
+* Add any test configuration to a local akva.yaml file
+* Run `go build . && ./azure-key-vault-agent -c ./akva.yaml` to build and run
+
+## Troubleshooting builds
+* If you run into any issues when running `go build .`, you may need to update package dependencies
+* You can update a single package with `go get -u <package name>`
+## Releasing a new version
+
+1. Update the CHANGELOG accordingly
+1. Merge the PR
+1. Determine the most recent deployment tag version: `git checkout master && git fetch && git tag --sort=-creatordate | head -n1` - the new version tag should be above this using [semVer](https://semver.org/)
+1. Tag and push the new release; example:
+```
+git tag -a v1.7.0 -m "version 1.7.0"
+git push origin v1.7.0
+```

certutil/certutil.go

@@ -11,9 +11,10 @@ import (
 	"encoding/pem"
 	"errors"
 	"fmt"
+	"strings"
+
 	"github.com/twmb/algoimpl/go/graph"
 	"golang.org/x/crypto/pkcs12"
-	"strings"
 )
 
 // Takes Base64 Encoded PKCS12 as String and produces PEM Encoded PCKS8 Private Key as String
@@ -148,7 +149,7 @@ func stringToPemBlocks(data string) []*pem.Block {
 }
 
 // Attempts to find Private key in array of pem.Block and return it as PEM Encoded PKCS8 String
-func findPrivateKeyInPemBlocks(blocks []*pem.Block ) string {
+func findPrivateKeyInPemBlocks(blocks []*pem.Block) string {
 	var keyBuffer bytes.Buffer
 	//Find the private key from all the blocks
 	for _, block := range blocks {
@@ -255,4 +256,4 @@ func findChainInPemBlocks(blocks []*pem.Block, justIssuers bool) string {
 	}
 
 	return certBuffer.String()
-}
+}

configparser/configparser.go

@@ -2,16 +2,17 @@ package configparser
 
 import (
 	"fmt"
-	"github.com/go-playground/validator/v10"
-	log "github.com/sirupsen/logrus"
-	"gopkg.in/yaml.v2"
 	"io/ioutil"
 	"os"
 	"os/user"
 	"regexp"
 	"strconv"
 	"time"
 
+	"github.com/go-playground/validator/v10"
+	log "github.com/sirupsen/logrus"
+	"gopkg.in/yaml.v2"
+
 	"github.com/covermymeds/azure-key-vault-agent/config"
 	"github.com/gobuffalo/envy"
 )

go.mod

@@ -1,34 +1,44 @@
 module github.com/covermymeds/azure-key-vault-agent
 
-go 1.13
+go 1.17
 
 require (
-	cloud.google.com/go v0.63.0 // indirect
 	github.com/Azure/azure-sdk-for-go v37.1.0+incompatible
 	github.com/Azure/go-autorest/autorest v0.9.3
 	github.com/Azure/go-autorest/autorest/adal v0.8.1
-	github.com/Azure/go-autorest/autorest/to v0.4.0 // indirect
-	github.com/Azure/go-autorest/autorest/validation v0.3.0 // indirect
-	github.com/Masterminds/goutils v1.1.0 // indirect
-	github.com/Masterminds/semver v1.5.0 // indirect
 	github.com/Masterminds/sprig v2.22.0+incompatible
 	github.com/fsnotify/fsnotify v1.4.7
 	github.com/go-playground/validator/v10 v10.1.0
 	github.com/gobuffalo/envy v1.8.1
-	github.com/google/uuid v1.1.1 // indirect
-	github.com/googleapis/gax-go v1.0.3 // indirect
-	github.com/huandu/xstrings v1.3.2 // indirect
-	github.com/imdario/mergo v0.3.10 // indirect
 	github.com/jpillora/backoff v1.0.0
-	github.com/julienschmidt/httprouter v1.3.0 // indirect
 	github.com/luci/luci-go v0.0.0-20200220034857-6a27eb3e318d
-	github.com/mitchellh/copystructure v1.0.0 // indirect
-	github.com/mitchellh/go-homedir v1.1.0 // indirect
 	github.com/sirupsen/logrus v1.4.2
-	github.com/smartystreets/goconvey v1.6.4 // indirect
 	github.com/twmb/algoimpl v0.0.0-20170717182524-076353e90b94
-	go.chromium.org/luci v0.0.0-20200814170619-378a717791e3 // indirect
-	golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9
-	google.golang.org/genproto v0.0.0-20200814021100-8c09557e8a18 // indirect
+	golang.org/x/crypto v0.9.0
 	gopkg.in/yaml.v2 v2.3.0
 )
+
+require (
+	github.com/Azure/go-autorest v14.2.0+incompatible // indirect
+	github.com/Azure/go-autorest/autorest/date v0.2.0 // indirect
+	github.com/Azure/go-autorest/autorest/to v0.4.0 // indirect
+	github.com/Azure/go-autorest/autorest/validation v0.3.0 // indirect
+	github.com/Azure/go-autorest/logger v0.1.0 // indirect
+	github.com/Azure/go-autorest/tracing v0.5.0 // indirect
+	github.com/Masterminds/goutils v1.1.1 // indirect
+	github.com/Masterminds/semver v1.5.0 // indirect
+	github.com/dgrijalva/jwt-go v3.2.0+incompatible // indirect
+	github.com/go-playground/locales v0.13.0 // indirect
+	github.com/go-playground/universal-translator v0.17.0 // indirect
+	github.com/google/uuid v1.1.1 // indirect
+	github.com/huandu/xstrings v1.3.2 // indirect
+	github.com/imdario/mergo v0.3.10 // indirect
+	github.com/joho/godotenv v1.3.0 // indirect
+	github.com/konsorten/go-windows-terminal-sequences v1.0.1 // indirect
+	github.com/leodido/go-urn v1.2.0 // indirect
+	github.com/mitchellh/copystructure v1.0.0 // indirect
+	github.com/mitchellh/reflectwalk v1.0.0 // indirect
+	github.com/rogpeppe/go-internal v1.3.2 // indirect
+	github.com/smartystreets/goconvey v1.6.4 // indirect
+	golang.org/x/sys v0.8.0 // indirect
+)