From 92c974738c60cfe8b34a6c0f97b42a4c6c974706 Mon Sep 17 00:00:00 2001 From: Byungsoo Kim <7953203+i1snow@users.noreply.github.com> Date: Wed, 15 May 2024 16:50:03 -0400 Subject: [PATCH] Initial check in --- .github/workflows/ci.yml | 81 +++++++ Dockerfile | 14 ++ README.md | 19 +- examples/postinit.yaml | 34 +++ go.mod | 119 ++++++++++ go.sum | 383 +++++++++++++++++++++++++++++++++ main.go | 113 ++++++++++ pkgs/aws/secrets.go | 84 ++++++++ pkgs/aws/secrets_test.go | 16 ++ pkgs/certs/decode.go | 21 ++ pkgs/files/files.go | 40 ++++ pkgs/gcp/secrets.go | 77 +++++++ pkgs/objects/clients.go | 16 ++ pkgs/objects/postTasks.go | 100 +++++++++ pkgs/objects/postTasks_test.go | 78 +++++++ pkgs/retry/options.go | 41 ++++ pkgs/retry/retry.go | 65 ++++++ pkgs/retry/retry_test.go | 64 ++++++ pkgs/url/file.go | 20 ++ pkgs/url/file_test.go | 52 +++++ pkgs/vault/certs.go | 45 ++++ pkgs/vault/certs_test.go | 66 ++++++ pkgs/vault/client.go | 43 ++++ pkgs/vault/sys.go | 173 +++++++++++++++ pkgs/vault/sys_objects.go | 15 ++ pkgs/vault/sys_test.go | 153 +++++++++++++ pkgs/vault/testutils.go | 62 ++++++ renovate.json | 23 ++ setup.go | 214 ++++++++++++++++++ setup_test.go | 96 +++++++++ 30 files changed, 2326 insertions(+), 1 deletion(-) create mode 100644 .github/workflows/ci.yml create mode 100644 Dockerfile create mode 100644 examples/postinit.yaml create mode 100644 go.mod create mode 100644 go.sum create mode 100644 main.go create mode 100644 pkgs/aws/secrets.go create mode 100644 pkgs/aws/secrets_test.go create mode 100644 pkgs/certs/decode.go create mode 100644 pkgs/files/files.go create mode 100644 pkgs/gcp/secrets.go create mode 100644 pkgs/objects/clients.go create mode 100644 pkgs/objects/postTasks.go create mode 100644 pkgs/objects/postTasks_test.go create mode 100644 pkgs/retry/options.go create mode 100644 pkgs/retry/retry.go create mode 100644 pkgs/retry/retry_test.go create mode 100644 pkgs/url/file.go create mode 100644 pkgs/url/file_test.go create mode 100644 pkgs/vault/certs.go create mode 100644 pkgs/vault/certs_test.go create mode 100644 pkgs/vault/client.go create mode 100644 pkgs/vault/sys.go create mode 100644 pkgs/vault/sys_objects.go create mode 100644 pkgs/vault/sys_test.go create mode 100644 pkgs/vault/testutils.go create mode 100644 renovate.json create mode 100644 setup.go create mode 100644 setup_test.go diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml new file mode 100644 index 0000000..678e3e0 --- /dev/null +++ b/.github/workflows/ci.yml @@ -0,0 +1,81 @@ +--- +name: CI +on: + pull_request: + branches: + - main +env: + # renovate: datasource=github-releases depName=golangci/golangci-lint versioning=semver-coerced + GOLANGCI_LINT_VERSION: "v1.59.0" + IMAGE_NAME: "${{ github.repository }}" + TAG: "ghcr.io/${{ github.repository }}:latest" + TEST_PARAMS: "--vault-addr localhost:1234 --initout file:/secret_out.txt --dry-run" + REGISTRY: "ghcr.io" +jobs: + go: + name: Go + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4 + - name: Set up Go + uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5 + with: + go-version-file: 'go.mod' + - name: golangci-lint + uses: golangci/golangci-lint-action@23faadfdeb23a6f9e511beaba149bb123b5b145a # v6 + with: + version: ${{ env.GOLANGCI_LINT_VERSION }} + args: --timeout=10m + - name: go test + run: | + go test -v ./... + - name: run vault-init + run: | + go build -o vault-init . + ./vault-init ${{ env.TEST_PARAMS }} + docker: + name: Docker Build vault-init + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4 + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3 + - name: Log in to the Container registry + if: ${{ github.ref == 'refs/heads/main' }} + uses: docker/login-action@v3 + with: + registry: ${{ env.REGISTRY }} + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + - name: Build test image + uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5 + with: + context: . + push: false + load: true + tags: ${{ env.TAG }} + cache-from: type=gha + - name: Test image + run: | + docker run --rm ${{ env.TAG }} ${{ env.TEST_PARAMS }} + - name: Extract metadata (tags, labels) for Docker + id: meta + uses: docker/metadata-action@v5 + with: + images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} + tags: | + type=ref,event=pr + type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', 'main') }} + - name: Build images + uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5 + with: + context: . + platforms: linux/amd64,linux/arm64 + push: ${{ github.ref == 'refs/heads/main' }} + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} + cache-from: type=gha + cache-to: type=gha,mode=max + diff --git a/Dockerfile b/Dockerfile new file mode 100644 index 0000000..506ed79 --- /dev/null +++ b/Dockerfile @@ -0,0 +1,14 @@ +FROM golang:1.22@sha256:ab48cd7b8e2cffb6fa1199de232f61c76d3c33dc158be8a998c5407a8e5eb583 as builder + +WORKDIR / +COPY go.mod go.sum ./ +RUN go mod download + +COPY *.go ./ +COPY pkgs ./pkgs +RUN CGO_ENABLED=0 GOOS=linux go build -o /vault-init -trimpath . + +FROM gcr.io/distroless/base:latest@sha256:786007f631d22e8a1a5084c5b177352d9dcac24b1e8c815187750f70b24a9fc6 +WORKDIR / +COPY --from=builder /vault-init /vault-init +ENTRYPOINT ["/vault-init"] diff --git a/README.md b/README.md index 83c7357..bf239e5 100644 --- a/README.md +++ b/README.md @@ -1,2 +1,19 @@ # vault-init -When a new hashicorp vault cluster starts, it needs to be initialized. The code handles the initialization and plus +When a new hashicorp vault cluster starts, it needs to be initialized. The code handles the initialization and some tasks after the initialization + +## Vault initialization for vault managed by Terraform Cloud + +`vault-init` initializes the vault in the given address and +saves the output to a gcp/aws secret or file. **Currently it does +NOT handle unseal process and it assumes that auto unseal is +implemented already (usually through KMS).** +After the intialization, with the initial root token, `vault-init` +can perform the following tasks + - Set up policies; in order for the authentication to work properly, + policies need to be set. Typically, `admin` policy can be set + through this task. + - Set up `jwt` type auth for oidc; oidc configuration and the initial + role can be set up. Typically, `admin` role is set up with the policy + created in the previous "policy task". For example, the role of + terraform agent and workspace for vault ACL can be set up through + this task. Refer to https://developer.hashicorp.com/terraform/cloud-docs/workspaces/dynamic-provider-credentials/vault-configuration for details diff --git a/examples/postinit.yaml b/examples/postinit.yaml new file mode 100644 index 0000000..4facbce --- /dev/null +++ b/examples/postinit.yaml @@ -0,0 +1,34 @@ +- type: policy + task: + name: admin + policy_content: | + path "sys/leases/*" + { + capabilities = ["create", "read", "update", "delete", "list", "sudo"] + } + path "auth/*" + { + capabilities = ["create", "read", "update", "delete", "list", "sudo"] + } + path "sys/auth/*" + { + capabilities = ["create", "read", "update", "delete", "list", "sudo"] + } + path "sys/auth" + { + capabilities = ["read"] + } +- type: oidc_auth + task: + auth_path: jwt + oidc_discovery_url: "https://app.terraform.io" + bound_issuer: "https://app.terraform.io" + role: + name: tfc-agent + policy_names: + - admin + bound_audiences: + - vault.workload.identity + bound_claim_sub: "organization:my-org-name:project:my-project-name:workspace:my-workspace-name:run_phase:*" + user_claim: terraform_full_workspace + ttl: 20m \ No newline at end of file diff --git a/go.mod b/go.mod new file mode 100644 index 0000000..eb2b174 --- /dev/null +++ b/go.mod @@ -0,0 +1,119 @@ +module github.com/retailnext/vault-init + +go 1.22.1 + +require ( + github.com/aws/aws-sdk-go-v2 v1.26.1 + github.com/stretchr/testify v1.9.0 + github.com/testcontainers/testcontainers-go v0.31.0 + github.com/testcontainers/testcontainers-go/modules/vault v0.31.0 + github.com/urfave/cli/v2 v2.27.2 + gopkg.in/yaml.v3 v3.0.1 +) + +require ( + cloud.google.com/go/auth v0.3.0 // indirect + cloud.google.com/go/auth/oauth2adapt v0.2.2 // indirect + cloud.google.com/go/compute/metadata v0.3.0 // indirect + cloud.google.com/go/iam v1.1.7 // indirect + dario.cat/mergo v1.0.0 // indirect + github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 // indirect + github.com/Microsoft/go-winio v0.6.1 // indirect + github.com/Microsoft/hcsshim v0.11.4 // indirect + github.com/aws/aws-sdk-go-v2/credentials v1.17.11 // indirect + github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.1 // indirect + github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.5 // indirect + github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.5 // indirect + github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0 // indirect + github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2 // indirect + github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.7 // indirect + github.com/aws/aws-sdk-go-v2/service/sso v1.20.5 // indirect + github.com/aws/aws-sdk-go-v2/service/ssooidc v1.23.4 // indirect + github.com/aws/aws-sdk-go-v2/service/sts v1.28.6 // indirect + github.com/aws/smithy-go v1.20.2 // indirect + github.com/cenkalti/backoff/v3 v3.2.2 // indirect + github.com/cenkalti/backoff/v4 v4.2.1 // indirect + github.com/containerd/containerd v1.7.15 // indirect + github.com/containerd/log v0.1.0 // indirect + github.com/cpuguy83/dockercfg v0.3.1 // indirect + github.com/davecgh/go-spew v1.1.1 // indirect + github.com/distribution/reference v0.5.0 // indirect + github.com/docker/docker v25.0.5+incompatible // indirect + github.com/docker/go-connections v0.5.0 // indirect + github.com/docker/go-units v0.5.0 // indirect + github.com/felixge/httpsnoop v1.0.4 // indirect + github.com/go-jose/go-jose/v4 v4.0.1 // indirect + github.com/go-logr/logr v1.4.1 // indirect + github.com/go-logr/stdr v1.2.2 // indirect + github.com/go-ole/go-ole v1.2.6 // indirect + github.com/gogo/protobuf v1.3.2 // indirect + github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect + github.com/golang/protobuf v1.5.4 // indirect + github.com/google/s2a-go v0.1.7 // indirect + github.com/google/uuid v1.6.0 // indirect + github.com/googleapis/enterprise-certificate-proxy v0.3.2 // indirect + github.com/googleapis/gax-go/v2 v2.12.3 // indirect + github.com/hashicorp/errwrap v1.1.0 // indirect + github.com/hashicorp/go-cleanhttp v0.5.2 // indirect + github.com/hashicorp/go-multierror v1.1.1 // indirect + github.com/hashicorp/go-retryablehttp v0.7.5 // indirect + github.com/hashicorp/go-rootcerts v1.0.2 // indirect + github.com/hashicorp/go-secure-stdlib/parseutil v0.1.8 // indirect + github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 // indirect + github.com/hashicorp/go-sockaddr v1.0.6 // indirect + github.com/hashicorp/hcl v1.0.0 // indirect + github.com/klauspost/compress v1.16.0 // indirect + github.com/kr/text v0.2.0 // indirect + github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0 // indirect + github.com/magiconair/properties v1.8.7 // indirect + github.com/mitchellh/go-homedir v1.1.0 // indirect + github.com/mitchellh/mapstructure v1.5.0 // indirect + github.com/moby/patternmatcher v0.6.0 // indirect + github.com/moby/sys/sequential v0.5.0 // indirect + github.com/moby/sys/user v0.1.0 // indirect + github.com/moby/term v0.5.0 // indirect + github.com/morikuni/aec v1.0.0 // indirect + github.com/opencontainers/go-digest v1.0.0 // indirect + github.com/opencontainers/image-spec v1.1.0 // indirect + github.com/pkg/errors v0.9.1 // indirect + github.com/pmezard/go-difflib v1.0.0 // indirect + github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c // indirect + github.com/ryanuber/go-glob v1.0.0 // indirect + github.com/shirou/gopsutil/v3 v3.23.12 // indirect + github.com/shoenig/go-m1cpu v0.1.6 // indirect + github.com/sirupsen/logrus v1.9.3 // indirect + github.com/tklauser/go-sysconf v0.3.12 // indirect + github.com/tklauser/numcpus v0.6.1 // indirect + github.com/yusufpapurcu/wmi v1.2.3 // indirect + go.opencensus.io v0.24.0 // indirect + go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.49.0 // indirect + go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0 // indirect + go.opentelemetry.io/otel v1.24.0 // indirect + go.opentelemetry.io/otel/metric v1.24.0 // indirect + go.opentelemetry.io/otel/trace v1.24.0 // indirect + golang.org/x/crypto v0.22.0 // indirect + golang.org/x/mod v0.16.0 // indirect + golang.org/x/net v0.24.0 // indirect + golang.org/x/oauth2 v0.19.0 // indirect + golang.org/x/sync v0.7.0 // indirect + golang.org/x/sys v0.19.0 // indirect + golang.org/x/text v0.14.0 // indirect + golang.org/x/time v0.5.0 // indirect + golang.org/x/tools v0.13.0 // indirect + google.golang.org/api v0.177.0 // indirect + google.golang.org/genproto v0.0.0-20240401170217-c3f982113cda // indirect + google.golang.org/genproto/googleapis/api v0.0.0-20240429193739-8cf5692501f6 // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20240429193739-8cf5692501f6 // indirect + google.golang.org/grpc v1.63.2 // indirect + google.golang.org/protobuf v1.34.0 // indirect +) + +require ( + cloud.google.com/go/secretmanager v1.13.0 + github.com/aws/aws-sdk-go-v2/config v1.27.11 + github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.28.6 + github.com/cpuguy83/go-md2man/v2 v2.0.4 // indirect + github.com/hashicorp/vault/api v1.13.0 + github.com/russross/blackfriday/v2 v2.1.0 // indirect + github.com/xrash/smetrics v0.0.0-20240312152122-5f08fbb34913 // indirect +) diff --git a/go.sum b/go.sum new file mode 100644 index 0000000..1bb5ee2 --- /dev/null +++ b/go.sum @@ -0,0 +1,383 @@ +cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= +cloud.google.com/go v0.112.2 h1:ZaGT6LiG7dBzi6zNOvVZwacaXlmf3lRqnC4DQzqyRQw= +cloud.google.com/go v0.112.2/go.mod h1:iEqjp//KquGIJV/m+Pk3xecgKNhV+ry+vVTsy4TbDms= +cloud.google.com/go/auth v0.3.0 h1:PRyzEpGfx/Z9e8+lHsbkoUVXD0gnu4MNmm7Gp8TQNIs= +cloud.google.com/go/auth v0.3.0/go.mod h1:lBv6NKTWp8E3LPzmO1TbiiRKc4drLOfHsgmlH9ogv5w= +cloud.google.com/go/auth/oauth2adapt v0.2.2 h1:+TTV8aXpjeChS9M+aTtN/TjdQnzJvmzKFt//oWu7HX4= +cloud.google.com/go/auth/oauth2adapt v0.2.2/go.mod h1:wcYjgpZI9+Yu7LyYBg4pqSiaRkfEK3GQcpb7C/uyF1Q= +cloud.google.com/go/compute/metadata v0.3.0 h1:Tz+eQXMEqDIKRsmY3cHTL6FVaynIjX2QxYC4trgAKZc= +cloud.google.com/go/compute/metadata v0.3.0/go.mod h1:zFmK7XCadkQkj6TtorcaGlCW1hT1fIilQDwofLpJ20k= +cloud.google.com/go/iam v1.1.7 h1:z4VHOhwKLF/+UYXAJDFwGtNF0b6gjsW1Pk9Ml0U/IoM= +cloud.google.com/go/iam v1.1.7/go.mod h1:J4PMPg8TtyurAUvSmPj8FF3EDgY1SPRZxcUGrn7WXGA= +cloud.google.com/go/secretmanager v1.13.0 h1:nQ/Ca2Gzm/OEP8tr1hiFdHRi5wAnAmsm9qTjwkivyrQ= +cloud.google.com/go/secretmanager v1.13.0/go.mod h1:yWdfNmM2sLIiyv6RM6VqWKeBV7CdS0SO3ybxJJRhBEs= +dario.cat/mergo v1.0.0 h1:AGCNq9Evsj31mOgNPcLyXc+4PNABt905YmuqPYYpBWk= +dario.cat/mergo v1.0.0/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk= +github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 h1:bvDV9vkmnHYOMsOr4WLk+Vo07yKIzd94sVoIqshQ4bU= +github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24/go.mod h1:8o94RPi1/7XTJvwPpRSzSUedZrtlirdB3r9Z20bi2f8= +github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 h1:UQHMgLO+TxOElx5B5HZ4hJQsoJ/PvUvKRhJHDQXO8P8= +github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E= +github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= +github.com/Microsoft/go-winio v0.6.1 h1:9/kr64B9VUZrLm5YYwbGtUJnMgqWVOdUAXu6Migciow= +github.com/Microsoft/go-winio v0.6.1/go.mod h1:LRdKpFKfdobln8UmuiYcKPot9D2v6svN5+sAH+4kjUM= +github.com/Microsoft/hcsshim v0.11.4 h1:68vKo2VN8DE9AdN4tnkWnmdhqdbpUFM8OF3Airm7fz8= +github.com/Microsoft/hcsshim v0.11.4/go.mod h1:smjE4dvqPX9Zldna+t5FG3rnoHhaB7QYxPRqGcpAD9w= +github.com/aws/aws-sdk-go-v2 v1.26.1 h1:5554eUqIYVWpU0YmeeYZ0wU64H2VLBs8TlhRB2L+EkA= +github.com/aws/aws-sdk-go-v2 v1.26.1/go.mod h1:ffIFB97e2yNsv4aTSGkqtHnppsIJzw7G7BReUZ3jCXM= +github.com/aws/aws-sdk-go-v2/config v1.27.11 h1:f47rANd2LQEYHda2ddSCKYId18/8BhSRM4BULGmfgNA= +github.com/aws/aws-sdk-go-v2/config v1.27.11/go.mod h1:SMsV78RIOYdve1vf36z8LmnszlRWkwMQtomCAI0/mIE= +github.com/aws/aws-sdk-go-v2/credentials v1.17.11 h1:YuIB1dJNf1Re822rriUOTxopaHHvIq0l/pX3fwO+Tzs= +github.com/aws/aws-sdk-go-v2/credentials v1.17.11/go.mod h1:AQtFPsDH9bI2O+71anW6EKL+NcD7LG3dpKGMV4SShgo= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.1 h1:FVJ0r5XTHSmIHJV6KuDmdYhEpvlHpiSd38RQWhut5J4= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.1/go.mod h1:zusuAeqezXzAB24LGuzuekqMAEgWkVYukBec3kr3jUg= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.5 h1:aw39xVGeRWlWx9EzGVnhOR4yOjQDHPQ6o6NmBlscyQg= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.5/go.mod h1:FSaRudD0dXiMPK2UjknVwwTYyZMRsHv3TtkabsZih5I= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.5 h1:PG1F3OD1szkuQPzDw3CIQsRIrtTlUC3lP84taWzHlq0= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.5/go.mod h1:jU1li6RFryMz+so64PpKtudI+QzbKoIEivqdf6LNpOc= +github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0 h1:hT8rVHwugYE2lEfdFE0QWVo81lF7jMrYJVDWI+f+VxU= +github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0/go.mod h1:8tu/lYfQfFe6IGnaOdrpVgEL2IrrDOf6/m9RQum4NkY= +github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2 h1:Ji0DY1xUsUr3I8cHps0G+XM3WWU16lP6yG8qu1GAZAs= +github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2/go.mod h1:5CsjAbs3NlGQyZNFACh+zztPDI7fU6eW9QsxjfnuBKg= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.7 h1:ogRAwT1/gxJBcSWDMZlgyFUM962F51A5CRhDLbxLdmo= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.7/go.mod h1:YCsIZhXfRPLFFCl5xxY+1T9RKzOKjCut+28JSX2DnAk= +github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.28.6 h1:TIOEjw0i2yyhmhRry3Oeu9YtiiHWISZ6j/irS1W3gX4= +github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.28.6/go.mod h1:3Ba++UwWd154xtP4FRX5pUK3Gt4up5sDHCve6kVfE+g= +github.com/aws/aws-sdk-go-v2/service/sso v1.20.5 h1:vN8hEbpRnL7+Hopy9dzmRle1xmDc7o8tmY0klsr175w= +github.com/aws/aws-sdk-go-v2/service/sso v1.20.5/go.mod h1:qGzynb/msuZIE8I75DVRCUXw3o3ZyBmUvMwQ2t/BrGM= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.23.4 h1:Jux+gDDyi1Lruk+KHF91tK2KCuY61kzoCpvtvJJBtOE= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.23.4/go.mod h1:mUYPBhaF2lGiukDEjJX2BLRRKTmoUSitGDUgM4tRxak= +github.com/aws/aws-sdk-go-v2/service/sts v1.28.6 h1:cwIxeBttqPN3qkaAjcEcsh8NYr8n2HZPkcKgPAi1phU= +github.com/aws/aws-sdk-go-v2/service/sts v1.28.6/go.mod h1:FZf1/nKNEkHdGGJP/cI2MoIMquumuRK6ol3QQJNDxmw= +github.com/aws/smithy-go v1.20.2 h1:tbp628ireGtzcHDDmLT/6ADHidqnwgF57XOXZe6tp4Q= +github.com/aws/smithy-go v1.20.2/go.mod h1:krry+ya/rV9RDcV/Q16kpu6ypI4K2czasz0NC3qS14E= +github.com/cenkalti/backoff/v3 v3.2.2 h1:cfUAAO3yvKMYKPrvhDuHSwQnhZNk/RMHKdZqKTxfm6M= +github.com/cenkalti/backoff/v3 v3.2.2/go.mod h1:cIeZDE3IrqwwJl6VUwCN6trj1oXrTS4rc0ij+ULvLYs= +github.com/cenkalti/backoff/v4 v4.2.1 h1:y4OZtCnogmCPw98Zjyt5a6+QwPLGkiQsYW5oUqylYbM= +github.com/cenkalti/backoff/v4 v4.2.1/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE= +github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= +github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= +github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc= +github.com/containerd/containerd v1.7.15 h1:afEHXdil9iAm03BmhjzKyXnnEBtjaLJefdU7DV0IFes= +github.com/containerd/containerd v1.7.15/go.mod h1:ISzRRTMF8EXNpJlTzyr2XMhN+j9K302C21/+cr3kUnY= +github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I= +github.com/containerd/log v0.1.0/go.mod h1:VRRf09a7mHDIRezVKTRCrOq78v577GXq3bSa3EhrzVo= +github.com/cpuguy83/dockercfg v0.3.1 h1:/FpZ+JaygUR/lZP2NlFI2DVfrOEMAIKP5wWEJdoYe9E= +github.com/cpuguy83/dockercfg v0.3.1/go.mod h1:sugsbF4//dDlL/i+S+rtpIWp+5h0BHJHfjj5/jFyUJc= +github.com/cpuguy83/go-md2man/v2 v2.0.4 h1:wfIWP927BUkWJb2NmU/kNDYIBTh/ziUX91+lVfRxZq4= +github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= +github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= +github.com/creack/pty v1.1.18 h1:n56/Zwd5o6whRC5PMGretI4IdRLlmBXYNjScPaBgsbY= +github.com/creack/pty v1.1.18/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4= +github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= +github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/distribution/reference v0.5.0 h1:/FUIFXtfc/x2gpa5/VGfiGLuOIdYa1t65IKK2OFGvA0= +github.com/distribution/reference v0.5.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E= +github.com/docker/docker v25.0.5+incompatible h1:UmQydMduGkrD5nQde1mecF/YnSbTOaPeFIeP5C4W+DE= +github.com/docker/docker v25.0.5+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= +github.com/docker/go-connections v0.5.0 h1:USnMq7hx7gwdVZq1L49hLXaFtUdTADjXGp+uj1Br63c= +github.com/docker/go-connections v0.5.0/go.mod h1:ov60Kzw0kKElRwhNs9UlUHAE/F9Fe6GLaXnqyDdmEXc= +github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4= +github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk= +github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= +github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= +github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98= +github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= +github.com/fatih/color v1.16.0 h1:zmkK9Ngbjj+K0yRhTVONQh1p/HknKYSlNT+vZCzyokM= +github.com/fatih/color v1.16.0/go.mod h1:fL2Sau1YI5c0pdGEVCbKQbLXB6edEj1ZgiY4NijnWvE= +github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg= +github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U= +github.com/go-jose/go-jose/v4 v4.0.1 h1:QVEPDE3OluqXBQZDcnNvQrInro2h0e4eqNbnZSWqS6U= +github.com/go-jose/go-jose/v4 v4.0.1/go.mod h1:WVf9LFMHh/QVrmqrOfqun0C45tMe3RoiKJMPvgWwLfY= +github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= +github.com/go-logr/logr v1.4.1 h1:pKouT5E8xu9zeFC39JXRDukb6JFQPXM5p5I91188VAQ= +github.com/go-logr/logr v1.4.1/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= +github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag= +github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE= +github.com/go-ole/go-ole v1.2.6 h1:/Fpf6oFPoeFik9ty7siob0G6Ke8QvQEuVcuChpwXzpY= +github.com/go-ole/go-ole v1.2.6/go.mod h1:pprOEPIfldk/42T2oK7lQ4v4JSDwmV0As9GaiUsvbm0= +github.com/go-test/deep v1.0.2 h1:onZX1rnHT3Wv6cqNgYyFOOlgVKJrksuCMCRvJStbMYw= +github.com/go-test/deep v1.0.2/go.mod h1:wGDj63lr65AM2AQyKZd/NYHGb0R+1RLqB8NKt3aSFNA= +github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= +github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= +github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= +github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= +github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE= +github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= +github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= +github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8= +github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA= +github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs= +github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w= +github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0= +github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8= +github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= +github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek= +github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps= +github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= +github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= +github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= +github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= +github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= +github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= +github.com/google/s2a-go v0.1.7 h1:60BLSyTrOV4/haCDW4zb1guZItoSq8foHCXrAnjBo/o= +github.com/google/s2a-go v0.1.7/go.mod h1:50CgR4k1jNlWBu4UfS4AcfhVe1r6pdZPygJ3R8F0Qdw= +github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= +github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/googleapis/enterprise-certificate-proxy v0.3.2 h1:Vie5ybvEvT75RniqhfFxPRy3Bf7vr3h0cechB90XaQs= +github.com/googleapis/enterprise-certificate-proxy v0.3.2/go.mod h1:VLSiSSBs/ksPL8kq3OBOQ6WRI2QnaFynd1DCjZ62+V0= +github.com/googleapis/gax-go/v2 v2.12.3 h1:5/zPPDvw8Q1SuXjrqrZslrqT7dL/uJT2CQii/cLCKqA= +github.com/googleapis/gax-go/v2 v2.12.3/go.mod h1:AKloxT6GtNbaLm8QTNSidHUVsHYcBHwWRvkNFJUQcS4= +github.com/grpc-ecosystem/grpc-gateway/v2 v2.16.0 h1:YBftPWNWd4WwGqtY2yeZL2ef8rHAxPBD8KFhJpmcqms= +github.com/grpc-ecosystem/grpc-gateway/v2 v2.16.0/go.mod h1:YN5jB8ie0yfIUg6VvR9Kz84aCaG7AsGZnLjhHbUqwPg= +github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= +github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I= +github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= +github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ= +github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48= +github.com/hashicorp/go-hclog v0.9.2/go.mod h1:5CU+agLiy3J7N7QjHK5d05KxGsuXiQLrjA0H7acj2lQ= +github.com/hashicorp/go-hclog v0.16.2 h1:K4ev2ib4LdQETX5cSZBG0DVLk1jwGqSPXBjdah3veNs= +github.com/hashicorp/go-hclog v0.16.2/go.mod h1:whpDNt7SSdeAju8AWKIWsul05p54N/39EeqMAyrmvFQ= +github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo= +github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM= +github.com/hashicorp/go-retryablehttp v0.7.5 h1:bJj+Pj19UZMIweq/iie+1u5YCdGrnxCT9yvm0e+Nd5M= +github.com/hashicorp/go-retryablehttp v0.7.5/go.mod h1:Jy/gPYAdjqffZ/yFGCFV2doI5wjtH1ewM9u8iYVjtX8= +github.com/hashicorp/go-rootcerts v1.0.2 h1:jzhAVGtqPKbwpyCPELlgNWhE1znq+qwJtW5Oi2viEzc= +github.com/hashicorp/go-rootcerts v1.0.2/go.mod h1:pqUvnprVnM5bf7AOirdbb01K4ccR319Vf4pU3K5EGc8= +github.com/hashicorp/go-secure-stdlib/parseutil v0.1.8 h1:iBt4Ew4XEGLfh6/bPk4rSYmuZJGizr6/x/AEizP0CQc= +github.com/hashicorp/go-secure-stdlib/parseutil v0.1.8/go.mod h1:aiJI+PIApBRQG7FZTEBx5GiiX+HbOHilUdNxUZi4eV0= +github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 h1:kes8mmyCpxJsI7FTwtzRqEy9CdjCtrXrXGuOpxEA7Ts= +github.com/hashicorp/go-secure-stdlib/strutil v0.1.2/go.mod h1:Gou2R9+il93BqX25LAKCLuM+y9U2T4hlwvT1yprcna4= +github.com/hashicorp/go-sockaddr v1.0.6 h1:RSG8rKU28VTUTvEKghe5gIhIQpv8evvNpnDEyqO4u9I= +github.com/hashicorp/go-sockaddr v1.0.6/go.mod h1:uoUUmtwU7n9Dv3O4SNLeFvg0SxQ3lyjsj6+CCykpaxI= +github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4= +github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ= +github.com/hashicorp/vault-client-go v0.4.3 h1:zG7STGVgn/VK6rnZc0k8PGbfv2x/sJExRKHSUg3ljWc= +github.com/hashicorp/vault-client-go v0.4.3/go.mod h1:4tDw7Uhq5XOxS1fO+oMtotHL7j4sB9cp0T7U6m4FzDY= +github.com/hashicorp/vault/api v1.13.0 h1:RTCGpE2Rgkn9jyPcFlc7YmNocomda44k5ck8FKMH41Y= +github.com/hashicorp/vault/api v1.13.0/go.mod h1:0cb/uZUv1w2cVu9DIvuW1SMlXXC6qtATJt+LXJRx+kg= +github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= +github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= +github.com/klauspost/compress v1.16.0 h1:iULayQNOReoYUe+1qtKOqw9CwJv3aNQu8ivo7lw1HU4= +github.com/klauspost/compress v1.16.0/go.mod h1:ntbaceVETuRiXiv4DpjP66DpAtAGkEQskQzEyD//IeE= +github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= +github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk= +github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= +github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= +github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0 h1:6E+4a0GO5zZEnZ81pIr0yLvtUWk2if982qA3F3QD6H4= +github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0/go.mod h1:zJYVVT2jmtg6P3p1VtQj7WsuWi/y4VnjVBn7F8KPB3I= +github.com/magiconair/properties v1.8.7 h1:IeQXZAiQcpL9mgcAe1Nu6cX9LLw6ExEHKjN0VQdvPDY= +github.com/magiconair/properties v1.8.7/go.mod h1:Dhd985XPs7jluiymwWYZ0G4Z61jb3vdS329zhj2hYo0= +github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA= +github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg= +github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY= +github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y= +github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y= +github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= +github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY= +github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= +github.com/moby/patternmatcher v0.6.0 h1:GmP9lR19aU5GqSSFko+5pRqHi+Ohk1O69aFiKkVGiPk= +github.com/moby/patternmatcher v0.6.0/go.mod h1:hDPoyOpDY7OrrMDLaYoY3hf52gNCR/YOUYxkhApJIxc= +github.com/moby/sys/sequential v0.5.0 h1:OPvI35Lzn9K04PBbCLW0g4LcFAJgHsvXsRyewg5lXtc= +github.com/moby/sys/sequential v0.5.0/go.mod h1:tH2cOOs5V9MlPiXcQzRC+eEyab644PWKGRYaaV5ZZlo= +github.com/moby/sys/user v0.1.0 h1:WmZ93f5Ux6het5iituh9x2zAG7NFY9Aqi49jjE1PaQg= +github.com/moby/sys/user v0.1.0/go.mod h1:fKJhFOnsCN6xZ5gSfbM6zaHGgDJMrqt9/reuj4T7MmU= +github.com/moby/term v0.5.0 h1:xt8Q1nalod/v7BqbG21f8mQPqH+xAaC9C3N3wfWbVP0= +github.com/moby/term v0.5.0/go.mod h1:8FzsFHVUBGZdbDsJw/ot+X+d5HLUbvklYLJ9uGfcI3Y= +github.com/morikuni/aec v1.0.0 h1:nP9CBfwrvYnBRgY6qfDQkygYDmYwOilePFkwzv4dU8A= +github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc= +github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= +github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= +github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug= +github.com/opencontainers/image-spec v1.1.0/go.mod h1:W4s4sFTMaBeK1BQLXbG4AdM2szdn85PY75RI83NrTrM= +github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= +github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= +github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= +github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c h1:ncq/mPwQF4JjgDlrVEn3C11VoGHZN7m8qihwgMEtzYw= +github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c/go.mod h1:OmDBASR4679mdNQnz2pUhc2G8CO2JrUAVFDRBDP/hJE= +github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= +github.com/rogpeppe/go-internal v1.8.1 h1:geMPLpDpQOgVyCg5z5GoRwLHepNdb71NXb67XFkP+Eg= +github.com/rogpeppe/go-internal v1.8.1/go.mod h1:JeRgkft04UBgHMgCIwADu4Pn6Mtm5d4nPKWu0nJ5d+o= +github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk= +github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= +github.com/ryanuber/go-glob v1.0.0 h1:iQh3xXAumdQ+4Ufa5b25cRpC5TYKlno6hsv6Cb3pkBk= +github.com/ryanuber/go-glob v1.0.0/go.mod h1:807d1WSdnB0XRJzKNil9Om6lcp/3a0v4qIHxIXzX/Yc= +github.com/shirou/gopsutil/v3 v3.23.12 h1:z90NtUkp3bMtmICZKpC4+WaknU1eXtp5vtbQ11DgpE4= +github.com/shirou/gopsutil/v3 v3.23.12/go.mod h1:1FrWgea594Jp7qmjHUUPlJDTPgcsb9mGnXDxavtikzM= +github.com/shoenig/go-m1cpu v0.1.6 h1:nxdKQNcEB6vzgA2E2bvzKIYRuNj7XNJ4S/aRSwKzFtM= +github.com/shoenig/go-m1cpu v0.1.6/go.mod h1:1JJMcUBvfNwpq05QDQVAnx3gUHr9IYF7GNg9SUEw2VQ= +github.com/shoenig/test v0.6.4 h1:kVTaSd7WLz5WZ2IaoM0RSzRsUD+m8wRR+5qvntpn4LU= +github.com/shoenig/test v0.6.4/go.mod h1:byHiCGXqrVaflBLAMq/srcZIHynQPQgeyvkvXnjqq0k= +github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ= +github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= +github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= +github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= +github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo= +github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= +github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= +github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= +github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= +github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= +github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo= +github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg= +github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= +github.com/testcontainers/testcontainers-go v0.31.0 h1:W0VwIhcEVhRflwL9as3dhY6jXjVCA27AkmbnZ+UTh3U= +github.com/testcontainers/testcontainers-go v0.31.0/go.mod h1:D2lAoA0zUFiSY+eAflqK5mcUx/A5hrrORaEQrd0SefI= +github.com/testcontainers/testcontainers-go/modules/vault v0.31.0 h1:UYUDPWdAaea6X/c24wDCerEj8LmIITotBn6B+hKCOsU= +github.com/testcontainers/testcontainers-go/modules/vault v0.31.0/go.mod h1:pgbNbHxWkql7ctY/Vc5KA1f+b1jtMj6L9/fDc2LPpIA= +github.com/tidwall/gjson v1.17.1 h1:wlYEnwqAHgzmhNUFfw7Xalt2JzQvsMx2Se4PcoFCT/U= +github.com/tidwall/gjson v1.17.1/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk= +github.com/tidwall/match v1.1.1 h1:+Ho715JplO36QYgwN9PGYNhgZvoUSc9X2c80KVTi+GA= +github.com/tidwall/match v1.1.1/go.mod h1:eRSPERbgtNPcGhD8UCthc6PmLEQXEWd3PRB5JTxsfmM= +github.com/tidwall/pretty v1.2.0 h1:RWIZEg2iJ8/g6fDDYzMpobmaoGh5OLl4AXtGUGPcqCs= +github.com/tidwall/pretty v1.2.0/go.mod h1:ITEVvHYasfjBbM0u2Pg8T2nJnzm8xPwvNhhsoaGGjNU= +github.com/tklauser/go-sysconf v0.3.12 h1:0QaGUFOdQaIVdPgfITYzaTegZvdCjmYO52cSFAEVmqU= +github.com/tklauser/go-sysconf v0.3.12/go.mod h1:Ho14jnntGE1fpdOqQEEaiKRpvIavV0hSfmBq8nJbHYI= +github.com/tklauser/numcpus v0.6.1 h1:ng9scYS7az0Bk4OZLvrNXNSAO2Pxr1XXRAPyjhIx+Fk= +github.com/tklauser/numcpus v0.6.1/go.mod h1:1XfjsgE2zo8GVw7POkMbHENHzVg3GzmoZ9fESEdAacY= +github.com/urfave/cli/v2 v2.27.2 h1:6e0H+AkS+zDckwPCUrZkKX38mRaau4nL2uipkJpbkcI= +github.com/urfave/cli/v2 v2.27.2/go.mod h1:g0+79LmHHATl7DAcHO99smiR/T7uGLw84w8Y42x+4eM= +github.com/xrash/smetrics v0.0.0-20240312152122-5f08fbb34913 h1:+qGGcbkzsfDQNPPe9UDgpxAWQrhbbBXOYJFQDq/dtJw= +github.com/xrash/smetrics v0.0.0-20240312152122-5f08fbb34913/go.mod h1:4aEEwZQutDLsQv2Deui4iYQ6DWTxR14g6m8Wv88+Xqk= +github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= +github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= +github.com/yusufpapurcu/wmi v1.2.3 h1:E1ctvB7uKFMOJw3fdOW32DwGE9I7t++CRUEMKvFoFiw= +github.com/yusufpapurcu/wmi v1.2.3/go.mod h1:SBZ9tNy3G9/m5Oi98Zks0QjeHVDvuK0qfxQmPyzfmi0= +go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0= +go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo= +go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.49.0 h1:4Pp6oUg3+e/6M4C0A/3kJ2VYa++dsWVTtGgLVj5xtHg= +go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.49.0/go.mod h1:Mjt1i1INqiaoZOMGR1RIUJN+i3ChKoFRqzrRQhlkbs0= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0 h1:jq9TW8u3so/bN+JPT166wjOI6/vQPF6Xe7nMNIltagk= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0/go.mod h1:p8pYQP+m5XfbZm9fxtSKAbM6oIllS7s2AfxrChvc7iw= +go.opentelemetry.io/otel v1.24.0 h1:0LAOdjNmQeSTzGBzduGe/rU4tZhMwL5rWgtp9Ku5Jfo= +go.opentelemetry.io/otel v1.24.0/go.mod h1:W7b9Ozg4nkF5tWI5zsXkaKKDjdVjpD4oAt9Qi/MArHo= +go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.19.0 h1:Mne5On7VWdx7omSrSSZvM4Kw7cS7NQkOOmLcgscI51U= +go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.19.0/go.mod h1:IPtUMKL4O3tH5y+iXVyAXqpAwMuzC1IrxVS81rummfE= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.19.0 h1:IeMeyr1aBvBiPVYihXIaeIZba6b8E1bYp7lbdxK8CQg= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.19.0/go.mod h1:oVdCUtjq9MK9BlS7TtucsQwUcXcymNiEDjgDD2jMtZU= +go.opentelemetry.io/otel/metric v1.24.0 h1:6EhoGWWK28x1fbpA4tYTOWBkPefTDQnb8WSGXlc88kI= +go.opentelemetry.io/otel/metric v1.24.0/go.mod h1:VYhLe1rFfxuTXLgj4CBiyz+9WYBA8pNGJgDcSFRKBco= +go.opentelemetry.io/otel/sdk v1.24.0 h1:YMPPDNymmQN3ZgczicBY3B6sf9n62Dlj9pWD3ucgoDw= +go.opentelemetry.io/otel/sdk v1.24.0/go.mod h1:KVrIYw6tEubO9E96HQpcmpTKDVn9gdv35HoYiQWGDFg= +go.opentelemetry.io/otel/trace v1.24.0 h1:CsKnnL4dUAr/0llH9FKuc698G04IrpWV0MQA/Y1YELI= +go.opentelemetry.io/otel/trace v1.24.0/go.mod h1:HPc3Xr/cOApsBI154IU0OI0HJexz+aw5uPdbs3UCjNU= +go.opentelemetry.io/proto/otlp v1.0.0 h1:T0TX0tmXU8a3CbNXzEKGeU5mIVOdf0oykP+u2lIVU/I= +go.opentelemetry.io/proto/otlp v1.0.0/go.mod h1:Sy6pihPLfYHkr3NkUbEhGHFhINUSI/v80hjKIs5JXpM= +golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= +golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= +golang.org/x/crypto v0.22.0 h1:g1v0xeRhjcugydODzvb3mEM9SQ0HGp9s/nh3COQ/C30= +golang.org/x/crypto v0.22.0/go.mod h1:vr6Su+7cTlO45qkww3VDJlzDn0ctJvRgYbC2NvXHt+M= +golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= +golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= +golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU= +golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= +golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= +golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= +golang.org/x/mod v0.16.0 h1:QX4fJ0Rr5cPQCF7O9lh9Se4pmwfwskqZfq5moyldzic= +golang.org/x/mod v0.16.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= +golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= +golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= +golang.org/x/net v0.24.0 h1:1PcaxkF854Fu3+lvBIx5SYn9wRlBzzcnHZSiaFFAb0w= +golang.org/x/net v0.24.0/go.mod h1:2Q7sJY5mzlzWjKtYUEXSlBWCdyaioyXzRB2RtU8KVE8= +golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= +golang.org/x/oauth2 v0.19.0 h1:9+E/EZBCbTLNrbN35fHv/a/d/mOBatymz1zbtQrXpIg= +golang.org/x/oauth2 v0.19.0/go.mod h1:vYi7skDa1x015PmRRYZ7+s1cWyPgrPiSYRe4rnsexc8= +golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M= +golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= +golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190916202348-b4ddaad3f8a3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20201204225414-ed752295db88/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.19.0 h1:q5f1RH2jigJ1MoAWp2KTp3gm5zAGFUTarQZ5U386+4o= +golang.org/x/sys v0.19.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/term v0.19.0 h1:+ThwsDv+tYfnJFhF4L8jITxu1tdTWRTZpdsWgEgjL6Q= +golang.org/x/term v0.19.0/go.mod h1:2CuTdWZ7KHSQwUzKva0cbMg6q2DMI3Mmxp+gKJbskEk= +golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ= +golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= +golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk= +golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM= +golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY= +golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= +golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= +golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= +golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= +golang.org/x/tools v0.13.0 h1:Iey4qkscZuv0VvIt8E0neZjtPVQFSc870HQ448QgEmQ= +golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58= +golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +google.golang.org/api v0.177.0 h1:8a0p/BbPa65GlqGWtUKxot4p0TV8OGOfyTjtmkXNXmk= +google.golang.org/api v0.177.0/go.mod h1:srbhue4MLjkjbkux5p3dw/ocYOSZTaIEvf7bCOnFQDw= +google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= +google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= +google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= +google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= +google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo= +google.golang.org/genproto v0.0.0-20240401170217-c3f982113cda h1:wu/KJm9KJwpfHWhkkZGohVC6KRrc1oJNr4jwtQMOQXw= +google.golang.org/genproto v0.0.0-20240401170217-c3f982113cda/go.mod h1:g2LLCvCeCSir/JJSWosk19BR4NVxGqHUC6rxIRsd7Aw= +google.golang.org/genproto/googleapis/api v0.0.0-20240429193739-8cf5692501f6 h1:DTJM0R8LECCgFeUwApvcEJHz85HLagW8uRENYxHh1ww= +google.golang.org/genproto/googleapis/api v0.0.0-20240429193739-8cf5692501f6/go.mod h1:10yRODfgim2/T8csjQsMPgZOMvtytXKTDRzH6HRGzRw= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240429193739-8cf5692501f6 h1:DujSIu+2tC9Ht0aPNA7jgj23Iq8Ewi5sgkQ++wdvonE= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240429193739-8cf5692501f6/go.mod h1:WtryC6hu0hhx87FDGxWCDptyssuo68sk10vYjF+T9fY= +google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= +google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= +google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY= +google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= +google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc= +google.golang.org/grpc v1.63.2 h1:MUeiw1B2maTVZthpU5xvASfTh3LDbxHd6IJ6QQVU+xM= +google.golang.org/grpc v1.63.2/go.mod h1:WAX/8DgncnokcFUldAxq7GeB5DXHDbMF+lLvDomNkRA= +google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= +google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= +google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= +google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE= +google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo= +google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= +google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= +google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= +google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c= +google.golang.org/protobuf v1.34.0 h1:Qo/qEd2RZPCf2nKuorzksSknv0d3ERwp1vFG38gSmH4= +google.golang.org/protobuf v1.34.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos= +gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= +gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= +gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= +gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +gotest.tools/v3 v3.5.0 h1:Ljk6PdHdOhAb5aDMWXjDLMMhph+BpztA4v1QdqEW2eY= +gotest.tools/v3 v3.5.0/go.mod h1:isy3WKz7GK6uNw/sbHzfKBLvlvXwUyV06n6brMxxopU= +honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= +honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= diff --git a/main.go b/main.go new file mode 100644 index 0000000..6711263 --- /dev/null +++ b/main.go @@ -0,0 +1,113 @@ +package main + +import ( + "fmt" + "log/slog" + "os" + "path/filepath" + "time" + + "github.com/retailnext/vault-init/pkgs/aws" + "github.com/retailnext/vault-init/pkgs/gcp" + "github.com/retailnext/vault-init/pkgs/retry" + "github.com/urfave/cli/v2" +) + +const ( + ADMINPOLICYNAME = "admin" + VAULTSTATUSFAIL = "fail_to_get_status" + CLIENTCONTEXT = "client" +) + +func main() { + App := &cli.App{ + Name: "vault-init", + Usage: "Initialize vault", + Flags: []cli.Flag{ + &cli.StringFlag{Name: "vault-addr", Usage: "Vault address", EnvVars: []string{"VAULT_ADDR"}, Required: true}, + &cli.StringFlag{Name: "cacert", Usage: "CA cert for vault server", EnvVars: []string{"VAULT_CA"}, Required: false}, + &cli.StringFlag{ + Name: "initout", + Usage: "Output destination for the output of vault init", + EnvVars: []string{"VAULT_OUT"}, + Required: true, + }, + &cli.StringFlag{ + Name: "post-init", + Usage: "Instruction on what to do after vault init", + EnvVars: []string{"POST_INIT"}, + Required: false, + }, + &cli.BoolFlag{ + Name: "dry-run", + Usage: "Dry run to check the input", + Required: false, + }, + }, + Before: validateFlag, + Action: retryInitVault, + } + if err := App.Run(os.Args); err != nil { + slog.Error(err.Error()) + os.Exit(1) + } +} + +func validateFlag(cCtx *cli.Context) (err error) { + // Action in cli.StringFlag occurs AFTER beforeAPP so it is not useful + + // Check initout + if initOutPathType(cCtx.String("initout")) == "" { + return fmt.Errorf("unrecognizable initout path: %s does not match of the known types", cCtx.String("initout")) + } + + return err +} + +func retryInitVault(cCtx *cli.Context) error { + clients, err := SetupClients(cCtx) + if err != nil { + return err + } + if cCtx.String("post-init") != "" { + err = clients.SetupPostTasks([]byte(cCtx.String("post-init"))) + if err != nil { + return err + } + } + if cCtx.Bool("dry-run") { + fmt.Println("All the clients can be created") + return nil + } + + return retry.Do( + func() error { + err := clients.InitVault() + if err != nil { + return err + } + err = clients.CheckHealthVault() + if err != nil { + return err + } + + return clients.ExecutePostTasks() + }, + retry.Delay(5*time.Second), + retry.Attempts(10), + ) +} + +func initOutPathType(path string) string { + if gcp.CheckSecretPath(path) { + return "gcp" + } + if aws.CheckSecretPath(path) { + return "aws" + } + if _, err := filepath.Abs(path); err == nil { + return "file" + } + + return "" +} diff --git a/pkgs/aws/secrets.go b/pkgs/aws/secrets.go new file mode 100644 index 0000000..c397ee7 --- /dev/null +++ b/pkgs/aws/secrets.go @@ -0,0 +1,84 @@ +package aws + +import ( + "context" + "fmt" + "log/slog" + "regexp" + + "github.com/aws/aws-sdk-go-v2/aws" + "github.com/aws/aws-sdk-go-v2/config" + "github.com/aws/aws-sdk-go-v2/service/secretsmanager" +) + +type AWSSM struct { + ctx context.Context + client *secretsmanager.Client +} + +const ( + SecretPathExp = `^arn:.*:secretsmanager:(?P[^:]+):(?P[^:]+):secret:(?P[^:]+)-[^-]+$` +) + +func NewSecretClient(ctx context.Context, region string) (*AWSSM, error) { + config, err := config.LoadDefaultConfig(context.TODO(), config.WithRegion(region)) + if err != nil { + return nil, err + } + return &AWSSM{ + ctx: ctx, + client: secretsmanager.NewFromConfig(config), + }, nil +} + +func (s *AWSSM) GetVersion(secretName string, version string) (secretContent []byte, err error) { + input := &secretsmanager.GetSecretValueInput{ + SecretId: aws.String(secretName), + VersionStage: aws.String(version), // VersionStage defaults to AWSCURRENT if unspecified + } + result, err := s.client.GetSecretValue(s.ctx, input) + if err != nil { + return secretContent, fmt.Errorf("get_aws_secret_fail: %v", err) + } + fmt.Println(result.SecretString) + secretContent = []byte(*result.SecretString) + return +} + +func (s *AWSSM) GetValue(secretName string) ([]byte, error) { + return s.GetVersion(secretName, "AWSCURRENT") +} + +func (s *AWSSM) AddVersion(secretName string, secretContent []byte) (string, error) { + secretString := string(secretContent) + addVersionReq := &secretsmanager.PutSecretValueInput{ + SecretId: aws.String(secretName), + SecretString: &secretString, + } + result, err := s.client.PutSecretValue(s.ctx, addVersionReq) + if err != nil { + return "", fmt.Errorf("add_aws_secret_fail: %v", err) + } + return *result.VersionId, nil +} + +func CheckSecretPath(secretPath string) bool { + match, err := regexp.MatchString(SecretPathExp, secretPath) + if err != nil { + slog.Error("error_regexp_secret_path", "error", err) + } + return match +} + +func ParseSecretArn(secretPath string) (name, accountID, region string, err error) { + if !CheckSecretPath(secretPath) { + err = fmt.Errorf("%s fails to match %s", secretPath, SecretPathExp) + return + } + pattern := regexp.MustCompile(SecretPathExp) + matches := pattern.FindStringSubmatch(secretPath) + region = matches[1] + accountID = matches[2] + name = matches[3] + return +} diff --git a/pkgs/aws/secrets_test.go b/pkgs/aws/secrets_test.go new file mode 100644 index 0000000..df0a523 --- /dev/null +++ b/pkgs/aws/secrets_test.go @@ -0,0 +1,16 @@ +package aws + +import ( + "testing" + + "github.com/stretchr/testify/assert" +) + +func TestParseSecretArnValid(t *testing.T) { + secretArn := "arn:aws:secretsmanager:us-east-1:418627201366:secret:vault0-ca-private20240430134312612000000003-6F1Z6A" + name, accountID, region, err := ParseSecretArn(secretArn) + assert.NoError(t, err) + assert.Equal(t, "vault0-ca-private20240430134312612000000003", name) + assert.Equal(t, "418627201366", accountID) + assert.Equal(t, "us-east-1", region) +} diff --git a/pkgs/certs/decode.go b/pkgs/certs/decode.go new file mode 100644 index 0000000..70c93a2 --- /dev/null +++ b/pkgs/certs/decode.go @@ -0,0 +1,21 @@ +package certs + +import ( + "crypto/x509" + "encoding/pem" + "fmt" +) + +func ParsePEMCertificate(cert string) (*x509.Certificate, error) { + block, trailing := pem.Decode([]byte(cert)) + if block == nil { + return nil, fmt.Errorf("PEM decoding failed") + } + if len(trailing) > 0 { + return nil, fmt.Errorf("trailing data (%d bytes) after PEM certificate", len(trailing)) + } + if block.Type != "CERTIFICATE" { + return nil, fmt.Errorf("non-certificate PEM block") + } + return x509.ParseCertificate(block.Bytes) +} diff --git a/pkgs/files/files.go b/pkgs/files/files.go new file mode 100644 index 0000000..76eb386 --- /dev/null +++ b/pkgs/files/files.go @@ -0,0 +1,40 @@ +package files + +import ( + "context" + "os" + "path/filepath" +) + +type LocalFile struct { + ctx context.Context +} + +func NewLocalFileClient(ctx context.Context) (*LocalFile, error) { + return &LocalFile{ + ctx: ctx, + }, nil +} + +func (s *LocalFile) GetValue(filePath string) (content []byte, err error) { + _, err = os.Stat(filePath) + if err != nil { + return + } + content, err = os.ReadFile(filePath) + return +} + +func (s *LocalFile) AddVersion(filePath string, content []byte) (fileFullPath string, err error) { + if fileFullPath, err = filepath.Abs(filePath); err != nil { + return + } + fileout, err := os.Create(filePath) + if err != nil { + return + } + defer fileout.Close() + _, err = fileout.Write(content) + + return +} diff --git a/pkgs/gcp/secrets.go b/pkgs/gcp/secrets.go new file mode 100644 index 0000000..2834457 --- /dev/null +++ b/pkgs/gcp/secrets.go @@ -0,0 +1,77 @@ +package gcp + +import ( + "context" + "fmt" + "log/slog" + "regexp" + + secretmanager "cloud.google.com/go/secretmanager/apiv1" + "cloud.google.com/go/secretmanager/apiv1/secretmanagerpb" +) + +type GCPSSM struct { + ctx context.Context + client *secretmanager.Client +} + +const ( + SecretPathExp = "projects\\/([^\\/]+)\\/secrets\\/([^\\/]+)" +) + +func NewSecretClient(ctx context.Context) (*GCPSSM, error) { + client, err := secretmanager.NewClient(ctx) + if err != nil { + return nil, err + } + + return &GCPSSM{ + ctx: ctx, + client: client, + }, nil +} + +func (s *GCPSSM) GetVersion(secretPath string, version string) (secretContent []byte, err error) { + if !CheckSecretPath(secretPath) { + return secretContent, fmt.Errorf("wrong secret path: %s does not match %s", secretPath, SecretPathExp) + } + + accessRequest := &secretmanagerpb.AccessSecretVersionRequest{ + Name: fmt.Sprintf("%s/versions/%s", secretPath, version), + } + result, err := s.client.AccessSecretVersion(s.ctx, accessRequest) + if err != nil { + return secretContent, fmt.Errorf("get_version_fail: %v", err) + } + return result.Payload.Data, nil +} + +func (s *GCPSSM) GetValue(secretPath string) ([]byte, error) { + return s.GetVersion(secretPath, "latest") +} + +func (s *GCPSSM) AddVersion(secretPath string, secretContent []byte) (string, error) { + if !CheckSecretPath(secretPath) { + return "", fmt.Errorf("wrong secret path: %s does not match %s", secretPath, SecretPathExp) + } + + addSecretVersionReq := &secretmanagerpb.AddSecretVersionRequest{ + Parent: secretPath, + Payload: &secretmanagerpb.SecretPayload{ + Data: secretContent, + }, + } + version, err := s.client.AddSecretVersion(s.ctx, addSecretVersionReq) + if err != nil { + return "", fmt.Errorf("add_version_fail: %v", err) + } + return version.Name, nil +} + +func CheckSecretPath(secretPath string) bool { + match, err := regexp.MatchString(SecretPathExp, secretPath) + if err != nil { + slog.Error("error_regexp_secret_path", "error", err) + } + return match +} diff --git a/pkgs/objects/clients.go b/pkgs/objects/clients.go new file mode 100644 index 0000000..cc0974a --- /dev/null +++ b/pkgs/objects/clients.go @@ -0,0 +1,16 @@ +package objects + +import "github.com/retailnext/vault-init/pkgs/vault" + +// Secret client interface +type SSMClient interface { + GetValue(string) ([]byte, error) + AddVersion(string, []byte) (string, error) +} + +// Client setup +type Clients struct { + VaultClient *vault.Vault + SSMClient SSMClient + InitOutSecret string +} diff --git a/pkgs/objects/postTasks.go b/pkgs/objects/postTasks.go new file mode 100644 index 0000000..00b35e4 --- /dev/null +++ b/pkgs/objects/postTasks.go @@ -0,0 +1,100 @@ +package objects + +import ( + "fmt" + "log/slog" + + "gopkg.in/yaml.v3" +) + +type Task interface { + Do() error + Set(c *Clients, task []byte) error +} + +// === PolicyTask ===== + +type PolicyTask struct { + Name string `yaml:"name"` + PolicyContent string `yaml:"policy_content"` + Client *Clients +} + +func (p *PolicyTask) Set(c *Clients, task []byte) (err error) { + err = yaml.Unmarshal(task, p) + if err != nil { + return err + } + p.Client = c + if p.Client.VaultClient == nil { + return fmt.Errorf("vault client is not initialized") + } + return nil +} + +func (p *PolicyTask) Do() (err error) { + slog.Info("add_policy", "name", p.Name) + return p.Client.VaultClient.SetPolicy(p.Name, p.PolicyContent) +} + +// == OIDC jwt auth setup task === +type OIDCAuthTask struct { + AuthPath string `yaml:"auth_path"` + OIDCDiscoveryURL string `yaml:"oidc_discovery_url"` + BoundIssuer string `yaml:"bound_issuer"` + Role JWTAuthRole `yaml:"role"` + Client *Clients +} + +type JWTAuthRole struct { + Name string `yaml:"name"` + PolicyNames []string `yaml:"policy_names"` + BoundAudiences []string `yaml:"bound_audiences"` + BoundClaimSub string `yaml:"bound_claim_sub"` + UserClaim string `yaml:"user_claim"` + TTL string `yaml:"ttl"` +} + +func (a *OIDCAuthTask) Set(c *Clients, task []byte) (err error) { + err = yaml.Unmarshal(task, a) + if err != nil { + return err + } + a.Client = c + if a.Client.VaultClient == nil { + return fmt.Errorf("vault client is not initialized") + } + return nil +} + +func (a *OIDCAuthTask) Do() (err error) { + slog.Info("enable jwt auth", "path", a.AuthPath) + authType, err := a.Client.VaultClient.GetAuthType(a.AuthPath) + if err != nil { + // try to enable it + err = a.Client.VaultClient.EnableAuthByPath(a.AuthPath, "jwt") + if err != nil { + return err + } + } else { + if authType == "jwt" { + slog.Info("jwt auth path is already set") + } else { + return fmt.Errorf("auth path is already set by something else: auth_type = %s", authType) + } + } + + err = a.Client.VaultClient.AddAuthJWTConfig(a.AuthPath, a.OIDCDiscoveryURL, a.BoundIssuer) + if err != nil { + return err + } + return a.Client.VaultClient.AddAuthRoleJWTType( + a.AuthPath, + a.Role.Name, + a.Role.PolicyNames, + a.Role.BoundAudiences, + a.Role.BoundClaimSub, + a.Role.UserClaim, + a.Role.TTL, + ) +} diff --git a/pkgs/objects/postTasks_test.go b/pkgs/objects/postTasks_test.go new file mode 100644 index 0000000..9f07f50 --- /dev/null +++ b/pkgs/objects/postTasks_test.go @@ -0,0 +1,78 @@ +package objects + +import ( + "context" + "testing" + + "github.com/retailnext/vault-init/pkgs/vault" + "github.com/stretchr/testify/assert" +) + +func TestOIDCAuthTask(t *testing.T) { + oidcTaskContent := `auth_path: jwt +oidc_discovery_url: "https://app.terraform.io" +bound_issuer: "https://app.terraform.io" +role: + name: tfc-agent + policy_names: + - admin + bound_audiences: + - vault.workload.identity + bound_claim_sub: "organization:my-org-name:project:my-project-name:workspace:my-workspace-name:run_phase:*" + user_claim: terraform_full_workspace + ttl: 20m +` + expectedJwtAuthRole := map[string]interface{}{ + "allowed_redirect_uris": interface{}(nil), + "bound_audiences": []interface{}{"vault.workload.identity"}, + "bound_claims": map[string]interface{}{ + "sub": "organization:my-org-name:project:my-project-name:workspace:my-workspace-name:run_phase:*", + }, + "bound_claims_type": "glob", + "bound_subject": "", + "claim_mappings": interface{}(nil), + "clock_skew_leeway": float64(0), + "expiration_leeway": float64(0), + "groups_claim": "", + "max_age": float64(0), + "not_before_leeway": float64(0), + "oidc_scopes": interface{}(nil), + "policies": []interface{}{"admin"}, + "role_type": "jwt", + "token_bound_cidrs": []interface{}{}, + "token_explicit_max_ttl": float64(0), + "token_max_ttl": float64(0), + "token_no_default_policy": false, + "token_num_uses": float64(0), + "token_period": float64(0), + "token_policies": []interface{}{"admin"}, + "token_ttl": float64(1200), + "token_type": "default", + "user_claim": "terraform_full_workspace", + "user_claim_json_pointer": false, + "verbose_oidc_logging": false, + } + ctx := context.Background() + _, vclient, err := vault.StartTestDevVaultInTest(t, ctx) + if err != nil { + t.Fatal(err) + } + oidcAuthTask := &OIDCAuthTask{} + clients := &Clients{ + VaultClient: vclient, + } + + if err = oidcAuthTask.Set(clients, []byte(oidcTaskContent)); err != nil { + t.Fatal(err) + } + if err = oidcAuthTask.Do(); err != nil { + t.Fatal(err) + } + + actualJwtAuthRole, err := vclient.GetRawAuthRole("jwt", "tfc-agent") + if err != nil { + t.Fatal(err) + } + + assert.Equal(t, expectedJwtAuthRole, actualJwtAuthRole) +} diff --git a/pkgs/retry/options.go b/pkgs/retry/options.go new file mode 100644 index 0000000..d771e8d --- /dev/null +++ b/pkgs/retry/options.go @@ -0,0 +1,41 @@ +package retry + +import ( + "context" + "time" +) + +type Config struct { + attempts uint + delay time.Duration + context context.Context + retryIf RetryIfFunc +} + +// Option represents an option for retry. +type Option func(*Config) + +type RetryIfFunc func(error) bool + +func emptyOption(c *Config) {} + +func RetryIf(retryIf RetryIfFunc) Option { + if retryIf == nil { + return emptyOption + } + return func(c *Config) { + c.retryIf = retryIf + } +} + +func Delay(delay time.Duration) Option { + return func(c *Config) { + c.delay = delay + } +} + +func Attempts(attempts uint) Option { + return func(c *Config) { + c.attempts = attempts + } +} diff --git a/pkgs/retry/retry.go b/pkgs/retry/retry.go new file mode 100644 index 0000000..d36c5ef --- /dev/null +++ b/pkgs/retry/retry.go @@ -0,0 +1,65 @@ +package retry + +import ( + "context" + "log/slog" + "time" +) + +// Function signature of retryable function +type RetryableFunc func() error + +func Do(retryableFunc RetryableFunc, opts ...Option) (err error) { + var n uint + + // default + config := newDefaultRetryConfig() + + // apply opts + for _, opt := range opts { + opt(config) + } + + if err := config.context.Err(); err != nil { + return err + } + + for n < config.attempts { + err = retryableFunc() + if err == nil { + break + } + + if !config.retryIf(err) { + break + } + + // last attempt. exit right away + if n == config.attempts-1 { + break + } + slog.Info("iteration_err_result", "err", err) + + select { + case <-time.After(config.delay): + case <-config.context.Done(): + return config.context.Err() + } + + n++ + } + return err +} + +func newDefaultRetryConfig() *Config { + return &Config{ + attempts: uint(10), + delay: 100 * time.Millisecond, + retryIf: AlwaysRetry, + context: context.Background(), + } +} + +func AlwaysRetry(_ error) bool { + return true +} diff --git a/pkgs/retry/retry_test.go b/pkgs/retry/retry_test.go new file mode 100644 index 0000000..3276c31 --- /dev/null +++ b/pkgs/retry/retry_test.go @@ -0,0 +1,64 @@ +package retry + +import ( + "fmt" + "math" + "testing" + "time" + + "github.com/stretchr/testify/assert" +) + +func TestDoRetryAlways(t *testing.T) { + count := 0 + startTime := time.Now() + err := Do(func() error { + count++ + if count < 3 { + return fmt.Errorf("less than 3") + } + return nil + }, + RetryIf(func(_ error) bool { + // retry always + return true + }), + Delay(time.Second), + ) + duration := math.Round(time.Since(startTime).Seconds()) + assert.NoError(t, err) + assert.Equal(t, 3, count) + assert.Equal(t, 2.0, duration) +} + +func TestDoRetryCertainError(t *testing.T) { + count := 0 + errorRetry := "do it" + errorDontRetry := "don't do it" + err := Do(func() error { + count++ + if count < 5 { + return fmt.Errorf("%s", errorRetry) + } + return fmt.Errorf("%s", errorDontRetry) + }, + RetryIf(func(err error) bool { + return err.Error() == errorRetry + }), + ) + assert.Equal(t, err.Error(), errorDontRetry) + assert.Equal(t, 5, count) +} + +func TestDoRetryMax(t *testing.T) { + count := 0 + errorMsg := "error msg" + err := Do(func() error { + count++ + return fmt.Errorf("%s", errorMsg) + }, + Attempts(10), + ) + assert.Equal(t, err.Error(), errorMsg) + assert.Equal(t, 10, count) +} diff --git a/pkgs/url/file.go b/pkgs/url/file.go new file mode 100644 index 0000000..135b795 --- /dev/null +++ b/pkgs/url/file.go @@ -0,0 +1,20 @@ +package url + +import ( + "fmt" + "net/url" +) + +func GetLocalFilePath(rawURL string) (localFilePath string, err error) { + url, err := url.Parse(rawURL) + if err != nil { + return + } + if url.Scheme != "file" || url.Path == "" { + err = fmt.Errorf("%s is not for local file", rawURL) + return + } + + localFilePath = url.Path + return +} diff --git a/pkgs/url/file_test.go b/pkgs/url/file_test.go new file mode 100644 index 0000000..4a65995 --- /dev/null +++ b/pkgs/url/file_test.go @@ -0,0 +1,52 @@ +package url + +import ( + "testing" + + "github.com/stretchr/testify/assert" +) + +func TestGetLocalFilePath(t *testing.T) { + type filePathTestCases struct { + description string + inputString string + expectedPath string + expectErr bool + } + for _, testCase := range []filePathTestCases{ + { + description: "valid absolute path", + inputString: "file:///absolute.txt", + expectedPath: "/absolute.txt", + expectErr: false, + }, + { + description: "valid absolute path 2", + inputString: "file:/path1/absolute.txt", + expectedPath: "/path1/absolute.txt", + expectErr: false, + }, + { + description: "invalid", + inputString: "file://absolute.txt", + expectedPath: "", + expectErr: true, + }, + { + description: "with host", + inputString: "file://localhost/absolute.txt", + expectedPath: "/absolute.txt", + expectErr: false, + }, + } { + t.Run(testCase.description, func(t *testing.T) { + filePath, err := GetLocalFilePath(testCase.inputString) + if testCase.expectErr { + assert.NotNil(t, err) + } else { + assert.Nil(t, err) + } + assert.Equal(t, testCase.expectedPath, filePath) + }) + } +} diff --git a/pkgs/vault/certs.go b/pkgs/vault/certs.go new file mode 100644 index 0000000..a4f8dfb --- /dev/null +++ b/pkgs/vault/certs.go @@ -0,0 +1,45 @@ +package vault + +import ( + "errors" + "fmt" +) + +var ( + ErrCertIssueFailed = errors.New("failed to issue new certificate from vault") +) + +type VaultPKI struct { + Path string + Role string + CN string + CertTTL string +} + +type Certs struct { + CA string + Certificate string + Key string +} + +func (v *Vault) IssueNewCertificate(vaultpki VaultPKI) (certs Certs, err error) { + data := map[string]interface{}{ + "common_name": vaultpki.CN, + "ttl": vaultpki.CertTTL, + } + issuePath := fmt.Sprintf("%s/issue/%s", vaultpki.Path, vaultpki.Role) + resp, err := v.client.Logical().Write(issuePath, data) + if err != nil { + return certs, err + } + if resp == nil { + return certs, ErrCertIssueFailed + } + + certs = Certs{ + CA: resp.Data["issuing_ca"].(string), + Certificate: resp.Data["certificate"].(string), + Key: resp.Data["private_key"].(string), + } + return +} diff --git a/pkgs/vault/certs_test.go b/pkgs/vault/certs_test.go new file mode 100644 index 0000000..d32fbb7 --- /dev/null +++ b/pkgs/vault/certs_test.go @@ -0,0 +1,66 @@ +package vault + +import ( + "context" + "fmt" + "log/slog" + "reflect" + "testing" + + certutil "github.com/retailnext/vault-init/pkgs/certs" + "github.com/stretchr/testify/assert" +) + +func TestIssueNewCertificate(t *testing.T) { + ctx := context.Background() + vserver, vclient, err := StartTestDevVaultInTest(t, ctx) + if err != nil { + t.Fatal(err) + } + + // Setup rootCA + _, err = vserver.Execute(ctx, "vault secrets enable pki") + if err != nil { + t.Fatal(err) + } + _, err = vserver.Execute(ctx, "vault secrets tune -max-lease-ttl=87600h pki") + if err != nil { + t.Fatal(err) + } + execOutput, err := vserver.Execute(ctx, "vault write -field=certificate pki/root/generate/internal common_name=example.com issuer_name=root-2023 ttl=87600h") + if err != nil { + t.Fatal(err) + } + slog.Info(string(execOutput)) + _, err = vserver.Execute(ctx, "vault write pki/roles/2023-servers allow_any_name=true") + if err != nil { + t.Fatal(err) + } + + commonName := "test.example.com" + certs, err := vclient.IssueNewCertificate(VaultPKI{ + Path: "pki", + Role: "2023-servers", + CN: commonName, + CertTTL: "24h", + }) + + // verify that all the certs are generated + assert.NoError(t, err) + v := reflect.ValueOf(certs) + typeOfV := v.Type() + for i := 0; i < v.NumField(); i++ { + value := v.Field(i).Interface().(string) // better be string + if value == "" { + assert.Fail(t, fmt.Sprintf("%s should not be empty", typeOfV.Field(i).Name)) + } + } + + // verify that common_name is the same + parsed, err := certutil.ParsePEMCertificate(certs.Certificate) + if err != nil { + t.Fatal(err) + } + assert.Equal(t, commonName, parsed.Subject.CommonName) + assert.Equal(t, commonName, parsed.DNSNames[0]) +} diff --git a/pkgs/vault/client.go b/pkgs/vault/client.go new file mode 100644 index 0000000..ddea56b --- /dev/null +++ b/pkgs/vault/client.go @@ -0,0 +1,43 @@ +package vault + +import ( + "context" + + vaultapi "github.com/hashicorp/vault/api" +) + +type Vault struct { + client *vaultapi.Client + ctx context.Context +} + +func NewClient(vaultaddr string, caCertBytes []byte) (vaultClient *Vault, err error) { + return NewClientWithContext(context.Background(), vaultaddr, caCertBytes) +} + +func NewClientWithContext(ctx context.Context, vaultaddr string, caCertBytes []byte) (vaultClient *Vault, err error) { + config := vaultapi.DefaultConfig() + config.Address = vaultaddr + if len(caCertBytes) > 0 { + err = config.ConfigureTLS(&vaultapi.TLSConfig{ + CACertBytes: caCertBytes, + }) + if err != nil { + return + } + } + client, err := vaultapi.NewClient(config) + vaultClient = &Vault{ + client: client, + ctx: ctx, + } + return +} + +func (v *Vault) SetToken(token string) { + v.client.SetToken(token) +} + +func (v *Vault) GetToken() string { + return v.client.Token() +} diff --git a/pkgs/vault/sys.go b/pkgs/vault/sys.go new file mode 100644 index 0000000..6e430b5 --- /dev/null +++ b/pkgs/vault/sys.go @@ -0,0 +1,173 @@ +package vault + +import ( + "encoding/json" + "fmt" + "log/slog" + + vaultapi "github.com/hashicorp/vault/api" +) + +func (v *Vault) GetInitStatus() (init bool, err error) { + return v.client.Sys().InitStatusWithContext(v.ctx) +} + +func (v *Vault) GetHealthStatus() (*vaultapi.HealthResponse, error) { + return v.client.Sys().HealthWithContext(v.ctx) +} + +func (v *Vault) Initialize() (resp []byte, err error) { + initialized, err := v.client.Sys().InitStatus() + if err != nil || initialized { + // it is already initialized or fails to get the status + return + } + + initRequest := &vaultapi.InitRequest{ + StoredShares: 3, + RecoveryShares: 3, + RecoveryThreshold: 2, + } + initResponse, err := v.client.Sys().Init(initRequest) + if err != nil { + slog.Error("fail_to_init", "err", err) + return + } + + vaultRootToken := initResponse.RootToken + if vaultRootToken == "" { + slog.Error("no_root_token") + return resp, fmt.Errorf("no root token is found after initialized") + } + v.SetToken(vaultRootToken) + + return json.Marshal(initResponse) +} + +func (v *Vault) SetPolicy(policyName string, policyContent string) (err error) { + payload := map[string]interface{}{ + "policy": policyContent, + } + policyPath := fmt.Sprintf("sys/policy/%s", policyName) + resp, err := v.client.Logical().WriteWithContext(v.ctx, policyPath, payload) + slog.Info("set_policy", "resp", fmt.Sprintf("%v", resp)) + return err +} + +func (v *Vault) GetPolicy(policyName string) (policyContent string, err error) { + policyPath := fmt.Sprintf("sys/policy/%s", policyName) + resp, err := v.client.Logical().ReadWithContext(v.ctx, policyPath) + slog.Debug(fmt.Sprintf("%v", resp)) + + if resp.Data == nil { + return "", fmt.Errorf("there is no data in the response from vault") + } + var ok bool + if policyContent, ok = resp.Data["rules"].(string); !ok { + return "", fmt.Errorf("policy data content is not found in the response") + } + return +} + +func (v *Vault) EnableAuth(authMethod string) (err error) { + // setting authMethod as auth path for convience + return v.EnableAuthByPath(authMethod, authMethod) +} + +func (v *Vault) EnableAuthByPath(authPath string, authMethod string) (err error) { + payload := &vaultapi.EnableAuthOptions{ + Type: authMethod, + } + return v.client.Sys().EnableAuthWithOptionsWithContext(v.ctx, authPath, payload) +} + +func (v *Vault) GetAuthType(authPath string) (authType string, err error) { + resp, err := v.client.Logical().ReadWithContext(v.ctx, fmt.Sprintf("sys/auth/%s", authPath)) + if err != nil { + return + } + if resp.Data == nil { + return "", fmt.Errorf("there is no data in the response from vault") + } + var ok bool + if authType, ok = resp.Data["type"].(string); !ok { + return "", fmt.Errorf("policy data content is not found in the response") + } + return +} + +func (v *Vault) AddAuthJWTConfig(authPath, oidcDiscoveryUrl, boundIssuer string) (err error) { + payload := map[string]interface{}{ + "oidc_discovery_url": oidcDiscoveryUrl, + "bound_issuer": boundIssuer, + } + _, err = v.client.Logical().WriteWithContext(v.ctx, fmt.Sprintf("auth/%s/config", authPath), payload) + return err +} + +func (v *Vault) AddAuthRoleIAMType(authPath string, roleName string, policies []string, serviceAccounts []string) (err error) { + // Assume authMethod as auth path + payload := map[string]interface{}{ + "type": "iam", + "policies": policies, + "bound_service_accounts": serviceAccounts, + "max_jwt_exp": 3600, + } + rolePath := fmt.Sprintf("auth/%s/role/%s", authPath, roleName) + _, err = v.client.Logical().WriteWithContext(v.ctx, rolePath, payload) + return err +} + +func (v *Vault) GetAuthRole(authPath string, roleName string) (authRole AuthRole, err error) { + rolePath := fmt.Sprintf("auth/%s/role/%s", authPath, roleName) + resp, err := v.client.Logical().ReadRawWithContext(v.ctx, rolePath) + if err != nil { + return authRole, err + } + + defer resp.Body.Close() + + authRoleResp := &AuthRoleResp{} + err = json.NewDecoder(resp.Body).Decode(authRoleResp) + if err != nil { + return authRole, err + } + + return authRoleResp.Data, nil +} + +func (v *Vault) AddAuthRoleJWTType(authPath, roleName string, policies []string, boundAudiences []string, sub string, userClaim string, ttl string) (err error) { + // Assume authMethod as auth path + payload := map[string]interface{}{ + "role_type": "jwt", + "policies": policies, + "bound_audiences": boundAudiences, + "bound_claims_type": "glob", + "bound_claims": map[string]interface{}{ + "sub": sub, + }, + "user_claim": userClaim, + "token_ttl": ttl, + } + rolePath := fmt.Sprintf("auth/%s/role/%s", authPath, roleName) + _, err = v.client.Logical().WriteWithContext(v.ctx, rolePath, payload) + return err +} + +func (v *Vault) GetRawAuthRole(authMethod, roleName string) (authRole map[string]interface{}, err error) { + rolePath := fmt.Sprintf("auth/%s/role/%s", authMethod, roleName) + resp, err := v.client.Logical().ReadRawWithContext(v.ctx, rolePath) + if err != nil { + return authRole, err + } + + defer resp.Body.Close() + + msgData := &GeneralResp{} + err = json.NewDecoder(resp.Body).Decode(msgData) + if err != nil { + return + } + authRole = msgData.Data + return +} diff --git a/pkgs/vault/sys_objects.go b/pkgs/vault/sys_objects.go new file mode 100644 index 0000000..e166f78 --- /dev/null +++ b/pkgs/vault/sys_objects.go @@ -0,0 +1,15 @@ +package vault + +type AuthRole struct { + BoundServiceAccounts []string `json:"bound_service_accounts"` + MaxJWTExp int `json:"max_jwt_exp"` + Policies []string `json:"policies"` +} + +type AuthRoleResp struct { + Data AuthRole `json:"data"` +} + +type GeneralResp struct { + Data map[string]interface{} `json:"data"` +} diff --git a/pkgs/vault/sys_test.go b/pkgs/vault/sys_test.go new file mode 100644 index 0000000..f8c4da8 --- /dev/null +++ b/pkgs/vault/sys_test.go @@ -0,0 +1,153 @@ +package vault + +import ( + "context" + "strings" + "testing" + + "github.com/stretchr/testify/assert" +) + +func TestSetSAToAdmin(t *testing.T) { + ctx := context.Background() + testPolicyName := "admin" + testPolicy := ` +path "sys/leases/*" +{ + capabilities = ["create", "read", "update", "delete", "list", "sudo"] +} +path "auth/*" +{ + capabilities = ["create", "read", "update", "delete", "list", "sudo"] +} +` + _, vclient, err := StartTestDevVaultInTest(t, ctx) + if err != nil { + t.Fatal(err) + } + + // Create a policy + err = vclient.SetPolicy(testPolicyName, testPolicy) + assert.NoError(t, err) + + actualPolicy, err := vclient.GetPolicy(testPolicyName) + if err != nil { + t.Fatal(err) + } + assert.Equal(t, testPolicy, actualPolicy) + + // Enable gcp + err = vclient.EnableAuth("gcp") + if err != nil { + t.Fatal(err) + } + + // Add sa@test.com service account to admin role under gcp auth path + err = vclient.AddAuthRoleIAMType("gcp", "admin", []string{"admin"}, []string{"sa@test.com"}) + if err != nil { + t.Fatal(err) + } + + // Get the role + roleData, err := vclient.GetAuthRole("gcp", "admin") + if err != nil { + t.Fatal(err) + } + assert.Equal(t, []string{"admin"}, roleData.Policies) + assert.Equal(t, []string{"sa@test.com"}, roleData.BoundServiceAccounts) + assert.Equal(t, 3600, roleData.MaxJWTExp) +} + +func TestInitializeAlreadyInit(t *testing.T) { + ctx := context.Background() + _, vclient, err := StartTestDevVaultInTest(t, ctx) + if err != nil { + t.Fatal(err) + } + + resp, err := vclient.Initialize() + assert.NoError(t, err) + respString := string(resp) + assert.Equal(t, "", respString) +} + +func TestAddRoleJTWType(t *testing.T) { + ctx := context.Background() + testPolicyName := "admin" + testPolicy := ` +path "sys/leases/*" +{ + capabilities = ["create", "read", "update", "delete", "list", "sudo"] +} +path "auth/*" +{ + capabilities = ["create", "read", "update", "delete", "list", "sudo"] +} +` + _, vclient, err := StartTestDevVaultInTest(t, ctx) + if err != nil { + t.Fatal(err) + } + + // Create a policy + err = vclient.SetPolicy(testPolicyName, testPolicy) + assert.NoError(t, err) + + // Enable gcp + err = vclient.EnableAuth("jwt") + if err != nil { + t.Fatal(err) + } + + // Add sub to admin role under jwt auth path + roleName := "tfc-role" + sub := "organization:my-org-name:project:my-project-name:workspace:my-workspace-name:run_phase:*" + boundAudience := "vault.workload.identity" + userClaim := "terraform_full_workspace" + err = vclient.AddAuthRoleJWTType("jwt", roleName, []string{testPolicy}, []string{boundAudience}, sub, userClaim, "20m") + if err != nil { + t.Fatal(err) + } + + // Get the role + roleData, err := vclient.GetRawAuthRole("jwt", roleName) + if err != nil { + t.Fatal(err) + } + assert.Equal(t, boundAudience, roleData["bound_audiences"].([]interface{})[0].(string)) + assert.Equal(t, sub, roleData["bound_claims"].(map[string]interface{})["sub"].(string)) + assert.Equal(t, "glob", roleData["bound_claims_type"].(string)) + assert.Equal(t, strings.TrimSpace(testPolicy), roleData["policies"].([]interface{})[0].(string)) +} + +func TestGetAuthTypeNonExist(t *testing.T) { + ctx := context.Background() + _, vclient, err := StartTestDevVaultInTest(t, ctx) + if err != nil { + t.Fatal(err) + } + _, err = vclient.GetAuthType("jwt") + if err == nil { + t.Error("it expected an error but no error is returned") + t.Fail() + } else { + assert.ErrorContains(t, err, "No auth engine at jwt") + } +} + +func TestGetAuthType(t *testing.T) { + ctx := context.Background() + _, vclient, err := StartTestDevVaultInTest(t, ctx) + if err != nil { + t.Fatal(err) + } + err = vclient.EnableAuth("jwt") + if err != nil { + t.Fatal(err) + } + auth, err := vclient.GetAuthType("jwt") + if err != nil { + t.Fatal(err) + } + assert.Equal(t, "jwt", auth) +} diff --git a/pkgs/vault/testutils.go b/pkgs/vault/testutils.go new file mode 100644 index 0000000..c245df6 --- /dev/null +++ b/pkgs/vault/testutils.go @@ -0,0 +1,62 @@ +package vault + +import ( + "context" + "fmt" + "io" + "strings" + "testing" + "time" + + "github.com/testcontainers/testcontainers-go" + testvault "github.com/testcontainers/testcontainers-go/modules/vault" + "github.com/testcontainers/testcontainers-go/wait" +) + +const ( + VAULT_TOKEN = "root-token" +) + +type VaultServer struct { + *testvault.VaultContainer +} + +func (v *VaultServer) Execute(ctx context.Context, command string) ([]byte, error) { + _, out, err := v.Exec(ctx, strings.Split(command, " ")) + if err != nil { + return []byte{}, err + } + output, err := io.ReadAll(out) + return output, err + +} + +func StartTestDevVaultInTest(t *testing.T, ctx context.Context) (vserver *VaultServer, vclient *Vault, err error) { + vaultDevContainer, err := testvault.RunContainer(ctx, + testcontainers.WithImage("hashicorp/vault:1.13.0"), + testvault.WithToken(VAULT_TOKEN), + testcontainers.WithWaitStrategy( + wait.ForLog(fmt.Sprintf("Root Token: %s", VAULT_TOKEN)).WithOccurrence(1).WithStartupTimeout(10*time.Second), + ), + ) + if err != nil { + return + } + + vserver = &VaultServer{vaultDevContainer} + t.Cleanup(func() { + if err := vserver.Terminate(ctx); err != nil { + t.Fatalf("failed to terminate the vault container: %s", err) + } + }) + vaultAddr, err := vserver.HttpHostAddress(ctx) + if err != nil { + return + } + vclient, err = NewClient(vaultAddr, []byte{}) + if err != nil { + return + } + vclient.SetToken(VAULT_TOKEN) + return vserver, vclient, nil +} diff --git a/renovate.json b/renovate.json new file mode 100644 index 0000000..846718b --- /dev/null +++ b/renovate.json @@ -0,0 +1,23 @@ +{ + "$schema": "https://docs.renovatebot.com/renovate-schema.json", + "extends": [ + "config:base", + ":automergeAll", + ":gitSignOff", + ":semanticCommits", + "docker:pinDigests", + "regexManagers:githubActionsVersions" + ], + "labels": [ + "dependencies" + ], + "lockFileMaintenance": { + "enabled": true + }, + "platformAutomerge": true, + "postUpdateOptions": [ + "gomodTidy", + "gomodUpdateImportPaths" + ], + "rebaseWhen": "conflicted" +} diff --git a/setup.go b/setup.go new file mode 100644 index 0000000..2fdd1ac --- /dev/null +++ b/setup.go @@ -0,0 +1,214 @@ +package main + +import ( + "encoding/json" + "fmt" + "log/slog" + "path/filepath" + + vaultapi "github.com/hashicorp/vault/api" + "github.com/retailnext/vault-init/pkgs/aws" + "github.com/retailnext/vault-init/pkgs/files" + "github.com/retailnext/vault-init/pkgs/gcp" + "github.com/retailnext/vault-init/pkgs/objects" + "github.com/retailnext/vault-init/pkgs/vault" + "github.com/urfave/cli/v2" + "gopkg.in/yaml.v3" +) + +type MainClients struct { + Clients *objects.Clients + PostTasks []objects.Task +} + +type RawPostTask struct { + TaskType string `yaml:"type"` + TaskContent map[string]interface{} `yaml:"task"` +} + +func SetupClients(cCtx *cli.Context) (mainClients *MainClients, err error) { + // get clients + var vaultClient *vault.Vault + var ssmClient objects.SSMClient + var initOutSecret string + + vaultClient, err = vault.NewClientWithContext(cCtx.Context, cCtx.String("vault-addr"), []byte(cCtx.String("cacert"))) + if err != nil { + return + } + switch initOutType := initOutPathType(cCtx.String("initout")); initOutType { + case "gcp": + ssmClient, err = gcp.NewSecretClient(cCtx.Context) + if err != nil { + return mainClients, err + } + initOutSecret = cCtx.String("initout") + case "aws": + var name, region string + name, _, region, err = aws.ParseSecretArn(cCtx.String("initout")) + if err != nil { + return mainClients, err + } + ssmClient, err = aws.NewSecretClient(cCtx.Context, region) + if err != nil { + return mainClients, err + } + initOutSecret = name + case "file": + ssmClient, err = files.NewLocalFileClient(cCtx.Context) + if err != nil { + return mainClients, err + } + initOutSecret, err = filepath.Abs(cCtx.String("initout")) + if err != nil { + return mainClients, err + } + default: + return mainClients, fmt.Errorf("%s is %s type, which is invalid", cCtx.String("initout"), initOutType) + } + + objectClients := &objects.Clients{ + VaultClient: vaultClient, + SSMClient: ssmClient, + InitOutSecret: initOutSecret, + } + mainClients = &MainClients{ + Clients: objectClients, + PostTasks: []objects.Task{}, + } + + return mainClients, err +} + +func (c *MainClients) SetupPostTasks(taskContent []byte) (err error) { + if len(taskContent) == 0 { + return err + } + + // Set post tasks + var rawTasks []RawPostTask + err = yaml.Unmarshal(taskContent, &rawTasks) + if err != nil { + return err + } + for _, rawTask := range rawTasks { + subTaskContent, err := yaml.Marshal(rawTask.TaskContent) + if err != nil { + return err + } + + switch rawTask.TaskType { + case "policy": + postTask := &objects.PolicyTask{} + err = postTask.Set(c.Clients, subTaskContent) + if err != nil { + return err + } + c.PostTasks = append(c.PostTasks, postTask) + case "oidc_auth": + postTask := &objects.OIDCAuthTask{} + err = postTask.Set(c.Clients, subTaskContent) + if err != nil { + return err + } + c.PostTasks = append(c.PostTasks, postTask) + default: + return fmt.Errorf("%s is not valid task type", rawTask.TaskType) + } + } + + return err +} + +func (c *MainClients) InitVault() error { + // get clients + vaultClient := c.Clients.VaultClient + if vaultClient == nil { + return fmt.Errorf("vault client is not initialized") + } + ssmClient := c.Clients.SSMClient + if ssmClient == nil { + return fmt.Errorf("secret client is not initialized") + } + initOutSecret := c.Clients.InitOutSecret + if initOutSecret == "" { + return fmt.Errorf("the path for secret to be retrieved is not known") + } + + // initialize vault + isInitialized, err := vaultClient.GetInitStatus() + if err != nil { + slog.Error("fail_to_get_status", "error", err) + return err + } + if isInitialized { + // it is already initialized + slog.Info("vault is already initialized") + return c.SetVaultTokenFromSecret() + } + + slog.Info("vault_init") + initOutput, err := vaultClient.Initialize() + if err != nil { + slog.Error("fail_to_initialize", "error", err) + return err + } + + // save the output to secret + slog.Info("save_vault_init_out") + _, err = ssmClient.AddVersion(initOutSecret, initOutput) + if err != nil { + slog.Error("fail_to_add_to_secret", "error", err) + slog.Info(string(initOutput)) // so that we can add it manually + } + return nil +} + +func (c *MainClients) SetVaultTokenFromSecret() error { + // get clients + ssmClient := c.Clients.SSMClient + initOutSecret := c.Clients.InitOutSecret + vaultClient := c.Clients.VaultClient + + slog.Info("set_vault_token") + lastInitout, err := ssmClient.GetValue(initOutSecret) + if err != nil { + return err + } + initResp := &vaultapi.InitResponse{} + err = json.Unmarshal(lastInitout, initResp) + if err != nil { + return err + } + if initResp.RootToken == "" { + return fmt.Errorf("no root token is found from the secret") + } + vaultClient.SetToken(initResp.RootToken) + return nil +} + +func (c *MainClients) CheckHealthVault() error { + // get clients + vaultClient := c.Clients.VaultClient + if vaultClient == nil { + return fmt.Errorf("vault client is not initialized") + } + slog.Info("check_health_status") + healthStatus, err := vaultClient.GetHealthStatus() + if err != nil { + return err + } + if !healthStatus.Initialized || healthStatus.Sealed { + return fmt.Errorf("vault_not_ready: initialized = %v, sealed = %v", healthStatus.Initialized, healthStatus.Sealed) + } + return nil +} + +func (c *MainClients) ExecutePostTasks() error { + for _, postTask := range c.PostTasks { + if err := postTask.Do(); err != nil { + return err + } + } + return nil +} diff --git a/setup_test.go b/setup_test.go new file mode 100644 index 0000000..39dcbe6 --- /dev/null +++ b/setup_test.go @@ -0,0 +1,96 @@ +package main + +import ( + "context" + "flag" + "os" + "testing" + + "github.com/retailnext/vault-init/pkgs/objects" + "github.com/retailnext/vault-init/pkgs/vault" + "github.com/stretchr/testify/assert" + "github.com/urfave/cli/v2" +) + +func TestInitVault(t *testing.T) { + initoutFile := "./testinitout.txt" + initOut := ` + {"keys":[],"keys_base64":[],"recovery_keys":["35a24","1ac7","ac0f5"],"recovery_keys_base64":["AOk","dK3rH","rPA"],"root_token":"root-token"} + ` + if err := os.WriteFile(initoutFile, []byte(initOut), 0666); err != nil { + t.Fatal(err) + } + defer os.Remove(initoutFile) + + ctx := context.Background() + vserver, _, err := vault.StartTestDevVaultInTest(t, ctx) + if err != nil { + t.Fatal(err) + } + + // setup clients + vaultAddr, err := vserver.HttpHostAddress(ctx) + if err != nil { + t.Fatal(err) + } + set := flag.NewFlagSet("test", 0) + set.String("vault-addr", vaultAddr, "doc") + set.String("initout", initoutFile, "doc") + cliCtx := cli.NewContext(nil, set, nil) + mainClients, err := SetupClients(cliCtx) + if err != nil { + t.Fatal(err) + } + + // initVault + err = mainClients.InitVault() + if err != nil { + t.Fatal(err) + } + + vaultToken := mainClients.Clients.VaultClient.GetToken() + assert.Equal(t, "root-token", vaultToken) + +} + +func TestExecutePostTasks(t *testing.T) { + postTasks := ` +- type: policy + task: + name: admin + policy_content: | + path "sys/leases/*" + { + capabilities = ["create", "read", "update", "delete", "list", "sudo"] + } +` + expectedPolicy := `path "sys/leases/*" +{ + capabilities = ["create", "read", "update", "delete", "list", "sudo"] +} +` + ctx := context.Background() + _, vclient, err := vault.StartTestDevVaultInTest(t, ctx) + if err != nil { + t.Fatal(err) + } + mainClients := &MainClients{} + mainClients.Clients = &objects.Clients{ + VaultClient: vclient, + } + err = mainClients.SetupPostTasks([]byte(postTasks)) + if err != nil { + t.Fatal(err) + } + err = mainClients.ExecutePostTasks() + if err != nil { + t.Fatal(err) + } + + actualPolicy, err := vclient.GetPolicy("admin") + if err != nil { + t.Fatal() + } + assert.Equal(t, expectedPolicy, actualPolicy) + +}