diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml new file mode 100644 index 0000000..feb41d2 --- /dev/null +++ b/.github/workflows/release.yml @@ -0,0 +1,51 @@ +name: release +on: + push: + tags: + - "*" +jobs: + publish: + name: release + runs-on: ubuntu-20.04 + permissions: + contents: write + steps: + - uses: actions/setup-go@v2 + with: + go-version: '1.19' + + - name: Set env + shell: bash + run: | + echo "GOPATH=${{ github.workspace }}" >> $GITHUB_ENV + echo "${{ github.workspace }}/bin" >> $GITHUB_PATH + + - uses: actions/cache@v2 + with: + path: | + ~/go/pkg/mod + ~/.cache/go-build + key: go-release-${{ hashFiles('**/go.sum') }} + restore-keys: go-release- + + - uses: actions/checkout@v2 + with: + fetch-depth: 0 + path: src/github.com/fraima/key-keeper + + - run: | + make release + env: + GITHUB_TOKEN: ${{ secrets.GH_TOKEN }} + working-directory: src/github.com/fraima/key-keeper + + - uses: ncipollo/release-action@v1 + with: + allowUpdates: true + artifacts: src/github.com/fraima/key-keeper/_output/releases/* + bodyFile: src/github.com/fraima/key-keeper/release-notes.md + + - uses: actions/upload-artifact@v2 + with: + name: build-artifacts + path: src/github.com/fraima/key-keeper/_output \ No newline at end of file diff --git a/.gitignore b/.gitignore index 66fd13c..79d4c36 100644 --- a/.gitignore +++ b/.gitignore @@ -1,15 +1,6 @@ -# Binaries for programs and plugins -*.exe -*.exe~ -*.dll -*.so -*.dylib - -# Test binary, built with `go test -c` -*.test - -# Output of the go coverage tool, specifically when used with LiteIDE -*.out - -# Dependency directories (remove the comment below to include it) -# vendor/ +test/ +key-keeper +role_id +secret_id +test.yaml +src/_output/* \ No newline at end of file diff --git a/Dockerfile b/Dockerfile new file mode 100644 index 0000000..d0bfb4d --- /dev/null +++ b/Dockerfile 
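Review bot: `- uses: ncipollo/release-action@v1` references a third-party action by a mutable tag, and that step runs with the job's `contents: write` permission and publishes everything under `_output/releases/*`, so whoever can move the `v1` tag controls what gets shipped as a release; pin it to a full commit SHA, `- uses: ncipollo/release-action@<full-commit-sha> # v1`, and do the same for the `actions/*@v2` steps. The `make release` step also receives `secrets.GH_TOKEN`, presumably a personal access token, even though the job already declares `permissions: contents: write`; if `hack/release.sh` (not in this diff) only needs to push to this repository, `${{ secrets.GITHUB_TOKEN }}` is the narrower credential. The trigger `tags: - "*"` fires on every tag rather than version tags, so a pattern such as `"v*"` would keep an accidental tag from cutting a release.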
@@ -0,0 +1,23 @@ +FROM golang:1.19.1-alpine3.16 as builder + +WORKDIR /app + +COPY go.mod . +COPY go.sum . +RUN go mod download +COPY . . + +ARG VERSION +ARG PROJECT + +RUN go install -ldflags "-s \ + -X main.Version=${VERSION}" \ + /app/cmd/${PROJECT} + +FROM alpine:3.16.0 + +ARG PROJECT + +COPY --from=builder /go/bin/${PROJECT} /usr/local/bin/app + +ENTRYPOINT ["app"] \ No newline at end of file diff --git a/Makefile b/Makefile new file mode 100644 index 0000000..44bd482 --- /dev/null +++ b/Makefile @@ -0,0 +1,24 @@ +#change for new project +project = key-keeper +#change for new release +release = v1.0.0 + +tag = $(DOCKER_USER)/$(project):$(release) +pwd = $(shell pwd) +module = $(shell go list -m) + +build-and-push: + docker build -t $(tag) --build-arg VERSION=$(release) --build-arg PROJECT=$(project) -f Dockerfile . + docker image push $(tag) + echo $(tag) + +formatting: + go fmt ./... + go install github.com/daixiang0/gci@latest + gci write --skip-generated -s standard -s default -s "prefix($(module))" . + +linter: + docker run --rm -v $(pwd):/app -w /app golangci/golangci-lint:v1.49.0 golangci-lint run -v + +release: + sh hack/release.sh diff --git a/README.md b/README.md index 69ca7b4..0de0a97 100644 --- a/README.md +++ b/README.md 
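Review bot: `COPY . .` in the builder stage copies the whole build context, and this commit adds no `.dockerignore`, so the `role_id`, `secret_id` and `test.yaml` files that the updated `.gitignore` keeps out of git still land in the builder image layers and the build cache; add a `.dockerignore` listing at least `role_id`, `secret_id`, `test.yaml`, `test/` and `.git`. The runtime stage also sets no `USER`, so `app` runs as root; if the host paths it writes to allow it, `RUN adduser -D -u 10001 app` followed by `USER app` ahead of the `ENTRYPOINT` drops that privilege.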
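Review bot: `go install github.com/daixiang0/gci@latest` in the `formatting` target resolves to whatever version the module proxy serves at run time, so two developers can format the same tree differently and the tool's supply chain is unpinned, unlike the `linter` target which pins `golangci/golangci-lint:v1.49.0`; pin it too, `go install github.com/daixiang0/gci@<pinned-version>`. The `release` target delegates to `hack/release.sh`, which is not part of this diff, so what the workflow's `GH_TOKEN` is used for cannot be reviewed here.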
@@ -1 +1,184 @@ -# key-keeper \ No newline at end of file +# key-keeper + +инструмент для linux хостов, позволяющий заказывать в Vault хранилище сертификаты и секреты и следить за их актуальностью. + +## Build & Push image + +Поменять версию релиза в .release и выполнить: + +```bash +make build-and-push DOCKER_USER=geoirb +``` + +## Build bin + +```bash +go build -o key-keeper cmd/key-keeper/main.go +``` + +## Run bin + +```bash +key-keeper -config-dir /path/to/config-dir -config-regexp .*.conf +``` + +> config-dir - путь до каталога с конфигами +> +> config-regexp - регуляроное выражения для имени файлов которые содержат конфиги для key-keeper + +## Описание структуры конфигов: + +#### ISSUERS: + +| ключ | тип | описание | +| --------------------------------------- | ------ | ----------------------------------------------------------------------- | +| **`issuers `** | list | список инструкций подключений | +| `.name` | string | имя инструкции | +| `.vault.server` | string | адрес Vault server | +| `.vault.auth.caBundle` | object | ca bundle для tls | +| `.vault.auth.tlsInsecure` | bool | отключение проверки tls | +| `.vault.auth.bootstrap` | object | описание метода авторизации для получения secret_id_role_id | +| `.vault.auth.bootstrap.tokenPath` | string | временный токен Vault | +| `.vault.auth.bootstrap.file` | string | путь к временномсу токену Vault | +| `.vault.auth.appRole` | object | описание авторизации по approle | +| `.vault.auth.appRole.name` | string | имя approle | +| `.vault.auth.appRole.path` | string | базовый путь approle в Vault | +| `.vault.auth.appRole.roleIDLocalPath` | string | локальный путь, где будет искать role_id для авторизации | +| `.vault.auth.appRole.secretIDLocalPath` | string | локальный путь, где будет искать secret_id для авторизации | +| `.vault.resource` | object | инструция доступа к vault роли для выпуска сертификата | +| `.vault.resource.role` | string | имя роли через которую будет выпускаться сертификат | +| 
`.vault.resource.CAPath ` | string | базовый путь PKI хранилища, где прописана роль | +| `.vault.resource.rootCAPath` | string | базовый путь PKI root хранилища от кого будет выписываться intermediate | +| `.vault.resource.kv` | object | описание доступа в Vault к Key Value стореджу | +| `.vault.resource.kv.path` | string | путь в Vault до Key Value стореджа | +| `.vault.timeout ` | string | максимальное время ответа сервера Vault | + +```yaml +--- +issuers: + - name: kubernetes-ca + vault: + server: http://example.com:9200 + auth: + caBundle: + tlsInsecure: true + bootstrap: + token: ${token} # <- или + path: /tmp/bootstrap-token # <- или + appRole: + name: kubernetes-ca + path: "clusters/cluster-1/approle" + secretIDLocalPath: /var/lib/key-keeper/vault/kubernetes-ca/secret-id + roleIDLocalPath: /var/lib/key-keeper/vault/kubernetes-ca/role-id + resource: + role: kubelet-server + CAPath: "clusters/cluster-1/pki/kubernetes" + rootCAPath: "clusters/cluster-1/pki/root" + kv: + path: "clusters/cluster-1/kv" +``` + +#### CERTIFICATES: + +| ключ | тип | описание | +| ---------------------------------- | ------- | ----------------------------------------------------------------------------------------- | +| **`certificates `** | list | список инструкций заказа сертификатов из Vault | +| `.name` | string | имя инструкции | +| `.issuerRef` | object | ссылка на инструкцию issuer через которую произведется авторизация | +| `.issuerRef.name` | string | имя инструкции issuer | +| `.isCa` | bool | указатель, что заказывается сертификат типа CA | +| `.ca` | object | описание расширения для заказа CA | +| `.ca.exportedKey` | bool | инструкция - запрашивать приватный ключ или нет (требуется pki типа external) | +| `.ca.generate` | bool | создаст intermediate или запросит существующий (требуются права на создание intermediate) | +| `.spec` | object | поля для генерации сертификата | +| `.spec.subject` | object | Описывает принадлежность сертификата к... 
| +| `.spec.subject.commonName` | string | \* | +| `.spec.subject.country` | list | \* | +| `.spec.subject.localite` | list | \* | +| `.spec.subject.organization` | list | \* | +| `.spec.subject.organizationalUnit` | list | \* | +| `.spec.subject.province` | list | \* | +| `.spec.subject.postalCode` | list | \* | +| `.spec.subject.streetAddress` | list | \* | +| `.spec.subject.serialNumber` | string | \* | +| `.spec.privateKey` | object | Описание алгоритма для приватного ключа | +| `.spec.privateKey.algorithm` | string | Алгоритм | +| `.spec.privateKey.encoding` | string | Метод формирования | +| `.spec.privateKey.size` | integer | 2048 / 4096 | +| `.spec.hostnames` | list | список имен для блока alternative names | +| `.spec.ipAddresses` | object | описывает какие ip адреса попадут в ipSans | +| `.spec.ipAddresses.static` | list | список статичных ip адресов который попадет в ipSans | +| `.spec.ipAddresses.interfaces` | list | список ip адресов, взятый с интерфейсов хоста, попадет в ipSans | +| `.spec.ipAddresses.dnsLookup` | list | список ip адресов, взятый из функции dnslookup статичной A записи, попадет в ipSans | +| `.spec.ttl` | string | срок на который заказывается сертификат | +| `.spec.usage` | list | [Key usage extensions and extended key usage](https://pkg.go.dev/crypto/x509#KeyUsage) | +| `.hostPath` | string | путь в локальной файловой системе, где будет сохранен сертификат | +| `.withUpdate` | bool | данный параметр создаст сертификат без последующего перевыпуска | +| `.updateBefore` | string | время до истечения сертификата - при достижении сертификат перевыпустится | +| `.trigger` | list | список баш команд, которые выполнятся после обновления сертификата | + +```yaml +certificates: + - name: kubernetes-ca + issuerRef: + name: kubernetes-ca + isCa: true + ca: + exportedKey: false + generate: false + hostPath: "/etc/kubernetes/pki/ca" + + - name: kubelet-server + issuerRef: + name: kubelet-server + spec: + subject: + commonName: 
"system:node:master-0.cluster-1.example.com" + usage: + - server auth + privateKey: + algorithm: "RSA" + encoding: "PKCS1" + size: 4096 + ipAddresses: + static: + - 1.1.1.1 + ### + # * -> Позволяет указывать регексп интерфейсов (на выходе получаем список) + interfaces: + - lo + - eth* + ### + # * -> В цикле будет пытаться отрезолвить имя, без выходного значения, сертификат не будет заказан. + dnsLookup: + - api.example.com + ttl: 200h + ### + # * -> Указав $HOSTNAME - hostname хоста добавится в поле AltNames сертификата. + hostnames: + - $HOSTNAME + - localhost + - "master-0.cluster-1.example.com" + renewBefore: 100h + hostPath: "/etc/kubernetes/pki/certs/kubelet" +``` + +#### SECRETS: + +| ключ | тип | описание | +| ----------------- | ------ | ------------------------------------------------------------------ | +| **`secrets `** | list | список инструкций заказа секрета из Vault | +| `.name` | string | имя инструкции и одновременно имя секрета в Vault | +| `.issuerRef` | object | ссылка на инструкцию issuer через которую произведется авторизация | +| `.issuerRef.name` | string | имя инструкции issuer | +| `.key` | string | ключ в объекта секрета | +| `.hostPath` | string | путь в локальной файловой системе, где будет сохранен секрет | + +```yaml +secrets: + - name: kube-apiserver-sa + issuerRef: + name: kube-apiserver-sa + key: public + hostPath: /etc/kubernetes/pki/certs/kube-apiserver/kube-apiserver-sa.pub +``` diff --git a/cmd/key-keeper/main.go b/cmd/key-keeper/main.go new file mode 100644 index 0000000..9d5f4a3 --- /dev/null +++ b/cmd/key-keeper/main.go 
@@ -0,0 +1,68 @@
+package main
+
+import (
+ "flag"
+ "os"
+ "os/signal"
+ "syscall"
+
+ "go.uber.org/zap"
+
+ "github.com/fraima/key-keeper/internal/config"
+ "github.com/fraima/key-keeper/internal/controller"
+ "github.com/fraima/key-keeper/internal/issuer/vault"
+ "github.com/fraima/key-keeper/internal/issuer/vault/client"
+)
+
+var (
+ Version = "undefined"
+)
+
+func main() {
+ loggerConfig := zap.NewProductionConfig()
+ loggerConfig.Level.SetLevel(zap.DebugLevel)
+ logger, err := loggerConfig.Build()
+ if err != nil {
+ panic(err)
+ }
+ zap.ReplaceGlobals(logger)
+
+ var configDir, configNameLayout string
+ flag.StringVar(&configDir, "config-dir", "", "path to dir with configs")
+ flag.StringVar(&configNameLayout, "config-regexp", "", "regexp for config files names")
+ flag.Parse()
+
+ if configDir == "" {
+ zap.L().Fatal("not found config path param")
+ }
+
+ if configNameLayout == "" {
+ zap.L().Fatal("not found regexp for config file's name")
+ }
+
+ cfg, err := config.New(configDir, configNameLayout)
+ if err != nil {
+ zap.L().Fatal("read configuration", zap.Error(err))
+ }
+
+ zap.L().Debug("configuration", zap.Any("config", cfg), zap.String("version", Version))
+
+ cntl := controller.New(
+ cfg.GetNewConfig,
+ vault.Connector(
+ client.Connect,
+ ),
+ )
+
+ if err := cntl.Start(); err != nil {
+ zap.L().Fatal("start controller", zap.Error(err))
+ }
+
+ zap.L().Info("started")
+
+ ch := make(chan os.Signal, 1)
+ signal.Notify(ch, syscall.SIGINT, syscall.SIGTERM)
+ <-ch
+
+ zap.L().Info("goodbye")
+}
diff --git a/go.mod b/go.mod
new file mode 100644
index 0000000..9f77880
--- /dev/null
+++ b/go.mod
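Review bot: `zap.L().Debug("configuration", zap.Any("config", cfg), zap.String("version", Version))` serializes the entire loaded configuration into the log, and because `loggerConfig.Level.SetLevel(zap.DebugLevel)` forces debug output on the production logger a few lines earlier, this line runs on every start. The README in the same commit documents `.vault.auth.bootstrap.token` as a literal Vault token inside that configuration, so this most likely writes that token, and any other inline credential the config type carries, to stdout. Log only what identifies the run, e.g. `zap.L().Debug("configuration loaded", zap.String("config-dir", configDir), zap.String("version", Version))`, or give the config type a redacting `zapcore.ObjectMarshaler` implementation. Separately, `zap.ReplaceGlobals(logger)` is not followed by `defer logger.Sync()`, so buffered entries can be lost on the normal exit path, and the signal handler returns without stopping `cntl`, so whatever the controller holds open is not shut down cleanly.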
@@ -0,0 +1,62 @@ +module github.com/fraima/key-keeper + +go 1.19 + +require ( + github.com/hashicorp/vault/api v1.7.1 + github.com/hashicorp/vault/api/auth/approle v0.1.1 + github.com/stretchr/testify v1.7.0 + go.uber.org/zap v1.21.0 + gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b +) + +require ( + github.com/armon/go-metrics v0.3.9 // indirect + github.com/armon/go-radix v1.0.0 // indirect + github.com/cenkalti/backoff/v3 v3.0.0 // indirect + github.com/davecgh/go-spew v1.1.1 // indirect + github.com/fatih/color v1.7.0 // indirect + github.com/golang/protobuf v1.5.2 // indirect + github.com/golang/snappy v0.0.4 // indirect + github.com/hashicorp/errwrap v1.1.0 // indirect + github.com/hashicorp/go-cleanhttp v0.5.2 // indirect + github.com/hashicorp/go-hclog v0.16.2 // indirect + github.com/hashicorp/go-immutable-radix v1.3.1 // indirect + github.com/hashicorp/go-multierror v1.1.1 // indirect + github.com/hashicorp/go-plugin v1.4.3 // indirect + github.com/hashicorp/go-retryablehttp v0.6.6 // indirect + github.com/hashicorp/go-rootcerts v1.0.2 // indirect + github.com/hashicorp/go-secure-stdlib/mlock v0.1.1 // indirect + github.com/hashicorp/go-secure-stdlib/parseutil v0.1.6 // indirect + github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 // indirect + github.com/hashicorp/go-sockaddr v1.0.2 // indirect + github.com/hashicorp/go-uuid v1.0.2 // indirect + github.com/hashicorp/go-version v1.2.0 // indirect + github.com/hashicorp/golang-lru v0.5.4 // indirect + github.com/hashicorp/hcl v1.0.0 // indirect + github.com/hashicorp/vault/sdk v0.5.0 // indirect + github.com/hashicorp/yamux v0.0.0-20180604194846-3520598351bb // indirect + github.com/mattn/go-colorable v0.1.6 // indirect + github.com/mattn/go-isatty v0.0.12 // indirect + github.com/mitchellh/copystructure v1.0.0 // indirect + github.com/mitchellh/go-homedir v1.1.0 // indirect + github.com/mitchellh/go-testing-interface v1.0.0 // indirect + github.com/mitchellh/mapstructure v1.5.0 // indirect + 
github.com/mitchellh/reflectwalk v1.0.0 // indirect + github.com/oklog/run v1.0.0 // indirect + github.com/pierrec/lz4 v2.5.2+incompatible // indirect + github.com/pmezard/go-difflib v1.0.0 // indirect + github.com/ryanuber/go-glob v1.0.0 // indirect + github.com/stretchr/objx v0.2.0 // indirect + go.uber.org/atomic v1.9.0 // indirect + go.uber.org/multierr v1.6.0 // indirect + golang.org/x/crypto v0.0.0-20210921155107-089bfa567519 // indirect + golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4 // indirect + golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c // indirect + golang.org/x/text v0.3.7 // indirect + golang.org/x/time v0.0.0-20200416051211-89c76fbcd5d1 // indirect + google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013 // indirect + google.golang.org/grpc v1.41.0 // indirect + google.golang.org/protobuf v1.26.0 // indirect + gopkg.in/square/go-jose.v2 v2.5.1 // indirect +) diff --git a/go.sum b/go.sum new file mode 100644 index 0000000..7104e31 --- /dev/null +++ b/go.sum 
@@ -0,0 +1,369 @@ +cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= +cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= +github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= +github.com/DataDog/datadog-go v3.2.0+incompatible/go.mod h1:LButxg5PwREeZtORoXG3tL4fMGNddJ+vMq1mwgfaqoQ= +github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc= +github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc= +github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0= +github.com/alecthomas/units v0.0.0-20190717042225-c3de453c63f4/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0= +github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY= +github.com/armon/go-metrics v0.3.9 h1:O2sNqxBdvq8Eq5xmzljcYzAORli6RWCvEym4cJf9m18= +github.com/armon/go-metrics v0.3.9/go.mod h1:4O98XIr/9W0sxpJ8UaYkvjk10Iff7SnFrb4QAOwNTFc= +github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8= +github.com/armon/go-radix v1.0.0 h1:F4z6KzEeeQIMeLFa97iZU6vupzoecKdU5TX24SNppXI= +github.com/armon/go-radix v1.0.0/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8= +github.com/benbjohnson/clock v1.1.0 h1:Q92kusRqC1XV2MjkWETPvjJVqKetz1OzxZB7mHJLju8= +github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA= +github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q= +github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8= +github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw= +github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs= 
+github.com/cenkalti/backoff/v3 v3.0.0 h1:ske+9nBpD9qZsTBoF41nW5L+AIuFBKMeze18XQ3eG1c= +github.com/cenkalti/backoff/v3 v3.0.0/go.mod h1:cIeZDE3IrqwwJl6VUwCN6trj1oXrTS4rc0ij+ULvLYs= +github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= +github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= +github.com/circonus-labs/circonus-gometrics v2.3.1+incompatible/go.mod h1:nmEj6Dob7S7YxXgwXpfOuvO54S+tGdZdw9fuRZt25Ag= +github.com/circonus-labs/circonusllhist v0.1.3/go.mod h1:kMXHVDlOchFAehlya5ePtbp5jckzBHf4XRpQvBOLI+I= +github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= +github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc= +github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk= +github.com/cncf/xds/go v0.0.0-20210805033703-aa0b78936158/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= +github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= +github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= +github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= +github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= +github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98= +github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk= +github.com/envoyproxy/go-control-plane v0.9.10-0.20210907150352-cf90f659a021/go.mod h1:AFq3mo9L8Lqqiid3OhADV3RfLJnjiw63cSpi+fDTRC0= 
+github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= +github.com/evanphx/json-patch/v5 v5.5.0/go.mod h1:G79N1coSVB93tBe7j6PhzjmR3/2VvlbKOFpnXhI9Bw4= +github.com/fatih/color v1.7.0 h1:DkWD4oS2D8LGGgTQ6IvwJJXSL5Vp2ffcQg58nFV38Ys= +github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4= +github.com/fatih/structs v1.1.0 h1:Q7juDM0QtcnhCpeyLGQKyg4TOIghuNXrkL32pHAUMxo= +github.com/fatih/structs v1.1.0/go.mod h1:9NiDSp5zOcgEDl+j00MP/WkGVPOlPRLejGD8Ga6PJ7M= +github.com/frankban/quicktest v1.10.0/go.mod h1:ui7WezCLWMWxVWr1GETZY3smRy0G4KWq9vcPtJmFl7Y= +github.com/frankban/quicktest v1.13.0 h1:yNZif1OkDfNoDfb9zZa9aXIpejNR4F23Wely0c+Qdqk= +github.com/frankban/quicktest v1.13.0/go.mod h1:qLE0fzW0VuyUAJgPU19zByoIr0HtCHN/r/VLSOOIySU= +github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= +github.com/go-asn1-ber/asn1-ber v1.3.1/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0= +github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= +github.com/go-kit/kit v0.9.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= +github.com/go-ldap/ldap/v3 v3.1.10/go.mod h1:5Zun81jBTabRaI8lzN7E1JjyEl1g6zI6u9pd8luAK4Q= +github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE= +github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk= +github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= +github.com/go-test/deep v1.0.2 h1:onZX1rnHT3Wv6cqNgYyFOOlgVKJrksuCMCRvJStbMYw= +github.com/go-test/deep v1.0.2/go.mod h1:wGDj63lr65AM2AQyKZd/NYHGb0R+1RLqB8NKt3aSFNA= +github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ= +github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= +github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= 
+github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.3.3/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw= +github.com/golang/protobuf v1.3.4/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw= +github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8= +github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA= +github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs= +github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w= +github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0= +github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8= +github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= +github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= +github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk= +github.com/golang/protobuf v1.5.2 h1:ROPKBNFfQgOUMifHyP+KYbvpjbdoFNs+aK7DXlji0Tw= +github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= +github.com/golang/snappy v0.0.4 h1:yAGX7huGHXlcLOEtBnF4w7FQwA26wojNCwOYAEhLjQM= +github.com/golang/snappy v0.0.4/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= +github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= +github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= +github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= +github.com/google/go-cmp v0.4.0/go.mod 
h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.5 h1:Khx7svrCpmxxtHBq5j2mp/xVjsi8hQMfNLvJFAlrGgU= +github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= +github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw= +github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= +github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I= +github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= +github.com/hashicorp/go-cleanhttp v0.5.0/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80= +github.com/hashicorp/go-cleanhttp v0.5.1/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80= +github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ= +github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48= +github.com/hashicorp/go-hclog v0.9.2/go.mod h1:5CU+agLiy3J7N7QjHK5d05KxGsuXiQLrjA0H7acj2lQ= +github.com/hashicorp/go-hclog v0.14.1/go.mod h1:whpDNt7SSdeAju8AWKIWsul05p54N/39EeqMAyrmvFQ= +github.com/hashicorp/go-hclog v0.16.2 h1:K4ev2ib4LdQETX5cSZBG0DVLk1jwGqSPXBjdah3veNs= +github.com/hashicorp/go-hclog v0.16.2/go.mod h1:whpDNt7SSdeAju8AWKIWsul05p54N/39EeqMAyrmvFQ= +github.com/hashicorp/go-immutable-radix v1.0.0/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60= +github.com/hashicorp/go-immutable-radix v1.3.1 h1:DKHmCUm2hRBK510BaiZlwvpD40f8bJFeZnpfm2KLowc= +github.com/hashicorp/go-immutable-radix v1.3.1/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60= +github.com/hashicorp/go-kms-wrapping/entropy v0.1.0/go.mod 
h1:d1g9WGtAunDNpek8jUIEJnBlbgKS1N2Q61QkHiZyR1g= +github.com/hashicorp/go-multierror v1.0.0/go.mod h1:dHtQlpGsu+cZNNAkkCN/P3hoUDHhCYQXV3UM06sGGrk= +github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo= +github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM= +github.com/hashicorp/go-plugin v1.4.3 h1:DXmvivbWD5qdiBts9TpBC7BYL1Aia5sxbRgQB+v6UZM= +github.com/hashicorp/go-plugin v1.4.3/go.mod h1:5fGEH17QVwTTcR0zV7yhDPLLmFX9YSZ38b18Udy6vYQ= +github.com/hashicorp/go-retryablehttp v0.5.3/go.mod h1:9B5zBasrRhHXnJnui7y6sL7es7NDiJgTc6Er0maI1Xs= +github.com/hashicorp/go-retryablehttp v0.6.6 h1:HJunrbHTDDbBb/ay4kxa1n+dLmttUlnP3V9oNE4hmsM= +github.com/hashicorp/go-retryablehttp v0.6.6/go.mod h1:vAew36LZh98gCBJNLH42IQ1ER/9wtLZZ8meHqQvEYWY= +github.com/hashicorp/go-rootcerts v1.0.2 h1:jzhAVGtqPKbwpyCPELlgNWhE1znq+qwJtW5Oi2viEzc= +github.com/hashicorp/go-rootcerts v1.0.2/go.mod h1:pqUvnprVnM5bf7AOirdbb01K4ccR319Vf4pU3K5EGc8= +github.com/hashicorp/go-secure-stdlib/base62 v0.1.1/go.mod h1:EdWO6czbmthiwZ3/PUsDV+UD1D5IRU4ActiaWGwt0Yw= +github.com/hashicorp/go-secure-stdlib/mlock v0.1.1 h1:cCRo8gK7oq6A2L6LICkUZ+/a5rLiRXFMf1Qd4xSwxTc= +github.com/hashicorp/go-secure-stdlib/mlock v0.1.1/go.mod h1:zq93CJChV6L9QTfGKtfBxKqD7BqqXx5O04A/ns2p5+I= +github.com/hashicorp/go-secure-stdlib/parseutil v0.1.1/go.mod h1:QmrqtbKuxxSWTN3ETMPuB+VtEiBJ/A9XhoYGv8E1uD8= +github.com/hashicorp/go-secure-stdlib/parseutil v0.1.5/go.mod h1:QmrqtbKuxxSWTN3ETMPuB+VtEiBJ/A9XhoYGv8E1uD8= +github.com/hashicorp/go-secure-stdlib/parseutil v0.1.6 h1:om4Al8Oy7kCm/B86rLCLah4Dt5Aa0Fr5rYBG60OzwHQ= +github.com/hashicorp/go-secure-stdlib/parseutil v0.1.6/go.mod h1:QmrqtbKuxxSWTN3ETMPuB+VtEiBJ/A9XhoYGv8E1uD8= +github.com/hashicorp/go-secure-stdlib/password v0.1.1/go.mod h1:9hH302QllNwu1o2TGYtSk8I8kTAN0ca1EHpwhm5Mmzo= +github.com/hashicorp/go-secure-stdlib/strutil v0.1.1/go.mod h1:gKOamz3EwoIoJq7mlMIRBpVTAUn8qPCrEclOKKWhD3U= 
+github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 h1:kes8mmyCpxJsI7FTwtzRqEy9CdjCtrXrXGuOpxEA7Ts= +github.com/hashicorp/go-secure-stdlib/strutil v0.1.2/go.mod h1:Gou2R9+il93BqX25LAKCLuM+y9U2T4hlwvT1yprcna4= +github.com/hashicorp/go-secure-stdlib/tlsutil v0.1.1/go.mod h1:l8slYwnJA26yBz+ErHpp2IRCLr0vuOMGBORIz4rRiAs= +github.com/hashicorp/go-sockaddr v1.0.2 h1:ztczhD1jLxIRjVejw8gFomI1BQZOe2WoVOu0SyteCQc= +github.com/hashicorp/go-sockaddr v1.0.2/go.mod h1:rB4wwRAUzs07qva3c5SdrY/NEtAUjGlgmH/UkBUC97A= +github.com/hashicorp/go-uuid v1.0.0/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro= +github.com/hashicorp/go-uuid v1.0.2 h1:cfejS+Tpcp13yd5nYHWDI6qVCny6wyX2Mt5SGur2IGE= +github.com/hashicorp/go-uuid v1.0.2/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro= +github.com/hashicorp/go-version v1.2.0 h1:3vNe/fWF5CBgRIguda1meWhsZHy3m8gCJ5wx+dIzX/E= +github.com/hashicorp/go-version v1.2.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA= +github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= +github.com/hashicorp/golang-lru v0.5.4 h1:YDjusn29QI/Das2iO9M0BHnIbxPeyuCHsjMW+lJfyTc= +github.com/hashicorp/golang-lru v0.5.4/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uGBxy+E8yxSoD4= +github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4= +github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ= +github.com/hashicorp/vault/api v1.3.0/go.mod h1:EabNQLI0VWbWoGlA+oBLC8PXmR9D60aUVgQGvangFWQ= +github.com/hashicorp/vault/api v1.7.1 h1:uUpxcZO3XV1Sb96dEtT+tZlSpV7U/zEi0NoksM7lU5M= +github.com/hashicorp/vault/api v1.7.1/go.mod h1:TlKWwxZySuDARVFz/H0sf6rgWddIlX4t4DO9baT2nXc= +github.com/hashicorp/vault/api/auth/approle v0.1.1 h1:R5yA+xcNvw1ix6bDuWOaLOq2L4L77zDCVsethNw97xQ= +github.com/hashicorp/vault/api/auth/approle v0.1.1/go.mod h1:mHOLgh//xDx4dpqXoq6tS8Ob0FoCFWLU2ibJ26Lfmag= +github.com/hashicorp/vault/sdk v0.3.0/go.mod h1:aZ3fNuL5VNydQk8GcLJ2TV8YCRVvyaakYkhZRoVuhj0= 
+github.com/hashicorp/vault/sdk v0.5.0 h1:EED7p0OCU3OY5SAqJwSANofY1YKMytm+jDHDQ2EzGVQ= +github.com/hashicorp/vault/sdk v0.5.0/go.mod h1:UJZHlfwj7qUJG8g22CuxUgkdJouFrBNvBHCyx8XAPdo= +github.com/hashicorp/yamux v0.0.0-20180604194846-3520598351bb h1:b5rjCoWHc7eqmAS4/qyk21ZsHyb6Mxv/jykxvNTkU4M= +github.com/hashicorp/yamux v0.0.0-20180604194846-3520598351bb/go.mod h1:+NfK9FKeTrX5uv1uIXGdwYDTeHna2qgaIlx54MXqjAM= +github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI= +github.com/jhump/protoreflect v1.6.0 h1:h5jfMVslIg6l29nsMs0D8Wj17RDVdNYti0vDN/PZZoE= +github.com/jhump/protoreflect v1.6.0/go.mod h1:eaTn3RZAmMBcV0fifFvlm6VHNz3wSkYyXYWUh7ymB74= +github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU= +github.com/json-iterator/go v1.1.9/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= +github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w= +github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= +github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc= +github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= +github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= +github.com/kr/pretty v0.2.1 h1:Fmg33tUaq4/8ym9TJN1x7sLJnHVwhP33CNkpYV/7rwI= +github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= +github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= +github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= +github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= +github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= +github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU= +github.com/mattn/go-colorable v0.1.4/go.mod 
h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE= +github.com/mattn/go-colorable v0.1.6 h1:6Su7aK7lXmJ/U79bYtBjLNaha4Fs1Rg9plHpcH+vvnE= +github.com/mattn/go-colorable v0.1.6/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc= +github.com/mattn/go-isatty v0.0.3/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4= +github.com/mattn/go-isatty v0.0.8/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s= +github.com/mattn/go-isatty v0.0.10/go.mod h1:qgIWMr58cqv1PHHyhnkY9lrL7etaEgOFcMEpPG5Rm84= +github.com/mattn/go-isatty v0.0.12 h1:wuysRhFDzyxgEmMf5xjvJ2M9dZoWAXNNr5LSBS7uHXY= +github.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Kysco4FUpU= +github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0= +github.com/mitchellh/cli v1.0.0/go.mod h1:hNIlj7HEI86fIcpObd7a0FcrxTWetlwJDGcceTlRvqc= +github.com/mitchellh/copystructure v1.0.0 h1:Laisrj+bAB6b/yJwB5Bt3ITZhGJdqmxquMKeZ+mmkFQ= +github.com/mitchellh/copystructure v1.0.0/go.mod h1:SNtv71yrdKgLRyLFxmLdkAbkKEFWgYaq1OVrnRcwhnw= +github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y= +github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= +github.com/mitchellh/go-testing-interface v0.0.0-20171004221916-a61a99592b77/go.mod h1:kRemZodwjscx+RGhAo8eIhFbs2+BFgRtFPeD/KE+zxI= +github.com/mitchellh/go-testing-interface v1.0.0 h1:fzU/JVNcaqHQEcVFAKeR41fkiLdIPrefOvVG1VZ96U0= +github.com/mitchellh/go-testing-interface v1.0.0/go.mod h1:kRemZodwjscx+RGhAo8eIhFbs2+BFgRtFPeD/KE+zxI= +github.com/mitchellh/go-wordwrap v1.0.0/go.mod h1:ZXFpozHsX6DPmq2I0TCekCxypsnAUbP2oI0UX1GXzOo= +github.com/mitchellh/mapstructure v1.4.1/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= +github.com/mitchellh/mapstructure v1.4.2/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= +github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY= +github.com/mitchellh/mapstructure 
v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= +github.com/mitchellh/reflectwalk v1.0.0 h1:9D+8oIskB4VJBN5SFlmc27fSlIBZaov1Wpk/IfikLNY= +github.com/mitchellh/reflectwalk v1.0.0/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw= +github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= +github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= +github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= +github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= +github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U= +github.com/oklog/run v1.0.0 h1:Ru7dDtJNOyC66gQ5dQmaCa0qIsAUFY3sFpK1Xk8igrw= +github.com/oklog/run v1.0.0/go.mod h1:dlhp/R75TPv97u0XWUtDeV/lRKWPKSdTuV0TZvrmrQA= +github.com/pascaldekloe/goe v0.1.0 h1:cBOtyMzM9HTpWjXfbbunk26uA6nG3a8n06Wieeh0MwY= +github.com/pascaldekloe/goe v0.1.0/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc= +github.com/pierrec/lz4 v2.5.2+incompatible h1:WCjObylUIOlKy/+7Abdn34TLIkXiA4UWUMhxq9m9ZXI= +github.com/pierrec/lz4 v2.5.2+incompatible/go.mod h1:pdkljMzZIN41W+lC3N2tnIh5sFi+IEE17M5jbnwPHcY= +github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= +github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= +github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= +github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= +github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= +github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/posener/complete v1.1.1/go.mod h1:em0nMJCgc9GFtwrmVmEMR/ZL6WyhyjMBndrE9hABlRI= +github.com/prometheus/client_golang 
v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw= +github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo= +github.com/prometheus/client_golang v1.4.0/go.mod h1:e9GMxYsXl05ICDXkRhurwBS4Q3OK1iX/F2sw+iXX5zU= +github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo= +github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= +github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= +github.com/prometheus/client_model v0.2.0/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= +github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4= +github.com/prometheus/common v0.9.1/go.mod h1:yhUN8i9wzaXS3w1O07YhxHEBxD+W35wd8bs7vj7HSQ4= +github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= +github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= +github.com/prometheus/procfs v0.0.8/go.mod h1:7Qr8sr6344vo1JqZ6HhLceV9o3AJ1Ff+GxbHq6oeK9A= +github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ= +github.com/ryanuber/columnize v2.1.0+incompatible/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts= +github.com/ryanuber/go-glob v1.0.0 h1:iQh3xXAumdQ+4Ufa5b25cRpC5TYKlno6hsv6Cb3pkBk= +github.com/ryanuber/go-glob v1.0.0/go.mod h1:807d1WSdnB0XRJzKNil9Om6lcp/3a0v4qIHxIXzX/Yc= +github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo= +github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE= +github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= +github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= +github.com/stretchr/objx v0.2.0 
h1:Hbg2NidpLE8veEBkEZTL3CvlkUIVzuU9jDplZO54c48= +github.com/stretchr/objx v0.2.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE= +github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= +github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= +github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= +github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA= +github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY= +github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= +github.com/tv42/httpunix v0.0.0-20150427012821-b75d8614f926/go.mod h1:9ESjWnEqriFuLhtthL60Sar/7RFoluCcXsuvEwTV5KM= +github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k= +go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqeYNgFYFoEGnI= +go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc= +go.uber.org/atomic v1.9.0 h1:ECmE8Bn/WFTYwEW/bpKD3M8VtR/zQVbavAoalC1PYyE= +go.uber.org/atomic v1.9.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc= +go.uber.org/goleak v1.1.11 h1:wy28qYRKZgnJTxGxvye5/wgWr1EKjmUDGYox5mGlRlI= +go.uber.org/goleak v1.1.11/go.mod h1:cwTWslyiVhfpKIDGSZEM2HlOvcqm+tG4zioyIeLoqMQ= +go.uber.org/multierr v1.6.0 h1:y6IPFStTAIT5Ytl7/XYmHvzXQ7S3g/IeZW9hyZ5thw4= +go.uber.org/multierr v1.6.0/go.mod h1:cdWPpRnG4AhwMwsgIHip0KRBQjJy5kYEpYjJxpXp9iU= +go.uber.org/zap v1.21.0 h1:WefMeulhovoZ2sYXz7st6K0sLj7bBhpiFaud4r4zST8= +go.uber.org/zap v1.21.0/go.mod h1:wjWOCqI0f2ZZrJF/UufIOkiC8ii6tm1iqIsLo76RfJw= +golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= +golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= +golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod 
h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= +golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= +golang.org/x/crypto v0.0.0-20210921155107-089bfa567519 h1:7I4JAnoQBe7ZtJcBaYHi5UtiO8tQHbUSXxL+pnGRANg= +golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= +golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= +golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= +golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU= +golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= +golang.org/x/lint v0.0.0-20190930215403-16217165b5de/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= +golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= +golang.org/x/net v0.0.0-20180530234432-1e491301e022/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net 
v0.0.0-20190613194153-d28f0bde5980/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= +golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= +golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4 h1:4nGaVu0QrbjT/AK2PRLuQfQuh6DJve+pELhqTdAj3x0= +golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM= +golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= +golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= +golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod 
h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191008105621-543471e840be/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200122134326-e047566fdf82/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c h1:F1jZWGFhYfh0Ci55sIpILtKKK8p3i2/krTr0H1rg74I= +golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= +golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/text v0.3.7 h1:olpwvP2KacW1ZWvsR7uQhoyTYvKAupfQrRGBFM352Gk= +golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= +golang.org/x/time 
v0.0.0-20200416051211-89c76fbcd5d1 h1:NusfzzA6yGQ+ua51ck7E3omNUX/JuqbFSaRGqU8CcLI= +golang.org/x/time v0.0.0-20200416051211-89c76fbcd5d1/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY= +golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= +golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= +golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= +golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 h1:go1bK/D/BFZV2I8cIQd1NKEZ+0owSTG1fDTci4IqFcE= +golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= +google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= +google.golang.org/genproto v0.0.0-20170818010345-ee236bd376b0/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= +google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= +google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod 
h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= +google.golang.org/genproto v0.0.0-20200513103714-09dca8ec2884/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= +google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013 h1:+kGHl1aib/qcwaRi1CbqBZ1rk19r85MNUf8HaBghugY= +google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo= +google.golang.org/grpc v1.8.0/go.mod h1:yo6s7OP7yaDglbqo1J04qKzAhqBH6lvTonzMVmEdcZw= +google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= +google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= +google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY= +google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= +google.golang.org/grpc v1.27.1/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= +google.golang.org/grpc v1.33.1/go.mod h1:fr5YgcSWrqhRRxogOsw7RzIpsmvOZ6IcH4kBYTpR3n0= +google.golang.org/grpc v1.36.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU= +google.golang.org/grpc v1.41.0 h1:f+PlOh7QV4iIJkPrx5NQ7qaNGFQ3OTse67yaDHfju4E= +google.golang.org/grpc v1.41.0/go.mod h1:U3l9uK9J0sini8mHphKoXyaqDA/8VyGnDee1zzIUK6k= +google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= +google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= +google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= +google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE= +google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo= +google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= +google.golang.org/protobuf v1.23.0/go.mod 
h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= +google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= +google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c= +google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= +google.golang.org/protobuf v1.26.0 h1:bxAC2xTBsZGibn2RTntX0oH50xLsqy1OxA9tTL3p/lk= +google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= +gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw= +gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 h1:YR8cESwS4TdDjEe65xsg0ogRM/Nc3DYOhEAlW+xobZo= +gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/square/go-jose.v2 v2.5.1 h1:7odma5RETjNHWJnR32wx8t+Io4djHE1PqxCFx3iiZ2w= +gopkg.in/square/go-jose.v2 v2.5.1/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI= +gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.2.3/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.2.5/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.2.8 h1:obN1ZagJSUGI0Ek/LBmuj4SNLPfIny3KsKFopxRdj10= +gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b h1:h8qDotaEPuJATrMmW04NCwg7v22aHH28wwpauUhK9Oo= 
+gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= +honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= diff --git a/hack/release.sh b/hack/release.sh new file mode 100644 index 0000000..b5a5cb8 --- /dev/null +++ b/hack/release.sh 
@@ -0,0 +1,53 @@
+#!/usr/bin/env bash
+
+# Copyright 2018 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+PROJECT="github.com/fraima/key-keeper"
+VERSION=$(git describe --abbrev=0 --tag)
+
+TOOLS_ROOT="$GOPATH/src/$PROJECT"
+OUTPUTDIR=$TOOLS_ROOT/_output/releases
+mkdir -p "$OUTPUTDIR"
+
+GO_LDFLAGS="-X ${PROJECT}/pkg/version.Version=${VERSION}"
+
+os="linux"
+arch=$(basename "linux/amd64")
+
+KEY_KEEPER_BIN="key-keeper"
+
+output_bin=${TOOLS_ROOT}/_output/bin/$arch-$os/${KEY_KEEPER_BIN}
+
+GOARCH="$arch" GOOS="$os" CGO_ENABLED=0 go build \
+-o ${output_bin} \
+-ldflags "${GO_LDFLAGS}" \
+cmd/key-keeper/main.go
+
+file ${output_bin}
+tar zcf "$OUTPUTDIR/key-keeper-$VERSION-$os-$arch.tar.gz" \
+-C ${TOOLS_ROOT}/_output/bin/$arch-$os \
+${KEY_KEEPER_BIN}
+
+
+printf "\n## Downloads\n\n" | tee -a release-notes.md
+echo "| file | sha256 | sha512" | tee -a release-notes.md
+echo "| ---- | ------ | ------" | tee -a release-notes.md
+
+for file in "$OUTPUTDIR"/*.tar.gz; do
+ SHA256=$(shasum -a 256 "$file" | sed -e "s,$file,," | awk '{print $1}' | tee "$file.sha256")
+ SHA512=$(shasum -a 512 "$file" | sed -e "s,$file,," | awk '{print $1}' | tee "$file.sha512")
+ BASE=$(basename "$file")
+ echo "| $BASE | $SHA256 | $SHA512 |" | tee -a release-notes.md
+done
diff --git a/internal/config/config.go b/internal/config/config.go
new file mode 100644
index 0000000..bdd38e5
--- /dev/null
+++ b/internal/config/config.go
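Review bot: The script never sets `set -euo pipefail`, so a failed `go build` does not stop it and the `tar` and checksum steps run over whatever already sits in `$OUTPUTDIR`, which `mkdir -p` does not clear; a stale tarball from an earlier run would then be published with freshly computed checksums and a release-notes row that looks authoritative. Add `set -euo pipefail` right after the shebang, remove the previous contents of `$OUTPUTDIR` (or at least `${output_bin}`) before building, and quote `${output_bin}` and `${TOOLS_ROOT}` in the `go build -o` and `tar -C` arguments as the other paths already are. `GO_LDFLAGS` injects `${PROJECT}/pkg/version.Version` while the Dockerfile in this same commit injects `main.Version`; unless both symbols exist, one of the two is a silent no-op, so it is worth confirming which one `cmd/key-keeper` actually reads.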
@@ -0,0 +1,76 @@
+package config
+
+import (
+ "os"
+ "path/filepath"
+ "regexp"
+
+ "go.uber.org/zap"
+ "gopkg.in/yaml.v3"
+)
+
+type config struct {
+ dir string
+ reg *regexp.Regexp
+
+ oldConfig map[string]struct{}
+}
+
+// New return interface for work with config.
+func New(configDir, configNameLayout string) (*config, error) {
+ reg, err := regexp.Compile(configNameLayout)
+ if err != nil {
+ return nil, err
+ }
+
+ return &config{
+ dir: configDir,
+ reg: reg,
+
+ oldConfig: make(map[string]struct{}),
+ }, nil
+}
+
+// GetNewConfig return new config from config dir.
+func (s *config) GetNewConfig() (cfg Config, err error) {
+ list, err := s.getNewConfigFiles()
+ if err != nil {
+ return
+ }
+
+ for _, path := range list {
+ data, err := os.ReadFile(path)
+ if err != nil {
+ zap.L().Error("read config file", zap.String("path", path), zap.Error(err))
+ continue
+ }
+
+ var tmpCfg Config
+ if err = yaml.Unmarshal(data, &tmpCfg); err != nil {
+ zap.L().Error("unmarshal config file", zap.String("path", path), zap.Error(err))
+ continue
+ }
+
+ cfg.Issuers = append(cfg.Issuers, tmpCfg.Issuers...)
+ cfg.Resource.Certificates = append(cfg.Resource.Certificates, tmpCfg.Resource.Certificates...)
+ cfg.Resource.Secrets = append(cfg.Resource.Secrets, tmpCfg.Resource.Secrets...)
+ s.oldConfig[path] = struct{}{}
+ }
+ return
+}
+
+func (s *config) getNewConfigFiles() ([]string, error) {
+ var newConfigFiles []string
+ err := filepath.Walk(s.dir, func(path string, info os.FileInfo, err error) error {
+ if err != nil {
+ return nil
+ }
+
+ _, isOld := s.oldConfig[path]
+ if !isOld && !info.IsDir() && s.reg.Match([]byte(info.Name())) {
+ newConfigFiles = append(newConfigFiles, path)
+ }
+ return nil
+ })
+ return newConfigFiles, err
+}
diff --git a/internal/config/types.go b/internal/config/types.go
new file mode 100644
index 0000000..c41a354
--- /dev/null
+++ b/internal/config/types.go
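Review bot: In `getNewConfigFiles` the walk callback turns every error into `return nil`, so the `err` that `filepath.Walk` hands back is always nil and an unreadable or missing `s.dir` produces an empty list with no diagnostic; the daemon then starts with zero issuers and resources while `Start` still reports success. Either propagate it, `if err != nil { return err }`, so the caller's `refresh_resources` log shows it, or at minimum log it at warning level before skipping the entry. `s.reg.Match` is unanchored, so a layout such as `\.yaml` also selects `foo.yaml.bak`; anchoring the layout, or documenting on `New` that `configNameLayout` is matched as a substring of the file name, makes that explicit, and `s.reg.MatchString(info.Name())` avoids the byte-slice conversion. The comment on `New` says it returns an interface, but it returns the unexported `*config`; a doc sentence naming `GetNewConfig` as the intended entry point would be more accurate.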
@@ -0,0 +1,114 @@
+package config
+
+import "time"
+
+type Config struct {
+ Issuers []Issuer `yaml:"issuers"`
+ Resource Resources `yaml:",inline"`
+}
+
+type Issuer struct {
+ Name string `yaml:"name"`
+ Vault Vault `yaml:"vault"`
+}
+
+type Resources struct {
+ Certificates []Certificate `yaml:"certificates"`
+ Secrets []Secret `yaml:"secrets"`
+}
+
+type Certificate struct {
+ Name string `yaml:"name"`
+ IssuerRef IssuerRef `yaml:"issuerRef"`
+ IsCA bool `yaml:"isCa"`
+ CA CA `yaml:"ca"`
+ Spec Spec `yaml:"spec"`
+ HostPath string `yaml:"hostPath"`
+ WithUpdate bool `yaml:"withUpdate"`
+ RenewBefore time.Duration `yaml:"renewBefore"`
+ Trigger [][]string `yaml:"trigger"`
+}
+
+type Secret struct {
+ Name string `yaml:"name"`
+ IssuerRef IssuerRef `yaml:"issuerRef"`
+ Key string `yaml:"key"`
+ HostPath string `yaml:"hostPath"`
+}
+
+type Vault struct {
+ Server string `yaml:"server"`
+ Auth Auth `yaml:"auth"`
+ Resource Resource `yaml:"resource"`
+}
+
+type Auth struct {
+ TLSInsecure bool `yaml:"tlsInsecure"`
+ CABundle string `yaml:"caBundle"`
+ Bootstrap Bootstrap `yaml:"bootstrap"`
+ AppRole AppRole `yaml:"appRole"`
+}
+
+type Bootstrap struct {
+ Token string `yaml:"token"`
+ File string `yaml:"file"`
+}
+
+type AppRole struct {
+ Name string `yaml:"name"`
+ Path string `yaml:"path"`
+ RoleIDLocalPath string `yaml:"roleIDLocalPath"`
+ SecretIDLocalPath string `yaml:"secretIDLocalPath"`
+}
+
+type Resource struct {
+ Role string `yaml:"role"`
+ CAPath string `yaml:"CAPath"`
+ RootCAPath string `yaml:"rootCAPath"`
+ KV KV `yaml:"kv"`
+}
+
+type KV struct {
+ Path string `yaml:"path"`
+}
+
+type IssuerRef struct {
+ Name string `yaml:"name"`
+}
+
+type CA struct {
+ ExportedKey bool `yaml:"exportedKey"`
+ Generate bool `yaml:"generate"`
+}
+
+type Spec struct {
+ Subject Subject `yaml:"subject"`
+ PrivateKey PrivateKey `yaml:"privateKey"`
+ Hostnames []string `yaml:"hostnames"`
+ IPAddresses IPAddresses `yaml:"ipAddresses"`
+ TTL string `yaml:"ttl"`
+}
+
+type Subject struct {
+ CommonName string `yaml:"commonName"`
+ Country []string `yaml:"country"`
+ Locality []string `yaml:"locality"`
+ Organization []string `yaml:"organization"`
+ OrganizationalUnit []string `yaml:"organizationalUnit"`
+ Province []string `yaml:"province"`
+ PostalCode []string `yaml:"postalCode"`
+ StreetAddress []string `yaml:"streetAddress"`
+ SerialNumber string `yaml:"serialNumber"`
+}
+
+type PrivateKey struct {
+ Algorithm string `yaml:"algorithm"`
+ Encoding string `yaml:"encoding"`
+ Size int `yaml:"size"`
+}
+
+type IPAddresses struct {
+ Static []string `yaml:"static"`
+ Interfaces []string `yaml:"interfaces"`
+ DNSLookup []string `yaml:"dnsLookup"`
+}
diff --git a/internal/controller/controller.go b/internal/controller/controller.go
new file mode 100644
index 0000000..16f7267
--- /dev/null
+++ b/internal/controller/controller.go
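Review bot: `Resource.CAPath` is tagged `yaml:"CAPath"` while every other key in this file, including its sibling `rootCAPath`, is lowerCamel; an operator following the rest of the schema will write `caPath` and the field silently stays empty, which for a CA mount path is not a harmless default. Since the file is new, `yaml:"caPath"` can still be changed without a compatibility concern. None of the exported types carry a doc comment; `Auth.TLSInsecure` (presumably disabling verification of the Vault server certificate) and `Bootstrap.Token` (a Vault credential written into the config file) in particular should say what they control and when `File` is used instead of `Token`, e.g. `// TLSInsecure skips verification of the Vault server certificate; intended for test setups only.`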
@@ -0,0 +1,126 @@
+package controller
+
+import (
+ "fmt"
+ "sync"
+ "time"
+
+ "go.uber.org/zap"
+
+ "github.com/fraima/key-keeper/internal/config"
+)
+
+type Issuer interface {
+ Name() string
+ AddResource(config.Resources)
+ EnsureResource()
+}
+
+type controller struct {
+ getConfig func() (config.Config, error)
+ issuerConnector func(cfg config.Issuer) (Issuer, error)
+
+ issuer sync.Map
+}
+
+// New returns controller.
+func New(
+ config func() (config.Config, error),
+ issuerConnector func(cfg config.Issuer) (Issuer, error),
+) *controller {
+ return &controller{
+ getConfig: config,
+ issuerConnector: issuerConnector,
+ }
+}
+
+// Start controller.
+func (s *controller) Start() error {
+ if err := s.getNewResource(); err != nil {
+ return err
+ }
+
+ // start getting new resources and issuers
+ go func() {
+ for range time.NewTicker(30 * time.Second).C {
+ if err := s.getNewResource(); err != nil {
+ zap.L().Error("refresh_resources", zap.Error(err))
+ }
+ }
+ }()
+
+ // start resource ensure
+ go func() {
+ for range time.NewTicker(30 * time.Second).C {
+ s.issuer.Range(func(key, value any) bool {
+ issuer := value.(Issuer)
+ zap.L().Debug("start_ensure", zap.String("issuer", issuer.Name()))
+ issuer.EnsureResource()
+ zap.L().Debug("finish_ensure", zap.String("issuer", issuer.Name()))
+ return true
+ })
+ }
+ }()
+
+ return nil
+}
+
+func (s *controller) getNewResource() error {
+ cfg, err := s.getConfig()
+ if err != nil {
+ return fmt.Errorf("get new configs: %w", err)
+ }
+
+ for _, issuer := range cfg.Issuers {
+ _, isExist := s.issuer.Load(issuer.Name)
+ if isExist {
+ zap.L().Error(
+ "issuer_connect",
+ zap.String("issuer_name", issuer.Name),
+ zap.String("status", "failed"),
+ zap.Error(errIssuerIsExist),
+ )
+ continue
+ }
+
+ conn, err := s.issuerConnector(issuer)
+ if err != nil {
+ zap.L().Error("issuer_connect", zap.String("issuer_name", issuer.Name), zap.Error(err))
+ continue
+ }
+
+ s.issuer.Store(issuer.Name, conn)
+
+ zap.L().Debug("issuer_connect", zap.String("issuer_name", issuer.Name))
+ }
+
+ resources := s.separateResourcesByIssuers(cfg.Resource)
+ for issuerName, rCfg := range resources {
+ issuer, isExist := s.issuer.Load(issuerName)
+ if !isExist {
+ zap.L().Error("add_resource", zap.String("issuer_name", issuerName), zap.Error(errIssuerIsNotExist))
+ continue
+ }
+ issuer.(Issuer).AddResource(rCfg)
+
+ zap.L().Debug("add_resource", zap.String("issuer_name", issuerName))
+ }
+ return nil
+}
+
+func (s *controller) separateResourcesByIssuers(cfg config.Resources) map[string]config.Resources {
+ r := make(map[string]config.Resources)
+
+ for _, cert := range cfg.Certificates {
+ resources := r[cert.IssuerRef.Name]
+ resources.Certificates = append(resources.Certificates, cert)
+ r[cert.IssuerRef.Name] = resources
+ }
+
+ for _, secret := range cfg.Secrets {
+ resources := r[secret.IssuerRef.Name]
+ resources.Secrets = append(resources.Secrets, secret)
+ r[secret.IssuerRef.Name] = resources
+ }
+ return r
+}
diff --git a/internal/controller/error.go b/internal/controller/error.go
new file mode 100644
index 0000000..4407ce5
--- /dev/null
+++ b/internal/controller/error.go
@@ -0,0 +1,8 @@
+package controller
+
+import "errors"
+
+var (
+ errIssuerIsExist = errors.New("issuer is exist")
+ errIssuerIsNotExist = errors.New("issuer is not exist")
+)
diff --git a/internal/issuer/vault/ca-certificate.go b/internal/issuer/vault/ca-certificate.go
new file mode 100644
index 0000000..6a1b802
--- /dev/null
+++ b/internal/issuer/vault/ca-certificate.go
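Review bot: The ensure loop in `Start` performs its first `EnsureResource` only when the 30 s ticker fires, so after a restart no certificate is checked or renewed for half a minute even though `getNewResource` has already loaded every issuer and resource; run the `s.issuer.Range(...)` body once before entering `for range ...C`, or restructure the loop as work-then-wait. `AddResource` is invoked from the refresh goroutine while `EnsureResource` runs in the ensure goroutine, so the `Issuer` interface should carry `// Implementations must be safe for concurrent use by multiple goroutines.` Both tickers are created inline and never stopped, and nothing can terminate either goroutine; taking a `context.Context` in `Start` and returning from the loops on `ctx.Done()` would give the controller a defined lifetime.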
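Review bot: The sentinel messages `issuer is exist` and `issuer is not exist` are ungrammatical and are emitted verbatim in the controller's error logs; `errors.New("issuer already exists")` and `errors.New("issuer does not exist")` read correctly and still follow the lowercase, no-trailing-punctuation convention.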
@@ -0,0 +1,124 @@
+package vault
+
+import (
+ "crypto/x509"
+ "fmt"
+ "path"
+ "time"
+
+ "go.uber.org/zap"
+
+ "github.com/fraima/key-keeper/internal/config"
+)
+
+func (s *vault) ensureCA(cert config.Certificate) {
+ logger := zap.L().With(zap.String("resource_type", "intermediate_ca"), zap.String("name", cert.Name))
+
+ var (
+ crt, key []byte
+ err error
+ )
+
+ defer func() {
+ if err := storeKeyPair(cert.HostPath, cert.Name, crt, key); err != nil {
+ logger.Error("store", zap.Error(err))
+ }
+ logger.Debug("store")
+ }()
+
+ crt, key, err = s.checkCA(cert, logger)
+ if err == nil {
+ return
+ }
+ logger.Warn("check", zap.Error(err))
+
+ if cert.CA.Generate {
+ crt, key, err = s.generateCA(cert)
+ if err != nil {
+ logger.Error("generate", zap.Error(err))
+ return
+ }
+ zap.L().Info("generated")
+ }
+}
+
+func (s *vault) checkCA(cert config.Certificate, l *zap.Logger) ([]byte, []byte, error) {
+ crt, key, err := s.readCA(s.caPath)
+ if crt == nil {
+ return nil, nil, fmt.Errorf("crt or key is empty path: %s", s.caPath)
+ }
+ if err == nil {
+ var ca *x509.Certificate
+ ca, err = parseCertificate(crt)
+ if err == nil {
+ if time.Until(ca.NotAfter) <= cert.RenewBefore {
+ err = fmt.Errorf("expired until(h) %f", time.Until(ca.NotAfter).Hours())
+ }
+ }
+ }
+ return crt, key, err
+}
+
+func (s *vault) readCA(vaultPath string) (crt, key []byte, err error) {
+ vaultPath = path.Join(vaultPath, "cert/ca_chain")
+ ica, err := s.cli.Read(vaultPath)
+ if ica != nil {
+ if c, ok := ica["certificate"]; ok {
+ crt = []byte(c.(string))
+ }
+ if k, ok := ica["private_key"]; ok {
+ key = []byte(k.(string))
+ }
+ }
+ return
+}
+
+func (s *vault) generateCA(cert config.Certificate) (crt, key []byte, err error) {
+ csrData := map[string]interface{}{
+ "common_name": fmt.Sprintf("%s Intermediate Authority", cert.Name),
+ "ttl": cert.Spec.TTL,
+ }
+
+ keyType := "internal"
+ if cert.CA.ExportedKey {
+ keyType = "exported"
+ }
+
+ vaultPath := path.Join(s.caPath, "intermediate/generate", keyType)
+ csr, err := s.cli.Write(vaultPath, csrData)
+ if err != nil {
+ err = fmt.Errorf("generate: %w", err)
+ return
+ }
+
+ icaData := map[string]interface{}{
+ "csr": csr["csr"],
+ "format": "pem_bundle",
+ "ttl": cert.Spec.TTL,
+ }
+
+ vaultPath = path.Join(s.rootCAPath, "root/sign-intermediate")
+ ica, err := s.cli.Write(vaultPath, icaData)
+ if err != nil {
+ err = fmt.Errorf("send the intermediate ca CSR to the root CA for signing CA: %w", err)
+ return
+ }
+
+ certData := map[string]interface{}{
+ "certificate": ica["certificate"],
+ }
+
+ vaultPath = path.Join(s.caPath, "intermediate/set-signed")
+ if _, err = s.cli.Write(vaultPath, certData); err != nil {
+ err = fmt.Errorf("publish the signed certificate back to the intermediate ca : %w", err)
+ return
+ }
+
+ if data, ok := ica["certificate"]; ok {
+ crt = []byte(data.(string))
+ }
+ if data, ok := csr["private_key"]; ok {
+ key = []byte(data.(string))
+ }
+ return
+}
diff --git a/internal/issuer/vault/certificate.go b/internal/issuer/vault/certificate.go
new file mode 100644
index 0000000..21300d3
--- /dev/null
+++ b/internal/issuer/vault/certificate.go
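Review bot: The deferred `storeKeyPair` in `ensureCA` runs on every exit path, including the ones where `checkCA` failed and `CA.Generate` is false or where `generateCA` returned an error and `crt`/`key` are nil; if `storeKeyPair` (defined outside this hunk) writes whatever it is given, an existing CA certificate and key on disk can be truncated by a transient Vault error, so the store should be conditional on the preceding step having succeeded — the same pattern appears in `ensureCertificate` in certificate.go, where the `generateCertificate` error is logged without returning before the store. `checkCA` tests `crt == nil` before looking at `err`, so when `s.cli.Read` fails the real cause is dropped and the log only shows `crt or key is empty path`; check the error first, `if err != nil { return nil, nil, fmt.Errorf("read ca %s: %w", s.caPath, err) }`, and keep the empty check for the nil-error case. The `c.(string)`, `k.(string)` and `data.(string)` assertions in `readCA` and `generateCA` panic if Vault ever returns a non-string for those keys; the two-value form with an error return is the safe shape. As far as I know Vault's PKI `cert/ca_chain` endpoint returns no `private_key`, so `readCA` would always yield a nil key and an exported CA key is only ever written at generation time; worth confirming against the Vault API.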
@@ -0,0 +1,244 @@
+package vault
+
+import (
+ "crypto/rand"
+ "crypto/rsa"
+ "crypto/x509"
+ "crypto/x509/pkix"
+ "encoding/pem"
+ "errors"
+ "fmt"
+ "net"
+ "os"
+ "os/exec"
+ "path"
+ "regexp"
+ "strings"
+ "time"
+
+ "go.uber.org/zap"
+
+ "github.com/fraima/key-keeper/internal/config"
+)
+
+func (s *vault) ensureCertificate(cert config.Certificate) {
+ logger := zap.L().With(zap.String("resource_type", "certificate"), zap.String("name", cert.Name))
+
+ err := checkCertificate(cert, logger)
+ if err == nil {
+ return
+ }
+ zap.L().Warn("ensure", zap.Error(err))
+
+ if os.IsNotExist(err) || cert.WithUpdate {
+ crt, key, err := s.generateCertificate(cert.Spec)
+ if err != nil {
+ zap.L().Error("generate", zap.Error(err))
+ }
+
+ err = storeKeyPair(cert.HostPath, cert.Name, crt, key)
+ if err != nil {
+ zap.L().Error("store", zap.Error(err))
+ return
+ }
+
+ trigger(cert.Trigger, logger)
+ zap.L().Debug("generated")
+ }
+}
+
+func (s *vault) generateCertificate(certSpec config.Spec) ([]byte, []byte, error) {
+ csr, key, err := s.createCSR(certSpec)
+ if err != nil {
+ return nil, nil, fmt.Errorf("create csr: %w", err)
+ }
+
+ certData := map[string]interface{}{
+ "csr": string(csr),
+ "ttl": certSpec.TTL,
+ }
+
+ vaultPath := path.Join(s.caPath, "sign", s.role)
+ cert, err := s.cli.Write(vaultPath, certData)
+ if err != nil {
+ return nil, nil, fmt.Errorf("generate with vault path %s : %w", vaultPath, err)
+ }
+
+ if crt, ok := cert["certificate"]; ok {
+ return []byte(crt.(string)), key, nil
+ }
+
+ return nil, nil, fmt.Errorf("certificate block not found")
+}
+
+func (s *vault) createCSR(spec config.Spec) (crt, key []byte, err error) {
+ pk, err := rsa.GenerateKey(rand.Reader, spec.PrivateKey.Size)
+ if err != nil {
+ err = fmt.Errorf("generate key: %w", err)
+ return
+ }
+
+ commonName, err := getCommonName(spec.Subject.CommonName)
+ if err != nil {
+ err = fmt.Errorf("get common name: %w", err)
+ return
+ }
+
+ ips, err := getIPAddresses(spec.IPAddresses)
+ if err != nil {
+ err = fmt.Errorf("get ip addresses: %w", err)
+ return
+ }
+
+ dnsNames, err := getDNSNames(spec.Hostnames)
+ if err != nil {
+ err = fmt.Errorf("get hostname: %w", err)
+ return
+ }
+
+ template := x509.CertificateRequest{
+ Subject: pkix.Name{
+ CommonName: commonName,
+ Country: spec.Subject.Country,
+ Locality: spec.Subject.Locality,
+ Organization: spec.Subject.Organization,
+ OrganizationalUnit: spec.Subject.OrganizationalUnit,
+ Province: spec.Subject.Province,
+ PostalCode: spec.Subject.PostalCode,
+ StreetAddress: spec.Subject.StreetAddress,
+ SerialNumber: spec.Subject.SerialNumber,
+ },
+ IPAddresses: ips,
+ DNSNames: dnsNames,
+ SignatureAlgorithm: x509.SHA256WithRSA,
+ }
+
+ csr, err := x509.CreateCertificateRequest(rand.Reader, &template, pk)
+ if err != nil {
+ err = fmt.Errorf("create request: %w", err)
+ return
+ }
+
+ crt = pem.EncodeToMemory(
+ &pem.Block{
+ Type: "CERTIFICATE REQUEST",
+ Bytes: csr,
+ },
+ )
+ key = pem.EncodeToMemory(
+ &pem.Block{
+ Type: "RSA PRIVATE KEY",
+ Bytes: x509.MarshalPKCS1PrivateKey(pk),
+ },
+ )
+ return
+}
+
+func getCommonName(src string) (string, error) {
+ hostname, err := os.Hostname()
+ return strings.ReplaceAll(src, "$HOSTNAME", hostname), err
+}
+
+func getIPAddresses(cfg config.IPAddresses) ([]net.IP, error) {
+ ipAddresses := make(map[string]net.IP)
+
+ for _, ip := range cfg.Static {
+ netIP := net.ParseIP(ip)
+ if netIP.To4() != nil {
+ ipAddresses[ip] = netIP
+ }
+ }
+
+ ifaces, err := net.Interfaces()
+ if err != nil {
+ return nil, errors.New("get interfaces")
+ }
+
+ for _, i := range ifaces {
+ if inSlice(i.Name, cfg.Interfaces) {
+ addrs, err := i.Addrs()
+ if err != nil {
+ return nil, fmt.Errorf("get interface %s addresses", i.Name)
+ }
+
+ for _, addr := range addrs {
+ var ip net.IP
+ switch v := addr.(type) {
+ case *net.IPNet:
+ ip = v.IP
+ case *net.IPAddr:
+ ip = v.IP
+ }
+
+ if ip.To4() != nil {
+ ipAddresses[ip.String()] = ip
+ }
+ }
+ }
+ }
+
+ for _, h := range cfg.DNSLookup {
+ ips, err := net.LookupIP(h)
+ if err != nil {
+ return nil, fmt.Errorf("lookup ip for %s ", h)
+ }
+ for _, ip := range ips {
+ if ip.To4() != nil {
+ ipAddresses[ip.String()] = ip
+ }
+ }
+ }
+
+ r := make([]net.IP, 0, len(ipAddresses))
+ for _, ip := range ipAddresses {
+ r = append(r, ip)
+ }
+ return r, nil
+}
+
+func getDNSNames(src []string) ([]string, error) {
+ hostname, err := os.Hostname()
+ if err != nil {
+ return nil, err
+ }
+ for i := range src {
+ src[i] = strings.ReplaceAll(src[i], "$HOSTNAME", hostname)
+ }
+ return src, nil
+}
+
+func inSlice(str string, sl []string) bool {
+ for _, s := range sl {
+ if regexp.MustCompile(s).MatchString(str) {
+ return true
+ }
+ }
+ return false
+}
+
+func checkCertificate(cert config.Certificate, l *zap.Logger) error {
+ crt, err := readCertificate(cert.HostPath, cert.Name)
+ if crt != nil {
+ if time.Until(crt.NotAfter) <= cert.RenewBefore {
+ err = fmt.Errorf("expired until(h) %f", time.Until(crt.NotAfter).Hours())
+ }
+ }
+ return err
+}
+
+func trigger(trigger [][]string, logger *zap.Logger) {
+ for _, command := range trigger {
+ var err error
+ if len(command) == 1 {
+ err = exec.Command(command[0]).Run()
+ } else {
+ err = exec.Command(command[0], command[1:]...).Run()
+ }
+
+ if err != nil {
+ logger.Error("trigger", zap.Strings("command", command), zap.Error(err))
+ continue
+ }
+ logger.Debug("trigger", zap.Strings("command", command))
+ }
+}
diff --git a/internal/issuer/vault/client/auth.go b/internal/issuer/vault/client/auth.go
new file mode 100644
index 0000000..fd5cb8d
--- /dev/null
+++ b/internal/issuer/vault/client/auth.go
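Review bot: In `ensureCertificate`, a failed `generateCertificate` is logged but not returned, so the function continues with nil `crt`/`key`, runs the configured `trigger` commands and logs "generated" for a certificate that was never issued; add the return after the log, `zap.L().Error("generate", zap.Error(err)); return`. `inSlice` calls `regexp.MustCompile` on every configured interface pattern on every call, so one malformed pattern in the config panics the process — compile with `regexp.Compile` (ideally once at config load) and propagate the error. `trigger` indexes `command[0]` without checking for an empty slice, and its `len(command) == 1` branch is redundant because `exec.Command(command[0], command[1:]...)` already covers that case. `getDNSNames` rewrites `src` in place, mutating the caller's config slice; build and return a fresh slice instead.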
@@ -0,0 +1,142 @@
+package client
+
+import (
+ "context"
+ "fmt"
+ "os"
+ "path"
+ "strings"
+ "time"
+
+ auth "github.com/hashicorp/vault/api/auth/approle"
+ "go.uber.org/zap"
+
+ "github.com/fraima/key-keeper/internal/config"
+)
+
+func (s *client) auth(name string, a config.Auth) error {
+ token, err := s.getBootstrapToken(a.Bootstrap)
+ if err != nil {
+ return fmt.Errorf("get vault token: %w", err)
+ }
+ s.cli.SetToken(token)
+
+ roleID, err := s.getRoleID(name, a.AppRole)
+ if err != nil {
+ return fmt.Errorf("get role id: %w", err)
+ }
+ secretID, err := s.getSecretID(name, a.AppRole)
+ if err != nil {
+ return fmt.Errorf("get secret id: %w", err)
+ }
+
+ appRoleAuth, err := auth.NewAppRoleAuth(
+ roleID,
+ &auth.SecretID{
+ FromString: secretID,
+ },
+ auth.WithMountPath(a.AppRole.Path),
+ )
+ if err != nil {
+ return fmt.Errorf("app role auth: %w", err)
+ }
+
+ token, ttl, err := s.getRoleToken(appRoleAuth)
+ if err != nil {
+ return fmt.Errorf("get role token: %w", err)
+ }
+ s.cli.SetToken(token)
+
+ go func() {
+ t := time.NewTimer(ttl / 2)
+ for range t.C {
+ token, ttl, err := s.getRoleToken(appRoleAuth)
+ if err != nil {
+ zap.L().Error("update auth token", zap.String("issuer_name", name), zap.Error(err))
+ }
+ s.cli.SetToken(token)
+ t.Reset(ttl / 2)
+ }
+ }()
+ return nil
+}
+
+func (s *client) getBootstrapToken(a config.Bootstrap) (string, error) {
+ if a.Token != "" {
+ return a.Token, nil
+ }
+
+ data, err := os.ReadFile(a.File)
+ return strings.TrimSuffix(string(data), "\n"), err
+}
+
+func (s *client) getRoleID(name string, appRole config.AppRole) (string, error) {
+ if roleID, err := os.ReadFile(appRole.RoleIDLocalPath); err == nil {
+ return string(roleID), nil
+ }
+
+ vaultPath := path.Join("auth", appRole.Path, "role", appRole.Name, "role-id")
+ role, err := s.Read(vaultPath)
+ if err != nil {
+ return "", fmt.Errorf("read role_id for path: %s : %w", vaultPath, err)
+ }
+ if role == nil {
+ return "", fmt.Errorf("role_id info was not returned")
+ }
+
+ roleID, ok := role["role_id"]
+ if !ok {
+ return "", fmt.Errorf("not found role_id")
+ }
+
+ if err = writeToFile(appRole.RoleIDLocalPath, []byte(roleID.(string))); err != nil {
+ return "", fmt.Errorf("save role id path: %s : %w", appRole.RoleIDLocalPath, err)
+ }
+ return roleID.(string), err
+}
+
+func (s *client) getSecretID(name string, appRole config.AppRole) (string, error) {
+ if secretID, err := os.ReadFile(appRole.SecretIDLocalPath); err == nil {
+ return string(secretID), nil
+ }
+
+ vaultPath := path.Join("auth", appRole.Path, "role", appRole.Name, "secret-id")
+ secret, err := s.Write(vaultPath, nil)
+ if err != nil {
+ return "", fmt.Errorf("read secrete_id for path: %s : %w", vaultPath, err)
+ }
+ if secret == nil {
+ return "", fmt.Errorf("secrete_id info was not returned")
+ }
+
+ secretID, ok := secret["secret_id"]
+ if !ok {
+ return "", fmt.Errorf("not found secrete_id")
+ }
+
+ if err = writeToFile(appRole.SecretIDLocalPath, []byte(secretID.(string))); err != nil {
+ return "", fmt.Errorf("save secret id path: %s : %w", appRole.SecretIDLocalPath, err)
+ }
+ return secretID.(string), err
+}
+
+func (s *client) getRoleToken(appRoleAuth *auth.AppRoleAuth) (string, time.Duration, error) {
+ authInfo, err := s.cli.Auth().Login(context.Background(), appRoleAuth)
+ if err != nil {
+ return "", 0, err
+ }
+ if authInfo == nil {
+ return "", 0, fmt.Errorf("auth info was not returned after login")
+ }
+
+ token, err := authInfo.TokenID()
+ if err != nil {
+ return "", 0, err
+ }
+
+ ttl, err := authInfo.TokenTTL()
+ if err != nil {
+ return "", 0, err
+ }
+ return token, ttl, nil
+}
diff --git a/internal/issuer/vault/client/client.go b/internal/issuer/vault/client/client.go
new file mode 100644
index 0000000..146238e
--- /dev/null
+++ b/internal/issuer/vault/client/client.go
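Review bot: The renewal goroutine in `auth` mishandles a failed re-login: after logging the error it still calls `s.cli.SetToken(token)` with the empty token and `t.Reset(ttl / 2)` with a zero `ttl`, so the client discards its still-valid token and the timer re-fires immediately, looping against Vault until it recovers. Keep the previous token and retry after a fixed delay instead, e.g. `if err != nil { zap.L().Error("update auth token", ...); t.Reset(retryInterval); continue }` with `retryInterval` a package constant of your choosing (constructed example: `time.Minute`). A token whose TTL is reported as 0 produces the same `Reset(0)` spin, so guard that case too. The goroutine has no stop signal (`ctx`), so every call to `Connect` leaks a renewal loop for the process lifetime — fine only if `Connect` runs once per issuer, which this hunk does not establish. `roleID.(string)` and `secretID.(string)` are unchecked assertions on Vault response fields; prefer the two-value form so a surprising payload yields an error rather than a panic.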
@@ -0,0 +1,81 @@
+package client
+
+import (
+ "context"
+ "fmt"
+ "net/http"
+ "time"
+
+ "github.com/hashicorp/vault/api"
+
+ "github.com/fraima/key-keeper/internal/config"
+ "github.com/fraima/key-keeper/internal/issuer/vault"
+)
+
+type client struct {
+ cli *api.Client
+}
+
+// Connect to vault issuer.
+func Connect(name string, cfg config.Vault) (vault.Client, error) {
+ cli, err := api.NewClient(
+ &api.Config{
+ Address: cfg.Server,
+ HttpClient: &http.Client{
+ Timeout: 10 * time.Second,
+ },
+ },
+ )
+ if err != nil {
+ return nil, fmt.Errorf("new vault client: %w", err)
+ }
+
+ if !cfg.Auth.TLSInsecure {
+ err = cli.CloneConfig().ConfigureTLS(&api.TLSConfig{CACert: cfg.Auth.CABundle})
+ if err != nil {
+ return nil, fmt.Errorf("configuring tls: %w", err)
+ }
+ }
+
+ s := &client{
+ cli: cli,
+ }
+
+ if err = s.auth(name, cfg.Auth); err != nil {
+ return nil, fmt.Errorf("auth: %w", err)
+ }
+ return s, err
+}
+
+// Read secret from vault by path.
+func (s *client) Read(path string) (map[string]interface{}, error) {
+ sec, err := s.cli.Logical().Read(path)
+ if sec != nil {
+ return sec.Data, err
+ }
+ return nil, err
+}
+
+// Write secret in vault by path.
+func (s *client) Write(path string, data map[string]interface{}) (map[string]interface{}, error) {
+ sec, err := s.cli.Logical().Write(path, data)
+ if sec != nil {
+ return sec.Data, err
+ }
+ return nil, err
+}
+
+// Put in Vault KV.
+func (s *client) Put(kvMountPath, secretePath string, data map[string]interface{}) error {
+ _, err := s.cli.KVv2(kvMountPath).Put(context.Background(), secretePath, data)
+ return err
+}
+
+// Get from Vault KV.
+func (s *client) Get(kvMountPath, secretePath string) (map[string]interface{}, error) {
+ sec, err := s.cli.KVv2(kvMountPath).Get(context.Background(), secretePath)
+ if sec != nil {
+ return sec.Data, err
+ }
+ return nil, err
+}
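Review bot: The TLS configuration in `Connect` never reaches the client: `cli.CloneConfig().ConfigureTLS(...)` applies `CABundle` to a throw-away copy of the config whose result is discarded, so `cli` keeps its default trust settings whatever `cfg.Auth.CABundle` says. Configure TLS on the `api.Config` before `api.NewClient`, starting from `api.DefaultConfig()` so the transport exists for `ConfigureTLS` to modify (note that `DefaultConfig` also reads the `VAULT_*` environment, which may or may not be wanted here). The `TLSInsecure` flag only skips the bundle and never sets `Insecure` on the `TLSConfig`, so its name promises more than the code delivers — worth confirming the intended semantics and documenting them on the config field. `Connect` also returns `s, err` where `err` is necessarily nil; return `s, nil` explicitly.
```go
func Connect(name string, cfg config.Vault) (vault.Client, error) {
	conf := api.DefaultConfig()
	conf.Address = cfg.Server
	conf.Timeout = 10 * time.Second

	if !cfg.Auth.TLSInsecure {
		// Apply the CA bundle to the config the client is actually built from.
		if err := conf.ConfigureTLS(&api.TLSConfig{CACert: cfg.Auth.CABundle}); err != nil {
			return nil, fmt.Errorf("configuring tls: %w", err)
		}
	}

	cli, err := api.NewClient(conf)
	if err != nil {
		return nil, fmt.Errorf("new vault client: %w", err)
	}
	// … unchanged: client construction and auth …
```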
diff --git a/internal/issuer/vault/client/utils.go b/internal/issuer/vault/client/utils.go
new file mode 100644
index 0000000..96fe9fb
--- /dev/null
+++ b/internal/issuer/vault/client/utils.go
@@ -0,0 +1,14 @@
+package client
+
+import (
+ "os"
+ "path"
+)
+
+func writeToFile(filepath string, date []byte) error {
+ dir := path.Dir(filepath)
+ if err := os.MkdirAll(dir, os.ModePerm); err != nil {
+ return err
+ }
+ return os.WriteFile(filepath, date, 0644)
+}
diff --git a/internal/issuer/vault/secret.go b/internal/issuer/vault/secret.go
new file mode 100644
index 0000000..e6d7c97
--- /dev/null
+++ b/internal/issuer/vault/secret.go
@@ -0,0 +1,34 @@
+package vault
+
+import (
+ "fmt"
+
+ "go.uber.org/zap"
+
+ "github.com/fraima/key-keeper/internal/config"
+)
+
+func (s *vault) ensureSecret(i config.Secret) {
+ logger := zap.L().With(zap.String("resource_type", "secret"), zap.String("name", i.Name))
+
+ secret, err := s.readSecret(i)
+ if err != nil {
+ logger.Warn("read", zap.Error(err))
+ }
+
+ if err = writeToFile(i.HostPath, secret); err != nil {
+ zap.L().Error("store", zap.String("path", i.HostPath), zap.Error(err))
+ }
+}
+
+func (s *vault) readSecret(i config.Secret) ([]byte, error) {
+ storedSecrete, err := s.cli.Get(s.kv, i.Name)
+ if err != nil {
+ return nil, fmt.Errorf("get from vault_kv : %w", err)
+ }
+
+ if data, ok := storedSecrete[i.Key]; ok {
+ return []byte(data.(string)), nil
+ }
+ return nil, fmt.Errorf("secrete not found : %w", err)
+}
diff --git a/internal/issuer/vault/utils.go b/internal/issuer/vault/utils.go
new file mode 100644
index 0000000..b756af4
--- /dev/null
+++ b/internal/issuer/vault/utils.go
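Review bot: `writeToFile` is what `getRoleID`/`getSecretID` in auth.go use to cache `role_id` and `secret_id` on disk, yet it creates the directory with `os.ModePerm` (0777) and the file with 0644, leaving an AppRole credential readable by every local user subject only to the umask; use `os.MkdirAll(dir, 0700)` and `os.WriteFile(filepath, date, 0600)`. `os.WriteFile` does not change the mode of a file that already exists, so a previously cached file keeps whatever permissions it was created with — worth a comment or an explicit `os.Chmod`. The `writeToFile` in internal/issuer/vault/utils.go has the same 0777/0644 defaults and is used by `ensureSecret` to store Vault KV secrets, so the same fix applies there. Style: the parameter name `date` reads as a typo for `data`.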
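Review bot: `ensureSecret` does not return when `readSecret` fails; it only warns and then calls `writeToFile(i.HostPath, secret)` with a nil `secret`, truncating a previously stored secret to an empty file whenever Vault is unreachable or the key is missing. Add the return after the warning, `logger.Warn("read", zap.Error(err)); return`. In `readSecret`, the final `fmt.Errorf("secrete not found : %w", err)` wraps an `err` that is known to be nil at that point, so the `%w` adds nothing — drop it or wrap a real sentinel. `data.(string)` panics on a non-string KV value; use the two-value assertion and return an error instead.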
@@ -0,0 +1,59 @@
+package vault
+
+import (
+ "crypto/x509"
+ "encoding/pem"
+ "fmt"
+ "os"
+ "path"
+ "reflect"
+)
+
+func storeKeyPair(filepath string, name string, crt, key []byte) error {
+ if err := os.MkdirAll(filepath, 0777); err != nil {
+ return fmt.Errorf("mkdir all %s : %w", filepath, err)
+ }
+
+ if crt != nil {
+ crtPath := path.Join(filepath, name+".pem")
+ data, err := os.ReadFile(crtPath)
+ if err != nil || !reflect.DeepEqual(crt, data) {
+ if err := os.WriteFile(crtPath, crt, 0644); err != nil {
+ return fmt.Errorf("failed to save certificate: %w", err)
+ }
+ }
+ }
+
+ if key != nil {
+ keyPath := path.Join(filepath, name+"-key.pem")
+ data, err := os.ReadFile(keyPath)
+ if err != nil || !reflect.DeepEqual(key, data) {
+ if err := os.WriteFile(keyPath, key, 0600); err != nil {
+ return fmt.Errorf("failed to save key file: %w", err)
+ }
+ }
+ }
+ return nil
+}
+
+func readCertificate(filepath string, name string) (*x509.Certificate, error) {
+ certPath := path.Join(filepath, name+".pem")
+ crt, err := os.ReadFile(certPath)
+ if err != nil {
+ return nil, err
+ }
+ return parseCertificate(crt)
+}
+
+func parseCertificate(crt []byte) (*x509.Certificate, error) {
+ pBlock, _ := pem.Decode(crt)
+ return x509.ParseCertificate(pBlock.Bytes)
+}
+
+func writeToFile(filepath string, date []byte) error {
+ dir := path.Dir(filepath)
+ if err := os.MkdirAll(dir, 0777); err != nil {
+ return err
+ }
+ return os.WriteFile(filepath, date, 0644)
+}
diff --git a/internal/issuer/vault/vault.go b/internal/issuer/vault/vault.go
new file mode 100644
index 0000000..00e68af
--- /dev/null
+++ b/internal/issuer/vault/vault.go
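Review bot: `parseCertificate` dereferences the result of `pem.Decode` without checking it, so an empty or non-PEM `<name>.pem` on disk (reached via `readCertificate`) or an unexpected `ca_chain` payload from Vault (reached via `checkCA`) panics on `pBlock.Bytes` and takes every other ensure goroutine down with it; guard it with `pBlock, _ := pem.Decode(crt); if pBlock == nil { return nil, fmt.Errorf("no pem block found") }`. `storeKeyPair` creates the key directory with 0777; with a permissive umask that exposes the directory holding key material, and 0755 (or 0700 when only this process needs it) is the safer default — the key file itself is correctly written 0600. `reflect.DeepEqual(crt, data)` on two byte slices is better expressed as `bytes.Equal(crt, data)`, which also drops the `reflect` import.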
@@ -0,0 +1,74 @@
+package vault
+
+import (
+ "github.com/fraima/key-keeper/internal/config"
+ "github.com/fraima/key-keeper/internal/controller"
+)
+
+type Client interface {
+ Read(path string) (map[string]interface{}, error)
+ Write(path string, data map[string]interface{}) (map[string]interface{}, error)
+ Put(kvMountPath, secretePath string, data map[string]interface{}) error
+ Get(kvMountPath, secretePath string) (map[string]interface{}, error)
+}
+
+type vault struct {
+ cli Client
+
+ name string
+ role string
+ caPath string
+ rootCAPath string
+ kv string
+ certificate map[string]config.Certificate
+}
+
+func Connector(
+ connect func(name string, cfg config.Vault) (Client, error),
+) func(cfg config.Issuer) (controller.Issuer, error) {
+ return func(cfg config.Issuer) (controller.Issuer, error) {
+ driver, err := connect(cfg.Name, cfg.Vault)
+ if err != nil {
+ return nil, err
+ }
+
+ v := &vault{
+ cli: driver,
+ name: cfg.Name,
+ role: cfg.Vault.Resource.Role,
+ caPath: cfg.Vault.Resource.CAPath,
+ rootCAPath: cfg.Vault.Resource.RootCAPath,
+ kv: cfg.Vault.Resource.KV.Path,
+ certificate: make(map[string]config.Certificate),
+ }
+ return v, nil
+ }
+}
+
+func (s *vault) Name() string {
+ return s.name
+}
+
+func (s *vault) AddResource(r config.Resources) {
+ for _, cert := range r.Certificates {
+ s.certificate[cert.Name] = cert
+ }
+ for _, secret := range r.Secrets {
+ go func(secret config.Secret) {
+ s.ensureSecret(secret)
+ }(secret)
+ }
+ s.EnsureResource()
+}
+
+func (s *vault) EnsureResource() {
+ for _, cert := range s.certificate {
+ go func(c config.Certificate) {
+ if c.IsCA {
+ s.ensureCA(c)
+ return
+ }
+ s.ensureCertificate(c)
+ }(cert)
+ }
+}
diff --git a/internal/mocks/vault-client.go b/internal/mocks/vault-client.go
new file mode 100644
index 0000000..a8b7d4f
--- /dev/null
+++ b/internal/mocks/vault-client.go
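Review bot: `AddResource` and `EnsureResource` start one goroutine per certificate and secret with no `WaitGroup`, context or per-resource guard, so if the controller calls `EnsureResource` again before an earlier run has finished (the caller is not in this hunk, but a periodic loop is the likely shape), two goroutines renew the same certificate concurrently — both requesting a certificate from Vault and both writing the same files. A per-name `sync.Mutex` or an in-progress set would serialize ensures per resource; and if `AddResource` can run concurrently with `EnsureResource`, the unguarded `s.certificate` map is a data race as well. The exported `Client` interface and `Connector` function have no doc comments, e.g. `// Client is the subset of the Vault API the issuer depends on.` and `// Connector returns an issuer factory that opens a Vault connection with connect.`. Style: `go func(secret config.Secret) { s.ensureSecret(secret) }(secret)` can simply be `go s.ensureSecret(secret)`, since goroutine arguments are evaluated at the `go` statement.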
@@ -0,0 +1,108 @@ +// Code generated by mockery v2.13.1. DO NOT EDIT. + +package mocks + +import mock "github.com/stretchr/testify/mock" + +// Client is an autogenerated mock type for the Client type +type Client struct { + mock.Mock +} + +// Get provides a mock function with given fields: kvMountPath, secretePath +func (_m *Client) Get(kvMountPath string, secretePath string) (map[string]interface{}, error) { + ret := _m.Called(kvMountPath, secretePath) + + var r0 map[string]interface{} + if rf, ok := ret.Get(0).(func(string, string) map[string]interface{}); ok { + r0 = rf(kvMountPath, secretePath) + } else { + if ret.Get(0) != nil { + r0 = ret.Get(0).(map[string]interface{}) + } + } + + var r1 error + if rf, ok := ret.Get(1).(func(string, string) error); ok { + r1 = rf(kvMountPath, secretePath) + } else { + r1 = ret.Error(1) + } + + return r0, r1 +} + +// Put provides a mock function with given fields: kvMountPath, secretePath, data +func (_m *Client) Put(kvMountPath string, secretePath string, data map[string]interface{}) error { + ret := _m.Called(kvMountPath, secretePath, data) + + var r0 error + if rf, ok := ret.Get(0).(func(string, string, map[string]interface{}) error); ok { + r0 = rf(kvMountPath, secretePath, data) + } else { + r0 = ret.Error(0) + } + + return r0 +} + +// Read provides a mock function with given fields: path +func (_m *Client) Read(path string) (map[string]interface{}, error) { + ret := _m.Called(path) + + var r0 map[string]interface{} + if rf, ok := ret.Get(0).(func(string) map[string]interface{}); ok { + r0 = rf(path) + } else { + if ret.Get(0) != nil { + r0 = ret.Get(0).(map[string]interface{}) + } + } + + var r1 error + if rf, ok := ret.Get(1).(func(string) error); ok { + r1 = rf(path) + } else { + r1 = ret.Error(1) + } + + return r0, r1 +} + +// Write provides a mock function with given fields: path, data +func (_m *Client) Write(path string, data map[string]interface{}) (map[string]interface{}, error) { + ret := _m.Called(path, data) 
+ + var r0 map[string]interface{} + if rf, ok := ret.Get(0).(func(string, map[string]interface{}) map[string]interface{}); ok { + r0 = rf(path, data) + } else { + if ret.Get(0) != nil { + r0 = ret.Get(0).(map[string]interface{}) + } + } + + var r1 error + if rf, ok := ret.Get(1).(func(string, map[string]interface{}) error); ok { + r1 = rf(path, data) + } else { + r1 = ret.Error(1) + } + + return r0, r1 +} + +type mockConstructorTestingTNewClient interface { + mock.TestingT + Cleanup(func()) +} + +// NewClient creates a new instance of Client. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations. +func NewClient(t mockConstructorTestingTNewClient) *Client { + mock := &Client{} + mock.Mock.Test(t) + + t.Cleanup(func() { mock.AssertExpectations(t) }) + + return mock +}