From d31951bd1d02f8628ddb7191d76e1ed6db14bf5e Mon Sep 17 00:00:00 2001
From: Lukas Jarosch
Date: Thu, 8 Dec 2022 01:21:08 +0100
Subject: [PATCH 1/3] feat: rough poc to encrypt files with publicKey from KV
Signed-off-by: Lukas Jarosch
---
 .../secrets/compiled/azure_keyvault/README.md | 101 ++++++++++++++++++
 .../compiled/azure_keyvault/inventory.json | 28 ++++-
 examples/secrets/go.mod | 9 ++
 examples/secrets/go.sum | 24 +++++
 .../secrets/targets/azure_keyvault/rsa | 2 +
 .../inventory/targets/azure_keyvault.yaml | 6 +-
 examples/secrets/main.go | 15 ++-
 examples/secrets/templates/AzureReadme.md | 1 +
 8 files changed, 176 insertions(+), 10 deletions(-)
 create mode 100644 examples/secrets/inventory/secrets/targets/azure_keyvault/rsa
diff --git a/examples/secrets/compiled/azure_keyvault/README.md b/examples/secrets/compiled/azure_keyvault/README.md
index 3fa3e15..bc8e428 100644
--- a/examples/secrets/compiled/azure_keyvault/README.md
+++ b/examples/secrets/compiled/azure_keyvault/README.md
@@ -1,2 +1,103 @@ # Azure KeyVault
+{
+ "alphaNum": "test",
+ "azure": {
+ "common": {
+ "baz": "test",
+ "baz2": "test",
+ "foo": {
+ "bar": "test"
+ },
+ "from_target": "test_CHANGED",
+ "skipper": {
+ "copy": [
+ {
+ "source": "inventory.json",
+ "target": "something_else/foobar.json"
+ }
+ ]
+ },
+ "subscription_id": "INVALID DEFAULT VALUE",
+ "this": {
+ "complex": "object",
+ "is": "a",
+ "which": [
+ "I",
+ "WANT",
+ "TO",
+ "INCLUDE"
+ ]
+ }
+ },
+ "resources": {
+ "location": "westeurope",
+ "resource_group": {
+ "name": "rg-azure_keyvault-terraform-example-westeurope"
+ },
+ "vnet": {
+ "address_space": [
+ "10.1.0.0/16",
+ "10.2.0.0/16"
+ ],
+ "name": "vnet-azure_keyvault-terraform-example",
+ "subnets": {
+ "virtual_machines": {
+ "address_prefixes": [
+ "10.1.1.0/24"
+ ],
+ "name": "virtual_machines"
+ }
+ }
+ }
+ }
+ },
+ "import": {
+ "complex": "object",
+ "is": "a",
+ "which": [
+ "I",
+ "WANT",
+ "TO",
+ "INCLUDE"
+ ]
+ },
+ "secrets": {
+ "rsa": "Hallo Welt, das hab ich ganz alleine verschlüsselt"
+ },
+ "skipper": {
+ "components": [
+ {
+ "input_paths": [
+ "AzureReadme.md",
+ "inventory.json"
+ ],
+ "output_path": ".",
+ "rename": [
+ {
+ "filename": "README.md",
+ "input_path": "AzureReadme.md"
+ }
+ ]
+ }
+ ],
+ "copy": [
+ {
+ "source": "inventory.json",
+ "target": "something/foobar.json"
+ }
+ ],
+ "secrets": {
+ "drivers": {
+ "azurekv": {
+ "ignore_version": true,
+ "key_id": "https://kv-markhub-sandbox-lukas.vault.azure.net/keys/sandbox-lukas-secrets-key/e1dd7010c47247da8b57782cbb8c4668"
+ }
+ }
+ },
+ "use": [
+ "azure.*"
+ ]
+ },
+ "test": "azure_keyvault"
+}
diff --git a/examples/secrets/compiled/azure_keyvault/inventory.json b/examples/secrets/compiled/azure_keyvault/inventory.json
index 93b360f..41958eb 100644
--- a/examples/secrets/compiled/azure_keyvault/inventory.json
+++ b/examples/secrets/compiled/azure_keyvault/inventory.json
@@ -16,7 +16,17 @@
 }
 ]
 },
- "subscription_id": "INVALID DEFAULT VALUE"
+ "subscription_id": "INVALID DEFAULT VALUE",
+ "this": {
+ "complex": "object",
+ "is": "a",
+ "which": [
+ "I",
+ "WANT",
+ "TO",
+ "INCLUDE"
+ ]
+ }
 },
 "resources": {
 "location": "westeurope",
@@ -40,10 +50,18 @@
 }
 }
 },
+ "import": {
+ "complex": "object",
+ "is": "a",
+ "which": [
+ "I",
+ "WANT",
+ "TO",
+ "INCLUDE"
+ ]
+ },
 "secrets": {
- "test1": "?{azurekv:targets/azure_keyvault/test1||randomstring:32}",
- "test2": "?{azurekv:targets/azure_keyvault/test2||randomstring:64}",
- "test3": "?{azurekv:targets/azure_keyvault/test2}"
+ "rsa": "Hallo Welt, das hab ich ganz alleine verschlüsselt"
 },
 "skipper": {
 "components": [
@@ -71,7 +89,7 @@
 "drivers": {
 "azurekv": {
 "ignore_version": true,
- "key_id": "https://kv-dev-infra-platform.vault.azure.net/keys/dev-infra-secrets-key/6e0360a098eb4808af5ec1f970d399c0"
+ "key_id": "https://kv-markhub-sandbox-lukas.vault.azure.net/keys/sandbox-lukas-secrets-key/e1dd7010c47247da8b57782cbb8c4668"
 }
 }
 },
diff --git a/examples/secrets/go.mod b/examples/secrets/go.mod
index 1f52f86..2d7138f 100644
--- a/examples/secrets/go.mod
+++ b/examples/secrets/go.mod
@@ -19,15 +19,24 @@ require (
 github.com/Masterminds/goutils v1.1.1 // indirect
 github.com/Masterminds/semver/v3 v3.1.1 // indirect
 github.com/Masterminds/sprig/v3 v3.2.2 // indirect
+ github.com/decred/dcrd/dcrec/secp256k1/v4 v4.0.0-20210816181553-5444fa50b93d // indirect
+ github.com/goccy/go-json v0.9.7 // indirect
 github.com/golang-jwt/jwt v3.2.1+incompatible // indirect
 github.com/google/uuid v1.1.2 // indirect
 github.com/huandu/xstrings v1.3.1 // indirect
 github.com/imdario/mergo v0.3.11 // indirect
 github.com/kylelemons/godebug v1.1.0 // indirect
+ github.com/lestrrat-go/backoff/v2 v2.0.8 // indirect
+ github.com/lestrrat-go/blackmagic v1.0.0 // indirect
+ github.com/lestrrat-go/httpcc v1.0.1 // indirect
+ github.com/lestrrat-go/iter v1.0.1 // indirect
+ github.com/lestrrat-go/jwx v1.2.25 // indirect
+ github.com/lestrrat-go/option v1.0.0 // indirect
 github.com/mitchellh/copystructure v1.0.0 // indirect
 github.com/mitchellh/mapstructure v1.5.0 // indirect
 github.com/mitchellh/reflectwalk v1.0.0 // indirect
 github.com/pkg/browser v0.0.0-20210115035449-ce105d075bb4 // indirect
+ github.com/pkg/errors v0.9.1 // indirect
 github.com/shopspring/decimal v1.2.0 // indirect
 github.com/spf13/cast v1.3.1 // indirect
 golang.org/x/crypto v0.0.0-20220511200225-c6db032c6c88 // indirect
diff --git a/examples/secrets/go.sum b/examples/secrets/go.sum
index a082559..00667ae 100644
--- a/examples/secrets/go.sum
+++ b/examples/secrets/go.sum
@@ -67,6 +67,9 @@ github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnht
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/decred/dcrd/crypto/blake256 v1.0.0/go.mod h1:sQl2p6Y26YV+ZOcSTP6thNdn47hh8kt6rqSlvmrXFAc=
+github.com/decred/dcrd/dcrec/secp256k1/v4 v4.0.0-20210816181553-5444fa50b93d h1:1iy2qD6JEhHKKhUOA9IWs7mjco7lnw2qx8FsRI2wirE=
+github.com/decred/dcrd/dcrec/secp256k1/v4 v4.0.0-20210816181553-5444fa50b93d/go.mod h1:tmAIfUFEirG/Y8jhZ9M+h36obRZAk/1fcSpXwAVlfqE=
 github.com/dnaeon/go-vcr v1.1.0 h1:ReYa/UBrRyQdant9B4fNHGoCNKw6qh6P0fsdGmZpR7c=
 github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
@@ -77,6 +80,8 @@ github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7
 github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
+github.com/goccy/go-json v0.9.7 h1:IcB+Aqpx/iMHu5Yooh7jEzJk1JZ7Pjtmys2ukPr7EeM=
+github.com/goccy/go-json v0.9.7/go.mod h1:6MelG93GURQebXPDq3khkgXZkazVtN9CRI+MGFi0w8I=
 github.com/golang-jwt/jwt v3.2.1+incompatible h1:73Z+4BJcrTC+KczS6WvTPvRGOp1WmfEP4Q1lOd9Z/+c=
 github.com/golang-jwt/jwt v3.2.1+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I=
 github.com/golang-jwt/jwt/v4 v4.2.0 h1:besgBTC8w8HjP6NzQdxwKH9Z5oQMZ24ThTrHp3cZ8eU=
@@ -155,6 +160,18 @@ github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=
 github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
+github.com/lestrrat-go/backoff/v2 v2.0.8 h1:oNb5E5isby2kiro9AgdHLv5N5tint1AnDVVf2E2un5A=
+github.com/lestrrat-go/backoff/v2 v2.0.8/go.mod h1:rHP/q/r9aT27n24JQLa7JhSQZCKBBOiM/uP402WwN8Y=
+github.com/lestrrat-go/blackmagic v1.0.0 h1:XzdxDbuQTz0RZZEmdU7cnQxUtFUzgCSPq8RCz4BxIi4=
+github.com/lestrrat-go/blackmagic v1.0.0/go.mod h1:TNgH//0vYSs8VXDCfkZLgIrVTTXQELZffUV0tz3MtdQ=
+github.com/lestrrat-go/httpcc v1.0.1 h1:ydWCStUeJLkpYyjLDHihupbn2tYmZ7m22BGkcvZZrIE=
+github.com/lestrrat-go/httpcc v1.0.1/go.mod h1:qiltp3Mt56+55GPVCbTdM9MlqhvzyuL6W/NMDA8vA5E=
+github.com/lestrrat-go/iter v1.0.1 h1:q8faalr2dY6o8bV45uwrxq12bRa1ezKrB6oM9FUgN4A=
+github.com/lestrrat-go/iter v1.0.1/go.mod h1:zIdgO1mRKhn8l9vrZJZz9TUMMFbQbLeTsbqPDrJ/OJc=
+github.com/lestrrat-go/jwx v1.2.25 h1:tAx93jN2SdPvFn08fHNAhqFJazn5mBBOB8Zli0g0otA=
+github.com/lestrrat-go/jwx v1.2.25/go.mod h1:zoNuZymNl5lgdcu6P7K6ie2QRll5HVfF4xwxBBK1NxY=
+github.com/lestrrat-go/option v1.0.0 h1:WqAWL8kh8VcSoD6xjSH34/1m8yxluXQbDeKNfvFeEO4=
+github.com/lestrrat-go/option v1.0.0/go.mod h1:5ZHFbivi4xwXxhxY9XHDe2FHo6/Z7WWmtT7T5nBBp3I=
 github.com/mitchellh/copystructure v1.0.0 h1:Laisrj+bAB6b/yJwB5Bt3ITZhGJdqmxquMKeZ+mmkFQ=
 github.com/mitchellh/copystructure v1.0.0/go.mod h1:SNtv71yrdKgLRyLFxmLdkAbkKEFWgYaq1OVrnRcwhnw=
 github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY=
@@ -164,6 +181,7 @@ github.com/mitchellh/reflectwalk v1.0.0/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx
 github.com/montanaflynn/stats v0.6.6/go.mod h1:etXPPgVO6n31NxCd9KQUMvCM+ve0ruNzt6R8Bnaayow=
 github.com/pkg/browser v0.0.0-20210115035449-ce105d075bb4 h1:Qj1ukM4GlMWXNdMBuXcXfz/Kw9s1qm0CLY32QxuSImI=
 github.com/pkg/browser v0.0.0-20210115035449-ce105d075bb4/go.mod h1:N6UoU20jOqggOuDwUaBQpluzLNDqif3kq9z2wpdYEfQ=
+github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/sftp v1.13.1/go.mod h1:3HaPG6Dq1ILlpPZRO0HVMrsydcdLt6HRDccSgb87qRg=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
@@ -180,8 +198,10 @@ github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
 github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
+github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
@@ -200,6 +220,7 @@ golang.org/x/crypto v0.0.0-20200414173820-0848c9571904/go.mod h1:LzIPMQfyMNhhGPh
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20210421170649-83a5a9bb288b/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4=
 golang.org/x/crypto v0.0.0-20211108221036-ceb1ce70b4fa/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
+golang.org/x/crypto v0.0.0-20220427172511-eb4f295cb31f/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.0.0-20220511200225-c6db032c6c88 h1:Tgea0cVUD0ivh5ADBX4WwuI12DUd2to3nCYe2eayMIw=
 golang.org/x/crypto v0.0.0-20220511200225-c6db032c6c88/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
@@ -266,6 +287,7 @@ golang.org/x/net v0.0.0-20201031054903-ff519b6c9102/go.mod h1:sp8m0HH+o8qH0wwXwY
 golang.org/x/net v0.0.0-20201209123823-ac852fbbde11/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20201224014010-6772e930b67b/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
+golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20220425223048-2871e0cb64e4 h1:HVyaeDAYux4pnY+D/SiwmLOR36ewZ4iGQIIrtnuCjFA=
 golang.org/x/net v0.0.0-20220425223048-2871e0cb64e4/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
@@ -320,6 +342,7 @@ golang.org/x/sys v0.0.0-20210104204734-6f8348627aad/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210225134936-a50acf3fe073/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210423185535-09eb48e85fd7/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e h1:fLOSk5Q00efkSvAm+4xcoXD+RRmLmmulPn5I3Y9F2EM=
@@ -331,6 +354,7 @@ golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7 h1:olpwvP2KacW1ZWvsR7uQhoyTYvKAupfQrRGBFM352Gk=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
diff --git a/examples/secrets/inventory/secrets/targets/azure_keyvault/rsa b/examples/secrets/inventory/secrets/targets/azure_keyvault/rsa
new file mode 100644
index 0000000..24d7439
--- /dev/null
+++ b/examples/secrets/inventory/secrets/targets/azure_keyvault/rsa
@@ -0,0 +1,2 @@
+data: 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
+type: azurekv
diff --git a/examples/secrets/inventory/targets/azure_keyvault.yaml b/examples/secrets/inventory/targets/azure_keyvault.yaml
index e10e762..28f970b 100644
--- a/examples/secrets/inventory/targets/azure_keyvault.yaml
+++ b/examples/secrets/inventory/targets/azure_keyvault.yaml
@@ -18,12 +18,10 @@ target:
 drivers:
 azurekv:
 ignore_version: true
- key_id: "https://kv-dev-infra-platform.vault.azure.net/keys/dev-infra-secrets-key/6e0360a098eb4808af5ec1f970d399c0"
+ key_id: "https://kv-markhub-sandbox-lukas.vault.azure.net/keys/sandbox-lukas-secrets-key/e1dd7010c47247da8b57782cbb8c4668"
 secrets:
- test1: ?{azurekv:targets/${target_name}/test1||randomstring:32}
- test2: ?{azurekv:targets/${target_name}/test2||randomstring:64}
- test3: ?{azurekv:targets/${target_name}/test2}
+ rsa: ?{azurekv:targets/${target_name}/rsa}
 test: ${target_name}
 alphaNum: "%{loweralpha:${azure:common:foo:bar}}"
diff --git a/examples/secrets/main.go b/examples/secrets/main.go
index 7fe9b23..e4ca6dc 100644
--- a/examples/secrets/main.go
+++ b/examples/secrets/main.go
@@ -1,6 +1,7 @@
 package main
 import (
+ "bytes"
 "log"
 "path"
@@ -27,7 +28,7 @@ func main() {
 }
 // Process the inventory, given the target name
- data, err := inventory.Data(target, nil, false)
+ data, err := inventory.Data(target, nil, true)
 if err != nil {
 panic(err)
 }
@@ -53,6 +54,18 @@ func main() {
 panic(err)
 }
+ driver, err := skipper.SecretDriverFactory("azurekv")
+ if err != nil {
+ log.Fatalf("cannot get secret driver %q: %w", "azurekv", err)
+ }
+
+ source := bytes.NewBuffer([]byte("Hallo Welt, das hab ich ganz alleine verschlüsselt"))
+ sink := bytes.NewBuffer([]byte{})
+ err = driver.(skipper.SecretFileEncrypter).EncryptFile(source, sink)
+ if err != nil {
+ panic(err)
+ }
+
 // execute templates ----------------------------------------------------------------------------------
 err = templater.ExecuteComponents(templateData, skipperConfig.Components, false)
 if err != nil {
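Review bot: The new `key_id` line points the example at a personal sandbox vault (`kv-markhub-sandbox-lukas`) instead of the shared `kv-dev-infra-platform` key it used before, and the `rsa` secret file added in this patch is presumably ciphertext bound to that key, so anyone else running the example will fail at decrypt time with no hint why. Keeping the previous vault, or reading the key URL from an environment variable, would keep the example reproducible; either way the target file should say which Key Vault key permissions the identity running it needs. The removed `test1`/`test2`/`test3` entries were also the only demonstration of the `||randomstring` fallback syntax in this target, so if `rsa` replaces them a one-line comment such as `# rsa: ciphertext written by EncryptFile; requires access to the key above` would help the next reader.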
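Review bot: `log.Fatalf("cannot get secret driver %q: %w", "azurekv", err)` uses the `%w` verb, which only `fmt.Errorf` understands; `log.Fatalf` goes through `Sprintf` and will print `%!w(...)`, and `go vet` flags it, so it should be `%v`. The unchecked assertion on `err = driver.(skipper.SecretFileEncrypter).EncryptFile(source, sink)` panics with a bare type-assertion message if the configured driver does not implement the new interface; prefer `encrypter, ok := driver.(skipper.SecretFileEncrypter)` and a `log.Fatalf` with a readable message when `!ok`. `sink` is never read after the call, so the example does not show the caller anything — at least write its contents out or drop the buffer. `main` starts and ends outside this hunk.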
diff --git a/examples/secrets/templates/AzureReadme.md b/examples/secrets/templates/AzureReadme.md
index 3fa3e15..a364d6f 100644
--- a/examples/secrets/templates/AzureReadme.md
+++ b/examples/secrets/templates/AzureReadme.md
@@ -1,2 +1,3 @@ # Azure KeyVault
+{{ .Inventory | toPrettyJson }}
From dbff9892bc412f9671104535e0b7d51150387d0a Mon Sep 17 00:00:00 2001
From: Lukas Jarosch
Date: Thu, 8 Dec 2022 01:22:56 +0100
Subject: [PATCH 2/3] feat: add `SecretFileEncrypter` interface for drivers which support file encryption
---
 driver.go | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/driver.go b/driver.go
index 99b7b5a..99ad11b 100644
--- a/driver.go
+++ b/driver.go
@@ -2,6 +2,7 @@ package skipper
 import (
 "fmt"
+ "io"
 "strings"
 driver "github.com/lukasjarosch/skipper/internal/secret"
@@ -13,6 +14,11 @@ type SecretDriver interface {
 Decrypt(encrypted string) (string, error)
 }
+type SecretFileEncrypter interface {
+ SecretDriver
+ EncryptFile(source io.Reader, sink io.Writer) error
+}
+
 type ConfigurableSecretDriver interface {
 SecretDriver
 Configure(config map[string]interface{}) error
From cd010b2f58dfa938eba4c267e2d77477f05fe2fb Mon Sep 17 00:00:00 2001
From: Lukas Jarosch
Date: Thu, 8 Dec 2022 01:23:24 +0100
Subject: [PATCH 3/3] feat: poc: encrypt file using the public key
---
 internal/secret/azure.go | 62 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 62 insertions(+)
diff --git a/internal/secret/azure.go b/internal/secret/azure.go
index 792d587..e9afabe 100644
--- a/internal/secret/azure.go
+++ b/internal/secret/azure.go
@@ -2,14 +2,21 @@ package secret
 import (
 "context"
+ "crypto/rand"
+ "crypto/rsa"
+ "crypto/sha256"
 "encoding/base64"
 "fmt"
+ "io"
+ "io/ioutil"
+ "log"
 "net/url"
 "strings"
 "github.com/Azure/azure-sdk-for-go/sdk/azcore/to"
 "github.com/Azure/azure-sdk-for-go/sdk/azidentity"
 "github.com/Azure/azure-sdk-for-go/sdk/keyvault/azkeys"
+ "github.com/lestrrat-go/jwx/jwk"
 "github.com/mitchellh/mapstructure"
 )
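Review bot: `SecretFileEncrypter` is exported without a doc comment, and the interface leaves the contract of `EncryptFile` undefined: whether `source` is read to EOF, whether `sink` receives raw ciphertext or the base64 form `Encrypt` returns, and how the result is ever decrypted again, since no `DecryptFile` counterpart is added. A comment such as `// SecretFileEncrypter is a SecretDriver that can also encrypt a whole stream. EncryptFile reads source to EOF and writes the ciphertext to sink; the output encoding is driver-specific.` would settle the first two, and the asymmetry should at least be acknowledged with a `// TODO: DecryptFile` so the ciphertext produced here is not write-only from the library's point of view. `staticcheck` also expects the exported name to be documented.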
@@ -87,6 +94,61 @@ func (driver *Azure) Encrypt(input string) (string, error) {
 return base64.RawStdEncoding.EncodeToString(res.Result), nil
 }
+func (driver *Azure) EncryptFile(source io.Reader, sink io.Writer) error {
+ keyResp, err := driver.client.GetKey(context.TODO(), driver.config.KeyName, driver.config.KeyVersion, &azkeys.GetKeyOptions{})
+ if err != nil {
+ return err
+ }
+
+ keyJson, err := keyResp.Key.MarshalJSON()
+ if err != nil {
+ return err
+ }
+
+ set, err := jwk.Parse([]byte(keyJson))
+ if err != nil {
+ return err
+ }
+
+ for it := set.Iterate(context.Background()); it.Next(context.Background()); {
+ pair := it.Pair()
+ key := pair.Value.(jwk.Key)
+
+ var rawkey interface{} // This is the raw key, like *rsa.PrivateKey or *ecdsa.PrivateKey
+ if err := key.Raw(&rawkey); err != nil {
+ log.Printf("failed to create public key: %s", err)
+ return err
+ }
+
+ // We know this is an RSA Key so...
+ rsaKey, ok := rawkey.(*rsa.PublicKey)
+ if !ok {
+ panic(fmt.Sprintf("expected ras key, got %T", rawkey))
+ }
+ // As this is a demo just dump the key to the console
+ fmt.Println(rsaKey)
+
+ sourceData, err := ioutil.ReadAll(source)
+ if err != nil {
+ return err
+ }
+
+ encrypted, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, rsaKey, sourceData, nil)
+ if err != nil {
+ return err
+ }
+ log.Println(base64.RawStdEncoding.EncodeToString(encrypted))
+
+ }
+
+ // b := rsa.PublicKey{
+ // N: keyResp.Key.N,
+ // E: 0,
+ // }
+
+ return nil
+}
+
 func (driver *Azure) Decrypt(input string) (string, error) {
 decoded, err := base64.RawStdEncoding.DecodeString(input)
 if err != nil {
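Review bot: `EncryptFile` never writes to `sink`: the ciphertext only reaches `log.Println(base64.RawStdEncoding.EncodeToString(encrypted))`, so callers get an empty writer and the encrypted data lands in the process log, while `fmt.Println(rsaKey)` dumps the public key to stdout and a key-type mismatch calls `panic` (with the typo `ras key`) inside library code. Those should become a write to `sink` and returned errors, as in the excerpt below, which also swaps the deprecated `ioutil.ReadAll` for `io.ReadAll` (`io` is already imported) and returns after the first key, since a second iteration would re-read an already-drained `source`. Independently, `rsa.EncryptOAEP` over the whole input is bounded by the key size minus the OAEP overhead (190 bytes for a 2048-bit key with SHA-256) and fails with `rsa.ErrMessageTooLong` beyond that, so a general file path needs a hybrid scheme (a random data key wrapped with the RSA key, the file itself encrypted with an AEAD); until that exists the function header should carry a `// TODO` stating the limit. The excerpt emits the same base64 form `Encrypt` returns so the two paths stay interchangeable in inventory files; if `sink` is meant to receive raw bytes instead, that belongs in the interface doc. The commented-out `rsa.PublicKey{...}` block before `return nil` should be removed before merge.
```go
func (driver *Azure) EncryptFile(source io.Reader, sink io.Writer) error {
	// … unchanged: GetKey, MarshalJSON and jwk.Parse …

	for it := set.Iterate(context.Background()); it.Next(context.Background()); {
		key, ok := it.Pair().Value.(jwk.Key)
		if !ok {
			return fmt.Errorf("unexpected entry in key set: %T", it.Pair().Value)
		}

		var rawkey interface{}
		if err := key.Raw(&rawkey); err != nil {
			return fmt.Errorf("materialising public key: %w", err)
		}

		rsaKey, ok := rawkey.(*rsa.PublicKey)
		if !ok {
			return fmt.Errorf("expected RSA public key, got %T", rawkey)
		}

		sourceData, err := io.ReadAll(source)
		if err != nil {
			return err
		}

		// TODO: RSA-OAEP limits the plaintext to the key size minus the OAEP
		// overhead; inputs beyond that need a hybrid (data-key) scheme.
		encrypted, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, rsaKey, sourceData, nil)
		if err != nil {
			return err
		}

		// Same encoding as Encrypt so inventory files can hold either form.
		_, err = io.WriteString(sink, base64.RawStdEncoding.EncodeToString(encrypted))
		return err
	}

	return fmt.Errorf("key %q contains no usable keys", driver.config.KeyName)
}
```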