Merge pull request #37 from ovotech/add-aws-creds-file

Add functionality for AWS creds to be written to GitHub locations

Author: siwally

pkg/crypt/crypt.go

@@ -1,7 +1,6 @@
 package crypt
 
 import (
-	b64 "encoding/base64"
 	"errors"
 	"os"
 	"strings"
@@ -12,17 +11,11 @@ import (
 
 //EncryptedServiceAccountKey uses github.com/ovotech/mantle to encrypt the
 // key string that's passed in
-func EncryptedServiceAccountKey(key, kmsKey string) (encKey []byte, err error) {
+func EncryptedServiceAccountKey(key, kmsKey string) (encKey []byte) {
 	const singleLine = false
 	const disableValidation = true
-
-	var decodedKey []byte
-	if decodedKey, err = b64.StdEncoding.DecodeString(key); err != nil {
-		return
-	}
-
-	return enc.CipherBytesFromPrimitives([]byte(decodedKey), singleLine,
-		disableValidation, "", "", "", "", kmsKey), nil
+	return enc.CipherBytesFromPrimitives([]byte(key), singleLine,
+		disableValidation, "", "", "", "", kmsKey)
 }
 
 //CommitSignKey creates an openPGP Entity based on a user's name, email,

pkg/location/circleci.go

@@ -21,7 +21,7 @@ var logger = log.StdoutLogger().Sugar()
 
 //updateCircleCI updates the circleCI environment variable by deleting and
 //then creating it again with the new key
-func (circle CircleCI) Write(serviceAccountName, keyID, key string, creds cred.Credentials) (updated UpdatedLocation, err error) {
+func (circle CircleCI) Write(serviceAccountName string, keyWrapper KeyWrapper, creds cred.Credentials) (updated UpdatedLocation, err error) {
 	logger.Info("Starting CircleCI env var updates")
 	client := &circleci.Client{Token: creds.CircleCIAPIToken}
 	keyIDEnvVarName := circle.KeyIDEnvVar
@@ -30,12 +30,12 @@ func (circle CircleCI) Write(serviceAccountName, keyID, key string, creds cred.C
 	project := splitUsernameProject[1]
 
 	if len(keyIDEnvVarName) > 0 {
-		if err = updateCircleCIEnvVar(username, project, keyIDEnvVarName, keyID, client); err != nil {
+		if err = updateCircleCIEnvVar(username, project, keyIDEnvVarName, keyWrapper.KeyID, client); err != nil {
 			return
 		}
 	}
 
-	if err = updateCircleCIEnvVar(username, project, circle.KeyEnvVar, key, client); err != nil {
+	if err = updateCircleCIEnvVar(username, project, circle.KeyEnvVar, keyWrapper.Key, client); err != nil {
 		return
 	}
 

pkg/location/github.go

@@ -1,6 +1,7 @@
 package location
 
 import (
+	b64 "encoding/base64"
 	"errors"
 	"fmt"
 	"io/ioutil"
@@ -25,33 +26,38 @@ type GitHub struct {
 	CircleCIDeployJobName string
 }
 
-func (gitHub GitHub) Write(serviceAccountName, keyID, key string, creds cred.Credentials) (updated UpdatedLocation, err error) {
+func (gitHub GitHub) Write(serviceAccountName string, keyWrapper KeyWrapper, creds cred.Credentials) (updated UpdatedLocation, err error) {
 
 	if len(creds.KmsKey) == 0 {
 		err = errors.New("Not updating un-encrypted new key in a Git repository. Use the" +
 			"'KmsKey' field in config to specify the KMS key to use for encryption")
 		return
 	}
-
-	// const localDir = "/etc/cloud-key-rotator/cloud-key-rotator-tmp-repo"
+	var key string
+	if keyWrapper.KeyProvider == "aws" {
+		key = fmt.Sprintf("[default]\naws_access_key_id = %s\naws_secret_access_key = %s", keyWrapper.KeyID, keyWrapper.Key)
+	} else {
+		var keyBytes []byte
+		if keyBytes, err = b64.StdEncoding.DecodeString(keyWrapper.Key); err == nil {
+			key = string(keyBytes)
+		}
+	}
 
 	const localDir = "/etc/cloud-key-rotator/cloud-key-rotator-tmp-repo"
 
 	defer os.RemoveAll(localDir)
 
-	// TODO Move me out of git-specific code
-	var encKey []byte
-	if encKey, err = crypt.EncryptedServiceAccountKey(key, creds.KmsKey); err != nil {
-		return
-	}
-
 	var signKey *openpgp.Entity
 	if signKey, err = crypt.CommitSignKey(creds.GitHubAccount.GitName, creds.GitHubAccount.GitEmail, creds.AkrPass); err != nil {
 		return
 	}
 
 	var committed *object.Commit
-	if committed, err = writeKeyToRemoteGitRepo(gitHub, serviceAccountName, encKey, localDir, signKey, creds); err != nil {
+	const singleLine = false
+	const disableValidation = true
+	if committed, err = writeKeyToRemoteGitRepo(gitHub, serviceAccountName,
+		crypt.EncryptedServiceAccountKey(key, creds.KmsKey),
+		localDir, signKey, creds); err != nil {
 		return
 	}
 

pkg/location/k8s.go

@@ -48,7 +48,7 @@ func init() {
 	}
 }
 
-func (k8s K8s) Write(serviceAccountName, keyID, key string, creds cred.Credentials) (updated UpdatedLocation, err error) {
+func (k8s K8s) Write(serviceAccountName string, keyWrapper KeyWrapper, creds cred.Credentials) (updated UpdatedLocation, err error) {
 	var cluster *gkev1.Cluster
 
 	if cluster, err = gkeCluster(k8s.Project, k8s.Location, k8s.ClusterName); err != nil {
@@ -60,7 +60,7 @@ func (k8s K8s) Write(serviceAccountName, keyID, key string, creds cred.Credentia
 		return
 	}
 
-	if _, err = updateK8sSecret(k8s.SecretName, k8s.DataName, k8s.Namespace, key, k8sClient); err != nil {
+	if _, err = updateK8sSecret(k8s.SecretName, k8s.DataName, k8s.Namespace, keyWrapper.Key, k8sClient); err != nil {
 		return
 	}
 

pkg/location/keywriter.go

@@ -5,5 +5,5 @@ import "github.com/ovotech/cloud-key-rotator/pkg/cred"
 
 //KeyWriter interface
 type KeyWriter interface {
-	Write(serviceAccountName, keyID, key string, creds cred.Credentials) (UpdatedLocation, error)
+	Write(serviceAccountName string, keyWrapper KeyWrapper, creds cred.Credentials) (UpdatedLocation, error)
 }

pkg/location/locations.go

@@ -6,3 +6,10 @@ type UpdatedLocation struct {
 	LocationURI  string
 	LocationIDs  []string
 }
+
+//KeyWrapper type
+type KeyWrapper struct {
+	Key         string
+	KeyID       string
+	KeyProvider string
+}

pkg/rotate/rotatekeys.go

@@ -105,7 +105,8 @@ func rotateKey(account string, rotationCandidate rotationCandidate, creds cred.C
 	if newKeyID, newKey, err = createKey(account, key, keyProvider); err != nil {
 		return
 	}
-	if err = updateKeyLocation(account, rotationCandidate.keyLocation, newKeyID, newKey, keyProvider, creds); err != nil {
+	keyWrapper := location.KeyWrapper{Key: newKey, KeyID: newKeyID, KeyProvider: keyProvider}
+	if err = updateKeyLocation(account, rotationCandidate.keyLocation, keyWrapper, creds); err != nil {
 		return
 	}
 	return deleteKey(account, key, keyProvider)
@@ -237,7 +238,8 @@ func locationsToUpdate(keyLocation config.KeyLocations) (kws []location.KeyWrite
 }
 
 //updateKeyLocation updates locations specified in keyLocations with the new key, e.g. GitHub, CircleCI an K8s
-func updateKeyLocation(account string, keyLocations config.KeyLocations, keyID, key, keyProvider string, creds cred.Credentials) (err error) {
+func updateKeyLocation(account string, keyLocations config.KeyLocations,
+	keyWrapper location.KeyWrapper, creds cred.Credentials) (err error) {
 
 	// update locations
 	var updatedLocations []location.UpdatedLocation
@@ -246,7 +248,7 @@ func updateKeyLocation(account string, keyLocations config.KeyLocations, keyID,
 
 		var updated location.UpdatedLocation
 
-		if updated, err = locationToUpdate.Write(keyLocations.ServiceAccountName, keyID, key, creds); err != nil {
+		if updated, err = locationToUpdate.Write(keyLocations.ServiceAccountName, keyWrapper, creds); err != nil {
 			return
 		}
 
@@ -255,9 +257,9 @@ func updateKeyLocation(account string, keyLocations config.KeyLocations, keyID,
 
 	// all done
 	logger.Infow("Key locations updated",
-		"keyProvider", keyProvider,
+		"keyProvider", keyWrapper.KeyProvider,
 		"account", account,
-		"keyID", keyID,
+		"keyID", keyWrapper.KeyID,
 		"keyLocationUpdates", updatedLocations)
 
 	return