diff --git a/.gitignore b/.gitignore index aafda3a6..569e6d25 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,3 @@ .vscode .idea +.DS_Store \ No newline at end of file diff --git a/examples/plugin-cli/docker-compose.yml b/examples/plugin-cli/docker-compose.yml index d9324f09..64812588 100644 --- a/examples/plugin-cli/docker-compose.yml +++ b/examples/plugin-cli/docker-compose.yml @@ -8,7 +8,7 @@ version: "3.8" services: vault-server: - image: vault:latest + image: hashicorp/vault:latest ports: - "8200:8200" environment: diff --git a/examples/plugin-cli/go.mod b/examples/plugin-cli/go.mod index fd7b40fc..f8210447 100644 --- a/examples/plugin-cli/go.mod +++ b/examples/plugin-cli/go.mod @@ -2,6 +2,8 @@ module github.com/hashicorp/go-kms-wrapping/v2/examples/plugin-cli go 1.20 +replace github.com/hashicorp/go-kms-wrapping/v2 => ../../ + require ( github.com/hashicorp/go-hclog v1.4.0 github.com/hashicorp/go-kms-wrapping/v2 v2.0.9-0.20230228100945-740d2999c798 @@ -50,10 +52,10 @@ require ( github.com/shopspring/decimal v1.3.1 // indirect github.com/spf13/cast v1.5.0 // indirect github.com/stretchr/testify v1.8.2 // indirect - golang.org/x/crypto v0.6.0 // indirect - golang.org/x/net v0.7.0 // indirect - golang.org/x/sys v0.5.0 // indirect - golang.org/x/text v0.7.0 // indirect + golang.org/x/crypto v0.11.0 // indirect + golang.org/x/net v0.10.0 // indirect + golang.org/x/sys v0.10.0 // indirect + golang.org/x/text v0.11.0 // indirect google.golang.org/genproto v0.0.0-20230227214838-9b19f0bdc514 // indirect google.golang.org/grpc v1.53.0 // indirect google.golang.org/protobuf v1.28.1 // indirect diff --git a/examples/plugin-cli/go.sum b/examples/plugin-cli/go.sum index 623f6f6a..a3ede913 100644 --- a/examples/plugin-cli/go.sum +++ b/examples/plugin-cli/go.sum 
@@ -39,8 +39,6 @@ github.com/hashicorp/go-hclog v1.4.0 h1:ctuWFGrhFha8BnnzxqeRGidlEcQkDyL5u8J8t5eA github.com/hashicorp/go-hclog v1.4.0/go.mod h1:W4Qnvbt70Wk/zYJryRzDRU/4r0kIg0PVHBcfoyhpF5M= github.com/hashicorp/go-kms-wrapping/plugin/v2 v2.0.3 h1:RcEyqlOdRXgiTF8pXXbYim1ga7qiWvCEcB+DNsGnxAA= github.com/hashicorp/go-kms-wrapping/plugin/v2 v2.0.3/go.mod h1:e/xXrQ8uKG1GEEseVg6l0XKVaOtYggl75MPd6osZQ0I= -github.com/hashicorp/go-kms-wrapping/v2 v2.0.9-0.20230228100945-740d2999c798 h1:22yjMhn+kJ7u8RaP5qcYEn02zHWnIg1/JxE4BL8JLtQ= -github.com/hashicorp/go-kms-wrapping/v2 v2.0.9-0.20230228100945-740d2999c798/go.mod h1:iRHxwFG8L24HhemSuvDYtuwVkjkl+OkTLvQ5bmqzAqE= github.com/hashicorp/go-multierror v1.0.0/go.mod h1:dHtQlpGsu+cZNNAkkCN/P3hoUDHhCYQXV3UM06sGGrk= github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo= github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM= 
@@ -151,16 +149,16 @@ golang.org/x/crypto v0.0.0-20200414173820-0848c9571904/go.mod h1:LzIPMQfyMNhhGPh golang.org/x/crypto v0.0.0-20200820211705-5c72a883971a/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.3.0/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4= -golang.org/x/crypto v0.6.0 h1:qfktjS5LUO+fFKeJXZ+ikTRijMmljikvG68fpMMruSc= -golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58= +golang.org/x/crypto v0.11.0 h1:6Ewdq3tDic1mg5xRO4milcWCfMVQhI4NkqWWvqejpuA= +golang.org/x/crypto v0.11.0/go.mod h1:xgJhtzW8F9jGdVFWZESrid1U1bjeNy4zgy5cRr/CIio= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY= -golang.org/x/net v0.7.0 h1:rJrUqqhjsgNp7KqAIc25s9pZnjU7TUcSY7HcVZjdn1g= -golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= +golang.org/x/net v0.10.0 h1:X2//UzNDwYmtCLn7To6G58Wr6f5ahEAQgKNzv9Y951M= +golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= 
@@ -177,8 +175,8 @@ golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.5.0 h1:MUK/U/4lj1t1oPg0HfuXDN/Z1wv31ZJ/YcPiGccS4DU= -golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.10.0 h1:SqMFp9UcQJZa+pmYuAKjd9xq1f0j5rLcDIk0mj4qAsA= +golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc= @@ -186,8 +184,8 @@ golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= -golang.org/x/text v0.7.0 h1:4BRB4x83lYWy72KwLD/qYDuTu7q9PjSagHvijDw7cLo= -golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= +golang.org/x/text v0.11.0 h1:LAntKIrcmeSKERyiOh0XMV39LXS8IE9UL2yP7+f5ij4= +golang.org/x/text v0.11.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= 
diff --git a/go.mod b/go.mod index dbd4c34e..c7ce86ab 100644 --- a/go.mod +++ b/go.mod @@ -3,12 +3,11 @@ module github.com/hashicorp/go-kms-wrapping/v2 go 1.20 require ( - github.com/favadi/protoc-go-inject-tag v1.4.0 github.com/hashicorp/go-uuid v1.0.3 github.com/mr-tron/base58 v1.2.0 github.com/stretchr/testify v1.8.2 - golang.org/x/crypto v0.6.0 - golang.org/x/exp v0.0.0-20230224173230-c95f2b4c22f2 + golang.org/x/crypto v0.11.0 + golang.org/x/exp v0.0.0-20230713183714-613f0c0eb8a1 google.golang.org/protobuf v1.28.1 ) @@ -16,7 +15,7 @@ require ( github.com/davecgh/go-spew v1.1.1 // indirect github.com/kr/pretty v0.3.0 // indirect github.com/pmezard/go-difflib v1.0.0 // indirect - golang.org/x/sys v0.5.0 // indirect + golang.org/x/sys v0.10.0 // indirect gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect ) diff --git a/go.sum b/go.sum index 1aa4ed78..118bbb3d 100644 --- a/go.sum +++ b/go.sum @@ -2,8 +2,6 @@ github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ3 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/favadi/protoc-go-inject-tag v1.4.0 h1:K3KXxbgRw5WT4f43LbglARGz/8jVsDOS7uMjG4oNvXY= -github.com/favadi/protoc-go-inject-tag v1.4.0/go.mod h1:AZ+PK+QDKUOLlBRG0rYiKkUX5Hw7+7GTFzlU99GFSbQ= github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk= github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.8 h1:e6P7q2lk1O+qJJb4BtCQXlK8vWEO8V1ZeuEdJNOqZyg= 
@@ -29,12 +27,12 @@ github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/ github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= github.com/stretchr/testify v1.8.2 h1:+h33VjcLVPDHtOdpUCuF+7gSuG3yGIftsP1YvFihtJ8= github.com/stretchr/testify v1.8.2/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= -golang.org/x/crypto v0.6.0 h1:qfktjS5LUO+fFKeJXZ+ikTRijMmljikvG68fpMMruSc= -golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58= -golang.org/x/exp v0.0.0-20230224173230-c95f2b4c22f2 h1:Jvc7gsqn21cJHCmAWx0LiimpP18LZmUxkT5Mp7EZ1mI= -golang.org/x/exp v0.0.0-20230224173230-c95f2b4c22f2/go.mod h1:CxIveKay+FTh1D0yPZemJVgC/95VzuuOLq5Qi4xnoYc= -golang.org/x/sys v0.5.0 h1:MUK/U/4lj1t1oPg0HfuXDN/Z1wv31ZJ/YcPiGccS4DU= -golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/crypto v0.11.0 h1:6Ewdq3tDic1mg5xRO4milcWCfMVQhI4NkqWWvqejpuA= +golang.org/x/crypto v0.11.0/go.mod h1:xgJhtzW8F9jGdVFWZESrid1U1bjeNy4zgy5cRr/CIio= +golang.org/x/exp v0.0.0-20230713183714-613f0c0eb8a1 h1:MGwJjxBy0HJshjDNfLsYO8xppfqWlA5ZT9OhtUUhTNw= +golang.org/x/exp v0.0.0-20230713183714-613f0c0eb8a1/go.mod h1:FXUEEKJgO7OQYeo8N01OfiKP8RXMtf6e8aTskBGqWdc= +golang.org/x/sys v0.10.0 h1:SqMFp9UcQJZa+pmYuAKjd9xq1f0j5rLcDIk0mj4qAsA= +golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= google.golang.org/protobuf v1.28.1 h1:d0NfwRgPtno5B1Wa6L2DAG+KivqkdutMf1UhdNx175w= diff --git a/wrappers/transit/go.mod b/wrappers/transit/go.mod index f1c6bc17..3b7d1f51 100644 --- a/wrappers/transit/go.mod +++ b/wrappers/transit/go.mod 
@@ -3,21 +3,23 @@ module github.com/hashicorp/go-kms-wrapping/wrappers/transit/v2 go 1.20 require ( - github.com/hashicorp/go-hclog v1.4.0 - github.com/hashicorp/go-kms-wrapping/v2 v2.0.9-0.20230410183110-7294f508d8d1 - github.com/hashicorp/vault/api v1.9.0 - github.com/stretchr/testify v1.8.2 + github.com/hashicorp/go-hclog v1.5.0 + github.com/hashicorp/go-kms-wrapping/v2 v2.0.11 + github.com/hashicorp/vault/api v1.9.2 + github.com/hashicorp/vault/api/auth/kubernetes v0.4.1 + github.com/stretchr/testify v1.8.4 ) require ( github.com/cenkalti/backoff/v3 v3.2.2 // indirect github.com/davecgh/go-spew v1.1.1 // indirect github.com/fatih/color v1.15.0 // indirect + github.com/go-jose/go-jose/v3 v3.0.0 // indirect github.com/google/go-cmp v0.5.9 // indirect github.com/hashicorp/errwrap v1.1.0 // indirect github.com/hashicorp/go-cleanhttp v0.5.2 // indirect github.com/hashicorp/go-multierror v1.1.1 // indirect - github.com/hashicorp/go-retryablehttp v0.7.2 // indirect + github.com/hashicorp/go-retryablehttp v0.7.4 // indirect github.com/hashicorp/go-rootcerts v1.0.2 // indirect github.com/hashicorp/go-secure-stdlib/parseutil v0.1.7 // indirect github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 // indirect 
@@ -26,18 +28,17 @@ require ( github.com/hashicorp/hcl v1.0.0 // indirect github.com/kr/text v0.2.0 // indirect github.com/mattn/go-colorable v0.1.13 // indirect - github.com/mattn/go-isatty v0.0.17 // indirect + github.com/mattn/go-isatty v0.0.19 // indirect github.com/mitchellh/go-homedir v1.1.0 // indirect github.com/mitchellh/mapstructure v1.5.0 // indirect github.com/pmezard/go-difflib v1.0.0 // indirect - github.com/rogpeppe/go-internal v1.9.0 // indirect + github.com/rogpeppe/go-internal v1.11.0 // indirect github.com/ryanuber/go-glob v1.0.0 // indirect - golang.org/x/crypto v0.7.0 // indirect - golang.org/x/net v0.8.0 // indirect - golang.org/x/sys v0.6.0 // indirect - golang.org/x/text v0.8.0 // indirect + golang.org/x/crypto v0.11.0 // indirect + golang.org/x/net v0.12.0 // indirect + golang.org/x/sys v0.10.0 // indirect + golang.org/x/text v0.11.0 // indirect golang.org/x/time v0.3.0 // indirect - google.golang.org/protobuf v1.30.0 // indirect - gopkg.in/square/go-jose.v2 v2.6.0 // indirect + google.golang.org/protobuf v1.31.0 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect ) diff --git a/wrappers/transit/go.sum b/wrappers/transit/go.sum index e2d18000..b56901a8 100644 --- a/wrappers/transit/go.sum +++ b/wrappers/transit/go.sum @@ -1,5 +1,6 @@ github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8= github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs= +github.com/cenkalti/backoff/v3 v3.0.0/go.mod h1:cIeZDE3IrqwwJl6VUwCN6trj1oXrTS4rc0ij+ULvLYs= github.com/cenkalti/backoff/v3 v3.2.2 h1:cfUAAO3yvKMYKPrvhDuHSwQnhZNk/RMHKdZqKTxfm6M= github.com/cenkalti/backoff/v3 v3.2.2/go.mod h1:cIeZDE3IrqwwJl6VUwCN6trj1oXrTS4rc0ij+ULvLYs= github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= 
@@ -10,30 +11,37 @@ github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5Kwzbycv github.com/fatih/color v1.13.0/go.mod h1:kLAiJbzzSOZDVNGyDpeOxJ47H46qBXwg5ILebYFFOfk= github.com/fatih/color v1.15.0 h1:kOqh6YHBtK8aywxGerMG2Eq3H6Qgoqeo13Bk2Mv/nBs= github.com/fatih/color v1.15.0/go.mod h1:0h5ZqXfHYED7Bhv2ZJamyIOUej9KtShiJESRwBDUSsw= +github.com/go-jose/go-jose/v3 v3.0.0 h1:s6rrhirfEP/CGIoc6p+PZAeogN2SxKav6Wp7+dyMWVo= +github.com/go-jose/go-jose/v3 v3.0.0/go.mod h1:RNkWWRld676jZEYoV3+XK8L2ZnNSvIsxFMht0mSX+u8= github.com/go-test/deep v1.0.2 h1:onZX1rnHT3Wv6cqNgYyFOOlgVKJrksuCMCRvJStbMYw= +github.com/go-test/deep v1.0.2/go.mod h1:wGDj63lr65AM2AQyKZd/NYHGb0R+1RLqB8NKt3aSFNA= github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk= +github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.7/go.mod h1:n+brtR0CgQNWTVd5ZUFpTBC8YFBDLK/h/bpaJ8/DtOE= github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38= github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I= github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= +github.com/hashicorp/go-cleanhttp v0.5.1/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80= github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ= github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48= github.com/hashicorp/go-hclog v0.9.2/go.mod h1:5CU+agLiy3J7N7QjHK5d05KxGsuXiQLrjA0H7acj2lQ= -github.com/hashicorp/go-hclog v1.4.0 h1:ctuWFGrhFha8BnnzxqeRGidlEcQkDyL5u8J8t5eA11I= -github.com/hashicorp/go-hclog v1.4.0/go.mod 
h1:W4Qnvbt70Wk/zYJryRzDRU/4r0kIg0PVHBcfoyhpF5M= -github.com/hashicorp/go-kms-wrapping/v2 v2.0.9-0.20230315135303-7bedb33a2280 h1:z6DejONsrp3SxXZQ9znFX0g7zf903zndM1NAvr27Sl8= -github.com/hashicorp/go-kms-wrapping/v2 v2.0.9-0.20230315135303-7bedb33a2280/go.mod h1:VuJDBrF0EOt8JswgdKlvQbRpKu7KBKzmv6++A2vPW7c= -github.com/hashicorp/go-kms-wrapping/v2 v2.0.9-0.20230410183110-7294f508d8d1 h1:BdP4AzOMgNfjy9kopYXbRU4yoOj4RAM0+gY0wceABpo= -github.com/hashicorp/go-kms-wrapping/v2 v2.0.9-0.20230410183110-7294f508d8d1/go.mod h1:VuJDBrF0EOt8JswgdKlvQbRpKu7KBKzmv6++A2vPW7c= +github.com/hashicorp/go-hclog v0.16.2/go.mod h1:whpDNt7SSdeAju8AWKIWsul05p54N/39EeqMAyrmvFQ= +github.com/hashicorp/go-hclog v1.5.0 h1:bI2ocEMgcVlz55Oj1xZNBsVi900c7II+fWDyV9o+13c= +github.com/hashicorp/go-hclog v1.5.0/go.mod h1:W4Qnvbt70Wk/zYJryRzDRU/4r0kIg0PVHBcfoyhpF5M= +github.com/hashicorp/go-kms-wrapping/v2 v2.0.11 h1:nKEURCh7MyBavPoNQzayY/kCnuHLz7prvyMAqJjajSQ= +github.com/hashicorp/go-kms-wrapping/v2 v2.0.11/go.mod h1:NtMaPhqSlfQ72XWDD2g80o8HI8RKkowIB8/WZHMyPY4= github.com/hashicorp/go-multierror v1.0.0/go.mod h1:dHtQlpGsu+cZNNAkkCN/P3hoUDHhCYQXV3UM06sGGrk= github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo= github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM= -github.com/hashicorp/go-retryablehttp v0.7.2 h1:AcYqCvkpalPnPF2pn0KamgwamS42TqUDDYFRKq/RAd0= -github.com/hashicorp/go-retryablehttp v0.7.2/go.mod h1:Jy/gPYAdjqffZ/yFGCFV2doI5wjtH1ewM9u8iYVjtX8= +github.com/hashicorp/go-retryablehttp v0.6.6/go.mod h1:vAew36LZh98gCBJNLH42IQ1ER/9wtLZZ8meHqQvEYWY= +github.com/hashicorp/go-retryablehttp v0.7.4 h1:ZQgVdpTdAL7WpMIwLzCfbalOcSUdkDZnpUv3/+BxzFA= +github.com/hashicorp/go-retryablehttp v0.7.4/go.mod h1:Jy/gPYAdjqffZ/yFGCFV2doI5wjtH1ewM9u8iYVjtX8= github.com/hashicorp/go-rootcerts v1.0.2 h1:jzhAVGtqPKbwpyCPELlgNWhE1znq+qwJtW5Oi2viEzc= github.com/hashicorp/go-rootcerts v1.0.2/go.mod h1:pqUvnprVnM5bf7AOirdbb01K4ccR319Vf4pU3K5EGc8= 
+github.com/hashicorp/go-secure-stdlib/parseutil v0.1.6/go.mod h1:QmrqtbKuxxSWTN3ETMPuB+VtEiBJ/A9XhoYGv8E1uD8= github.com/hashicorp/go-secure-stdlib/parseutil v0.1.7 h1:UpiO20jno/eV1eVZcxqWnUohyKRe1g8FPV/xH1s/2qs= github.com/hashicorp/go-secure-stdlib/parseutil v0.1.7/go.mod h1:QmrqtbKuxxSWTN3ETMPuB+VtEiBJ/A9XhoYGv8E1uD8= github.com/hashicorp/go-secure-stdlib/strutil v0.1.1/go.mod h1:gKOamz3EwoIoJq7mlMIRBpVTAUn8qPCrEclOKKWhD3U= 
@@ -45,22 +53,28 @@ github.com/hashicorp/go-uuid v1.0.3 h1:2gKiV6YVmrJ1i2CKKa9obLvRieoRGviZFL26PcT/C github.com/hashicorp/go-uuid v1.0.3/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro= github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4= github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ= -github.com/hashicorp/vault/api v1.9.0 h1:ab7dI6W8DuCY7yCU8blo0UCYl2oHre/dloCmzMWg9w8= -github.com/hashicorp/vault/api v1.9.0/go.mod h1:lloELQP4EyhjnCQhF8agKvWIVTmxbpEJj70b98959sM= +github.com/hashicorp/vault/api v1.9.2 h1:YjkZLJ7K3inKgMZ0wzCU9OHqc+UqMQyXsPXnf3Cl2as= +github.com/hashicorp/vault/api v1.9.2/go.mod h1:jo5Y/ET+hNyz+JnKDt8XLAdKs+AM0G5W0Vp1IrFI8N8= +github.com/hashicorp/vault/api/auth/kubernetes v0.4.1 h1:amFWL1ZhwMWdmqvT51J9phXu835kY25wFfTrY/3yXd0= +github.com/hashicorp/vault/api/auth/kubernetes v0.4.1/go.mod h1:ikWDT8Adnfvm+8DzKez50vvLD9GWD/unZfJxeqP09sU= github.com/kr/pretty v0.3.0 h1:WgNl7dwNpEZ6jJ9k1snq4pZsg7DOEN8hP9Xw0Tsjwk0= github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU= +github.com/mattn/go-colorable v0.1.4/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE= +github.com/mattn/go-colorable v0.1.6/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc= github.com/mattn/go-colorable v0.1.9/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc= github.com/mattn/go-colorable v0.1.12/go.mod h1:u5H1YNBxpqRaxsYJYSkiCWKzEfiAb1Gb520KVy5xxl4= github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA= github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg= github.com/mattn/go-isatty v0.0.3/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4= +github.com/mattn/go-isatty v0.0.8/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s= 
+github.com/mattn/go-isatty v0.0.10/go.mod h1:qgIWMr58cqv1PHHyhnkY9lrL7etaEgOFcMEpPG5Rm84= github.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Kysco4FUpU= github.com/mattn/go-isatty v0.0.14/go.mod h1:7GGIvUiUoEMVVmxf/4nioHXj79iQHKdU27kJ6hsGG94= github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM= -github.com/mattn/go-isatty v0.0.17 h1:BTarxUcIeDqL27Mc+vyvdWYSL28zpIhv3RoTdsLMPng= -github.com/mattn/go-isatty v0.0.17/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM= +github.com/mattn/go-isatty v0.0.19 h1:JITubQf0MOLdlGRuRq+jtsDlekdYPia9ZFsB8h/APPA= +github.com/mattn/go-isatty v0.0.19/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y= github.com/mitchellh/cli v1.0.0/go.mod h1:hNIlj7HEI86fIcpObd7a0FcrxTWetlwJDGcceTlRvqc= github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y= github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= 
@@ -71,46 +85,78 @@ github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RR github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/posener/complete v1.1.1/go.mod h1:em0nMJCgc9GFtwrmVmEMR/ZL6WyhyjMBndrE9hABlRI= -github.com/rogpeppe/go-internal v1.9.0 h1:73kH8U+JUqXU8lRuOHeVHaa/SZPifC7BkcraZVejAe8= -github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs= +github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M= +github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUzkipdSkR5nkCZA= github.com/ryanuber/columnize v2.1.0+incompatible/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts= github.com/ryanuber/go-glob v1.0.0 h1:iQh3xXAumdQ+4Ufa5b25cRpC5TYKlno6hsv6Cb3pkBk= github.com/ryanuber/go-glob v1.0.0/go.mod h1:807d1WSdnB0XRJzKNil9Om6lcp/3a0v4qIHxIXzX/Yc= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= -github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo= github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= +github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= -github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.7.2/go.mod h1:R6va5+xMeoiuVRoj+gSkQ7d3FALtqAAGI1FQKckRals= -github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= -github.com/stretchr/testify v1.8.2 h1:+h33VjcLVPDHtOdpUCuF+7gSuG3yGIftsP1YvFihtJ8= -github.com/stretchr/testify v1.8.2/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= 
-golang.org/x/crypto v0.7.0 h1:AvwMYaRytfdeVt3u6mLaxYtErKYjxA2OXjJ1HHq6t3A= -golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU= -golang.org/x/net v0.8.0 h1:Zrh2ngAOFYneWTAIAPethzeaQLuHwhuBkuV6ZiRnUaQ= -golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc= +github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk= +github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo= +github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= +golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= +golang.org/x/crypto v0.0.0-20190911031432-227b76d455e7/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= +golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58= +golang.org/x/crypto v0.11.0 h1:6Ewdq3tDic1mg5xRO4milcWCfMVQhI4NkqWWvqejpuA= +golang.org/x/crypto v0.11.0/go.mod h1:xgJhtzW8F9jGdVFWZESrid1U1bjeNy4zgy5cRr/CIio= +golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= +golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= +golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= +golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= +golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= +golang.org/x/net v0.12.0 h1:cfawfvKITfUsFCeJIHJrbSxpeu/E81khclypR0GVT50= +golang.org/x/net v0.12.0/go.mod 
h1:zEVYFnQC7m/vmpQFELhcD1EWkZlX69l4oqgmer6hfKA= +golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191008105621-543471e840be/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220503163025-988cb79eb6c6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.6.0 h1:MVltZSvRTcU2ljQOhs94SXPftV6DCNnZViHeQps87pQ= +golang.org/x/sys v0.5.0/go.mod 
h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/text v0.8.0 h1:57P1ETyNKtuIjB4SRd15iJxuhj8Gc416Y78H3qgMh68= -golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= +golang.org/x/sys v0.10.0 h1:SqMFp9UcQJZa+pmYuAKjd9xq1f0j5rLcDIk0mj4qAsA= +golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= +golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= +golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= +golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= +golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= +golang.org/x/text v0.11.0 h1:LAntKIrcmeSKERyiOh0XMV39LXS8IE9UL2yP7+f5ij4= +golang.org/x/text v0.11.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= +golang.org/x/time v0.0.0-20200416051211-89c76fbcd5d1/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4= golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= +golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod 
h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= -google.golang.org/protobuf v1.30.0 h1:kPPoIgf3TsEvrm0PFe15JQ+570QVxYzEvvHqChK+cng= -google.golang.org/protobuf v1.30.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= +google.golang.org/protobuf v1.31.0 h1:g0LDEJHgrBl9N9r17Ru3sqWhkIx2NB67okBHPwC7hs8= +google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 h1:YR8cESwS4TdDjEe65xsg0ogRM/Nc3DYOhEAlW+xobZo= -gopkg.in/square/go-jose.v2 v2.6.0 h1:NGk74WTnPKBNUhNzQX7PYcTLUjoq7mzKk2OKbvwk2iI= -gopkg.in/square/go-jose.v2 v2.6.0/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI= gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= diff --git a/wrappers/transit/options.go b/wrappers/transit/options.go index cbe62bf3..44a77199 100644 --- a/wrappers/transit/options.go +++ b/wrappers/transit/options.go @@ -73,6 +73,14 @@ func getOpts(opt ...wrapping.Option) (*options, error) { if err != nil { return nil, err } + case "role_name": + opts.withRoleName = v + case "kubernetes_mount_path": + opts.withKubernetesMountPath = v + case "service_account_token_env": + opts.withServiceAccountTokenEnv = v + case "service_account_token_path": + opts.withServiceAccountTokenPath = v case "token": opts.withToken = v } 
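Review bot: The new `role_name`, `kubernetes_mount_path`, `service_account_token_env` and `service_account_token_path` cases in getOpts are stored next to the existing `token` case, and nothing in this hunk rejects or orders a configuration that supplies both a static `token` and a `role_name`. Which credential is used is then decided wherever the Vault client is built, which this hunk does not show; if that code quietly prefers the static token, an operator who believes they have moved to Kubernetes auth keeps running on a long-lived secret. If the two are meant to be exclusive, getOpts could return an error when both are set, or the intended precedence could be recorded above the new cases, for example `// role_name selects Kubernetes auth; see <client setup> for precedence over token`. getOpts begins and ends outside the hunk.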
@@ -99,18 +107,22 @@ type OptionFunc func(*options) error type options struct { *wrapping.Options - withMountPath string - withKeyName string - withDisableRenewal string - withNamespace string - withAddress string - withTlsCaCert string - withTlsCaPath string - withTlsClientCert string - withTlsClientKey string - withTlsServerName string - withTlsSkipVerify bool - withToken string + withMountPath string + withKeyName string + withDisableRenewal string + withNamespace string + withAddress string + withTlsCaCert string + withTlsCaPath string + withTlsClientCert string + withTlsClientKey string + withTlsServerName string + withTlsSkipVerify bool + withToken string + withRoleName string + withKubernetesMountPath string + withServiceAccountTokenEnv string + withServiceAccountTokenPath string withLogger hclog.Logger } 
@@ -248,3 +260,49 @@ func WithLogger(with hclog.Logger) wrapping.Option {
 })
 }
 }
+
+// WithKubernetesMountPath in case of kubernetes auth is enabled in a different mount path
+// in case not defined the default is: kubernetes
+func WithKubernetesMountPath(with string) wrapping.Option {
+ return func() interface{} {
+ return OptionFunc(func(o *options) error {
+ o.withKubernetesMountPath = with
+ return nil
+ })
+ }
+}
+
+// WithRoleName provides a way to set the vault role name (for kubernetes auth)
+// this role must bind to a kubernetes service account
+func WithRoleName(with string) wrapping.Option {
+ return func() interface{} {
+ return OptionFunc(func(o *options) error {
+ o.withRoleName = with
+ return nil
+ })
+ }
+}
+
+// WithServiceAccountTokenEnv (Optional) provides a way to choose the service account token env
+// if both WithServiceAccountTokenEnv and WithServiceAccountTokenPath are set, the path will be used
+// if none of them are provided default points to the path /var/run/secrets/kubernetes.io/serviceaccount/token
+func WithServiceAccountTokenEnv(with string) wrapping.Option {
+ return func() interface{} {
+ return OptionFunc(func(o *options) error {
+ o.withServiceAccountTokenEnv = with
+ return nil
+ })
+ }
+}
+
+// WithServiceAccountTokenPath (Optional) provides a way to choose the service account token path
+// if both WithServiceAccountTokenEnv and WithServiceAccountTokenPath are set, the path will be used
+// if none of them are provided default points to the path /var/run/secrets/kubernetes.io/serviceaccount/token
+func WithServiceAccountTokenPath(with string) wrapping.Option {
+ return func() interface{} {
+ return OptionFunc(func(o *options) error {
+ o.withServiceAccountTokenPath = with
+ return nil
+ })
+ }
+}
diff --git a/wrappers/transit/options_test.go b/wrappers/transit/options_test.go
index de3582d6..d23f7071 100644
--- a/wrappers/transit/options_test.go
+++ b/wrappers/transit/options_test.go
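Review bot: The doc comments on WithServiceAccountTokenEnv and WithServiceAccountTokenPath promise a precedence (path over env) and a default token path, but both functions only store a string, so those guarantees are implemented elsewhere and the comments can drift from that code. The comment on WithServiceAccountTokenEnv also leaves open whether `with` is the name of an environment variable or the token itself; the test value `token-env-var` suggests the name, and the comment should say so, e.g. `// WithServiceAccountTokenEnv sets the name of the environment variable that holds the service account JWT.` Because Kubernetes rotates projected service account tokens on disk while an environment variable keeps the value it had at process start, it would help to add that the path form is the safer choice for long-running processes. The comments would also read better as full sentences ending in a period, per Go doc convention.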
@@ -212,7 +212,6 @@ func Test_GetOpts(t *testing.T) { require.NoError(err) testOpts, err := getOpts() require.NoError(err) - testOpts.withTlsServerName = "" assert.Equal(opts, testOpts) with := hclog.New(&hclog.LoggerOptions{ 
@@ -224,4 +223,64 @@ func Test_GetOpts(t *testing.T) { testOpts.withLogger = with assert.Equal(opts, testOpts) }) + t.Run("WithRoleName", func(t *testing.T) { + assert, require := assert.New(t), require.New(t) + // test default of 0 + opts, err := getOpts() + require.NoError(err) + testOpts, err := getOpts() + require.NoError(err) + assert.Equal(opts, testOpts) + + const with = "test-role-name" + opts, err = getOpts(WithRoleName(with)) + require.NoError(err) + testOpts.withRoleName = with + assert.Equal(opts, testOpts) + }) + t.Run("WithKubernetesMountPath", func(t *testing.T) { + assert, require := assert.New(t), require.New(t) + // test default of 0 + opts, err := getOpts() + require.NoError(err) + testOpts, err := getOpts() + require.NoError(err) + assert.Equal(opts, testOpts) + + const with = "/auth/kube-auth/" + opts, err = getOpts(WithKubernetesMountPath(with)) + require.NoError(err) + testOpts.withKubernetesMountPath = with + assert.Equal(opts, testOpts) + }) + t.Run("WithServiceAccountTokenEnv", func(t *testing.T) { + assert, require := assert.New(t), require.New(t) + // test default of 0 + opts, err := getOpts() + require.NoError(err) + testOpts, err := getOpts() + require.NoError(err) + assert.Equal(opts, testOpts) + + const with = "token-env-var" + opts, err = getOpts(WithServiceAccountTokenEnv(with)) + require.NoError(err) + testOpts.withServiceAccountTokenEnv = with + assert.Equal(opts, testOpts) + }) + t.Run("WithServiceAccountTokenPath", func(t *testing.T) { + assert, require := assert.New(t), require.New(t) + // test default of 0 + opts, err := getOpts() + require.NoError(err) + testOpts, err := getOpts() + require.NoError(err) + assert.Equal(opts, testOpts) + + const with = "/token/path/test" + opts, err = getOpts(WithServiceAccountTokenPath(with)) + require.NoError(err) + testOpts.withServiceAccountTokenPath = with + assert.Equal(opts, testOpts) + }) } 
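Review bot: The comment `// test default of 0` in each of the four new subtests is left over from a numeric option; these options are strings, so `// two calls with no options must yield equal defaults` would describe the check. The subtests only confirm that each setter stores its value. Nothing here exercises how `getKubernetesLoginOptions` combines the token path, token env and mount path, which is where a test would be most useful. Test_GetOpts begins outside this hunk.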
diff --git a/wrappers/transit/set_transit_client.go b/wrappers/transit/set_transit_client.go
new file mode 100644
index 00000000..4cebcd05
--- /dev/null
+++ b/wrappers/transit/set_transit_client.go
@@ -0,0 +1,325 @@
+package transit
+
+import (
+ "context"
+ "fmt"
+ "github.com/hashicorp/go-hclog"
+ wrapping "github.com/hashicorp/go-kms-wrapping/v2"
+ vault "github.com/hashicorp/vault/api"
+ k8sAuth "github.com/hashicorp/vault/api/auth/kubernetes"
+ "os"
+ "strconv"
+)
+
+const (
+ envTransitWrapperMountPath = "TRANSIT_WRAPPER_MOUNT_PATH"
+ envVaultTransitSealMountPath = "VAULT_TRANSIT_SEAL_MOUNT_PATH"
+
+ envTransitWrapperKeyName = "TRANSIT_WRAPPER_KEY_NAME"
+ envVaultTransitSealKeyName = "VAULT_TRANSIT_SEAL_KEY_NAME"
+
+ envTransitWrapperDisableRenewal = "TRANSIT_WRAPPER_DISABLE_RENEWAL"
+ envVaultTransitSealDisableRenewal = "VAULT_TRANSIT_SEAL_DISABLE_RENEWAL"
+
+ envVaultRoleName = "VAULT_ROLE_NAME"
+)
+
+func getTransitClient(logger hclog.Logger, opts *options) (*TransitClient, error) {
+ var err error
+ var mountPath, keyName string
+
+ if mountPath, err = getMountPath(opts); err != nil {
+ return nil, err
+ }
+ if keyName, err = getKeyName(opts); err != nil {
+ return nil, err
+ }
+
+ var apiConfig *vault.Config
+ if apiConfig, err = getApiConfig(opts); err != nil {
+ return nil, err
+ }
+
+ vaultClient, err := vault.NewClient(apiConfig)
+ if err != nil {
+ return nil, err
+ }
+ if opts.withToken != "" {
+ vaultClient.SetToken(opts.withToken)
+ }
+
+ if vaultClient.Token() == "" {
+ if logger != nil {
+ logger.Info("no token provided to transit auto-seal")
+ }
+ }
+
+ client := &TransitClient{
+ vaultClient: vaultClient,
+ mountPath: mountPath,
+ keyName: keyName,
+ }
+
+ return client, nil
+}
+
+func newWrapConfig(transitClient *TransitClient, namespace string) *wrapping.WrapperConfig {
+ var wrapConfig = new(wrapping.WrapperConfig)
+
+ wrapConfig.Metadata = make(map[string]string)
+ wrapConfig.Metadata["address"] = transitClient.vaultClient.Address()
+ wrapConfig.Metadata["mount_path"] = transitClient.mountPath
+ wrapConfig.Metadata["key_name"] = transitClient.keyName
+
+ if namespace != "" {
+ wrapConfig.Metadata["namespace"] = namespace
+ }
+
+ return wrapConfig
+}
+
+func getApiConfig(opts *options) (*vault.Config, error) {
+ var apiConfig = vault.DefaultConfig()
+
+ if opts.withAddress != "" {
+ apiConfig.Address = opts.withAddress
+ }
+ if opts.withTlsCaCert != "" ||
+ opts.withTlsCaPath != "" ||
+ opts.withTlsClientCert != "" ||
+ opts.withTlsClientKey != "" ||
+ opts.withTlsServerName != "" ||
+ opts.withTlsSkipVerify {
+
+ tlsConfig := &vault.TLSConfig{
+ CACert: opts.withTlsCaCert,
+ CAPath: opts.withTlsCaPath,
+ ClientCert: opts.withTlsClientCert,
+ ClientKey: opts.withTlsClientKey,
+ TLSServerName: opts.withTlsServerName,
+ Insecure: opts.withTlsSkipVerify,
+ }
+ if err := apiConfig.ConfigureTLS(tlsConfig); err != nil {
+ return nil, err
+ }
+ }
+
+ return apiConfig, nil
+}
+
+func getNamespace(opts *options) string {
+ var namespace string
+
+ switch {
+ case os.Getenv("VAULT_NAMESPACE") != "" && !opts.Options.WithDisallowEnvVars:
+ namespace = os.Getenv("VAULT_NAMESPACE")
+ case opts.withNamespace != "":
+ namespace = opts.withNamespace
+ }
+
+ return namespace
+}
+
+func getDisableRenewal(opts *options) (bool, error) {
+ var err error
+ var disableRenewal bool
+ var disableRenewalRaw string
+
+ switch {
+ case os.Getenv(envTransitWrapperDisableRenewal) != "" && !opts.Options.WithDisallowEnvVars:
+ disableRenewalRaw = os.Getenv(envTransitWrapperDisableRenewal)
+ case os.Getenv(envVaultTransitSealDisableRenewal) != "" && !opts.Options.WithDisallowEnvVars:
+ disableRenewalRaw = os.Getenv(envVaultTransitSealDisableRenewal)
+ case opts.withDisableRenewal != "":
+ disableRenewalRaw = opts.withDisableRenewal
+ }
+ if disableRenewalRaw != "" {
+ disableRenewal, err = strconv.ParseBool(disableRenewalRaw)
+ if err != nil {
+ return false, err
+ }
+ }
+
+ return disableRenewal, nil
+}
+
+func getKeyName(opts *options) (string, error) {
+ var keyName string
+
+ switch {
+ case os.Getenv(envTransitWrapperKeyName) != "" && !opts.Options.WithDisallowEnvVars:
+ keyName = os.Getenv(envTransitWrapperKeyName)
+ case os.Getenv(envVaultTransitSealKeyName) != "" && !opts.Options.WithDisallowEnvVars:
+ keyName = os.Getenv(envVaultTransitSealKeyName)
+ case opts.withKeyName != "":
+ keyName = opts.withKeyName
+ default:
+ return "", fmt.Errorf("key_name is required")
+ }
+
+ return keyName, nil
+}
+
+func getMountPath(opts *options) (string, error) {
+ var mountPath string
+
+ switch {
+ case os.Getenv(envTransitWrapperMountPath) != "" && !opts.Options.WithDisallowEnvVars:
+ mountPath = os.Getenv(envTransitWrapperMountPath)
+ case os.Getenv(envVaultTransitSealMountPath) != "" && !opts.Options.WithDisallowEnvVars:
+ mountPath = os.Getenv(envVaultTransitSealMountPath)
+ case opts.withMountPath != "":
+ mountPath = opts.withMountPath
+ default:
+ return "", fmt.Errorf("mount_path is required")
+ }
+
+ return mountPath, nil
+}
+
+func getVaultRoleName(opts *options) string {
+ switch {
+ case os.Getenv(envVaultRoleName) != "" && !opts.Options.WithDisallowEnvVars:
+ return os.Getenv(envVaultRoleName)
+ case opts.withRoleName != "":
+ return opts.withRoleName
+ default:
+ return ""
+ }
+}
+
+func getServiceAccountTokenPath(opts *options) string {
+ switch {
+ case opts.withServiceAccountTokenPath != "":
+ return opts.withServiceAccountTokenPath
+ default:
+ return ""
+ }
+}
+
+func getServiceAccountTokenEnv(opts *options) string {
+ switch {
+ case opts.withServiceAccountTokenEnv != "":
+ return opts.withServiceAccountTokenEnv
+ default:
+ return ""
+ }
+}
+
+func getKubernetesMountPath(opts *options) string {
+ switch {
+ case opts.withKubernetesMountPath != "":
+ return opts.withKubernetesMountPath
+ default:
+ return ""
+ }
+}
+
+func getKubernetesLoginOptions(opts *options) []k8sAuth.LoginOption {
+ var tokenPath = getServiceAccountTokenPath(opts)
+ var tokenEnv = getServiceAccountTokenEnv(opts)
+ var kubernetesMountPath = getKubernetesMountPath(opts)
+ var loginOption []k8sAuth.LoginOption
+
+ switch {
+ case tokenPath != "":
+ loginOption = append(loginOption, k8sAuth.WithServiceAccountTokenPath(tokenPath))
+ case tokenEnv != "":
+ loginOption = append(loginOption, k8sAuth.WithServiceAccountTokenEnv(tokenEnv))
+ case kubernetesMountPath != "":
+ loginOption = append(loginOption, k8sAuth.WithMountPath(kubernetesMountPath))
+ default:
+ loginOption = nil
+ }
+
+ return loginOption
+}
+
+func tokenRenew(transitClient *TransitClient, logger hclog.Logger) error {
+ // Renew the token immediately to get a secret to pass to lifetime watcher
+ secret, err := transitClient.vaultClient.Auth().Token().RenewTokenAsSelf(transitClient.vaultClient.Token(), 0)
+ // If we don't get an error renewing, set up a lifetime watcher. The token
+ // may not be renewable or not have permission to renew-self.
+ if err != nil {
+ if logger != nil {
+ logger.Info("unable to renew token, disabling renewal", "err", err)
+ }
+ return nil
+ }
+
+ if err = setUpLifetimeWatcher(transitClient, secret, logger); err != nil {
+ return err
+ }
+
+ return nil
+}
+
+func setUpLifetimeWatcher(transitClient *TransitClient, secret *vault.Secret, logger hclog.Logger) error {
+ var err error
+ var lifetimeWatcher *vault.LifetimeWatcher
+
+ if lifetimeWatcher, err = transitClient.vaultClient.
+ NewLifetimeWatcher(&vault.LifetimeWatcherInput{Secret: secret}); err != nil { + return err + } + + transitClient.lifetimeWatcher = lifetimeWatcher + go monitorLifetimeWatcher(lifetimeWatcher, logger) + go lifetimeWatcher.Start() + + return nil +} + +func monitorLifetimeWatcher(lifetimeWatcher *vault.LifetimeWatcher, logger hclog.Logger) { + for { + select { + case err := <-lifetimeWatcher.DoneCh(): + if logger != nil { + logger.Info("shutting down token renewal") + } + if err != nil { + if logger != nil { + logger.Error("error renewing token", "error", err) + } + } + return + case <-lifetimeWatcher.RenewCh(): + if logger != nil { + logger.Trace("successfully renewed token") + } + } + } +} + +func performK8sAuthentication(transitClient *TransitClient, roleName string, opts *options, logger hclog.Logger) error { + var err error + var auth *k8sAuth.KubernetesAuth + + var loginOptions = getKubernetesLoginOptions(opts) + if loginOptions != nil { + auth, err = k8sAuth.NewKubernetesAuth(roleName, loginOptions...) + } else { + auth, err = k8sAuth.NewKubernetesAuth(roleName) + } + + if err != nil { + if logger != nil { + logger.Error("error creating new kubernetes auth", "error", err) + } + return err + } + + secret, err := transitClient.vaultClient.Auth().Login(context.Background(), auth) + if err != nil { + if logger != nil { + logger.Error("error authenticating with kubernetes auth", "error", err) + } + return err + } + + if err = setUpLifetimeWatcher(transitClient, secret, logger); err != nil { + return err + } + + return err +} diff --git a/wrappers/transit/transit.go b/wrappers/transit/transit.go index 2f42bec7..536e7873 100644 --- a/wrappers/transit/transit.go +++ b/wrappers/transit/transit.go @@ -17,7 +17,7 @@ import ( // engine type Wrapper struct { logger hclog.Logger - client transitClientEncryptor + client TransitClientEncryptor currentKeyId *atomic.Value } 
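Review bot: `getKubernetesLoginOptions` in the new set_transit_client.go applies at most one login option, because the token path, the token env name and the auth mount path are arms of a single `switch`. A caller who sets `WithKubernetesMountPath` together with either token option therefore logs in against the default mount, and the configured mount is silently dropped. The token source and the mount are independent settings, so only path-versus-env should be exclusive, as the option docs already describe. The rewrite below keeps the nil result when nothing is set, which `performK8sAuthentication` relies on.

```go
func getKubernetesLoginOptions(opts *options) []k8sAuth.LoginOption {
	var loginOptions []k8sAuth.LoginOption

	// Token source: the path wins over the env name, as the option docs state.
	if tokenPath := getServiceAccountTokenPath(opts); tokenPath != "" {
		loginOptions = append(loginOptions, k8sAuth.WithServiceAccountTokenPath(tokenPath))
	} else if tokenEnv := getServiceAccountTokenEnv(opts); tokenEnv != "" {
		loginOptions = append(loginOptions, k8sAuth.WithServiceAccountTokenEnv(tokenEnv))
	}

	// The auth mount is independent of where the token comes from.
	if mountPath := getKubernetesMountPath(opts); mountPath != "" {
		loginOptions = append(loginOptions, k8sAuth.WithMountPath(mountPath))
	}

	return loginOptions
}
```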
@@ -110,6 +110,6 @@ func (s *Wrapper) Decrypt(_ context.Context, in *wrapping.BlobInfo, _ ...wrappin } // GetClient returns the transit Wrapper's transitClientEncryptor -func (s *Wrapper) GetClient() transitClientEncryptor { +func (s *Wrapper) GetClient() TransitClientEncryptor { return s.client } diff --git a/wrappers/transit/transit_client.go b/wrappers/transit/transit_client.go index 11920833..109bf2ac 100644 --- a/wrappers/transit/transit_client.go +++ b/wrappers/transit/transit_client.go 
@@ -7,188 +7,58 @@ import ( "encoding/base64" "errors" "fmt" - "os" - "path" - "strconv" - "github.com/hashicorp/go-hclog" wrapping "github.com/hashicorp/go-kms-wrapping/v2" - "github.com/hashicorp/vault/api" -) - -const ( - EnvTransitWrapperMountPath = "TRANSIT_WRAPPER_MOUNT_PATH" - EnvVaultTransitSealMountPath = "VAULT_TRANSIT_SEAL_MOUNT_PATH" - - EnvTransitWrapperKeyName = "TRANSIT_WRAPPER_KEY_NAME" - EnvVaultTransitSealKeyName = "VAULT_TRANSIT_SEAL_KEY_NAME" - - EnvTransitWrapperDisableRenewal = "TRANSIT_WRAPPER_DISABLE_RENEWAL" - EnvVaultTransitSealDisableRenewal = "VAULT_TRANSIT_SEAL_DISABLE_RENEWAL" + vault "github.com/hashicorp/vault/api" + "path" ) -type transitClientEncryptor interface { +type TransitClientEncryptor interface { Close() Encrypt(plaintext []byte) (ciphertext []byte, err error) Decrypt(ciphertext []byte) (plaintext []byte, err error) } type TransitClient struct { - client *api.Client - lifetimeWatcher *api.Renewer + vaultClient *vault.Client + lifetimeWatcher *vault.Renewer mountPath string keyName string } func newTransitClient(logger hclog.Logger, opts *options) (*TransitClient, *wrapping.WrapperConfig, error) { - var mountPath, keyName string - switch { - case os.Getenv(EnvTransitWrapperMountPath) != "" && !opts.Options.WithDisallowEnvVars: - mountPath = os.Getenv(EnvTransitWrapperMountPath) - case os.Getenv(EnvVaultTransitSealMountPath) != "" && !opts.Options.WithDisallowEnvVars: - mountPath = os.Getenv(EnvVaultTransitSealMountPath) - case opts.withMountPath != "": - mountPath = opts.withMountPath - default: - return nil, nil, fmt.Errorf("mount_path is required") - } - - switch { - case os.Getenv(EnvTransitWrapperKeyName) != "" && !opts.Options.WithDisallowEnvVars: - keyName = os.Getenv(EnvTransitWrapperKeyName) - case os.Getenv(EnvVaultTransitSealKeyName) != "" && !opts.Options.WithDisallowEnvVars: - keyName = os.Getenv(EnvVaultTransitSealKeyName) - case opts.withKeyName != "": - keyName = opts.withKeyName - default: - return nil, nil, 
fmt.Errorf("key_name is required") - } + var err error + var transitClient *TransitClient - var disableRenewal bool - var disableRenewalRaw string - switch { - case os.Getenv(EnvTransitWrapperDisableRenewal) != "" && !opts.Options.WithDisallowEnvVars: - disableRenewalRaw = os.Getenv(EnvTransitWrapperDisableRenewal) - case os.Getenv(EnvVaultTransitSealDisableRenewal) != "" && !opts.Options.WithDisallowEnvVars: - disableRenewalRaw = os.Getenv(EnvVaultTransitSealDisableRenewal) - case opts.withDisableRenewal != "": - disableRenewalRaw = opts.withDisableRenewal - } - if disableRenewalRaw != "" { - var err error - disableRenewal, err = strconv.ParseBool(disableRenewalRaw) - if err != nil { - return nil, nil, err - } + if transitClient, err = getTransitClient(logger, opts); err != nil { + return nil, nil, err } - var namespace string - switch { - case os.Getenv("VAULT_NAMESPACE") != "" && !opts.Options.WithDisallowEnvVars: - namespace = os.Getenv("VAULT_NAMESPACE") - case opts.withNamespace != "": - namespace = opts.withNamespace + var namespace = getNamespace(opts) + if namespace != "" { + transitClient.vaultClient.SetNamespace(namespace) } - apiConfig := api.DefaultConfig() - if opts.withAddress != "" { - apiConfig.Address = opts.withAddress + var disableRenewal bool + if disableRenewal, err = getDisableRenewal(opts); err != nil { + return nil, nil, err } - if opts.withTlsCaCert != "" || - opts.withTlsCaPath != "" || - opts.withTlsClientCert != "" || - opts.withTlsClientKey != "" || - opts.withTlsServerName != "" || - opts.withTlsSkipVerify { - tlsConfig := &api.TLSConfig{ - CACert: opts.withTlsCaCert, - CAPath: opts.withTlsCaPath, - ClientCert: opts.withTlsClientCert, - ClientKey: opts.withTlsClientKey, - TLSServerName: opts.withTlsServerName, - Insecure: opts.withTlsSkipVerify, - } - if err := apiConfig.ConfigureTLS(tlsConfig); err != nil { + var roleName = getVaultRoleName(opts) + if !disableRenewal && transitClient.vaultClient.Token() != "" { + if err = 
tokenRenew(transitClient, logger); err != nil { return nil, nil, err } - } - - apiClient, err := api.NewClient(apiConfig) - if err != nil { - return nil, nil, err - } - if opts.withToken != "" { - apiClient.SetToken(opts.withToken) - } - if namespace != "" { - apiClient.SetNamespace(namespace) - } - if apiClient.Token() == "" { - if logger != nil { - logger.Info("no token provided to transit auto-seal") - } - } - - client := &TransitClient{ - client: apiClient, - mountPath: mountPath, - keyName: keyName, - } - - if !disableRenewal && apiClient.Token() != "" { - // Renew the token immediately to get a secret to pass to lifetime watcher - secret, err := apiClient.Auth().Token().RenewTokenAsSelf(apiClient.Token(), 0) - // If we don't get an error renewing, set up a lifetime watcher. The token may not be renewable or not have - // permission to renew-self. - if err == nil { - lifetimeWatcher, err := apiClient.NewLifetimeWatcher(&api.LifetimeWatcherInput{ - Secret: secret, - }) - if err != nil { - return nil, nil, err - } - client.lifetimeWatcher = lifetimeWatcher - - go func() { - for { - select { - case err := <-lifetimeWatcher.DoneCh(): - if logger != nil { - logger.Info("shutting down token renewal") - } - if err != nil { - if logger != nil { - logger.Error("error renewing token", "error", err) - } - } - return - case <-lifetimeWatcher.RenewCh(): - if logger != nil { - logger.Trace("successfully renewed token") - } - } - } - }() - go lifetimeWatcher.Start() - } else { - if logger != nil { - logger.Info("unable to renew token, disabling renewal", "err", err) - } + } else if roleName != "" { + if err = performK8sAuthentication(transitClient, roleName, opts, logger); err != nil { + return nil, nil, err } } - wrapConfig := new(wrapping.WrapperConfig) - wrapConfig.Metadata = make(map[string]string) - wrapConfig.Metadata["address"] = apiClient.Address() - wrapConfig.Metadata["mount_path"] = mountPath - wrapConfig.Metadata["key_name"] = keyName - if namespace != "" { - 
wrapConfig.Metadata["namespace"] = namespace - } + var wrapConfig = newWrapConfig(transitClient, namespace) - return client, wrapConfig, nil + return transitClient, wrapConfig, nil } func (c *TransitClient) Close() { @@ -199,8 +69,8 @@ func (c *TransitClient) Close() { func (c *TransitClient) Encrypt(plaintext []byte) ([]byte, error) { encPlaintext := base64.StdEncoding.EncodeToString(plaintext) - path := path.Join(c.mountPath, "encrypt", c.keyName) - secret, err := c.client.Logical().Write(path, map[string]interface{}{ + encryptPath := path.Join(c.mountPath, "encrypt", c.keyName) + secret, err := c.vaultClient.Logical().Write(encryptPath, map[string]interface{}{ "plaintext": encPlaintext, }) if err != nil { @@ -225,8 +95,8 @@ func (c *TransitClient) Encrypt(plaintext []byte) ([]byte, error) { } func (c *TransitClient) Decrypt(ciphertext []byte) ([]byte, error) { - path := path.Join(c.mountPath, "decrypt", c.keyName) - secret, err := c.client.Logical().Write(path, map[string]interface{}{ + decryptPath := path.Join(c.mountPath, "decrypt", c.keyName) + secret, err := c.vaultClient.Logical().Write(decryptPath, map[string]interface{}{ "ciphertext": string(ciphertext), }) if err != nil { @@ -258,6 +128,6 @@ func (c *TransitClient) GetMountPath() string { return c.mountPath } -func (c *TransitClient) GetApiClient() *api.Client { - return c.client +func (c *TransitClient) GetApiClient() *vault.Client { + return c.vaultClient } diff --git a/wrappers/transit/transit_test.go b/wrappers/transit/transit_test.go index efaa1272..a7722996 100644 --- a/wrappers/transit/transit_test.go +++ b/wrappers/transit/transit_test.go 
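Review bot: The auth selection in `newTransitClient` lets a configured role name override an explicit token. With renewal disabled and a token set, the first condition is false, so the `else if roleName != ""` branch performs a Kubernetes login, which, as far as the vault client's `Login` behaves, replaces the supplied token. Since the role name can come from `VAULT_ROLE_NAME`, an environment variable can change which identity the wrapper uses. Branching on the token first and on renewal second keeps the two decisions apart; `performK8sAuthentication` also starts a lifetime watcher without consulting `disableRenewal`, which should be honoured or documented. Separately, this hunk removes the exported `Env…` constants, which breaks importers that referenced them.

```go
	var roleName = getVaultRoleName(opts)
	switch {
	case transitClient.vaultClient.Token() != "":
		// An explicit token always wins; renewal is the only optional part.
		if !disableRenewal {
			if err = tokenRenew(transitClient, logger); err != nil {
				return nil, nil, err
			}
		}
	case roleName != "":
		if err = performK8sAuthentication(transitClient, roleName, opts, logger); err != nil {
			return nil, nil, err
		}
	}
	// … unchanged: newWrapConfig and return …
```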
@@ -121,8 +121,8 @@ func TestSetConfig(t *testing.T) { { name: "success-with-env-mount", setup: func(t *testing.T) { - require.NoError(t, os.Setenv(EnvTransitWrapperMountPath, testWithMountPath)) - t.Cleanup(func() { os.Unsetenv(EnvTransitWrapperMountPath) }) + require.NoError(t, os.Setenv(envTransitWrapperMountPath, testWithMountPath)) + t.Cleanup(func() { os.Unsetenv(envTransitWrapperMountPath) }) }, opts: []wrapping.Option{ WithAddress(testWithAddress), @@ -134,8 +134,8 @@ func TestSetConfig(t *testing.T) { { name: "success-with-env-mount-seal", setup: func(t *testing.T) { - require.NoError(t, os.Setenv(EnvVaultTransitSealMountPath, testWithMountPath)) - t.Cleanup(func() { os.Unsetenv(EnvVaultTransitSealMountPath) }) + require.NoError(t, os.Setenv(envVaultTransitSealMountPath, testWithMountPath)) + t.Cleanup(func() { os.Unsetenv(envVaultTransitSealMountPath) }) }, opts: []wrapping.Option{ WithAddress(testWithAddress), @@ -158,8 +158,8 @@ func TestSetConfig(t *testing.T) { { name: "success-with-env-key-name", setup: func(t *testing.T) { - require.NoError(t, os.Setenv(EnvTransitWrapperKeyName, testWithKeyName)) - t.Cleanup(func() { os.Unsetenv(EnvTransitWrapperKeyName) }) + require.NoError(t, os.Setenv(envTransitWrapperKeyName, testWithKeyName)) + t.Cleanup(func() { os.Unsetenv(envTransitWrapperKeyName) }) }, opts: []wrapping.Option{ WithAddress(testWithAddress), @@ -170,8 +170,8 @@ func TestSetConfig(t *testing.T) { { name: "success-with-env-key-name-seal", setup: func(t *testing.T) { - require.NoError(t, os.Setenv(EnvVaultTransitSealKeyName, testWithKeyName)) - t.Cleanup(func() { os.Unsetenv(EnvVaultTransitSealKeyName) }) + require.NoError(t, os.Setenv(envVaultTransitSealKeyName, testWithKeyName)) + t.Cleanup(func() { os.Unsetenv(envVaultTransitSealKeyName) }) }, opts: []wrapping.Option{ WithAddress(testWithAddress), 
@@ -183,8 +183,8 @@ func TestSetConfig(t *testing.T) { { name: "success-with-env-disable-renewal", setup: func(t *testing.T) { - require.NoError(t, os.Setenv(EnvTransitWrapperDisableRenewal, testWithDisableRenewal)) - t.Cleanup(func() { os.Unsetenv(EnvTransitWrapperDisableRenewal) }) + require.NoError(t, os.Setenv(envTransitWrapperDisableRenewal, testWithDisableRenewal)) + t.Cleanup(func() { os.Unsetenv(envTransitWrapperDisableRenewal) }) }, opts: []wrapping.Option{ WithAddress(testWithAddress), @@ -197,8 +197,8 @@ func TestSetConfig(t *testing.T) { { name: "success-with-env-disable-renewal-seal", setup: func(t *testing.T) { - require.NoError(t, os.Setenv(EnvVaultTransitSealDisableRenewal, testWithDisableRenewal)) - t.Cleanup(func() { os.Unsetenv(EnvVaultTransitSealDisableRenewal) }) + require.NoError(t, os.Setenv(envVaultTransitSealDisableRenewal, testWithDisableRenewal)) + t.Cleanup(func() { os.Unsetenv(envVaultTransitSealDisableRenewal) }) }, opts: []wrapping.Option{ WithAddress(testWithAddress), @@ -211,8 +211,8 @@ func TestSetConfig(t *testing.T) { { name: "error-invalid-env-disable-renewal", setup: func(t *testing.T) { - require.NoError(t, os.Setenv(EnvTransitWrapperDisableRenewal, "invalid-disable-renewal")) - t.Cleanup(func() { os.Unsetenv(EnvTransitWrapperDisableRenewal) }) + require.NoError(t, os.Setenv(envTransitWrapperDisableRenewal, "invalid-disable-renewal")) + t.Cleanup(func() { os.Unsetenv(envTransitWrapperDisableRenewal) }) }, opts: []wrapping.Option{ WithAddress(testWithAddress),