├── .codecov.yml ├── .dockerignore ├── .gitignore ├── .travis.yml ├── CHANGELOG.md ├── CODE_OF_CONDUCT.md ├── Dockerfile ├── LICENSE ├── Makefile ├── README.md ├── aws-ssm ├── Chart.yaml ├── templates │ ├── NOTES.txt │ ├── _helpers.tpl │ ├── deployment.yaml │ ├── rbac.yaml │ └── secret.yaml └── values.yaml ├── docker-compose.yml ├── environment.yaml ├── examples ├── 01-single-value.yaml ├── 02-securestring.yaml ├── 03-stringlist.yaml └── 04-directory.yaml ├── go.mod ├── go.sum ├── main.go ├── multi-secret.yaml ├── pkg ├── annotations │ └── annotations.go ├── config │ ├── config.go │ └── config_test.go ├── controller │ ├── client.go │ ├── client_test.go │ └── controller.go ├── provider │ ├── aws.go │ └── provider.go └── secret │ ├── secret.go │ └── secret_test.go └── scripts ├── add_license.sh └── go_test.sh /.codecov.yml: -------------------------------------------------------------------------------- 1 | ignore: 2 | - "scripts" 3 | - "build" 4 | - ".*_test.go" 5 | -------------------------------------------------------------------------------- /.dockerignore: -------------------------------------------------------------------------------- 1 | .git 2 | *~ 3 | 4 | aws-ssm/** 5 | build/** 6 | examples/** 7 | scripts/** 8 | terraform/** 9 | 10 | CHANGELOG.md 11 | CODE_OF_CONDUCT.md 12 | coverage.txt 13 | 14 | docker-compose.yml 15 | environment.yaml 16 | example.yaml 17 | glide.yaml 18 | goss.yaml 19 | LICENSE 20 | Makefile 21 | README.md 22 | CODE_OF_CONDUCT.md 23 | Dockerfile 24 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | *~ 2 | build/** 3 | coverage.txt 4 | 5 | profile.out 6 | vendor/ 7 | -------------------------------------------------------------------------------- /.travis.yml: -------------------------------------------------------------------------------- 1 | language: go 2 | go: 3 | - '1.14' 4 | services: 5 | - docker 6 | before_install: 7 | - make test 8 | jobs: 9 | include: 10 | - stage: make-build 11 | script: 12 | - make build 13 | - stage: docker-latest 14 | script: 15 | - docker build -t cmattoon/aws-ssm:dev . 16 | - docker tag cmattoon/aws-ssm:dev cmattoon/aws-ssm:latest 17 | - make login 18 | - docker push cmattoon/aws-ssm:dev 19 | - docker push cmattoon/aws-ssm:latest 20 | - stage: docker-branch 21 | script: 22 | - docker build -t cmattoon/aws-ssm:$TRAVIS_BRANCH . 23 | - make login 24 | - docker push cmattoon/aws-ssm:$TRAVIS_BRANCH 25 | - stage: docker-pr 26 | script: 27 | - docker build -t cmattoon/aws-ssm:PR-$TRAVIS_PULL_REQUEST . 28 | - make login 29 | - docker push cmattoon/aws-ssm:PR-$TRAVIS_PULL_REQUEST 30 | branches: 31 | only: 32 | - master 33 | - "/^v.*$/" 34 | stages: 35 | - name: make-build 36 | - name: docker-latest 37 | if: branch = master AND type != pull_request 38 | - name: docker-branch 39 | if: branch != master AND type != pull_request 40 | - name: docker-pr 41 | if: type == pull_request 42 | after_success: 43 | - bash <(curl -s https://codecov.io/bash) 44 | deploy: 45 | provider: releases 46 | api_key: 47 | secure: LOwlKUR14QSuaf1g4m3NvIzIT8GxOPCosIDoUg8uCptp+sIIzalVnaLz7ulw+yyMzxvtPz5X7HezZ3vN84qWWdFezkc7pdgCHw2n9e6dLyWNTSLKi5MOrCcXEfhhd3odepvtQeFu+2vV5iJ/OTwdCdceV37gCreDLCm8V4bpBp8glSHafBaPNvJDPz4GnbC7a8Bj+IuyQe1heiFhbOe6kCqElfq/BJVxcRGB3qukyXQwUcj0Um+qMaMqRVMj973ZcahtzpWXNTu9jfE3mZKeeWfDd9sFJ8uCPPPJp9EwhIEeiG1TsCOR2vGpjeamQbI0f0f4n8dxFRDG+YtRwopSYJgGUnUEPxI+3V6lSN3f+dtMIwa1lbupbC1IW8U3s21NyEcEqBwXWYm+72G5X20RrKjKEUfKv9bzZbK61qztLx+D5i0vCv9oeIA1MF/tIybrHgCrw5VR4/SlxYZHYdFfNK/coZp/E6hICosMmuURmvPVAQ9h8IZVJWzOiXnUUszLPYwSmc+vih5JVJxqvHyu6H0cnCuiRPCeGCBD8Re95lCKYrB2vcw+mUZjcF9UYYh2Vf9BnduJE83M/O8pp6bc6CgadDXcDQ51vQzSl53cH8q+xPQN29JrKaNaOQ3F9zrWA70FGnyjecmgm+k5j9V/63jhUuRgoLFq9k/+b9GzYqo= 48 | file: build/aws-ssm 49 | on: 50 | tags: true 51 | -------------------------------------------------------------------------------- /CHANGELOG.md: -------------------------------------------------------------------------------- 1 | Changelog 2 | ========= 3 | 4 | [0.1.7] - 2019-04-13 5 | -------------------- 6 | ### Changed 7 | - SSL Mount paths are now configurable 8 | - 'make push-container' -> 'make push' 9 | 10 | ### Added 11 | - Shorter annotations 12 | - Lots of metadata/labels 13 | - Proper examples 14 | 15 | ### Fixed 16 | - Made alpine version explicit in Dockerfile (alpine:3.7) 17 | - Makefile cleanup 18 | 19 | ### Removed 20 | - Default values for AWS_SECRET_KEY, AWS_ACCESS_KEY 21 | 22 | [0.1.6] - 2019-03-04 23 | -------------------- 24 | ### Added 25 | - aws-iam-authenticator for AWS EKS Support [Issue #16] (@SalmaCodes) 26 | 27 | [0.1.5] - 2019-01-25 28 | -------------------- 29 | ### Fixed 30 | - Issue #9 - Now supports `SSM.GetParametersByPath`. Naming secrets like paths will allow storing multiple values per Secret. 31 | - Issue #14 - Changed `log.Fatalf` to `log.Errorf` when there's a permission error on `GetParameter`. The restricted value 32 | will simply be skipped instead of the Pod entering a crashloop. 33 | - AWS Environment vars now stored in a Secret (@signaleleven) 34 | 35 | [0.1.4] - 2018-09-11 36 | -------------------- 37 | ### Fixed 38 | - Add ca-certificates package to final alpine image [Issue #7] (@cmosetick) 39 | - Add Volume (Type=hostPath) for /etc/ssl/certs, to ensure AWS roots are available [Issue #7] 40 | 41 | [0.1.3] - 2018-07-24 42 | -------------------- 43 | ### Added 44 | - Docker multi-stage build (copies only the aws-ssm binary): 330MB -> 12MB 45 | 46 | [0.1.2] - 2018-07-23 47 | -------------------- 48 | ### Security 49 | - Removed a debug message that was dumping Secrets as %v. Plaintext values were logged 50 | as a series of byte values 51 | 52 | ### Added 53 | - Reasonable defaults for ENV in Dockerfile 54 | 55 | ### Other 56 | - Testing .travis.yml 57 | 58 | 59 | [0.1.1] - 2018-07-23 60 | -------------------- 61 | ### Added 62 | - Some basic tests 63 | 64 | ### Fixed 65 | - Set Go @ v1.10-alpine 66 | 67 | ### Removed [Security] 68 | - References to kubeconfig in Helm chart (still needed outside the cluster, though) 69 | 70 | 71 | [0.1.0] - 2018-07-22 72 | -------------------- 73 | - Initial Release 74 | -------------------------------------------------------------------------------- /CODE_OF_CONDUCT.md: -------------------------------------------------------------------------------- 1 | # Contributor Covenant Code of Conduct 2 | 3 | ## Our Pledge 4 | 5 | In the interest of fostering an open and welcoming environment, we as contributors and maintainers pledge to making participation in our project and our community a harassment-free experience for everyone, regardless of age, body size, disability, ethnicity, gender identity and expression, level of experience, nationality, personal appearance, race, religion, or sexual identity and orientation. 6 | 7 | ## Our Standards 8 | 9 | Examples of behavior that contributes to creating a positive environment include: 10 | 11 | * Using welcoming and inclusive language 12 | * Being respectful of differing viewpoints and experiences 13 | * Gracefully accepting constructive criticism 14 | * Focusing on what is best for the community 15 | * Showing empathy towards other community members 16 | 17 | Examples of unacceptable behavior by participants include: 18 | 19 | * The use of sexualized language or imagery and unwelcome sexual attention or advances 20 | * Trolling, insulting/derogatory comments, and personal or political attacks 21 | * Public or private harassment 22 | * Publishing others' private information, such as a physical or electronic address, without explicit permission 23 | * Other conduct which could reasonably be considered inappropriate in a professional setting 24 | 25 | ## Our Responsibilities 26 | 27 | Project maintainers are responsible for clarifying the standards of acceptable behavior and are expected to take appropriate and fair corrective action in response to any instances of unacceptable behavior. 28 | 29 | Project maintainers have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct, or to ban temporarily or permanently any contributor for other behaviors that they deem inappropriate, threatening, offensive, or harmful. 30 | 31 | ## Scope 32 | 33 | This Code of Conduct applies both within project spaces and in public spaces when an individual is representing the project or its community. Examples of representing a project or community include using an official project e-mail address, posting via an official social media account, or acting as an appointed representative at an online or offline event. Representation of a project may be further defined and clarified by project maintainers. 34 | 35 | ## Enforcement 36 | 37 | Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting the project team at cmattoon@cmattoon.com. The project team will review and investigate all complaints, and will respond in a way that it deems appropriate to the circumstances. The project team is obligated to maintain confidentiality with regard to the reporter of an incident. Further details of specific enforcement policies may be posted separately. 38 | 39 | Project maintainers who do not follow or enforce the Code of Conduct in good faith may face temporary or permanent repercussions as determined by other members of the project's leadership. 40 | 41 | ## Attribution 42 | 43 | This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4, available at [http://contributor-covenant.org/version/1/4][version] 44 | 45 | [homepage]: http://contributor-covenant.org 46 | [version]: http://contributor-covenant.org/version/1/4/ 47 | -------------------------------------------------------------------------------- /Dockerfile: -------------------------------------------------------------------------------- 1 | ### 2 | ## Stage I - Build aws-ssm binary 3 | # 4 | FROM library/golang:1.16-alpine 5 | 6 | RUN apk add --update --no-cache git 7 | 8 | WORKDIR /go/src/github.com/cmattoon/aws-ssm 9 | 10 | COPY . . 11 | 12 | RUN go install -v ./... 13 | 14 | ### 15 | ## Stage II - Install aws-iam-authenticator 16 | # 17 | FROM library/alpine:3.14 18 | 19 | WORKDIR /tmp 20 | RUN wget https://amazon-eks.s3.us-west-2.amazonaws.com/1.21.2/2021-07-05/bin/linux/amd64/aws-iam-authenticator 21 | RUN chmod +x aws-iam-authenticator 22 | 23 | 24 | ### 25 | ## Stage III - Add ca-certificates, binaries 26 | # 27 | FROM library/alpine:3.14 28 | 29 | ENV AWS_REGION "" 30 | ENV AWS_ACCESS_KEY "" 31 | ENV AWS_SECRET_KEY "" 32 | ENV METRICS_URL "0.0.0.0:9999" 33 | 34 | # Only required if running outside the cluster 35 | ENV MASTER_URL "" 36 | ENV KUBE_CONFIG "" 37 | 38 | RUN apk add --update ca-certificates 39 | 40 | 41 | COPY --from=1 /tmp/aws-iam-authenticator /bin/aws-iam-authenticator 42 | COPY --from=0 /go/bin/aws-ssm /bin/aws-ssm 43 | 44 | ENTRYPOINT ["/bin/aws-ssm"] 45 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "[]" 182 | replaced with your own identifying information. (Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright [yyyy] [name of copyright owner] 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. 202 | -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- 1 | .DEFAULT_GOAL := help 2 | 3 | .PHONY: 4 | AWS_REGION ?= ap-southeast-2 5 | AWS_ACCESS_KEY ?= 6 | AWS_SECRET_KEY ?= 7 | 8 | RELEASE_NAME ?= aws-ssm 9 | RELEASE_NAMESPACE ?= kube-system 10 | 11 | DOCKER_REPO ?= cmattoon 12 | DOCKER_IMAGE ?= aws-ssm 13 | DOCKER_TAG ?= $(strip $(shell git describe --tags --always --dirty)) 14 | 15 | GIT_REPO ?= $(DOCKER_REPO) 16 | GIT_PROJECT ?= $(DOCKER_IMAGE) 17 | GIT_URL ?= https://github.com/$(GIT_REPO)/$(GIT_PROJECT) 18 | COMMIT ?= $(shell git log -1 --pretty=format:"%h") 19 | 20 | CURRENT_IMAGE = $(DOCKER_REPO)/$(DOCKER_IMAGE):$(DOCKER_TAG) 21 | LATEST_IMAGE = $(DOCKER_REPO)/$(DOCKER_IMAGE):latest 22 | 23 | DOCKERFILE_DIR = . 24 | DOCKERFILE = Dockerfile 25 | 26 | # Output file 27 | AWS_SSM_EXE = build/aws-ssm-$(DOCKER_TAG) 28 | 29 | CHART_DIR ?= $(DOCKER_IMAGE) 30 | RBAC_ENABLED ?= true 31 | HOST_SSL_DIR ?= 32 | ifeq ($(HOST_SSL_DIR),) 33 | MOUNT_SSL=false 34 | else 35 | MOUNT_SSL=true 36 | endif 37 | EXTRA_ARGS ?= 38 | 39 | BUILD_DATE ?= $(shell date +"%Y-%m-%dT%H:%M:%S") 40 | BUILD_FLAGS ?= -v 41 | LDFLAGS ?= -X github.com/cmattoon/aws-ssm/pkg/config.Version=$(DOCKER_TAG) -w -s 42 | 43 | .PHONY: test 44 | test: ## Runs Go tests 45 | ./scripts/go_test.sh 46 | 47 | .PHONY: dgoss 48 | dgoss: ## Runs dgoss container tests 49 | dgoss run $(CURRENT_IMAGE) 50 | 51 | build: ## Build the Go binary 52 | build: $(AWS_SSM_EXE) 53 | $(AWS_SSM_EXE): 54 | go build -o $(AWS_SSM_EXE) $(BUILD_FLAGS) -ldflags "$(LDFLAGS)" 55 | 56 | .PHONY: clean 57 | clean: ## Clean files 58 | clean: 59 | @rm build/* 60 | @find . -name '*~' -delete 61 | 62 | .PHONY: container 63 | container: ## Build the Docker image 64 | container: 65 | docker build \ 66 | --label org.label-schema.schema-version="1.0" \ 67 | --label org.label-schema.name="$(DOCKER_REPO)/$(DOCKER_IMAGE)" \ 68 | --label org.label-schema.description="Updates Kubernetes Secrets with AWS SSM Parameters" \ 69 | --label org.label-schema.vendor="$(DOCKER_REPO)" \ 70 | --label org.label-schema.build-date="$(BUILD_DATE)" \ 71 | --label org.label-schema.vcs-url="$(GIT_URL)" \ 72 | --label org.label-schema.vcs-ref="$(COMMIT)" \ 73 | --label org.label-schema.version="$(COMMIT)" \ 74 | -t $(CURRENT_IMAGE) $(DOCKERFILE_DIR) -f $(DOCKERFILE) 75 | docker tag $(CURRENT_IMAGE) $(LATEST_IMAGE) 76 | 77 | .PHONY: chart 78 | chart: ## Lint chart 79 | chart: 80 | helm lint aws-ssm 81 | 82 | .PHONY: push 83 | push: ## Docker push 84 | push: 85 | docker push $(CURRENT_IMAGE) 86 | 87 | .PHONY: install 88 | install: ## Install Helm Chart 89 | install: 90 | helm upgrade --install $(RELEASE_NAME) \ 91 | --namespace $(RELEASE_NAMESPACE) \ 92 | --set image.tag=$(DOCKER_TAG) \ 93 | --set aws.region=$(AWS_REGION) \ 94 | --set aws.access_key=$(AWS_ACCESS_KEY) \ 95 | --set aws.secret_key=$(AWS_SECRET_KEY) \ 96 | --set rbac.enabled=$(RBAC_ENABLED) \ 97 | --set ssl.mount_host=$(MOUNT_SSL) \ 98 | --set ssl.host_path=$(HOST_SSL_DIR) \ 99 | $(EXTRA_ARGS) $(CHART_DIR) 100 | 101 | .PHONY: purge 102 | purge: ## Purge Helm Chart 103 | purge: 104 | helm del --purge $(RELEASE_NAME) 105 | 106 | .PHONY: help 107 | help: ## Show this message 108 | help: 109 | @grep -E '^[a-zA-Z_-]+:.*?## .*$$' $(MAKEFILE_LIST) | sort | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}' 110 | 111 | .PHONY: login 112 | login: ## Do a docker login 113 | login: 114 | env | grep -i DOCKER | cut -d '=' -f1 115 | # docker login --username "${DOCKER_USER}" --password "${DOCKER_PASSWD} 116 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | cmattoon/aws-ssm 2 | ================ 3 | 4 | [![Build Status](https://travis-ci.org/cmattoon/aws-ssm.svg?branch=master)](https://travis-ci.org/cmattoon/aws-ssm) 5 | ![GitHub tag](https://img.shields.io/github/tag/cmattoon/aws-ssm.svg) 6 | ![Docker Pulls](https://img.shields.io/docker/pulls/cmattoon/aws-ssm.svg) 7 | [![codecov](https://codecov.io/gh/cmattoon/aws-ssm/branch/master/graph/badge.svg)](https://codecov.io/gh/cmattoon/aws-ssm) 8 | [![Go Report Card](https://goreportcard.com/badge/github.com/cmattoon/aws-ssm)](https://goreportcard.com/report/github.com/cmattoon/aws-ssm) 9 | [![Maintainability](https://api.codeclimate.com/v1/badges/764dddb334f5dc9fb986/maintainability)](https://codeclimate.com/github/cmattoon/aws-ssm/maintainability) 10 | 11 | 12 | Updates Kubernetes `Secrets` with values from AWS Parameter Store 13 | 14 | Build Options 15 | ------------- 16 | 17 | * Helm Chart (recommended): `make {lint|install|purge}` 18 | * Go: `make test && make build` 19 | * Docker: `make container` 20 | 21 | 22 | Helm Chart 23 | ---------- 24 | 25 | ### Install Helm Chart 26 | 27 | First, export required variables, then run `make install`. 28 | 29 | export AWS_REGION= 30 | 31 | 32 | ### AWS Credentials 33 | 34 | Uses the [default credential provider chain](https://docs.aws.amazon.com/sdk-for-go/api/aws/credentials/#NewChainCredentials) 35 | 36 | 37 | ### Values 38 | 39 | The following chart values may be set. Only the required variables (AWS credentials) need provided by the user. Most of the time, the other 40 | defaults should work as-is. 41 | 42 | 43 | | Req'd | Value | Default | Example | Description | 44 | |-------|----------------|------------------|-----------------------------|------------------------------------------------------------------| 45 | | YES | aws.region | "" | us-west-2 | The AWS region in which the Pod is deployed | 46 | | NO | aws.access_key | "" | | REQUIRED when no other auth method available (e.g., IAM role) | 47 | | NO | aws.secret_key | "" | | REQUIRED when no other auth method available (e.g., IAM role) | 48 | | NO | kubeconfig64 | "" | | The output of `$(cat $KUBE_CONFIG \| base64)`. Stored as a Secret| 49 | | NO | metrics_port | 9999 | | Serve metrics/healthchecks on this port | 50 | | NO | image.name | cmattoon/aws-ssm | / | The Docker image to use for the Pod container | 51 | | NO | image.tag | latest | | The Docker tag for the image | 52 | | NO | resources | {} | | Kubernetes Resource Requests/Limits | 53 | | NO | rbac.enabled | true | | Whether or not to add Kubernetes RBAC stuff | 54 | | NO | ssl.mount_host | false | | Mounts {ssl.host_path} -> {ssl.mount_path} as hostVolume | 55 | | NO | ssl.host_path | /etc/ssl/certs | | The SSL certs dir on the host | 56 | | NO | ssl.mount_path | /etc/ssl/certs | | The SSL certs dir in the container (dev) | 57 | 58 | 59 | Configuration 60 | ------------- 61 | 62 | The following app config values can be provided via environment variables or CLI flags. 63 | CLI flags take precdence over environment variables. 64 | 65 | A KUBE_CONFIG and MASTER_URL are only necessary when running outside of the cluster (e.g., dev) 66 | 67 | | Environment | Flag | Default | Description | 68 | |-------------|--------------|----------------|----------------------------------| 69 | | AWS_REGION | -region | us-west-2 | The AWS Region | 70 | | METRICS_URL | -metrics-url | 0.0.0.0:9999 | Address for healthchecks/metrics | 71 | | KUBE_CONFIG | -kube-config | | The path to the kube config file | 72 | | MASTER_URL | -master-url | | The Kubernetes master API URL | 73 | | LOG_LEVEL | -log-level | info | The Logrus log level | 74 | 75 | 76 | Basic Usage 77 | ----------- 78 | 1. Create Parameter in AWS Parameter Store 79 | 80 | `my-db-password` = `foobar` 81 | 82 | 2. Create Kubernetes Secret with Annotations 83 | 84 | ``` 85 | apiVersion: v1 86 | kind: Secret 87 | metadata: 88 | name: my-secret 89 | annotations: 90 | aws-ssm/k8s-secret-name: my-secret 91 | aws-ssm/aws-param-name: my-db-password 92 | aws-ssm/aws-param-type: SecureString 93 | data: {} 94 | ``` 95 | 96 | 3. Run Binary 97 | 98 | 4. A key with the name `$ParameterType` should have been added to your Secret 99 | 100 | ``` 101 | apiVersion: v1 102 | kind: Secret 103 | metadata: 104 | name: my-secret 105 | annotations: 106 | aws-ssm/k8s-secret-name: my-secret 107 | aws-ssm/aws-param-name: my-db-password 108 | aws-ssm/aws-param-type: SecureString 109 | data: 110 | SecureString: Zm9vYmFyCg== 111 | ``` 112 | 113 | Annotations 114 | ----------- 115 | 116 | | Annotation | Description | Default | 117 | |----------------------------|--------------------------------------------------------|-----------------| 118 | | `aws-ssm/k8s-secret-name` | The name of the Kubernetes Secret to modify. | `` | 119 | | `aws-ssm/aws-param-name` | The name of the AWS SSM Parameter. May be a path. | `` | 120 | | `aws-ssm/aws-param-type` | Determines how values are parsed, if at all. | `String` | 121 | | `aws-ssm/aws-param-key` | Required if `aws-ssm/aws-param-type` is `SecureString` | `alias/aws/ssm` | 122 | 123 | 124 | ### AWS Parameter Types 125 | 126 | Values for `aws-ssm/aws-param-type` are: 127 | 128 | | Value | Behavior | AWS Value | K8S Value(s) | 129 | |----------------|--------------------------|-----------------------------|-----------------------------------------| 130 | | `String` | No parsing is performed | `foo` = `bar` | `foo: bar` | 131 | | `SecureString` | Requires `aws-param-key` | `foo` = `bar` | `foo: bar` | 132 | | `StringList` | Splits CSV mapping | `foo=bar,bar=baz,baz=bat` | `foo: bar`
`bar: baz`
`baz: bat` | 133 | | `Directory` | Get multiple values | `/path/to/values` | | 134 | 135 | 136 | 137 | Build 138 | ----- 139 | 140 | make # Build binary 141 | make container # Build Docker image 142 | make push # Push Docker image 143 | 144 | 145 | CA Certificates 146 | --------------- 147 | 148 | For ease of use, the `ca-certificates` package is installed on the final `library/alpine` image. If you're having SSL/TLS 149 | connection issues, `export HOST_SSL_DIR=/etc/ssl/certs` before running `make install`. This will mount the SSL cert directory 150 | on the EC2 instance. -------------------------------------------------------------------------------- /aws-ssm/Chart.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | description: Dynamic secret management for Kubernetes 4 | name: aws-ssm 5 | version: 0.1.8 6 | appVersion: 0.1.8 7 | keywords: 8 | - aws 9 | - secret 10 | sources: 11 | - https://github.com:cmattoon/aws-ssm.git 12 | maintainers: 13 | - name: Curtis Mattoon 14 | email: cmattoon@cmattoon.com 15 | url: https://github.com/cmattoon 16 | engine: gotpl 17 | 18 | -------------------------------------------------------------------------------- /aws-ssm/templates/NOTES.txt: -------------------------------------------------------------------------------- 1 | =============================================== 2 | ___ ______ ____ ____ __ __ 3 | / \ \ / / ___| / ___/ ___|| \/ | 4 | / _ \ \ /\ / /\___ \ ____\___ \___ \| |\/| | 5 | / ___ \ V V / ___) |_____|__) |__) | | | | 6 | /_/ \_\_/\_/ |____/ |____/____/|_| | | 7 | {{ .Chart.Version }} 8 | =============================================== 9 | ************************************************ 10 | **** SSL Host Path Deprecation Warning **** 11 | ************************************************ 12 | It looks like you {{ if ne .Values.host_ssl_dir "" }}are{{ else }}are NOT{{ end }} using "host_ssl_dir", 13 | which will be removed soon, in favor of: 14 | 15 | --set ssl.mount_host=true 16 | [--set ssl.host_path=/etc/ssl/certs] 17 | [--set ssl.mount_path=/etc/ssl/certs] 18 | 19 | ************************************************ 20 | 21 | Release : {{ .Release.Namespace }}/{{ .Release.Name }} 22 | Docker Image : {{ .Values.image.name }}:{{ .Values.image.tag }} 23 | AWS Region : {{ if eq .Values.aws.region "" }}- NO REGION DEFINED -{{ else }}{{ .Values.aws.region }}{{ end }} 24 | Master URL : {{ .Values.master_url }} 25 | RBAC Enabled : {{ .Values.rbac.enabled }} 26 | {{ if or (.Values.ssl.mount_host) (ne .Values.host_ssl_dir "") }} 27 | Mounted SSL Certs : {{ .Values.ssl.host_path }}:{{ .Values.ssl.mount_path }} 28 | {{ end }} 29 | 30 | List Pods: 31 | kubectl -n {{ .Release.Namespace }} get pods 32 | 33 | 34 | -------------------------------------------------------------------------------- /aws-ssm/templates/_helpers.tpl: -------------------------------------------------------------------------------- 1 | {{- define "ssm.name" -}} 2 | {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} 3 | {{- end -}} 4 | 5 | {{- define "ssm.fullname" -}} 6 | {{- $name := default .Chart.Name .Values.nameOverride -}} 7 | {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} 8 | {{- end -}} 9 | -------------------------------------------------------------------------------- /aws-ssm/templates/deployment.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: apps/v1 3 | kind: Deployment 4 | metadata: 5 | name: {{ template "ssm.fullname" . }} 6 | labels: 7 | app: {{ template "ssm.name" . }} 8 | app.kubernetes.io/name: {{ template "ssm.name" . }} 9 | app.kubernetes.io/managed-by: {{ .Release.Service }} 10 | app.kubernetes.io/instance: {{ .Release.Name }} 11 | app.kubernetes.io/version: {{ .Chart.AppVersion }} 12 | helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} 13 | chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} 14 | release: {{ .Release.Name }} 15 | heritage: {{ .Release.Service }} 16 | spec: 17 | replicas: 1 18 | strategy: 19 | type: RollingUpdate 20 | rollingUpdate: 21 | maxSurge: 1 22 | maxUnavailable: 0 23 | selector: 24 | matchLabels: 25 | app: {{ template "ssm.name" . }} 26 | release: {{ .Release.Name }} 27 | template: 28 | metadata: 29 | labels: 30 | app: {{ template "ssm.name" . }} 31 | release: {{ .Release.Name }} 32 | {{- with .Values.podAnnotations }} 33 | annotations: 34 | {{ . | toYaml | indent 8 }} 35 | {{- end }} 36 | spec: 37 | {{- if .Values.rbac.enabled }} 38 | serviceAccountName: {{ template "ssm.fullname" . }} 39 | {{- end }} 40 | containers: 41 | - name: {{ .Chart.Name }} 42 | image: {{ .Values.image.name }}:{{ .Values.image.tag }} 43 | ports: 44 | - name: http 45 | containerPort: {{ .Values.metrics_port }} 46 | livenessProbe: 47 | initialDelaySeconds: 30 48 | timeoutSeconds: 3 49 | httpGet: 50 | path: /healthz 51 | port: {{ .Values.metrics_port }} 52 | readinessProbe: 53 | initialDelaySeconds: 15 54 | periodSeconds: 5 55 | httpGet: 56 | path: /healthz 57 | port: {{ .Values.metrics_port }} 58 | {{ if and (ne .Values.aws.secret_key "") (ne .Values.aws.access_key "") -}} 59 | envFrom: 60 | - secretRef: 61 | name: aws-ssm-credentials 62 | {{ end -}} 63 | env: 64 | - name: METRICS_URL 65 | value: 0.0.0.0:{{ .Values.metrics_port }} 66 | 67 | - name: AWS_REGION 68 | value: "{{ .Values.aws.region }}" 69 | {{ if ne .Values.host_ssl_dir "" -}} 70 | volumeMounts: 71 | - mountPath: {{ .Values.ssl.mount_path }} 72 | name: aws-host-ca-certificates 73 | {{ end -}} 74 | resources: 75 | {{ toYaml .Values.resources | indent 12 }} 76 | {{- if .Values.nodeSelector }} 77 | nodeSelector: 78 | {{ toYaml .Values.nodeSelector | indent 8 }} 79 | {{- end }} 80 | {{ if or ( ne .Values.host_ssl_dir "") (.Values.ssl.mount_host) -}} 81 | volumes: 82 | - name: aws-host-ca-certificates 83 | hostPath: 84 | path: {{ .Values.ssl.host_path }} 85 | {{- end }} 86 | -------------------------------------------------------------------------------- /aws-ssm/templates/rbac.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.rbac.enabled }} 2 | --- 3 | apiVersion: v1 4 | kind: ServiceAccount 5 | metadata: 6 | name: {{ template "ssm.fullname" . }} 7 | namespace: {{ .Release.Namespace }} 8 | labels: 9 | app.kubernetes.io/name: {{ template "ssm.name" . }} 10 | app.kubernetes.io/managed-by: {{ .Release.Service }} 11 | app.kubernetes.io/instance: {{ .Release.Name }} 12 | app.kubernetes.io/version: {{ .Chart.AppVersion }} 13 | helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} 14 | {{- with .Values.rbac.annotations }} 15 | annotations: 16 | {{ . | toYaml | indent 2 }} 17 | {{- end }} 18 | --- 19 | apiVersion: rbac.authorization.k8s.io/v1 20 | kind: ClusterRole 21 | metadata: 22 | name: {{ template "ssm.fullname" . }} 23 | namespace: {{ .Release.Namespace }} 24 | labels: 25 | app.kubernetes.io/name: {{ template "ssm.name" . }} 26 | app.kubernetes.io/managed-by: {{ .Release.Service }} 27 | app.kubernetes.io/instance: {{ .Release.Name }} 28 | app.kubernetes.io/version: {{ .Chart.AppVersion }} 29 | helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} 30 | rules: 31 | - apiGroups: 32 | - "" 33 | resources: 34 | - configmaps 35 | - secrets 36 | verbs: 37 | - create 38 | - get 39 | - list 40 | - update 41 | - watch 42 | - apiGroups: 43 | - "" 44 | resources: 45 | - pods 46 | verbs: 47 | - list 48 | - get 49 | --- 50 | apiVersion: rbac.authorization.k8s.io/v1 51 | kind: ClusterRoleBinding 52 | metadata: 53 | name: {{ template "ssm.fullname" . }} 54 | namespace: {{ .Release.Namespace }} 55 | labels: 56 | app.kubernetes.io/name: {{ template "ssm.name" . }} 57 | app.kubernetes.io/managed-by: {{ .Release.Service }} 58 | app.kubernetes.io/instance: {{ .Release.Name }} 59 | app.kubernetes.io/version: {{ .Chart.AppVersion }} 60 | helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} 61 | subjects: 62 | - name: {{ template "ssm.fullname" . }} 63 | namespace: {{ .Release.Namespace }} 64 | kind: ServiceAccount 65 | roleRef: 66 | name: {{ template "ssm.fullname" . }} 67 | kind: ClusterRole 68 | apiGroup: rbac.authorization.k8s.io 69 | {{- end }} 70 | -------------------------------------------------------------------------------- /aws-ssm/templates/secret.yaml: -------------------------------------------------------------------------------- 1 | {{ if and (ne .Values.aws.secret_key "") (ne .Values.aws.access_key "") -}} 2 | --- 3 | apiVersion: v1 4 | kind: Secret 5 | metadata: 6 | name: aws-ssm-credentials 7 | labels: 8 | app.kubernetes.io/name: {{ template "ssm.name" . }} 9 | app.kubernetes.io/managed-by: {{ .Release.Service }} 10 | app.kubernetes.io/instance: {{ .Release.Name }} 11 | app.kubernetes.io/version: {{ .Chart.AppVersion }} 12 | helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} 13 | type: Opaque 14 | data: 15 | AWS_ACCESS_KEY: "{{ .Values.aws.access_key | b64enc }}" 16 | AWS_SECRET_KEY: "{{ .Values.aws.secret_key | b64enc }}" 17 | {{ end -}} 18 | -------------------------------------------------------------------------------- /aws-ssm/values.yaml: -------------------------------------------------------------------------------- 1 | ## AWS Settings 2 | aws: 3 | # AWS Region ('us-west-2') 4 | region: "" 5 | # AWS_SECRET_ACCESS_KEY_ID 6 | access_key: "" 7 | # AWS_SECRET_ACCESS_KEY 8 | secret_key: "" 9 | 10 | # Docker Image to use 11 | image: 12 | name: cmattoon/aws-ssm 13 | tag: v0.1.7 14 | 15 | ## RBAC 16 | rbac: 17 | enabled: true 18 | 19 | # Deprecated: host_ssl_dir. Use ssl.mount_host (below) 20 | host_ssl_dir: "" 21 | 22 | ## SSL Certs 23 | ssl: 24 | # If ssl.mount_host is true, SSL certs will be mounted from a hostVolume 25 | mount_host: false 26 | mount_path: /etc/ssl/certs 27 | host_path: /etc/ssl/certs 28 | 29 | ## Kubernetes Master API URL 30 | master_url: "" 31 | 32 | # Healthcheck port 33 | metrics_port: 9999 34 | 35 | # Pod Annotations 36 | podAnnotations: {} 37 | 38 | # Pod Resources 39 | resources: {} 40 | -------------------------------------------------------------------------------- /docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: "3" 2 | services: 3 | aws_ssm: 4 | image: cmattoon/aws-ssm:latest 5 | build: 6 | context: . 7 | volumes: 8 | - /path/to/.kube:/.kube 9 | ports: 10 | - "9999:9999" 11 | environment: 12 | KUBE_CONFIG: "/.kube/config" 13 | AWS_REGION: "" 14 | AWS_ACCESS_KEY: "" 15 | AWS_SECRET_KEY: "" 16 | MASTER_URL: "" 17 | -------------------------------------------------------------------------------- /environment.yaml: -------------------------------------------------------------------------------- 1 | kms: 2 | key: "alias/aws/ssm" 3 | -------------------------------------------------------------------------------- /examples/01-single-value.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # aws ssm put-parameter --name my-password --type String --value FooBar 3 | apiVersion: v1 4 | kind: Secret 5 | metadata: 6 | name: my-singlevalue-secret 7 | annotations: 8 | aws-ssm/aws-param-name: my-password 9 | aws-ssm/aws-param-type: String 10 | data: {} 11 | # String: Rm9vQmFy 12 | -------------------------------------------------------------------------------- /examples/02-securestring.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # aws ssm put-parameter --name SUPER_SECRET_KEY --type SecureString --value FooBar [--key-id=] 3 | apiVersion: v1 4 | kind: Secret 5 | metadata: 6 | name: my-app-secrets 7 | annotations: 8 | aws-ssm/aws-param-name: SUPER_SECRET_KEY 9 | aws-ssm/aws-param-type: SecureString 10 | # aws-ssm/aws-param-key: alias/aws/ssm 11 | data: {} 12 | # SecureString: Rm9vQmFy 13 | -------------------------------------------------------------------------------- /examples/03-stringlist.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # aws ssm put-parameter --name my-param-list --type StringList --value "srv0=10.0.0.10,srv1=10.0.0.11,srv2=10.0.0.12" 3 | apiVersion: v1 4 | kind: Secret 5 | metadata: 6 | name: my-param-list 7 | annotations: 8 | aws-ssm/aws-param-name: my-param-list 9 | aws-ssm/aws-param-type: StringList 10 | data: {} 11 | # StringList: c3J2MD0xMC4wLjAuMTAsc3J2MT0xMC4wLjAuMTEsc3J2Mj0xMC4wLjAuMTI= 12 | # srv0: MTAuMC4wLjEw 13 | # srv1: MTAuMC4wLjEx 14 | # srv2: MTAuMC4wLjEy 15 | 16 | -------------------------------------------------------------------------------- /examples/04-directory.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # aws ssm put-parameter --name /dev/db/user --type String --value root 3 | # aws ssm put-parameter --name /dev/db/host --type String --value 10.0.1.10 4 | # aws ssm put-parameter --name /dev/db/pass --type String --value password123 5 | # aws ssm put-parameter --name /dev/db/foo/bar --type String --value bar123 6 | # aws ssm put-parameter --name /dev/db/foo/baz --type String --value baz456 7 | # aws ssm put-parameter --name /dev/db/foo/bat --type String --value bat789 8 | apiVersion: v1 9 | kind: Secret 10 | metadata: 11 | name: my-directory-secret 12 | annotations: 13 | aws-ssm/aws-param-name: /dev/db 14 | aws-ssm/aws-param-type: Directory 15 | data: {} 16 | # bar: YmFyMTIz 17 | # bat: YmF0Nzg5 18 | # baz: YmF6NDU2 19 | # host: MTAuMC4xLjEw 20 | # pass: cGFzc3dvcmQxMjM= 21 | # user: cm9vdA== 22 | -------------------------------------------------------------------------------- /go.mod: -------------------------------------------------------------------------------- 1 | module github.com/cmattoon/aws-ssm 2 | 3 | go 1.16 4 | 5 | require ( 6 | github.com/aws/aws-sdk-go v1.40.37 7 | github.com/imdario/mergo v0.3.8 // indirect 8 | github.com/sirupsen/logrus v1.8.1 9 | github.com/stretchr/testify v1.7.0 10 | k8s.io/api v0.22.1 11 | k8s.io/apimachinery v0.22.1 12 | k8s.io/client-go v0.22.1 13 | ) 14 | -------------------------------------------------------------------------------- /go.sum: -------------------------------------------------------------------------------- 1 | cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= 2 | cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= 3 | cloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSRU= 4 | cloud.google.com/go v0.44.1/go.mod h1:iSa0KzasP4Uvy3f1mN/7PiObzGgflwredwwASm/v6AU= 5 | cloud.google.com/go v0.44.2/go.mod h1:60680Gw3Yr4ikxnPRS/oxxkBccT6SA1yMk63TGekxKY= 6 | cloud.google.com/go v0.45.1/go.mod h1:RpBamKRgapWJb87xiFSdk4g1CME7QZg3uwTez+TSTjc= 7 | cloud.google.com/go v0.46.3/go.mod h1:a6bKKbmY7er1mI7TEI4lsAkts/mkhTSZK8w33B4RAg0= 8 | cloud.google.com/go v0.50.0/go.mod h1:r9sluTvynVuxRIOHXQEHMFffphuXHOMZMycpNR5e6To= 9 | cloud.google.com/go v0.52.0/go.mod h1:pXajvRH/6o3+F9jDHZWQ5PbGhn+o8w9qiu/CffaVdO4= 10 | cloud.google.com/go v0.53.0/go.mod h1:fp/UouUEsRkN6ryDKNW/Upv/JBKnv6WDthjR6+vze6M= 11 | cloud.google.com/go v0.54.0/go.mod h1:1rq2OEkV3YMf6n/9ZvGWI3GWw0VoqH/1x2nd8Is/bPc= 12 | cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o= 13 | cloud.google.com/go/bigquery v1.3.0/go.mod h1:PjpwJnslEMmckchkHFfq+HTD2DmtT67aNFKH1/VBDHE= 14 | cloud.google.com/go/bigquery v1.4.0/go.mod h1:S8dzgnTigyfTmLBfrtrhyYhwRxG72rYxvftPBK2Dvzc= 15 | cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE= 16 | cloud.google.com/go/datastore v1.1.0/go.mod h1:umbIZjpQpHh4hmRpGhH4tLFup+FVzqBi1b3c64qFpCk= 17 | cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I= 18 | cloud.google.com/go/pubsub v1.1.0/go.mod h1:EwwdRX2sKPjnvnqCa270oGRyludottCI76h+R3AArQw= 19 | cloud.google.com/go/pubsub v1.2.0/go.mod h1:jhfEVHT8odbXTkndysNHCcx0awwzvfOlguIAii9o8iA= 20 | cloud.google.com/go/storage v1.0.0/go.mod h1:IhtSnM/ZTZV8YYJWCY8RULGVqBDmpoyjwiyrjsg+URw= 21 | cloud.google.com/go/storage v1.5.0/go.mod h1:tpKbwo567HUNpVclU5sGELwQWBDZ8gh0ZeosJ0Rtdos= 22 | cloud.google.com/go/storage v1.6.0/go.mod h1:N7U0C8pVQ/+NIKOBQyamJIeKQKkZ+mxpohlUTyfDhBk= 23 | dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU= 24 | github.com/Azure/go-autorest v14.2.0+incompatible/go.mod h1:r+4oMnoxhatjLLJ6zxSWATqVooLgysK6ZNox3g/xq24= 25 | github.com/Azure/go-autorest/autorest v0.11.18/go.mod h1:dSiJPy22c3u0OtOKDNttNgqpNFY/GeWa7GH/Pz56QRA= 26 | github.com/Azure/go-autorest/autorest/adal v0.9.13/go.mod h1:W/MM4U6nLxnIskrw4UwWzlHfGjwUS50aOsc/I3yuU8M= 27 | github.com/Azure/go-autorest/autorest/date v0.3.0/go.mod h1:BI0uouVdmngYNUzGWeSYnokU+TrmwEsOqdt8Y6sso74= 28 | github.com/Azure/go-autorest/autorest/mocks v0.4.1/go.mod h1:LTp+uSrOhSkaKrUy935gNZuuIPPVsHlr9DSOxSayd+k= 29 | github.com/Azure/go-autorest/logger v0.2.1/go.mod h1:T9E3cAhj2VqvPOtCYAvby9aBXkZmbF5NWuPV8+WeEW8= 30 | github.com/Azure/go-autorest/tracing v0.6.0/go.mod h1:+vhtPC754Xsa23ID7GlGsrdKBpUA79WCAKPPZVC2DeU= 31 | github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= 32 | github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= 33 | github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ= 34 | github.com/PuerkitoBio/purell v1.1.1/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0= 35 | github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE= 36 | github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY= 37 | github.com/aws/aws-sdk-go v1.40.37 h1:I+Q6cLctkFyMMrKukcDnj+i2kjrQ37LGiOM6xmsxC48= 38 | github.com/aws/aws-sdk-go v1.40.37/go.mod h1:585smgzpB/KqRA+K3y/NL/oYRqQvpNJYvLm+LY1U59Q= 39 | github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= 40 | github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI= 41 | github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI= 42 | github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU= 43 | github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= 44 | github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= 45 | github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= 46 | github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= 47 | github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= 48 | github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE= 49 | github.com/elazarl/goproxy v0.0.0-20180725130230-947c36da3153/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc= 50 | github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs= 51 | github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= 52 | github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= 53 | github.com/evanphx/json-patch v4.11.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= 54 | github.com/form3tech-oss/jwt-go v3.2.2+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k= 55 | github.com/form3tech-oss/jwt-go v3.2.3+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k= 56 | github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo= 57 | github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ= 58 | github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU= 59 | github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= 60 | github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= 61 | github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas= 62 | github.com/go-logr/logr v0.4.0 h1:K7/B1jt6fIBQVd4Owv2MqGQClcgf0R266+7C/QjRcLc= 63 | github.com/go-logr/logr v0.4.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU= 64 | github.com/go-openapi/jsonpointer v0.19.3/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg= 65 | github.com/go-openapi/jsonreference v0.19.3/go.mod h1:rjx6GuL8TTa9VaixXglHmQmIL98+wF9xc8zWvFonSJ8= 66 | github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk= 67 | github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= 68 | github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= 69 | github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= 70 | github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= 71 | github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= 72 | github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= 73 | github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= 74 | github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= 75 | github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= 76 | github.com/golang/mock v1.3.1/go.mod h1:sBzyDLLjw3U8JLTeZvSv8jJB+tU5PVekmnlKIyFUx0Y= 77 | github.com/golang/mock v1.4.0/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw= 78 | github.com/golang/mock v1.4.1/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw= 79 | github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= 80 | github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= 81 | github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= 82 | github.com/golang/protobuf v1.3.3/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw= 83 | github.com/golang/protobuf v1.3.4/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw= 84 | github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8= 85 | github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA= 86 | github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs= 87 | github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w= 88 | github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0= 89 | github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8= 90 | github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= 91 | github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk= 92 | github.com/golang/protobuf v1.5.2 h1:ROPKBNFfQgOUMifHyP+KYbvpjbdoFNs+aK7DXlji0Tw= 93 | github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= 94 | github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= 95 | github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= 96 | github.com/google/btree v1.0.1/go.mod h1:xXMiIv4Fb/0kKde4SpL7qlzvu5cMJDRkFDxJfI9uaxA= 97 | github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= 98 | github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= 99 | github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= 100 | github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= 101 | github.com/google/go-cmp v0.5.5 h1:Khx7svrCpmxxtHBq5j2mp/xVjsi8hQMfNLvJFAlrGgU= 102 | github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= 103 | github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= 104 | github.com/google/gofuzz v1.1.0 h1:Hsa8mG0dQ46ij8Sl2AYJDUv1oA9/d6Vk+3LG99Oe02g= 105 | github.com/google/gofuzz v1.1.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= 106 | github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs= 107 | github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= 108 | github.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= 109 | github.com/google/pprof v0.0.0-20191218002539-d4f498aebedc/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= 110 | github.com/google/pprof v0.0.0-20200212024743-f11f1df84d12/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= 111 | github.com/google/pprof v0.0.0-20200229191704-1ebb73c60ed3/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= 112 | github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI= 113 | github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= 114 | github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= 115 | github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg= 116 | github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk= 117 | github.com/googleapis/gnostic v0.5.1/go.mod h1:6U4PtQXGIEt/Z3h5MAT7FNofLnw9vXk2cUuW7uA/OeU= 118 | github.com/googleapis/gnostic v0.5.5 h1:9fHAtK0uDfpveeqqo1hkEZJcFvYXAiCN3UutL8F9xHw= 119 | github.com/googleapis/gnostic v0.5.5/go.mod h1:7+EbHbldMins07ALC74bsA81Ovc97DwqyJO1AENw9kA= 120 | github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE= 121 | github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA= 122 | github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= 123 | github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= 124 | github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU= 125 | github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= 126 | github.com/imdario/mergo v0.3.5/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA= 127 | github.com/imdario/mergo v0.3.8 h1:CGgOkSJeqMRmt0D9XLWExdT4m4F1vd3FV3VPt+0VxkQ= 128 | github.com/imdario/mergo v0.3.8/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA= 129 | github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg= 130 | github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo= 131 | github.com/jmespath/go-jmespath/internal/testify v1.5.1 h1:shLQSRRSCCPj3f2gpwzGwWFoC7ycTf1rcQZHOlsJ6N8= 132 | github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U= 133 | github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU= 134 | github.com/json-iterator/go v1.1.11 h1:uVUAXhF2To8cbw/3xN3pxj6kk7TYKs98NIrTqPlMWAQ= 135 | github.com/json-iterator/go v1.1.11/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= 136 | github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU= 137 | github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk= 138 | github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= 139 | github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= 140 | github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= 141 | github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= 142 | github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= 143 | github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= 144 | github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= 145 | github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= 146 | github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= 147 | github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= 148 | github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y= 149 | github.com/moby/spdystream v0.2.0/go.mod h1:f7i0iNDQJ059oMTcWxx8MA/zKFIuD/lY+0GqbN2Wy8c= 150 | github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= 151 | github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg= 152 | github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= 153 | github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= 154 | github.com/modern-go/reflect2 v1.0.1 h1:9f412s+6RmYXLWZSEzVVgPGK7C2PphHj5RJrvfx9AWI= 155 | github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= 156 | github.com/munnerz/goautoneg v0.0.0-20120707110453-a547fc61f48d/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= 157 | github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw= 158 | github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e h1:fD57ERR4JtEqsWbfPhv4DMiApHyliiK5xCTNVSPiaAs= 159 | github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno= 160 | github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A= 161 | github.com/onsi/ginkgo v0.0.0-20170829012221-11459a886d9c/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= 162 | github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= 163 | github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108oapk= 164 | github.com/onsi/ginkgo v1.14.0/go.mod h1:iSB4RoI2tjJc9BBv4NKIKWKya62Rps+oPG/Lv9klQyY= 165 | github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA= 166 | github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY= 167 | github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo= 168 | github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU= 169 | github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= 170 | github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= 171 | github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= 172 | github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= 173 | github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= 174 | github.com/sirupsen/logrus v1.8.1 h1:dJKuHgqk1NNQlqoA6BTlM1Wf9DOH3NBjQyu0h9+AZZE= 175 | github.com/sirupsen/logrus v1.8.1/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0= 176 | github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk= 177 | github.com/spf13/pflag v0.0.0-20170130214245-9ff6c6923cff/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= 178 | github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= 179 | github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= 180 | github.com/stoewer/go-strcase v1.2.0/go.mod h1:IBiWB2sKIp3wVVQ3Y035++gc+knqhUQag1KpM8ahLw8= 181 | github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= 182 | github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= 183 | github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= 184 | github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= 185 | github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA= 186 | github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY= 187 | github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= 188 | github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= 189 | github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= 190 | go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU= 191 | go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8= 192 | go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= 193 | go.opencensus.io v0.22.3/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= 194 | golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= 195 | golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= 196 | golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= 197 | golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= 198 | golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= 199 | golang.org/x/crypto v0.0.0-20201002170205-7f63de1d35b0/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= 200 | golang.org/x/crypto v0.0.0-20210220033148-5ea612d1eb83/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I= 201 | golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= 202 | golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= 203 | golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= 204 | golang.org/x/exp v0.0.0-20190829153037-c13cbed26979/go.mod h1:86+5VVa7VpoJ4kLfm080zCjGlMRFzhUhsZKEZO7MGek= 205 | golang.org/x/exp v0.0.0-20191030013958-a1ab85dbe136/go.mod h1:JXzH8nQsPlswgeRAPE3MuO9GYsAcnJvJ4vnMwN/5qkY= 206 | golang.org/x/exp v0.0.0-20191129062945-2f5052295587/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4= 207 | golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4= 208 | golang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4= 209 | golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM= 210 | golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU= 211 | golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js= 212 | golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0= 213 | golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= 214 | golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU= 215 | golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= 216 | golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= 217 | golang.org/x/lint v0.0.0-20190409202823-959b441ac422/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= 218 | golang.org/x/lint v0.0.0-20190909230951-414d861bb4ac/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= 219 | golang.org/x/lint v0.0.0-20190930215403-16217165b5de/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= 220 | golang.org/x/lint v0.0.0-20191125180803-fdd1cda4f05f/go.mod h1:5qLYkcX4OjUUV8bRuDixDT3tpyyb+LUpUlRWLxfhWrs= 221 | golang.org/x/lint v0.0.0-20200130185559-910be7a94367/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= 222 | golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= 223 | golang.org/x/mobile v0.0.0-20190312151609-d3739f865fa6/go.mod h1:z+o9i4GpDbdi3rU15maQ/Ox0txvL9dWGYEHz965HBQE= 224 | golang.org/x/mobile v0.0.0-20190719004257-d2bd2a29d028/go.mod h1:E/iHnbuqvinMTCcRqshq8CkpyQDoeVncDDYHnLhea+o= 225 | golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKGUJ2LatrhH/nqhxcFungHvyanc= 226 | golang.org/x/mod v0.1.0/go.mod h1:0QHyrYULN0/3qlju5TqG8bIK38QM8yzMo5ekMj3DlcY= 227 | golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg= 228 | golang.org/x/mod v0.1.1-0.20191107180719-034126e5016b/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg= 229 | golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= 230 | golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= 231 | golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= 232 | golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= 233 | golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= 234 | golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= 235 | golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= 236 | golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= 237 | golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= 238 | golang.org/x/net v0.0.0-20190501004415-9ce7a6920f09/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= 239 | golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= 240 | golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks= 241 | golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= 242 | golang.org/x/net v0.0.0-20190724013045-ca1201d0de80/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= 243 | golang.org/x/net v0.0.0-20190827160401-ba9fcec4b297/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= 244 | golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= 245 | golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= 246 | golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= 247 | golang.org/x/net v0.0.0-20200222125558-5a598a2470a0/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= 248 | golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= 249 | golang.org/x/net v0.0.0-20200301022130-244492dfa37a/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= 250 | golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= 251 | golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= 252 | golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= 253 | golang.org/x/net v0.0.0-20210520170846-37e1c6afe023/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= 254 | golang.org/x/net v0.0.0-20210614182718-04defd469f4e h1:XpT3nA5TvE525Ne3hInMh6+GETgn27Zfm9dxsThnX2Q= 255 | golang.org/x/net v0.0.0-20210614182718-04defd469f4e/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= 256 | golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= 257 | golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= 258 | golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= 259 | golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= 260 | golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d h1:TzXSXBo42m9gQenoE3b9BGiEpg5IG2JkU5FkPIawgtw= 261 | golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= 262 | golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 263 | golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 264 | golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 265 | golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 266 | golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 267 | golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 268 | golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 269 | golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= 270 | golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= 271 | golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= 272 | golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 273 | golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 274 | golang.org/x/sys v0.0.0-20190502145724-3ef323f4f1fd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 275 | golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 276 | golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 277 | golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 278 | golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 279 | golang.org/x/sys v0.0.0-20190904154756-749cb33beabd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 280 | golang.org/x/sys v0.0.0-20191001151750-bb3f8db39f24/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 281 | golang.org/x/sys v0.0.0-20191005200804-aed5e4c7ecf9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 282 | golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 283 | golang.org/x/sys v0.0.0-20191120155948-bd437916bb0e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 284 | golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 285 | golang.org/x/sys v0.0.0-20191228213918-04cbcbbfeed8/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 286 | golang.org/x/sys v0.0.0-20200113162924-86b910548bc1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 287 | golang.org/x/sys v0.0.0-20200122134326-e047566fdf82/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 288 | golang.org/x/sys v0.0.0-20200202164722-d101bd2416d5/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 289 | golang.org/x/sys v0.0.0-20200212091648-12a6c2dcc1e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 290 | golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 291 | golang.org/x/sys v0.0.0-20200302150141-5c8b2ff67527/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 292 | golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 293 | golang.org/x/sys v0.0.0-20200519105757-fe76b779f299/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 294 | golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 295 | golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 296 | golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 297 | golang.org/x/sys v0.0.0-20210616094352-59db8d763f22 h1:RqytpXGR1iVNX7psjB3ff8y7sNFinVFvkx1c8SjBkio= 298 | golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 299 | golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw= 300 | golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= 301 | golang.org/x/term v0.0.0-20210220032956-6a3ed077a48d h1:SZxvLBoTP5yHO3Frd4z4vrF+DBX9vMVanchswa69toE= 302 | golang.org/x/term v0.0.0-20210220032956-6a3ed077a48d/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= 303 | golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= 304 | golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= 305 | golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= 306 | golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= 307 | golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= 308 | golang.org/x/text v0.3.6 h1:aRYxNxv6iGQlyVaZmk6ZgYEDa+Jg18DxebPSrd6bg1M= 309 | golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= 310 | golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= 311 | golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= 312 | golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= 313 | golang.org/x/time v0.0.0-20210723032227-1f47c861a9ac h1:7zkz7BUtwNFFqcowJ+RIgu2MaV/MapERkDIy+mwPyjs= 314 | golang.org/x/time v0.0.0-20210723032227-1f47c861a9ac/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= 315 | golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= 316 | golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= 317 | golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY= 318 | golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= 319 | golang.org/x/tools v0.0.0-20190312151545-0bb0c0a6e846/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= 320 | golang.org/x/tools v0.0.0-20190312170243-e65039ee4138/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= 321 | golang.org/x/tools v0.0.0-20190425150028-36563e24a262/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= 322 | golang.org/x/tools v0.0.0-20190506145303-2d16b83fe98c/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= 323 | golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= 324 | golang.org/x/tools v0.0.0-20190606124116-d0a3d012864b/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= 325 | golang.org/x/tools v0.0.0-20190621195816-6e04913cbbac/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= 326 | golang.org/x/tools v0.0.0-20190628153133-6cdbf07be9d0/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= 327 | golang.org/x/tools v0.0.0-20190816200558-6889da9d5479/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= 328 | golang.org/x/tools v0.0.0-20190911174233-4f2ddba30aff/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= 329 | golang.org/x/tools v0.0.0-20191012152004-8de300cfc20a/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= 330 | golang.org/x/tools v0.0.0-20191113191852-77e3bb0ad9e7/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= 331 | golang.org/x/tools v0.0.0-20191115202509-3a792d9c32b2/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= 332 | golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= 333 | golang.org/x/tools v0.0.0-20191125144606-a911d9008d1f/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= 334 | golang.org/x/tools v0.0.0-20191130070609-6e064ea0cf2d/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= 335 | golang.org/x/tools v0.0.0-20191216173652-a0e659d51361/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= 336 | golang.org/x/tools v0.0.0-20191227053925-7b8e75db28f4/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= 337 | golang.org/x/tools v0.0.0-20200117161641-43d50277825c/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= 338 | golang.org/x/tools v0.0.0-20200122220014-bf1340f18c4a/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= 339 | golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= 340 | golang.org/x/tools v0.0.0-20200204074204-1cc6d1ef6c74/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= 341 | golang.org/x/tools v0.0.0-20200207183749-b753a1ba74fa/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= 342 | golang.org/x/tools v0.0.0-20200212150539-ea181f53ac56/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= 343 | golang.org/x/tools v0.0.0-20200224181240-023911ca70b2/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= 344 | golang.org/x/tools v0.0.0-20200304193943-95d2e580d8eb/go.mod h1:o4KQGtdN14AW+yjsvvwRTJJuXz8XRtIHtEnmAXLyFUw= 345 | golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= 346 | golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= 347 | golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 348 | golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 349 | golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 350 | golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 h1:go1bK/D/BFZV2I8cIQd1NKEZ+0owSTG1fDTci4IqFcE= 351 | golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 352 | google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE= 353 | google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M= 354 | google.golang.org/api v0.8.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg= 355 | google.golang.org/api v0.9.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg= 356 | google.golang.org/api v0.13.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI= 357 | google.golang.org/api v0.14.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI= 358 | google.golang.org/api v0.15.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI= 359 | google.golang.org/api v0.17.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= 360 | google.golang.org/api v0.18.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= 361 | google.golang.org/api v0.20.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= 362 | google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= 363 | google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= 364 | google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= 365 | google.golang.org/appengine v1.6.1/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww/cMBSeb0= 366 | google.golang.org/appengine v1.6.5 h1:tycE03LOZYQNhDpS27tcQdAzLCVMaj7QT2SXxebnpCM= 367 | google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= 368 | google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= 369 | google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= 370 | google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= 371 | google.golang.org/genproto v0.0.0-20190425155659-357c62f0e4bb/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= 372 | google.golang.org/genproto v0.0.0-20190502173448-54afdca5d873/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= 373 | google.golang.org/genproto v0.0.0-20190801165951-fa694d86fc64/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= 374 | google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= 375 | google.golang.org/genproto v0.0.0-20190911173649-1774047e7e51/go.mod h1:IbNlFCBrqXvoKpeg0TB2l7cyZUmoaFKYIwrEpbDKLA8= 376 | google.golang.org/genproto v0.0.0-20191108220845-16a3f7862a1a/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= 377 | google.golang.org/genproto v0.0.0-20191115194625-c23dd37a84c9/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= 378 | google.golang.org/genproto v0.0.0-20191216164720-4f79533eabd1/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= 379 | google.golang.org/genproto v0.0.0-20191230161307-f3c370f40bfb/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= 380 | google.golang.org/genproto v0.0.0-20200115191322-ca5a22157cba/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= 381 | google.golang.org/genproto v0.0.0-20200122232147-0452cf42e150/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= 382 | google.golang.org/genproto v0.0.0-20200204135345-fa8e72b47b90/go.mod h1:GmwEX6Z4W5gMy59cAlVYjN9JhxgbQH6Gn+gFDQe2lzA= 383 | google.golang.org/genproto v0.0.0-20200212174721-66ed5ce911ce/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= 384 | google.golang.org/genproto v0.0.0-20200224152610-e50cd9704f63/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= 385 | google.golang.org/genproto v0.0.0-20200305110556-506484158171/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= 386 | google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo= 387 | google.golang.org/genproto v0.0.0-20201019141844-1ed22bb0c154/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= 388 | google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= 389 | google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38= 390 | google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM= 391 | google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= 392 | google.golang.org/grpc v1.26.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= 393 | google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= 394 | google.golang.org/grpc v1.27.1/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= 395 | google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= 396 | google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= 397 | google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= 398 | google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE= 399 | google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo= 400 | google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= 401 | google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= 402 | google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= 403 | google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGjtUeSXeh4= 404 | google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= 405 | google.golang.org/protobuf v1.26.0 h1:bxAC2xTBsZGibn2RTntX0oH50xLsqy1OxA9tTL3p/lk= 406 | google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= 407 | gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= 408 | gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= 409 | gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= 410 | gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f h1:BLraFXnmrev5lT+xlilqcH8XK9/i0At2xKjWk4p6zsU= 411 | gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= 412 | gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI= 413 | gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys= 414 | gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc= 415 | gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= 416 | gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw= 417 | gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= 418 | gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= 419 | gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= 420 | gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= 421 | gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= 422 | gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= 423 | gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= 424 | gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= 425 | gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= 426 | gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b h1:h8qDotaEPuJATrMmW04NCwg7v22aHH28wwpauUhK9Oo= 427 | gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= 428 | honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= 429 | honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= 430 | honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= 431 | honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= 432 | honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg= 433 | honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= 434 | k8s.io/api v0.22.1 h1:ISu3tD/jRhYfSW8jI/Q1e+lRxkR7w9UwQEZ7FgslrwY= 435 | k8s.io/api v0.22.1/go.mod h1:bh13rkTp3F1XEaLGykbyRD2QaTTzPm0e/BMd8ptFONY= 436 | k8s.io/apimachinery v0.22.1 h1:DTARnyzmdHMz7bFWFDDm22AM4pLWTQECMpRTFu2d2OM= 437 | k8s.io/apimachinery v0.22.1/go.mod h1:O3oNtNadZdeOMxHFVxOreoznohCpy0z6mocxbZr7oJ0= 438 | k8s.io/client-go v0.22.1 h1:jW0ZSHi8wW260FvcXHkIa0NLxFBQszTlhiAVsU5mopw= 439 | k8s.io/client-go v0.22.1/go.mod h1:BquC5A4UOo4qVDUtoc04/+Nxp1MeHcVc1HJm1KmG8kk= 440 | k8s.io/gengo v0.0.0-20200413195148-3a45101e95ac/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0= 441 | k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE= 442 | k8s.io/klog/v2 v2.9.0 h1:D7HV+n1V57XeZ0m6tdRkfknthUaM06VFbWldOFh8kzM= 443 | k8s.io/klog/v2 v2.9.0/go.mod h1:hy9LJ/NvuK+iVyP4Ehqva4HxZG/oXyIS3n3Jmire4Ec= 444 | k8s.io/kube-openapi v0.0.0-20210421082810-95288971da7e/go.mod h1:vHXdDvt9+2spS2Rx9ql3I8tycm3H9FDfdUoIuKCefvw= 445 | k8s.io/utils v0.0.0-20210707171843-4b05e18ac7d9 h1:imL9YgXQ9p7xmPzHFm/vVd/cF78jad+n4wK1ABwYtMM= 446 | k8s.io/utils v0.0.0-20210707171843-4b05e18ac7d9/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= 447 | rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= 448 | rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0= 449 | rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA= 450 | sigs.k8s.io/structured-merge-diff/v4 v4.0.2/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw= 451 | sigs.k8s.io/structured-merge-diff/v4 v4.1.2 h1:Hr/htKFmJEbtMgS/UD0N+gtgctAqz81t3nu+sPzynno= 452 | sigs.k8s.io/structured-merge-diff/v4 v4.1.2/go.mod h1:j/nl6xW8vLS49O8YvXW1ocPhZawJtm+Yrr7PPRQ0Vg4= 453 | sigs.k8s.io/yaml v1.2.0 h1:kr/MCeFWJWTwyaHoR9c8EjH9OumOmoF9YGiZd7lFm/Q= 454 | sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc= 455 | -------------------------------------------------------------------------------- /main.go: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2018 Curtis Mattoon 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | package main 17 | 18 | import ( 19 | "net/http" 20 | "os" 21 | "os/signal" 22 | "syscall" 23 | 24 | log "github.com/sirupsen/logrus" 25 | 26 | "github.com/cmattoon/aws-ssm/pkg/config" 27 | "github.com/cmattoon/aws-ssm/pkg/controller" 28 | ) 29 | 30 | func main() { 31 | cfg := config.DefaultConfig() 32 | if err := cfg.ParseFlags(); err != nil { 33 | log.Fatalf("Error parsing flags: %v", err) 34 | } 35 | log.Infof("Using config: %+v", cfg) 36 | 37 | stopChan := make(chan struct{}, 1) 38 | 39 | go doMetrics(cfg.MetricsListenAddress) 40 | go handleSigterm(stopChan) 41 | 42 | ctrl := controller.NewController(cfg) 43 | 44 | if cfg.EnableWatcher { 45 | go ctrl.Watch(stopChan) 46 | } 47 | ctrl.Run(stopChan) 48 | } 49 | 50 | func handleSigterm(stopChan chan struct{}) { 51 | signals := make(chan os.Signal, 1) 52 | signal.Notify(signals, syscall.SIGTERM) 53 | <-signals 54 | log.Info("Received SIGTERM. Terminating") 55 | close(stopChan) 56 | } 57 | 58 | func doMetrics(address string) { 59 | http.HandleFunc("/healthz", func(w http.ResponseWriter, _ *http.Request) { 60 | w.WriteHeader(http.StatusOK) 61 | w.Write([]byte("OK")) 62 | }) 63 | log.Fatal(http.ListenAndServe(address, nil)) 64 | } 65 | -------------------------------------------------------------------------------- /multi-secret.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Secret 3 | metadata: 4 | name: multi-secret 5 | annotations: 6 | alpha.ssm.cmattoon.com/aws-param-type: Directory 7 | alpha.ssm.cmattoon.com/aws-param-name: /path/to/test 8 | alpha.ssm.cmattoon.com/aws-param-key: alias/aws/ssm 9 | -------------------------------------------------------------------------------- /pkg/annotations/annotations.go: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2018 Curtis Mattoon 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | package annotations 17 | 18 | const ( 19 | K8SSecretName = "alpha.ssm.cmattoon.com/k8s-secret-name" 20 | K8SSecretType = "alpha.ssm.cmattoon.com/k8s-secret-type" 21 | AWSParamName = "alpha.ssm.cmattoon.com/aws-param-name" 22 | AWSParamType = "alpha.ssm.cmattoon.com/aws-param-type" 23 | AWSParamKey = "alpha.ssm.cmattoon.com/aws-param-key" 24 | AWSRoleArn = "iam.amazonaws.com/role" 25 | 26 | V1ParamName = "aws-ssm/aws-param-name" 27 | V1ParamType = "aws-ssm/aws-param-type" 28 | V1ParamKey = "aws-ssm/aws-param-key" 29 | V1RoleArn = "aws-iam/role-arn" 30 | ) 31 | -------------------------------------------------------------------------------- /pkg/config/config.go: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2018 Curtis Mattoon 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | package config 17 | 18 | import ( 19 | "flag" 20 | "os" 21 | "strconv" 22 | 23 | log "github.com/sirupsen/logrus" 24 | ) 25 | 26 | var Version = "undefined" 27 | 28 | func getenv(key string, default_value string) string { 29 | value := os.Getenv(key) 30 | if len(value) == 0 { 31 | return default_value 32 | } 33 | return value 34 | } 35 | 36 | type Config struct { 37 | AWSRegion string 38 | // Frequency, in seconds, to poll for changes 39 | Interval int 40 | KubeConfig string 41 | KubeMaster string 42 | MetricsListenAddress string 43 | Provider string 44 | LabelSelector string 45 | EnableWatcher bool 46 | } 47 | 48 | func DefaultConfig() *Config { 49 | cfg := &Config{ 50 | AWSRegion: "us-west-2", 51 | Interval: 30, 52 | KubeConfig: "", 53 | KubeMaster: "", 54 | MetricsListenAddress: "0.0.0.0:9999", 55 | Provider: "aws", 56 | LabelSelector: "", 57 | EnableWatcher: false, 58 | } 59 | return cfg 60 | } 61 | 62 | func (cfg *Config) ParseFlags() error { 63 | kubeConfig := flag.String("kube-config", 64 | getenv("KUBE_CONFIG", ""), 65 | "Path to kube config (~/.kube/config)") 66 | 67 | kubeMaster := flag.String("master-url", 68 | getenv("MASTER_URL", ""), 69 | "Kubernetes Master URL (kubectl cluster-info)") 70 | 71 | metricAddr := flag.String("metrics-url", 72 | getenv("METRICS_URL", "0.0.0.0:9999"), 73 | "Address where metrics/healthz should be served (localhost:9999)") 74 | 75 | region := flag.String("region", 76 | getenv("AWS_REGION", "us-west-2"), 77 | "AWS Region (us-west-2)") 78 | 79 | logLevelStr := flag.String("log-level", 80 | getenv("LOG_LEVEL", "info"), 81 | "Logrus log level (info)") 82 | 83 | interval := flag.String("interval", 84 | getenv("SCAN_INTERVAL", "30"), 85 | "Polling interval") 86 | 87 | labelSelector := flag.String("label-selector", 88 | getenv("K8S_LABEL_SELECTOR", ""), 89 | "Label selector for secrets to fetch from k8s API", 90 | ) 91 | 92 | enableWatcher := flag.Bool("watch", false, "Turn on watcher which listens for k8s API events as well as polling") 93 | 94 | flag.Parse() 95 | 96 | i, err := strconv.Atoi(*interval) 97 | if err != nil { 98 | log.Error("Could not parse interval - defaulting to 30 seconds") 99 | i = 30 100 | } 101 | // Override config values from CLI 102 | cfg.AWSRegion = *region 103 | cfg.Interval = i 104 | cfg.KubeConfig = *kubeConfig 105 | cfg.KubeMaster = *kubeMaster 106 | cfg.MetricsListenAddress = *metricAddr 107 | cfg.Provider = "aws" 108 | cfg.LabelSelector = *labelSelector 109 | cfg.EnableWatcher = *enableWatcher 110 | 111 | logLevel, err := log.ParseLevel(*logLevelStr) 112 | json := getenv("LOG_FORMAT", "") 113 | if json == "json" { 114 | log.SetFormatter(&log.JSONFormatter{}) 115 | } 116 | if err != nil { 117 | log.Warnf("Improper log level provided: log-level=%s. Defaulting to log-level=info", *logLevelStr) 118 | logLevel = log.InfoLevel 119 | } 120 | log.SetLevel(logLevel) 121 | 122 | return nil 123 | } 124 | -------------------------------------------------------------------------------- /pkg/config/config_test.go: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2018 Curtis Mattoon 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | package config 17 | 18 | import ( 19 | "testing" 20 | ) 21 | 22 | func TestGetenvReturnsEnvironmentValueIfSet(t *testing.T) { 23 | // Hopefully PWD is set 24 | if "nope" == getenv("PWD", "nope") { 25 | t.Fail() 26 | } 27 | } 28 | 29 | func TestGetenvReturnsDefaultValueIfNotSet(t *testing.T) { 30 | val := getenv("SMALLPOX", "nobody has smallpox") 31 | if val != "nobody has smallpox" { 32 | t.Fail() 33 | } 34 | } 35 | 36 | func defaultsAreReasonable(cfg *Config) bool { 37 | return (cfg.KubeConfig == "" && cfg.KubeMaster == "" && cfg.MetricsListenAddress == "0.0.0.0:9999" && cfg.Provider == "aws") 38 | } 39 | 40 | func TestDefaultConfig(t *testing.T) { 41 | cfg := DefaultConfig() 42 | 43 | if !defaultsAreReasonable(cfg) { 44 | t.Fail() 45 | } 46 | } 47 | 48 | // // Calling with no args should get the default config 49 | // func TestParseFlags(t *testing.T) { 50 | 51 | // KUBE_CONFIG := "/path/to/kube/config" 52 | // KUBE_MASTER := "https://master.kubernetes.example.com" 53 | // METRICS_ADDR := "127.0.0.1:1234" 54 | // REGION := "us-west-2" 55 | 56 | // args := []string{ 57 | // fmt.Sprintf("-kube-config %s", KUBE_CONFIG), 58 | // fmt.Sprintf("-master-url %s", KUBE_MASTER), 59 | // fmt.Sprintf("-metrics-url %s", METRICS_ADDR), 60 | // fmt.Sprintf("-region %s", REGION), 61 | // } 62 | // argv := os.Args 63 | // os.Args = args 64 | 65 | // cfg := DefaultConfig() 66 | 67 | // if !defaultsAreReasonable(cfg) { 68 | // fmt.Println("Defaults are not reasonable") 69 | // t.Fail() 70 | // } 71 | 72 | // // No args shouldn't raise an error 73 | // if err := cfg.ParseFlags(); err != nil { 74 | // fmt.Printf("Error: %s\n", err.Error()) 75 | // t.Fail() 76 | // } 77 | 78 | // os.Args = argv 79 | 80 | // fmt.Printf("%v\n", *cfg) 81 | // if cfg.KubeConfig != KUBE_CONFIG { t.Fail() } 82 | // if cfg.KubeMaster != KUBE_MASTER { t.Fail() } 83 | // if cfg.MetricsListenAddress != METRICS_ADDR { t.Fail() } 84 | // if cfg.AWSRegion != REGION { t.Fail() } 85 | // } 86 | -------------------------------------------------------------------------------- /pkg/controller/client.go: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2018 Curtis Mattoon 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | package controller 17 | 18 | import ( 19 | log "github.com/sirupsen/logrus" 20 | "k8s.io/client-go/kubernetes" 21 | "k8s.io/client-go/tools/clientcmd" 22 | "sync" 23 | ) 24 | 25 | // ClientGenerator provides clients 26 | type ClientGenerator interface { 27 | KubeClient() (kubernetes.Interface, error) 28 | } 29 | 30 | // SingletonClientGenerator stores provider clients and guarantees that only one instance of client 31 | // will be generated 32 | type SingletonClientGenerator struct { 33 | KubeConfig string 34 | KubeMaster string 35 | client kubernetes.Interface 36 | sync.Once 37 | } 38 | 39 | // KubeClient generates a kube client if it was not created before 40 | func (p *SingletonClientGenerator) KubeClient() (kubernetes.Interface, error) { 41 | var err error 42 | p.Once.Do(func() { 43 | p.client, err = NewKubeClient(p.KubeConfig, p.KubeMaster) 44 | }) 45 | return p.client, err 46 | } 47 | 48 | // will fallback to restclient.InClusterConfig() if both kubeconfig/master_url == "" 49 | func NewKubeClient(kubeconfig string, master_url string) (*kubernetes.Clientset, error) { 50 | config, err := clientcmd.BuildConfigFromFlags(master_url, kubeconfig) 51 | if err != nil { 52 | return nil, err 53 | } 54 | 55 | client, err := kubernetes.NewForConfig(config) 56 | if err != nil { 57 | return nil, err 58 | } 59 | 60 | log.Infof("Connected to cluster at %s", config.Host) 61 | return client, nil 62 | } 63 | -------------------------------------------------------------------------------- /pkg/controller/client_test.go: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2018 Curtis Mattoon 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | package controller 17 | 18 | import ( 19 | "fmt" 20 | "testing" 21 | 22 | k8s "k8s.io/client-go/tools/clientcmd" 23 | ) 24 | 25 | func TestNewKubeClientFailsOnBadFile(t *testing.T) { 26 | _, err := NewKubeClient("kube-config", "master-url") 27 | if !(err != nil && err.Error() == "stat kube-config: no such file or directory") { 28 | t.Fail() 29 | } 30 | } 31 | 32 | func TestNewKubeClientReturnsInClusterConfig(t *testing.T) { 33 | _, err := NewKubeClient("", "") 34 | if err.Error() != fmt.Sprintf("invalid configuration: %s", k8s.ErrEmptyConfig.Error()) { 35 | t.Fail() 36 | } 37 | } 38 | -------------------------------------------------------------------------------- /pkg/controller/controller.go: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2018 Curtis Mattoon 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | package controller 17 | 18 | import ( 19 | "context" 20 | "time" 21 | 22 | "github.com/cmattoon/aws-ssm/pkg/config" 23 | "github.com/cmattoon/aws-ssm/pkg/provider" 24 | "github.com/cmattoon/aws-ssm/pkg/secret" 25 | log "github.com/sirupsen/logrus" 26 | v1 "k8s.io/api/core/v1" 27 | "k8s.io/apimachinery/pkg/api/meta" 28 | metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" 29 | "k8s.io/apimachinery/pkg/watch" 30 | "k8s.io/client-go/kubernetes" 31 | ) 32 | 33 | // Controller is our main struct 34 | type Controller struct { 35 | Interval time.Duration 36 | Provider provider.Provider 37 | KubeGen ClientGenerator 38 | Context context.Context 39 | LabelSelector string 40 | } 41 | 42 | // NewController initialises above struct 43 | func NewController(cfg *config.Config) *Controller { 44 | p, err := provider.NewProvider(cfg) 45 | if err != nil { 46 | log.Fatalf("Failed to create provider: %s", err) 47 | } 48 | 49 | scg := &SingletonClientGenerator{ 50 | KubeConfig: cfg.KubeConfig, 51 | KubeMaster: cfg.KubeMaster, 52 | } 53 | 54 | ctrl := &Controller{ 55 | Interval: time.Duration(cfg.Interval) * time.Second, 56 | Provider: p, 57 | KubeGen: scg, 58 | Context: context.Background(), 59 | LabelSelector: cfg.LabelSelector, 60 | } 61 | 62 | return ctrl 63 | } 64 | 65 | // HandleSecrets loops through all k8s api secrets 66 | func (c *Controller) HandleSecrets(cli kubernetes.Interface) error { 67 | secrets, err := cli.CoreV1().Secrets("").List(c.Context, metav1.ListOptions{LabelSelector: c.LabelSelector}) 68 | if err != nil { 69 | log.Fatalf("Error retrieving secrets: %s", err) 70 | } 71 | 72 | i, j, k := 0, 0, 0 73 | for _, sec := range secrets.Items { 74 | i++ 75 | 76 | obj, err := secret.FromKubernetesSecret(c.Context, c.Provider, sec) 77 | if err != nil { 78 | // Error: Irrelevant Secret 79 | continue 80 | } 81 | j++ 82 | 83 | _, err = obj.UpdateObject(cli) 84 | if err != nil { 85 | log.Warnf("Failed to update object %s/%s", obj.Namespace, obj.Name) 86 | log.Warn(err.Error()) 87 | continue 88 | } 89 | log.Debugf("Successfully updated %s/%s", obj.Namespace, obj.Name) 90 | k++ 91 | } 92 | 93 | log.Infof("Updated %v/%v secrets (of %v total secrets)", k, j, i) 94 | return err 95 | } 96 | 97 | // WatchSecrets listens for secrets that are created and processes them immediately 98 | func (c *Controller) WatchSecrets(cli kubernetes.Interface) error { 99 | for { 100 | select { 101 | case <-c.Context.Done(): 102 | log.Info("context finished processing") 103 | return nil 104 | default: 105 | // get newest secret to find resourceVersion 106 | rv := "0" 107 | secrets, err := cli.CoreV1().Secrets(v1.NamespaceAll).List(c.Context, metav1.ListOptions{LabelSelector: c.LabelSelector}) 108 | if err != nil { 109 | log.Errorf("Error listing secrets: %s", err) 110 | return err 111 | } 112 | isList := meta.IsListType(secrets) 113 | if isList { 114 | // the resourceVersion of list objects is ~now but won't return 115 | // an initial watch event 116 | rv, err = meta.NewAccessor().ResourceVersion(secrets) 117 | if err != nil { 118 | return err 119 | } 120 | } 121 | log.Infof("resourceVersion: %s", rv) 122 | watcher, err := cli.CoreV1().Secrets(v1.NamespaceAll).Watch(c.Context, metav1.ListOptions{LabelSelector: c.LabelSelector, ResourceVersion: rv}) 123 | if err != nil { 124 | log.Errorf("Error retrieving secrets: %s", err) 125 | return err 126 | } 127 | 128 | events := watcher.ResultChan() 129 | 130 | // fairly basic handling of nil beatdown. I believe it happens when the k8s service account token expires and the watch 131 | // cli doesn't update it. 132 | nilCounter := 0 133 | maxNils := 20 134 | 135 | // loop for new events 136 | for { 137 | event := <-events 138 | if event.Object == nil { 139 | log.Info("nil object from watch - skipping.") 140 | nilCounter++ 141 | if nilCounter > maxNils { 142 | break 143 | } 144 | continue // skip the input 145 | } 146 | sec := event.Object.(*v1.Secret) 147 | switch event.Type { 148 | case watch.Added: 149 | obj, err := secret.FromKubernetesSecret(c.Context, c.Provider, *sec) 150 | if err != nil { 151 | // Error: Irrelevant Secret 152 | continue 153 | } 154 | 155 | _, err = obj.UpdateObject(cli) 156 | if err != nil { 157 | log.Warnf("Watcher failed to update object %s/%s", obj.Namespace, obj.Name) 158 | log.Warn(err.Error()) 159 | continue 160 | } 161 | log.Infof("Watcher successfully updated %s/%s", obj.Namespace, obj.Name) 162 | default: // do nothing 163 | } 164 | } 165 | } 166 | } 167 | } 168 | 169 | func (c *Controller) runOnce() error { 170 | log.Debug("Running...") 171 | cli, err := c.KubeGen.KubeClient() 172 | if err != nil { 173 | log.Fatalf("Error with kubernetes client: %s", err) 174 | } 175 | return c.HandleSecrets(cli) 176 | } 177 | 178 | // Run starts the polling of the k8s API server 179 | func (c *Controller) Run(stopChan <-chan struct{}) { 180 | ticker := time.NewTicker(c.Interval) 181 | 182 | defer ticker.Stop() 183 | 184 | for { 185 | err := c.runOnce() 186 | if err != nil { 187 | log.Error(err) 188 | } 189 | 190 | select { 191 | case <-ticker.C: 192 | case <-stopChan: 193 | log.Info("Ending main controller loop") 194 | return 195 | } 196 | } 197 | } 198 | 199 | // Watch listens to secret create API events to create a secret 200 | func (c *Controller) Watch(stopChan <-chan struct{}) { 201 | cli, err := c.KubeGen.KubeClient() 202 | if err != nil { 203 | log.Fatalf("Error with kubernetes client: %s", err) 204 | } 205 | 206 | log.Info("My Watch begins...") 207 | err = c.WatchSecrets(cli) 208 | if err != nil { 209 | log.Fatalf("Error with WatchSecrets: %s", err) 210 | } 211 | 212 | for range stopChan { 213 | log.Info("Ending watch") 214 | return 215 | } 216 | } 217 | -------------------------------------------------------------------------------- /pkg/provider/aws.go: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2018 Curtis Mattoon 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | package provider 17 | 18 | import ( 19 | "path" 20 | 21 | "github.com/aws/aws-sdk-go/aws" 22 | "github.com/aws/aws-sdk-go/aws/credentials/stscreds" 23 | "github.com/aws/aws-sdk-go/aws/session" 24 | "github.com/aws/aws-sdk-go/service/ssm" 25 | "github.com/cmattoon/aws-ssm/pkg/config" 26 | log "github.com/sirupsen/logrus" 27 | ) 28 | 29 | type AWSProvider struct { 30 | Session *session.Session 31 | Service *ssm.SSM 32 | 33 | results map[string]string 34 | } 35 | 36 | func NewAWSProvider(cfg *config.Config) (Provider, error) { 37 | sess, err := session.NewSession(&aws.Config{ 38 | Region: aws.String(cfg.AWSRegion), 39 | }) 40 | 41 | if err != nil { 42 | log.Fatalf("%s", err) 43 | } 44 | 45 | return AWSProvider{ 46 | Session: sess, 47 | Service: ssm.New(sess), 48 | }, nil 49 | } 50 | 51 | func (p AWSProvider) GetParameterValue(name string, decrypt bool, roleArn string) (string, error) { 52 | if roleArn != "" { 53 | creds := stscreds.NewCredentials(p.Session, roleArn) 54 | p.Service = ssm.New(p.Session, &aws.Config{ 55 | Credentials: creds, 56 | Region: aws.String(*p.Session.Config.Region), 57 | }) 58 | } 59 | param, err := p.Service.GetParameter(&ssm.GetParameterInput{ 60 | Name: aws.String(name), 61 | WithDecryption: aws.Bool(decrypt), 62 | }) 63 | 64 | if err != nil { 65 | log.Errorf("Failed to GetParameterValue: %s. Error: %s", name, err) 66 | return "", err 67 | } 68 | 69 | return *param.Parameter.Value, nil 70 | } 71 | 72 | func (p AWSProvider) GetParameterDataByPath(ppath string, decrypt bool, roleArn string) (map[string]string, error) { 73 | p.results = make(map[string]string) 74 | 75 | if roleArn != "" { 76 | creds := stscreds.NewCredentials(p.Session, roleArn) 77 | p.Service = ssm.New(p.Session, &aws.Config{ 78 | Credentials: creds, 79 | Region: aws.String(*p.Session.Config.Region), 80 | }) 81 | } 82 | // ppath is something like /path/to/env 83 | params, err := p.Service.GetParametersByPath(&ssm.GetParametersByPathInput{ 84 | Path: aws.String(ppath), 85 | Recursive: aws.Bool(true), 86 | WithDecryption: aws.Bool(decrypt), 87 | }) 88 | 89 | if err != nil { 90 | log.Errorf("Failed to GetParameterDataByPath on path: %s. Error: %s", ppath, err) 91 | return nil, err 92 | } 93 | 94 | // '/path/to/env/foo' -> 'foo': *pa.Value 95 | for _, pa := range params.Parameters { 96 | _, basename := path.Split(*pa.Name) 97 | p.results[basename] = *pa.Value 98 | } 99 | 100 | if params.NextToken == nil { 101 | return p.results, nil 102 | } 103 | 104 | return p.getParameterDataByPath(ppath, decrypt, *params.NextToken) 105 | } 106 | 107 | func (p AWSProvider) getParameterDataByPath(ppath string, decrypt bool, nextToken string) (map[string]string, error) { 108 | params, err := p.Service.GetParametersByPath(&ssm.GetParametersByPathInput{ 109 | Path: aws.String(ppath), 110 | Recursive: aws.Bool(true), 111 | WithDecryption: aws.Bool(decrypt), 112 | NextToken: aws.String(nextToken), 113 | }) 114 | 115 | if err != nil { 116 | log.Errorf("Failed to GetParameterDataByPath on path: %s. Error: %s", ppath, err) 117 | return nil, err 118 | } 119 | 120 | for _, pa := range params.Parameters { 121 | _, basename := path.Split(*pa.Name) 122 | p.results[basename] = *pa.Value 123 | } 124 | 125 | if params.NextToken == nil { 126 | return p.results, nil 127 | } 128 | 129 | return p.getParameterDataByPath(ppath, decrypt, *params.NextToken) 130 | } 131 | -------------------------------------------------------------------------------- /pkg/provider/provider.go: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2018 Curtis Mattoon 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | package provider 17 | 18 | import ( 19 | "errors" 20 | //log "github.com/sirupsen/logrus" 21 | "github.com/cmattoon/aws-ssm/pkg/config" 22 | ) 23 | 24 | type Provider interface { 25 | GetParameterValue(string, bool, string) (string, error) 26 | GetParameterDataByPath(string, bool, string) (map[string]string, error) 27 | } 28 | 29 | func NewProvider(cfg *config.Config) (Provider, error) { 30 | p, err := NewAWSProvider(cfg) 31 | return p, err 32 | } 33 | 34 | // Mock an error with {"(error)", "error message"} 35 | type MockProvider struct { 36 | Value string 37 | DecryptedValue string 38 | DirectoryContents map[string]string 39 | } 40 | 41 | func (mp MockProvider) GetParameterValue(s string, b bool, r string) (string, error) { 42 | if mp.Value == "(error)" { 43 | return "", errors.New(mp.DecryptedValue) 44 | } 45 | 46 | if b { 47 | // Decrypt flag 48 | return mp.DecryptedValue, nil 49 | } 50 | return mp.Value, nil 51 | } 52 | 53 | func (mp MockProvider) GetParameterDataByPath(s string, b bool, r string) (map[string]string, error) { 54 | return mp.DirectoryContents, nil 55 | } 56 | -------------------------------------------------------------------------------- /pkg/secret/secret.go: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2018 Curtis Mattoon 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | package secret 17 | 18 | import ( 19 | "context" 20 | "errors" 21 | "fmt" 22 | "strings" 23 | 24 | log "github.com/sirupsen/logrus" 25 | 26 | anno "github.com/cmattoon/aws-ssm/pkg/annotations" 27 | "github.com/cmattoon/aws-ssm/pkg/provider" 28 | v1 "k8s.io/api/core/v1" 29 | metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" 30 | "k8s.io/client-go/kubernetes" 31 | ) 32 | 33 | type Secret struct { 34 | Secret v1.Secret 35 | // Kubernetes Secret Name 36 | Name string 37 | // Kubernetes Namespace 38 | Namespace string 39 | // AWS Param Name 40 | ParamName string 41 | // AWS Param Type 42 | ParamType string 43 | // AWS Param Key (Default: "alias/aws/ssm") 44 | ParamKey string 45 | // AWS Param Value 46 | ParamValue string 47 | // The data to add to Kubernetes Secret Data 48 | Data map[string]string 49 | // Context for k8s API 50 | Context context.Context 51 | } 52 | 53 | func NewSecret(ctx context.Context, sec v1.Secret, p provider.Provider, secret_name string, secret_namespace string, param_name string, param_type string, param_key string, roleArn string) (*Secret, error) { 54 | 55 | s := &Secret{ 56 | Secret: sec, 57 | Name: secret_name, 58 | Namespace: secret_namespace, 59 | ParamName: param_name, 60 | ParamType: param_type, 61 | ParamKey: param_key, 62 | ParamValue: "", 63 | Data: map[string]string{}, 64 | Context: ctx, 65 | } 66 | 67 | log.Debugf("Getting value for '%s/%s'", s.Namespace, s.Name) 68 | 69 | decrypt := false 70 | if s.ParamKey != "" { 71 | decrypt = true 72 | } 73 | 74 | if s.ParamType == "String" || s.ParamType == "SecureString" { 75 | value, err := p.GetParameterValue(s.ParamName, decrypt, roleArn) 76 | if err != nil { 77 | return nil, err 78 | } 79 | s.ParamValue = value 80 | } else if s.ParamType == "StringList" { 81 | value, err := p.GetParameterValue(s.ParamName, decrypt, roleArn) 82 | if err != nil { 83 | return nil, err 84 | } 85 | s.ParamValue = value 86 | // StringList: Also set each key 87 | values := s.ParseStringList() 88 | for k, v := range values { 89 | s.Set(k, v) 90 | } 91 | } else if s.ParamType == "Directory" { 92 | // Directory: Set each sub-key 93 | all_params, err := p.GetParameterDataByPath(s.ParamName, decrypt, roleArn) 94 | if err != nil { 95 | return nil, err 96 | } 97 | 98 | for k, v := range all_params { 99 | s.Set(safeKeyName(k), v) 100 | } 101 | s.ParamValue = "true" // Reads "Directory": "true" 102 | return s, nil 103 | } 104 | 105 | // Always set the "$ParamType" key: 106 | // String: Value 107 | // SecureString: Value 108 | // StringList: Value 109 | // Directory: 110 | s.Set(s.ParamType, s.ParamValue) 111 | 112 | return s, nil 113 | } 114 | 115 | // FromKubernetesSecret returns an internal Secret struct, if the v1.Secret is properly annotated. 116 | func FromKubernetesSecret(ctx context.Context, p provider.Provider, secret v1.Secret) (*Secret, error) { 117 | param_name := "" 118 | param_type := "" 119 | param_key := "" 120 | role := "" 121 | 122 | for k, v := range secret.ObjectMeta.Annotations { 123 | switch k { 124 | case anno.AWSParamName, anno.V1ParamName: 125 | param_name = v 126 | case anno.AWSParamType, anno.V1ParamType: 127 | param_type = v 128 | case anno.AWSParamKey, anno.V1ParamKey: 129 | param_key = v 130 | case anno.AWSRoleArn, anno.V1RoleArn: 131 | role = v 132 | } 133 | } 134 | 135 | if param_name == "" || param_type == "" { 136 | return nil, errors.New("Irrelevant Secret") 137 | } 138 | 139 | if param_name != "" && param_type != "" { 140 | if param_type == "SecureString" && param_key == "" { 141 | log.Debug("No KMS key defined. Using default key 'alias/aws/ssm'") 142 | param_key = "alias/aws/ssm" 143 | } 144 | } 145 | 146 | s, err := NewSecret( 147 | ctx, 148 | secret, 149 | p, 150 | secret.ObjectMeta.Name, 151 | secret.ObjectMeta.Namespace, 152 | param_name, 153 | param_type, 154 | param_key, 155 | role) 156 | 157 | if err != nil { 158 | return nil, err 159 | } 160 | return s, nil 161 | } 162 | 163 | func (s *Secret) ParseStringList() (values map[string]string) { 164 | values = make(map[string]string) 165 | 166 | for _, pair := range strings.Split(strings.TrimSpace(s.ParamValue), ",") { 167 | pair = strings.TrimSpace(pair) 168 | key := pair 169 | val := "" 170 | 171 | if strings.Contains(pair, "=") { 172 | kv := strings.SplitN(pair, "=", 2) 173 | if len(kv) == 2 { 174 | if kv[0] != "" { 175 | key = kv[0] 176 | val = kv[1] 177 | } 178 | } 179 | } 180 | if key != "" { 181 | values[key] = val 182 | } 183 | } 184 | 185 | return 186 | } 187 | 188 | func (s *Secret) Set(key string, val string) (err error) { 189 | log.Debugf("Setting key=%s", key) 190 | if s.Secret.StringData == nil { 191 | s.Secret.StringData = make(map[string]string) 192 | } 193 | // StringData isn't populated initially, so check s.Data 194 | if _, ok := s.Data[key]; ok { 195 | // Refuse to overwite existing keys 196 | return fmt.Errorf("Key '%s' already exists for Secret %s/%s", key, s.Namespace, s.Name) 197 | } 198 | s.Secret.StringData[key] = val 199 | return 200 | } 201 | 202 | func (s *Secret) UpdateObject(cli kubernetes.Interface) (result *v1.Secret, err error) { 203 | log.Debug("Updating Kubernetes Secret...") 204 | return cli.CoreV1().Secrets(s.Namespace).Update(s.Context, &s.Secret, metav1.UpdateOptions{}) 205 | } 206 | 207 | func safeKeyName(key string) string { 208 | key = strings.TrimRight(key, "/") 209 | if strings.HasPrefix(key, "/") { 210 | key = strings.Replace(key, "/", "", 1) 211 | } 212 | return strings.Replace(key, "/", "_", -1) 213 | } 214 | -------------------------------------------------------------------------------- /pkg/secret/secret_test.go: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2018 Curtis Mattoon 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | package secret 17 | 18 | import ( 19 | //"reflect" 20 | "context" 21 | "testing" 22 | 23 | "github.com/cmattoon/aws-ssm/pkg/provider" 24 | "github.com/stretchr/testify/assert" 25 | "github.com/stretchr/testify/require" 26 | v1 "k8s.io/api/core/v1" 27 | metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" 28 | ) 29 | 30 | func TestParseStringList(t *testing.T) { 31 | for _, tc := range []struct { 32 | title string 33 | pvalue string 34 | expected map[string]string 35 | }{ 36 | { 37 | title: "parse empty value", 38 | pvalue: "", 39 | expected: map[string]string{}, 40 | }, 41 | { 42 | title: "parse whitespace-only value", 43 | pvalue: " ", 44 | expected: map[string]string{}, 45 | }, 46 | { 47 | title: "parse some simple values", 48 | pvalue: "key1=val1,key2=val2,key3=val3,key4=val4", 49 | expected: map[string]string{ 50 | "key1": "val1", 51 | "key2": "val2", 52 | "key3": "val3", 53 | "key4": "val4", 54 | }, 55 | }, 56 | { 57 | title: "parse equal sign in value", 58 | pvalue: "key1=val1,key2=val2,key3=val3,key4=val4=true", 59 | expected: map[string]string{ 60 | "key1": "val1", 61 | "key2": "val2", 62 | "key3": "val3", 63 | "key4": "val4=true", 64 | }, 65 | }, 66 | { 67 | title: "parse non-list", 68 | pvalue: "key1", 69 | expected: map[string]string{ 70 | "key1": "", 71 | }, 72 | }, 73 | { 74 | title: "parse trailing comma", 75 | pvalue: "key1=value1,", 76 | expected: map[string]string{ 77 | "key1": "value1", 78 | }, 79 | }, 80 | { 81 | title: "parse leading/trailing comma", 82 | pvalue: ",key1=value1,key2=val2,key3=val3,", 83 | expected: map[string]string{ 84 | "key1": "value1", 85 | "key2": "val2", 86 | "key3": "val3", 87 | }, 88 | }, 89 | { 90 | title: "not a StringList", 91 | pvalue: "asdfjkl", 92 | expected: map[string]string{ 93 | "asdfjkl": "", 94 | }, 95 | }, 96 | { 97 | title: "fine i guess", 98 | pvalue: "ThIsMiGhTBeBaSe64==", 99 | expected: map[string]string{ 100 | "ThIsMiGhTBeBaSe64": "=", 101 | }, 102 | }, 103 | { 104 | title: "another StringList", 105 | pvalue: "123,456,789", 106 | expected: map[string]string{ 107 | "123": "", 108 | "456": "", 109 | "789": "", 110 | }, 111 | }, 112 | } { 113 | t.Run(tc.title, func(t *testing.T) { 114 | s := &Secret{ 115 | Name: "test_secret", 116 | Namespace: "test", 117 | ParamName: "FOO_PARAM", 118 | ParamType: "StringList", 119 | ParamKey: "some-string-list", 120 | ParamValue: tc.pvalue, 121 | Data: map[string]string{}, 122 | } 123 | data := s.ParseStringList() 124 | assert.Equal(t, tc.expected, data) 125 | }) 126 | } 127 | 128 | } 129 | 130 | // Should set the key/value pair 131 | func TestSet(t *testing.T) { 132 | s := &Secret{ 133 | Name: "test_secret", 134 | Namespace: "test", 135 | ParamName: "FOO_PARAM", 136 | ParamType: "StringList", 137 | ParamKey: "foo-param", 138 | ParamValue: "key1=val1,key2=val2,key3=val3,key4=val4=true", 139 | Data: map[string]string{}, 140 | } 141 | require.NoError(t, s.Set("foo", "bar")) 142 | assert.Equal(t, s.Secret.StringData["foo"], "bar") 143 | } 144 | 145 | func TestSetRefusesToOverwriteKey(t *testing.T) { 146 | s := &Secret{ 147 | Name: "test_secret", 148 | Namespace: "test", 149 | ParamName: "FOO_PARAM", 150 | ParamType: "StringList", 151 | ParamKey: "foo-param", 152 | ParamValue: "key1=val1,key2=val2,key3=val3,key4=val4=true", 153 | Data: map[string]string{ 154 | "foo": "bar", 155 | }, 156 | } 157 | require.Error(t, s.Set("foo", "baz")) 158 | 159 | assert.Equal(t, "bar", s.Data["foo"]) 160 | // "foo=bar" was specified initially, not via Set 161 | // so strictly speaking, it shouldn't be set here yet 162 | // (because s.Set() should fail) 163 | assert.Equal(t, "", s.Secret.StringData["foo"]) 164 | } 165 | 166 | func TestSetsValue(t *testing.T) { 167 | p := provider.MockProvider{"FooBar123", "PlaintextIsAnError", make(map[string]string)} 168 | s := v1.Secret{} 169 | ctx := context.TODO() 170 | testSecret, err := NewSecret(ctx, s, p, "foo-secret", "namespace", "foo-param", "String", "", "") 171 | 172 | assert.Equal(t, err, nil) 173 | assert.Equal(t, testSecret.ParamValue, "FooBar123") 174 | } 175 | 176 | // When the encryption key is defined, the decrypted value should be returned 177 | func TestNewSecretDecryptsIfKeyIsSet(t *testing.T) { 178 | p := provider.MockProvider{"$@#*$(@)*$", "FooBar123", make(map[string]string)} 179 | s := v1.Secret{} 180 | ctx := context.TODO() 181 | testSecret, err := NewSecret(ctx, s, p, "foo-secret", "namespace", "foo-param", "String", "my/test/key", "") 182 | assert.Equal(t, nil, err) 183 | assert.Equal(t, testSecret.ParamValue, p.DecryptedValue) 184 | } 185 | 186 | func TestNewSecretHandlesStringList(t *testing.T) { 187 | p := provider.MockProvider{"$@#*$(@)*$", "key1=val1,key2=val2,key3=val3", make(map[string]string)} 188 | s := v1.Secret{} 189 | ctx := context.TODO() 190 | ts, err := NewSecret(ctx, s, p, "foo-secret", "namespace", "foo-param", "StringList", "my/test/key", "") 191 | assert.True(t, err == nil) 192 | exp := map[string]string{ 193 | "key1": "val1", 194 | "key2": "val2", 195 | "key3": "val3", 196 | } 197 | 198 | for k, v := range exp { 199 | v3, ok := ts.Secret.StringData[k] 200 | assert.Equal(t, ok, true) 201 | assert.Equal(t, v, v3) 202 | } 203 | 204 | } 205 | 206 | func TestFromKubernetesSecretReturnsErrorIfIrrelevant(t *testing.T) { 207 | p := provider.MockProvider{"$@#*$(@)*$", "FooBar123", make(map[string]string)} 208 | s := v1.Secret{} // No annotations, so no params 209 | ctx := context.TODO() 210 | 211 | _, err := FromKubernetesSecret(ctx, p, s) 212 | if err.Error() != "Irrelevant Secret" { 213 | t.Fail() 214 | } 215 | } 216 | 217 | // If the parameter is of Type=SecureString, and no key is supplied, 218 | // attempt to use the default key. 219 | func TestFromKubernetesSecretUsesDefaultEncryptionKey(t *testing.T) { 220 | p := provider.MockProvider{"$@#*$(@)*$", "FooBar123", make(map[string]string)} 221 | 222 | s := v1.Secret{ 223 | ObjectMeta: metav1.ObjectMeta{ 224 | Annotations: map[string]string{ 225 | "alpha.ssm.cmattoon.com/aws-param-name": "foo-param", 226 | "alpha.ssm.cmattoon.com/aws-param-type": "SecureString", 227 | }, 228 | }, 229 | } 230 | 231 | ctx := context.TODO() 232 | 233 | ks, err := FromKubernetesSecret(ctx, p, s) 234 | 235 | if err != nil || ks.ParamKey != "alias/aws/ssm" || ks.ParamValue != "FooBar123" { 236 | t.Fail() 237 | } 238 | } 239 | 240 | func TestFromKubernetesSecretUsesSpecifiedEncryptionKey(t *testing.T) { 241 | p := provider.MockProvider{"$@#*$(@)*$", "FooBar123", make(map[string]string)} 242 | 243 | s := v1.Secret{ 244 | ObjectMeta: metav1.ObjectMeta{ 245 | Annotations: map[string]string{ 246 | "alpha.ssm.cmattoon.com/aws-param-name": "foo-param", 247 | "alpha.ssm.cmattoon.com/aws-param-type": "SecureString", 248 | "alpha.ssm.cmattoon.com/aws-param-key": "foo/bar/baz", 249 | }, 250 | }, 251 | } 252 | 253 | ctx := context.TODO() 254 | 255 | ks, err := FromKubernetesSecret(ctx, p, s) 256 | 257 | if err != nil || ks.ParamKey != "foo/bar/baz" || ks.ParamValue != "FooBar123" { 258 | t.Fail() 259 | } 260 | } 261 | 262 | func TestSafeKeyName(t *testing.T) { 263 | keys := map[string]string{ 264 | "/foo/bar": "foo_bar", 265 | "/foo/bar/": "foo_bar", 266 | "//foo/bar": "_foo_bar", 267 | "//foo/bar/": "_foo_bar", 268 | "/foo/bar/baz": "foo_bar_baz", 269 | } 270 | for path, exp := range keys { 271 | assert.Equal(t, safeKeyName(path), exp) 272 | } 273 | } 274 | -------------------------------------------------------------------------------- /scripts/add_license.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | echo "You probably don't wanna run this again" 3 | exit; 4 | 5 | 6 | DIR=$(pwd) 7 | 8 | HEADERFILE=$(mktemp) 9 | cat < $HEADERFILE 10 | /** 11 | * Copyright $(date +"%Y") Curtis Mattoon 12 | * 13 | * Licensed under the Apache License, Version 2.0 (the "License"); 14 | * you may not use this file except in compliance with the License. 15 | * You may obtain a copy of the License at 16 | * 17 | * http://www.apache.org/licenses/LICENSE-2.0 18 | * 19 | * Unless required by applicable law or agreed to in writing, software 20 | * distributed under the License is distributed on an "AS IS" BASIS, 21 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 22 | * See the License for the specific language governing permissions and 23 | * limitations under the License. 24 | */ 25 | EOF 26 | 27 | for f in $(find . -name '*.go'); do 28 | echo ">> $f" 29 | tmp=$(mktemp) 30 | cat $HEADERFILE > $tmp; 31 | cat $f >> $tmp 32 | mv $tmp $f 33 | rm $tmp 34 | echo " [Done]" 35 | done 36 | rm $HEADERFILE 37 | -------------------------------------------------------------------------------- /scripts/go_test.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | set -e 3 | echo "" > coverage.txt 4 | 5 | for pkg in $(go list ./... | grep -v vendor); do 6 | go test -v -race -coverprofile=profile.out -covermode=atomic "$pkg" 7 | if [ -f profile.out ]; then 8 | cat profile.out >> coverage.txt 9 | rm profile.out 10 | fi 11 | done 12 | --------------------------------------------------------------------------------