boxboat / dockcmd Goto Github PK

Add support for TLS Cert Auth

Add support for assumed roles specified in .aws/config.

Add support for AWS Systems Manager Parameter Store

Sign dockcmd releases

On macOS Catalina, the binary cannot be executed until you Right Click Open from Finder.

We should update the build so that the binary is signed and can be trusted

For commands that process go templates (get-secrets commands). Add the ability to pass in values like the helm cli does with --set and --values. Values yaml files will be processed first and then --set will be merged down. Current --set functionality will remain unchanged but this will expand on that ability by mirroring the helm cli parameter passing. This will further enhance #21 use cases.

Add dockcmd gotpl to process text files containing go templates. Behavior is identical to get-secrets based commands except that it will not require access to a secrets backend.

Add support for the Helm toYaml function. This function is not in the standard Go template language nor the Sprig library.

toYaml is an extra function that Helm adds to its templating engine:
https://github.com/helm/helm/blob/master/pkg/engine/funcs.go#L52

dockcmd currently has a hard-coded list of credentials providers which doesn't support the WebIdentityRoleProvider needed for IRSA to work as expected.

https://github.com/boxboat/dockcmd/blob/master/cmd/aws/aws.go#L126

var creds = sess.Config.Credentials
	if o.useChainCredentials {
		creds = credentials.NewChainCredentials(
			[]credentials.Provider{
				&credentials.EnvProvider{},
				&credentials.SharedCredentialsProvider{
					Profile: o.profile,
				},
				&ec2rolecreds.EC2RoleProvider{
					Client: ec2metadata.New(sess),
				},
				&SessionProvider{
					Session: sess,
				},
			})
	} else {
		if o.accessKeyID == "" || o.secretAccessKey == "" {
			return nil, errors.New("no aws credentials provided")
		}
		creds = credentials.NewStaticCredentials(o.accessKeyID, o.secretAccessKey, "")
	}

I think the entire true section of the block that re-configures the chain of credentials providers can be removed so that it uses the SDK default chain, which already supports IRSA. I'm assuming there was a reason that the custom chain of credentials providers was originally added, but it's not clear what that reason is.

@boxboatmatt Can the custom credentials chain be removed when useChainCredentials is true?

Add jenkins parse-secrets

dockcmd vault get-secrets fails with Could not convert vault response [%s][%s] to string (code link) if the secret was created with KV V2 (versioned secret).

V2 secrets need to read values from data.data.key instead of data.key. Either allowing the user to specify the version type in the template, or even better, automatically attempting to parse a level deeper if it fails at the data.key check would allow users to read both v1 and v2 secrets

Update go version to 1.15

AWS Secrets Manager supports storing a text secret that is not json - add a new function awsText and alias awsJson=aws method

Add support for Azure Key vault

Change print message "Using config file: $HOME/.dockcmd.yaml" to debug only

A dockcmd release should be published for the arm64 architecture

Creating multi-arch docker images and publishing to Docker Hub would allow downstream docker multi-arch images to copy the correct binary in with:

FROM --platform=${TARGETPLATFORM} boxboat/dockcmd:latest as dockcmd
COPY --from dockcmd /bin/dockcmd /usr/local/bin/dockcmd

dockcmd aws get-secrets --edit-in-place for a list of files is not functioning properly in v1.6.0 and v1.7.0

Create a registry command that allows for cleaning up old images.

Allow the version to be specified for each of the secrets backends (except for vault v1 kv stores - due to no version support). If the secret name is suffixed with ?version=<version> retrieve that particular version from the secrets backend.

Update the secrets cache to store the whole secret not just the referenced key. For example:

foo:
{
"bravo": "secret-value",
"charlie": "secret-value"
}

{{ (aws "foo" "bravo") }} currently would only cache foo[bravo], should cache contents of foo instead

Add support for GCP Secrets Manager

Add the ability to also parse environment variables for the get-secrets functions. Something like:
{{ env <VAR_NAME> }}

Update dockcmd to use travis ci