
Commit 5e6f76a

Adding Keyvault Shim (#1346)
* adding az sdk dependencies and tidying mod file * adding keyvault shim * example usage application for kv shim * adding tests, cleaning up * fixing linter errors * updating go mod
1 parent c3e709d commit 5e6f76a


7 files changed

+484
-40
lines changed


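--- a/go.mod
+++ b/go.mod
@@ -3,22 +3,21 @@ module github.com/Azure/azure-container-networking
 go 1.18
 
 require (
-	code.cloudfoundry.org/clock v1.0.0 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.0.0
+	github.com/Azure/azure-sdk-for-go/sdk/keyvault/azsecrets v0.7.1
 	github.com/Masterminds/semver v1.5.0
 	github.com/Microsoft/go-winio v0.4.17
 	github.com/Microsoft/hcsshim v0.8.23
+	github.com/avast/retry-go/v3 v3.1.1
 	github.com/billgraziano/dpapi v0.4.0
 	github.com/containernetworking/cni v0.8.1
-	github.com/docker/docker v20.10.8+incompatible // indirect
-	github.com/docker/go-connections v0.4.0 // indirect
 	github.com/docker/libnetwork v0.8.0-dev.2.0.20210525090646-64b7a4574d14
 	github.com/golang/mock v1.6.0
 	github.com/golang/protobuf v1.5.2
 	github.com/google/go-cmp v0.5.8
 	github.com/google/uuid v1.3.0
 	github.com/gorilla/mux v1.8.0
 	github.com/hashicorp/go-version v1.5.0
-	github.com/ishidawataru/sctp v0.0.0-20210226210310-f2269e66cdee // indirect
 	github.com/microsoft/ApplicationInsights-Go v0.4.4
 	github.com/nxadm/tail v1.4.8
 	github.com/onsi/ginkgo v1.16.5
@@ -30,45 +29,69 @@ require (
 	github.com/spf13/pflag v1.0.5
 	github.com/spf13/viper v1.12.0
 	github.com/stretchr/testify v1.7.1
-	github.com/vishvananda/netns v0.0.0-20210104183010-2eb08e3e575f // indirect
+	go.uber.org/zap v1.21.0
 	golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a
-	golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 // indirect
 	google.golang.org/grpc v1.46.2
 	google.golang.org/protobuf v1.28.0
 	k8s.io/api v0.24.1
 	k8s.io/apiextensions-apiserver v0.24.1
 	k8s.io/apimachinery v0.24.1
 	k8s.io/client-go v0.24.1
 	k8s.io/klog v1.0.0
+	k8s.io/klog/v2 v2.60.1
 	k8s.io/utils v0.0.0-20220210201930-3a6ce19ff2f9
 	sigs.k8s.io/controller-runtime v0.12.1
 	sigs.k8s.io/yaml v1.3.0
 )
 
 require (
-	github.com/avast/retry-go/v3 v3.1.1
+	github.com/Azure/azure-sdk-for-go/sdk/internal v1.0.0 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/keyvault/internal v0.5.0 // indirect
+)
+
+require (
+	code.cloudfoundry.org/clock v1.0.0 // indirect
+	github.com/PuerkitoBio/purell v1.1.1 // indirect
+	github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/cespare/xxhash/v2 v2.1.2 // indirect
 	github.com/containerd/cgroups v1.0.1 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/docker/docker v20.10.8+incompatible // indirect
+	github.com/docker/go-connections v0.4.0 // indirect
+	github.com/emicklei/go-restful v2.9.5+incompatible // indirect
 	github.com/evanphx/json-patch v4.12.0+incompatible // indirect
 	github.com/fsnotify/fsnotify v1.5.4 // indirect
 	github.com/go-logr/logr v1.2.0 // indirect
+	github.com/go-openapi/jsonpointer v0.19.5 // indirect
+	github.com/go-openapi/jsonreference v0.19.5 // indirect
+	github.com/go-openapi/swag v0.19.14 // indirect
+	github.com/gofrs/uuid v3.3.0+incompatible // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
+	github.com/google/gnostic v0.5.7-v3refs // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
 	github.com/hashicorp/hcl v1.0.0 // indirect
 	github.com/hpcloud/tail v1.0.0 // indirect
 	github.com/imdario/mergo v0.3.12 // indirect
 	github.com/inconshreveable/mousetrap v1.0.0 // indirect
+	github.com/ishidawataru/sctp v0.0.0-20210226210310-f2269e66cdee // indirect
+	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
+	github.com/labstack/echo/v4 v4.7.2
+	github.com/labstack/gommon v0.3.1 // indirect
 	github.com/magiconair/properties v1.8.6 // indirect
+	github.com/mailru/easyjson v0.7.6 // indirect
+	github.com/mattn/go-colorable v0.1.12 // indirect
+	github.com/mattn/go-isatty v0.0.14 // indirect
 	github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 // indirect
 	github.com/mitchellh/mapstructure v1.5.0 // indirect
 	github.com/moby/spdystream v0.2.0 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
+	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/pelletier/go-toml v1.9.5 // indirect
+	github.com/pelletier/go-toml/v2 v2.0.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/prometheus/common v0.32.1 // indirect
 	github.com/prometheus/procfs v0.7.3 // indirect
@@ -77,9 +100,16 @@ require (
 	github.com/spf13/cast v1.5.0 // indirect
 	github.com/spf13/jwalterweatherman v1.1.0 // indirect
 	github.com/subosito/gotenv v1.3.0 // indirect
+	github.com/valyala/bytebufferpool v1.0.0 // indirect
+	github.com/valyala/fasttemplate v1.2.1 // indirect
+	github.com/vishvananda/netns v0.0.0-20210104183010-2eb08e3e575f // indirect
 	go.opencensus.io v0.23.0 // indirect
+	go.uber.org/atomic v1.9.0 // indirect
+	go.uber.org/multierr v1.6.0 // indirect
+	golang.org/x/crypto v0.0.0-20220511200225-c6db032c6c88
 	golang.org/x/net v0.0.0-20220520000938-2e3eb7b945c2 // indirect
 	golang.org/x/oauth2 v0.0.0-20220411215720-9780585627b5 // indirect
+	golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 // indirect
 	golang.org/x/text v0.3.7 // indirect
 	golang.org/x/time v0.0.0-20220210224613-90d013bbcef8 // indirect
 	golang.org/x/xerrors v0.0.0-20220517211312-f3a8303e98df // indirect
@@ -93,39 +123,9 @@ require (
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.0 // indirect
 	k8s.io/component-base v0.24.1 // indirect
-	k8s.io/klog/v2 v2.60.1
 	k8s.io/kube-openapi v0.0.0-20220328201542-3ee0da9b0b42 // indirect
-	sigs.k8s.io/structured-merge-diff/v4 v4.2.1 // indirect
-)
-
-require go.uber.org/zap v1.21.0
-
-require (
-	github.com/gofrs/uuid v3.3.0+incompatible // indirect
-	go.uber.org/atomic v1.9.0 // indirect
-	go.uber.org/multierr v1.6.0 // indirect
-)
-
-require (
-	github.com/PuerkitoBio/purell v1.1.1 // indirect
-	github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 // indirect
-	github.com/emicklei/go-restful v2.9.5+incompatible // indirect
-	github.com/go-openapi/jsonpointer v0.19.5 // indirect
-	github.com/go-openapi/jsonreference v0.19.5 // indirect
-	github.com/go-openapi/swag v0.19.14 // indirect
-	github.com/google/gnostic v0.5.7-v3refs // indirect
-	github.com/josharian/intern v1.0.0 // indirect
-	github.com/labstack/echo/v4 v4.7.2
-	github.com/labstack/gommon v0.3.1 // indirect
-	github.com/mailru/easyjson v0.7.6 // indirect
-	github.com/mattn/go-colorable v0.1.12 // indirect
-	github.com/mattn/go-isatty v0.0.14 // indirect
-	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
-	github.com/pelletier/go-toml/v2 v2.0.1 // indirect
-	github.com/valyala/bytebufferpool v1.0.0 // indirect
-	github.com/valyala/fasttemplate v1.2.1 // indirect
-	golang.org/x/crypto v0.0.0-20220411220226-7b82a4e95df4 // indirect
 	sigs.k8s.io/json v0.0.0-20211208200746-9f7c6b3444d2 // indirect
+	sigs.k8s.io/structured-merge-diff/v4 v4.2.1 // indirect
 )
 
 replace (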

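--- a/go.sum
+++ b/go.sum
@@ -44,7 +44,17 @@ code.cloudfoundry.org/clock v0.0.0-20180518195852-02e53af36e6c/go.mod h1:QD9Lzhd
 code.cloudfoundry.org/clock v1.0.0 h1:kFXWQM4bxYvdBw2X8BbBeXwQNgfoWv1vqAk2ZZyBN2o=
 code.cloudfoundry.org/clock v1.0.0/go.mod h1:QD9Lzhd/ux6eNQVUDVRJX/RKTigpewimNYBi7ivZKY8=
 dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
+github.com/Azure/azure-sdk-for-go v16.2.1+incompatible h1:KnPIugL51v3N3WwvaSmZbxukD1WuWXOiE9fRdu32f2I=
 github.com/Azure/azure-sdk-for-go v16.2.1+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc=
+github.com/Azure/azure-sdk-for-go/sdk/azcore v1.0.0 h1:sVPhtT2qjO86rTUaWMr4WoES4TkjGnzcioXcnHV9s5k=
+github.com/Azure/azure-sdk-for-go/sdk/azcore v1.0.0/go.mod h1:uGG2W01BaETf0Ozp+QxxKJdMBNRWPdstHG0Fmdwn1/U=
+github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.0.0 h1:Yoicul8bnVdQrhDMTHxdEckRGX01XvwXDHUT9zYZ3k0=
+github.com/Azure/azure-sdk-for-go/sdk/internal v1.0.0 h1:jp0dGvZ7ZK0mgqnTSClMxa5xuRL7NZgHameVYF6BurY=
+github.com/Azure/azure-sdk-for-go/sdk/internal v1.0.0/go.mod h1:eWRD7oawr1Mu1sLCawqVc0CUiF43ia3qQMxLscsKQ9w=
+github.com/Azure/azure-sdk-for-go/sdk/keyvault/azsecrets v0.7.1 h1:X7FHRMKr0u5YiPnD6L/nqG64XBOcK0IYavhAHBQEmms=
+github.com/Azure/azure-sdk-for-go/sdk/keyvault/azsecrets v0.7.1/go.mod h1:WcC2Tk6JyRlqjn2byvinNnZzgdXmZ1tOiIOWNh1u0uA=
+github.com/Azure/azure-sdk-for-go/sdk/keyvault/internal v0.5.0 h1:9cn6ICCGiWFNA/slKnrkf+ENyvaCRKHtuoGtnLIAgao=
+github.com/Azure/azure-sdk-for-go/sdk/keyvault/internal v0.5.0/go.mod h1:9V2j0jn9jDEkCkv8w/bKTNppX/d0FVA1ud77xCIP4KA=
 github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78/go.mod h1:LmzpDX56iTiv29bbRTIsUNlaFfuhWRQBWjQdVyAevI8=
 github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
 github.com/Azure/go-autorest v10.8.1+incompatible/go.mod h1:r+4oMnoxhatjLLJ6zxSWATqVooLgysK6ZNox3g/xq24=
@@ -60,6 +70,7 @@ github.com/Azure/go-autorest/autorest/mocks v0.4.1/go.mod h1:LTp+uSrOhSkaKrUy935
 github.com/Azure/go-autorest/logger v0.2.0/go.mod h1:T9E3cAhj2VqvPOtCYAvby9aBXkZmbF5NWuPV8+WeEW8=
 github.com/Azure/go-autorest/logger v0.2.1/go.mod h1:T9E3cAhj2VqvPOtCYAvby9aBXkZmbF5NWuPV8+WeEW8=
 github.com/Azure/go-autorest/tracing v0.6.0/go.mod h1:+vhtPC754Xsa23ID7GlGsrdKBpUA79WCAKPPZVC2DeU=
+github.com/AzureAD/microsoft-authentication-library-for-go v0.4.0 h1:WVsrXCnHlDDX8ls+tootqRE87/hL9S/g4ewig9RsD/c=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
 github.com/Masterminds/semver v1.5.0 h1:H65muMkzWKEuNDnfl9d70GUjFniHKHRbFPGBuZ3QEww=
@@ -259,6 +270,7 @@ github.com/dgrijalva/jwt-go v0.0.0-20170104182250-a601269ab70c/go.mod h1:E3ru+11
 github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
 github.com/dgryski/go-sip13 v0.0.0-20181026042036-e10d5fee7954/go.mod h1:vAd38F8PWV+bWy6jNmig1y/TA+kYO4g3RSRF0IAv0no=
 github.com/dnaeon/go-vcr v1.0.1/go.mod h1:aBB1+wY4s93YsC3HHjMBMrwTj2R9FHDzUr9KyGc8n1E=
+github.com/dnaeon/go-vcr v1.1.0 h1:ReYa/UBrRyQdant9B4fNHGoCNKw6qh6P0fsdGmZpR7c=
 github.com/docker/cli v0.0.0-20191017083524-a8ff7f821017/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
 github.com/docker/distribution v0.0.0-20190905152932-14b96e55d84c/go.mod h1:0+TTO4EOBfRPhZXAeF1Vu+W3hHZ8eLp8PgKVZlcvtFY=
 github.com/docker/distribution v2.7.1-0.20190205005809-0d3efadf0154+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
@@ -364,6 +376,7 @@ github.com/gogo/protobuf v1.3.0/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXP
 github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
+github.com/golang-jwt/jwt v3.2.2+incompatible h1:IfV12K8xAKAnZqdXVzCZ+TOjboZ2keLg81eXfW3O+oY=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
 github.com/golang/glog v1.0.0/go.mod h1:EWib/APOK0SL3dFbYqvxE3UYd8E6s1ouQ7iEp/0LWV4=
 github.com/golang/groupcache v0.0.0-20160516000752-02826c3e7903/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
@@ -550,6 +563,7 @@ github.com/kr/pty v1.1.5/go.mod h1:9r2w37qlBe7rQ6e1fg1S/9xpWHSnaqNdHD3WcMdbPDA=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
+github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=
 github.com/labstack/echo/v4 v4.7.2 h1:Kv2/p8OaQ+M6Ex4eGimg9b9e6icoxA42JSlOR3msKtI=
 github.com/labstack/echo/v4 v4.7.2/go.mod h1:xkCDAdFCIf8jsFQ5NnbK7oqaF/yU1A1X20Ltm0OvSks=
 github.com/labstack/gommon v0.3.1 h1:OomWaJXm7xR6L1HmEtGyQf26TEn7V6X88mktX9kee9o=
@@ -663,6 +677,7 @@ github.com/pelletier/go-toml v1.9.5/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCko
 github.com/pelletier/go-toml/v2 v2.0.1 h1:8e3L2cCQzLFi2CR4g7vGFuFxX7Jl1kKX8gW+iV0GUKU=
 github.com/pelletier/go-toml/v2 v2.0.1/go.mod h1:r9LEWfGN8R5k0VXJ+0BkIe7MYkRdwZOjgMj2KwnJFUo=
 github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU=
+github.com/pkg/browser v0.0.0-20210115035449-ce105d075bb4 h1:Qj1ukM4GlMWXNdMBuXcXfz/Kw9s1qm0CLY32QxuSImI=
 github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.8.1-0.20171018195549-f15c970de5b7/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
@@ -898,8 +913,8 @@ golang.org/x/crypto v0.0.0-20210421170649-83a5a9bb288b/go.mod h1:T9bdIzuCu7OtxOm
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.0.0-20211108221036-ceb1ce70b4fa/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.0.0-20220214200702-86341886e292/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
-golang.org/x/crypto v0.0.0-20220411220226-7b82a4e95df4 h1:kUhD7nTDoI3fVd9G4ORWrbV5NY0liEs/Jg2pv5f+bBA=
-golang.org/x/crypto v0.0.0-20220411220226-7b82a4e95df4/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
+golang.org/x/crypto v0.0.0-20220511200225-c6db032c6c88 h1:Tgea0cVUD0ivh5ADBX4WwuI12DUd2to3nCYe2eayMIw=
+golang.org/x/crypto v0.0.0-20220511200225-c6db032c6c88/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=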

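--- a/keyvault/_example/main.go
+++ b/keyvault/_example/main.go
@@ -0,0 +1,147 @@
+package main
+
+import (
+	"context"
+	"crypto/tls"
+	"crypto/x509"
+	"flag"
+	"fmt"
+	"io"
+	"net/http"
+	"os"
+	"time"
+
+	"github.com/Azure/azure-container-networking/keyvault"
+	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
+	"go.uber.org/zap"
+	"go.uber.org/zap/zapcore"
+)
+
+const serverAddr = "127.0.0.1:9005"
+
+var logger *zap.Logger
+
+func mustArgs() (kvURL string, kvCert string) {
+	flag.StringVar(&kvURL, "keyvault-url", "", "keyvault url")
+	flag.StringVar(&kvCert, "keyvault-cert-name", "", "keyvault certificate name")
+	flag.Parse()
+	if kvURL == "" || kvCert == "" {
+		flag.Usage()
+		os.Exit(1)
+	}
+	core := zapcore.NewCore(zapcore.NewConsoleEncoder(zap.NewDevelopmentEncoderConfig()), os.Stdout, zap.DebugLevel)
+	logger = zap.New(core)
+	return
+}
+
+// you must be logged in via the az cli and have proper permissions to a keyvault to run this example
+func main() {
+	kvURL, kvCert := mustArgs()
+	cred, err := azidentity.NewDefaultAzureCredential(nil)
+	if err != nil {
+		logger.Fatal("could not create credentials", zap.Error(err))
+	}
+
+	kvs, err := keyvault.NewShim(kvURL, cred)
+	if err != nil {
+		logger.Fatal("could not create keyvault client", zap.Error(err))
+	}
+
+	tlsCert, err := kvs.GetLatestTLSCertificate(context.TODO(), kvCert)
+	if err != nil {
+		logger.Fatal("could not get tls cert from keyvault", zap.Error(err))
+	}
+
+	clientTLSConfig, err := createClientTLSConfig(tlsCert)
+	if err != nil {
+		logger.Fatal("could not create client tls config", zap.Error(err))
+	}
+
+	server := http.Server{
+		Addr: serverAddr,
+		Handler: http.HandlerFunc(func(writer http.ResponseWriter, request *http.Request) {
+			_, _ = writer.Write([]byte("hello"))
+		}),
+		TLSConfig: &tls.Config{
+			Certificates: []tls.Certificate{tlsCert},
+			ClientCAs:    clientTLSConfig.RootCAs,
+			ClientAuth:   tls.RequireAndVerifyClientCert,
+		},
+	}
+
+	go func() {
+		if err := server.ListenAndServeTLS("", ""); err != nil {
+			logger.Fatal("could not serve tls", zap.Error(err))
+		}
+	}()
+
+	// wait for a short time to allow server to start
+	time.Sleep(time.Second)
+
+	client := http.Client{
+		Transport: &http.Transport{
+			TLSClientConfig: clientTLSConfig,
+		},
+	}
+
+	addr := fmt.Sprintf("https://%s", serverAddr)
+	resp, err := client.Get(addr)
+	if err != nil {
+		logger.Fatal("could not get response", zap.String("host", addr), zap.Error(err))
+	}
+
+	printTLSConnState(resp.TLS)
+
+	bs, _ := io.ReadAll(resp.Body)
+	logger.Info("response from tls server", zap.String("body bytes", string(bs)))
+}
+
+func createClientTLSConfig(tlsCert tls.Certificate) (*tls.Config, error) {
+	certs := x509.NewCertPool()
+
+	if len(tlsCert.Certificate) == 1 { // self signed
+		cer, err := x509.ParseCertificate(tlsCert.Certificate[0])
+		if err != nil {
+			return nil, err
+		}
+		certs.AddCert(cer)
+		return &tls.Config{RootCAs: certs, ServerName: tlsCert.Leaf.Subject.CommonName}, nil
+	}
+
+	for i, bytes := range tlsCert.Certificate {
+		if i == 0 {
+			continue // skip leaf
+		}
+		cer, err := x509.ParseCertificate(bytes)
+		if err != nil {
+			return nil, err
+		}
+		certs.AddCert(cer)
+	}
+
+	return &tls.Config{Certificates: []tls.Certificate{tlsCert}, RootCAs: certs, ServerName: tlsCert.Leaf.Subject.CommonName}, nil
+}
+
+func printTLSConnState(connState *tls.ConnectionState) {
+	logger.Info("response tls connection state", zap.Object("conn state", loggableConnState(*connState)))
+
+	for i, cert := range connState.PeerCertificates {
+		logger.Info(fmt.Sprintf("peer certificate %d:", i), zap.Stringer("subject", cert.Subject), zap.Stringer("issuer", cert.Issuer))
+	}
+
+	for i, chain := range connState.VerifiedChains {
+		for j, cert := range chain {
+			logger.Info(fmt.Sprintf("chain %d, cert %d:", i, j), zap.Stringer("subject", cert.Subject), zap.Stringer("issuer", cert.Issuer))
+		}
+	}
+}
+
+type loggableConnState tls.ConnectionState
+
+func (l loggableConnState) MarshalLogObject(encoder zapcore.ObjectEncoder) error {
+	encoder.AddString("server name", l.ServerName)
+	encoder.AddBool("handshake complete", l.HandshakeComplete)
+	encoder.AddInt("peer certificates", len(l.PeerCertificates))
+	encoder.AddInt("verified certificates", len(l.VerifiedChains))
+	return nil
+}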
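Review bot: The self-signed branch of `createClientTLSConfig` returns a config without `Certificates`, so the client presents no certificate while the server built in `main` demands one via `tls.RequireAndVerifyClientCert`; the mutual-TLS handshake fails for any single-certificate vault entry, and the early return should mirror the chain case: `return &tls.Config{Certificates: []tls.Certificate{tlsCert}, RootCAs: certs, ServerName: tlsCert.Leaf.Subject.CommonName}, nil`. Both returns dereference `tlsCert.Leaf`, which nothing in this file sets; whether `GetLatestTLSCertificate` populates it is not visible here, and if it does not this is a nil-pointer panic, so guard it or reuse the parsed leaf (`cer`) the self-signed branch already has, keeping in mind that Go's verifier matches `ServerName` against SANs rather than the CN. The example imports `github.com/Azure/azure-sdk-for-go/sdk/azidentity`, but the go.mod hunk adds only azcore and azsecrets and go.sum gains just an `h1:` line for azidentity; presumably the `_example` directory is skipped by `go mod tidy`, so this program may not build from the module as committed. Finally, `resp.Body` is read but never closed and the `io.ReadAll` error is discarded; `defer resp.Body.Close()` after the `client.Get` error check and checking the read error would close that gap.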
