feat: add support for SPKI fingerprint generation and matching

This can be used to allow only specific certificates with TLS. Signed-off-by: Andrey Smirnov <smirnov.andrey@gmail.com>
siderolabs · Nov 12, 2020 · 12a4897 · 12a4897
1 parent d0c3eef
commit 12a4897
Show file tree

Hide file tree

Showing 12 changed files with 448 additions and 47 deletions.
diff --git a/.conform.yaml b/.conform.yaml
@@ -0,0 +1,34 @@
+# THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
+#
+# Generated on 2020-11-11T19:39:46Z by kres latest.
+
+policies:
+- type: commit
+  spec:
+    dco: true
+    gpg: false
+    spellcheck:
+      locale: US
+    maximumOfOneCommit: true
+    header:
+      length: 89
+      imperative: true
+      case: lower
+      invalidLastCharacters: .
+    body:
+      required: true
+    conventional:
+      types: ["chore","docs","perf","refactor","style","test","release"]
+      scopes: ["*"]
+- type: license
+  spec:
+    skipPaths:
+      - .git/
+    includeSuffixes:
+      - .go
+    excludeSuffixes:
+      - .pb.go
+    header: |
+      // This Source Code Form is subject to the terms of the Mozilla Public
+      // License, v. 2.0. If a copy of the MPL was not distributed with this
+      // file, You can obtain one at http://mozilla.org/MPL/2.0/.
diff --git a/.dockerignore b/.dockerignore
@@ -1,10 +1,12 @@
 # THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
 #
-# Generated on 2020-08-17T13:49:58Z by kres 3d35a96-dirty.
+# Generated on 2020-11-11T19:39:46Z by kres latest.
 
 **
 !tls
 !x509
 !go.mod
 !go.sum
 !.golangci.yml
+!README.md
+!.markdownlint.json
diff --git a/.drone.yml b/.drone.yml
@@ -1,7 +1,7 @@
 ---
 # THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
 #
-# Generated on 2020-08-13T17:14:02Z by kres f4c4987.
+# Generated on 2020-11-11T19:40:41Z by kres latest.
 
 kind: pipeline
 type: kubernetes
@@ -29,10 +29,10 @@ steps:
     path: /var/outer-run
   - name: docker-socket
     path: /var/run
-  - name: ssh
-    path: /root/.ssh
   - name: buildx
     path: /root/.docker/buildx
+  - name: ssh
+    path: /root/.ssh
 
 - name: base
   pull: always
@@ -44,29 +44,12 @@ steps:
     path: /var/outer-run
   - name: docker-socket
     path: /var/run
-  - name: ssh
-    path: /root/.ssh
   - name: buildx
     path: /root/.docker/buildx
-  depends_on:
-  - setup-ci
-
-- name: lint
-  pull: always
-  image: autonomy/build-container:latest
-  commands:
-  - make lint
-  volumes:
-  - name: outer-docker-socket
-    path: /var/outer-run
-  - name: docker-socket
-    path: /var/run
   - name: ssh
     path: /root/.ssh
-  - name: buildx
-    path: /root/.docker/buildx
   depends_on:
-  - base
+  - setup-ci
 
 - name: unit-tests
   pull: always
@@ -78,10 +61,10 @@ steps:
     path: /var/outer-run
   - name: docker-socket
     path: /var/run
-  - name: ssh
-    path: /root/.ssh
   - name: buildx
     path: /root/.docker/buildx
+  - name: ssh
+    path: /root/.ssh
   depends_on:
   - base
 
@@ -95,10 +78,10 @@ steps:
     path: /var/outer-run
   - name: docker-socket
     path: /var/run
-  - name: ssh
-    path: /root/.ssh
   - name: buildx
     path: /root/.docker/buildx
+  - name: ssh
+    path: /root/.ssh
   depends_on:
   - base
 
@@ -115,12 +98,29 @@ steps:
     path: /var/outer-run
   - name: docker-socket
     path: /var/run
+  - name: buildx
+    path: /root/.docker/buildx
   - name: ssh
     path: /root/.ssh
+  depends_on:
+  - unit-tests
+
+- name: lint
+  pull: always
+  image: autonomy/build-container:latest
+  commands:
+  - make lint
+  volumes:
+  - name: outer-docker-socket
+    path: /var/outer-run
+  - name: docker-socket
+    path: /var/run
   - name: buildx
     path: /root/.docker/buildx
+  - name: ssh
+    path: /root/.ssh
   depends_on:
-  - unit-tests
+  - base
 
 services:
 - name: docker
@@ -132,17 +132,16 @@ services:
   - --dns=8.8.4.4
   - --mtu=1500
   - --log-level=error
-  - --insecure-registry=http://registry.ci.svc:5000
   privileged: true
   volumes:
   - name: outer-docker-socket
     path: /var/outer-run
   - name: docker-socket
     path: /var/run
-  - name: ssh
-    path: /root/.ssh
   - name: buildx
     path: /root/.docker/buildx
+  - name: ssh
+    path: /root/.ssh
 
 volumes:
 - name: outer-docker-socket

diff --git a/.markdownlint.json b/.markdownlint.json
@@ -0,0 +1,9 @@
+# THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
+#
+# Generated on 2020-11-11T19:39:46Z by kres latest.
+
+{
+    "MD013": false,
+    "MD033": false,
+    "default": true
+  }
diff --git a/Dockerfile b/Dockerfile
@@ -2,10 +2,19 @@
 
 # THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
 #
-# Generated on 2020-08-17T13:49:58Z by kres 3d35a96-dirty.
+# Generated on 2020-11-11T19:39:46Z by kres latest.
 
 ARG TOOLCHAIN
 
+# runs markdownlint
+FROM node:14.8.0-alpine AS lint-markdown
+RUN npm i -g markdownlint-cli@0.23.2
+RUN npm i sentences-per-line@0.2.1
+WORKDIR /src
+COPY .markdownlint.json .
+COPY ./README.md ./README.md
+RUN markdownlint --ignore "**/node_modules/**" --ignore '**/hack/chglog/**' --rules /node_modules/sentences-per-line/index.js .
+
 # base toolchain image
 FROM ${TOOLCHAIN} AS toolchain
 RUN apk --update --no-cache add bash curl build-base
@@ -14,6 +23,7 @@ RUN apk --update --no-cache add bash curl build-base
 FROM toolchain AS tools
 ENV GO111MODULE on
 ENV CGO_ENABLED 0
+ENV GOPATH /go
 RUN curl -sfL https://install.goreleaser.com/github.com/golangci/golangci-lint.sh | bash -s -- -b /bin v1.30.0
 ARG GOFUMPT_VERSION
 RUN cd $(mktemp -d) \
@@ -26,11 +36,11 @@ FROM tools AS base
 WORKDIR /src
 COPY ./go.mod .
 COPY ./go.sum .
-RUN go mod download
-RUN go mod verify
+RUN --mount=type=cache,target=/go/pkg go mod download
+RUN --mount=type=cache,target=/go/pkg go mod verify
 COPY ./tls ./tls
 COPY ./x509 ./x509
-RUN go list -mod=readonly all >/dev/null
+RUN --mount=type=cache,target=/go/pkg go list -mod=readonly all >/dev/null
 
 # runs gofumpt
 FROM base AS lint-gofumpt
@@ -41,17 +51,17 @@ RUN FILES="$(gofumports -l -local github.com/talos-systems/crypto .)" && test -z
 FROM base AS lint-golangci-lint
 COPY .golangci.yml .
 ENV GOGC 50
-RUN --mount=type=cache,target=/root/.cache/go-build --mount=type=cache,target=/root/.cache/golangci-lint golangci-lint run --config .golangci.yml
+RUN --mount=type=cache,target=/root/.cache/go-build --mount=type=cache,target=/root/.cache/golangci-lint --mount=type=cache,target=/go/pkg golangci-lint run --config .golangci.yml
 
 # runs unit-tests with race detector
 FROM base AS unit-tests-race
 ARG TESTPKGS
-RUN --mount=type=cache,target=/root/.cache/go-build --mount=type=cache,target=/tmp CGO_ENABLED=1 go test -v -race -count 1 ${TESTPKGS}
+RUN --mount=type=cache,target=/root/.cache/go-build --mount=type=cache,target=/go/pkg --mount=type=cache,target=/tmp CGO_ENABLED=1 go test -v -race -count 1 ${TESTPKGS}
 
 # runs unit-tests
 FROM base AS unit-tests-run
 ARG TESTPKGS
-RUN --mount=type=cache,target=/root/.cache/go-build --mount=type=cache,target=/tmp go test -v -covermode=atomic -coverprofile=coverage.txt -count 1 ${TESTPKGS}
+RUN --mount=type=cache,target=/root/.cache/go-build --mount=type=cache,target=/go/pkg --mount=type=cache,target=/tmp go test -v -covermode=atomic -coverprofile=coverage.txt -count 1 ${TESTPKGS}
 
 FROM scratch AS unit-tests
 COPY --from=unit-tests-run /src/coverage.txt /coverage.txt

diff --git a/Makefile b/Makefile
@@ -1,20 +1,20 @@
 # THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
 #
-# Generated on 2020-08-13T17:14:02Z by kres f4c4987.
+# Generated on 2020-11-11T19:40:41Z by kres latest.
 
 # common variables
 
 SHA := $(shell git describe --match=none --always --abbrev=8 --dirty)
 TAG := $(shell git describe --tag --always --dirty)
 BRANCH := $(shell git rev-parse --abbrev-ref HEAD)
 ARTIFACTS := _out
-REGISTRY ?= docker.io
-USERNAME ?= autonomy
+REGISTRY ?= ghcr.io
+USERNAME ?= talos-systems
 REGISTRY_AND_USERNAME ?= $(REGISTRY)/$(USERNAME)
 GOFUMPT_VERSION ?= abc0db2c416aca0f60ea33c23c76665f6e7ba0b6
 GO_VERSION ?= 1.14
 TESTPKGS ?= ./...
-KRES_IMAGE ?= autonomy/kres:latest
+KRES_IMAGE ?= ghcr.io/talos-systems/kres:latest
 
 # docker build settings
 
@@ -34,7 +34,7 @@ COMMON_ARGS += --build-arg=USERNAME=$(USERNAME)
 COMMON_ARGS += --build-arg=TOOLCHAIN=$(TOOLCHAIN)
 COMMON_ARGS += --build-arg=GOFUMPT_VERSION=$(GOFUMPT_VERSION)
 COMMON_ARGS += --build-arg=TESTPKGS=$(TESTPKGS)
-TOOLCHAIN ?= docker.io/golang:1.14-alpine
+TOOLCHAIN ?= docker.io/golang:1.15-alpine
 
 # help menu
 
@@ -69,7 +69,7 @@ respectively.
 
 endef
 
-all: lint unit-tests
+all: unit-tests lint
 
 .PHONY: clean
 clean:  ## Cleans up all artifacts.
@@ -98,9 +98,6 @@ fmt:  ## Formats the source code
 base:  ## Prepare base toolchain
 	@$(MAKE) target-$@
 
-.PHONY: lint
-lint: lint-golangci-lint lint-gofumpt  ## Run all linters for the project.
-
 .PHONY: unit-tests
 unit-tests:  ## Performs unit tests
 	@$(MAKE) local-$@ DEST=$(ARTIFACTS)
@@ -113,10 +110,17 @@ unit-tests-race:  ## Performs unit tests with race detection enabled.
 coverage:  ## Upload coverage data to codecov.io.
 	bash -c "bash <(curl -s https://codecov.io/bash) -f $(ARTIFACTS)/coverage.txt -X fix"
 
+.PHONY: lint-markdown
+lint-markdown:  ## Runs markdownlint.
+	@$(MAKE) target-$@
+
+.PHONY: lint
+lint: lint-golangci-lint lint-gofumpt lint-markdown  ## Run all linters for the project.
+
 .PHONY: rekres
 rekres:
 	@docker pull $(KRES_IMAGE)
-	@docker run --rm -v $(PWD):/src -w /src $(KRES_IMAGE)
+	@docker run --rm -v $(PWD):/src -w /src -e GITHUB_TOKEN $(KRES_IMAGE)
 
 .PHONY: help
 help:  ## This help menu.

diff --git a/hack/git-chglog/CHANGELOG.tpl.md b/hack/git-chglog/CHANGELOG.tpl.md
@@ -0,0 +1,26 @@
+<!-- THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT. -->
+<!--  -->
+<!-- Generated on 2020-11-11T19:39:46Z by kres latest. -->
+
+{{ range .Versions }}
+<a name="{{ .Tag.Name }}"></a>
+## {{ if .Tag.Previous }}[{{ .Tag.Name }}]({{ $.Info.RepositoryURL }}/compare/{{ .Tag.Previous.Name }}...{{ .Tag.Name }}){{ else }}{{ .Tag.Name }}{{ end }} ({{ datetime "2006-01-02" .Tag.Date }})
+
+{{ range .CommitGroups -}}
+### {{ .Title }}
+
+{{ range .Commits -}}
+* {{ if .Scope }}**{{ .Scope }}:** {{ end }}{{ .Subject }}
+{{ end }}
+{{ end -}}
+
+{{- if .NoteGroups -}}
+{{ range .NoteGroups -}}
+### {{ .Title }}
+
+{{ range .Notes }}
+{{ .Body }}
+{{ end }}
+{{ end -}}
+{{ end -}}
+{{ end -}}
diff --git a/hack/git-chglog/config.yaml b/hack/git-chglog/config.yaml
@@ -0,0 +1,32 @@
+# THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
+#
+# Generated on 2020-11-11T19:39:46Z by kres latest.
+
+style: github
+template: CHANGELOG.tpl.md
+info:
+  title: CHANGELOG
+  repository_url: https://github.com/talos-systems/crypto
+options:
+  commits:
+    # filters:
+    #   Type:
+    #     - feat
+    #     - fix
+    #     - perf
+    #     - refactor
+  commit_groups:
+    # title_maps:
+    #   feat: Features
+    #   fix: Bug Fixes
+    #   perf: Performance Improvements
+    #   refactor: Code Refactoring
+  header:
+    pattern: "^(\\w*)(?:\\(([\\w\\$\\.\\-\\*\\s]*)\\))?\\:\\s(.*)$"
+    pattern_maps:
+      - Type
+      - Scope
+      - Subject
+  notes:
+    keywords:
+      - BREAKING CHANGE