Use docker-credential-helper to manage secrets (WIP)

Store service credentials securely in the stores supported by docker: - https://github.com/docker/docker-credential-helpers#available-programs Introduces a top-level config property, "secretStore" and additional command line arguments to manage the stored secrets. The value of secretStore is used to find a helper command, `docker-credential-<secretStore>`. The docker project currently provides 4 store helpers: - "osxkeychain" (OS X only) - "secretservice" (Linux only) - "wincred" (Windows only) - "pass" (any OS supporting pass, which uses gpg2) Docker-for-desktop installs the credential helpers above, as well as "desktop" (docker-credential-desktop). Generic installation instructions for the helpers: - https://github.com/docker/docker-credential-helpers#installation Users could provide additional helpers, the only requirement is that the helper implements the credential store protocol: - https://github.com/docker/docker-credential-helpers#development The credential protocol is open, and new credential stores can be implemented by any CLI satisfying the protocol: - https://github.com/docker/docker-credential-helpers#development The modifications to existing modules is not tested due to lack of API keys, but demonstrates the unobtrusive changes required to use the secret store.
2025-01-18 04:03:14 -08:00 · 2020-03-31 10:45:16 -07:00
parent cc8f5f76ba
commit b2982cc668
31 changed files with 484 additions and 1 deletions
--- a/modules/azuredevops/settings.go
+++ b/modules/azuredevops/settings.go
@@ -35,5 +35,13 @@ func NewSettingsFromYAML(name string, ymlConfig *config.Config, globalConfig *co
 		projectName: ymlConfig.UString("projectName", os.Getenv("WTF_AZURE_DEVOPS_PROJECT_NAME")),
 	}

+	cfg.ConfigureSecret(
+		globalConfig,
+		settings.orgURL,
+		"",
+		&settings.projectName,
+		&settings.apiToken,
+	)
+
 	return &settings
 }
--- a/modules/bamboohr/settings.go
+++ b/modules/bamboohr/settings.go
@@ -27,5 +27,13 @@ func NewSettingsFromYAML(name string, ymlConfig *config.Config, globalConfig *co
 		subdomain: ymlConfig.UString("subdomain", os.Getenv("WTF_BAMBOO_HR_SUBDOMAIN")),
 	}

+	cfg.ConfigureSecret(
+		globalConfig,
+		"",
+		name,
+		&settings.subdomain,
+		&settings.apiKey,
+	)
+
 	return &settings
 }
--- a/modules/buildkite/settings.go
+++ b/modules/buildkite/settings.go
@@ -1,10 +1,11 @@
 package buildkite

 import (
+	"os"
+
 	"github.com/olebedev/config"
 	"github.com/wtfutil/wtf/cfg"
 	"github.com/wtfutil/wtf/utils"
-	"os"
 )

 const (
@@ -35,6 +36,14 @@ func NewSettingsFromYAML(name string, ymlConfig *config.Config, globalConfig *co
 		pipelines: buildPipelineSettings(ymlConfig),
 	}

+	cfg.ConfigureSecret(
+		globalConfig,
+		"",
+		name,
+		&settings.orgSlug,
+		&settings.apiKey,
+	)
+
 	return &settings
 }

--- a/modules/circleci/settings.go
+++ b/modules/circleci/settings.go
@@ -26,5 +26,13 @@ func NewSettingsFromYAML(name string, ymlConfig *config.Config, globalConfig *co
 		apiKey: ymlConfig.UString("apiKey", ymlConfig.UString("apikey", os.Getenv("WTF_CIRCLE_API_KEY"))),
 	}

+	cfg.ConfigureSecret(
+		globalConfig,
+		"",
+		name,
+		nil,
+		&settings.apiKey,
+	)
+
 	return &settings
 }
--- a/modules/datadog/settings.go
+++ b/modules/datadog/settings.go
@@ -30,5 +30,21 @@ func NewSettingsFromYAML(name string, ymlConfig *config.Config, globalConfig *co
 		tags:           ymlConfig.UList("monitors.tags"),
 	}

+	cfg.ConfigureSecret(
+		globalConfig,
+		"",
+		"datadog-api",
+		nil,
+		&settings.apiKey,
+	)
+
+	cfg.ConfigureSecret(
+		globalConfig,
+		"",
+		"datadog-app",
+		nil,
+		&settings.applicationKey,
+	)
+
 	return &settings
 }
--- a/modules/digitalocean/settings.go
+++ b/modules/digitalocean/settings.go
@@ -31,5 +31,13 @@ func NewSettingsFromYAML(name string, ymlConfig *config.Config, globalConfig *co
 		dateFormat: ymlConfig.UString("dateFormat", wtf.DateFormat),
 	}

+	cfg.ConfigureSecret(
+		globalConfig,
+		"",
+		name,
+		nil,
+		&settings.apiKey,
+	)
+
 	return &settings
 }
--- a/modules/football/settings.go
+++ b/modules/football/settings.go
@@ -33,5 +33,14 @@ func NewSettingsFromYAML(name string, ymlConfig *config.Config, globalConfig *co
 		matchesTo:     ymlConfig.UInt("matchesTo", 5),
 		standingCount: ymlConfig.UInt("standingCount", 5),
 	}
+
+	cfg.ConfigureSecret(
+		globalConfig,
+		"",
+		name,
+		nil,
+		&settings.apiKey,
+	)
+
 	return &settings
 }
--- a/modules/gerrit/settings.go
+++ b/modules/gerrit/settings.go
@@ -41,6 +41,14 @@ func NewSettingsFromYAML(name string, ymlConfig *config.Config, globalConfig *co
 		verifyServerCertificate: ymlConfig.UBool("verifyServerCertificate", true),
 	}

+	cfg.ConfigureSecret(
+		globalConfig,
+		settings.domain,
+		name,
+		nil, // Seems like it should be mandatory, but its optional above.
+		&settings.password,
+	)
+
 	settings.colors.rows.even = ymlConfig.UString("colors.rows.even", "white")
 	settings.colors.rows.odd = ymlConfig.UString("colors.rows.odd", "blue")

--- a/modules/github/settings.go
+++ b/modules/github/settings.go
@@ -17,6 +17,7 @@ type Settings struct {
 	common *cfg.Common

 	apiKey        string        `help:"Your GitHub API token."`
+	apiSecret     string        `help:"Secret store for your GitHub API token."`
 	baseURL       string        `help:"Your GitHub Enterprise API URL." optional:"true"`
 	customQueries []customQuery `help:"Custom queries allow you to filter pull requests and issues however you like. Give the query a title and a filter. Filters can be copied directly from GitHub’s UI." optional:"true"`
 	enableStatus  bool          `help:"Display pull request mergeability status (‘dirty’, ‘clean’, ‘unstable’, ‘blocked’)." optional:"true"`
@@ -45,6 +46,14 @@ func NewSettingsFromYAML(name string, ymlConfig *config.Config, globalConfig *co
 	settings.repositories = cfg.ParseAsMapOrList(ymlConfig, "repositories")
 	settings.customQueries = parseCustomQueries(ymlConfig)

+	cfg.ConfigureSecret(
+		globalConfig,
+		settings.baseURL,
+		name,
+		&settings.username,
+		&settings.apiKey,
+	)
+
 	return &settings
 }

--- a/modules/gitlab/settings.go
+++ b/modules/gitlab/settings.go
@@ -32,6 +32,14 @@ func NewSettingsFromYAML(name string, ymlConfig *config.Config, globalConfig *co
 		username: ymlConfig.UString("username"),
 	}

+	cfg.ConfigureSecret(
+		globalConfig,
+		settings.domain,
+		name,
+		&settings.username,
+		&settings.apiKey,
+	)
+
 	settings.projects = cfg.ParseAsMapOrList(ymlConfig, "projects")

 	return &settings
--- a/modules/gitlabtodo/settings.go
+++ b/modules/gitlabtodo/settings.go
@@ -32,5 +32,13 @@ func NewSettingsFromYAML(name string, ymlConfig *config.Config, globalConfig *co
 		showProject:   ymlConfig.UBool("showProject", true),
 	}

+	cfg.ConfigureSecret(
+		globalConfig,
+		settings.domain,
+		name,
+		nil,
+		&settings.apiKey,
+	)
+
 	return &settings
 }
--- a/modules/gitter/settings.go
+++ b/modules/gitter/settings.go
@@ -30,5 +30,13 @@ func NewSettingsFromYAML(name string, ymlConfig *config.Config, globalConfig *co
 		roomURI:          ymlConfig.UString("roomUri", "wtfutil/Lobby"),
 	}

+	cfg.ConfigureSecret(
+		globalConfig,
+		"https://api.gitter.im",
+		"",
+		&settings.apiToken,
+		nil,
+	)
+
 	return &settings
 }
--- a/modules/hibp/settings.go
+++ b/modules/hibp/settings.go
@@ -40,6 +40,13 @@ func NewSettingsFromYAML(name string, ymlConfig *config.Config, globalConfig *co
 		since:    ymlConfig.UString("since", ""),
 	}

+	cfg.ConfigureSecret(
+		globalConfig,
+		"https://haveibeenpwned.com/api",
+		"",
+		&settings.apiKey,
+		nil,
+	)
 	settings.colors.ok = ymlConfig.UString("colors.ok", "white")
 	settings.colors.pwned = ymlConfig.UString("colors.pwned", "red")

--- a/modules/jenkins/settings.go
+++ b/modules/jenkins/settings.go
@@ -36,5 +36,13 @@ func NewSettingsFromYAML(name string, ymlConfig *config.Config, globalConfig *co
 		verifyServerCertificate: ymlConfig.UBool("verifyServerCertificate", true),
 	}

+	cfg.ConfigureSecret(
+		globalConfig,
+		settings.url,
+		"",
+		&settings.user,
+		&settings.apiKey,
+	)
+
 	return &settings
 }
--- a/modules/jira/settings.go
+++ b/modules/jira/settings.go
@@ -45,6 +45,14 @@ func NewSettingsFromYAML(name string, ymlConfig *config.Config, globalConfig *co
 		verifyServerCertificate: ymlConfig.UBool("verifyServerCertificate", true),
 	}

+	cfg.ConfigureSecret(
+		globalConfig,
+		settings.domain,
+		"",
+		&settings.username,
+		&settings.apiKey,
+	)
+
 	settings.colors.rows.even = ymlConfig.UString("colors.even", "lightblue")
 	settings.colors.rows.odd = ymlConfig.UString("colors.odd", "white")

--- a/modules/newrelic/settings.go
+++ b/modules/newrelic/settings.go
@@ -30,5 +30,13 @@ func NewSettingsFromYAML(name string, ymlConfig *config.Config, globalConfig *co
 		applicationIDs: ymlConfig.UList("applicationIDs"),
 	}

+	cfg.ConfigureSecret(
+		globalConfig,
+		"newrelic.com",
+		"",
+		nil,
+		&settings.apiKey,
+	)
+
 	return &settings
 }
--- a/modules/opsgenie/settings.go
+++ b/modules/opsgenie/settings.go
@@ -33,6 +33,14 @@ func NewSettingsFromYAML(name string, ymlConfig *config.Config, globalConfig *co
 		scheduleIdentifierType: ymlConfig.UString("scheduleIdentifierType", "id"),
 	}

+	cfg.ConfigureSecret(
+		globalConfig,
+		"https://opsgenie.com",
+		"",
+		nil,
+		&settings.apiKey,
+	)
+
 	settings.schedule = settings.arrayifySchedules(ymlConfig, globalConfig)

 	return &settings
--- a/modules/pagerduty/settings.go
+++ b/modules/pagerduty/settings.go
@@ -37,5 +37,13 @@ func NewSettingsFromYAML(name string, ymlConfig *config.Config, globalConfig *co
 		showSchedules:    ymlConfig.UBool("showSchedules", true),
 	}

+	cfg.ConfigureSecret(
+		globalConfig,
+		"https://pagerduty.com",
+		"",
+		&settings.myName,
+		&settings.apiKey,
+	)
+
 	return &settings
 }
--- a/modules/pihole/settings.go
+++ b/modules/pihole/settings.go
@@ -34,5 +34,13 @@ func NewSettingsFromYAML(name string, ymlConfig *config.Config, globalConfig *co
 		maxDomainWidth: ymlConfig.UInt("maxDomainWidth", 20),
 	}

+	cfg.ConfigureSecret(
+		globalConfig,
+		settings.apiUrl,
+		"",
+		nil,
+		&settings.token,
+	)
+
 	return &settings
 }
--- a/modules/pocket/settings.go
+++ b/modules/pocket/settings.go
@@ -23,5 +23,13 @@ func NewSettingsFromYAML(name string, ymlConfig *config.Config, globalConfig *co
 		consumerKey: ymlConfig.UString("consumerKey"),
 	}

+	cfg.ConfigureSecret(
+		globalConfig,
+		"https://pocket.com",
+		"",
+		nil,
+		&settings.consumerKey,
+	)
+
 	return &settings
 }
--- a/modules/rollbar/settings.go
+++ b/modules/rollbar/settings.go
@@ -34,5 +34,13 @@ func NewSettingsFromYAML(name string, ymlConfig *config.Config, globalConfig *co
 		projectOwner:   ymlConfig.UString("projectOwner"),
 	}

+	cfg.ConfigureSecret(
+		globalConfig,
+		"https://rollbar.com",
+		"",
+		nil,
+		&settings.accessToken,
+	)
+
 	return &settings
 }
--- a/modules/spotifyweb/settings.go
+++ b/modules/spotifyweb/settings.go
@@ -30,5 +30,13 @@ func NewSettingsFromYAML(name string, ymlConfig *config.Config, globalConfig *co
 		secretKey:    ymlConfig.UString("secretKey", os.Getenv("SPOTIFY_SECRET")),
 	}

+	cfg.ConfigureSecret(
+		globalConfig,
+		"https://spotify.com",
+		"",
+		&settings.clientID,
+		&settings.secretKey,
+	)
+
 	return &settings
 }
--- a/modules/todoist/settings.go
+++ b/modules/todoist/settings.go
@@ -30,5 +30,13 @@ func NewSettingsFromYAML(name string, ymlConfig *config.Config, globalConfig *co
 		projects: utils.IntsToUints(utils.ToInts(ymlConfig.UList("projects"))),
 	}

+	cfg.ConfigureSecret(
+		globalConfig,
+		"https://todoist.com",
+		"",
+		nil,
+		&settings.apiKey,
+	)
+
 	return &settings
 }
--- a/modules/travisci/settings.go
+++ b/modules/travisci/settings.go
@@ -35,5 +35,13 @@ func NewSettingsFromYAML(name string, ymlConfig *config.Config, globalConfig *co
 		sort_by: ymlConfig.UString("sort_by", "id:desc"),
 	}

+	cfg.ConfigureSecret(
+		globalConfig,
+		"https://travis.com",
+		"",
+		&settings.baseURL,
+		&settings.apiKey,
+	)
+
 	return &settings
 }
--- a/modules/trello/settings.go
+++ b/modules/trello/settings.go
@@ -32,6 +32,14 @@ func NewSettingsFromYAML(name string, ymlConfig *config.Config, globalConfig *co
 		username:    ymlConfig.UString("username"),
 	}

+	cfg.ConfigureSecret(
+		globalConfig,
+		"https://trello.com",
+		"",
+		&settings.accessToken,
+		&settings.apiKey,
+	)
+
 	settings.list = buildLists(ymlConfig, globalConfig)

 	return &settings
--- a/modules/victorops/settings.go
+++ b/modules/victorops/settings.go
@@ -29,5 +29,13 @@ func NewSettingsFromYAML(name string, ymlConfig *config.Config, globalConfig *co
 		team:   ymlConfig.UString("team"),
 	}

+	cfg.ConfigureSecret(
+		globalConfig,
+		"https://victorops.com",
+		"",
+		&settings.apiID,
+		&settings.apiKey,
+	)
+
 	return &settings
 }
--- a/modules/zendesk/settings.go
+++ b/modules/zendesk/settings.go
@@ -31,5 +31,13 @@ func NewSettingsFromYAML(name string, ymlConfig *config.Config, globalConfig *co
 		username:  ymlConfig.UString("username"),
 	}

+	cfg.ConfigureSecret(
+		globalConfig,
+		"https://zendesk.com",
+		"",
+		&settings.subdomain,
+		&settings.apiKey,
+	)
+
 	return &settings
 }