cmd/genbuilderkey: migrate secrets to secret manager

This change retrieves the master builder key from secret manager. It
is part of the project to store all secrets in a single location.

Updates golang/go#37171

Change-Id: I0c8b8fe8a3db5b9583008bfc105391eca69fba78
Reviewed-on: https://go-review.googlesource.com/c/build/+/222958
Run-TryBot: Carlos Amedee <carlos@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Alexander Rakoczy <alex@golang.org>
diff --git a/cmd/genbuilderkey/genbuilderkey.go b/cmd/genbuilderkey/genbuilderkey.go
index 751d90e..7751beb 100644
--- a/cmd/genbuilderkey/genbuilderkey.go
+++ b/cmd/genbuilderkey/genbuilderkey.go
@@ -8,6 +8,7 @@
 
 import (
 	"bytes"
+	"context"
 	"crypto/hmac"
 	"crypto/md5"
 	"flag"
@@ -18,8 +19,9 @@
 	"os"
 	"path/filepath"
 	"strings"
+	"time"
 
-	"cloud.google.com/go/compute/metadata"
+	"golang.org/x/build/internal/secret"
 )
 
 func main() {
@@ -37,7 +39,7 @@
 }
 
 func getMasterKey() []byte {
-	v, err := metadata.ProjectAttributeValue("builder-master-key")
+	v, err := getMasterKeyFromSecretManager()
 	if err == nil {
 		return []byte(strings.TrimSpace(v))
 	}
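Review bot: The error returned by `getMasterKeyFromSecretManager()` is discarded when it is non-nil. Control falls through to code outside this hunk and can end in `log.Fatalf("no builder master key found")`, so a permission failure or a timeout against Secret Manager looks the same as a key that does not exist. Logging the error (never the value) before falling back would make this diagnosable, e.g. `log.Printf("secret manager lookup failed, trying fallback: %v", err)`. The success path also accepts a secret that trims to the empty string, which would key the HMAC with an empty master key; `if err == nil && strings.TrimSpace(v) != ""` would reject that case. getMasterKey's body continues outside the hunk.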
@@ -48,3 +50,18 @@
 	log.Fatalf("no builder master key found")
 	panic("not reachable")
 }
+
+// getMasterKeyFromSecretManager retrieves the master key from the secret
+// manager service.
+func getMasterKeyFromSecretManager() (string, error) {
+	sc, err := secret.NewClient()
+	if err != nil {
+		return "", err
+	}
+	defer sc.Close()
+
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+
+	return sc.Retrieve(ctx, secret.NameBuilderMasterKey)
+}
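Review bot: The 5-second deadline covers only `sc.Retrieve`, because `secret.NewClient()` is called without a context. If client construction can block (for example on credential lookup), that step is unbounded; this is worth confirming against the `secret` package. Both error paths return the error bare, so a caller cannot tell a client-creation failure from a retrieval failure. Wrapping would help, e.g. `return "", fmt.Errorf("creating secret manager client: %w", err)`, assuming `fmt` is among the imports not shown in this diff. The doc comment could also state the contract: `// It gives up after 5 seconds and returns the secret value untrimmed.`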