cmd/gitmirror: migrate secrets to secret manager
This change retrieves the GitHub ssh key from secret manager. It
is part of the project to store all secrets in a single location.
Updates golang/go#37171
Change-Id: I2cf604975b6ac9998ee39370a1f0f794388a1a70
Reviewed-on: https://go-review.googlesource.com/c/build/+/219879
Run-TryBot: Carlos Amedee <carlos@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Alexander Rakoczy <alex@golang.org>
diff --git a/cmd/gitmirror/gitmirror.go b/cmd/gitmirror/gitmirror.go
index 5aeb265..6d6fc77 100644
--- a/cmd/gitmirror/gitmirror.go
+++ b/cmd/gitmirror/gitmirror.go
@@ -28,9 +28,9 @@
"sync"
"time"
- "cloud.google.com/go/compute/metadata"
"golang.org/x/build/gerrit"
"golang.org/x/build/internal/gitauth"
+ "golang.org/x/build/internal/secret"
"golang.org/x/build/maintner"
"golang.org/x/build/maintner/godata"
repospkg "golang.org/x/build/repos"
@@ -57,31 +57,38 @@
log.Printf("gitmirror running.")
+ sc := mustCreateSecretClient()
+ defer sc.Close()
+
go pollGerritAndTickle()
go subscribeToMaintnerAndTickleLoop()
- err := runGitMirror()
+ err := runGitMirror(sc)
log.Fatalf("gitmirror exiting after failure: %v", err)
}
// runGitMirror is a little wrapper so we can use defer and return to signal
// errors. It should only return a non-nil error.
-func runGitMirror() error {
+func runGitMirror(sc *secret.Client) error {
if *mirror {
sshDir := filepath.Join(homeDir(), ".ssh")
sshKey := filepath.Join(sshDir, "id_ed25519")
if _, err := os.Stat(sshKey); err == nil {
log.Printf("Using github ssh key at %v", sshKey)
} else {
- if privKey, err := metadata.ProjectAttributeValue("github-ssh"); err == nil && len(privKey) > 0 {
+
+ ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
+ defer cancel()
+
+ if privKey, err := sc.Retrieve(ctx, secret.NameGitHubSSHKey); err == nil && len(privKey) > 0 {
if err := os.MkdirAll(sshDir, 0700); err != nil {
return err
}
if err := ioutil.WriteFile(sshKey, []byte(privKey+"\n"), 0600); err != nil {
return err
}
- log.Printf("Wrote %s from GCE metadata.", sshKey)
+ log.Printf("Wrote %s from GCP secret manager.", sshKey)
} else {
- return fmt.Errorf("Can't mirror to github without 'github-ssh' GCE metadata or file %v", sshKey)
+ return fmt.Errorf("Can't mirror to github without %q GCP secret manager or file %v", secret.NameGitHubSSHKey, sshKey)
}
}
}
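Review bot: The error returned by sc.Retrieve is dropped in the else branch, so a permission denial, a timeout of the 10-second context, or an empty secret all surface as the same "Can't mirror to github without ..." message, which makes a misconfigured secret manager hard to diagnose from the logs. Since `err` from the if-initializer is still in scope in the else branch, the retrieval failure can be reported separately: `if err != nil { return fmt.Errorf("retrieving secret %q from GCP secret manager: %w", secret.NameGitHubSSHKey, err) }` before the existing fallthrough for the empty-value case. Separately, `defer sc.Close()` in main never runs because main ends in log.Fatalf, which is harmless at process exit but worth a short comment if it is intentional. runGitMirror continues past the end of this hunk.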
@@ -762,3 +769,11 @@
fmt.Fprintf(w, "%s\n", kv)
}
}
+
+func mustCreateSecretClient() *secret.Client {
+ client, err := secret.NewClient()
+ if err != nil {
+ log.Fatalf("unable to create secret client %v", err)
+ }
+ return client
+}
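Review bot: The new mustCreateSecretClient has no doc comment, and the Fatalf message runs the text straight into the error without a separator. I would add `// mustCreateSecretClient returns a secret manager client, or exits the process if one cannot be created.` above the declaration and change the call to `log.Fatalf("unable to create secret client: %v", err)`. The Must-prefix naming is appropriate here since it is only called from main at startup.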