Add vault sidecar to CR deployment

Author: joecorall

.dockerignore

@@ -2,3 +2,10 @@
 **.md
 Dockerfile
 docker-compose.yml
+.github
+.terraform
+.terraform.lock.hcl
+.git
+modules
+**.tf
+*.json

.github/workflows/deploy.yml

@@ -9,12 +9,12 @@ jobs:
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 
-      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5
+      - uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5
         with:
           go-version: '>=1.23.4'
 
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@ec5d18412c0aeab7936cb16880d708ba2a64e1ae # v6
+        uses: golangci/golangci-lint-action@051d91933864810ecd5e2ea2cfd98f6a5bca5347 # v6
         with:
           version: latest
 
@@ -123,6 +123,9 @@ jobs:
     runs-on: ubuntu-24.04
     env:
       TF_VAR_project: ${{ secrets.GCLOUD_PROJECT }}
+      TF_VAR_vault_addr: ${{ secrets.VAULT_ADDR }}
+      TF_VAR_gh_app_id: ${{ secrets.GH_APP_ID }}
+      TF_VAR_gh_install_id: ${{ secrets.GH_INSTALL_ID }}
     steps:
     - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 

.github/workflows/validate-renovate.yml

@@ -14,7 +14,7 @@ jobs:
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 
-      - uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4
+      - uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4
         with:
           node-version: 20
 

.gitignore

@@ -1 +1,3 @@
 ghat
+.terraform
+.terraform.lock.hcl

Dockerfile

@@ -1,17 +1,19 @@
-FROM golang:1.23-alpine3.20@sha256:6a8532e5441593becc88664617107ed567cb6862cb8b2d87eb33b7ee750f653c
+FROM golang:1.24-alpine3.20@sha256:9fed4022a220fb64327baa90cddfd98607f3b816cb4f5769187500571f73072d
 
 WORKDIR /app
 
 RUN adduser -S -G nobody ghat
 
 COPY . ./
 
-RUN chown -R ghat:nobody /app
+RUN mkdir -p /vault/secrets && \
+  chown -R ghat:nobody /app /vault
 
-RUN go mod download && \
+RUN apk add --no-cache openssl bash && \
+  go mod download && \
   go build -o /app/ghat && \
   go clean -cache -modcache
 
 USER ghat
 
-ENTRYPOINT ["/app/ghat"]
+ENTRYPOINT ["/app/docker-entrypoint.sh"]

LICENSE

@@ -0,0 +1,24 @@
+This is free and unencumbered software released into the public domain.
+
+Anyone is free to copy, modify, publish, use, compile, sell, or
+distribute this software, either in source code form or as a compiled
+binary, for any purpose, commercial or non-commercial, and by any
+means.
+
+In jurisdictions that recognize copyright laws, the author or authors
+of this software dedicate any and all copyright interest in the
+software to the public domain. We make this dedication for the benefit
+of the public at large and to the detriment of our heirs and
+successors. We intend this dedication to be an overt act of
+relinquishment in perpetuity of all present and future rights to this
+software under copyright law.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR
+OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
+ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+OTHER DEALINGS IN THE SOFTWARE.
+
+For more information, please refer to <https://unlicense.org>

README.md

@@ -1,5 +1,18 @@
 # ghat
+[![integration-test](https://github.com/libops/ghat/actions/workflows/deploy.yml/badge.svg)](https://github.com/libops/ghat/actions/workflows/deploy.yml)
+[![Go Report Card](https://goreportcard.com/badge/github.com/libops/ghat)](https://goreportcard.com/report/github.com/libops/ghat)
 
 GitHub App Token
 
 http service to allow receiving a scoped token from a GHA workflow.
+
+## Requirements
+
+The vault server that is configured in the sidecar needs the GitHub app private key
+
+```
+vault kv put \
+  -mount="secret" \
+  "libops-ghat/github-app-key" \
+  key="$(cat /path/to/private-key.pem | base64)"
+```

docker-entrypoint.sh

@@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+
+set -eou pipefail
+
+echo "Starting GitHub App Token service"
+
+while [ ! -s "$GITHUB_APP_PRIVATE_KEY" ]; do
+  echo "Waiting for $GITHUB_APP_PRIVATE_KEY"
+  sleep 5
+done
+
+if !openssl pkey -in "$GITHUB_APP_PRIVATE_KEY" -check -noout 2>/dev/null; then
+  echo "ERROR: $GITHUB_APP_PRIVATE_KEY is not a valid private key (or unreadable)."
+  exit 1
+fi
+
+echo "GITHUB_APP_PRIVATE_KEY is ready"
+
+exec /app/ghat

go.mod

@@ -5,6 +5,7 @@ go 1.23.4
 require (
 	github.com/bradleyfalzon/ghinstallation/v2 v2.13.0
 	github.com/google/go-github/v68 v68.0.0
+	github.com/google/go-github/v69 v69.2.0
 	github.com/gorilla/mux v1.8.1
 	github.com/lestrrat-go/jwx/v2 v2.1.3
 )

go.sum

@@ -14,6 +14,7 @@ github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/go-github/v68 v68.0.0 h1:ZW57zeNZiXTdQ16qrDiZ0k6XucrxZ2CGmoTvcCyQG6s=
 github.com/google/go-github/v68 v68.0.0/go.mod h1:K9HAUBovM2sLwM408A18h+wd9vqdLOEqTUCbnRIcx68=
+github.com/google/go-github/v69 v69.2.0/go.mod h1:xne4jymxLR6Uj9b7J7PyTpkMYstEMMwGZa0Aehh1azM=
 github.com/google/go-querystring v1.1.0 h1:AnCroh3fv4ZBgVIf1Iwtovgjaw/GiKJo8M8yD/fhyJ8=
 github.com/google/go-querystring v1.1.0/go.mod h1:Kcdr2DB4koayq7X8pmAG4sNG59So17icRSOU623lUBU=
 github.com/gorilla/mux v1.8.1 h1:TuBL49tXwgrFYWhqrNgrUNEY92u81SPhu7sTdzQEiWY=

lib/handler/handler.go

@@ -35,7 +35,7 @@ func NewHandler() (*Handler, error) {
 	installationId := loadEnvInt64("GITHUB_INSTALL_ID")
 	privateKeyPath := loadEnv("GITHUB_APP_PRIVATE_KEY")
 	tr := http.DefaultTransport
-	itr, err := ghinstallation.NewKeyFromFile(tr, appId, installationId, privateKeyPath)
+	itr, err := ghinstallation.NewAppsTransportKeyFromFile(tr, appId, privateKeyPath)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create installation transport: %v", err)
 	}

lib/handler/middleware.go

@@ -15,7 +15,7 @@ import (
 
 type contextKey string
 
-const claimsKey contextKey = "claims"
+const claimsKey contextKey = "githubClaims"
 
 const githubKeysURL = "https://token.actions.githubusercontent.com/.well-known/jwks"
 
@@ -73,10 +73,12 @@ func JWTAuthMiddleware(next http.Handler) http.Handler {
 	})
 }
 
-func verifyJWT(tokenString string) (*GitHubClaims, error) {
+func verifyJWT(tokenString string) (GitHubClaims, error) {
+	var claims GitHubClaims
+
 	keySet, err := fetchJWKS()
 	if err != nil {
-		return nil, fmt.Errorf("Unable to fetch JWKS: %v", err)
+		return claims, fmt.Errorf("Unable to fetch JWKS: %v", err)
 	}
 
 	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
@@ -88,23 +90,22 @@ func verifyJWT(tokenString string) (*GitHubClaims, error) {
 		jwt.WithContext(ctx),
 		jwt.WithVerify(true))
 	if err != nil {
-		return nil, fmt.Errorf("Unable to parse token: %v", err)
+		return claims, fmt.Errorf("Unable to parse token: %v", err)
 	}
 
 	if err := validateClaims(token); err != nil {
-		return nil, fmt.Errorf("Unable to validate claims: %v", err)
+		return claims, fmt.Errorf("Unable to validate claims: %v", err)
 	}
 	rawClaims, err := json.Marshal(token)
 	if err != nil {
-		return nil, fmt.Errorf("failed to marshal claims: %v", err)
+		return claims, fmt.Errorf("failed to marshal claims: %v", err)
 	}
 
-	var claims GitHubClaims
 	if err := json.Unmarshal(rawClaims, &claims); err != nil {
-		return nil, fmt.Errorf("failed to unmarshal claims: %v", err)
+		return claims, fmt.Errorf("failed to unmarshal claims: %v", err)
 	}
 
-	return &claims, nil
+	return claims, nil
 }
 
 func fetchJWKS() (jwk.Set, error) {

lib/handler/registration_token.go renamed to lib/handler/repo_admin.go

@@ -4,32 +4,30 @@ import (
 	"encoding/json"
 	"log/slog"
 	"net/http"
+	"strings"
 
 	"github.com/google/go-github/v68/github"
 )
 
 func (h *Handler) RepoAdminToken(w http.ResponseWriter, r *http.Request) {
-	claims, ok := r.Context().Value(claimsKey).(GitHubClaims)
-	if !ok {
-		http.Error(w, "Unauthorized: missing claims in context", http.StatusUnauthorized)
-		return
-	}
+	claims := r.Context().Value(claimsKey).(GitHubClaims)
 	if claims.Repository == "" {
 		http.Error(w, "Invalid request: repository claim is empty", http.StatusBadRequest)
 		return
 	}
 
 	opts := &github.InstallationTokenOptions{
 		Repositories: []string{
-			claims.Repository,
+			strings.Split(claims.Repository, "/")[1],
 		},
 		Permissions: &github.InstallationPermissions{
 			Administration: github.Ptr("write"),
+			Secrets:        github.Ptr("write"),
 		},
 	}
 	token, _, err := h.githubClient.Apps.CreateInstallationToken(r.Context(), h.githubInstallationId, opts)
 	if err != nil {
-		slog.Error("Error fetching scoped token", "err", err, "claims", claims)
+		slog.Error("Error fetching scoped token", "err", err, "claims", claims, "opts", opts)
 		http.Error(w, "Internal error.", http.StatusInternalServerError)
 		return
 	}

main.go

@@ -17,17 +17,25 @@ func main() {
 	}
 
 	r := mux.NewRouter()
-	r.Use(handler.LoggingMiddleware)
-	r.Use(handler.JWTAuthMiddleware)
-	r.HandleFunc("/repo/admin", wh.RepoAdminToken).Methods("POST")
-	r.HandleFunc("/test", func(w http.ResponseWriter, r *http.Request) {
-		_, err := w.Write([]byte(`ok`))
+	r.HandleFunc("/healthcheck", func(w http.ResponseWriter, r *http.Request) {
+		_, err := w.Write([]byte("ok"))
 		if err != nil {
 			w.WriteHeader(http.StatusInternalServerError)
-			slog.Error("Unable to write for healthcheck")
+			slog.Error("Unable to write for healthcheck", "error", err)
 		}
 	}).Methods("GET")
 
+	authRouter := r.PathPrefix("/").Subrouter()
+	authRouter.Use(handler.LoggingMiddleware)
+	authRouter.Use(handler.JWTAuthMiddleware)
+	authRouter.HandleFunc("/repo/admin", wh.RepoAdminToken).Methods("GET")
+	authRouter.HandleFunc("/test", func(w http.ResponseWriter, r *http.Request) {
+		_, err := w.Write([]byte(`ok`))
+		if err != nil {
+			w.WriteHeader(http.StatusInternalServerError)
+			slog.Error("Unable to write for healthcheck", "error", err)
+		}
+	})
 	port := os.Getenv("PORT")
 	if port == "" {
 		port = "8080"