RubyGems - google-ssl-cert - Versions diffs - 0.1.0 → 0.2.0 - Mend

google-ssl-cert 0.1.0 → 0.2.0

Files changed (11) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +5 -0
data/README.md +21 -30
data/google-ssl-cert.gemspec +1 -1
data/lib/google_ssl_cert/cli/create.rb +12 -9
data/lib/google_ssl_cert/cli/prune.rb +9 -1
data/lib/google_ssl_cert/cli.rb +10 -10
data/lib/google_ssl_cert/name.rb +9 -7
data/lib/google_ssl_cert/secret.rb +0 -17
data/lib/google_ssl_cert/version.rb +1 -1
metadata +4 -4

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 2b8d9e0628aac83d0eb66c15b5e2c711949e50ba2716f370151227c39065010e
-  data.tar.gz: 4dd9a50a62e9a658c537306f5530cdeefb96253fd64cdd47bfd574cf995bb6d8
+  metadata.gz: 1f56ae3e966d0cd58eb597d8321e74ca8f5131a00c0b0de0fff8b230760b0546
+  data.tar.gz: '0987b6b7ddeb9ce1b9e3a6b7979c29d6e665e271be82db0da8181ea4377284fc'
 SHA512:
-  metadata.gz: 3e081cf7944e0e37e2b58e2e4985c1374b58206ce50a54737bdec410c83f69d42c0a4049e7e0604cf8429c59962d11c2d09e1d8c4ddd0b5b6ca7202a83ff3005
-  data.tar.gz: bf7c86b74c5eb758d319f817fc6a5b5c79a9297d6db77d78c79c3cc169c2e8fad8f0d52171b2c4bb013e4d65907b5a94fd04a72840bd7da3f5ada8f604cbe48e
+  metadata.gz: 30dc68bef1c6d6590d4e8b691a2eb41e1719f053d6696ced2a848d9270ab2cfc4e4c794dfb69b1050e97bba1f30f59f864f89a7da830698d6be2904d922126fb
+  data.tar.gz: 2b0f8963a89952e71501171484c7ecffed8cd22c252d9e9e22b426b5fda74dcda83e89eb3ba9ee9aeb931ced7750876922bb68a20569a174bbd388df38704c09

data/CHANGELOG.md CHANGED Viewed

@@ -3,5 +3,10 @@
 All notable changes to this project will be documented in this file.
 This project *loosely tries* to adhere to [Semantic Versioning](http://semver.org/), even before v1.0.
+## [0.2.0] - 2021-10-31
+- [#1](https://github.com/boltops-tools/google-ssl-cert/pull/1) Cert name
+- require cert name in interface, conventionally name secret instead
+- validate google ssl cert name
 ## [0.1.0] - 2021-10-23
 - Initial release

data/README.md CHANGED Viewed

@@ -24,7 +24,7 @@ kind: Ingress
 metadata:
   name: web
   annotations:
-    ingress.gcp.kubernetes.io/pre-shared-cert: '<%= google_secret("cert_demo", base64: false) %>'
+    ingress.gcp.kubernetes.io/pre-shared-cert: '<%= google_secret("cert-app1", base64: false) %>'
 spec:
   defaultBackend:
     service:
@@ -48,49 +48,39 @@ Make sure you have the cert files in your current folder:
     $ ls
     private.key  certificate.crt
-When no cert name is provided, one will be generated for you:
+Command synopsys.
-    $ google-ssl-cert create --secret-name cert_demo
-    Global cert created: google-ssl-cert-global-20211021155725
-    Secret saved: name: cert_demo value: google-ssl-cert-global-20211021155725
+    $ google-ssl-cert create CERT_NAME
+    $ google-ssl-cert create cert-app1
+    Global cert created: cert-app1-global-20211021155725
+    Secret saved: name: cert-app1 value: cert-app1-global-20211021155725
+The secret conventionally is the same as the cert name. You can override it with `--secret-name`.
 Check that cert and secret was created on google cloud:
     % gcloud compute ssl-certificates list
-    NAME                                   TYPE          CREATION_TIMESTAMP             EXPIRE_TIME                    MANAGED_STATUS
-    google-ssl-cert-global-20211021155725  SELF_MANAGED  2021-10-21T08:57:26.005-07:00  2022-01-12T15:59:59.000-08:00
+    NAME                             TYPE          CREATION_TIMESTAMP             EXPIRE_TIME                    MANAGED_STATUS
+    cert-app1-global-20211021155725  SELF_MANAGED  2021-10-21T08:57:26.005-07:00  2022-01-12T15:59:59.000-08:00
     ~/environment/cert-files git:master aws:tung:us-west-2 gke:default
     %
-    $ gcloud secrets versions access latest --secret cert_demo
-    google-ssl-cert-global-20211021155725
+    $ gcloud secrets versions access latest --secret cert-app1
+    cert-app1-global-20211021155725
 ## Usage: Region Cert
 If you need to create a region cert instead, IE: for internal load balancers, specify the `--no-global` flag. Example:
-    $ google-ssl-cert create --secret-name cert_demo --no-global
-    Region cert created: google-ssl-cert-us-central1-20211021155852 in region: us-central1
-    Secret saved: name: cert_demo value: google-ssl-cert-us-central1-20211021155852
+    $ google-ssl-cert create --cert-name cert-app1 --no-global
+    Region cert created: cert-app1-us-central1-20211021155852 in region: us-central1
+    Secret saved: name: cert-app1 value: cert-app1-us-central1-20211021155852
 Check that cert and secret was created on google cloud:
     $ gcloud compute ssl-certificates list
-    NAME                                        TYPE          CREATION_TIMESTAMP             EXPIRE_TIME                    MANAGED_STATUS
-    google-ssl-cert-us-central1-20211021155852  SELF_MANAGED  2021-10-21T08:58:53.514-07:00  2022-01-12T15:59:59.000-08:00
-## Usage: Specifying the Cert Name
-You can also specify the cert name:
-    $ google-ssl-cert create --cert-name google-ssl-cert-v1 --no-timestamp --secret-name cert_demo
-    Global cert created: google-ssl-cert-v1
-    Secret saved: name: cert_demo value: google-ssl-cert-v1
-Check that cert was created on google cloud:
-    $ gcloud compute ssl-certificates list
-    NAME                TYPE          CREATION_TIMESTAMP             EXPIRE_TIME                    MANAGED_STATUS
-    google-ssl-cert-v1  SELF_MANAGED  2021-10-21T09:00:43.975-07:00  2022-01-12T15:59:59.000-08:00
+    NAME                                  TYPE          CREATION_TIMESTAMP             EXPIRE_TIME                    MANAGED_STATUS
+    cert-app1-us-central1-20211021155852  SELF_MANAGED  2021-10-21T08:58:53.514-07:00  2022-01-12T15:59:59.000-08:00
 ## Required Env Vars
@@ -98,7 +88,8 @@ These env vars should be set:
 Name | Description
 --- | ---
-GOOGLE\_APPLICATION_CREDENTIALS | A service account as must be set up with `GOOGLE_APPLICATION_CREDENTIALS`. IE: `export GOOGLE_APPLICATION_CREDENTIALS=~/.gcp/credentials.json`
+GOOGLE\_APPLICATION_CREDENTIALS or
+GOOGLE_CREDENTIALS | A service account as must be set up. `GOOGLE_APPLICATION_CREDENTIALS` is set to the path of the file. `GOOGLE_CREDENTIALS` is set as the full json data structure. IE: `export GOOGLE_APPLICATION_CREDENTIALS=~/.gcp/credentials.json`
 GOOGLE_PROJECT | The env var `GOOGLE_PROJECT` and must be set.
 GOOGLE_REGION | The env var `GOOGLE_REGION` and must be set when creating a region-based google ssl cert. So when using the `--no-global` flag
@@ -138,7 +129,7 @@ You can also specify the path to the certificate and private key explicitly:
 To prune or delete old google ssl certs after rotating:
-    google-ssl-cert prune
+    google-ssl-cert prune CERT_NAME
 ## Installation

data/google-ssl-cert.gemspec CHANGED Viewed

@@ -9,7 +9,7 @@ Gem::Specification.new do |spec|
   spec.authors       = ["Tung Nguyen"]
   spec.email         = ["tongueroo@gmail.com"]
   spec.summary       = "Google SSL Cert Tool"
-  spec.homepage      = "https://github.com/boltopspro/google-ssl-cert"
+  spec.homepage      = "https://github.com/boltops-tools/google-ssl-cert"
   spec.license       = "Apache-2.0"
   spec.files         = File.directory?('.git') ? `git ls-files`.split($/) : Dir.glob("**/*")

data/lib/google_ssl_cert/cli/create.rb CHANGED Viewed

@@ -2,7 +2,8 @@ class GoogleSslCert::CLI
   class Create < Base
     def initialize(options={})
       super
-      @cert_name = GoogleSslCert::Name.new(@options).generate
+      @cert_name = GoogleSslCert::Name.new(@options)
+      @secret_name  = @options[:secret_name] || @cert_name.base_name
     end
     def run
@@ -14,7 +15,7 @@ class GoogleSslCert::CLI
     # Google API Docs:
     #    https://cloud.google.com/compute/docs/reference/rest/v1/sslCertificates/insert
     def create_cert
-      GoogleSslCert::Cert.new(@options.merge(cert_name: @cert_name)).create
+      GoogleSslCert::Cert.new(@options.merge(cert_name: @cert_name.generated_name)).create
     end
     # The secret name is expected to be static/predictable
@@ -32,9 +33,8 @@ class GoogleSslCert::CLI
     #   demo_ssl-cert-name  2021-10-13T23:10:06  automatic
     #
     def save_secret
-      secret_name  = @options[:secret_name]
-      secret_value = @cert_name # @cert_name the value because it will be referenced. the @cert_name or 'key' will be the same
-      secret.save(secret_name, secret_value)
+      secret_value = @cert_name.generated_name # @cert_name the value because it will be referenced. the @cert_name or 'key' will be the same
+      secret.save(@secret_name, secret_value)
     end
     def secret
@@ -54,14 +54,17 @@ class GoogleSslCert::CLI
       if !ENV['GOOGLE_REGION'] and !global?
         errors << "ERROR: The GOOGLE_REGION env var must be when creating a region cert."
       end
+      # extra validation early to prevent google ssl cert name error
+      #   An error has occurred when making a REST request: Invalid value for field 'resource.name': 'cert_app1-global-20211031234501'. Must be a match of regex '(?:[a-z](?:[-a-z0-9]{0,61}[a-z0-9])?)' (Google::Cloud::InvalidArgumentError)
+      if @secret_name !~ /^[a-zA-Z\-0-9]+$/ # no underscore allowed
+        errors << "ERROR: CERT_NAME invalid format. Expected format: [a-zA-Z0-9]+" # Expected format taken from `gcloud secrets create`
+      end
       unless errors.empty?
         logger.error errors.join("\n")
         exit 1
       end
-      # Call here so validation happens at the beginning with the rest of validation
-      # want command to exit early and not even create a google ssl cert
-      secret.validate!
     end
   end
 end

data/lib/google_ssl_cert/cli/prune.rb CHANGED Viewed

@@ -8,7 +8,15 @@ class GoogleSslCert::CLI
       certs = ssl_certs[0..right] || [] # delete all except the last cert
       if certs.empty?
-        logger.info "No timestamped certs to prune with cert name: #{cert_base_name}"
+        unless ssl_certs.empty?
+          logger.info "Found certs:"
+          ssl_certs.each do |cert|
+            logger.info "  #{cert.name}"
+          end
+        end
+        cert_word = keep > 1 ? "certs" : "cert"
+        logger.info "Keeping #{keep} #{cert_word}."
+        logger.info "No certs to prune with base cert name: #{cert_base_name}"
         return
       end

data/lib/google_ssl_cert/cli.rb CHANGED Viewed

@@ -9,11 +9,11 @@ module GoogleSslCert
     global_option = Proc.new do
       option :global, type: :boolean, default: true, desc: "Flag to create global vs region cert"
     end
-    cert_name_option = Proc.new do
-      option :cert_name, desc: "Google SSL Cert name"
+    append_type_option = Proc.new do
+      option :append_type, type: :boolean, default: true, desc: "Append the cert type to name. IE: global, us-central1"
     end
-    desc "create", "Create Google SSL Certificate and save to Secrets Manager"
+    desc "create CERT_NAME", "Create Google SSL Certificate and save to Secrets Manager"
     long_desc Help.text(:create)
     option :private_key, desc: "private key path"
     option :certificate, desc: "certificate path"
@@ -21,21 +21,21 @@ module GoogleSslCert
     option :extra_certs, desc: "Additional certs to be added to the secret value"
     option :timestamp, type: :boolean, default: true, desc: "Auto-append timestamp to cert name. Appending a timestamp allows auto-pruning also"
     option :prune, type: :boolean, default: true, desc: "Auto-prune old certs based on timestamp"
-    cert_name_option.call
+    append_type_option.call
     secret_name_option.call
     global_option.call
-    def create
-      Create.new(options).run
+    def create(cert_name)
+      Create.new(options.merge(cert_name: cert_name)).run
     end
-    desc "prune", "prune Google SSL Certificate and save to Secrets Manager"
+    desc "prune CERT_NAME", "prune Google SSL Certificate and save to Secrets Manager"
     long_desc Help.text(:prune)
-    cert_name_option.call
+    append_type_option.call
     global_option.call
     option :yes, aliases: %w[y], type: :boolean, desc: "Skip 'are you sure' prompt"
     option :keep, type: :numeric, default: 1, desc: "Number of certs to keep"
-    def prune
-      Prune.new(options).run
+    def prune(cert_name)
+      Prune.new(options.merge(cert_name: cert_name)).run
     end
     desc "secret SUBCOMMAND", "secret subcommands"

data/lib/google_ssl_cert/name.rb CHANGED Viewed

@@ -1,19 +1,21 @@
 module GoogleSslCert
   class Name
-    attr_reader :base_name
+    extend Memoist
     def initialize(options={})
       @options = options
-      @base_name = @options[:cert_name] || default_cert_name
+      @append_type = @options[:append_type].nil? ? true : @options[:append_type]
     end
-    def generate
+    def generated_name
       ts = Time.now.strftime("%Y%m%d%H%M%S") unless @options[:timestamp] == false # nil defaults to true
-      [@base_name, ts].compact.join('-')
+      [base_name, ts].compact.join('-')
     end
+    memoize :generated_name
-    def default_cert_name
-      type = @options[:global] ? "global" : ENV['GOOGLE_REGION']
-      ["google-ssl-cert", type].join('-')
+    def base_name
+      type = @options[:global] ? "global" : ENV['GOOGLE_REGION'] if @append_type
+      [@options[:cert_name], type].compact.join('-')
     end
   end
 end

data/lib/google_ssl_cert/secret.rb CHANGED Viewed

@@ -15,7 +15,6 @@ module GoogleSslCert
     #   https://cloud.google.com/secret-manager/docs/reference/rest/v1/projects.secrets/addVersion
     #   https://cloud.google.com/secret-manager/docs/reference/rest/v1/SecretPayload
     def save(name, value)
-      validate!
       create_secret(name, value)
       url_path = "#{parent}/secrets/#{name}"
       secret_manager_service.add_secret_version(parent: url_path, payload: {data: value})
@@ -66,21 +65,5 @@ module GoogleSslCert
       logger.error e.message
       "NOT FOUND #{name}" # simple string so Kubernetes YAML is valid
     end
-    def validate!
-      errors = []
-      secret_name = @options[:secret_name]
-      if @options[:save_secret] && !secret_name
-        errors << "ERROR: --secret-name must be provided or --no-save-secret option must be used"
-      end
-      # extra validation early to prevent google ssl cert from being created but the secret not being stored
-      if secret_name && secret_name !~ /^[a-zA-Z_\-0-9]+$/
-        errors << "ERROR: --secret-name invalid format. Expected format: [a-zA-Z_0-9]+" # Expected format taken from `gcloud secrets create`
-      end
-      unless errors.empty?
-        logger.error errors.join("\n")
-        exit 1
-      end
-    end
   end
 end

data/lib/google_ssl_cert/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module GoogleSslCert
-  VERSION = "0.1.0"
+  VERSION = "0.2.0"
 end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: google-ssl-cert
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.2.0
 platform: ruby
 authors:
 - Tung Nguyen
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2021-10-23 00:00:00.000000000 Z
+date: 2021-10-31 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -243,11 +243,11 @@ files:
 - lib/google_ssl_cert/version.rb
 - spec/cli_spec.rb
 - spec/spec_helper.rb
-homepage: https://github.com/boltopspro/google-ssl-cert
+homepage: https://github.com/boltops-tools/google-ssl-cert
 licenses:
 - Apache-2.0
 metadata:
-  homepage_uri: https://github.com/boltopspro/google-ssl-cert
+  homepage_uri: https://github.com/boltops-tools/google-ssl-cert
 post_install_message:
 rdoc_options: []
 require_paths: