google-ssl-cert 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 2b8d9e0628aac83d0eb66c15b5e2c711949e50ba2716f370151227c39065010e
+  data.tar.gz: 4dd9a50a62e9a658c537306f5530cdeefb96253fd64cdd47bfd574cf995bb6d8
+SHA512:
+  metadata.gz: 3e081cf7944e0e37e2b58e2e4985c1374b58206ce50a54737bdec410c83f69d42c0a4049e7e0604cf8429c59962d11c2d09e1d8c4ddd0b5b6ca7202a83ff3005
+  data.tar.gz: bf7c86b74c5eb758d319f817fc6a5b5c79a9297d6db77d78c79c3cc169c2e8fad8f0d52171b2c4bb013e4d65907b5a94fd04a72840bd7da3f5ada8f604cbe48e

data/.gitignore

@@ -0,0 +1,17 @@
+*.gem
+*.rbc
+/.bundle
+/.config
+/.yardoc
+/_yardoc
+/coverage
+/doc/
+/Gemfile.lock
+/InstalledFiles
+/lib/bundler/man
+/pkg
+/rdoc
+/spec/reports
+/test/tmp
+/test/version_tmp
+/tmp

data/.rspec

@@ -0,0 +1,3 @@
+--require spec_helper
+--color
+--format documentation

data/CHANGELOG.md

@@ -0,0 +1,7 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+This project *loosely tries* to adhere to [Semantic Versioning](http://semver.org/), even before v1.0.
+
+## [0.1.0] - 2021-10-23
+- Initial release

data/Gemfile

@@ -0,0 +1,6 @@
+source "https://rubygems.org"
+
+# Specify your gem dependencies in google-ssl-cert.gemspec
+gemspec
+
+gem "codeclimate-test-reporter", group: :test, require: nil

data/Guardfile

@@ -0,0 +1,19 @@
+guard "bundler", cmd: "bundle" do
+  watch("Gemfile")
+  watch(/^.+\.gemspec/)
+end
+
+guard :rspec, cmd: "bundle exec rspec" do
+  require "guard/rspec/dsl"
+  dsl = Guard::RSpec::Dsl.new(self)
+
+  # RSpec files
+  rspec = dsl.rspec
+  watch(rspec.spec_helper) { rspec.spec_dir }
+  watch(rspec.spec_support) { rspec.spec_dir }
+  watch(rspec.spec_files)
+
+  # Ruby files
+  ruby = dsl.ruby
+  dsl.watch_spec_files_for(ruby.lib_files)
+end

data/LICENSE.txt

@@ -0,0 +1 @@
+Proprietary, All rights reserved. For licensing and terms, please refer to https://www.boltops.com/terms

data/README.md

@@ -0,0 +1,153 @@
+# Google Ssl Cert Rotation Tool
+
+[![BoltOps Badge](https://img.boltops.com/boltops/badges/boltops-badge.png)](https://www.boltops.com)
+
+A Google SSL Cert rotation automation tool.
+
+## How Does It Work?
+
+You should run this tool in the folder with your cert files. The cert files can be inferred conventionally or explicitly specified. Tool can be used in conjuction with [Kubes](https://kubes.guru/) and the [google_secret](https://kubes.guru/docs/helpers/google/secrets/) helper. It can be used to automate the SSL cert rotation process.
+
+This is done by generating a new SSL cert and storing that name to Google secrets.  All the user needs to do is be in the folder with the cert private key and signed cert. These files are typically named: `private.key` and `certificate.crt`.  The key is that the Google Secret name itself does not change, only it's value.
+
+### Kubes Kuberbetes YAML
+
+Your Kuberbetes YAML files can be built with [Kubes](https://kubes.guru/) with the `google_secret` helper which references the cert name.
+
+Example `ingress.yaml` with an L7 external load balancer and global cert.
+
+.kubes/resources/web/ingress.yaml:
+
+```yaml
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: web
+  annotations:
+    ingress.gcp.kubernetes.io/pre-shared-cert: '<%= google_secret("cert_demo", base64: false) %>'
+spec:
+  defaultBackend:
+    service:
+      name: web
+      port:
+        number: 80
+```
+
+The `.kubes/resources/web/ingress.yaml` code remains the same, but the generated/compiled ``.kubes/output/web/ingress.yaml`` will have the new Google SSL Cert name.  This triggers Kuberbetes to do a rolling deploy properly.
+
+## Summary of Steps
+
+1. Use the `google-ssl-cert create` command to create new SSL cert and save the name to Google Secrets.  The value in the Google Secret can be later referenced.
+2. Deploying your application to Kuberbetes and using the Kubes `google_secret` helper that references the new cert name.
+3. Pruning the old cert names with the `google-ssl-cert prune` command.
+
+## Usage: Quick Start
+
+Make sure you have the cert files in your current folder:
+
+    $ ls
+    private.key  certificate.crt
+
+When no cert name is provided, one will be generated for you:
+
+    $ google-ssl-cert create --secret-name cert_demo
+    Global cert created: google-ssl-cert-global-20211021155725
+    Secret saved: name: cert_demo value: google-ssl-cert-global-20211021155725
+
+Check that cert and secret was created on google cloud:
+
+    % gcloud compute ssl-certificates list
+    NAME                                   TYPE          CREATION_TIMESTAMP             EXPIRE_TIME                    MANAGED_STATUS
+    google-ssl-cert-global-20211021155725  SELF_MANAGED  2021-10-21T08:57:26.005-07:00  2022-01-12T15:59:59.000-08:00
+    ~/environment/cert-files git:master aws:tung:us-west-2 gke:default
+    %
+    $ gcloud secrets versions access latest --secret cert_demo
+    google-ssl-cert-global-20211021155725
+
+## Usage: Region Cert
+
+If you need to create a region cert instead, IE: for internal load balancers, specify the `--no-global` flag. Example:
+
+    $ google-ssl-cert create --secret-name cert_demo --no-global
+    Region cert created: google-ssl-cert-us-central1-20211021155852 in region: us-central1
+    Secret saved: name: cert_demo value: google-ssl-cert-us-central1-20211021155852
+
+Check that cert and secret was created on google cloud:
+
+    $ gcloud compute ssl-certificates list
+    NAME                                        TYPE          CREATION_TIMESTAMP             EXPIRE_TIME                    MANAGED_STATUS
+    google-ssl-cert-us-central1-20211021155852  SELF_MANAGED  2021-10-21T08:58:53.514-07:00  2022-01-12T15:59:59.000-08:00
+
+## Usage: Specifying the Cert Name
+
+You can also specify the cert name:
+
+    $ google-ssl-cert create --cert-name google-ssl-cert-v1 --no-timestamp --secret-name cert_demo
+    Global cert created: google-ssl-cert-v1
+    Secret saved: name: cert_demo value: google-ssl-cert-v1
+
+Check that cert was created on google cloud:
+
+    $ gcloud compute ssl-certificates list
+    NAME                TYPE          CREATION_TIMESTAMP             EXPIRE_TIME                    MANAGED_STATUS
+    google-ssl-cert-v1  SELF_MANAGED  2021-10-21T09:00:43.975-07:00  2022-01-12T15:59:59.000-08:00
+
+## Required Env Vars
+
+These env vars should be set:
+
+Name | Description
+--- | ---
+GOOGLE\_APPLICATION_CREDENTIALS | A service account as must be set up with `GOOGLE_APPLICATION_CREDENTIALS`. IE: `export GOOGLE_APPLICATION_CREDENTIALS=~/.gcp/credentials.json`
+GOOGLE_PROJECT | The env var `GOOGLE_PROJECT` and must be set.
+GOOGLE_REGION | The env var `GOOGLE_REGION` and must be set when creating a region-based google ssl cert. So when using the `--no-global` flag
+
+To check that `GOOGLE_APPLICATION_CREDENTIALS` is valid and is working you can use the [boltops-tools/google_check](https://github.com/boltops-tools/google_check) test script to check. Here are the summarized commands:
+
+    git clone https://github.com/boltops-tools/google_check
+    cd google_check
+    bundle
+    bundle exec ruby google_check.rb
+
+## Cert Files Conventions
+
+The tool will look in your current folder for these private keys in the following order:
+
+    private.key
+    server.key
+    key.pem
+
+And look for these certs:
+
+    certificate.crt
+    server.crt
+    cert.pem
+
+So, for example, if you name your cert files in your current folder conventionally like so:
+
+    private.key     # private key
+    certificate.crt # signed cert
+
+The tool is able to detect it and automatically use those files to create the cert.
+
+You can also specify the path to the certificate and private key explicitly:
+
+    google-ssl-cert create --private-key server.key --certificate server.crt
+
+## Prune
+
+To prune or delete old google ssl certs after rotating:
+
+    google-ssl-cert prune
+
+## Installation
+
+    gem install google-ssl-cert
+
+## Contributing
+
+1. Fork it
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. Commit your changes (`git commit -am "Add some feature"`)
+4. Push to the branch (`git push origin my-new-feature`)
+5. Create new Pull Request

data/Rakefile

@@ -0,0 +1,14 @@
+require "bundler/gem_tasks"
+require "rspec/core/rake_task"
+
+task default: :spec
+
+RSpec::Core::RakeTask.new
+
+require_relative "lib/google-ssl-cert"
+require "cli_markdown"
+desc "Generates cli reference docs as markdown"
+task :docs do
+  mkdir_p "docs/_includes"
+  CliMarkdown::Creator.create_all(cli_class: GoogleSslCert::CLI, cli_name: "google-ssl-cert")
+end

data/docs/google-secrets-cheatsheet.md

@@ -0,0 +1,6 @@
+## Secrets Commands
+
+    gcloud secrets list
+    gcloud secrets create testsecret
+    gcloud secrets versions add testsecret --data-file="/tmp/testsecret.txt"
+    gcloud secrets versions access latest --secret testsecret

data/exe/google-ssl-cert

@@ -0,0 +1,14 @@
+#!/usr/bin/env ruby
+
+# Trap ^C
+Signal.trap("INT") {
+  puts "\nCtrl-C detected. Exiting..."
+  sleep 0.1
+  exit
+}
+
+$:.unshift(File.expand_path("../../lib", __FILE__))
+require "google-ssl-cert"
+require "google_ssl_cert/cli"
+
+GoogleSslCert::CLI.start(ARGV)

data/google-ssl-cert.gemspec

@@ -0,0 +1,43 @@
+# coding: utf-8
+lib = File.expand_path("../lib", __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require "google_ssl_cert/version"
+
+Gem::Specification.new do |spec|
+  spec.name          = "google-ssl-cert"
+  spec.version       = GoogleSslCert::VERSION
+  spec.authors       = ["Tung Nguyen"]
+  spec.email         = ["tongueroo@gmail.com"]
+  spec.summary       = "Google SSL Cert Tool"
+  spec.homepage      = "https://github.com/boltopspro/google-ssl-cert"
+  spec.license       = "Apache-2.0"
+
+  spec.files         = File.directory?('.git') ? `git ls-files`.split($/) : Dir.glob("**/*")
+  spec.bindir        = "exe"
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
+  spec.require_paths = ["lib"]
+
+  spec.add_dependency "activesupport"
+  spec.add_dependency "google-cloud-compute-v1"
+  spec.add_dependency "google-cloud-resource_manager"
+  spec.add_dependency "google-cloud-secret_manager"
+  spec.add_dependency "memoist"
+  spec.add_dependency "rainbow"
+  spec.add_dependency "thor"
+  spec.add_dependency "zeitwerk"
+
+  spec.add_development_dependency "bundler"
+  spec.add_development_dependency "byebug"
+  spec.add_development_dependency "cli_markdown"
+  spec.add_development_dependency "rake"
+  spec.add_development_dependency "rspec"
+
+  # Prevent pushing this gem to RubyGems.org. To allow pushes either set the 'allowed_push_host'
+  # to allow pushing to a single host or delete this section to allow pushing to any host.
+  if spec.respond_to?(:metadata)
+    spec.metadata["homepage_uri"] = spec.homepage
+  else
+    raise "RubyGems 2.0 or newer is required to protect against public gem pushes."
+  end
+end

data/lib/google-ssl-cert.rb

@@ -0,0 +1 @@
+require_relative "google_ssl_cert"

data/lib/google_ssl_cert/autoloader.rb

@@ -0,0 +1,22 @@
+require "zeitwerk"
+
+module GoogleSslCert
+  class Autoloader
+    class Inflector < Zeitwerk::Inflector
+      def camelize(basename, _abspath)
+        map = { cli: "CLI", version: "VERSION" }
+        map[basename.to_sym] || super
+      end
+    end
+
+    class << self
+      def setup
+        loader = Zeitwerk::Loader.new
+        loader.inflector = Inflector.new
+        loader.push_dir(File.dirname(__dir__)) # lib
+        loader.ignore("#{File.dirname(__dir__)}/google-ssl-cert.rb")
+        loader.setup
+      end
+    end
+  end
+end

data/lib/google_ssl_cert/base.rb

@@ -0,0 +1,14 @@
+module GoogleSslCert
+  class Base
+    include GoogleServices
+    include Logging
+    include Helpers::Global
+    include Helpers::ProjectNumber
+    extend Memoist
+
+    def initialize(options={})
+      @options = options
+    end
+  end
+end
+

data/lib/google_ssl_cert/cert.rb

@@ -0,0 +1,85 @@
+module GoogleSslCert
+  class Cert < Base
+    extend Memoist
+
+    def initialize(*)
+      super
+      @cert_name = @options[:cert_name]
+      @private_key = private_key
+      @certificate = certificate
+    end
+
+    def create
+      validate!
+      region = ENV['GOOGLE_REGION']
+      ssl_certificate_resource = {
+        name: @cert_name,
+        private_key: IO.read(@private_key),
+        certificate: IO.read(@certificate),
+      }
+
+      if global?
+        ssl_certificates.insert(
+          project: ENV['GOOGLE_PROJECT'],
+          ssl_certificate_resource: ssl_certificate_resource,
+        )
+        logger.info "Global cert created: #{@cert_name}"
+      else
+        region_ssl_certificates.insert(
+          project: ENV['GOOGLE_PROJECT'],
+          region: region,
+          ssl_certificate_resource: ssl_certificate_resource,
+        )
+        logger.info "Region cert created: #{@cert_name} in region: #{region}"
+      end
+    rescue Google::Cloud::AlreadyExistsError => e
+      logger.error "#{e.class}: #{e.message}"
+    end
+
+  private
+    def private_key
+      find_file(private_keys)
+    end
+
+    def private_keys
+      [@options[:private_key], "private.key", "server.key", "key.pem"].compact
+    end
+
+    # signed cert
+    def certificate
+      find_file(certificates)
+    end
+
+    def certificates
+      [@options[:certificate], "certificate.crt", "server.crt", "cert.pem"].compact
+    end
+
+    def find_file(*paths)
+      paths.flatten.find do |path|
+        File.exist?(path)
+      end
+    end
+
+    def validate!
+      errors = []
+      unless @private_key
+        errors << "ERROR: None of the private keys could be found: #{private_keys.join(' ')}"
+      end
+      unless @certificate
+        errors << "ERROR: None of the certificates could be found: #{certificates.join(' ')}"
+      end
+      unless errors.empty?
+        logger.error errors.join("\n")
+        logger.error <<~EOL
+
+          Are you sure that:
+
+              * You're in the right directory with the cert files?
+              * Or can specify the path to the cert files with options:
+              * --certificate and --private-key
+        EOL
+        exit 1
+      end
+    end
+  end
+end

data/lib/google_ssl_cert/cli/base.rb

@@ -0,0 +1,12 @@
+class GoogleSslCert::CLI
+  class Base
+    include GoogleSslCert::GoogleServices
+    include GoogleSslCert::Helpers::Global
+    include GoogleSslCert::Logging
+    extend Memoist
+
+    def initialize(options={})
+      @options = options
+    end
+  end
+end

data/lib/google_ssl_cert/cli/create.rb

@@ -0,0 +1,67 @@
+class GoogleSslCert::CLI
+  class Create < Base
+    def initialize(options={})
+      super
+      @cert_name = GoogleSslCert::Name.new(@options).generate
+    end
+
+    def run
+      validate!
+      create_cert
+      save_secret if @options[:save_secret]
+    end
+
+    # Google API Docs:
+    #    https://cloud.google.com/compute/docs/reference/rest/v1/sslCertificates/insert
+    def create_cert
+      GoogleSslCert::Cert.new(@options.merge(cert_name: @cert_name)).create
+    end
+
+    # The secret name is expected to be static/predictable
+    # The secret value is the changed/updated google ssl cert
+    #
+    # Example:
+    #   secret_name  = demo_ssl-cert-name
+    #   secret_value = google-ssl-cert-20211013231005
+    #
+    #   gcloud compute ssl-certificates list
+    #   NAME                            TYPE          CREATION_TIMESTAMP             EXPIRE_TIME                    MANAGED_STATUS
+    #   google-ssl-cert-20211013231005  SELF_MANAGED  2021-10-13T16:10:05.795-07:00  2022-10-12T17:22:01.000-07:00
+    #   gcloud secrets list
+    #   NAME                CREATED              REPLICATION_POLICY  LOCATIONS
+    #   demo_ssl-cert-name  2021-10-13T23:10:06  automatic
+    #
+    def save_secret
+      secret_name  = @options[:secret_name]
+      secret_value = @cert_name # @cert_name the value because it will be referenced. the @cert_name or 'key' will be the same
+      secret.save(secret_name, secret_value)
+    end
+
+    def secret
+      GoogleSslCert::Secret.new(@options)
+    end
+    memoize :secret
+
+  private
+    def validate!
+      errors = []
+      unless ENV['GOOGLE_APPLICATION_CREDENTIALS']
+        errors << "ERROR: The GOOGLE_APPLICATION_CREDENTIALS env var must be set."
+      end
+      unless ENV['GOOGLE_PROJECT']
+        errors << "ERROR: The GOOGLE_PROJECT env var must be set."
+      end
+      if !ENV['GOOGLE_REGION'] and !global?
+        errors << "ERROR: The GOOGLE_REGION env var must be when creating a region cert."
+      end
+      unless errors.empty?
+        logger.error errors.join("\n")
+        exit 1
+      end
+
+      # Call here so validation happens at the beginning with the rest of validation
+      # want command to exit early and not even create a google ssl cert
+      secret.validate!
+    end
+  end
+end

data/lib/google_ssl_cert/cli/help/completion.md

@@ -0,0 +1,20 @@
+## Examples
+
+    google-ssl-cert completion
+
+Prints words for TAB auto-completion.
+
+    google-ssl-cert completion
+    google-ssl-cert completion hello
+    google-ssl-cert completion hello name
+
+To enable, TAB auto-completion add the following to your profile:
+
+    eval $(google-ssl-cert completion_script)
+
+Auto-completion example usage:
+
+    google-ssl-cert [TAB]
+    google-ssl-cert hello [TAB]
+    google-ssl-cert hello name [TAB]
+    google-ssl-cert hello name --[TAB]

data/lib/google_ssl_cert/cli/help/completion_script.md

@@ -0,0 +1,3 @@
+To use, add the following to your `~/.bashrc` or `~/.profile`
+
+    eval $(google-ssl-cert completion_script)

data/lib/google_ssl_cert/cli/help/create.md

@@ -0,0 +1,31 @@
+## Examples
+
+When no cert name is provided, one will be generated for you:
+
+    $ google-ssl-cert create
+    Google SSL Cert Created: google-ssl-cert-20211013203211
+
+Check that cert was created on google cloud:
+
+    $ gcloud compute ssl-certificates list
+    NAME                            TYPE          CREATION_TIMESTAMP             EXPIRE_TIME                    MANAGED_STATUS
+    google-ssl-cert-20211013203211  SELF_MANAGED  2021-10-13T13:16:28.304-07:00  2022-10-12T17:22:01.000-07:00
+
+You can also specify the cert name:
+
+    $ google-ssl-cert create --cert-name google-ssl-cert-1 --no-timestamp
+    Google SSL Cert Created: google-ssl-cert-1
+
+Check that cert was created on google cloud:
+
+    $ gcloud compute ssl-certificates list
+    NAME                            TYPE          CREATION_TIMESTAMP             EXPIRE_TIME                    MANAGED_STATUS
+    google-ssl-cert-1               SELF_MANAGED  2021-10-13T13:17:04.192-07:00  2022-10-12T17:22:01.000-07:00
+
+## More Examples
+
+    google-ssl-cert create
+    google-ssl-cert create --private-key /path/to/key/server.key
+    google-ssl-cert create --certificate /path/to/certificate/server.crt
+    google-ssl-cert create --no-save-secret
+    google-ssl-cert create --secret-name secret-name

data/lib/google_ssl_cert/cli/help/prune.md

@@ -0,0 +1,30 @@
+Prune only deletes google ssl cert resources if the cert name has a timestamp at the end with 14 digits as the format.  Example:
+
+    google-ssl-cert-20211014221403
+
+## Examples
+
+Lets say there are 3 certs:
+
+    $ gcloud compute ssl-certificates list
+    NAME                            TYPE          CREATION_TIMESTAMP             EXPIRE_TIME                    MANAGED_STATUS
+    google-ssl-cert-20211014221406  SELF_MANAGED  2021-10-14T15:14:06.592-07:00  2022-01-12T15:59:59.000-08:00
+    google-ssl-cert-20211014221546  SELF_MANAGED  2021-10-14T15:15:46.400-07:00  2022-01-12T15:59:59.000-08:00
+    google-ssl-cert-20211014221549  SELF_MANAGED  2021-10-14T15:15:49.624-07:00  2022-01-12T15:59:59.000-08:00
+
+Running prune will delete the 2 oldest certs.
+
+    $ google-ssl-cert prune
+    Will delete the following global certs:
+      google-ssl-cert-20211014221406
+      google-ssl-cert-20211014221546
+    Are you sure? (y/N) y
+    Deleted global cert: google-ssl-cert-20211014221406
+    Deleted global cert: google-ssl-cert-20211014221546
+
+Confirm that only 1 cert is kept.
+
+    $ gcloud compute ssl-certificates list
+    NAME                            TYPE          CREATION_TIMESTAMP             EXPIRE_TIME                    MANAGED_STATUS
+    google-ssl-cert-20211014221549  SELF_MANAGED  2021-10-14T15:15:49.624-07:00  2022-01-12T15:59:59.000-08:00
+    $

data/lib/google_ssl_cert/cli/help/secret/get.md

@@ -0,0 +1,4 @@
+## Examples
+
+    $ google-ssl-cert secret get testsecret
+    Secret name: testsecret value testvalue

data/lib/google_ssl_cert/cli/help/secret/save.md

@@ -0,0 +1,4 @@
+## Examples
+
+    $ google-ssl-cert secret save testsecret testvalue
+    Secret saved: name: testsecret value: testvalue

data/lib/google_ssl_cert/cli/help.rb

@@ -0,0 +1,11 @@
+class GoogleSslCert::CLI
+  module Help
+    class << self
+      def text(namespaced_command)
+        path = namespaced_command.to_s.gsub(':','/')
+        path = File.expand_path("../help/#{path}.md", __FILE__)
+        IO.read(path) if File.exist?(path)
+      end
+    end
+  end
+end