From 42d34c595fb0bc8595fe69430391fe50bb52757c Mon Sep 17 00:00:00 2001
From: Martin Saporiti
Date: Tue, 30 Jul 2024 16:06:12 -0300
Subject: [PATCH] chore: improve makefile

---
 .env-issuer.sample | 2 +-
 Dockerfile-kms-importer | 31 +++++++++++------------
 Makefile | 38 +++++++++++++++++++++--------
 cmd/kms_priv_key_importer/main.go | 6 ++---
 cmd/kms_priv_key_importer/readme.md | 8 +++---
 5 files changed, 52 insertions(+), 33 deletions(-)

diff --git a/.env-issuer.sample b/.env-issuer.sample
index 58d32443a..eb0e4e6c0 100644
--- a/.env-issuer.sample
+++ b/.env-issuer.sample
@@ -22,7 +22,7 @@ ISSUER_KMS_BJJ_PROVIDER=vault
 ISSUER_KMS_ETH_PROVIDER=vault
 # if the plugin is localstorage, you can specify the file path (default path is current directory)
-ISSUER_KMS_PROVIDER_LOCAL_STORAGE_FILE_PATH=
+ISSUER_KMS_PROVIDER_LOCAL_STORAGE_FILE_PATH=./localstoragekeys
 # If the plugin is AWS for ETH keys you need to specify the key id and secret key
 ISSUER_KMS_ETH_PLUGIN_AWS_ACCESS_KEY=XXX
diff --git a/Dockerfile-kms-importer b/Dockerfile-kms-importer
index 647e25786..6003c5bb1 100644
--- a/Dockerfile-kms-importer
+++ b/Dockerfile-kms-importer
@@ -1,9 +1,9 @@
 FROM golang:1.21 as base
 ARG VERSION
-ARG ISSUER_KMS_ETH_PLUGIN_AWS_ACCESS_KEY
-ARG ISSUER_KMS_ETH_PLUGIN_AWS_SECRET_KEY
-ARG ISSUER_KMS_ETH_PLUGIN_AWS_REGION
+ARG ISSUER_KMS_ETH_PROVIDER_AWS_ACCESS_KEY
+ARG ISSUER_KMS_ETH_PROVIDER_AWS_SECRET_KEY
+ARG ISSUER_KMS_ETH_PROVIDER_AWS_REGION
 WORKDIR /service
 ENV GOBIN /service/bin
@@ -15,12 +15,13 @@ COPY ./internal ./internal
 COPY ./pkg ./pkg
+
 RUN go install -buildvcs=false -ldflags "-X main.build=${VERSION}" ./cmd/...
 FROM alpine:latest
-ARG ISSUER_KMS_ETH_PLUGIN_AWS_ACCESS_KEY
-ARG ISSUER_KMS_ETH_PLUGIN_AWS_SECRET_KEY
-ARG ISSUER_KMS_ETH_PLUGIN_AWS_REGION
+ARG ISSUER_KMS_ETH_PROVIDER_AWS_ACCESS_KEY
+ARG ISSUER_KMS_ETH_PROVIDER_AWS_SECRET_KEY
+ARG ISSUER_KMS_ETH_PROVIDER_AWS_REGION
 RUN apk add --no-cache libstdc++ gcompat libgomp
 RUN apk add --update busybox>1.3.1-r0
@@ -38,20 +39,20 @@ COPY --from=base ./service/bin/* ./
 COPY --from=base ./service/cmd/kms_priv_key_importer/aws_kms_material_key_importer.sh ./aws_kms_material_key_importer.sh
 RUN chmod +x ./aws_kms_material_key_importer.sh
-RUN if [ -n "$ISSUER_KMS_ETH_PLUGIN_AWS_ACCESS_KEY" ]; then \
- aws configure set aws_access_key_id ${ISSUER_KMS_ETH_PLUGIN_AWS_ACCESS_KEY} --profile privadoid; \
+RUN if [ -n "$ISSUER_KMS_ETH_PROVIDER_AWS_ACCESS_KEY" ]; then \
+ aws configure set aws_access_key_id ${ISSUER_KMS_ETH_PROVIDER_AWS_ACCESS_KEY} --profile privadoid; \
 else \
- echo "ISSUER_KMS_ETH_PLUGIN_AWS_ACCESS_KEY is not set"; \
+ echo "ISSUER_KMS_ETH_PROVIDER_AWS_ACCESS_KEY is not set"; \
 fi
-RUN if [ -n "$ISSUER_KMS_ETH_PLUGIN_AWS_SECRET_KEY" ]; then \
- aws configure set aws_secret_access_key ${ISSUER_KMS_ETH_PLUGIN_AWS_SECRET_KEY} --profile privadoid; \
+RUN if [ -n "$ISSUER_KMS_ETH_PROVIDER_AWS_SECRET_KEY" ]; then \
+ aws configure set aws_secret_access_key ${ISSUER_KMS_ETH_PROVIDER_AWS_SECRET_KEY} --profile privadoid; \
 else \
- echo "ISSUER_KMS_ETH_PLUGIN_AWS_SECRET_KEY is not set"; \
+ echo "ISSUER_KMS_ETH_PROVIDER_AWS_SECRET_KEY is not set"; \
 fi
-RUN if [ -n "$ISSUER_KMS_ETH_PLUGIN_AWS_REGION" ]; then \
- aws configure set region ${ISSUER_KMS_ETH_PLUGIN_AWS_REGION} --profile privadoid; \
+RUN if [ -n "$ISSUER_KMS_ETH_PROVIDER_AWS_REGION" ]; then \
+ aws configure set region ${ISSUER_KMS_ETH_PROVIDER_AWS_REGION} --profile privadoid; \
 else \
- echo "ISSUER_KMS_ETH_PLUGIN_AWS_REGION is not set"; \
+ echo "ISSUER_KMS_ETH_PROVIDER_AWS_REGION is not set"; \
 fi
diff --git a/Makefile b/Makefile
index 0d17e6fb6..ea011254e 100644
--- a/Makefile
+++ b/Makefile
@@ -1,4 +1,5 @@
 include .env-api
+include .env-issuer
 BIN := $(shell pwd)/bin
 VERSION ?= $(shell git rev-parse --short HEAD)
 GO?=$(shell which go)
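Review bot: The AWS access key and secret key are still baked into the image: each `aws configure set` RUN step writes them into the final stage's filesystem (the `privadoid` profile under `~/.aws`), and build-arg values consumed by RUN steps are typically recoverable from the image's layer history as well, so anyone who can pull or inspect `privadoid-kms-importer` obtains long-lived AWS credentials. Only the ARG names change in this hunk; the exposure is unchanged from before. Prefer run-time injection: drop these three RUN steps and the matching ARGs, and pass `-e AWS_ACCESS_KEY_ID=… -e AWS_SECRET_ACCESS_KEY=… -e AWS_DEFAULT_REGION=…` (or a read-only bind mount of a credentials file) to `docker run`; if `aws_kms_material_key_importer.sh` insists on the named `privadoid` profile, `AWS_PROFILE` plus a mounted credentials file covers that. If build-time configuration is truly unavoidable, `RUN --mount=type=secret` keeps the values out of the layers; at minimum add `# WARNING: credentials passed as build args are persisted in this image; never push it` above the first ARG.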
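Review bot: `include .env-issuer` is a hard include, so every target in this Makefile, not only `import-private-key-to-kms`, now aborts with "No such file or directory" until `.env-issuer` has been created from `.env-issuer.sample`; `-include .env-issuer` keeps unrelated targets working, unless the file is meant to be mandatory the way `.env-api` apparently already is. Note also that make parses the included file as makefile syntax: a secret value containing `$` is treated as a variable reference and silently mangled, and `#` starts a comment, which is worth stating next to the include, e.g. `# .env-issuer is parsed by make: values must not contain unescaped $ or #`.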
@@ -14,6 +15,8 @@ DOCKER_COMPOSE_CMD := docker compose -p issuer -f $(DOCKER_COMPOSE_FILE)
 DOCKER_COMPOSE_INFRA_CMD := docker compose -p issuer -f $(DOCKER_COMPOSE_FILE_INFRA)
 ENVIRONMENT := ${ISSUER_API_ENVIRONMENT}
+ISSUER_KMS_PROVIDER_LOCAL_STORAGE_FILE_PATH := ${ISSUER_KMS_PROVIDER_LOCAL_STORAGE_FILE_PATH}
+ISSUER_KMS_ETH_PROVIDER := ${ISSUER_KMS_ETH_PROVIDER}
 # Local environment overrides via godotenv
 DOTENV_CMD = $(BIN)/godotenv
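Review bot: The two added `:=` lines are no-ops: each assigns a variable to its own current value, which `include .env-issuer` (or the process environment, which make imports on its own) already supplies. If the intent is a fallback for a missing or empty value, make that explicit, e.g. `ISSUER_KMS_ETH_PROVIDER := $(or $(ISSUER_KMS_ETH_PROVIDER),vault)`; if the intent is only to document which `.env-issuer` keys this Makefile reads, a comment does that without a misleading assignment. A default matters for `ISSUER_KMS_PROVIDER_LOCAL_STORAGE_FILE_PATH` in particular, since later in this diff it is used as a `-v` bind-mount source and an empty value appears to produce `/kms_localstorage_keys.json` at the host root.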
@@ -159,22 +162,37 @@ add-private-key:
 	docker exec issuer-vault-1 \
 	vault write iden3/import/pbkey key_type=ethereum private_key=$(private_key)
-# >>> usage: make private_key=xxx import-private-key-to-kms
-# If you want to import your private key to the local storage be sure to have the
-# file ${ISSUER_KMS_PLUGIN_LOCAL_STORAGE_FILE_PATH}/kms_localstorage_keys.json, otherwise change the mapped volume.
-# If you want to import private key to vault running with docker compose make sure ISSUER_KEY_STORE_ADDRESS=http://vault:8200 in .env-issuer
-# >>> Don't use this command if you want to import private key to aws kms, for that see cmd/kms_priv_key_importer/readme.md
+## Usage:
+## AWS: make private_key=XXX aws_access_key=YYY aws_secret_key=ZZZ aws_region=your-region import-private-key-to-kms
+## localstorage and vault: make private_key=XXX import-private-key-to-kms
 .PHONY: import-private-key-to-kms
 import-private-key-to-kms:
-	docker build -t privadoid-kms-importer -f Dockerfile-kms-importer .
-	docker run -it -v ./.env-issuer:/.env-issuer --network issuer-network \
-	-v ./localstoragekeys/kms_localstorage_keys.json:/localstoragekeys/kms_localstorage_keys.json \
-	privadoid-kms-importer ./kms_priv_key_importer --privateKey=$(private_key)
+ifeq ($(ISSUER_KMS_ETH_PROVIDER), aws)
+	docker build --build-arg ISSUER_KMS_ETH_PROVIDER_AWS_ACCESS_KEY=$(aws_access_key) \
+	--build-arg ISSUER_KMS_ETH_PROVIDER_AWS_SECRET_KEY=$(aws_secret_key) \
+	--build-arg ISSUER_KMS_ETH_PROVIDER_AWS_REGION=$(aws_region) -t privadoid-kms-importer -f ./Dockerfile-kms-importer .
+	$(eval result = $(shell docker run -it -v ./.env-issuer:/.env-issuer -v $(ISSUER_KMS_PROVIDER_LOCAL_STORAGE_FILE_PATH)/kms_localstorage_keys.json:/localstoragekeys/kms_localstorage_keys.json \
+	--network issuer-network \
+	privadoid-kms-importer ./kms_priv_key_importer --privateKey=$(private_key)))
+	@echo "result: $(result)"
+	$(eval keyID = $(shell echo $(result) | grep "key created keyId=" | sed 's/.*keyId=//'))
+	@if [ -n "$(keyID)" ]; then \
+	docker run -it --rm -v ./.env-issuer:/.env-issuer --network issuer-network \
+	privadoid-kms-importer sh ./aws_kms_material_key_importer.sh $(private_key) $(keyID) privadoid; \
+	else \
+	echo "something went wrong because keyID is empty"; \
+	fi
+else
+	docker build -t privadoid-kms-importer -f ./Dockerfile-kms-importer .
+	docker run --rm -it -v ./.env-issuer:/.env-issuer -v $(ISSUER_KMS_PROVIDER_LOCAL_STORAGE_FILE_PATH)/kms_localstorage_keys.json:/localstoragekeys/kms_localstorage_keys.json \
+	--network issuer-network \
+	privadoid-kms-importer ./kms_priv_key_importer --privateKey=$(private_key)
+endif
 .PHONY: print-vault-token
 print-vault-token:
 	$(eval TOKEN = $(shell docker logs issuer-vault-1 2>&1 | grep " .hvs" | awk '{print $$2}' | tail -1 ))
-	@echo $(TOKEN)
+	echo $(TOKEN)
 .PHONY: add-vault-token
 add-vault-token:
diff --git a/cmd/kms_priv_key_importer/main.go b/cmd/kms_priv_key_importer/main.go
index a02182132..04faad446 100644
--- a/cmd/kms_priv_key_importer/main.go
+++ b/cmd/kms_priv_key_importer/main.go
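Review bot: The private key and the AWS secret are exposed in plain sight in the new AWS branch: the `docker build` recipe line carries `--build-arg ISSUER_KMS_ETH_PROVIDER_AWS_SECRET_KEY=$(aws_secret_key)` and is not `@`-prefixed, so make echoes the secret to stdout and any CI log, and `--privateKey=$(private_key)` is visible to every local user through `ps` and `docker inspect` for as long as the container exists, which is indefinitely for the first `docker run` in that branch because it lacks `--rm`. The same block has functional problems: `docker run -it` inside `$(shell …)` fails with "the input device is not a TTY" whenever make has no terminal (CI, `make … | tee`), `$(shell)` flattens the importer's output to one line so `sed 's/.*keyId=//'` returns everything printed after `keyId=` rather than the id alone, and if the importer logs to stderr (usual for Go loggers; not visible here) the capture never sees `key created keyId=` and `keyID` is always empty; the `else` branch then only prints a message, so make still exits 0 after a failed import. The rewrite below prefixes the secret-bearing lines with `@`, drops `-it` and adds `--rm` on the captured run, merges stderr and pipes straight into a bounded `grep -o` (adjust the pattern if the logger quotes the value), and fails the recipe on an empty id; longer term the key should be read from a file or stdin rather than argv. Separately, the `@echo` → `echo` change in `print-vault-token` now prints the token twice (make echoes the command line, then the command prints it), which looks unintended.
```makefile
ifeq ($(ISSUER_KMS_ETH_PROVIDER), aws)
	@docker build --build-arg ISSUER_KMS_ETH_PROVIDER_AWS_ACCESS_KEY=$(aws_access_key) \
		--build-arg ISSUER_KMS_ETH_PROVIDER_AWS_SECRET_KEY=$(aws_secret_key) \
		--build-arg ISSUER_KMS_ETH_PROVIDER_AWS_REGION=$(aws_region) -t privadoid-kms-importer -f ./Dockerfile-kms-importer .
	$(eval keyID = $(shell docker run --rm -v ./.env-issuer:/.env-issuer \
		-v $(ISSUER_KMS_PROVIDER_LOCAL_STORAGE_FILE_PATH)/kms_localstorage_keys.json:/localstoragekeys/kms_localstorage_keys.json \
		--network issuer-network \
		privadoid-kms-importer ./kms_priv_key_importer --privateKey=$(private_key) 2>&1 \
		| tee /dev/stderr | grep -o 'key created keyId=[^ ]*' | sed 's/.*keyId=//'))
	@if [ -n "$(keyID)" ]; then \
		docker run --rm -v ./.env-issuer:/.env-issuer --network issuer-network \
			privadoid-kms-importer sh ./aws_kms_material_key_importer.sh $(private_key) $(keyID) privadoid; \
	else \
		echo "something went wrong because keyID is empty"; exit 1; \
	fi
# … unchanged: localstorage/vault branch …
endif
```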
@@ -26,9 +26,9 @@ import (
 )
 const (
-	issuerKMSETHPlugin = "ISSUER_KMS_ETH_PLUGIN"
+	issuerKMSETHPlugin = "ISSUER_KMS_ETH_PROVIDER"
 	issuerPublishKeyPath = "ISSUER_PUBLISH_KEY_PATH"
-	issuerKmsPluginLocalStorageFilePath = "ISSUER_KMS_PLUGIN_LOCAL_STORAGE_FILE_PATH"
+	issuerKmsPluginLocalStorageFilePath = "ISSUER_KMS_PROVIDER_LOCAL_STORAGE_FILE_PATH"
 	issuerKeyStoreToken = "ISSUER_KEY_STORE_TOKEN"
 	issuerKeyStoreAddress = "ISSUER_KEY_STORE_ADDRESS"
 	issuerKeyStorePluginIden3MountPath = "ISSUER_KEY_STORE_PLUGIN_IDEN3_MOUNT_PATH"
@@ -79,7 +79,7 @@ func main() {
 	issuerKmsPluginLocalStorageFilePath := os.Getenv(issuerKmsPluginLocalStorageFilePath)
 	if issuerKMSEthPluginVar != config.LocalStorage && issuerKMSEthPluginVar != config.Vault && issuerKMSEthPluginVar != config.AWS {
-		log.Error(ctx, "issuer kms eth plugin is not set or is not local storage or vault or aws", "plugin: ", issuerKMSEthPluginVar)
+		log.Error(ctx, "issuer kms eth provider is not set or is not localstorage or vault or aws", "plugin: ", issuerKMSEthPluginVar)
 		return
 	}
diff --git a/cmd/kms_priv_key_importer/readme.md b/cmd/kms_priv_key_importer/readme.md
index 0abbaf054..a7d02e09e 100644
--- a/cmd/kms_priv_key_importer/readme.md
+++ b/cmd/kms_priv_key_importer/readme.md
@@ -12,7 +12,7 @@ ISSUER_KMS_ETH_PROVIDER=aws
 # if the plugin is localstorage, you can specify the file path (default path is current directory)
 # Important!!!: this path must be the same as the one used by the issuer node (defined in .env-issuer file)
-ISSUER_KMS_PROVIDER_LOCAL_STORAGE_FILE_PATH=
+ISSUER_KMS_PROVIDER_LOCAL_STORAGE_FILE_PATH=./localstoragekeys
 # If the plugin is AWS for ETH keys you need to specify the key id and secret key
 ISSUER_KMS_ETH_PLUGIN_AWS_ACCESS_KEY=XXX
@@ -81,9 +81,9 @@ if you get `Key material successfully imported!!!` message, then your private ke
 In the root project folder run:
 ```shell
-docker build --build-arg ISSUER_KMS_ETH_PLUGIN_AWS_ACCESS_KEY=XXXX \
- --build-arg ISSUER_KMS_ETH_PLUGIN_AWS_SECRET_KEY=YYYY \
- --build-arg ISSUER_KMS_ETH_PLUGIN_AWS_REGION=eu-west-1 -t privadoid-kms-importer -f ./Dockerfile-kms-importer .
+docker build --build-arg ISSUER_KMS_ETH_PROVIDER_AWS_ACCESS_KEY=XXXX \
+ --build-arg ISSUER_KMS_ETH_PROVIDER_AWS_SECRET_KEY=YYYY \
+ --build-arg ISSUER_KMS_ETH_PROVIDER_AWS_REGION=ZZZZ -t privadoid-kms-importer -f ./Dockerfile-kms-importer .
 ```
 after the docker image is created run the following command (make sure you have the .env-issuer with your env vars):