algolia · jjacque · Jun 11, 2024 · Jun 9, 2024 · Jun 9, 2024 · Jun 9, 2024
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -0,0 +1,76 @@
+version: 2.1
+
+executors:
+  golang:
+    docker:
+      - image: cimg/go:1.21
+
+jobs:
+  lint:
+    executor: golang
+    steps:
+      - checkout
+      # Download and cache dependencies
+      - restore_cache: &restore-cache
+          keys:
+            - go-mod-{{ checksum "go.sum" }}
+      - run:
+          name: Install dependencies
+          command: |
+            go mod download
+            # This a crappy fix as https://github.com/hashicorp/go-secure-stdlib/pull/125 has not been merged
+            CPVER="$(go list -m -json "github.com/hashicorp/go-secure-stdlib/plugincontainer"| jq -r '.Version')"
+            if [ "${CPVER}" = "v0.3.0" ]
+            then
+              CPDIR="$(go list -m -json "github.com/hashicorp/go-secure-stdlib/plugincontainer"| jq -r '.Dir')"
+              sudo sed -i 's@types\.Container@container.@g' "${CPDIR}/container_runner.go"
+            fi
+      - run:
+          name: Go fmt
+          command: |
+            RES="$(gofmt -s -l .)"
+            if [ -n "${RES}" ]
+            then
+              echo "${RES}"
+              exit 1
+            fi
+      - run:
+          name: Install golangci-lint
+          command: curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin v1.54.2
+      - run:
+          name: GolangCI Lint
+          command: golangci-lint run --timeout 300s
+      - save_cache: &save-cache
+          paths:
+            - /home/circleci/go/pkg/mod
+          key: go-mod-{{ checksum "go.sum" }}
+  test:
+    executor: golang
+    steps:
+      - checkout
+      - restore_cache:
+          <<: *restore-cache
+      - run:
+          name: Install dependencies
+          command: |
+            go mod download
+            CPVER="$(go list -m -json "github.com/hashicorp/go-secure-stdlib/plugincontainer"| jq -r '.Version')"
+            if [ "${CPVER}" = "v0.3.0" ]
+            then
+              CPDIR="$(go list -m -json "github.com/hashicorp/go-secure-stdlib/plugincontainer"| jq -r '.Dir')"
+              sudo sed -i 's@types\.Container@container.@g' "${CPDIR}/container_runner.go"
+            fi
+      - run:
+          name: Test
+          command: |
+            make test
+      - save_cache:
+          <<: *save-cache
+
+workflows:
+  lint_test:
+    jobs:
+      - lint
+      - test:
+          requires:
+            - lint
diff --git a/.codacy.yml b/.codacy.yml
@@ -0,0 +1,3 @@
+---
+exclude_paths:
+  - "internal/*test.go"
diff --git a/.dockerignore b/.dockerignore
@@ -0,0 +1,5 @@
+CODEOWNERS
+LICENSE
+Makefile
+README.md
+deploy
diff --git a/.gitignore b/.gitignore
@@ -3,5 +3,6 @@ vendor/**/
 nginx/**/
 static/.well-known
 *.pem
-sup3rS3cretMes5age
+*.key
+/sup3rS3cretMes5age
 .DS_Store
diff --git a/Makefile b/Makefile
@@ -4,28 +4,42 @@ TARGET_OS ?= linux
 # When developing locally, change this to whatever fqdn you are using for 127.0.0.1
 DOMAIN ?= localhost
 
+COMPOSE_OPTS := -f deploy/docker-compose.yml
+DOCKER_OPS := -f deploy/Dockerfile
+
+TAG=$(shell git describe --tags --abbrev=0)
+VERSION=$(shell echo "$(TAG)" | sed -e 's/^v//')
+COMMIT=$(shell git rev-parse --short HEAD)
 
 test:
 	go test ./... -v
 
+image:
+	docker build \
+		--build-arg VERSION=${VERSION} \
+		-t algolia/supersecretmessage:${VERSION} \
+		-t algolia/supersecretmessage:${COMMIT} \
+		-t algolia/supersecretmessage:latest \
+		$(DOCKER_OPS) .
+
 build: 
-	@docker-compose build
+	@docker compose $(COMPOSE_OPTS) build
 
 clean:
-	@docker-compose rm -fv
+	@docker compose $(COMPOSE_OPTS) rm -fv
 
 run-local: clean
         @DOMAIN=$(DOMAIN) \
-        docker-compose up --build -d
+	docker compose $(COMPOSE_OPTS) up --build -d
 
 run: 
 	@DOMAIN=$(DOMAIN) \
-        docker-compose up --build -d
+        docker compose $(COMPOSE_OPTS) up --build -d
 
 logs:
-	@docker-compose logs -f
+	@docker compose $(COMPOSE_OPTS) logs -f
 
 stop:
-	@docker-compose stop
+	@docker compose $(COMPOSE_OPTS) stop
 
-.PHONY: test build clean run-local run logs stop
+.PHONY: test image build clean run-local run logs stop
diff --git a/README.md b/README.md
@@ -1,4 +1,4 @@
-# sup3rS3cretMes5age!
+# sup3rS3cretMes5age
 
 A simple, secure self-destructing message service, using HashiCorp Vault product as a backend.
 
@@ -12,30 +12,32 @@ Now using [Let's Encrypt](https://letsencrypt.org/) for simple and free SSL cert
 
 ### Testing it locally
 
-You can just run `docker-compose up --build`: it will build the Docker image and then run it alongside a standalone Vault server.
+You can just run `docker-compose up -f deploy/docker-compose.yml --build` or run `make build`: it will build the Docker image and then run it alongside a standalone Vault server.
 
-By default, the `docker-compose.yml` is configured to run the webapp on port 8082 in cleartext HTTP (so you can access it on [http://localhost:8082](http://localhost:8082)).
+By default, the `deploy/docker-compose.yml` is configured to run the webapp on port 8082 in cleartext HTTP (so you can access it on [http://localhost:8082](http://localhost:8082)).
 
-Optionally, you can modify the `docker-compose.yml` and tweak the options (enable HTTPS, disable HTTP or enable redirection to HTTPS, etc.). See [Configuration options](#configuration-options).
+Optionally, you can modify the `deploy/docker-compose.yml` and tweak the options (enable HTTPS, disable HTTP or enable redirection to HTTPS, etc.). See [Configuration options](#configuration-options).
 
 ### Production Deployment
 
 We recommend deploying the project via **Docker** and a **container orchestration tool**:
-* Build the Docker image using the provided `Dockerfile`
+
+* Build the Docker image using the provided `Dockerfile` or run `make image`
 * Host it in a Docker registry ([Docker Hub](https://hub.docker.com/), [AWS ECR](https://aws.amazon.com/ecr/), etc.)
 * Deploy the image (alongside with a standalone Vault server) using a container orchestration tool ([Kubernetes](https://kubernetes.io/), [Docker Swarm](https://docs.docker.com/engine/swarm/), [AWS ECS](https://aws.amazon.com/ecs/), etc.)
 
 You can read the [configuration examples](#configuration-examples) below.
 
-### Security notice!
+### Security notice
 
 Whatever deployment method you choose, **you should always run this behind SSL/TLS**, otherwise secrets will be sent _unencrypted_!
 
 Depending on your infrastructure/deployment, you can have **TLS termination** either _inside the container_ (see [Configuration examples - TLS](#tls)), or _before_ e.g. at a load balancer/reverse proxy in front of the service.
 It is interesting to have TLS termination before the container so you don't have to manage the certificate/key there, but **make sure the network** between your TLS termination point and your container **is secure**.
 
 ## Helm
-For full documentation for this chart, please see the [README](https://github.com/algolia/sup3rS3cretMes5age/blob/master/charts/README.md)
+
+For full documentation for this chart, please see the [README](https://github.com/algolia/sup3rS3cretMes5age/blob/master/deployments/charts/README.md)
 
 ## Configuration options
 
@@ -49,7 +51,8 @@ For full documentation for this chart, please see the [README](https://github.co
 * `SUPERSECRETMESSAGE_TLS_CERT_KEY_FILEPATH`: certificate key filepath to use for "manual" TLS.
 * `SUPERSECRETMESSAGE_VAULT_PREFIX`: vault prefix for secrets (default `cubbyhole/`)
 
-## Configuration example
+## Configuration examples
+
 Here is an example of a functionnal docker-compose.yml file
 ```yaml
 version: '3.2'
@@ -86,6 +89,7 @@ services:
 ### Configuration types
 
 #### Plain HTTP
+
 ```bash
 VAULT_ADDR=http://vault:8200
 VAULT_TOKEN=root
@@ -96,6 +100,7 @@ SUPERSECRETMESSAGE_HTTP_BINDING_ADDRESS=:80
 #### TLS
 
 ##### Auto TLS
+
 ```bash
 VAULT_ADDR=http://vault:8200
 VAULT_TOKEN=root
@@ -105,6 +110,7 @@ SUPERSECRETMESSAGE_TLS_AUTO_DOMAIN=secrets.example.com
 ```
 
 ##### Auto TLS with HTTP > HTTPS redirection
+
 ```bash
 VAULT_ADDR=http://vault:8200
 VAULT_TOKEN=root
@@ -116,6 +122,7 @@ SUPERSECRETMESSAGE_TLS_AUTO_DOMAIN=secrets.example.com
 ```
 
 ##### Manual TLS
+
 ```bash
 VAULT_ADDR=http://vault:8200
 VAULT_TOKEN=root
@@ -127,15 +134,15 @@ SUPERSECRETMESSAGE_TLS_CERT_KEY_FILEPATH=/mnt/ssl/key_secrets.example.com.pem
 
 ## Screenshot
 
-<img width="610" alt="secretmsg" src="https://user-images.githubusercontent.com/357094/29357449-e9268adc-8277-11e7-8fef-b1eabfe62444.png">
+![supersecretmsg](https://user-images.githubusercontent.com/357094/29357449-e9268adc-8277-11e7-8fef-b1eabfe62444.png)
 
 ## Contributing
 
 Pull requests are very welcome!
 Please consider that they will be reviewed by our team at Algolia.
 
 
-## Thanks!
+## Thanks
 
 This project is heavaily depandent on the amazing work of the [Echo Go Web Framework](https://github.com/labstack/echo) and Hashicorp Vault. 
 

diff --git a/cmd/sup3rS3cretMes5age/main.go b/cmd/sup3rS3cretMes5age/main.go
@@ -0,0 +1,23 @@
+package main
+
+import (
+	"flag"
+	"fmt"
+	"os"
+
+	"github.com/algolia/sup3rS3cretMes5age/internal"
+)
+
+var version = ""
+
+func main() {
+	versionFlag := flag.Bool("version", false, "Print version")
+	flag.Parse()
+	if *versionFlag {
+		fmt.Println(version)
+		os.Exit(0)
+	}
+
+	conf := internal.LoadConfig()
+	internal.Serve(conf)
+}
diff --git a/Dockerfile → deploy/Dockerfile b/Dockerfile → deploy/Dockerfile
@@ -1,15 +1,21 @@
-FROM golang:1.18 AS builder
+FROM golang:1.21 AS builder
 
 WORKDIR /go/src/github.com/algolia/sup3rS3cretMes5age
 
-ADD . .
+ARG VERSION
 
+COPY . .
 RUN go mod download
-RUN CGO_ENABLED=0 GOOS=linux go build -o sup3rS3cretMes5age .
+RUN CGO_ENABLED=0 GOOS=linux go build -trimpath -a -ldflags "-X main.version=${VERSION} -s -w -extldflags '-static'" -o /tmp/sup3rS3cretMes5age cmd/sup3rS3cretMes5age/main.go
 
 
 FROM alpine:latest
 
+WORKDIR /opt/supersecret
+
+COPY --from=builder /tmp/sup3rS3cretMes5age .
+COPY web/static/ /opt/supersecret/static/
+
 ENV \
     VAULT_ADDR \
     VAULT_TOKEN \
@@ -21,13 +27,7 @@ ENV \
     SUPERSECRETMESSAGE_TLS_CERT_KEY_FILEPATH \
     SUPERSECRETMESSAGE_VAULT_PREFIX
 
-RUN \
-    apk add --no-cache ca-certificates ;\
-    mkdir -p /opt/supersecret/static
-
-WORKDIR /opt/supersecret
+RUN apk add --no-cache ca-certificates
 
-COPY --from=builder /go/src/github.com/algolia/sup3rS3cretMes5age/sup3rS3cretMes5age .
-COPY static /opt/supersecret/static
 
-CMD [ "./sup3rS3cretMes5age" ]
+CMD ["./sup3rS3cretMes5age" ]
diff --git a/charts/README.md → deploy/charts/README.md b/charts/README.md → deploy/charts/README.md
@@ -11,12 +11,11 @@ Kubernetes cluster.
 
 The versions required are:
 
-  * **Helm 3.6+**
-  * **Vault 1.10+**
-  * **Kubernetes 1.22+** - This is the earliest version of Kubernetes tested.
-    It is possible that this chart works with earlier versions but it is
-    untested.
-
+* **Helm 3.6+**
+* **Vault 1.10+**
+* **Kubernetes 1.22+** - This is the earliest version of Kubernetes tested.
+  It is possible that this chart works with earlier versions but it is
+  untested.
 
 > :warning: **Please note**: Setting up Kubernetes, Helm and Vault is outside the scope of
 this README. Please refer to the [Kubernetes](https://kubernetes.io/docs/home/), [Helm](https://helm.sh/docs/intro/install/) and [Vault](https://developer.hashicorp.com/vault/tutorials/kubernetes/kubernetes-raft-deployment-guide) documentation. You can install the last one as a [Chart](https://developer.hashicorp.com/vault/docs/platform/k8s/helm).
diff --git a/charts/supersecretmessage/.helmignore → deploy/charts/supersecretmessage/.helmignore b/charts/supersecretmessage/.helmignore → deploy/charts/supersecretmessage/.helmignore
diff --git a/charts/supersecretmessage/Chart.yaml → deploy/charts/supersecretmessage/Chart.yaml b/charts/supersecretmessage/Chart.yaml → deploy/charts/supersecretmessage/Chart.yaml
diff --git a/...ts/supersecretmessage/templates/NOTES.txt → ...ts/supersecretmessage/templates/NOTES.txt b/...ts/supersecretmessage/templates/NOTES.txt → ...ts/supersecretmessage/templates/NOTES.txt
diff --git a/...supersecretmessage/templates/_helpers.tpl → ...supersecretmessage/templates/_helpers.tpl b/...supersecretmessage/templates/_helpers.tpl → ...supersecretmessage/templates/_helpers.tpl
diff --git a/...ersecretmessage/templates/deployment.yaml → ...ersecretmessage/templates/deployment.yaml b/...ersecretmessage/templates/deployment.yaml → ...ersecretmessage/templates/deployment.yaml
diff --git a/charts/supersecretmessage/templates/hpa.yaml → ...rts/supersecretmessage/templates/hpa.yaml b/charts/supersecretmessage/templates/hpa.yaml → ...rts/supersecretmessage/templates/hpa.yaml
diff --git a/...supersecretmessage/templates/ingress.yaml → ...supersecretmessage/templates/ingress.yaml b/...supersecretmessage/templates/ingress.yaml → ...supersecretmessage/templates/ingress.yaml
diff --git a/...supersecretmessage/templates/service.yaml → ...supersecretmessage/templates/service.yaml b/...supersecretmessage/templates/service.yaml → ...supersecretmessage/templates/service.yaml
diff --git a/...cretmessage/templates/serviceaccount.yaml → ...cretmessage/templates/serviceaccount.yaml b/...cretmessage/templates/serviceaccount.yaml → ...cretmessage/templates/serviceaccount.yaml
diff --git a/charts/supersecretmessage/values.yaml → deploy/charts/supersecretmessage/values.yaml b/charts/supersecretmessage/values.yaml → deploy/charts/supersecretmessage/values.yaml
@@ -5,7 +5,7 @@
 replicaCount: 1
 
 image:
-  repository: zeusal/supersecretmessage
+  repository: algolia/supersecretmessage
   pullPolicy: IfNotPresent
   # Overrides the image tag whose default is the chart appVersion.
   tag: "0.2.5"

diff --git a/docker-compose.yml → deploy/docker-compose.yml b/docker-compose.yml → deploy/docker-compose.yml
@@ -2,23 +2,30 @@ version: '3.2'
 
 services:
   vault:
-    image: vault:latest
+    image: hashicorp/vault:latest
     container_name: vault
     environment:
       VAULT_DEV_ROOT_TOKEN_ID: supersecret
     cap_add:
       - IPC_LOCK
+    security_opt:
+      - no-new-privileges:true
     expose:
       - 8200
 
   supersecret:
-    build: ./
+    build:
+      context: ../
+      dockerfile: deploy/Dockerfile
     image: algolia/supersecretmessage:latest
     container_name: supersecret
     environment:
       VAULT_ADDR: http://vault:8200
       VAULT_TOKEN: supersecret
       SUPERSECRETMESSAGE_HTTP_BINDING_ADDRESS: ":8082"
+    security_opt:
+      - no-new-privileges:true
+    read_only: true
     ports:
       - "8082:8082"
     depends_on: