Date:      Wed, 14 Jul 2021 08:50:22 GMT
From:      "Tobias C. Berner" <tcberner@FreeBSD.org>
To:        ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
Subject:   git: 291bf5665200 - main - security/certmgr: new port
Message-ID:  <202107140850.16E8oMva006729@gitrepo.freebsd.org>

The branch main has been updated by tcberner:

URL: https://cgit.FreeBSD.org/ports/commit/?id=291bf5665200779fb18d026c418de8a1b1633569

commit 291bf5665200779fb18d026c418de8a1b1633569
Author:     Robert Clausecker <fuz@fuz.su>
AuthorDate: 2021-07-04 21:36:21 +0000
Commit:     Tobias C. Berner <tcberner@FreeBSD.org>
CommitDate: 2021-07-14 08:43:50 +0000

    security/certmgr: new port
    
    certmgr is a tool for managing certificates using CFSSL. It does the
    following:
    
     - Ensures certificates are present.
     - Renews certificates before they expire.
     - Triggers a service reload or restart on certificate updates.
    
    It operates on certificate specs, which are JSON files containing the
    information needed to generate a certificate.
    
    WWW: https://github.com/cloudflare/certmgr
    
    PR:             256992
---
 security/Makefile                                  |  1 +
 security/certmgr/Makefile                          | 64 ++++++++++++++++++++++
 security/certmgr/distinfo                          | 63 +++++++++++++++++++++
 security/certmgr/files/certmgr.yaml.sample.in      | 47 ++++++++++++++++
 security/certmgr/files/patch-README.md             | 18 ++++++
 .../certmgr/files/patch-certmgr_cmd_genconfig.go   | 15 +++++
 security/certmgr/files/patch-certmgr_cmd_root.go   | 20 +++++++
 security/certmgr/files/pkg-message.in              |  3 +
 security/certmgr/pkg-descr                         | 11 ++++
 security/certmgr/pkg-plist                         |  5 ++
 10 files changed, 247 insertions(+)

diff --git a/security/Makefile b/security/Makefile
index ee872ea21ec1..10de3f733ad4 100644
--- a/security/Makefile
+++ b/security/Makefile
@@ -68,6 +68,7 @@
     SUBDIR += cargo-audit
     SUBDIR += ccrypt
     SUBDIR += ccsrch
+    SUBDIR += certmgr
     SUBDIR += cfs
     SUBDIR += cfssl
     SUBDIR += chaosreader
diff --git a/security/certmgr/Makefile b/security/certmgr/Makefile
new file mode 100644
index 000000000000..17677ae8e0dc
--- /dev/null
+++ b/security/certmgr/Makefile
@@ -0,0 +1,64 @@
+PORTNAME=	certmgr
+DISTVERSIONPREFIX=	v
+DISTVERSION=	3.0.3
+CATEGORIES=	security net
+
+MAINTAINER=	fuz@fuz.su
+COMMENT=	Automated certificate management using a CFSSL CA
+
+LICENSE=	BSD2CLAUSE
+LICENSE_FILE=	${WRKSRC}/LICENSE
+
+RUN_DEPENDS=	bash:shells/bash
+
+USES=		go:modules
+USE_GITHUB=	yes
+GH_ACCOUNT=	cloudflare
+GH_TUPLE=	beorn7:perks:v1.0.0:beorn7_perks/vendor/github.com/beorn7/perks \
+		cenkalti:backoff:v2.2.1:cenkalti_backoff/vendor/github.com/cenkalti/backoff \
+		cloudflare:backoff:647f3cdfc87a:cloudflare_backoff/vendor/github.com/cloudflare/backoff \
+		cloudflare:cfssl:2001f384ec4f:cloudflare_cfssl/vendor/github.com/cloudflare/cfssl \
+		fsnotify:fsnotify:v1.4.7:fsnotify_fsnotify/vendor/github.com/fsnotify/fsnotify \
+		go-yaml:yaml:v2.2.2:go_yaml_yaml/vendor/gopkg.in/yaml.v2 \
+		golang:crypto:5c40567a22f8:golang_crypto/vendor/golang.org/x/crypto \
+		golang:protobuf:v1.3.1:golang_protobuf/vendor/github.com/golang/protobuf \
+		golang:sys:5ed2794edfdc:golang_sys/vendor/golang.org/x/sys \
+		golang:text:v0.3.2:golang_text/vendor/golang.org/x/text \
+		google:certificate-transparency-go:v1.0.21:google_certificate_transparency_go/vendor/github.com/google/certificate-transparency-go \
+		hashicorp:hcl:v1.0.0:hashicorp_hcl/vendor/github.com/hashicorp/hcl \
+		inconshreveable:mousetrap:v1.0.0:inconshreveable_mousetrap/vendor/github.com/inconshreveable/mousetrap \
+		konsorten:go-windows-terminal-sequences:v1.0.2:konsorten_go_windows_terminal_sequences/vendor/github.com/konsorten/go-windows-terminal-sequences \
+		magiconair:properties:v1.8.1:magiconair_properties/vendor/github.com/magiconair/properties \
+		matttproud:golang_protobuf_extensions:v1.0.1:matttproud_golang_protobuf_extensions/vendor/github.com/matttproud/golang_protobuf_extensions \
+		mitchellh:mapstructure:v1.1.2:mitchellh_mapstructure/vendor/github.com/mitchellh/mapstructure \
+		pelletier:go-toml:v1.4.0:pelletier_go_toml/vendor/github.com/pelletier/go-toml \
+		pkg:errors:7f95ac13edff:pkg_errors/vendor/github.com/pkg/errors \
+		prometheus:client_golang:v0.9.4:prometheus_client_golang/vendor/github.com/prometheus/client_golang \
+		prometheus:client_model:fd36f4220a90:prometheus_client_model/vendor/github.com/prometheus/client_model \
+		prometheus:common:v0.4.1:prometheus_common/vendor/github.com/prometheus/common \
+		prometheus:procfs:v0.0.2:prometheus_procfs/vendor/github.com/prometheus/procfs \
+		sirupsen:logrus:v1.4.2:sirupsen_logrus/vendor/github.com/sirupsen/logrus \
+		spf13:afero:v1.2.2:spf13_afero/vendor/github.com/spf13/afero \
+		spf13:cast:v1.3.0:spf13_cast/vendor/github.com/spf13/cast \
+		spf13:cobra:v0.0.5:spf13_cobra/vendor/github.com/spf13/cobra \
+		spf13:jwalterweatherman:v1.1.0:spf13_jwalterweatherman/vendor/github.com/spf13/jwalterweatherman \
+		spf13:pflag:v1.0.3:spf13_pflag/vendor/github.com/spf13/pflag \
+		spf13:viper:v1.4.0:spf13_viper/vendor/github.com/spf13/viper
+
+GO_TARGET=	./certmgr
+SUB_FILES=	certmgr.yaml.sample pkg-message
+
+post-patch:
+	${REINPLACE_CMD} -e 's,%%ETCDIR%%,${ETCDIR},' \
+	    ${WRKSRC}/certmgr/cmd/genconfig.go \
+	    ${WRKSRC}/certmgr/cmd/root.go \
+	    ${WRKSRC}/README.md
+
+post-install:
+	${MKDIR} ${STAGEDIR}${ETCDIR}
+	${MKDIR} ${STAGEDIR}${ETCDIR}.d
+	${MKDIR} ${STAGEDIR}${DOCSDIR}
+	${INSTALL_MAN} ${WRKSRC}/README.md ${WRKSRC}/SPEC.rst ${STAGEDIR}${DOCSDIR}/
+	${INSTALL_DATA} ${WRKDIR}/certmgr.yaml.sample ${STAGEDIR}${ETCDIR}/
+
+.include <bsd.port.mk>
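Review bot: The post-install target copies README.md and SPEC.rst into DOCSDIR with `${INSTALL_MAN}`, which is the macro for manual pages; documentation files go in with `${INSTALL_DATA} ${WRKSRC}/README.md ${WRKSRC}/SPEC.rst ${STAGEDIR}${DOCSDIR}/`, and by convention the step sits under a `post-install-DOCS-on:` target with `OPTIONS_DEFINE= DOCS`, with the two pkg-plist entries then prefixed `%%PORTDOCS%%`. The `RUN_DEPENDS= bash:shells/bash` line is not explained by anything else in the commit; a one-line comment above it naming which part of certmgr needs bash at run time would spare the next maintainer a search. The `${MKDIR} ${STAGEDIR}${ETCDIR}.d` line and the plist's `@dir %%ETCDIR%%.d` agree, which is good, since that directory is where the certificate specs the daemon acts on will live.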
diff --git a/security/certmgr/distinfo b/security/certmgr/distinfo
new file mode 100644
index 000000000000..4fb2c7f0e4c9
--- /dev/null
+++ b/security/certmgr/distinfo
@@ -0,0 +1,63 @@
+TIMESTAMP = 1625430800
+SHA256 (cloudflare-certmgr-v3.0.3_GH0.tar.gz) = 61c1b23cd11224eab8f1f11b96a3b5753019b515a5fc0a0ae668145a616129d8
+SIZE (cloudflare-certmgr-v3.0.3_GH0.tar.gz) = 2633953
+SHA256 (beorn7-perks-v1.0.0_GH0.tar.gz) = b69d92e2e84b7d510dfa6110d3ac4ada0096a6c81190c5e174aa888bfe475cbc
+SIZE (beorn7-perks-v1.0.0_GH0.tar.gz) = 10866
+SHA256 (cenkalti-backoff-v2.2.1_GH0.tar.gz) = a2c29d0184e7afc415975cf2689723028d2686ffbb67fe0999ab1d691e6d16db
+SIZE (cenkalti-backoff-v2.2.1_GH0.tar.gz) = 8623
+SHA256 (cloudflare-backoff-647f3cdfc87a_GH0.tar.gz) = d2162141b0a093de7b43434b3ce1013d0e88f1149c52b1a26b94a5e95f313c04
+SIZE (cloudflare-backoff-647f3cdfc87a_GH0.tar.gz) = 4752
+SHA256 (cloudflare-cfssl-2001f384ec4f_GH0.tar.gz) = f2d349d3c06496766368eba907cea298432aa711f38eea70383fa896001277e2
+SIZE (cloudflare-cfssl-2001f384ec4f_GH0.tar.gz) = 5007843
+SHA256 (fsnotify-fsnotify-v1.4.7_GH0.tar.gz) = b7530d973d0ab0e58ad8ce1b9a4b963d6f57b3d72f2f9e13d49846976361b1cd
+SIZE (fsnotify-fsnotify-v1.4.7_GH0.tar.gz) = 31139
+SHA256 (go-yaml-yaml-v2.2.2_GH0.tar.gz) = 42c3e4ef9eca2860d22b3c6c5582c6c13fb4b417e5ebc1acc56ee5e2c4ddcaff
+SIZE (go-yaml-yaml-v2.2.2_GH0.tar.gz) = 70656
+SHA256 (golang-crypto-5c40567a22f8_GH0.tar.gz) = d6ca43aa1a344adee0c1f45ad31172e0d195b6e17ea269dfd212c2c203a58cf0
+SIZE (golang-crypto-5c40567a22f8_GH0.tar.gz) = 1690710
+SHA256 (golang-protobuf-v1.3.1_GH0.tar.gz) = 3f3a6123054a9847093c119895f1660612f301fe95358f3a6a1a33fd0933e6cf
+SIZE (golang-protobuf-v1.3.1_GH0.tar.gz) = 310884
+SHA256 (golang-sys-5ed2794edfdc_GH0.tar.gz) = c442f47a1bc5d4bf384d1f1389652035fab6ee03485038c2e58af39269c0c0f9
+SIZE (golang-sys-5ed2794edfdc_GH0.tar.gz) = 1434109
+SHA256 (golang-text-v0.3.2_GH0.tar.gz) = 0b9309698f5708531c5377ab1e29b423a6d9e20c55a8d386c3b8283428212f22
+SIZE (golang-text-v0.3.2_GH0.tar.gz) = 7168069
+SHA256 (google-certificate-transparency-go-v1.0.21_GH0.tar.gz) = 6f9f8b67f19ee6be7b0261342cbd69db13559f40945441a9dfe2db5bf0eae25b
+SIZE (google-certificate-transparency-go-v1.0.21_GH0.tar.gz) = 4401179
+SHA256 (hashicorp-hcl-v1.0.0_GH0.tar.gz) = 50632428210503070fd2fde748c88b7414bf84a6a0eadebf9d8e596a033bead2
+SIZE (hashicorp-hcl-v1.0.0_GH0.tar.gz) = 70658
+SHA256 (inconshreveable-mousetrap-v1.0.0_GH0.tar.gz) = 5edc7731c819c305623568e317aa253d342be3447def97f1fa9e10eb5ad819f6
+SIZE (inconshreveable-mousetrap-v1.0.0_GH0.tar.gz) = 2290
+SHA256 (konsorten-go-windows-terminal-sequences-v1.0.2_GH0.tar.gz) = e61f6422c7d1222c4c642b9134e5a4576a89ff651ef947487faa8ef33b6b4cfe
+SIZE (konsorten-go-windows-terminal-sequences-v1.0.2_GH0.tar.gz) = 1987
+SHA256 (magiconair-properties-v1.8.1_GH0.tar.gz) = 4449df3d2be86608bfc997228f66f1cff57bf620cc5bf9ba44339c7e4c5612dd
+SIZE (magiconair-properties-v1.8.1_GH0.tar.gz) = 29735
+SHA256 (matttproud-golang_protobuf_extensions-v1.0.1_GH0.tar.gz) = 2def0ee6f6b12b1efc0e3007d89f598608a072610e805c3655ea9d13c3ead49b
+SIZE (matttproud-golang_protobuf_extensions-v1.0.1_GH0.tar.gz) = 37184
+SHA256 (mitchellh-mapstructure-v1.1.2_GH0.tar.gz) = 53fbc06b125ff1c9c73a4eb1764346932671a29c67a45a92e2ebc6855635069b
+SIZE (mitchellh-mapstructure-v1.1.2_GH0.tar.gz) = 20980
+SHA256 (pelletier-go-toml-v1.4.0_GH0.tar.gz) = 04fb4855a64495c0c055c83b8a3446cabc6bfa4830eb458816370db38c0e67b0
+SIZE (pelletier-go-toml-v1.4.0_GH0.tar.gz) = 73274
+SHA256 (pkg-errors-7f95ac13edff_GH0.tar.gz) = 4e9ca579db7a8aae95f9e696d8e9bcb76e8cbf6ae57803b647096cebdca39d6a
+SIZE (pkg-errors-7f95ac13edff_GH0.tar.gz) = 12515
+SHA256 (prometheus-client_golang-v0.9.4_GH0.tar.gz) = d2a5856d9c43fcbf757d6ecd6e3a88312b90d2c9fec63647ee597eb09f120044
+SIZE (prometheus-client_golang-v0.9.4_GH0.tar.gz) = 142795
+SHA256 (prometheus-client_model-fd36f4220a90_GH0.tar.gz) = 17571c708bab9a1ba18d9dd0c9bfe96dff3f1b84c63e7d8d4c3489ef5c34ee40
+SIZE (prometheus-client_model-fd36f4220a90_GH0.tar.gz) = 57491
+SHA256 (prometheus-common-v0.4.1_GH0.tar.gz) = 99229ef4b100e55d1e6496995f1a1af6813426b8820521bc041340eb077985b9
+SIZE (prometheus-common-v0.4.1_GH0.tar.gz) = 98631
+SHA256 (prometheus-procfs-v0.0.2_GH0.tar.gz) = ad1d1f1328a1c394b30225b939ed39482ba54de7be70d439c0555d68857457d5
+SIZE (prometheus-procfs-v0.0.2_GH0.tar.gz) = 78550
+SHA256 (sirupsen-logrus-v1.4.2_GH0.tar.gz) = 67f2ddf467b7e63d2d2529d227946a331e245aeef7e2e4521ae82647b5ef84d9
+SIZE (sirupsen-logrus-v1.4.2_GH0.tar.gz) = 41373
+SHA256 (spf13-afero-v1.2.2_GH0.tar.gz) = b577afca7e9839aa7cf0ddd712af553aec671b74f97fe0c88c63f911d1020570
+SIZE (spf13-afero-v1.2.2_GH0.tar.gz) = 46157
+SHA256 (spf13-cast-v1.3.0_GH0.tar.gz) = e685282ea33f89e9354d148ad1886f532bcebe86b0b60a167988f7c6d081085f
+SIZE (spf13-cast-v1.3.0_GH0.tar.gz) = 11085
+SHA256 (spf13-cobra-v0.0.5_GH0.tar.gz) = 79226ce00e2b91306277e679d024eea6d17d0c02fc671555fd25df0c3ea07423
+SIZE (spf13-cobra-v0.0.5_GH0.tar.gz) = 111126
+SHA256 (spf13-jwalterweatherman-v1.1.0_GH0.tar.gz) = 4fd850a792c5738954c4801cf549d8d0bf53edd17139cd39d179aa5abf7ec68d
+SIZE (spf13-jwalterweatherman-v1.1.0_GH0.tar.gz) = 6871
+SHA256 (spf13-pflag-v1.0.3_GH0.tar.gz) = 9e57f86f493f04d9077fccd04e7139ebf243dd544e917ab83d35729b3e54a124
+SIZE (spf13-pflag-v1.0.3_GH0.tar.gz) = 46002
+SHA256 (spf13-viper-v1.4.0_GH0.tar.gz) = ee522a00960a36db8f83c820a85fce99a177db2b022697e5c1881cd852d9c4c0
+SIZE (spf13-viper-v1.4.0_GH0.tar.gz) = 44183
diff --git a/security/certmgr/files/certmgr.yaml.sample.in b/security/certmgr/files/certmgr.yaml.sample.in
new file mode 100644
index 000000000000..61d5e7964380
--- /dev/null
+++ b/security/certmgr/files/certmgr.yaml.sample.in
@@ -0,0 +1,47 @@
+# directory containing the certificate specs
+dir: %%ETCDIR%%.d
+
+# this specifies the service manager to use for restarting or reloading
+# services. This can be systemd (using systemctl), sysv (using service),
+# circus (using circusctl), openrc (using rc-service), dummy (no
+# restart/reload behavior), or command (see the command svcmgr section
+# for details of how to use this).
+svcmgr: sysv
+
+# optional: this is the default duration before a certificate expiry
+# that certmgr starts attempting to renew PKI. This defaults to
+# 72 hours.
+# before: 72h
+
+# optional: this is the default for how often certmgr will check
+# certificate expirations and update PKI material on disk upon any
+# changes (if necessary). This defaults to one hour.
+# interval: 60m
+
+# optional: this is used to vary the interval period. A random time
+# between 0 and this value is added to interval if specified. This
+# defaults to 0.
+# interval_splay: 0
+
+# if specified, a random sleep period between 0 and this value is used
+# for the initial sleep after startup of a spec. This provides a way to
+# ensure that if a fleet of certmgr are restarted at the same time,
+# their period of wakeup is randomized to avoid said fleet waking up and
+# doing interval checks at the same time for a given spec. This defaults
+# to 0.
+# initial_splay: 0
+
+# specifies the address for the Prometheus HTTP endpoint.
+metrics_address: localhost
+
+# specifies the port for the Prometheus HTTP endpoint.
+metrics_port: 8080
+
+# boolean, if true, only fire a spec's action if the service is actually
+# running. If this is set to false (the default for historical reasons),
+# this can lead to certmgr starting a downed service when PKI expiry
+# occurs.
+take_actions_only_if_running: false
+
+default_remote: ca.example.net:8888
+
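Review bot: `default_remote: ca.example.net:8888` is the one site-specific value in the sample and, unlike every other key in the file, has no explanatory comment; since pkg-message tells administrators to copy this file verbatim, add `# address of the CFSSL CA that signs certificates for these specs; replace with your own CA` above it. The `take_actions_only_if_running: false` line keeps a behaviour that the comment directly above describes as a historical default able to start a stopped service on expiry; a freshly shipped sample is a reasonable place to set `take_actions_only_if_running: true` so new installs opt into the safer behaviour. `metrics_address: localhost` keeps the Prometheus endpoint off external interfaces, which is the right default for a sample. The file ends with an empty line that can be dropped.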
diff --git a/security/certmgr/files/patch-README.md b/security/certmgr/files/patch-README.md
new file mode 100644
index 000000000000..e27163e0647d
--- /dev/null
+++ b/security/certmgr/files/patch-README.md
@@ -0,0 +1,18 @@
+--- README.md.orig	2021-07-04 21:06:24 UTC
++++ README.md
+@@ -39,13 +39,13 @@ Prometheus is used to collect some useful `certmgr` me
+ ## certmgr.yaml
+ 
+ The configuration file must be a YAML file; it is expected to be in
+-`/etc/certmgr/certmgr.yaml`. The location can be changed using the
++`%%ETCDIR%%/certmgr.yaml`. The location can be changed using the
+ `-f` flag.
+ 
+ An example `certmgr.yaml` file is:
+ 
+ ```
+-dir: /etc/certmgr.d
++dir: %%ETCDIR%%.d
+ default_remote: ca.example.net:8888
+ svcmgr: systemd
+ before: 72h
diff --git a/security/certmgr/files/patch-certmgr_cmd_genconfig.go b/security/certmgr/files/patch-certmgr_cmd_genconfig.go
new file mode 100644
index 000000000000..337c73cd2f16
--- /dev/null
+++ b/security/certmgr/files/patch-certmgr_cmd_genconfig.go
@@ -0,0 +1,15 @@
+--- certmgr/cmd/genconfig.go.orig	2021-07-04 20:59:28 UTC
++++ certmgr/cmd/genconfig.go
+@@ -15,9 +15,9 @@ import (
+ var force bool
+ 
+ const (
+-	defaultConfigFile     = "/etc/certmgr/certmgr.yaml"
+-	defaultDir            = "/etc/certmgr.d"
+-	defaultServiceManager = "systemd"
++	defaultConfigFile     = "%%ETCDIR%%/certmgr.yaml"
++	defaultDir            = "%%ETCDIR%%.d"
++	defaultServiceManager = "sysv"
+ 	defaultBefore         = "72h"
+ 	defaultInterval       = "1h"
+ 	defaultMetricsAddr    = "localhost"
diff --git a/security/certmgr/files/patch-certmgr_cmd_root.go b/security/certmgr/files/patch-certmgr_cmd_root.go
new file mode 100644
index 000000000000..6201a1f4e08b
--- /dev/null
+++ b/security/certmgr/files/patch-certmgr_cmd_root.go
@@ -0,0 +1,20 @@
+--- certmgr/cmd/root.go.orig	2021-07-05 13:42:49 UTC
++++ certmgr/cmd/root.go
+@@ -133,7 +133,7 @@ func Execute() {
+ func init() {
+ 	cobra.OnInitialize(initConfig)
+ 
+-	RootCmd.PersistentFlags().StringVarP(&cfgFile, "config", "f", "", "config file (default is /etc/certmgr/certmgr.yaml)")
++	RootCmd.PersistentFlags().StringVarP(&cfgFile, "config", "f", "", "config file (default is %%ETCDIR%%/certmgr.yaml)")
+ 	RootCmd.PersistentFlags().StringP("dir", "d", "", "either the directory containing certificate specs, or the path to the spec file you wish to operate on")
+ 	RootCmd.PersistentFlags().StringP("svcmgr", "m", "", fmt.Sprintf("service manager, must be one of: %s", strings.Join(storage.SupportedServiceBackends, ", ")))
+ 	RootCmd.PersistentFlags().DurationP("before", "t", cert.DefaultBefore, "how long before certificates expire to start renewing (in duration format)")
+@@ -161,7 +161,7 @@ func initConfig() {
+ 		viper.SetConfigFile(cfgFile)
+ 	} else {
+ 		viper.SetConfigName("certmgr")      // name of config file (without extension)
+-		viper.AddConfigPath("/etc/certmgr") // adding home directory as first search path
++		viper.AddConfigPath("%%ETCDIR%%") // adding home directory as first search path
+ 	}
+ 
+ 	viper.SetEnvPrefix("CERTMGR")
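Review bot: The rewritten `viper.AddConfigPath("%%ETCDIR%%") // adding home directory as first search path` line carries over an upstream comment that does not match what the call does — the only search path added is the port's ETCDIR, not a home directory — and the patched line also loses the column alignment of the comment with the `SetConfigName` line above it. Since the line is being replaced anyway, `viper.AddConfigPath("%%ETCDIR%%")    // only search path for certmgr.yaml` would be accurate. Both `init` and `initConfig` start and end outside the quoted hunks, so whether any further search path is added elsewhere cannot be confirmed from here.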
diff --git a/security/certmgr/files/pkg-message.in b/security/certmgr/files/pkg-message.in
new file mode 100644
index 000000000000..ee0dde24da27
--- /dev/null
+++ b/security/certmgr/files/pkg-message.in
@@ -0,0 +1,3 @@
+certmgr has been installed.  Please copy %%ETCDIR%%/certmgr.yaml.sample
+to %%ETCDIR%%/certmgr.yaml and edit the file as appropriate for your
+setup before using the program.
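Review bot: The message asks the administrator to copy the sample to certmgr.yaml by hand, a step the ports framework performs itself when pkg-plist lists the file as `@sample %%ETCDIR%%/certmgr.yaml.sample` (it installs certmgr.yaml when absent and leaves a locally modified copy alone on deinstall); the plist hunk below lists it as a plain file, so the same point applies there. With `@sample`, this message can shrink to pointing at `%%ETCDIR%%/certmgr.yaml` and its `default_remote` entry, which must name the site's CFSSL CA before the daemon is useful. The plain-text pkg-message form is printed on every install and upgrade; the UCL form with a `type: install` entry limits it to fresh installs, where the instruction is actually needed.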
diff --git a/security/certmgr/pkg-descr b/security/certmgr/pkg-descr
new file mode 100644
index 000000000000..487f66dcb353
--- /dev/null
+++ b/security/certmgr/pkg-descr
@@ -0,0 +1,11 @@
+certmgr is a tool for managing certificates using CFSSL. It does the
+following:
+
+ - Ensures certificates are present.
+ - Renews certificates before they expire.
+ - Triggering a service reload or restart on certificate updates.
+
+It operates on certificate specs, which are JSON files containing the
+information needed to generate a certificate.
+
+WWW: https://github.com/cloudflare/certmgr
diff --git a/security/certmgr/pkg-plist b/security/certmgr/pkg-plist
new file mode 100644
index 000000000000..9f4415e43f0e
--- /dev/null
+++ b/security/certmgr/pkg-plist
@@ -0,0 +1,5 @@
+bin/certmgr
+%%ETCDIR%%/certmgr.yaml.sample
+@dir %%ETCDIR%%.d
+%%DOCSDIR%%/README.md
+%%DOCSDIR%%/SPEC.rst


