Date: Wed, 14 Jul 2021 08:50:22 GMT From: "Tobias C. Berner" <tcberner@FreeBSD.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org Subject: git: 291bf5665200 - main - security/certmgr: new port Message-ID: <202107140850.16E8oMva006729@gitrepo.freebsd.org>
The branch main has been updated by tcberner:
URL: https://cgit.FreeBSD.org/ports/commit/?id=291bf5665200779fb18d026c418de8a1b1633569
commit 291bf5665200779fb18d026c418de8a1b1633569
Author: Robert Clausecker <fuz@fuz.su>
AuthorDate: 2021-07-04 21:36:21 +0000
Commit: Tobias C. Berner <tcberner@FreeBSD.org>
CommitDate: 2021-07-14 08:43:50 +0000

security/certmgr: new port

certmgr is a tool for managing certificates using CFSSL. It does the following:

- Ensures certificates are present.
- Renews certificates before they expire.
- Triggering a service reload or restart on certificate updates.

It operates on certificate specs, which are JSON files containing the information needed to generate a certificate.

WWW: https://github.com/cloudflare/certmgr

PR: 256992
---
 security/Makefile | 1 +
 security/certmgr/Makefile | 64 ++++++++++++++++++++++
 security/certmgr/distinfo | 63 +++++++++++++++++++++
 security/certmgr/files/certmgr.yaml.sample.in | 47 ++++++++++++++++
 security/certmgr/files/patch-README.md | 18 ++++++
 .../certmgr/files/patch-certmgr_cmd_genconfig.go | 15 +++++
 security/certmgr/files/patch-certmgr_cmd_root.go | 20 +++++++
 security/certmgr/files/pkg-message.in | 3 +
 security/certmgr/pkg-descr | 11 ++++
 security/certmgr/pkg-plist | 5 ++
 10 files changed, 247 insertions(+)
diff --git a/security/Makefile b/security/Makefile
index ee872ea21ec1..10de3f733ad4 100644
--- a/security/Makefile
+++ b/security/Makefile
@@ -68,6 +68,7 @@
 SUBDIR += cargo-audit
 SUBDIR += ccrypt
 SUBDIR += ccsrch
+ SUBDIR += certmgr
 SUBDIR += cfs
 SUBDIR += cfssl
 SUBDIR += chaosreader
diff --git a/security/certmgr/Makefile b/security/certmgr/Makefile
new file mode 100644
index 000000000000..17677ae8e0dc
--- /dev/null
+++ b/security/certmgr/Makefile
@@ -0,0 +1,64 @@
+PORTNAME= certmgr
+DISTVERSIONPREFIX= v
+DISTVERSION= 3.0.3
+CATEGORIES= security net
+
+MAINTAINER= fuz@fuz.su
+COMMENT= Automated certificate management using a CFSSL CA
+
+LICENSE= BSD2CLAUSE
+LICENSE_FILE= ${WRKSRC}/LICENSE
+
+RUN_DEPENDS= bash:shells/bash
+
+USES= go:modules
+USE_GITHUB= yes
+GH_ACCOUNT= cloudflare
+GH_TUPLE= beorn7:perks:v1.0.0:beorn7_perks/vendor/github.com/beorn7/perks \
+ cenkalti:backoff:v2.2.1:cenkalti_backoff/vendor/github.com/cenkalti/backoff \
+ cloudflare:backoff:647f3cdfc87a:cloudflare_backoff/vendor/github.com/cloudflare/backoff \
+ cloudflare:cfssl:2001f384ec4f:cloudflare_cfssl/vendor/github.com/cloudflare/cfssl \
+ fsnotify:fsnotify:v1.4.7:fsnotify_fsnotify/vendor/github.com/fsnotify/fsnotify \
+ go-yaml:yaml:v2.2.2:go_yaml_yaml/vendor/gopkg.in/yaml.v2 \
+ golang:crypto:5c40567a22f8:golang_crypto/vendor/golang.org/x/crypto \
+ golang:protobuf:v1.3.1:golang_protobuf/vendor/github.com/golang/protobuf \
+ golang:sys:5ed2794edfdc:golang_sys/vendor/golang.org/x/sys \
+ golang:text:v0.3.2:golang_text/vendor/golang.org/x/text \
+ google:certificate-transparency-go:v1.0.21:google_certificate_transparency_go/vendor/github.com/google/certificate-transparency-go \
+ hashicorp:hcl:v1.0.0:hashicorp_hcl/vendor/github.com/hashicorp/hcl \
+ inconshreveable:mousetrap:v1.0.0:inconshreveable_mousetrap/vendor/github.com/inconshreveable/mousetrap \
+ konsorten:go-windows-terminal-sequences:v1.0.2:konsorten_go_windows_terminal_sequences/vendor/github.com/konsorten/go-windows-terminal-sequences \
+ magiconair:properties:v1.8.1:magiconair_properties/vendor/github.com/magiconair/properties \
+ matttproud:golang_protobuf_extensions:v1.0.1:matttproud_golang_protobuf_extensions/vendor/github.com/matttproud/golang_protobuf_extensions \
+ mitchellh:mapstructure:v1.1.2:mitchellh_mapstructure/vendor/github.com/mitchellh/mapstructure \
+ pelletier:go-toml:v1.4.0:pelletier_go_toml/vendor/github.com/pelletier/go-toml \
+ pkg:errors:7f95ac13edff:pkg_errors/vendor/github.com/pkg/errors \
+ prometheus:client_golang:v0.9.4:prometheus_client_golang/vendor/github.com/prometheus/client_golang \
+ prometheus:client_model:fd36f4220a90:prometheus_client_model/vendor/github.com/prometheus/client_model \
+ prometheus:common:v0.4.1:prometheus_common/vendor/github.com/prometheus/common \
+ prometheus:procfs:v0.0.2:prometheus_procfs/vendor/github.com/prometheus/procfs \
+ sirupsen:logrus:v1.4.2:sirupsen_logrus/vendor/github.com/sirupsen/logrus \
+ spf13:afero:v1.2.2:spf13_afero/vendor/github.com/spf13/afero \
+ spf13:cast:v1.3.0:spf13_cast/vendor/github.com/spf13/cast \
+ spf13:cobra:v0.0.5:spf13_cobra/vendor/github.com/spf13/cobra \
+ spf13:jwalterweatherman:v1.1.0:spf13_jwalterweatherman/vendor/github.com/spf13/jwalterweatherman \
+ spf13:pflag:v1.0.3:spf13_pflag/vendor/github.com/spf13/pflag \
+ spf13:viper:v1.4.0:spf13_viper/vendor/github.com/spf13/viper
+
+GO_TARGET= ./certmgr
+SUB_FILES= certmgr.yaml.sample pkg-message
+
+post-patch:
+ ${REINPLACE_CMD} -e 's,%%ETCDIR%%,${ETCDIR},' \
+ ${WRKSRC}/certmgr/cmd/genconfig.go \
+ ${WRKSRC}/certmgr/cmd/root.go \
+ ${WRKSRC}/README.md
+
+post-install:
+ ${MKDIR} ${STAGEDIR}${ETCDIR}
+ ${MKDIR} ${STAGEDIR}${ETCDIR}.d
+ ${MKDIR} ${STAGEDIR}${DOCSDIR}
+ ${INSTALL_MAN} ${WRKSRC}/README.md ${WRKSRC}/SPEC.rst ${STAGEDIR}${DOCSDIR}/
+ ${INSTALL_DATA} ${WRKDIR}/certmgr.yaml.sample ${STAGEDIR}${ETCDIR}/
+
+.include <bsd.port.mk>
diff --git a/security/certmgr/distinfo b/security/certmgr/distinfo
new file mode 100644
index 000000000000..4fb2c7f0e4c9
--- /dev/null
+++ b/security/certmgr/distinfo
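Review bot: README.md and SPEC.rst are installed into DOCSDIR unconditionally in `post-install`, and pkg-plist (the last hunk of this commit) lists them without the `%%PORTDOCS%%` prefix, so the port offers no DOCS option for what are documentation-only files. I would add `OPTIONS_DEFINE= DOCS`, move the `${MKDIR} ${STAGEDIR}${DOCSDIR}` and `${INSTALL_MAN} ... ${STAGEDIR}${DOCSDIR}/` lines into a `post-install-DOCS-on:` target, and prefix the two `%%DOCSDIR%%` plist entries with `%%PORTDOCS%%`. Separately, `RUN_DEPENDS= bash:shells/bash` carries no explanation and nothing else in the port shows what shells out to bash; a one-line comment above it naming the component that needs bash at run time would save the next maintainer from having to rediscover that.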
@@ -0,0 +1,63 @@ +TIMESTAMP = 1625430800 +SHA256 (cloudflare-certmgr-v3.0.3_GH0.tar.gz) = 61c1b23cd11224eab8f1f11b96a3b5753019b515a5fc0a0ae668145a616129d8 +SIZE (cloudflare-certmgr-v3.0.3_GH0.tar.gz) = 2633953 +SHA256 (beorn7-perks-v1.0.0_GH0.tar.gz) = b69d92e2e84b7d510dfa6110d3ac4ada0096a6c81190c5e174aa888bfe475cbc +SIZE (beorn7-perks-v1.0.0_GH0.tar.gz) = 10866 +SHA256 (cenkalti-backoff-v2.2.1_GH0.tar.gz) = a2c29d0184e7afc415975cf2689723028d2686ffbb67fe0999ab1d691e6d16db +SIZE (cenkalti-backoff-v2.2.1_GH0.tar.gz) = 8623 +SHA256 (cloudflare-backoff-647f3cdfc87a_GH0.tar.gz) = d2162141b0a093de7b43434b3ce1013d0e88f1149c52b1a26b94a5e95f313c04 +SIZE (cloudflare-backoff-647f3cdfc87a_GH0.tar.gz) = 4752 +SHA256 (cloudflare-cfssl-2001f384ec4f_GH0.tar.gz) = f2d349d3c06496766368eba907cea298432aa711f38eea70383fa896001277e2 +SIZE (cloudflare-cfssl-2001f384ec4f_GH0.tar.gz) = 5007843 +SHA256 (fsnotify-fsnotify-v1.4.7_GH0.tar.gz) = b7530d973d0ab0e58ad8ce1b9a4b963d6f57b3d72f2f9e13d49846976361b1cd +SIZE (fsnotify-fsnotify-v1.4.7_GH0.tar.gz) = 31139 +SHA256 (go-yaml-yaml-v2.2.2_GH0.tar.gz) = 42c3e4ef9eca2860d22b3c6c5582c6c13fb4b417e5ebc1acc56ee5e2c4ddcaff +SIZE (go-yaml-yaml-v2.2.2_GH0.tar.gz) = 70656 +SHA256 (golang-crypto-5c40567a22f8_GH0.tar.gz) = d6ca43aa1a344adee0c1f45ad31172e0d195b6e17ea269dfd212c2c203a58cf0 +SIZE (golang-crypto-5c40567a22f8_GH0.tar.gz) = 1690710 +SHA256 (golang-protobuf-v1.3.1_GH0.tar.gz) = 3f3a6123054a9847093c119895f1660612f301fe95358f3a6a1a33fd0933e6cf +SIZE (golang-protobuf-v1.3.1_GH0.tar.gz) = 310884 +SHA256 (golang-sys-5ed2794edfdc_GH0.tar.gz) = c442f47a1bc5d4bf384d1f1389652035fab6ee03485038c2e58af39269c0c0f9 +SIZE (golang-sys-5ed2794edfdc_GH0.tar.gz) = 1434109 +SHA256 (golang-text-v0.3.2_GH0.tar.gz) = 0b9309698f5708531c5377ab1e29b423a6d9e20c55a8d386c3b8283428212f22 +SIZE (golang-text-v0.3.2_GH0.tar.gz) = 7168069 +SHA256 (google-certificate-transparency-go-v1.0.21_GH0.tar.gz) = 6f9f8b67f19ee6be7b0261342cbd69db13559f40945441a9dfe2db5bf0eae25b +SIZE 
(google-certificate-transparency-go-v1.0.21_GH0.tar.gz) = 4401179 +SHA256 (hashicorp-hcl-v1.0.0_GH0.tar.gz) = 50632428210503070fd2fde748c88b7414bf84a6a0eadebf9d8e596a033bead2 +SIZE (hashicorp-hcl-v1.0.0_GH0.tar.gz) = 70658 +SHA256 (inconshreveable-mousetrap-v1.0.0_GH0.tar.gz) = 5edc7731c819c305623568e317aa253d342be3447def97f1fa9e10eb5ad819f6 +SIZE (inconshreveable-mousetrap-v1.0.0_GH0.tar.gz) = 2290 +SHA256 (konsorten-go-windows-terminal-sequences-v1.0.2_GH0.tar.gz) = e61f6422c7d1222c4c642b9134e5a4576a89ff651ef947487faa8ef33b6b4cfe +SIZE (konsorten-go-windows-terminal-sequences-v1.0.2_GH0.tar.gz) = 1987 +SHA256 (magiconair-properties-v1.8.1_GH0.tar.gz) = 4449df3d2be86608bfc997228f66f1cff57bf620cc5bf9ba44339c7e4c5612dd +SIZE (magiconair-properties-v1.8.1_GH0.tar.gz) = 29735 +SHA256 (matttproud-golang_protobuf_extensions-v1.0.1_GH0.tar.gz) = 2def0ee6f6b12b1efc0e3007d89f598608a072610e805c3655ea9d13c3ead49b +SIZE (matttproud-golang_protobuf_extensions-v1.0.1_GH0.tar.gz) = 37184 +SHA256 (mitchellh-mapstructure-v1.1.2_GH0.tar.gz) = 53fbc06b125ff1c9c73a4eb1764346932671a29c67a45a92e2ebc6855635069b +SIZE (mitchellh-mapstructure-v1.1.2_GH0.tar.gz) = 20980 +SHA256 (pelletier-go-toml-v1.4.0_GH0.tar.gz) = 04fb4855a64495c0c055c83b8a3446cabc6bfa4830eb458816370db38c0e67b0 +SIZE (pelletier-go-toml-v1.4.0_GH0.tar.gz) = 73274 +SHA256 (pkg-errors-7f95ac13edff_GH0.tar.gz) = 4e9ca579db7a8aae95f9e696d8e9bcb76e8cbf6ae57803b647096cebdca39d6a +SIZE (pkg-errors-7f95ac13edff_GH0.tar.gz) = 12515 +SHA256 (prometheus-client_golang-v0.9.4_GH0.tar.gz) = d2a5856d9c43fcbf757d6ecd6e3a88312b90d2c9fec63647ee597eb09f120044 +SIZE (prometheus-client_golang-v0.9.4_GH0.tar.gz) = 142795 +SHA256 (prometheus-client_model-fd36f4220a90_GH0.tar.gz) = 17571c708bab9a1ba18d9dd0c9bfe96dff3f1b84c63e7d8d4c3489ef5c34ee40 +SIZE (prometheus-client_model-fd36f4220a90_GH0.tar.gz) = 57491 +SHA256 (prometheus-common-v0.4.1_GH0.tar.gz) = 99229ef4b100e55d1e6496995f1a1af6813426b8820521bc041340eb077985b9 +SIZE 
(prometheus-common-v0.4.1_GH0.tar.gz) = 98631 +SHA256 (prometheus-procfs-v0.0.2_GH0.tar.gz) = ad1d1f1328a1c394b30225b939ed39482ba54de7be70d439c0555d68857457d5 +SIZE (prometheus-procfs-v0.0.2_GH0.tar.gz) = 78550 +SHA256 (sirupsen-logrus-v1.4.2_GH0.tar.gz) = 67f2ddf467b7e63d2d2529d227946a331e245aeef7e2e4521ae82647b5ef84d9 +SIZE (sirupsen-logrus-v1.4.2_GH0.tar.gz) = 41373 +SHA256 (spf13-afero-v1.2.2_GH0.tar.gz) = b577afca7e9839aa7cf0ddd712af553aec671b74f97fe0c88c63f911d1020570 +SIZE (spf13-afero-v1.2.2_GH0.tar.gz) = 46157 +SHA256 (spf13-cast-v1.3.0_GH0.tar.gz) = e685282ea33f89e9354d148ad1886f532bcebe86b0b60a167988f7c6d081085f +SIZE (spf13-cast-v1.3.0_GH0.tar.gz) = 11085 +SHA256 (spf13-cobra-v0.0.5_GH0.tar.gz) = 79226ce00e2b91306277e679d024eea6d17d0c02fc671555fd25df0c3ea07423 +SIZE (spf13-cobra-v0.0.5_GH0.tar.gz) = 111126 +SHA256 (spf13-jwalterweatherman-v1.1.0_GH0.tar.gz) = 4fd850a792c5738954c4801cf549d8d0bf53edd17139cd39d179aa5abf7ec68d +SIZE (spf13-jwalterweatherman-v1.1.0_GH0.tar.gz) = 6871 +SHA256 (spf13-pflag-v1.0.3_GH0.tar.gz) = 9e57f86f493f04d9077fccd04e7139ebf243dd544e917ab83d35729b3e54a124 +SIZE (spf13-pflag-v1.0.3_GH0.tar.gz) = 46002 +SHA256 (spf13-viper-v1.4.0_GH0.tar.gz) = ee522a00960a36db8f83c820a85fce99a177db2b022697e5c1881cd852d9c4c0 +SIZE (spf13-viper-v1.4.0_GH0.tar.gz) = 44183 diff --git a/security/certmgr/files/certmgr.yaml.sample.in b/security/certmgr/files/certmgr.yaml.sample.in new file mode 100644 index 000000000000..61d5e7964380 --- /dev/null +++ b/security/certmgr/files/certmgr.yaml.sample.in 
@@ -0,0 +1,47 @@
+# directory containing the certificate specs
+dir: %%ETCDIR%%.d
+
+# this specifies the service manager to use for restarting or reloading
+# services. This can be systemd (using systemctl), sysv (using service),
+# circus (using circusctl), openrc (using rc-service), dummy (no
+# restart/reload behavior), or command (see the command svcmgr section
+# for details of how to use this).
+svcmgr: sysv
+
+# optional: this is the default duration before a certificate expiry
+# that certmgr starts attempting to renew PKI. This defaults to
+# 72 hours.
+# before: 72h
+
+# optional: this is the default for how often certmgr will check
+# certificate expirations and update PKI material on disk upon any
+# changes (if necessary). This defaults to one hour.
+# interval: 60m
+
+# optional: this is used to vary the interval period. A random time
+# between 0 and this value is added to interval if specified. This
+# defaults to 0.
+# interval_splay: 0
+
+# if specified, a random sleep period between 0 and this value is used
+# for the initial sleep after startup of a spec. This provides a way to
+# ensure that if a fleet of certmgr are restarted at the same time,
+# their period of wakeup is randomized to avoid said fleet waking up and
+# doing interval checks at the same time for a given spec. This defaults
+# to 0.
+# initial_splay: 0
+
+# specifies the address for the Prometheus HTTP endpoint.
+metrics_address: localhost
+
+# specifies the port for the Prometheus HTTP endpoint.
+metrics_port: 8080
+
+# boolean, if true, only fire a spec's action if the service is actually
+# running. If this is set to false (the default for historical reasons),
+# this can lead to certmgr starting a downed service when PKI expiry
+# occurs.
+take_actions_only_if_running: false
+
+default_remote: ca.example.net:8888
+
diff --git a/security/certmgr/files/patch-README.md b/security/certmgr/files/patch-README.md
new file mode 100644
index 000000000000..e27163e0647d
--- /dev/null
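Review bot: `default_remote: ca.example.net:8888` at the end of the sample is the only key that carries no explanatory comment, yet it is the one value every operator has to change, since it names the CFSSL CA the port comment says certmgr obtains certificates from. Every other key in the file is introduced by a comment in the same style, so I would add one here too, e.g. `# CFSSL CA (host:port) that certificate requests are sent to; replace the example host before use`. If the per-spec files can override it (the key name suggests so, but nothing in this commit shows it), the comment should say that as well.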
+++ b/security/certmgr/files/patch-README.md
@@ -0,0 +1,18 @@
+--- README.md.orig 2021-07-04 21:06:24 UTC
++++ README.md
+@@ -39,13 +39,13 @@ Prometheus is used to collect some useful `certmgr` me
+ ## certmgr.yaml
+
+ The configuration file must be a YAML file; it is expected to be in
+-`/etc/certmgr/certmgr.yaml`. The location can be changed using the
++`%%ETCDIR%%/certmgr.yaml`. The location can be changed using the
+ `-f` flag.
+
+ An example `certmgr.yaml` file is:
+
+ ```
+-dir: /etc/certmgr.d
++dir: %%ETCDIR%%.d
+ default_remote: ca.example.net:8888
+ svcmgr: systemd
+ before: 72h
diff --git a/security/certmgr/files/patch-certmgr_cmd_genconfig.go b/security/certmgr/files/patch-certmgr_cmd_genconfig.go
new file mode 100644
index 000000000000..337c73cd2f16
--- /dev/null
+++ b/security/certmgr/files/patch-certmgr_cmd_genconfig.go
@@ -0,0 +1,15 @@
+--- certmgr/cmd/genconfig.go.orig 2021-07-04 20:59:28 UTC
++++ certmgr/cmd/genconfig.go
+@@ -15,9 +15,9 @@ import (
+ var force bool
+
+ const (
+- defaultConfigFile = "/etc/certmgr/certmgr.yaml"
+- defaultDir = "/etc/certmgr.d"
+- defaultServiceManager = "systemd"
++ defaultConfigFile = "%%ETCDIR%%/certmgr.yaml"
++ defaultDir = "%%ETCDIR%%.d"
++ defaultServiceManager = "sysv"
+ defaultBefore = "72h"
+ defaultInterval = "1h"
+ defaultMetricsAddr = "localhost"
diff --git a/security/certmgr/files/patch-certmgr_cmd_root.go b/security/certmgr/files/patch-certmgr_cmd_root.go
new file mode 100644
index 000000000000..6201a1f4e08b
--- /dev/null
+++ b/security/certmgr/files/patch-certmgr_cmd_root.go
@@ -0,0 +1,20 @@
+--- certmgr/cmd/root.go.orig 2021-07-05 13:42:49 UTC
++++ certmgr/cmd/root.go
+@@ -133,7 +133,7 @@ func Execute() {
+ func init() {
+ cobra.OnInitialize(initConfig)
+
+- RootCmd.PersistentFlags().StringVarP(&cfgFile, "config", "f", "", "config file (default is /etc/certmgr/certmgr.yaml)")
++ RootCmd.PersistentFlags().StringVarP(&cfgFile, "config", "f", "", "config file (default is %%ETCDIR%%/certmgr.yaml)")
+ RootCmd.PersistentFlags().StringP("dir", "d", "", "either the directory containing certificate specs, or the path to the spec file you wish to operate on")
+ RootCmd.PersistentFlags().StringP("svcmgr", "m", "", fmt.Sprintf("service manager, must be one of: %s", strings.Join(storage.SupportedServiceBackends, ", ")))
+ RootCmd.PersistentFlags().DurationP("before", "t", cert.DefaultBefore, "how long before certificates expire to start renewing (in duration format)")
+@@ -161,7 +161,7 @@ func initConfig() {
+ viper.SetConfigFile(cfgFile)
+ } else {
+ viper.SetConfigName("certmgr") // name of config file (without extension)
+- viper.AddConfigPath("/etc/certmgr") // adding home directory as first search path
++ viper.AddConfigPath("%%ETCDIR%%") // adding home directory as first search path
+ }
+
+ viper.SetEnvPrefix("CERTMGR")
diff --git a/security/certmgr/files/pkg-message.in b/security/certmgr/files/pkg-message.in
new file mode 100644
index 000000000000..ee0dde24da27
--- /dev/null
+++ b/security/certmgr/files/pkg-message.in
@@ -0,0 +1,3 @@
+certmgr has been installed. Please copy %%ETCDIR%%/certmgr.yaml.sample
+to %%ETCDIR%%/certmgr.yaml and edit the file as appropriate for your
+setup before using the program.
diff --git a/security/certmgr/pkg-descr b/security/certmgr/pkg-descr
new file mode 100644
index 000000000000..487f66dcb353
--- /dev/null
+++ b/security/certmgr/pkg-descr
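Review bot: The rewritten `viper.AddConfigPath("%%ETCDIR%%")` line in the second inner hunk keeps the upstream comment `// adding home directory as first search path`, which no longer describes the line: the path added is the port's ETCDIR (substituted by the Makefile's post-patch), not a home directory. Since the patch already replaces the whole line, it can carry a correct comment, e.g. `viper.AddConfigPath("%%ETCDIR%%") // the port's ETCDIR is the first search path`, or simply drop the comment if the smallest possible patch is preferred. The enclosing `initConfig` function starts and ends outside the hunk, so whether other search paths are added afterwards cannot be seen here.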
@@ -0,0 +1,11 @@
+certmgr is a tool for managing certificates using CFSSL. It does the
+following:
+
+ - Ensures certificates are present.
+ - Renews certificates before they expire.
+ - Triggering a service reload or restart on certificate updates.
+
+It operates on certificate specs, which are JSON files containing the
+information needed to generate a certificate.
+
+WWW: https://github.com/cloudflare/certmgr
diff --git a/security/certmgr/pkg-plist b/security/certmgr/pkg-plist
new file mode 100644
index 000000000000..9f4415e43f0e
--- /dev/null
+++ b/security/certmgr/pkg-plist
@@ -0,0 +1,5 @@
+bin/certmgr
+%%ETCDIR%%/certmgr.yaml.sample
+@dir %%ETCDIR%%.d
+%%DOCSDIR%%/README.md
+%%DOCSDIR%%/SPEC.rst