Your commit is writing checks your merge can't cash.

.gitea/workflows/build.yml

@@ -33,19 +33,8 @@ jobs:
       - name: 🐳 🔨 Build Backend Container
         uses: docker/build-push-action@v6
         with:
-          provenance: true
+          platforms: linux/amd64,linux/arm64
-          sbom: true
           push: true
           context: .
           dockerfile: Dockerfile
           tags: siteworxpro/aws-iam-anywhere:${{ gitea.ref_name }}
-
-      - name: 🐳 🔨 Build Backend Container - Latest Tag
-        uses: docker/build-push-action@v6
-        with:
-          provenance: true
-          sbom: true
-          push: true
-          context: .
-          dockerfile: Dockerfile
-          tags: siteworxpro/aws-iam-anywhere:latest

.gitea/workflows/tests.yml

@@ -33,7 +33,7 @@ jobs:
       - name: 🐳 🔨 Build Backend Container
         uses: docker/build-push-action@v6
         with:
-          platforms: linux/amd64
+          platforms: linux/amd64,linux/arm64
           context: .
           dockerfile: Dockerfile
           tags: siteworxpro/aws-iam-anywhere:${{ gitea.ref_name }}

Dockerfile

@@ -8,17 +8,13 @@ ENV GOPRIVATE=git.siteworxpro.com
 
 RUN go mod download && go build -o aws-iam-anywhere-refresher .
 
-FROM ubuntu:latest AS runtime
+FROM alpine:latest AS runtime
-
-RUN apt update && apt install -yq ca-certificates curl
-RUN curl -Ls https://siteworxpro.com/hosted/Siteworx+Root+CA.pem -o /usr/local/share/ca-certificates/sw.crt \
-    && update-ca-certificates
 
 WORKDIR /app
 
-COPY --from=build /app/aws-iam-anywhere-refresher /app/aws-iam-anywhere-refresher
+COPY --from=build /app/aws-iam-anywhere-refresher aws-iam-anywhere-refresher
 
-RUN useradd -b /app iam && \
+RUN adduser -D -H iam && \
     chown iam:iam /app/aws-iam-anywhere-refresher
 USER iam
 

README.md

@@ -28,7 +28,6 @@ This image runs in a kubernetes cronjob and will create and save new IAM credent
 - `TRUSTED_ANCHOR_ARN` ***required*** : the trusted anchor arn
 - `PRIVATE_KEY` ***required*** : iam private key base64 encoded
 - `CERTIFICATE` ***required*** : iam certificate base64 encoded
-- `CA_CHAIN` : the certificate chain bundle if needed
 
 ```yaml
 

aws_signing_helper/pkcs8_utils.go

@@ -30,10 +30,13 @@ import (
 
 	"errors"
 	"fmt"
+	"hash"
+	"log"
+	"os"
+	"strings"
+
 	"golang.org/x/crypto/pbkdf2"
 	"golang.org/x/crypto/scrypt"
-	"hash"
-	"os"
 )
 
 // as defined in https://datatracker.ietf.org/doc/html/rfc8018#appendix-A.4
@@ -236,6 +239,9 @@ func readPKCS8PrivateKey(privateKeyId string) (crypto.PrivateKey, error) {
 func readPKCS8EncryptedPrivateKey(privateKeyId string, pkcs8Password []byte) (crypto.PrivateKey, error) {
 	block, err := parseDERFromPEMForPKCS8(privateKeyId, encryptedBlockType)
 	if err != nil {
+		if Debug && strings.Contains(err.Error(), `The block type detected is PRIVATE KEY`) {
+			log.Println("PKCS#8 password provided but block type indicates that one isn't required.")
+		}
 		return nil, errors.New("could not parse PEM data")
 	}
 

aws_signing_helper/signer.go

@@ -612,11 +612,14 @@ func encodeDer(der []byte) (string, error) {
 }
 
 func parseDERFromPEM(pemDataId string, blockType string) (*pem.Block, error) {
-	b := []byte(pemDataId)
+	bts, err := os.ReadFile(pemDataId)
+	if err != nil {
+		return nil, err
+	}
 
 	var block *pem.Block
-	for len(b) > 0 {
+	for len(bts) > 0 {
-		block, b = pem.Decode(b)
+		block, bts = pem.Decode(bts)
 		if block == nil {
 			return nil, errors.New("unable to parse PEM data")
 		}
@@ -628,18 +631,25 @@ func parseDERFromPEM(pemDataId string, blockType string) (*pem.Block, error) {
 }
 
 func ReadCertificateBundleData(certificateBundleId string) ([]*x509.Certificate, error) {
+	bts, err := os.ReadFile(certificateBundleId)
+	if err != nil {
+		return nil, err
+	}
 
 	var derBytes []byte
 	var block *pem.Block
-	block, _ = pem.Decode([]byte(certificateBundleId))
+	for len(bts) > 0 {
-
+		block, bts = pem.Decode(bts)
-	if block.Type != "CERTIFICATE" {
+		if block == nil {
-		return nil, errors.New("invalid certificate chain")
+			break
+		}
+		if block.Type != "CERTIFICATE" {
+			return nil, errors.New("invalid certificate chain")
+		}
+		blockBytes := block.Bytes
+		derBytes = append(derBytes, blockBytes...)
 	}
 
-	blockBytes := block.Bytes
-	derBytes = append(derBytes, blockBytes...)
-
 	return x509.ParseCertificates(derBytes)
 }
 

config/config.go

@@ -1,11 +1,6 @@
 package config
 
-import (
+import "git.siteworxpro.com/packages/go/utilities/Env"
-	"encoding/base64"
-	"fmt"
-	"git.siteworxpro.com/packages/go/utilities/Env"
-	"regexp"
-)
 
 const (
 	namespace          Env.EnvironmentVariable = "NAMESPACE"
@@ -15,10 +10,8 @@ const (
 	trustedAnchorArn   Env.EnvironmentVariable = "TRUSTED_ANCHOR_ARN"
 	privateKey         Env.EnvironmentVariable = "PRIVATE_KEY"
 	certificate        Env.EnvironmentVariable = "CERTIFICATE"
-	bundleId           Env.EnvironmentVariable = "CA_CHAIN"
 	sessionDuration    Env.EnvironmentVariable = "SESSION_DURATION"
 	restartDeployments Env.EnvironmentVariable = "RESTART_DEPLOYMENTS"
-	fetchOnly          Env.EnvironmentVariable = "FETCH_ONLY"
 )
 
 type Config struct{}
@@ -27,59 +20,6 @@ func NewConfig() *Config {
 	return &Config{}
 }
 
-func (c Config) Valid() error {
-	// Certificate Required
-	if c.Certificate() == "" {
-		return fmt.Errorf("certificate is required")
-	}
-
-	// Private Key Required
-	if c.PrivateKey() == "" {
-		return fmt.Errorf("private Key is required")
-	}
-
-	// Role ARN Required
-	if c.RoleArn() == "" {
-		return fmt.Errorf("role ARN is required")
-	}
-
-	if !regexp.MustCompile(`^arn:aws:iam::[0-9]{10,13}:role/[\w\D]*$`).MatchString(c.RoleArn()) {
-		return fmt.Errorf("role ARN %s is invalid", c.RoleArn())
-	}
-
-	if c.ProfileArn() == "" {
-		return fmt.Errorf("profile ARN is required")
-	}
-
-	if !regexp.MustCompile(`^arn:aws:rolesanywhere:[\w-]*:\d{10,12}:profile/[\w\D]*$`).MatchString(c.ProfileArn()) {
-		return fmt.Errorf("profile ARN %s is invalid", c.ProfileArn())
-	}
-
-	// Trusted Anchor ARN Required
-	if c.TrustedAnchor() == "" {
-		return fmt.Errorf("trusted anchor ARN is required")
-	}
-
-	if !regexp.MustCompile(`^arn:aws:rolesanywhere:[\w-]*:\d{10,12}:trust-anchor/[\w\D]*$`).MatchString(c.TrustedAnchor()) {
-		return fmt.Errorf("trusted anchor %s ARN is invalid", c.TrustedAnchor())
-	}
-
-	return nil
-}
-
-func (Config) BundleId() string {
-	v, err := base64.StdEncoding.DecodeString(bundleId.GetEnvString(""))
-	if err != nil {
-		return ""
-	}
-
-	return string(v)
-}
-
-func (Config) FetchOnly() bool {
-	return fetchOnly.GetEnvBool(false)
-}
-
 func (Config) Namespace() string {
 	return namespace.GetEnvString("")
 }
@@ -101,21 +41,11 @@ func (Config) TrustedAnchor() string {
 }
 
 func (Config) PrivateKey() string {
-	v, err := base64.StdEncoding.DecodeString(privateKey.GetEnvString(""))
+	return privateKey.GetEnvString("")
-	if err != nil {
-		return ""
-	}
-
-	return string(v)
 }
 
 func (Config) Certificate() string {
-	v, err := base64.StdEncoding.DecodeString(certificate.GetEnvString(""))
+	return certificate.GetEnvString("")
-	if err != nil {
-		return ""
-	}
-
-	return string(v)
 }
 
 func (Config) SessionDuration() int64 {

main.go

@@ -1,6 +1,7 @@
 package main
 
 import (
+	"encoding/base64"
 	helper "gitea.siteworxpro.com/Siteworxpro/aws-iam-anywhere-refresher/aws_signing_helper"
 	"gitea.siteworxpro.com/Siteworxpro/aws-iam-anywhere-refresher/cmd"
 	appConfig "gitea.siteworxpro.com/Siteworxpro/aws-iam-anywhere-refresher/config"
@@ -17,25 +18,39 @@ func main() {
 		ReportTimestamp: true,
 		TimeFormat:      time.RFC3339,
 	})
-
 	l.Info("Starting credentials refresh")
 
+	client, err := kube_client.NewKubeClient()
+	if err != nil {
+		l.Error("Failed to create kubernetes client", "error", err)
+
+		os.Exit(1)
+	}
+
 	c := appConfig.NewConfig()
 
-	err := c.Valid()
+	privateKey, err := base64.StdEncoding.DecodeString(c.PrivateKey())
 	if err != nil {
-		l.Error("Invalid configuration", "error", err)
+		l.Error("Failed to decode private key", "error", err)
+		os.Exit(1)
+	}
+
+	certificate, err := base64.StdEncoding.DecodeString(c.Certificate())
+	if err != nil {
+		l.Error("Failed to decode certificate", "error", err)
 		os.Exit(1)
 	}
 
 	credentials, err := cmd.Run(&helper.CredentialsOpts{
-		PrivateKeyId:        c.PrivateKey(),
+		PrivateKeyId:  string(privateKey),
-		CertificateId:       c.Certificate(),
+		CertificateId: string(certificate),
-		CertificateBundleId: c.BundleId(),
+		CertIdentifier: helper.CertIdentifier{
-		RoleArn:             c.RoleArn(),
+			SystemStoreName: "MY",
-		ProfileArnStr:       c.ProfileArn(),
+		},
-		TrustAnchorArnStr:   c.TrustedAnchor(),
+		RoleArn:           c.RoleArn(),
-		SessionDuration:     int(c.SessionDuration()),
+		ProfileArnStr:     c.ProfileArn(),
+		TrustAnchorArnStr: c.TrustedAnchor(),
+		SessionDuration:   int(c.SessionDuration()),
 	})
 
 	if err != nil {
@@ -46,22 +61,6 @@ func main() {
 
 	l.Info("Credentials refreshed")
 
-	if c.FetchOnly() {
-		l.Info("Fetch only mode, skipping secret update")
-
-		l.Info("AccessKeyId", "access-key-id", credentials.AccessKeyId)
-		l.Info("SecretAccessKey", "secret-access-key", credentials.SecretAccessKey)
-		l.Info("SessionToken", "session-token", credentials.SessionToken)
-		os.Exit(0)
-	}
-
-	client, err := kube_client.NewKubeClient()
-	if err != nil {
-		l.Error("Failed to create kubernetes client", "error", err)
-
-		os.Exit(1)
-	}
-
 	_, err = client.GetSecret(c.Namespace(), c.Secret())
 	if err != nil {
 		l.Error("Failed to get secret", "error", err)