Your commit is writing checks your merge can't cash.

.gitea/workflows/build.yml

@@ -34,20 +34,7 @@ jobs:
         uses: docker/build-push-action@v6
         with:
           platforms: linux/amd64,linux/arm64
-          provenance: true
-          sbom: true
           push: true
           context: .
           dockerfile: Dockerfile
           tags: siteworxpro/aws-iam-anywhere:${{ gitea.ref_name }}
-
-      - name: 🐳 🔨 Build Backend Container - Latest Tag
-        uses: docker/build-push-action@v6
-        with:
-          platforms: linux/amd64,linux/arm64
-          provenance: true
-          sbom: true
-          push: true
-          context: .
-          dockerfile: Dockerfile
-          tags: siteworxpro/aws-iam-anywhere:latest

.gitea/workflows/tests.yml

@@ -0,0 +1,39 @@
+on:
+  push:
+    branches:
+      - "*"
+
+name: 🏗️✨ Test Build Workflow
+
+jobs:
+  Build:
+    name: 🖥️ 🔨 Build
+    runs-on: ubuntu-latest
+    steps:
+      - name: 🛡️ 🔒 Add Siteworx CA Certificates
+        run: |
+          apt update && apt install -yq ca-certificates curl
+          curl -Ls https://siteworxpro.com/hosted/Siteworx+Root+CA.pem -o /usr/local/share/ca-certificates/sw.crt
+          update-ca-certificates
+
+      - name: 📖 🔍 Checkout Repository Code
+        uses: actions/checkout@v2
+        with:
+          fetch-depth: 1
+
+      - name: 🔑 🔐 Login to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+
+      - name: 🏗️ 🔧 Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: 🐳 🔨 Build Backend Container
+        uses: docker/build-push-action@v6
+        with:
+          platforms: linux/amd64,linux/arm64
+          context: .
+          dockerfile: Dockerfile
+          tags: siteworxpro/aws-iam-anywhere:${{ gitea.ref_name }}

Dockerfile

@@ -1,4 +1,4 @@
-FROM siteworxpro/golang:1.24.6 AS build
+FROM siteworxpro/golang:1.24.3 AS build
 
 WORKDIR /app
 
@@ -6,17 +6,15 @@ ADD . .
 
 ENV GOPRIVATE=git.siteworxpro.com
 
-RUN go mod tidy && go build -o aws-iam-anywhere-refresher .
+RUN go mod download && go build -o aws-iam-anywhere-refresher .
 
-FROM siteworxpro/alpine:3.21.4 AS runtime
+FROM alpine:latest AS runtime
 
 WORKDIR /app
 
-COPY --from=build /app/aws-iam-anywhere-refresher /app/aws-iam-anywhere-refresher
+COPY --from=build /app/aws-iam-anywhere-refresher aws-iam-anywhere-refresher
 
-RUN apk add --no-cache gcompat
-
-RUN adduser -Dh /app iam && \
+RUN adduser -D -H iam && \
     chown iam:iam /app/aws-iam-anywhere-refresher
 USER iam
 

README.md

@@ -28,7 +28,6 @@ This image runs in a kubernetes cronjob and will create and save new IAM credent
 - `TRUSTED_ANCHOR_ARN` ***required*** : the trusted anchor arn
 - `PRIVATE_KEY` ***required*** : iam private key base64 encoded
 - `CERTIFICATE` ***required*** : iam certificate base64 encoded
-- `CA_CHAIN` : the certificate chain bundle if needed
 
 ```yaml
 

aws_signing_helper/pkcs8_utils.go

@@ -30,10 +30,13 @@ import (
 
 	"errors"
 	"fmt"
+	"hash"
+	"log"
+	"os"
+	"strings"
+
 	"golang.org/x/crypto/pbkdf2"
 	"golang.org/x/crypto/scrypt"
-	"hash"
-	"os"
 )
 
 // as defined in https://datatracker.ietf.org/doc/html/rfc8018#appendix-A.4
@@ -236,6 +239,9 @@ func readPKCS8PrivateKey(privateKeyId string) (crypto.PrivateKey, error) {
 func readPKCS8EncryptedPrivateKey(privateKeyId string, pkcs8Password []byte) (crypto.PrivateKey, error) {
 	block, err := parseDERFromPEMForPKCS8(privateKeyId, encryptedBlockType)
 	if err != nil {
+		if Debug && strings.Contains(err.Error(), `The block type detected is PRIVATE KEY`) {
+			log.Println("PKCS#8 password provided but block type indicates that one isn't required.")
+		}
 		return nil, errors.New("could not parse PEM data")
 	}
 

aws_signing_helper/signer.go

@@ -612,11 +612,14 @@ func encodeDer(der []byte) (string, error) {
 }
 
 func parseDERFromPEM(pemDataId string, blockType string) (*pem.Block, error) {
-	b := []byte(pemDataId)
+	bts, err := os.ReadFile(pemDataId)
+	if err != nil {
+		return nil, err
+	}
 
 	var block *pem.Block
-	for len(b) > 0 {
-		block, b = pem.Decode(b)
+	for len(bts) > 0 {
+		block, bts = pem.Decode(bts)
 		if block == nil {
 			return nil, errors.New("unable to parse PEM data")
 		}
@@ -628,18 +631,25 @@ func parseDERFromPEM(pemDataId string, blockType string) (*pem.Block, error) {
 }
 
 func ReadCertificateBundleData(certificateBundleId string) ([]*x509.Certificate, error) {
+	bts, err := os.ReadFile(certificateBundleId)
+	if err != nil {
+		return nil, err
+	}
 
 	var derBytes []byte
 	var block *pem.Block
-	block, _ = pem.Decode([]byte(certificateBundleId))
-
-	if block.Type != "CERTIFICATE" {
-		return nil, errors.New("invalid certificate chain")
+	for len(bts) > 0 {
+		block, bts = pem.Decode(bts)
+		if block == nil {
+			break
+		}
+		if block.Type != "CERTIFICATE" {
+			return nil, errors.New("invalid certificate chain")
+		}
+		blockBytes := block.Bytes
+		derBytes = append(derBytes, blockBytes...)
 	}
 
-	blockBytes := block.Bytes
-	derBytes = append(derBytes, blockBytes...)
-
 	return x509.ParseCertificates(derBytes)
 }
 

config/config.go

@@ -1,11 +1,6 @@
 package config
 
-import (
-	"encoding/base64"
-	"fmt"
-	"gitea.siteworxpro.com/golang-packages/utilities/Env"
-	"regexp"
-)
+import "git.siteworxpro.com/packages/go/utilities/Env"
 
 const (
 	namespace          Env.EnvironmentVariable = "NAMESPACE"
@@ -15,10 +10,8 @@ const (
 	trustedAnchorArn   Env.EnvironmentVariable = "TRUSTED_ANCHOR_ARN"
 	privateKey         Env.EnvironmentVariable = "PRIVATE_KEY"
 	certificate        Env.EnvironmentVariable = "CERTIFICATE"
-	bundleId           Env.EnvironmentVariable = "CA_CHAIN"
 	sessionDuration    Env.EnvironmentVariable = "SESSION_DURATION"
 	restartDeployments Env.EnvironmentVariable = "RESTART_DEPLOYMENTS"
-	fetchOnly          Env.EnvironmentVariable = "FETCH_ONLY"
 )
 
 type Config struct{}
@@ -27,59 +20,6 @@ func NewConfig() *Config {
 	return &Config{}
 }
 
-func (c Config) Valid() error {
-	// Certificate Required
-	if c.Certificate() == "" {
-		return fmt.Errorf("certificate is required")
-	}
-
-	// Private Key Required
-	if c.PrivateKey() == "" {
-		return fmt.Errorf("private Key is required")
-	}
-
-	// Role ARN Required
-	if c.RoleArn() == "" {
-		return fmt.Errorf("role ARN is required")
-	}
-
-	if !regexp.MustCompile(`^arn:aws:iam::[0-9]{10,13}:role/[\w\D]*$`).MatchString(c.RoleArn()) {
-		return fmt.Errorf("role ARN %s is invalid", c.RoleArn())
-	}
-
-	if c.ProfileArn() == "" {
-		return fmt.Errorf("profile ARN is required")
-	}
-
-	if !regexp.MustCompile(`^arn:aws:rolesanywhere:[\w-]*:\d{10,12}:profile/[\w\D]*$`).MatchString(c.ProfileArn()) {
-		return fmt.Errorf("profile ARN %s is invalid", c.ProfileArn())
-	}
-
-	// Trusted Anchor ARN Required
-	if c.TrustedAnchor() == "" {
-		return fmt.Errorf("trusted anchor ARN is required")
-	}
-
-	if !regexp.MustCompile(`^arn:aws:rolesanywhere:[\w-]*:\d{10,12}:trust-anchor/[\w\D]*$`).MatchString(c.TrustedAnchor()) {
-		return fmt.Errorf("trusted anchor %s ARN is invalid", c.TrustedAnchor())
-	}
-
-	return nil
-}
-
-func (Config) BundleId() string {
-	v, err := base64.StdEncoding.DecodeString(bundleId.GetEnvString(""))
-	if err != nil {
-		return ""
-	}
-
-	return string(v)
-}
-
-func (Config) FetchOnly() bool {
-	return fetchOnly.GetEnvBool(false)
-}
-
 func (Config) Namespace() string {
 	return namespace.GetEnvString("")
 }
@@ -101,21 +41,11 @@ func (Config) TrustedAnchor() string {
 }
 
 func (Config) PrivateKey() string {
-	v, err := base64.StdEncoding.DecodeString(privateKey.GetEnvString(""))
-	if err != nil {
-		return ""
-	}
-
-	return string(v)
+	return privateKey.GetEnvString("")
 }
 
 func (Config) Certificate() string {
-	v, err := base64.StdEncoding.DecodeString(certificate.GetEnvString(""))
-	if err != nil {
-		return ""
-	}
-
-	return string(v)
+	return certificate.GetEnvString("")
 }
 
 func (Config) SessionDuration() int64 {

go.mod

@@ -1,9 +1,9 @@
 module gitea.siteworxpro.com/Siteworxpro/aws-iam-anywhere-refresher
 
-go 1.24.6
+go 1.24.3
 
 require (
-	gitea.siteworxpro.com/golang-packages/utilities v1.0.0
+	git.siteworxpro.com/packages/go/utilities v1.3.0
 	github.com/aws/aws-sdk-go v1.55.7
 	github.com/aws/aws-sdk-go-v2 v1.36.3
 	github.com/aws/aws-sdk-go-v2/config v1.29.14

go.sum

@@ -1,6 +1,6 @@
 cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
-gitea.siteworxpro.com/golang-packages/utilities v1.0.0 h1:f5JqAeZWBn/HBO9k5dzg0Wm91a69uwU5UC2P9ebQ9J0=
-gitea.siteworxpro.com/golang-packages/utilities v1.0.0/go.mod h1:QNqclnfv/BT2D5tbXgsGm7uhhe2Baovi5F6j0pVvMGc=
+git.siteworxpro.com/packages/go/utilities v1.3.0 h1:931q66COBJATgIQksPDSZlWMIwENJhhfC/GVf22ER5s=
+git.siteworxpro.com/packages/go/utilities v1.3.0/go.mod h1:iWhICNrMnB03PY9dM9eCNs9uQPEsPwae5pJDG+HHUPI=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU=
 github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=

main.go

@@ -1,14 +1,14 @@
 package main
 
 import (
-	"os"
-	"time"
-
+	"encoding/base64"
 	helper "gitea.siteworxpro.com/Siteworxpro/aws-iam-anywhere-refresher/aws_signing_helper"
 	"gitea.siteworxpro.com/Siteworxpro/aws-iam-anywhere-refresher/cmd"
 	appConfig "gitea.siteworxpro.com/Siteworxpro/aws-iam-anywhere-refresher/config"
 	"gitea.siteworxpro.com/Siteworxpro/aws-iam-anywhere-refresher/kube_client"
 	"github.com/charmbracelet/log"
+	"os"
+	"time"
 )
 
 func main() {
@@ -18,25 +18,39 @@ func main() {
 		ReportTimestamp: true,
 		TimeFormat:      time.RFC3339,
 	})
-
 	l.Info("Starting credentials refresh")
 
+	client, err := kube_client.NewKubeClient()
+	if err != nil {
+		l.Error("Failed to create kubernetes client", "error", err)
+
+		os.Exit(1)
+	}
+
 	c := appConfig.NewConfig()
 
-	err := c.Valid()
+	privateKey, err := base64.StdEncoding.DecodeString(c.PrivateKey())
 	if err != nil {
-		l.Error("Invalid configuration", "error", err)
+		l.Error("Failed to decode private key", "error", err)
+		os.Exit(1)
+	}
+
+	certificate, err := base64.StdEncoding.DecodeString(c.Certificate())
+	if err != nil {
+		l.Error("Failed to decode certificate", "error", err)
 		os.Exit(1)
 	}
 
 	credentials, err := cmd.Run(&helper.CredentialsOpts{
-		PrivateKeyId:        c.PrivateKey(),
-		CertificateId:       c.Certificate(),
-		CertificateBundleId: c.BundleId(),
-		RoleArn:             c.RoleArn(),
-		ProfileArnStr:       c.ProfileArn(),
-		TrustAnchorArnStr:   c.TrustedAnchor(),
-		SessionDuration:     int(c.SessionDuration()),
+		PrivateKeyId:  string(privateKey),
+		CertificateId: string(certificate),
+		CertIdentifier: helper.CertIdentifier{
+			SystemStoreName: "MY",
+		},
+		RoleArn:           c.RoleArn(),
+		ProfileArnStr:     c.ProfileArn(),
+		TrustAnchorArnStr: c.TrustedAnchor(),
+		SessionDuration:   int(c.SessionDuration()),
 	})
 
 	if err != nil {
@@ -47,22 +61,6 @@ func main() {
 
 	l.Info("Credentials refreshed")
 
-	if c.FetchOnly() {
-		l.Info("Fetch only mode, skipping secret update")
-
-		l.Info("AccessKeyId", "access-key-id", credentials.AccessKeyId)
-		l.Info("SecretAccessKey", "secret-access-key", credentials.SecretAccessKey)
-		l.Info("SessionToken", "session-token", credentials.SessionToken)
-		os.Exit(0)
-	}
-
-	client, err := kube_client.NewKubeClient()
-	if err != nil {
-		l.Error("Failed to create kubernetes client", "error", err)
-
-		os.Exit(1)
-	}
-
 	_, err = client.GetSecret(c.Namespace(), c.Secret())
 	if err != nil {
 		l.Error("Failed to get secret", "error", err)