Seth Vargo sethvargo @Google Pittsburgh, PA https://www.sethvargo.com Engineer @google

googlecodelabs/tools 2129

Codelabs management & hosting tools

GoogleCloudPlatform/berglas 925

A tool for managing secrets on Google Cloud

google-github-actions/setup-gcloud 863

A collection of GitHub Actions for interfacing with Google Cloud Platform.

dgageot/demoit 706

Live coding demos without Context Switching

google/oauth2l 377

oauth2l ("oauth tool") is a simple CLI for interacting with Google API authentication.

kelseyhightower/vault-on-google-kubernetes-engine 369

How to guide on running HashiCorp's Vault on Google Kubernetes Engine

sethvargo/bootstrap_forms 256

Bootstrap Forms makes Twitter's Bootstrap on Rails easy!

hashicorp/waypoint-examples 239

Example Apps that can be deployed with Waypoint

Pull request review comment google/exposure-notifications-verification-server

add SMS signing keys at the DB layer

+// Copyright 2021 Google LLC+//+// Licensed under the Apache License, Version 2.0 (the "License");+// you may not use this file except in compliance with the License.+// You may obtain a copy of the License at+//+//      http://www.apache.org/licenses/LICENSE-2.0+//+// Unless required by applicable law or agreed to in writing, software+// distributed under the License is distributed on an "AS IS" BASIS,+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.+// See the License for the specific language governing permissions and+// limitations under the License.++package database++import (+	"fmt"+	"time"++	"github.com/jinzhu/gorm"+)++var _ ManagedKey = (*SMSSigningKey)(nil)++// SMSSigningKey represents a reference to a KMS backed signing key+// version for SMS payload signing.+type SMSSigningKey struct {+	gorm.Model+	Errorable++	// A signing key belongs to exactly one realm.+	RealmID uint `gorm:"index:realm"`++	// Reference to an exact version of a key in the KMS+	KeyID  string+	Active bool+}++// GetKID returns the 'kid' field value to use in signing JWTs.+func (s *SMSSigningKey) GetKID() string {+	return fmt.Sprintf("r%dv%d", s.RealmID, s.ID)
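Review bot: GetKID derives the kid from nothing but RealmID and the row ID of the sms_signing_keys table ("r%dv%d"), so if the realm's other managed keys build their kid the same way from their own table, two different keys can end up with the same kid (r1v1 for both) and stay distinguishable only as long as the two purposes are never served from the same key set. Consider folding the purpose into the kid or documenting on GetKID that SMS kids are only unique within their own key set. Minor: Active has no comment, and the KeyID comment lacks the trailing period the surrounding comments use.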

SMSSigningKeyID is the KMS key - this is the KID for public consumption

mikehelmick

comment created time in 4 minutes

Pull request review comment google/exposure-notifications-verification-server

add SMS signing keys at the DB layer

 func (r *Realm) SigningKeyID() string { 	return fmt.Sprintf("realm-%d", r.ID) } +func (r *Realm) SMSSigningKeyID() string {+	return fmt.Sprintf("realm-sms-%d", r.ID)+}+ // CreateSigningKeyVersion creates a new signing key version on the key manager // and saves a reference to the new key version in the database. If creating the // key in the key manager fails, the database is not updated. However, if // updating the signing key in the database fails, the key is NOT deleted from // the key manager. func (r *Realm) CreateSigningKeyVersion(ctx context.Context, db *Database) (string, error) {+	newKey := &SigningKey{}+	return r.createdManagedSigningKey(ctx, db, r.SigningKeyID(), "signing_keys", "certificate", newKey)+}++// CreateSMSSigningKeyVersion creates a new SMS signing key versino on the key manager+// and saves a reference to the new key version in the database.+func (r *Realm) CreateSMSSigningKeyVersion(ctx context.Context, db *Database) (string, error) {+	newKey := &SMSSigningKey{}+	return r.createdManagedSigningKey(ctx, db, r.SMSSigningKeyID(), "sms_signing_keys", "SMS", newKey)+}++func (r *Realm) createdManagedSigningKey(ctx context.Context, db *Database, keyID, table, purpose string, signingKey ManagedKey) (string, error) {
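Review bot: the CreateSMSSigningKeyVersion doc comment has a typo ("versino" for "version") and drops the caveat carried by CreateSigningKeyVersion that a key created in the key manager is NOT deleted when the database update fails; since both exported methods now funnel through the same helper, that caveat belongs on the helper or on both methods. Also, the helper is named createdManagedSigningKey (past tense) while it creates a key, so createManagedSigningKey would match the naming of CreateSigningKeyVersion.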

I moved Table() and Purpose() to methods on the ManagedKey interface.

mikehelmick

comment created time in 10 minutes

Pull request review comment google/exposure-notifications-verification-server

add SMS signing keys at the DB layer

 func (db *Database) Migrations(ctx context.Context) []*gormigrate.Migration { 				return nil 			}, 		},+		{+			ID: "00090-AddSMSSigningKeys",+			Migrate: func(tx *gorm.DB) error {+				return multiExec(tx,+					`CREATE TABLE sms_signing_keys (+						id BIGSERIAL,+						created_at TIMESTAMP WITH TIME ZONE,+						updated_at TIMESTAMP WITH TIME ZONE,+						deleted_at TIMESTAMP WITH TIME ZONE,+						realm_id INTEGER,+						key_id TEXT,+						active BOOLEAN,
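Review bot: in the visible part of the CREATE TABLE, id BIGSERIAL carries no PRIMARY KEY constraint and deleted_at has no index; gorm.Model expects id to be the primary key and adds a deleted_at IS NULL filter to every query on a soft-deleted model, so both should appear in the portion of the statement cut off here. The hunk also ends before the index on realm_id that the struct's gorm:"index:realm" tag expects, which is the statement to double check, together with whether realm_id INTEGER matches the type of the realms table's id column.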

please double check my index statement

mikehelmick

comment created time in 25 minutes

Pull request review comment google/exposure-notifications-verification-server

add SMS signing keys at the DB layer

+// Copyright 2021 Google LLC+//+// Licensed under the Apache License, Version 2.0 (the "License");+// you may not use this file except in compliance with the License.+// You may obtain a copy of the License at+//+//      http://www.apache.org/licenses/LICENSE-2.0+//+// Unless required by applicable law or agreed to in writing, software+// distributed under the License is distributed on an "AS IS" BASIS,+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.+// See the License for the specific language governing permissions and+// limitations under the License.++package database++// ManagedKey is an interface that allows for a realm to manage signing keys+// for different purposes.+type ManagedKey interface {+	// GetKID returns the public key version string+	GetKID() string+	// ManagedKeyID returns the reference to the key ID in the KMS.+	ManagedKeyID() string+	// IsActive() returns true if this key is active+	IsActive() bool++	SetRealmID(id uint)
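Review bot: SetRealmID is the only method in the interface without a doc comment, and the IsActive comment should read "IsActive returns ..." (Go doc comments name the identifier without parentheses). GetKID's comment ("returns the public key version string") would be clearer as the value used in the JWT 'kid' header, which is how the SMSSigningKey implementation documents it; that tells implementers to return a stable public identifier rather than the KMS version reference that ManagedKeyID already covers.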

Introduced RealmManagedKey - moved SetRealmID there.

This opens up extending ManagedKey to token signing keys in a follow-up.

mikehelmick

comment created time in 30 minutes

pull request comment google/exposure-notifications-verification-server

Implement first pass at SMS signature algorithm

@sethvargo: The following test failed, say /retest to rerun all failed tests:

Test name: pull-en-server-release-unit
Commit: a4ca05acbd39bcf1a25e91928f3a12d568e701d0
Details: link
Rerun command: /test pull-en-server-release-unit

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

sethvargo

comment created time in 12 minutes

pull request comment google/exposure-notifications-verification-server

Implement first pass at SMS signature algorithm

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: sethvargo (Author self-approved, https://github.com/google/exposure-notifications-verification-server/pull/1650)

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment. Approvers can cancel approval by writing /approve cancel in a comment.

sethvargo

comment created time in 15 minutes

PR closed sethvargo/vault-init

Add Support for encrypting Shares, Recovery Keys and Root Token with GPG

When using auto-unseal it could be useful to encrypt the Recovery Keys and the Root Token with GPG to make it easier to then distribute the encrypted shares to the key holders.

Encrypting the Root Token and the Standard shares, while less useful, can still be enabled based on the specific needs.

+86 -5

0 comment

2 changed files

primeroz

pr closed time in 2 hours

push event google/exposure-notifications-verification-server

Yuchen Ying

commit sha d35953fcccf6e026bf2742099dce08e9c0208f04

Condition should contain a unit. (#1647)
* Condition should contain a unit.
* Use 1/s instead of Hz to avoid confusion.

view details

push time in 2 hours

issue closed google/exposure-notifications-verification-server

Error creating AlertPolicy: googleapi: Error 400

Error creating AlertPolicy: googleapi: Error 400

Ignoring units for operation '>', which is combining two values, the first with
unit '1/s' and the second with no units. Units need to be given for neither or
both of the inputs to '>'. Units can be added to the second argument by the
`cast_units` function (example `cast_units(<expression>, "By/s")`) or, for
literals, by annotation (example `3.3 "GiBy"`).  Units can be removed by 
`cast_units(<expression>, "")`.

/assign @yegle

closed time in 2 hours

sethvargo

pull request comment google/exposure-notifications-verification-server

Condition should contain a unit.

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: sethvargo (LGTM, https://github.com/google/exposure-notifications-verification-server/pull/1647#pullrequestreview-573419865), yegle (Author self-approved, https://github.com/google/exposure-notifications-verification-server/pull/1647)

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment. Approvers can cancel approval by writing /approve cancel in a comment.

yegle

comment created time in 2 hours

started sethvargo/vault-on-gke

started time in 3 hours

started sethvargo/vault-kubernetes-workshop

started time in 3 hours

pull request comment hashicorp/vault-plugin-secrets-gcp

Refactor roleset into utils mk II

Hey @kalafut sorry to prod you again. Could this be looked at please?

lawliet89

comment created time in 15 hours

Pull request review comment google/exposure-notifications-verification-server

Condition should contain a unit.

 resource "google_monitoring_alert_policy" "UpstreamUserRecreates" {       generic_task :: custom.googleapis.com/opencensus/en-verification-server/user/upstream_user_recreate_count       | align rate(5m)       | every 1m-      | group_by [], [val: aggregate(value.upstream_user_recreate_count)]-      | condition val > 5+      | group_by [], [val: sum(value.upstream_user_recreate_count)]+      | condition val > 5 'Hz'
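Review bot: annotating the literal as 5 'Hz' satisfies the API check that both sides of '>' carry a unit (the series is aligned with align rate(5m), so its unit is 1/s), but since the error message quoted on this page reports the left-hand unit as '1/s', writing the literal as 5 '1/s' states the same unit without the reader needing to know that Hz is its alias. The switch from aggregate(...) to sum(...) under group_by [] also makes explicit that the threshold applies to the rate summed over all tasks, so it is worth confirming that 5 per second was chosen for the fleet-wide total rather than per task.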

Hz is an alias of 1/s. But agree this is a bit confusing.

yegle

comment created time in 16 hours

pull request comment google/exposure-notifications-verification-server

add SMS signing keys at the DB layer

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: mikehelmick (Author self-approved, https://github.com/google/exposure-notifications-verification-server/pull/1649)

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment. Approvers can cancel approval by writing /approve cancel in a comment.

mikehelmick

comment created time in 16 hours

PR opened google/exposure-notifications-verification-server

add SMS signing keys at the DB layer

towards #1640

Proposed Changes

  • Add new SMSSigningKey model
  • Create ManagedKey interface
  • Refactor realm key management to work on multiple types of managed keys

Release Note

Add database model for managed keys for signing SMS messages.
+340 -33

0 comment

6 changed files

pr created time in 16 hours

push event google/exposure-notifications-server

Seth Vargo

commit sha b91b7ba5df9aef2ff7d6070a5e5702cdf6952307

Update docs for jwks rename (#1302)

view details

push time in 17 hours

delete branch google/exposure-notifications-server

delete branch : sethvargo/clean

delete time in 17 hours

PR merged google/exposure-notifications-server

Update docs for jwks rename
Labels: approved, cla: yes, lgtm, size/XS

Release Note


NONE

/assign @mikehelmick

+1 -1

2 comments

1 changed file

sethvargo

pr closed time in 17 hours

pull request comment google/exposure-notifications-server

Update docs for jwks rename

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: mikehelmick (Approved, https://github.com/google/exposure-notifications-server/pull/1302#pullrequestreview-572796139), sethvargo (Author self-approved, https://github.com/google/exposure-notifications-server/pull/1302)

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

  • OWNERS [mikehelmick,sethvargo]

Approvers can indicate their approval by writing /approve in a comment. Approvers can cancel approval by writing /approve cancel in a comment.

sethvargo

comment created time in 17 hours

push event google/exposure-notifications-server

Seth Vargo

commit sha 4c34c2b8282055cc34123ace2590a5c4fd4bea2e

Switch 30d to hours (#1303)
d is not a valid Go duration suffix

view details

push time in 18 hours

delete branch google/exposure-notifications-server

delete branch : sethvargo/doh

delete time in 18 hours

PR merged google/exposure-notifications-server

Switch 30d to hours
Labels: approved, cla: yes, lgtm, size/XS

d is not a valid Go duration suffix

Release Note


Switch 30d to 720h
+1 -1

1 comment

1 changed file

sethvargo

pr closed time in 18 hours

pull request comment google/exposure-notifications-server

Switch 30d to hours

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: mikehelmick (Approved, https://github.com/google/exposure-notifications-server/pull/1303#pullrequestreview-572770747), sethvargo (Author self-approved, https://github.com/google/exposure-notifications-server/pull/1303)

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

  • OWNERS [mikehelmick,sethvargo]

Approvers can indicate their approval by writing /approve in a comment. Approvers can cancel approval by writing /approve cancel in a comment.

sethvargo

comment created time in 18 hours

pull request comment google/exposure-notifications-server

Switch 30d to hours

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: sethvargo (Author self-approved, https://github.com/google/exposure-notifications-server/pull/1303)

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment. Approvers can cancel approval by writing /approve cancel in a comment.

sethvargo

comment created time in 18 hours

pull request comment google/exposure-notifications-server

Update docs for jwks rename

@sethvargo: The following test failed, say /retest to rerun all failed tests:

Test name: pull-en-server-release-unit
Commit: 0a75091f1ac41c6bcaac33c30bc746d8ddf38c8d
Details: link
Rerun command: /test pull-en-server-release-unit

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

sethvargo

comment created time in 18 hours

pull request comment google/exposure-notifications-server

Update docs for jwks rename

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: sethvargo (Author self-approved, https://github.com/google/exposure-notifications-server/pull/1302)

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment. Approvers can cancel approval by writing /approve cancel in a comment.

sethvargo

comment created time in 18 hours

push event google/exposure-notifications-server

Seth Vargo

commit sha 9b131563bf9bbdea166246186f8e1a78ee2a7fc4

Build all binaries at once (faster build) (#1301)

view details

push time in 18 hours

delete branch google/exposure-notifications-server

delete branch : sethvargo/faster

delete time in 18 hours
