[WIP] add age crypto to github backend

.golangci.yml

@@ -1,6 +1,8 @@
+# yaml-language-server: $schema=https://golangci-lint.run/jsonschema/golangci.jsonschema.json
+version: "2"
 run:
   timeout: 10m
-  go: "1.22"
+  go: "1.24"
   allow-parallel-runners: true
 
 linters:
@@ -16,16 +18,13 @@ linters:
     - durationcheck
     - errcheck
     - errchkjson
-    - gci
     - ginkgolinter
     - goconst
     - gocritic
     - godot
-    - gofmt
-    - goimports
     - goprintffuncname
     - gosec
-    - gosimple
+#    - gosimple
     - govet
     - importas
     - ineffassign
@@ -43,81 +42,87 @@ linters:
     # - revive
     - rowserrcheck
     - staticcheck
-    - stylecheck
-    - tenv
-    - typecheck
     - unconvert
     - unparam
     - unused
     - usestdlibvars
     - whitespace
 
-linters-settings:
-  gci:
-    sections:
-      - standard # Standard section: captures all standard packages.
-      - default # Default section: contains all imports that could not be matched to another section type.
-      - prefix(capi-bootstrap) # Custom section: groups all imports with the specified Prefix.
-  gocritic:
-    enabled-tags:
-      - diagnostic
-      - experimental
-      - performance
-    disabled-checks:
-      - appendAssign
-      - dupImport # https://github.com/go-critic/go-critic/issues/845
-      - evalOrder
-      - ifElseChain
-      - octalLiteral
-      - regexpSimplify
-      - sloppyReassign
-      - truncateCmp
-      - typeDefFirst
-      - unnamedResult
-      - unnecessaryDefer
-      - whyNoLint
-      - wrapperFunc
-      - rangeValCopy
-      - hugeParam
-  revive:
-    rules:
-      # The following rules are recommended https://github.com/mgechev/revive#recommended-configuration
-      - name: blank-imports
-      - name: context-as-argument
-      - name: context-keys-type
-      - name: dot-imports
-      - name: error-return
-      - name: error-strings
-      - name: error-naming
-      - name: exported
-      - name: if-return
-      - name: increment-decrement
-      - name: var-naming
-      - name: var-declaration
-      - name: package-comments
-      - name: range
-      - name: receiver-naming
-      - name: time-naming
-      - name: unexported-return
-      - name: indent-error-flow
-      - name: errorf
-      - name: empty-block
-      - name: superfluous-else
-      - name: unused-parameter
-      - name: unreachable-code
-      - name: redefines-builtin-id
-      #
-      # Rules in addition to the recommended configuration above.
-      #
-      - name: bool-literal-in-expr
-      - name: constant-logical-expr
-  gosec:
-    excludes:
-      - G306 # Poor file permissions used when writing to a new file
-  goimports:
-    # put imports beginning with prefix after 3rd-party packages;
-    # it's a comma-separated list of prefixes
-    local-prefixes: capi-bootstrap
+  settings:
+    gocritic:
+      enabled-tags:
+        - diagnostic
+        - experimental
+        - performance
+      disabled-checks:
+        - appendAssign
+        - dupImport # https://github.com/go-critic/go-critic/issues/845
+        - evalOrder
+        - ifElseChain
+        - octalLiteral
+        - regexpSimplify
+        - sloppyReassign
+        - truncateCmp
+        - typeDefFirst
+        - unnamedResult
+        - unnecessaryDefer
+        - whyNoLint
+        - wrapperFunc
+        - rangeValCopy
+        - hugeParam
+    revive:
+      rules:
+        # The following rules are recommended https://github.com/mgechev/revive#recommended-configuration
+        - name: blank-imports
+        - name: context-as-argument
+        - name: context-keys-type
+        - name: dot-imports
+        - name: error-return
+        - name: error-strings
+        - name: error-naming
+        - name: exported
+        - name: if-return
+        - name: increment-decrement
+        - name: var-naming
+        - name: var-declaration
+        - name: package-comments
+        - name: range
+        - name: receiver-naming
+        - name: time-naming
+        - name: unexported-return
+        - name: indent-error-flow
+        - name: errorf
+        - name: empty-block
+        - name: superfluous-else
+        - name: unused-parameter
+        - name: unreachable-code
+        - name: redefines-builtin-id
+        #
+        # Rules in addition to the recommended configuration above.
+        #
+        - name: bool-literal-in-expr
+        - name: constant-logical-expr
+    gosec:
+      excludes:
+        - G306 # Poor file permissions used when writing to a new file
+
+formatters:
+  enable:
+    - gci
+    - goimports
+    - gofmt
+    - goimports
+  settings:
+    gci:
+      sections:
+        - standard # Standard section: captures all standard packages.
+        - default # Default section: contains all imports that could not be matched to another section type.
+        - prefix(capi-bootstrap) # Custom section: groups all imports with the specified Prefix.
+    goimports:
+      # put imports beginning with prefix after 3rd-party packages;
+      # it's a comma-separated list of prefixes
+      local-prefixes:
+        - capi-bootstrap
 issues:
   max-same-issues: 0
   max-issues-per-linter: 0

Makefile

@@ -1,7 +1,7 @@
 BUILD_DIR ?= bin
 BUILD_TARGET ?= $(BUILD_DIR)/clusterctl-bootstrap
 
-GOLANGCI_LINT_VERSION ?= v1.60.1
+GOLANGCI_LINT_VERSION ?= v2.10.1
 MOCKGEN_VERSION ?= v0.4.0
 GOLANGCI_LINT ?= $(LOCALBIN)/golangci-lint-$(GOLANGCI_LINT_VERSION)
 MOCKGEN ?= $(LOCALBIN)/mockgen-$(MOCKGEN_VERSION)
@@ -59,7 +59,7 @@ lint: golangci-lint
 .PHONY: golangci-lint
 golangci-lint: $(GOLANGCI_LINT)
 $(GOLANGCI_LINT): $(LOCALBIN)
-	$(call go-install-tool,$(GOLANGCI_LINT),github.com/golangci/golangci-lint/cmd/golangci-lint,${GOLANGCI_LINT_VERSION})
+	$(call go-install-tool,$(GOLANGCI_LINT),github.com/golangci/golangci-lint/v2/cmd/golangci-lint,${GOLANGCI_LINT_VERSION})
 
 .PHONY: mockgen
 mockgen: $(MOCKGEN)

README.md

@@ -6,6 +6,8 @@ Note: Using devbox will install necessary requirements to build/run this project
   * Golang
   * clusterctl
   * kubectl
+  * (optional) [age](https://github.com/FiloSottile/age)
+    * required if using cluster state encryption feature
 
 ## Getting started
 Note: if you are using devbox, enter into a shell using `devbox shell` before running these commands to use its integration.
@@ -33,7 +35,51 @@ Note: if you are using devbox, enter into a shell using `devbox shell` before ru
     # I0603 10:12:53.447277   70482 cluster.go:165] Created Linode Instance: test-cluster-bootstrap
     # I0603 10:12:53.644074   70482 cluster.go:185] Created NodeBalancer Node: test-cluster-bootstrap
     # I0603 10:12:53.644124   70482 cluster.go:186] Bootstrap Node IP: <bootstrap IP>
+    ``` 
+   a. If you have enabled the cluster state encryption feature, your output will also include an age key
+    ```shell
+    # copy the age key
+
+    # initialize it locally (insecure)
+    CLUSTER_NAME=ross10
+    echo -n 'AGE-SECRET-KEY-PQ-...' > "$HOME/.capi-bootstrap/$CLUSTER_NAME/cluster.age"
+
+    # initialize it in a password management tool (secure)
+    # 1pass, vault, etc.
+    export CLUSTER_NAME=ross10
+    export CLUSTER_AGE_KEYFILE="/tmp/${CLUSTER_NAME}.age"
+    echo -n 'AGE-SECRET-KEY-PQ-<>' > "${CLUSTER_AGE_KEYFILE}"
+
+   # 1pass example
+    op item create --vault="Private" \
+    --category='Password' \
+    --title="${CLUSTER_NAME} Encryption Key" \
+    --tags="capi-bootstrap" \
+    'cluster-name[text]'="${CLUSTER_NAME}" \
+    'encryption-key[password]'="$(cat ${CLUSTER_AGE_KEYFILE})"
+
+    ID:          <>
+    Title:       ross10 Encryption Key
+    Vault:       Private (<>)
+    Created:     now
+    Updated:     now
+    Favorite:    false
+    Tags:        capi-bootstrap
+    Version:     1
+    Category:    PASSWORD
+    Fields:
+    cluster-name:      ross10
+    encryption-key:    [use 'op item get <> --reveal' to reveal]
+
+    # cleanup the temporary key file
+    rm -f "${CLUSTER_AGE_KEYFILE}"
+
+    # use the key with capi-bootstrap
+    CLUSTER_AGE_KEY=$(op read -n 'op://Private/ross10 Encryption Key/encryption-key')
+    export CLUSTER_AGE_KEY
+
     ```
+
 4. Get kubeconfig for cluster
     ```shell
     clusterctl bootstrap get kubeconfig $CLUSTER_NAME --backend s3 > test-kubeconfig
@@ -62,6 +108,7 @@ Note: if you are using devbox, enter into a shell using `devbox shell` before ru
     # I0603 10:42:35.730360   73227 delete.go:110]   Deleted NodeBalancer test-cluster
     ```
 ## Supported providers
+
 ### Infrastructure Providers
 * [Linode](https://linode.github.io/cluster-api-provider-linode/)
     * Identifying Resources - Resources used to identify the infrastructure provider from the parsed manifests.
@@ -75,12 +122,14 @@ Note: if you are using devbox, enter into a shell using `devbox shell` before ru
     # used for connecting to machines directly for debug steps
     export AUTHORIZED_KEYS=$YOUR_PUBLIC_KEY
     ```
+
 ### ControlPlane Providers
 * [K3s](https://github.com/k3s-io/cluster-api-k3s/tree/main)
   * Identifying resources - Resources used to identify the Controlplane provider from the parsed manifests.
     * `KthreesControlPlane`
   * Supported Versions - Supported provider versions for parsing manifests
     * `v1beta1`
+
 ### Backend Providers
 * S3 
   * Environment Variables - Required and optional environment variables used to bootstrap a cluster