Use file based signer now that Rekor supports it.

Signed-off-by: Ville Aikas <vaikas@chainguard.dev>
sigstore · Sep 16, 2022 · e5b651d · e5b651d
1 parent ad36e1a
commit e5b651d
Show file tree

Hide file tree

Showing 5 changed files with 142 additions and 54 deletions.
diff --git a/README.md b/README.md
@@ -27,21 +27,19 @@ stack on GCP using Terraform, we also got you [covered there](./terraform/).
 
 # Background
 
-Currently in various e2e tests we (the community) do not exercise all the
-components of the Sigstore when running tests. This results in us skipping
-some validation tests (for example, but not limited to, –insecure-skip-verify
-flag), or using public instances for some of the tests. Part of the reason is
-that there are currently some manual steps or some assumptions baked in some
-places that make this trickier than is strictly necessary. This repository is
-meant to make it easier to test projects that utilize sigstore by making it easy
-to spin up a whole sigstore stack in a k8s cluster so that you can do proper
-integration testing.
+This repository is meant to make it easier to test projects that utilize
+sigstore by making it easy to spin up a whole sigstore stack in a k8s cluster so
+that you can do proper integration testing. With the provided `action` it's easy
+also to add this capability to your GitHub Action testing.
 
 If you are interested in figuring out the nitty/gritty manual way of standing
 up a sigstore stack, a wonderful very detailed document for standing all the
 pieces from scratch is given in Luke Hinds’
 “[Sigstore the hard way](https://github.com/lukehinds/sigstore-the-hard-way)”
 
+If you are interested in standing up a stack on your local machine, a great
+documentation for all of them are provided by Thomas Strömberg
+"[sigstore-the-local-way](https://github.com/tstromberg/sigstore-the-local-way)"
 
 # Overview
 
@@ -107,6 +105,22 @@ rekor-system and the ConfigMap that is created by ‘**createtree**’ Job, we c
 have the following (some stuff omitted for readability) in our Rekor Deployment
 to ensure that Rekor will not start prior to TreeID having been properly
 provisioned.
+Rekor also needs a Signing Key that it will use, and we create one with
+[CreateSecret](./cmd/rekor/createsecret/main.go). It will create two secrets,
+one holding the Private Signing key as well as the password used to encrypt it
+with. By default the secret is named `rekor-signing-secret` and contains two
+keys:
+
+ * signing-secret - Holds the encrypted private key for signing
+ * signing-secret-password - Holds the password used to encrypt the key above.
+
+That secret then gets mounted / used by Rekor as demonstrated below.
+
+ Also a secret holding the Rekor public key is created, which by default is
+ named `rekor-pub-key` and contains one key that we need to construct a proper
+ tuf root later on.
+
+  * public - Rekor public key
 
 
 ```
@@ -128,16 +142,24 @@ spec:
             configMapKeyRef:
               name: rekor-config
               key: treeID
-
+          - name: SECRET_SIGNING_PWD
+            valueFrom:
+              secretKeyRef:
+                name: rekor-secrets
+                key: signing-secret-password
+        volumeMounts:
+        - name: rekor-secrets
+          mountPath: "/var/run/rekor-secrets"
+          readOnly: true
+      volumes:
+      - name: rekor-secrets
+        secret:
+          secretName: rekor-signing-secret
+          items:
+          - key: signing-secret
+            path: signing-secret
 ```
 
-In addition to creating a tree, we will also create a secret holding the
-public key of the Rekor client that we'll need to be able to construct a proper
-tuf root later on. This is handled by a rekor createsecret job and it creates
-a `rekor-pub-key` secret in the `rekor-system` namespace holding a single
-entry in it called `public` that holds the public key for the Rekor.
-
-
 ## [CTLog](https://github.com/google/certificate-transparency-go)
 
 CTLog is the first piece in the puzzle that requires a bit more wrangling

diff --git a/cmd/rekor/createsecret/main.go b/cmd/rekor/createsecret/main.go
@@ -15,11 +15,15 @@
 package main
 
 import (
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rand"
+	"crypto/x509"
+	"encoding/pem"
 	"flag"
 	"log"
 	"os"
 
-	"github.com/sigstore/rekor/pkg/client"
 	"github.com/sigstore/scaffolding/pkg/secret"
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/rest"
@@ -28,9 +32,18 @@ import (
 	"sigs.k8s.io/release-utils/version"
 )
 
+const (
+	// Key created in the secret holding the encrypted private key.
+	signingKeySecretKey = "signing-secret"
+	// Key created in the secret holding the encrypt private key passord.
+	signingKeySecretPasswordKey = "signing-secret-password"
+)
+
 var (
-	rekorURL   = flag.String("rekor_url", "http://rekor.rekor-system.svc", "Address of the Rekor server")
-	secretName = flag.String("secret", "rekor-pub-key", "Secret to create the rekor public key in.")
+	signingSecretName  = flag.String("signing-secret", "rekor-signing-secret", "Secret to create the signing secret that Rekor will use.")
+	signingKeyPassword = flag.String("signing-secret-pwd", "scaffoldtest", "Password to encrypt the signing secret with.")
+	rekorURL           = flag.String("rekor_url", "http://rekor.rekor-system.svc", "Address of the Rekor server")
+	secretName         = flag.String("secret", "rekor-pub-key", "Secret to create the rekor public key in.")
 )
 
 func main() {
@@ -57,20 +70,52 @@ func main() {
 	}
 	nsSecrets := clientset.CoreV1().Secrets(ns)
 
-	c, err := client.GetRekorClient(*rekorURL)
+	privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	if err != nil {
+		logging.FromContext(ctx).Fatalf("Failed to generate private key: %v", err)
+	}
+	// Encode private key to PKCS #8 ASN.1 PEM.
+	marshalledPrivKey, err := x509.MarshalPKCS8PrivateKey(privateKey)
+	if err != nil {
+		logging.FromContext(ctx).Fatalf("Failed to marshal private key: %v", err)
+	}
+	block := &pem.Block{
+		Type:  "PRIVATE KEY",
+		Bytes: marshalledPrivKey,
+	}
+	// Encrypt the pem
+	encryptedBlock, err := x509.EncryptPEMBlock(rand.Reader, block.Type, block.Bytes, []byte(*signingKeyPassword), x509.PEMCipherAES256) // nolint
 	if err != nil {
-		logging.FromContext(ctx).Fatalf("Failed to construct rekor client", err)
+		logging.FromContext(ctx).Fatalf("Failed to encrypt private key: %v", err)
 	}
-	// Create a secret holding our public key for OOB consumption of it.
-	// I know it's little bit fake because we call into it but at least we
-	// create it here so at least it's available for OOB.
-	rekorKey, err := c.Pubkey.GetPublicKey(nil)
+
+	privPEM := pem.EncodeToMemory(encryptedBlock)
+	if privPEM == nil {
+		logging.FromContext(ctx).Fatalf("Failed to encode encrypted private key: %v", err)
+	}
+
+	marshalledPubKey, err := x509.MarshalPKIXPublicKey(privateKey.Public())
 	if err != nil {
-		logging.FromContext(ctx).Fatalf("Unable to fetch rekor key: %v", err)
+		logging.FromContext(ctx).Panicf("Failed to marshal the public key: %v", err)
+	}
+	pubPEM := pem.EncodeToMemory(
+		&pem.Block{
+			Type:  "PUBLIC KEY",
+			Bytes: marshalledPubKey,
+		},
+	)
+
+	signingSecretData := map[string][]byte{
+		signingKeySecretKey:         privPEM,
+		signingKeySecretPasswordKey: []byte(*signingKeyPassword),
+	}
+
+	if err := secret.ReconcileSecret(ctx, *signingSecretName, ns, signingSecretData, nsSecrets); err != nil {
+		logging.FromContext(ctx).Fatalf("Unable to reconcile secret %s: %v", *signingSecretName, err)
 	}
 
-	data := map[string][]byte{"public": []byte(rekorKey.Payload)}
-	if err := secret.ReconcileSecret(ctx, *secretName, ns, data, nsSecrets); err != nil {
-		logging.FromContext(ctx).Fatalf("Unable to reconcile secret: %v", err)
+	publicKeyData := map[string][]byte{"public": pubPEM}
+	if err := secret.ReconcileSecret(ctx, *secretName, ns, publicKeyData, nsSecrets); err != nil {
+		logging.FromContext(ctx).Fatalf("Unable to reconcile secret %s: %v", *secretName, err)
 	}
 }
diff --git a/config/rekor/rekor/300-rekor.yaml b/config/rekor/rekor/300-rekor.yaml
@@ -19,7 +19,11 @@ spec:
       serviceAccountName: rekor
       containers:
       - name: rekor
-        image: gcr.io/projectsigstore/rekor-server@sha256:af91aee88c6d8efb3175b441420a4c61691ec5d6a72303c8ef47750c1dfd2325 # v0.11.0
+        # This has been built from here to pick up the file based signer change:
+        # https://github.com/sigstore/rekor/actions/runs/3061668501/jobs/4941722492
+        # Which contains this change that we need.
+        # https://github.com/sigstore/rekor/pull/1049
+        image: gcr.io/projectsigstore/rekor/ci/rekor/rekor-server@sha256:91a6fa93804e1c0b48942a6a0e38b30b851a9f281a65e84a05cd85c138450d7f
         ports:
         - containerPort: 3000
         args: [
@@ -32,7 +36,8 @@ spec:
           "--enable_retrieve_api=true",
           "--trillian_log_server.tlog_id=$(TREE_ID)",
           "--log_type=prod",
-          "--rekor_server.signer=memory",
+          "--rekor_server.signer=/var/run/rekor-secrets/signing-secret",
+          "--rekor_server.signer-pwd=$(SECRET_SIGNING_PWD)",
           "--enable_attestation_storage=true",
           "--attestation_storage_bucket=file:///tmp/",
 #          "--rekor_server.timestamp_chain=$(TIMESTAMP_CHAIN)"
@@ -43,3 +48,19 @@ spec:
             configMapKeyRef:
               name: rekor-config
               key: treeID
+        - name: SECRET_SIGNING_PWD
+          valueFrom:
+            secretKeyRef:
+              name: rekor-secrets
+              key: signing-secret-password
+        volumeMounts:
+        - name: rekor-secrets
+          mountPath: "/var/run/rekor-secrets"
+          readOnly: true
+      volumes:
+      - name: rekor-secrets
+        secret:
+          secretName: rekor-signing-secret
+          items:
+          - key: signing-secret
+            path: signing-secret
diff --git a/go.mod b/go.mod
@@ -17,8 +17,8 @@ require (
 	github.com/prometheus/client_golang v1.13.0
 	github.com/sigstore/cosign v1.11.1
 	github.com/sigstore/fulcio v0.5.3
-	github.com/sigstore/rekor v0.12.0
-	github.com/sigstore/sigstore v1.4.1-0.20220908184735-abe183b160e9
+	github.com/sigstore/rekor v0.12.1-0.20220915152154-4bb6f441c1b2
+	github.com/sigstore/sigstore v1.4.1
 	github.com/theupdateframework/go-tuf v0.5.0
 	github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399
 	golang.org/x/crypto v0.0.0-20220829220503-c86fa9a7ed90
@@ -44,7 +44,7 @@ require (
 	contrib.go.opencensus.io/exporter/stackdriver v0.13.12 // indirect
 	github.com/Microsoft/go-winio v0.5.2 // indirect
 	github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d // indirect
-	github.com/aws/aws-sdk-go v1.44.93 // indirect
+	github.com/aws/aws-sdk-go v1.44.96 // indirect
 	github.com/benbjohnson/clock v1.1.0 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/bgentry/speakeasy v0.1.0 // indirect
@@ -57,7 +57,7 @@ require (
 	github.com/cncf/xds/go v0.0.0-20211130200136-a8f946100490 // indirect
 	github.com/common-nighthawk/go-figure v0.0.0-20210622060536-734e95fb86be // indirect
 	github.com/containerd/stargz-snapshotter/estargz v0.12.0 // indirect
-	github.com/coreos/go-oidc/v3 v3.3.0 // indirect
+	github.com/coreos/go-oidc/v3 v3.4.0 // indirect
 	github.com/coreos/go-semver v0.3.0 // indirect
 	github.com/coreos/go-systemd/v22 v22.3.2 // indirect
 	github.com/cpuguy83/go-md2man/v2 v2.0.2 // indirect
@@ -130,7 +130,7 @@ require (
 	github.com/opencontainers/image-spec v1.0.3-0.20220114050600-8b9d41f48198 // indirect
 	github.com/opentracing/opentracing-go v1.2.0 // indirect
 	github.com/pelletier/go-toml v1.9.5 // indirect
-	github.com/pelletier/go-toml/v2 v2.0.1 // indirect
+	github.com/pelletier/go-toml/v2 v2.0.5 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/prometheus/client_model v0.2.0 // indirect
@@ -152,10 +152,10 @@ require (
 	github.com/spf13/cobra v1.5.0 // indirect
 	github.com/spf13/jwalterweatherman v1.1.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
-	github.com/spf13/viper v1.12.0 // indirect
+	github.com/spf13/viper v1.13.0 // indirect
 	github.com/spiffe/go-spiffe/v2 v2.1.1 // indirect
 	github.com/stretchr/testify v1.8.0 // indirect
-	github.com/subosito/gotenv v1.3.0 // indirect
+	github.com/subosito/gotenv v1.4.1 // indirect
 	github.com/syndtr/goleveldb v1.0.1-0.20220721030215-126854af5e6d // indirect
 	github.com/tent/canonical-json-go v0.0.0-20130607151641-96e4ba3a7613 // indirect
 	github.com/tmc/grpc-websocket-proxy v0.0.0-20201229170055-e5319fda7802 // indirect

diff --git a/go.sum b/go.sum
@@ -181,8 +181,8 @@ github.com/aws/aws-sdk-go v1.25.37/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpi
 github.com/aws/aws-sdk-go v1.27.0/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo=
 github.com/aws/aws-sdk-go v1.36.30/go.mod h1:hcU610XS61/+aQV88ixoOzUoG7v3b31pl2zKMmprdro=
 github.com/aws/aws-sdk-go v1.37.0/go.mod h1:hcU610XS61/+aQV88ixoOzUoG7v3b31pl2zKMmprdro=
-github.com/aws/aws-sdk-go v1.44.93 h1:hAgd9fuaptBatSft27/5eBMdcA8+cIMqo96/tZ6rKl8=
-github.com/aws/aws-sdk-go v1.44.93/go.mod h1:y4AeaBuwd2Lk+GepC1E9v0qOiTws0MIWAX4oIKwKHZo=
+github.com/aws/aws-sdk-go v1.44.96 h1:S9paaqnJ0AJ95t5AB+iK8RM6YNZN0W0Lek1gOVJsEr8=
+github.com/aws/aws-sdk-go v1.44.96/go.mod h1:y4AeaBuwd2Lk+GepC1E9v0qOiTws0MIWAX4oIKwKHZo=
 github.com/aws/aws-sdk-go-v2 v0.18.0/go.mod h1:JWVYvqSMppoMJC0x5wdwiImzgXTI9FuZwxzkQq9wy+g=
 github.com/aybabtme/rgbterm v0.0.0-20170906152045-cc83f3b3ce59/go.mod h1:q/89r3U2H7sSsE2t6Kca0lfwTK8JdoNGS/yzM/4iH5I=
 github.com/beevik/etree v1.1.0/go.mod h1:r8Aw8JqVegEf0w2fDnATrX9VpkMcyFeM0FhwO62wh+A=
@@ -262,8 +262,8 @@ github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkE
 github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
 github.com/coreos/etcd v3.3.13+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
 github.com/coreos/go-etcd v2.0.0+incompatible/go.mod h1:Jez6KQU2B/sWsbdaef3ED8NzMklzPG4d5KIOhIy30Tk=
-github.com/coreos/go-oidc/v3 v3.3.0 h1:Y1LV3mP+QT3MEycATZpAiwfyN+uxZLqVbAHJUuOJEe4=
-github.com/coreos/go-oidc/v3 v3.3.0/go.mod h1:eHUXhZtXPQLgEaDrOVTgwbgmz1xGOkJNye6h3zkD2Pw=
+github.com/coreos/go-oidc/v3 v3.4.0 h1:xz7elHb/LDwm/ERpwHd+5nb7wFHL32rsr6bBOgaeu6g=
+github.com/coreos/go-oidc/v3 v3.4.0/go.mod h1:eHUXhZtXPQLgEaDrOVTgwbgmz1xGOkJNye6h3zkD2Pw=
 github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
 github.com/coreos/go-semver v0.3.0 h1:wkHLiw0WNATZnSG7epLsujiMCgPAc9xhjJ4tgnAxmfM=
 github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
@@ -1050,8 +1050,8 @@ github.com/pelletier/go-toml v1.9.3/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCko
 github.com/pelletier/go-toml v1.9.4/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c=
 github.com/pelletier/go-toml v1.9.5 h1:4yBQzkHv+7BHq2PQUZF3Mx0IYxG7LsP222s7Agd3ve8=
 github.com/pelletier/go-toml v1.9.5/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c=
-github.com/pelletier/go-toml/v2 v2.0.1 h1:8e3L2cCQzLFi2CR4g7vGFuFxX7Jl1kKX8gW+iV0GUKU=
-github.com/pelletier/go-toml/v2 v2.0.1/go.mod h1:r9LEWfGN8R5k0VXJ+0BkIe7MYkRdwZOjgMj2KwnJFUo=
+github.com/pelletier/go-toml/v2 v2.0.5 h1:ipoSadvV8oGUjnUbMub59IDPPwfxF694nG/jwbMiyQg=
+github.com/pelletier/go-toml/v2 v2.0.5/go.mod h1:OMHamSCAODeSsVrwwvcJOaoN0LIUIaFVNZzmWyNfXas=
 github.com/performancecopilot/speed v3.0.0+incompatible/go.mod h1:/CLtqpZ5gBg1M9iaPbIdPPGyKcA8hKdoy6hAWba7Yac=
 github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU=
 github.com/phayes/checkstyle v0.0.0-20170904204023-bfd46e6a821d/go.mod h1:3OzsM7FXDQlpCiw2j81fOmAwQLnZnLGXVKUzeKQXIAw=
@@ -1183,10 +1183,10 @@ github.com/sigstore/cosign v1.11.1 h1:y9IlANx0kTe5bt4wVkauJkfgWjMwmFId1H2y782hXm
 github.com/sigstore/cosign v1.11.1/go.mod h1:PURIOXUUu1KmXTJ1x11DHH/X9CyaoYpa9AxRphagu+s=
 github.com/sigstore/fulcio v0.5.3 h1:fwdl2BHv1RjL3GJJ44T+tPsvmQ028zv54psxVhSwUGA=
 github.com/sigstore/fulcio v0.5.3/go.mod h1:4yzMqOao6r9Nul1Dgt4LL7loKdkkgbDemLYrXUuAc+Y=
-github.com/sigstore/rekor v0.12.0 h1:WjZ2/ayd4A4A05P5hVnrX0ceB/asgQhxl8szF28dNQI=
-github.com/sigstore/rekor v0.12.0/go.mod h1:a86yBaT/qbHgBTAx0eP3Je+K5NQktx5KHlQPypdyYY8=
-github.com/sigstore/sigstore v1.4.1-0.20220908184735-abe183b160e9 h1:yvNMALJQjiRSjOB3bHWE1bfyhwoKYEq/nJ2fetXd2kM=
-github.com/sigstore/sigstore v1.4.1-0.20220908184735-abe183b160e9/go.mod h1:dZodsbajYeE3w4kyKpv2V18mZo29lb7zVY/oDn8UHIU=
+github.com/sigstore/rekor v0.12.1-0.20220915152154-4bb6f441c1b2 h1:LD8LcwygdD2DxaINWwbkaUEBAknr205wmn66/N05s7c=
+github.com/sigstore/rekor v0.12.1-0.20220915152154-4bb6f441c1b2/go.mod h1:C/jZ3EZywl/Kew48fGMWQoh+1LxOMk0BkP3DHmtB+8M=
+github.com/sigstore/sigstore v1.4.1 h1:e/tfXseQRymIjgiykskciGrp75AZVCfYokZ2r9tg5vw=
+github.com/sigstore/sigstore v1.4.1/go.mod h1:4+s4d6oTDdoQkf5lwpZBoOlWWV+hXhur1my9WdN5PjU=
 github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=
 github.com/sirupsen/logrus v1.4.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=
 github.com/sirupsen/logrus v1.4.1/go.mod h1:ni0Sbl8bgC9z8RoU9G6nDWqqs/fq4eDPysMBDgk/93Q=
@@ -1244,8 +1244,8 @@ github.com/spf13/viper v1.4.0/go.mod h1:PTJ7Z/lr49W6bUbkmS1V3by4uWynFiR9p7+dSq/y
 github.com/spf13/viper v1.7.0/go.mod h1:8WkrPz2fc9jxqZNCJI/76HCieCp4Q8HaLFoCha5qpdg=
 github.com/spf13/viper v1.8.1/go.mod h1:o0Pch8wJ9BVSWGQMbra6iw0oQ5oktSIBaujf1rJH9Ns=
 github.com/spf13/viper v1.9.0/go.mod h1:+i6ajR7OX2XaiBkrcZJFK21htRk7eDeLg7+O6bhUPP4=
-github.com/spf13/viper v1.12.0 h1:CZ7eSOd3kZoaYDLbXnmzgQI5RlciuXBMA+18HwHRfZQ=
-github.com/spf13/viper v1.12.0/go.mod h1:b6COn30jlNxbm/V2IqWiNWkJ+vZNiMNksliPCiuKtSI=
+github.com/spf13/viper v1.13.0 h1:BWSJ/M+f+3nmdz9bxB+bWX28kkALN2ok11D0rSo8EJU=
+github.com/spf13/viper v1.13.0/go.mod h1:Icm2xNL3/8uyh/wFuB1jI7TiTNKp8632Nwegu+zgdYw=
 github.com/spiffe/go-spiffe/v2 v2.1.1 h1:RT9kM8MZLZIsPTH+HKQEP5yaAk3yd/VBzlINaRjXs8k=
 github.com/spiffe/go-spiffe/v2 v2.1.1/go.mod h1:5qg6rpqlwIub0JAiF1UK9IMD6BpPTmvG6yfSgDBs5lg=
 github.com/src-d/gcfg v1.4.0/go.mod h1:p/UMsR43ujA89BJY9duynAwIpvqEujIH/jFlfL7jWoI=
@@ -1272,8 +1272,8 @@ github.com/stretchr/testify v1.7.2/go.mod h1:R6va5+xMeoiuVRoj+gSkQ7d3FALtqAAGI1F
 github.com/stretchr/testify v1.8.0 h1:pSgiaMZlXftHpm5L7V1+rVB+AZJydKsMxsQBIJw4PKk=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/subosito/gotenv v1.2.0/go.mod h1:N0PQaV/YGNqwC0u51sEeR/aUtSLEXKX9iv69rRypqCw=
-github.com/subosito/gotenv v1.3.0 h1:mjC+YW8QpAdXibNi+vNWgzmgBH4+5l5dCXv8cNysBLI=
-github.com/subosito/gotenv v1.3.0/go.mod h1:YzJjq/33h7nrwdY+iHMhEOEEbW0ovIz0tB6t6PwAXzs=
+github.com/subosito/gotenv v1.4.1 h1:jyEFiXpy21Wm81FBN71l9VoMMV8H8jG+qIK3GCpY6Qs=
+github.com/subosito/gotenv v1.4.1/go.mod h1:ayKnFf/c6rvx/2iiLrJUk1e6plDbT3edrFNGqEflhK0=
 github.com/sylvia7788/contextcheck v1.0.4/go.mod h1:vuPKJMQ7MQ91ZTqfdyreNKwZjyUg6KO+IebVyQDedZQ=
 github.com/syndtr/goleveldb v1.0.1-0.20220721030215-126854af5e6d h1:vfofYNRScrDdvS342BElfbETmL1Aiz3i2t0zfRj16Hs=
 github.com/syndtr/goleveldb v1.0.1-0.20220721030215-126854af5e6d/go.mod h1:RRCYJbIwD5jmqPI9XoAFR0OcDxqUctll6zUj/+B4S48=
@@ -1473,8 +1473,8 @@ go.uber.org/atomic v1.10.0 h1:9qC72Qh0+3MqyJbAn8YU5xVq1frD8bn3JtD2oXtafVQ=
 go.uber.org/atomic v1.10.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0=
 go.uber.org/goleak v1.1.10/go.mod h1:8a7PlsEVH3e/a/GLqe5IIrQx6GzcnRmZEufDUTk4A7A=
 go.uber.org/goleak v1.1.11/go.mod h1:cwTWslyiVhfpKIDGSZEM2HlOvcqm+tG4zioyIeLoqMQ=
-go.uber.org/goleak v1.1.12 h1:gZAh5/EyT/HQwlpkCy6wTpqfH9H8Lz8zbm3dZh+OyzA=
 go.uber.org/goleak v1.1.12/go.mod h1:cwTWslyiVhfpKIDGSZEM2HlOvcqm+tG4zioyIeLoqMQ=
+go.uber.org/goleak v1.2.0 h1:xqgm/S+aQvhWFTtR0XK3Jvg7z8kGV8P4X14IzwN3Eqk=
 go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0=
 go.uber.org/multierr v1.3.0/go.mod h1:VgVr7evmIr6uPjLBxg28wmKNXyqE9akIJ5XnfpiKl+4=
 go.uber.org/multierr v1.4.0/go.mod h1:VgVr7evmIr6uPjLBxg28wmKNXyqE9akIJ5XnfpiKl+4=