Documentation ¶
Overview ¶
Package configuration is the FTL configuration and secret management API.
The full design is documented here.
A Manager is the high-level interface to storing, listing, and retrieving secrets and configuration. A [Resolver] is the next layer, mapping names to a storage location key such as environment variables, keychain, etc. The Provider is the final layer, responsible for actually storing and retrieving values in concrete storage.
A constructed Manager and its providers are parametric on either secrets or configuration and thus cannot be used interchangeably.
Index ¶
- Variables
- func ConfigFromEnvironment() []string
- func ContextWithConfig(ctx context.Context, configManager *Manager[Configuration]) context.Context
- func ContextWithSecrets(ctx context.Context, secretsManager *Manager[Secrets]) context.Context
- func ProviderKeyForAccessor(accessor *url.URL) string
- type ASM
- func (a *ASM) Delete(ctx context.Context, ref Ref) error
- func (ASM) Key() string
- func (ASM) Role() Secrets
- func (a *ASM) Store(ctx context.Context, ref Ref, value []byte) (*url.URL, error)
- func (a *ASM) Sync(ctx context.Context, entries []Entry, values *xsync.MapOf[Ref, SyncedValue]) error
- func (a *ASM) SyncInterval() time.Duration
- type AsynchronousProvider
- type Configuration
- type DBConfigProvider
- func (d DBConfigProvider) Delete(ctx context.Context, ref Ref) error
- func (DBConfigProvider) Key() string
- func (d DBConfigProvider) Load(ctx context.Context, ref Ref, key *url.URL) ([]byte, error)
- func (DBConfigProvider) Role() Configuration
- func (d DBConfigProvider) Store(ctx context.Context, ref Ref, value []byte) (*url.URL, error)
- type DBConfigProviderDAL
- type DBConfigResolver
- func (d DBConfigResolver) Get(ctx context.Context, ref Ref) (*url.URL, error)
- func (d DBConfigResolver) List(ctx context.Context) ([]Entry, error)
- func (d DBConfigResolver) Role() Configuration
- func (d DBConfigResolver) Set(ctx context.Context, ref Ref, key *url.URL) error
- func (d DBConfigResolver) Unset(ctx context.Context, ref Ref) error
- type DBConfigResolverDAL
- type DBSecretResolver
- func (d DBSecretResolver) Get(ctx context.Context, ref Ref) (*url.URL, error)
- func (d DBSecretResolver) List(ctx context.Context) ([]Entry, error)
- func (d DBSecretResolver) Role() Secrets
- func (d DBSecretResolver) Set(ctx context.Context, ref Ref, key *url.URL) error
- func (d DBSecretResolver) Unset(ctx context.Context, ref Ref) error
- type DBSecretResolverDAL
- type Entry
- type EnvarProvider
- func (e EnvarProvider[R]) Delete(ctx context.Context, ref Ref) error
- func (EnvarProvider[R]) Key() string
- func (e EnvarProvider[R]) Load(ctx context.Context, ref Ref, key *url.URL) ([]byte, error)
- func (EnvarProvider[R]) Role() R
- func (e EnvarProvider[R]) Store(ctx context.Context, ref Ref, value []byte) (*url.URL, error)
- type InlineProvider
- func (InlineProvider[R]) Delete(ctx context.Context, ref Ref) error
- func (InlineProvider[R]) Key() string
- func (InlineProvider[R]) Load(ctx context.Context, ref Ref, key *url.URL) ([]byte, error)
- func (InlineProvider[R]) Role() R
- func (InlineProvider[R]) Store(ctx context.Context, ref Ref, value []byte) (*url.URL, error)
- type KeychainProvider
- func (k KeychainProvider) Delete(ctx context.Context, ref Ref) error
- func (k KeychainProvider) Key() string
- func (k KeychainProvider) Load(ctx context.Context, ref Ref, key *url.URL) ([]byte, error)
- func (KeychainProvider) Role() Secrets
- func (k KeychainProvider) Store(ctx context.Context, ref Ref, value []byte) (*url.URL, error)
- type Manager
- func ConfigFromContext(ctx context.Context) *Manager[Configuration]
- func New[R Role](ctx context.Context, router Router[R], providers []Provider[R]) (*Manager[R], error)
- func NewConfigurationManager(ctx context.Context, router Router[Configuration]) (*Manager[Configuration], error)
- func NewDefaultConfigurationManagerFromConfig(ctx context.Context, config string) (*Manager[Configuration], error)
- func NewDefaultSecretsManagerFromConfig(ctx context.Context, config string, opVault string) (*Manager[Secrets], error)
- func NewSecretsManager(ctx context.Context, router Router[Secrets], opVault string, config string) (*Manager[Secrets], error)
- func SecretsFromContext(ctx context.Context) *Manager[Secrets]
- func (m *Manager[R]) Get(ctx context.Context, ref Ref, value any) error
- func (m *Manager[R]) List(ctx context.Context) ([]Entry, error)
- func (m *Manager[R]) MapForModule(ctx context.Context, module string) (map[string][]byte, error)
- func (m *Manager[R]) Set(ctx context.Context, pkey string, ref Ref, value any) error
- func (m *Manager[R]) SetJSON(ctx context.Context, pkey string, ref Ref, value json.RawMessage) error
- func (m *Manager[R]) Unset(ctx context.Context, pkey string, ref Ref) error
- type ManualSyncProvider
- func (a *ManualSyncProvider[R]) Delete(ctx context.Context, ref Ref) error
- func (a *ManualSyncProvider[R]) Key() string
- func (a *ManualSyncProvider[R]) Role() R
- func (a *ManualSyncProvider[R]) Store(ctx context.Context, ref Ref, value []byte) (*url.URL, error)
- func (a *ManualSyncProvider[R]) Sync(ctx context.Context, entries []Entry, values *xsync.MapOf[Ref, SyncedValue]) error
- func (a *ManualSyncProvider[R]) SyncAndWait() error
- func (a *ManualSyncProvider[R]) SyncInterval() time.Duration
- type Obfuscator
- type ObfuscatorProvider
- type OnePasswordProvider
- func (o OnePasswordProvider) Delete(ctx context.Context, ref Ref) error
- func (o OnePasswordProvider) Key() string
- func (OnePasswordProvider) Role() Secrets
- func (o OnePasswordProvider) Store(ctx context.Context, ref Ref, value []byte) (*url.URL, error)
- func (o OnePasswordProvider) Sync(ctx context.Context, entries []Entry, values *xsync.MapOf[Ref, SyncedValue]) error
- func (o OnePasswordProvider) SyncInterval() time.Duration
- type ProjectConfigResolver
- func (p ProjectConfigResolver[R]) Get(ctx context.Context, ref Ref) (*url.URL, error)
- func (p ProjectConfigResolver[R]) List(ctx context.Context) ([]Entry, error)
- func (p ProjectConfigResolver[R]) Role() R
- func (p ProjectConfigResolver[R]) Set(ctx context.Context, ref Ref, key *url.URL) error
- func (p ProjectConfigResolver[From]) Unset(ctx context.Context, ref Ref) error
- type Provider
- type Ref
- type Role
- type Router
- type Secrets
- type SyncedValue
- type SynchronousProvider
- type VersionToken
Constants ¶
This section is empty.
Variables ¶
var ErrNotFound = errors.New("not found")
ErrNotFound is returned when a configuration entry is not found or cannot be resolved.
Functions ¶
func ConfigFromEnvironment ¶ added in v0.201.0
func ConfigFromEnvironment() []string
func ContextWithConfig ¶ added in v0.138.0
ContextWithConfig adds a configuration manager to the given context.
func ContextWithSecrets ¶ added in v0.138.0
ContextWithSecrets adds a secrets manager to the given context.
func ProviderKeyForAccessor ¶ added in v0.281.0
Types ¶
type ASM ¶ added in v0.236.0
type ASM struct {
// contains filtered or unexported fields
}
ASM implements a Provider for AWS Secrets Manager (ASM). It only supports loading "string" secrets, not binary secrets.
One controller is elected as the leader and is responsible for syncing the cache of secrets from ASM (see asmLeader). Others get secrets from the leader via AdminService (see asmFollower).
func (*ASM) SyncInterval ¶ added in v0.290.0
type AsynchronousProvider ¶ added in v0.290.0
type AsynchronousProvider[R Role] interface { Provider[R] SyncInterval() time.Duration // Sync is called periodically to update the cache with the latest values. // // SyncInterval() provides the expected time between syncs. // If Sync() returns an error, sync will be retried with an exponential backoff. // // Values should be updated by Sync(). // An array of known entries from the router is provided in case it is helpful, but the provider can store any values it wants. Sync(ctx context.Context, entries []Entry, values *xsync.MapOf[Ref, SyncedValue]) error }
AsynchronousProvider is an interface for providers that support syncing values. This is recommended if the provider allows batch access, or is expensive to load.
type Configuration ¶ added in v0.138.0
type Configuration struct{}
func (Configuration) String ¶ added in v0.145.0
func (Configuration) String() string
type DBConfigProvider ¶ added in v0.231.0
type DBConfigProvider struct {
// contains filtered or unexported fields
}
DBConfigProvider is a configuration provider that stores configuration in its key.
func NewDBConfigProvider ¶ added in v0.231.0
func NewDBConfigProvider(dal DBConfigProviderDAL) DBConfigProvider
func (DBConfigProvider) Delete ¶ added in v0.231.0
func (d DBConfigProvider) Delete(ctx context.Context, ref Ref) error
func (DBConfigProvider) Key ¶ added in v0.231.0
func (DBConfigProvider) Key() string
func (DBConfigProvider) Role ¶ added in v0.231.0
func (DBConfigProvider) Role() Configuration
type DBConfigProviderDAL ¶ added in v0.231.0
type DBConfigProviderDAL interface { GetModuleConfiguration(ctx context.Context, module optional.Option[string], name string) ([]byte, error) SetModuleConfiguration(ctx context.Context, module optional.Option[string], name string, value []byte) error UnsetModuleConfiguration(ctx context.Context, module optional.Option[string], name string) error }
type DBConfigResolver ¶ added in v0.231.0
type DBConfigResolver struct {
// contains filtered or unexported fields
}
DBConfigResolver loads values for a project's configuration from the given database.
func NewDBConfigResolver ¶ added in v0.231.0
func NewDBConfigResolver(db DBConfigResolverDAL) DBConfigResolver
func (DBConfigResolver) List ¶ added in v0.231.0
func (d DBConfigResolver) List(ctx context.Context) ([]Entry, error)
func (DBConfigResolver) Role ¶ added in v0.231.0
func (d DBConfigResolver) Role() Configuration
type DBConfigResolverDAL ¶ added in v0.231.0
type DBConfigResolverDAL interface {
ListModuleConfiguration(ctx context.Context) ([]sql.ModuleConfiguration, error)
}
type DBSecretResolver ¶ added in v0.276.5
type DBSecretResolver struct {
// contains filtered or unexported fields
}
DBSecretResolver loads values for a project's secrets from the given database.
func NewDBSecretResolver ¶ added in v0.276.5
func NewDBSecretResolver(db DBSecretResolverDAL) DBSecretResolver
func (DBSecretResolver) List ¶ added in v0.276.5
func (d DBSecretResolver) List(ctx context.Context) ([]Entry, error)
func (DBSecretResolver) Role ¶ added in v0.276.5
func (d DBSecretResolver) Role() Secrets
type DBSecretResolverDAL ¶ added in v0.276.5
type DBSecretResolverDAL interface { GetModuleSecretURL(ctx context.Context, module optional.Option[string], name string) (string, error) ListModuleSecrets(ctx context.Context) ([]dal.ModuleSecret, error) SetModuleSecretURL(ctx context.Context, module optional.Option[string], name string, url string) error UnsetModuleSecret(ctx context.Context, module optional.Option[string], name string) error }
type EnvarProvider ¶
type EnvarProvider[R Role] struct{}
EnvarProvider is a configuration provider that reads secrets or configuration from environment variables.
func (EnvarProvider[R]) Delete ¶
func (e EnvarProvider[R]) Delete(ctx context.Context, ref Ref) error
func (EnvarProvider[R]) Key ¶
func (EnvarProvider[R]) Key() string
func (EnvarProvider[R]) Role ¶ added in v0.145.0
func (EnvarProvider[R]) Role() R
type InlineProvider ¶
type InlineProvider[R Role] struct{}
InlineProvider is a configuration provider that stores configuration in its key.
func (InlineProvider[R]) Delete ¶
func (InlineProvider[R]) Delete(ctx context.Context, ref Ref) error
func (InlineProvider[R]) Key ¶
func (InlineProvider[R]) Key() string
func (InlineProvider[R]) Role ¶ added in v0.145.0
func (InlineProvider[R]) Role() R
type KeychainProvider ¶
type KeychainProvider struct{}
func (KeychainProvider) Delete ¶
func (k KeychainProvider) Delete(ctx context.Context, ref Ref) error
func (KeychainProvider) Key ¶
func (k KeychainProvider) Key() string
func (KeychainProvider) Role ¶ added in v0.145.0
func (KeychainProvider) Role() Secrets
type Manager ¶
type Manager[R Role] struct { // contains filtered or unexported fields }
Manager is a high-level configuration manager that abstracts the details of the Router and Provider interfaces.
func ConfigFromContext ¶ added in v0.138.0
func ConfigFromContext(ctx context.Context) *Manager[Configuration]
ConfigFromContext retrieves the configuration.Manager previously added to the context with ContextWithConfig.
func New ¶
func New[R Role](ctx context.Context, router Router[R], providers []Provider[R]) (*Manager[R], error)
New configuration manager.
func NewConfigurationManager ¶ added in v0.138.0
func NewConfigurationManager(ctx context.Context, router Router[Configuration]) (*Manager[Configuration], error)
NewConfigurationManager creates a new configuration manager with the default configuration providers.
func NewDefaultConfigurationManagerFromConfig ¶ added in v0.201.0
func NewDefaultConfigurationManagerFromConfig(ctx context.Context, config string) (*Manager[Configuration], error)
NewDefaultConfigurationManagerFromConfig creates a new configuration manager from the project config found in the config paths.
func NewDefaultSecretsManagerFromConfig ¶ added in v0.201.0
func NewDefaultSecretsManagerFromConfig(ctx context.Context, config string, opVault string) (*Manager[Secrets], error)
NewDefaultSecretsManagerFromConfig creates a new secrets manager from the project config found in the config paths.
func NewSecretsManager ¶ added in v0.138.0
func NewSecretsManager(ctx context.Context, router Router[Secrets], opVault string, config string) (*Manager[Secrets], error)
NewSecretsManager creates a new secrets manager with the default secret providers.
func SecretsFromContext ¶ added in v0.138.0
SecretsFromContext retrieves the secrets configuration.Manager previously added to the context with ContextWithSecrets.
func (*Manager[R]) Get ¶
Get a configuration value from the active providers.
"value" must be a pointer to a Go type that can be unmarshalled from JSON.
func (*Manager[R]) MapForModule ¶ added in v0.184.2
MapForModule combines all configuration values visible to the module. Local values take precedence.
type ManualSyncProvider ¶ added in v0.296.6
type ManualSyncProvider[R Role] struct { // contains filtered or unexported fields }
ManualSyncProvider prevents normal syncs by returning a very high sync interval. When SyncAndWait() is called, it starts returning a 0 sync interval and then blocks until the sync completes. See why we didn't use mock clocks to schedule syncs here: https://github.com/TBD54566975/ftl/issues/2092
func NewManualSyncProvider ¶ added in v0.296.6
func NewManualSyncProvider[R Role](provider AsynchronousProvider[R]) *ManualSyncProvider[R]
func (*ManualSyncProvider[R]) Delete ¶ added in v0.296.6
func (a *ManualSyncProvider[R]) Delete(ctx context.Context, ref Ref) error
func (*ManualSyncProvider[R]) Key ¶ added in v0.296.6
func (a *ManualSyncProvider[R]) Key() string
func (*ManualSyncProvider[R]) Role ¶ added in v0.296.6
func (a *ManualSyncProvider[R]) Role() R
func (*ManualSyncProvider[R]) Sync ¶ added in v0.296.6
func (a *ManualSyncProvider[R]) Sync(ctx context.Context, entries []Entry, values *xsync.MapOf[Ref, SyncedValue]) error
func (*ManualSyncProvider[R]) SyncAndWait ¶ added in v0.296.6
func (a *ManualSyncProvider[R]) SyncAndWait() error
func (*ManualSyncProvider[R]) SyncInterval ¶ added in v0.296.6
func (a *ManualSyncProvider[R]) SyncInterval() time.Duration
type Obfuscator ¶ added in v0.277.0
type Obfuscator struct {
// contains filtered or unexported fields
}
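Obfuscator hides and reveals a value, but does not provide real security; instead, the aim of this Obfuscator is to make values not easily human-readable. Obfuscated values should therefore still be handled and access-controlled like the plaintext they encode.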
Obfuscation is done by XOR-ing the input with the AES key. Length of key must be 16, 24 or 32 bytes (corresponding to AES-128, AES-192 or AES-256 keys).
type ObfuscatorProvider ¶ added in v0.277.0
type ObfuscatorProvider interface {
// contains filtered or unexported methods
}
type OnePasswordProvider ¶
OnePasswordProvider is a configuration provider that reads passwords from 1Password vaults via the "op" command line tool.
func (OnePasswordProvider) Delete ¶
func (o OnePasswordProvider) Delete(ctx context.Context, ref Ref) error
func (OnePasswordProvider) Key ¶
func (o OnePasswordProvider) Key() string
func (OnePasswordProvider) Role ¶ added in v0.145.0
func (OnePasswordProvider) Role() Secrets
func (OnePasswordProvider) Store ¶
Store will save the given secret in 1Password via the `op` command.
op does not support "create or update" as a single command. Neither does it support specifying an ID on create. Because of this, we need to check whether the item exists before creating it, and update it if it does.
func (OnePasswordProvider) Sync ¶ added in v0.290.0
func (o OnePasswordProvider) Sync(ctx context.Context, entries []Entry, values *xsync.MapOf[Ref, SyncedValue]) error
Sync will fetch all secrets from the 1Password vault and store them in the values map. Do not just sync o.Vault; instead, find all vaults referenced in entries and sync them.
func (OnePasswordProvider) SyncInterval ¶ added in v0.290.0
func (o OnePasswordProvider) SyncInterval() time.Duration
type ProjectConfigResolver ¶
type ProjectConfigResolver[R Role] struct { Config string `` /* 126-byte string literal not displayed */ }
ProjectConfigResolver is a parametric Resolver that loads values from either a project's configuration or secrets maps, based on the type parameter.
See the projectconfig package for details on the configuration file format.
func (ProjectConfigResolver[R]) List ¶
func (p ProjectConfigResolver[R]) List(ctx context.Context) ([]Entry, error)
func (ProjectConfigResolver[R]) Role ¶ added in v0.145.0
func (p ProjectConfigResolver[R]) Role() R
type Provider ¶
type Provider[R Role] interface { Role() R Key() string // Store a configuration value and return its key. Store(ctx context.Context, ref Ref, value []byte) (*url.URL, error) // Delete a configuration value. Delete(ctx context.Context, ref Ref) error }
Provider is a generic interface for storing and retrieving configuration and secrets.
type Ref ¶
A Ref is a reference to a configuration value.
func NewRef ¶
NewRef creates a new Ref.
If [module] is empty, the Ref is considered to be a global configuration value.
func (*Ref) UnmarshalText ¶
type Role ¶ added in v0.138.0
type Role interface { Secrets | Configuration }
Role of Manager, either Secrets or Configuration.
type Router ¶ added in v0.271.4
type Router[R Role] interface { Role() R Get(ctx context.Context, ref Ref) (key *url.URL, err error) Set(ctx context.Context, ref Ref, key *url.URL) error Unset(ctx context.Context, ref Ref) error List(ctx context.Context) ([]Entry, error) }
A Router resolves configuration names to keys that are then used to load values from a Provider.
This indirection allows for the storage of configuration values to be abstracted from the configuration itself. For example, the ftl-project.toml file contains per-module and global configuration maps, but the secrets themselves may be stored in a separate secret store such as a system keychain.
type SyncedValue ¶ added in v0.290.0
type SyncedValue struct { Value []byte // VersionToken is a way of storing a version provided by the source of truth (eg: lastModified) // it is nil when: // - the owner of the cache is not using version tokens // - the cache is updated after writing VersionToken optional.Option[VersionToken] }
type SynchronousProvider ¶ added in v0.290.0
type SynchronousProvider[R Role] interface { Provider[R] Load(ctx context.Context, ref Ref, key *url.URL) ([]byte, error) }
SynchronousProvider is an interface for providers that can load values on-demand. This is recommended if the provider allows inexpensive loading of values.
type VersionToken ¶ added in v0.290.0
type VersionToken any
Source Files ¶
- 1password_provider.go
- api.go
- asm.go
- asm_follower.go
- asm_leader.go
- cache.go
- comments.go
- context.go
- db_config_provider.go
- db_config_resolver.go
- db_secret_resolver.go
- defaults.go
- envar_provider.go
- inline_provider.go
- keychain_provider.go
- manager.go
- manual_sync_utils.go
- obfuscator.go
- projectconfig_resolver.go