Documentation
Overview
Package responsible for fetching secrets from the service.
This package defines the abstract interface used to fetch secrets, a factory to supply the concrete implementation for a given secret type, and the various implementations.
Index
- func NewSecretDescriptorList(mountDir, translate, objectSpec string, regions []string) (desc map[SecretType][]*SecretDescriptor, e error)
- type FailoverObjectEntry
- type JMESPathEntry
- type ParameterStoreClient
- type ParameterStoreProvider
- type ProviderFactoryFactory
- type SecretDescriptor
- func (p *SecretDescriptor) GetFileName() (path string)
- func (p *SecretDescriptor) GetMountDir() string
- func (p *SecretDescriptor) GetMountPath() string
- func (p *SecretDescriptor) GetObjectVersion(useFailoverRegion bool) (secretName string)
- func (p *SecretDescriptor) GetObjectVersionLabel(useFailoverRegion bool) (secretName string)
- func (p *SecretDescriptor) GetSecretName(useFailoverRegion bool) (secretName string)
- func (p *SecretDescriptor) GetSecretType() (stype SecretType)
- type SecretProvider
- type SecretProviderFactory
- type SecretType
- type SecretValue
- type SecretsManagerClient
- type SecretsManagerProvider
Constants
This section is empty.
Variables
This section is empty.
Functions
func NewSecretDescriptorList
func NewSecretDescriptorList(mountDir, translate, objectSpec string, regions []string) (
	desc map[SecretType][]*SecretDescriptor,
	e error,
)
Groups the requested objects by secret type and returns a map (keyed by secret type) of slices of requests.
This function parses the objects array specified in the SecretProviderClass passed on the mount request. All entries are validated. The objects are grouped into slices based on GetSecretType() and returned in a map keyed by secret type, which allows requests to be batched per provider.
Types
type FailoverObjectEntry
type FailoverObjectEntry struct {
	// Optional name of the failover secret
	ObjectName string `json:"objectName"`
	// Optional version id of the secret (default to latest).
	ObjectVersion string `json:"objectVersion"`
	// Optional version/stage label of the secret (defaults to latest).
	ObjectVersionLabel string `json:"objectVersionLabel"`
}
An individual JSON key value pair to mount.
type JMESPathEntry
type JMESPathEntry struct {
	// JMES path to use for retrieval
	Path string `json:"path"`
	// File name in which to store the secret.
	ObjectAlias string `json:"objectAlias"`
}
An individual JSON key value pair to mount.
type ParameterStoreClient
Parameter Store client with region.
type ParameterStoreProvider
type ParameterStoreProvider struct {
// contains filtered or unexported fields
}
Implements the provider interface for SSM Parameter Store.
Unlike the SecretsManagerProvider, this implementation is optimized to reduce API call rates rather than latency in order to avoid request throttling (which would result in higher latency).
This implementation reduces API calls by batching multiple parameter requests together using the GetParameters call.
func NewParameterStoreProvider
func NewParameterStoreProvider(awsSessions []*session.Session, regions []string) *ParameterStoreProvider
func NewParameterStoreProviderWithClients
func NewParameterStoreProviderWithClients(clients ...ParameterStoreClient) *ParameterStoreProvider
Factory methods to build a new ParameterStoreProvider.
func (*ParameterStoreProvider) GetSecretValues
func (p *ParameterStoreProvider) GetSecretValues(
	ctx context.Context,
	descriptors []*SecretDescriptor,
	curMap map[string]*v1alpha1.ObjectVersion,
) (v []*SecretValue, e error)
Gets the secrets from Parameter Store.
This method iterates over the requested secrets, building up batches of requests and fetching them. As each batch is fetched, the results are saved and the current version map (curMap) is updated with the current version information.
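The batching described above, as an added stand-alone illustration that is not the package's own code: a hypothetical fetchParameters chunks names into GetParameters calls, records the returned versions in a curMap simplified to map[name]version, and treats any entry in InvalidParameters as a failure rather than silently dropping it. The batch size of 10 is the AWS GetParameters limit and is an assumption, not something this page states; the client in main is constructed.

```go
package main

import "fmt"

// Parameter and getParametersResponse carry only the GetParameters fields this example needs.
type Parameter struct{ Name, Value, Version string }

type getParametersResponse struct {
	Parameters        []Parameter
	InvalidParameters []string // names SSM could not resolve; the call itself still succeeds
}

const maxBatch = 10 // per-call name limit of GetParameters (assumed from the AWS API, not stated on the page)

// fetchParameters batches names into GetParameters calls, records each returned version in curMap
// (simplified to map[name]version) and fails the request if any name was rejected.
func fetchParameters(call func([]string) (getParametersResponse, error), names []string, curMap map[string]string) (map[string][]byte, error) {
	values := make(map[string][]byte, len(names))
	for start := 0; start < len(names); start += maxBatch {
		end := start + maxBatch
		if end > len(names) {
			end = len(names)
		}
		resp, err := call(names[start:end])
		if err != nil {
			return nil, fmt.Errorf("GetParameters batch starting at %d: %w", start, err)
		}
		if len(resp.InvalidParameters) > 0 {
			return nil, fmt.Errorf("parameters not found or not permitted: %v", resp.InvalidParameters)
		}
		for _, p := range resp.Parameters {
			values[p.Name] = []byte(p.Value)
			curMap[p.Name] = p.Version
		}
	}
	return values, nil
}

func main() {
	fake := func(names []string) (getParametersResponse, error) { // constructed client: every name exists
		var r getParametersResponse
		for _, n := range names {
			r.Parameters = append(r.Parameters, Parameter{Name: n, Value: "v-" + n, Version: "1"})
		}
		return r, nil
	}
	cur := map[string]string{}
	v, err := fetchParameters(fake, []string{"/app/db", "/app/token"}, cur)
	fmt.Println(len(v), cur, err)
}
```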
type ProviderFactoryFactory
type ProviderFactoryFactory func(session []*session.Session, regions []string) (factory *SecretProviderFactory)
The prototype for the provider factory factory.
type SecretDescriptor
type SecretDescriptor struct {
	// Name of the secret
	ObjectName string `json:"objectName"`
	// Optional base file name in which to store the secret (use ObjectName if nil).
	ObjectAlias string `json:"objectAlias"`
	// Optional version id of the secret (default to latest).
	ObjectVersion string `json:"objectVersion"`
	// Optional version/stage label of the secret (defaults to latest).
	ObjectVersionLabel string `json:"objectVersionLabel"`
	// One of secretsmanager or ssmparameter (not required when using full secrets manager ARN).
	ObjectType string `json:"objectType"`
	// Optional array to specify what json key value pairs to extract from a secret and mount as individual secrets
	JMESPath []JMESPathEntry `json:"jmesPath"`
	// Optional failover object
	FailoverObject FailoverObjectEntry `json:"failoverObject"`
	// contains filtered or unexported fields
}
An individual record from the mount request indicating the secret to be fetched and mounted.
func (*SecretDescriptor) GetFileName
func (p *SecretDescriptor) GetFileName() (path string)
Returns the file name where the secrets are to be written.
Uses either the ObjectName or ObjectAlias to construct the file name.
func (*SecretDescriptor) GetMountDir
func (p *SecretDescriptor) GetMountDir() string
Returns the mount point directory.
Returns the mount point directory passed in by the driver in the mount request.
func (*SecretDescriptor) GetMountPath
func (p *SecretDescriptor) GetMountPath() string
Gets the full path name (mount point + file) of the file where the secret is stored.
Returns a path name composed of the mount point and the file name.
func (*SecretDescriptor) GetObjectVersion
func (p *SecretDescriptor) GetObjectVersion(useFailoverRegion bool) (secretName string)
Returns the ObjectVersion.
func (*SecretDescriptor) GetObjectVersionLabel
func (p *SecretDescriptor) GetObjectVersionLabel(useFailoverRegion bool) (secretName string)
Returns the ObjectVersionLabel.
func (*SecretDescriptor) GetSecretName
func (p *SecretDescriptor) GetSecretName(useFailoverRegion bool) (secretName string)
Returns the secret name for the current descriptor.
The current secret name resolves to the ObjectName when not in failover, and to the backup ARN when in failover.
func (*SecretDescriptor) GetSecretType
func (p *SecretDescriptor) GetSecretType() (stype SecretType)
Returns the secret type (ssmparameter or secretsmanager).
If ObjectType is not specified, a full ARN must be present in ObjectName, and this method derives the type from that ARN.
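The ARN fallback in GetSecretType and the per-type grouping done by NewSecretDescriptorList, as one added example that is not the package's own code: secretTypeOf and groupByType are hypothetical stand-ins operating on a cut-down Descriptor, and a descriptor that neither names a supported type nor carries a recognisable ARN fails the whole request. The ARNs and the account id are constructed sample values.

```go
package main

import (
	"fmt"
	"strings"
)

type SecretType int

const (
	SSMParameter SecretType = iota
	SecretsManager
)

// Descriptor is a cut-down stand-in for the page's SecretDescriptor (constructed here).
type Descriptor struct{ ObjectName, ObjectType string }

// secretTypeOf applies the GetSecretType rule: explicit ObjectType wins, else the ARN service field decides.
func secretTypeOf(d Descriptor) (SecretType, error) {
	svc := d.ObjectType
	if svc == "" { // arn:partition:service:region:account:resource
		parts := strings.SplitN(d.ObjectName, ":", 6)
		if len(parts) < 6 || parts[0] != "arn" {
			return 0, fmt.Errorf("%q: objectType missing and objectName is not an ARN", d.ObjectName)
		}
		svc = parts[2]
	}
	switch svc {
	case "ssmparameter", "ssm":
		return SSMParameter, nil
	case "secretsmanager":
		return SecretsManager, nil
	}
	return 0, fmt.Errorf("%q: unsupported secret type %q", d.ObjectName, svc)
}

// groupByType validates every descriptor and buckets them by type, the map NewSecretDescriptorList returns.
func groupByType(descs []Descriptor) (map[SecretType][]Descriptor, error) {
	out := map[SecretType][]Descriptor{}
	for _, d := range descs {
		t, err := secretTypeOf(d)
		if err != nil {
			return nil, err // one invalid entry fails the whole mount request
		}
		out[t] = append(out[t], d)
	}
	return out, nil
}

func main() { fmt.Println(groupByType([]Descriptor{{ObjectName: "arn:aws:ssm:us-east-1:123456789012:parameter/app/token"}})) }
```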
type SecretProvider
type SecretProvider interface {
	GetSecretValues(ctx context.Context, descriptor []*SecretDescriptor, curMap map[string]*v1alpha1.ObjectVersion) (secret []*SecretValue, e error)
}
Generic interface for the different secret providers.
type SecretProviderFactory
type SecretProviderFactory struct {
	Providers map[SecretType]SecretProvider // Maps secret type to the provider.
}
Factory class to return singletons based on secret type (secretsmanager or ssmparameter).
func NewSecretProviderFactory
func NewSecretProviderFactory(sessions []*session.Session, regions []string) (factory *SecretProviderFactory)
Creates the provider factory.
This factory categorizes the request and returns the correct concrete provider implementation using the secret type.
func (SecretProviderFactory) GetSecretProvider
func (p SecretProviderFactory) GetSecretProvider(secretType SecretType) (prov SecretProvider)
Factory method to get the correct secret provider for the request type.
This factory method uses the secret type to return the previously created provider implementation.
type SecretType
type SecretType int
Enum of supported secret types.
const (
	SSMParameter SecretType = iota
	SecretsManager
)
func (SecretType) String
func (sType SecretType) String() string
type SecretValue
type SecretValue struct {
	Value      []byte
	Descriptor SecretDescriptor
}
Contains the actual contents of the secret fetched from either Secrets Manager or SSM Parameter Store, along with the original descriptor.
func (*SecretValue) String
func (p *SecretValue) String() string
type SecretsManagerClient
type SecretsManagerClient struct {
	Region     string
	Client     secretsmanageriface.SecretsManagerAPI
	IsFailover bool
}
SecretsManager client with region.
type SecretsManagerProvider
type SecretsManagerProvider struct {
	// contains filtered or unexported fields
}
Implements the provider interface for Secrets Manager.
Unlike the ParameterStoreProvider, this implementation is optimized for latency rather than reduced API call rates, because Secrets Manager provides higher API limits.
When there are no existing versions of the secret (first mount), this provider will just call GetSecretValue, update the current version map (curMap), and return the secret in the results. When there are existing versions (rotation reconciler case), this implementation will use the lower latency DescribeSecret call to first determine if the secret has been updated.
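The rotation-reconciler decision described above, as an added example that is not the package's own code: a hypothetical needsFetch works from a constructed DescribeSecret result (VersionIdsToStages) and a curMap simplified to map[objectName]versionID. It also covers the pinned-version case, which the page's ObjectVersion field implies but does not spell out; the AWSCURRENT default label is the Secrets Manager service default and is assumed here.

```go
package main

import "fmt"

// describeOutput holds the one DescribeSecret field this check needs: the map from
// version id to its staging labels (field name follows the AWS API).
type describeOutput struct {
	VersionIdsToStages map[string][]string
}

// currentVersions is the page's curMap simplified to map[objectName]versionID (absent = first mount).
type currentVersions map[string]string

// needsFetch decides whether GetSecretValue must be called for one descriptor. A pinned
// ObjectVersion never changes, so it is refetched only if it is not what is mounted; otherwise
// the requested label (default AWSCURRENT, the service default, assumed here) is resolved through
// DescribeSecret and the secret is fetched only when the id behind the label has moved.
func needsFetch(name, versionID, label string, desc describeOutput, cur currentVersions) (resolved string, fetch bool) {
	mounted, isMounted := cur[name]
	if versionID != "" {
		return versionID, !isMounted || mounted != versionID
	}
	if label == "" {
		label = "AWSCURRENT"
	}
	for id, stages := range desc.VersionIdsToStages {
		for _, s := range stages {
			if s == label {
				resolved = id
			}
		}
	}
	if !isMounted || resolved == "" {
		// First mount, or the label is not attached to any version: fetch and let
		// GetSecretValue return the authoritative result or error.
		return resolved, true
	}
	return resolved, resolved != mounted
}

func main() {
	desc := describeOutput{VersionIdsToStages: map[string][]string{ // constructed DescribeSecret result
		"1a2b": {"AWSPREVIOUS"},
		"3c4d": {"AWSCURRENT"},
	}}
	fmt.Println(needsFetch("db-password", "", "", desc, currentVersions{"db-password": "1a2b"})) // 3c4d true
}
```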
func NewSecretsManagerProvider
func NewSecretsManagerProvider(awsSessions []*session.Session, regions []string) *SecretsManagerProvider
func NewSecretsManagerProviderWithClients
func NewSecretsManagerProviderWithClients(clients ...SecretsManagerClient) *SecretsManagerProvider
Factory methods to build a new SecretsManagerProvider.
func (*SecretsManagerProvider) GetSecretValues
func (p *SecretsManagerProvider) GetSecretValues(
	ctx context.Context,
	descriptors []*SecretDescriptor,
	curMap map[string]*v1alpha1.ObjectVersion,
) (v []*SecretValue, errs error)
Gets the secrets from Secrets Manager.
This method iterates over all descriptors and fetches each one, continuing until every descriptor has been successfully fetched. As soon as an error occurs, it returns that error immediately.