v1alpha1

package

Constants

This section is empty.

Variables

// DefaultSyncJobAuditLogPath is the audit log location documented as the
// default for SyncJob.AuditLogPath. It resolves to "sync-audit.log" under the
// OS temporary directory, a location that is typically shared between users
// and predictable by name; a deployment that relies on the audit trail should
// set SyncJob.AuditLogPath to a dedicated, permission-controlled path instead.
var DefaultSyncJobAuditLogPath = filepath.Join(os.TempDir(), "sync-audit.log")
// ErrKeyNotFound reports that a requested secret key is not present in the
// store. Callers should test for it with errors.Is so that wrapped errors
// are still recognized.
var ErrKeyNotFound = errors.New("secret key not found")

Functions

func Register

func Register(store SecretStore, backend *SecretStoreSpec)

Register registers a SecretStore for a given backend. Panics if that backend is already registered.

Types

type LocalStore

// LocalStore uses an OS directory and files as a backend.
type LocalStore struct {
	// StorePath is the root directory of the file-backed store.
	// Serialized without omitempty, so it always appears in JSON output.
	StorePath string `json:"storePath"`
}

LocalStore uses an OS directory and files as a backend.

type Query

// Query defines how to match string-value data.
type Query struct {
	// Regexp is a regular expression pattern; values are matched with
	// regexp matching.
	Regexp string `json:"regexp,omitempty"`
}

Query defines how to match string-value data.

type SecretQuery

// SecretQuery defines how to query a SecretStore to obtain SecretRef(s).
//
// TODO: Add support for version.
// TODO: Add support for map field selector.
// TODO: Add support for encoding.
type SecretQuery struct {
	// Path is a root path under which the query operations start.
	// Optional
	Path *string `json:"path,omitempty"`

	// Key finds SecretRef(s) whose key matches the query.
	// Required (the json tag still carries omitempty)
	Key Query `json:"key,omitempty"`
}

SecretQuery defines how to query a SecretStore to obtain SecretRef(s). TODO: Add support for version. TODO: Add support for map field selector. TODO: Add support for encoding.

type SecretRef

// SecretRef defines a SecretStore reference key.
//
// TODO: Add support for version.
// TODO: Add support for map field selector.
// TODO: Add support for encoding.
type SecretRef struct {
	// Key points to a specific key in the store.
	// Format "path/to/key"
	// Required
	// NOTE(review): the GetName/GetPath examples use a leading slash
	// ("/path/to/key"); confirm whether a leading slash is accepted here.
	Key string `json:"key,omitempty"`

	// Version points to a specific version of the key.
	// Optional
	Version *string `json:"version,omitempty"`
}

SecretRef defines a SecretStore reference key. TODO: Add support for version. TODO: Add support for map field selector. TODO: Add support for encoding.

func (*SecretRef) GetName

func (key *SecretRef) GetName() string

GetName returns the (domain) name pointed to by Key, e.g. GetName("/path/to/key") returns "key".

func (*SecretRef) GetPath

func (key *SecretRef) GetPath() []string

GetPath returns the path pointed to by Key, e.g. GetPath("/path/to/key") returns ["path", "to"].

type SecretSource

// SecretSource defines a named secret source. The name enables templated
// access in SyncTemplate:
//   - when using FromRef, {{ .Data.<refName> }}
//   - when using FromQuery, {{ .Data.<refQuery>.<secretKey> }}
type SecretSource struct {
	// Name is the unique name used for templating.
	// Required
	Name string `json:"name,omitempty"`

	// FromRef selects a secret from a reference.
	// Optional; if unset, FromQuery must be provided.
	FromRef *SecretRef `json:"secretRef,omitempty"`

	// FromQuery selects secret(s) from a query.
	// Optional; if unset, FromRef must be provided.
	FromQuery *SecretQuery `json:"secretQuery,omitempty"`
}

SecretSource defines a named secret source. This enables named usage in SyncTemplate, given as: a) when using FromRef, {{ .Data.<refName> }}; b) when using FromQuery, {{ .Data.<refQuery>.<secretKey> }}.

type SecretStore

// SecretStore defines methods to manage interaction with a secret store.
// Implementations are registered per backend with Register and looked up
// with GetSecretStore.
type SecretStore interface {
	// NewClient creates a new StoreClient for the provided backend.
	NewClient(ctx context.Context, backend SecretStoreSpec) (StoreClient, error)

	// Validate checks whether the provided backend spec is valid.
	Validate(backend SecretStoreSpec) error
}

SecretStore defines methods to manage interaction with secret store.

func GetSecretStore

func GetSecretStore(backend *SecretStoreSpec) (SecretStore, error)

GetSecretStore returns the SecretStore for the given SecretStoreSpec.

type SecretStoreSpec

// SecretStoreSpec defines which backend should be used for a SecretStore.
// Only one of the fields may be specified.
type SecretStoreSpec struct {
	// Vault selects the HashiCorp Vault backend.
	Vault *VaultStore `json:"vault,omitempty"`

	// Local selects the file-based backend.
	Local *LocalStore `json:"local,omitempty"`
}

SecretStoreSpec defines which backend should be used for SecretStore. Only one can be specified.

type StoreClient

// StoreClient unifies read and write ops for a specific secret backend.
// Both embedded interfaces must support concurrent calls.
type StoreClient interface {
	StoreReader
	StoreWriter
}

StoreClient unifies read and write ops for a specific secret backend.

type StoreReader

// StoreReader implements read ops for a secret backend.
// Implementations must support concurrent calls.
type StoreReader interface {
	// GetSecret returns a single secret fetched from the secret store.
	// The returned bytes are secret material; callers should avoid logging
	// or persisting them outside the intended target.
	GetSecret(ctx context.Context, key SecretRef) ([]byte, error)

	// ListSecretKeys lists all keys matching the query in the secret store.
	ListSecretKeys(ctx context.Context, query SecretQuery) ([]SecretRef, error)
}

StoreReader implements read ops for a secret backend. Must support concurrent calls.

type StoreWriter

// StoreWriter implements write ops for a secret backend.
// Implementations must support concurrent calls.
type StoreWriter interface {
	// SetSecret writes value to key in the secret store.
	SetSecret(ctx context.Context, key SecretRef, value []byte) error
}

StoreWriter implements write ops for a secret backend. Must support concurrent calls.

type SyncAction

// SyncAction defines how to fetch, transform, and sync SecretRef(s) from
// source to target. Only one of FromRef, FromQuery, or FromSources may be
// specified.
type SyncAction struct {
	// FromRef selects a secret from a reference.
	// If SyncTarget.Key is nil, it will sync under the referenced key.
	// If SyncTarget.Key is not nil, it will sync under the targeted key.
	FromRef *SecretRef `json:"secretRef,omitempty"`

	// FromQuery selects secret(s) from a query.
	// To sync one secret, SyncTarget.Key and Template must be specified.
	// To sync all secrets, SyncTarget.KeyPrefix must be specified.
	FromQuery *SecretQuery `json:"secretQuery,omitempty"`

	// FromSources selects secret(s) from multiple named sources.
	// SyncTarget.Key and Template must be specified.
	FromSources []SecretSource `json:"secretSources,omitempty"`

	// Target defines where the key(s) from the sources will be synced.
	// SyncTarget.Key means that only one secret will be synced.
	// SyncTarget.KeyPrefix means that multiple secrets will be synced.
	Target SyncTarget `json:"target,omitempty"`

	// Flatten indicates that secrets FromQuery will be synced to a single
	// SyncTarget.Key.
	Flatten *bool `json:"flatten,omitempty"`

	// Template defines how the fetched key(s) will be transformed to create a new
	// SecretRef that will be synced to target.
	// When using FromRef, {{ .Data }} is the given secret's raw value.
	// When using FromQuery and SyncTarget.Key, specific <KEY> raw values can be accessed via {{ .Data.<KEY> }}.
	// When using FromQuery and SyncTarget.KeyPrefix, {{ .Data }} is the raw value of the query iterator.
	// When using FromSources, specific <NAMED SOURCE> secret data can be accessed via {{ .Data.<NAMED SOURCE> }}.
	Template *SyncTemplate `json:"template,omitempty"`
}

SyncAction defines how to fetch, transform, and sync SecretRef(s) from source to target. Only one of FromRef, FromQuery, or FromSources can be specified.

type SyncJob

// SyncJob defines the overall source-to-target sync strategy.
//
// TODO: Add support for auditing.
type SyncJob struct {
	// AuditLogPath points to a file where all sync logs should be saved.
	// Defaults to DefaultSyncJobAuditLogPath, which lives under the OS
	// temporary directory; set an explicit, permission-controlled path when
	// the audit trail matters.
	// Optional
	AuditLogPath string `json:"auditLogPath,omitempty"`

	// Schedule configures when synchronization runs.
	// The schedule is in Cron format, see https://en.wikipedia.org/wiki/Cron
	// Defaults to @hourly
	// Optional
	Schedule string `json:"schedule,omitempty"`

	// Sync specifies the strategy for the secrets sync.
	// Required
	Sync []SyncAction `json:"sync,omitempty"`
}

SyncJob defines the overall source-to-target sync strategy. TODO: Add support for auditing.

func (*SyncJob) GetAuditLogPath

func (spec *SyncJob) GetAuditLogPath() string

func (*SyncJob) GetSchedule

func (spec *SyncJob) GetSchedule() *string

type SyncTarget

// SyncTarget defines where the secret(s) will be synced to.
// Key and KeyPrefix select between single- and multi-secret sync.
type SyncTarget struct {
	// Key indicates that a single SecretRef will be synced to target.
	Key *string `json:"key,omitempty"`

	// KeyPrefix indicates that multiple SecretRefs will be synced to target.
	KeyPrefix *string `json:"keyPrefix,omitempty"`
}

SyncTarget defines where the secret(s) will be synced to.

type SyncTemplate

// SyncTemplate defines how to obtain a SecretRef using a template.
// Exactly one of RawData or Data is expected to be set.
type SyncTemplate struct {
	// RawData defines the resulting secret (raw) value. Supports templating.
	// Optional; if unset, Data must be provided.
	RawData *string `json:"rawData,omitempty"`

	// Data defines the resulting secret (map) value. Supports templating.
	// Optional; if unset, RawData must be provided.
	Data map[string]string `json:"data,omitempty"`
}

SyncTemplate defines how to obtain a SecretRef using a template.

type VaultStore

// VaultStore uses HashiCorp Vault as a backend.
//
// Token holds a credential and is serialized under "token" without omitempty,
// so any marshaled or logged SecretStoreSpec carries it; prefer supplying the
// token via TokenPath and keep specs out of logs.
type VaultStore struct {
	// Address is the Vault server address.
	Address   string `json:"address"`
	// StorePath is the path within Vault used for the store.
	StorePath string `json:"storePath"`
	// Role is the role used for authentication — presumably a Vault auth
	// role; confirm against the backend implementation.
	Role      string `json:"role"`
	// AuthPath is the Vault auth path — presumably the mount path of the
	// auth method; confirm against the backend implementation.
	AuthPath  string `json:"authPath"`
	// TokenPath presumably names a file from which a token is read;
	// confirm against the backend implementation.
	TokenPath string `json:"tokenPath"`
	// Token is a static Vault token. Treat as a secret.
	Token     string `json:"token"`
}

VaultStore uses HashiCorp Vault as a backend.
