Documentation
Index
- Variables
- func Register(store SecretStore, backend *SecretStoreSpec)
- type LocalStore
- type Query
- type SecretQuery
- type SecretRef
- type SecretSource
- type SecretStore
- type SecretStoreSpec
- type StoreClient
- type StoreReader
- type StoreWriter
- type SyncAction
- type SyncPlan
- type SyncTarget
- type SyncTemplate
- type VaultStore
Constants
This section is empty.
Variables
var DefaultSyncJobAuditLogPath = filepath.Join(os.TempDir(), "sync-audit.log")
var ErrKeyNotFound = errors.New("secret key not found")
Functions
func Register
func Register(store SecretStore, backend *SecretStoreSpec)
Register registers a SecretStore for a given backend. Panics if the given backend is already registered.
Types
type LocalStore
type LocalStore struct {
StorePath string `json:"storePath"`
}
LocalStore uses a directory on the local filesystem (StorePath) and the files beneath it as a backend.
type Query
type Query struct {
	// Uses regexp matching
	Regexp string `json:"regexp,omitempty"`
}
Query defines how to match string-value data.
type SecretQuery
type SecretQuery struct {
	// A root path to start the query operations.
	// Optional
	Path *string `json:"path,omitempty"`

	// Finds SecretRef based on key query.
	// Required
	Key Query `json:"key,omitempty"`
}
SecretQuery defines how to query a SecretStore to obtain SecretRef(s).
TODO: Add support for version
TODO: Add support for map field selector
TODO: Add support for encoding
type SecretRef
type SecretRef struct {
	// Key points to a specific key in store.
	// Format "path/to/key"
	// Required
	Key string `json:"key,omitempty"`

	// Version points to specific key version.
	// Optional
	Version *string `json:"version,omitempty"`
}
SecretRef defines a SecretStore reference key.
TODO: Add support for version
TODO: Add support for map field selector
TODO: Add support for encoding
type SecretSource
type SecretSource struct {
	// Used to define unique name for templating.
	// Required
	Name string `json:"name,omitempty"`

	// FromRef selects a secret from a reference.
	// Optional; if omitted, FromQuery must be provided
	FromRef *SecretRef `json:"secretRef,omitempty"`

	// FromQuery selects secret(s) from a query.
	// Optional; if omitted, FromRef must be provided
	FromQuery *SecretQuery `json:"secretQuery,omitempty"`
}
SecretSource defines a named secret source. The name enables access from a SyncTemplate as:
a) when using FromRef: {{ .Data.<refName> }}
b) when using FromQuery: {{ .Data.<refQuery>.<secretKey> }}
type SecretStore
type SecretStore interface {
	// NewClient creates a new secret StoreClient for provided backend.
	NewClient(ctx context.Context, backend SecretStoreSpec) (StoreClient, error)

	// Validate checks if the provided backend is valid.
	Validate(backend SecretStoreSpec) error
}
SecretStore defines methods to manage interaction with a secret store.
func GetSecretStore
func GetSecretStore(backend *SecretStoreSpec) (SecretStore, error)
GetSecretStore returns the SecretStore for the given SecretStoreSpec.
type SecretStoreSpec
type SecretStoreSpec struct {
	Vault *VaultStore `json:"vault,omitempty"`
	Local *LocalStore `json:"local,omitempty"`
}
SecretStoreSpec defines which backend should be used for a SecretStore. Only one can be specified.
type StoreClient
type StoreClient interface {
	StoreReader
	StoreWriter
}
StoreClient unifies read and write ops for a specific secret backend.
type StoreReader
type StoreReader interface {
	// GetSecret returns a single secret fetched from secret store.
	GetSecret(ctx context.Context, key SecretRef) ([]byte, error)

	// ListSecretKeys lists all keys matching the query from secret store.
	ListSecretKeys(ctx context.Context, query SecretQuery) ([]SecretRef, error)
}
StoreReader implements read ops for a secret backend. Must support concurrent calls.
type StoreWriter
type StoreWriter interface {
	// SetSecret writes data to a key in a secret store.
	SetSecret(ctx context.Context, key SecretRef, value []byte) error
}
StoreWriter implements write ops for a secret backend. Must support concurrent calls.
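The following is an added example of what a backend has to provide to satisfy StoreReader and StoreWriter; it is not code from the project. MemoryClient is a hypothetical in-memory backend (the project ships Vault and Local backends, not this one), the interfaces and types are redeclared from this page so the file compiles on its own, and the query semantics (Key.Regexp matched against the key relative to the optional Path root) are an assumption about how ListSecretKeys should interpret a SecretQuery. The RWMutex and the defensive copies are what make the "must support concurrent calls" requirement hold.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"path"
	"regexp"
	"sort"
	"strings"
	"sync"
)

// Mirrored from the package documentation so this example is self-contained.
var ErrKeyNotFound = errors.New("secret key not found")

type Query struct {
	Regexp string `json:"regexp,omitempty"`
}
type SecretQuery struct {
	Path *string `json:"path,omitempty"`
	Key  Query   `json:"key,omitempty"`
}
type SecretRef struct {
	Key string `json:"key,omitempty"`
}
type StoreReader interface {
	GetSecret(ctx context.Context, key SecretRef) ([]byte, error)
	ListSecretKeys(ctx context.Context, query SecretQuery) ([]SecretRef, error)
}
type StoreWriter interface {
	SetSecret(ctx context.Context, key SecretRef, value []byte) error
}
type StoreClient interface {
	StoreReader
	StoreWriter
}

// MemoryClient is a hypothetical in-memory StoreClient, not a backend the
// project ships. The RWMutex is what satisfies the "must support concurrent
// calls" contract: many readers in parallel, writers exclusive.
type MemoryClient struct {
	mu   sync.RWMutex
	data map[string][]byte
}

var _ StoreClient = (*MemoryClient)(nil) // compile-time interface check

func NewMemoryClient() *MemoryClient {
	return &MemoryClient{data: make(map[string][]byte)}
}

// normKey canonicalises "path/to/key" so that "/a//b/" and "a/b" hit the same entry.
func normKey(k string) string {
	return strings.Trim(path.Clean("/"+k), "/")
}

// ctx is accepted for interface compatibility; an in-memory map never blocks.
func (m *MemoryClient) GetSecret(ctx context.Context, key SecretRef) ([]byte, error) {
	m.mu.RLock()
	defer m.mu.RUnlock()
	v, ok := m.data[normKey(key.Key)]
	if !ok {
		return nil, ErrKeyNotFound
	}
	return append([]byte(nil), v...), nil // copy, so callers cannot mutate stored bytes
}

func (m *MemoryClient) SetSecret(ctx context.Context, key SecretRef, value []byte) error {
	m.mu.Lock()
	defer m.mu.Unlock()
	m.data[normKey(key.Key)] = append([]byte(nil), value...)
	return nil
}

// ListSecretKeys: Path (optional) narrows the search to keys under that root;
// Key.Regexp is matched against the key relative to the root (assumed semantics).
func (m *MemoryClient) ListSecretKeys(ctx context.Context, query SecretQuery) ([]SecretRef, error) {
	re, err := regexp.Compile(query.Key.Regexp) // "" compiles and matches every key
	if err != nil {
		return nil, fmt.Errorf("invalid key regexp: %w", err)
	}
	root := ""
	if query.Path != nil {
		if p := normKey(*query.Path); p != "" {
			root = p + "/"
		}
	}
	m.mu.RLock()
	defer m.mu.RUnlock()
	var refs []SecretRef
	for k := range m.data {
		if strings.HasPrefix(k, root) && re.MatchString(strings.TrimPrefix(k, root)) {
			refs = append(refs, SecretRef{Key: k})
		}
	}
	sort.Slice(refs, func(i, j int) bool { return refs[i].Key < refs[j].Key }) // deterministic order
	return refs, nil
}
```

Returning copies from GetSecret matters more than it looks: a caller that zeroes or templates over the returned slice must not be able to corrupt what the next concurrent reader sees.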
type SyncAction
type SyncAction struct {
	// FromRef selects a secret from a reference.
	// If SyncTarget.Key is nil, it will sync under referenced key.
	// If SyncTarget.Key is not-nil, it will sync under targeted key.
	FromRef *SecretRef `json:"secretRef,omitempty"`

	// FromQuery selects secret(s) from a query.
	// To sync one secret, SyncTarget.Key and Template must be specified.
	// To sync all secrets, SyncTarget.KeyPrefix must be specified.
	FromQuery *SecretQuery `json:"secretQuery,omitempty"`

	// FromSources selects secret(s) from multiple sources.
	// SyncTarget.Key and Template must be specified.
	FromSources []SecretSource `json:"secretSources,omitempty"`

	// Target defines where the key(s) from sources will be synced on target.
	// SyncTarget.Key means that only one secret will be synced.
	// SyncTarget.KeyPrefix means that multiple secrets will be synced.
	Target SyncTarget `json:"target,omitempty"`

	// Flatten indicates secrets FromQuery will be synced to a single SyncTarget.Key.
	Flatten *bool `json:"flatten,omitempty"`

	// Template defines how the fetched key(s) will be transformed to create a new
	// SecretRef that will be synced to target.
	// When using FromRef, {{ .Data }} defines the given secret's raw value.
	// When using FromQuery and SyncTarget.Key, specific <KEY> raw values can be accessed via {{ .Data.<KEY> }}.
	// When using FromQuery and SyncTarget.KeyPrefix, {{ .Data }} defines the raw value of the query iterator.
	// When using FromSources, specific <NAMED SOURCE> secret data can be accessed via {{ .Data.<NAMED SOURCE> }}.
	Template *SyncTemplate `json:"template,omitempty"`
}
SyncAction defines how to fetch, transform, and sync SecretRef(s) from source to target. Only one of FromRef, FromQuery, FromSources can be specified.
type SyncPlan (added in v0.1.4)
type SyncPlan struct {
	// Points to a file where all sync logs should be saved to.
	// Defaults to DefaultSyncJobAuditLogPath
	// Optional
	AuditLogPath string `json:"auditLogPath,omitempty"`

	// Used to specify the strategy for secrets sync.
	// Required
	SyncAction []SyncAction `json:"sync,omitempty"`
}
SyncPlan defines the overall source-to-target sync strategy.
TODO: Add support for auditing.
Note that DefaultSyncJobAuditLogPath is a fixed file name under the OS temporary directory; set AuditLogPath explicitly wherever the audit trail must persist or be access-controlled.
func (*SyncPlan) GetAuditLogPath (added in v0.1.4)
type SyncTarget
type SyncTarget struct {
	// Key indicates that a single SecretRef will be synced to target.
	Key *string `json:"key,omitempty"`

	// KeyPrefix indicates that multiple SecretRef will be synced to target.
	KeyPrefix *string `json:"keyPrefix,omitempty"`
}
SyncTarget defines where the secret(s) will be synced to.
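The SyncAction, SyncPlan and SyncTarget rules above leave several combinations that are invalid but still unmarshal cleanly. As an added example (not the project's own code), the block below declares a plan in the JSON shape the struct tags define, loads it with unknown fields rejected, and validates each action against the documented constraints. ValidateAction, LoadPlan and samplePlan are hypothetical names; the types are redeclared from this page (Version and Flatten, not exercised here, are omitted); the key paths in the sample are constructed.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Types mirror the page's definitions (Version and Flatten, unused here, are omitted).
type Query struct {
	Regexp string `json:"regexp,omitempty"`
}
type SecretQuery struct {
	Path *string `json:"path,omitempty"`
	Key  Query   `json:"key,omitempty"`
}
type SecretRef struct {
	Key string `json:"key,omitempty"`
}
type SecretSource struct {
	Name      string       `json:"name,omitempty"`
	FromRef   *SecretRef   `json:"secretRef,omitempty"`
	FromQuery *SecretQuery `json:"secretQuery,omitempty"`
}
type SyncTarget struct {
	Key       *string `json:"key,omitempty"`
	KeyPrefix *string `json:"keyPrefix,omitempty"`
}
type SyncTemplate struct {
	RawData *string           `json:"rawData,omitempty"`
	Data    map[string]string `json:"data,omitempty"`
}
type SyncAction struct {
	FromRef     *SecretRef     `json:"secretRef,omitempty"`
	FromQuery   *SecretQuery   `json:"secretQuery,omitempty"`
	FromSources []SecretSource `json:"secretSources,omitempty"`
	Target      SyncTarget     `json:"target,omitempty"`
	Template    *SyncTemplate  `json:"template,omitempty"`
}
type SyncPlan struct {
	AuditLogPath string       `json:"auditLogPath,omitempty"`
	SyncAction   []SyncAction `json:"sync,omitempty"`
}
// ValidateAction (hypothetical helper) enforces the rules in the SyncAction doc comments.
func ValidateAction(a SyncAction) error {
	kinds := 0
	for _, set := range []bool{a.FromRef != nil, a.FromQuery != nil, len(a.FromSources) > 0} {
		if set {
			kinds++
		}
	}
	if kinds != 1 {
		return errors.New("exactly one of secretRef, secretQuery, secretSources must be set")
	}
	if a.Target.Key != nil && a.Target.KeyPrefix != nil {
		return errors.New("target.key and target.keyPrefix are mutually exclusive")
	}
	hasTpl := a.Template != nil && (a.Template.RawData != nil || len(a.Template.Data) > 0)
	keyWithTpl := a.Target.Key != nil && hasTpl
	if a.FromQuery != nil && a.Target.KeyPrefix == nil && !keyWithTpl {
		return errors.New("secretQuery needs target.keyPrefix, or target.key plus a template")
	}
	if len(a.FromSources) > 0 && !keyWithTpl {
		return errors.New("secretSources needs target.key and a template")
	}
	seen := map[string]bool{} // a duplicate name would silently shadow another source in {{ .Data.<name> }}
	for _, s := range a.FromSources {
		if s.Name == "" || seen[s.Name] || (s.FromRef == nil) == (s.FromQuery == nil) {
			return fmt.Errorf("source %q: needs a unique name and exactly one of secretRef, secretQuery", s.Name)
		}
		seen[s.Name] = true
	}
	return nil
}
// LoadPlan parses a JSON SyncPlan; DisallowUnknownFields makes a misspelled field an error
// (encoding/json would otherwise drop it silently), then every action is validated.
func LoadPlan(raw string) (SyncPlan, error) {
	var plan SyncPlan
	dec := json.NewDecoder(strings.NewReader(raw))
	dec.DisallowUnknownFields()
	if err := dec.Decode(&plan); err != nil {
		return plan, err
	}
	for i, a := range plan.SyncAction {
		if err := ValidateAction(a); err != nil {
			return plan, fmt.Errorf("sync[%d]: %w", i, err)
		}
	}
	return plan, nil
}
// samplePlan is a constructed plan; the key paths are illustrative only.
const samplePlan = `{"auditLogPath": "/var/log/secret-sync/audit.log", "sync": [
  {"secretRef": {"key": "app/db/password"}, "target": {"key": "copied/db/password"}},
  {"secretQuery": {"path": "app/db", "key": {"regexp": ".*"}}, "target": {"keyPrefix": "copied/db/"}},
  {"secretSources": [{"name": "user", "secretRef": {"key": "app/db/username"}},
                     {"name": "pass", "secretRef": {"key": "app/db/password"}}],
   "target": {"key": "copied/db/dsn"},
   "template": {"rawData": "postgres://{{ .Data.user }}:{{ .Data.pass }}@db:5432/app"}}]}`
```

The three actions in samplePlan exercise the three source kinds: a bare secretRef (synced under its own key if target.key were omitted), a secretQuery fanned out under a keyPrefix, and two named sources combined into one secret through a template. Rejecting unknown fields is worth the strictness for a file that decides which secrets get copied where.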
type SyncTemplate
type SyncTemplate struct {
	// Used to define the resulting secret (raw) value. Supports templating.
	// Optional; if omitted, Data must be provided
	RawData *string `json:"rawData,omitempty"`

	// Used to define the resulting secret (map) value. Supports templating.
	// Optional; if omitted, RawData must be provided
	Data map[string]string `json:"data,omitempty"`
}
SyncTemplate defines how to obtain the SecretRef value to write using a template. Exactly one of RawData or Data should be set.
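An added example (not the project's renderer) of how a SyncTemplate turns fetched data into the value that is written, covering the {{ .Data }} forms listed under SyncAction: a raw string for FromRef, a map keyed by <KEY> or <NAMED SOURCE> otherwise. Render is a hypothetical helper; that the project evaluates templates with Go's text/template is an assumption based on the {{ ... }} syntax shown on this page. The inputs in main are constructed.

```go
package main

import (
	"bytes"
	"fmt"
	"text/template"
)

// SyncTemplate mirrors the type documented on this page.
type SyncTemplate struct {
	RawData *string           `json:"rawData,omitempty"`
	Data    map[string]string `json:"data,omitempty"`
}

// Render is a hypothetical helper. It evaluates a SyncTemplate with
// text/template, exposing the fetched data as {{ .Data }}: a string for
// FromRef, or a map keyed by <KEY> / <NAMED SOURCE> for FromQuery with
// SyncTarget.Key and for FromSources. missingkey=error makes a misspelled key
// fail the sync instead of silently writing a secret with an empty field.
func Render(t SyncTemplate, data any) (raw string, fields map[string]string, err error) {
	exec := func(src string) (string, error) {
		tpl, err := template.New("sync").Option("missingkey=error").Parse(src)
		if err != nil {
			return "", err
		}
		var buf bytes.Buffer
		err = tpl.Execute(&buf, map[string]any{"Data": data})
		return buf.String(), err
	}
	if t.RawData != nil {
		raw, err = exec(*t.RawData)
		return raw, nil, err
	}
	fields = make(map[string]string, len(t.Data))
	for k, v := range t.Data {
		if fields[k], err = exec(v); err != nil {
			return "", nil, err
		}
	}
	return "", fields, nil
}

func main() {
	// Constructed inputs: what FromSources named "user" and "pass" would have fetched.
	fetched := map[string]string{"user": "admin", "pass": "s3cr3t"}
	dsn := "postgres://{{ .Data.user }}:{{ .Data.pass }}@db:5432/app"
	raw, _, err := Render(SyncTemplate{RawData: &dsn}, fetched)
	fmt.Println(raw, err)

	// A typo in the template ("pasword") is reported, not rendered as "".
	bad := "{{ .Data.user }}:{{ .Data.pasword }}"
	_, _, err = Render(SyncTemplate{RawData: &bad}, fetched)
	fmt.Println(err)
}
```

Without missingkey=error, text/template renders an absent map key as an empty string, so a typo in a source name would quietly produce a credential with a blank password rather than a failed sync.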