secrets

Documentation

Index

• type Client
  • func NewClient(ctx context.Context, config Config) (Client, error)
• type Config
• type Required
  • func ReduceRequired(required ...Required) Required
• type Secret

Types

type Client

type Client interface {
	Decrypt(secret Secret) ([]byte, error)
	Encrypt(secret []byte) (*Secret, error)
	Secret(domain, kind string) ([]byte, error)
	SecretFromFile(pathToFile string) (*Secret, error)
	DownloadAndDecryptAndCache(ctx context.Context, bucket, dir string, required Required) error
}

Client interface for secrets

func NewClient

func NewClient(ctx context.Context, config Config) (Client, error)

NewClient returns an implementation of the client interface that allows secret management

type Config

type Config struct {
	Env             string
	GcpProjectId    string
	CloudkmsKeyRing string
	CloudkmsKey     string
}

type Required

type Required map[string][]string

Required secrets map, where the key is the domain of the secret and the values are the types of secrets

This should map to the naming scheme of the encrypted secret file, e.g.:

• Secret file naming should be "secret_domain-secret_type-cloudkms_env.json"
• If a required secret is from some api, it is a key, the domain is "some_api" and the type "key"
• If the file was encrypted using cloudkms in a "dev" env, the file name is "some_api-key-cloudkms_dev.json"

func ReduceRequired

func ReduceRequired(required ...Required) Required

ReduceRequired secrets into one set

type Secret

type Secret struct {
	Name       string `json:"name,omitempty"`
	Ciphertext string `json:"ciphertext,omitempty"`
}

Secret data model, a subset of properties of a cloudkms secret