secrets

package
v1.13.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Sep 12, 2022 License: Apache-2.0 Imports: 15 Imported by: 6

Documentation

Overview

Package secrets defines a minimum abstract interface for a secret manager. Allows for a different implementation to be bound within the ServeEnv.

Although exported, this package is non intended for general consumption. It is a shared dependency between multiple exposure notifications projects. We cannot guarantee that there won't be breaking changes in the future.

Index

Constants

View Source
const (
	// SecretPrefix is the prefix, that if the value of an env var starts with
	// will be resolved through the configured secret store.
	SecretPrefix = "secret://"

	// FileSuffix is the suffix to use, if this secret path should be written to a file.
	// only interpreted on environment variable values that start w/ secret://.
	FileSuffix = "?target=file"
)

Variables

This section is empty.

Functions

func RegisterManager added in v0.22.0

func RegisterManager(name string, fn SecretManagerFunc)

RegisterManager registers a new secret manager with the given name. If a manager is already registered with the given name, it panics. Managers are usually registered via an init function.

func RegisteredManagers added in v0.22.0

func RegisteredManagers() []string

RegisteredManagers returns the list of the names of the registered secret managers.

func Resolver

func Resolver(sm SecretManager, config *Config) envconfig.MutatorFunc

Resolver returns a function that fetches secrets from the secret manager. If the provided secret manager is nil, the function is nil, Otherwise, it looks for values prefixed with secret:// and resolves them as secrets. For slice functions, values separated by commas are processed as individual secrets.

Types

type Cacher

type Cacher struct {
	// contains filtered or unexported fields
}

Cacher is a secret manager implementation that wraps another secret manager and caches secret values.

func (*Cacher) GetSecretValue

func (sm *Cacher) GetSecretValue(ctx context.Context, name string) (string, error)

GetSecretValue implements the SecretManager interface, but caches values and retrieves them from the cache.

type Config

type Config struct {
	Type            string        `env:"SECRET_MANAGER, default=IN_MEMORY"`
	SecretsDir      string        `env:"SECRETS_DIR, default=/var/run/secrets"`
	SecretCacheTTL  time.Duration `env:"SECRET_CACHE_TTL, default=5m"`
	SecretExpansion bool          `env:"SECRET_EXPANSION, default=false"`

	// FilesystemRoot is the root path where secrets are managed on the filesystem.
	FilesystemRoot string `env:"SECRET_FILESYSTEM_ROOT"`
}

Config represents the config for a secret manager.

type Filesystem added in v0.26.0

type Filesystem struct {
	// contains filtered or unexported fields
}

Filesystem is a local filesystem based secret manager, primarily used for local development and testing.

func (*Filesystem) CreateSecretVersion added in v0.26.0

func (sm *Filesystem) CreateSecretVersion(ctx context.Context, parent string, data []byte) (string, error)

CreateSecretVersion creates a new secret version on the given parent with the provided data. It returns a reference to the created version.

func (*Filesystem) DestroySecretVersion added in v0.26.0

func (sm *Filesystem) DestroySecretVersion(ctx context.Context, name string) error

DestroySecretVersion destroys the secret version with the given name. If the version does not exist, no action is taken.

func (*Filesystem) GetSecretValue added in v0.26.0

func (sm *Filesystem) GetSecretValue(ctx context.Context, name string) (string, error)

GetSecretValue returns the secret if it exists, otherwise an error.

type InMemory

type InMemory struct {
	// contains filtered or unexported fields
}

InMemory is an in-memory secret manager, primarily used for testing.

func (*InMemory) CreateSecretVersion added in v0.26.0

func (sm *InMemory) CreateSecretVersion(ctx context.Context, parent string, data []byte) (string, error)

CreateSecretVersion creates a new secret version on the given parent with the provided data. It returns a reference to the created version.

func (*InMemory) DestroySecretVersion added in v0.26.0

func (sm *InMemory) DestroySecretVersion(ctx context.Context, k string) error

DestroySecretVersion destroys the secret version with the given name. If the version does not exist, no action is taken.

func (*InMemory) GetSecretValue

func (sm *InMemory) GetSecretValue(_ context.Context, k string) (string, error)

GetSecretValue returns the secret if it exists, otherwise an error.

type JSONExpander

type JSONExpander struct {
	// contains filtered or unexported fields
}

func (*JSONExpander) GetSecretValue

func (sm *JSONExpander) GetSecretValue(ctx context.Context, name string) (string, error)

GetSecretValue implements the SecretManager interface, but allows for json-expansion of the secret-value. If the secret name contains a period, the secret value is expected to be json. The secret name is assumed to come before the period, while the map-key is expected to follow.

For example: If a secret with a name of "psqlcreds" has a value of `{"username":"gandalf", "password":"abc"}` When GetSecretValue(ctx, "psqlcreds") is called, the raw json value will be returned. When GetSecretValue(ctx, "psql.username") is called, only "gandalf" (without quotes) will be returned.

type SecretManager

type SecretManager interface {
	GetSecretValue(ctx context.Context, name string) (string, error)
}

SecretManager defines the minimum shared functionality for a secret manager used by this application.

func NewFilesystem added in v0.26.0

func NewFilesystem(ctx context.Context, cfg *Config) (SecretManager, error)

NewFilesystem creates a new filesystem-based secret manager.

func NewInMemory

func NewInMemory(ctx context.Context, _ *Config) (SecretManager, error)

NewInMemory creates a new in-memory secret manager.

func NewInMemoryFromMap

func NewInMemoryFromMap(ctx context.Context, m map[string]string) (SecretManager, error)

NewInMemoryFromMap creates a new in-memory secret manager from the map.

func SecretManagerFor

func SecretManagerFor(ctx context.Context, cfg *Config) (SecretManager, error)

SecretManagerFor returns the secret manager with the given name, or an error if one does not exist.

func WrapCacher

func WrapCacher(ctx context.Context, sm SecretManager, ttl time.Duration) (SecretManager, error)

WrapCacher wraps an existing SecretManager with caching.

func WrapJSONExpander

func WrapJSONExpander(ctx context.Context, sm SecretManager) (SecretManager, error)

WrapJSONExpander wraps an existing SecretManager with json-expansion logic.

type SecretManagerFunc

type SecretManagerFunc func(context.Context, *Config) (SecretManager, error)

SecretManagerFunc is a func that returns a secret manager or error.

type SecretVersionManager added in v0.26.0

type SecretVersionManager interface {
	SecretManager

	CreateSecretVersion(ctx context.Context, parent string, data []byte) (string, error)
	DestroySecretVersion(ctx context.Context, name string) error
}

SecretVersionManager is a secret manager that can manage secret versions.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL