Index ¶
- Variables
- func GetSecret(name string, storage map[string]SecretStorage) (string, error)
- func GetSecretRaw(name string, storage map[string]SecretStorage) ([]byte, error)
- func Seal(key *SymmetricKey, plain []byte) ([]byte, error)
- func SealRaw(key *SymmetricKey, plain []byte) ([]byte, error)
- func SetSecret(name, value string, storage map[string]SecretStorage) error
- func Unseal(key *SymmetricKey, encoded []byte) ([]byte, error)
- func UnsealRaw(key *SymmetricKey, encrypted []byte) ([]byte, error)
- type AWSConfig
- type AWSKMSConfig
- type AWSKMSSecretProvider
- type AWSSSM
- type AWSSSMConfig
- type AWSSecretsManager
- type AWSSecretsManagerConfig
- type EnvSecretProvider
- type FileConfig
- type FileSecretProvider
- type GenericConfig
- type KubernetesConfig
- type KubernetesSecretProvider
- type NativeSecretProvider
- type PlainSecretProvider
- type SecretStorage
- type SymmetricKey
- type SymmetricKeyProvider
- type VaultConfig
- type VaultSecretProvider
- func (v *VaultSecretProvider) DecryptDataKey(rootKeyID string, keyData []byte) (*SymmetricKey, error)
- func (v *VaultSecretProvider) GenerateDataKey(rootKeyID string) (*SymmetricKey, error)
- func (v *VaultSecretProvider) GetSecret(name string) ([]byte, error)
- func (v *VaultSecretProvider) RemoteDecrypt(keyID string, encrypted []byte) (plain []byte, err error)
- func (v *VaultSecretProvider) RemoteEncrypt(keyID string, plain []byte) (encrypted []byte, err error)
- func (v *VaultSecretProvider) SetSecret(name string, secret []byte) error
Constants ¶
This section is empty.
Variables ¶
var AlgorithmAESGCM = "aesgcm"
var DefaultVaultAlgorithm = "aes256-gcm96"
var ErrNotFound = fmt.Errorf("secret not found")
var ErrNotImplemented = errors.New("not implemented")
var SecretStorageProviderKinds = []string{
"vault",
"awsssm",
"awssecretsmanager",
"kubernetes",
"env",
"file",
"plaintext",
}
var SymmetricKeyProviderKinds = []string{
"vault",
"awskms",
"native",
}
Functions ¶
func GetSecret ¶ added in v0.5.8
func GetSecret(name string, storage map[string]SecretStorage) (string, error)
GetSecret implements the secret definition scheme for Infra, e.g. plaintext:pass123 or kubernetes:infra-okta/clientSecret. It is an abstraction over all secret providers.
func GetSecretRaw ¶ added in v0.5.8
func GetSecretRaw(name string, storage map[string]SecretStorage) ([]byte, error)
func Seal ¶
func Seal(key *SymmetricKey, plain []byte) ([]byte, error)
Seal encrypts plaintext with a decrypted data key and returns the encrypted result base64-encoded.
func SealRaw ¶ added in v0.5.0
func SealRaw(key *SymmetricKey, plain []byte) ([]byte, error)
SealRaw encrypts plaintext with a decrypted data key and returns the encrypted result in raw binary form.
func SetSecret ¶ added in v0.5.8
func SetSecret(name, value string, storage map[string]SecretStorage) error
Types ¶
type AWSKMSConfig ¶ added in v0.4.0
func NewAWSKMSConfig ¶ added in v0.4.0
func NewAWSKMSConfig() AWSKMSConfig
type AWSKMSSecretProvider ¶
type AWSKMSSecretProvider struct { AWSKMSConfig // contains filtered or unexported fields }
func NewAWSKMSSecretProvider ¶
func NewAWSKMSSecretProvider(kmssvc kmsiface.KMSAPI) (*AWSKMSSecretProvider, error)
func NewAWSKMSSecretProviderFromConfig ¶ added in v0.4.0
func NewAWSKMSSecretProviderFromConfig(cfg AWSKMSConfig) (*AWSKMSSecretProvider, error)
func (*AWSKMSSecretProvider) DecryptDataKey ¶
func (k *AWSKMSSecretProvider) DecryptDataKey(rootKeyID string, keyData []byte) (*SymmetricKey, error)
func (*AWSKMSSecretProvider) GenerateDataKey ¶
func (k *AWSKMSSecretProvider) GenerateDataKey(rootKeyID string) (*SymmetricKey, error)
type AWSSSM ¶ added in v0.4.0
type AWSSSM struct { AWSSSMConfig // contains filtered or unexported fields }
AWSSSM is the AWS Systems Manager Parameter Store (SSM Parameter Store) provider.
func NewAWSSSMSecretProviderFromConfig ¶ added in v0.4.0
func NewAWSSSMSecretProviderFromConfig(cfg AWSSSMConfig) (*AWSSSM, error)
func (*AWSSSM) GetSecret ¶ added in v0.4.0
GetSecret requires the secretsmanager:GetSecretValue permission. kms:Decrypt is additionally required only if a customer-managed AWS KMS key is used to encrypt the secret.
type AWSSSMConfig ¶ added in v0.4.0
type AWSSecretsManager ¶ added in v0.3.5
type AWSSecretsManager struct { AWSSecretsManagerConfig // contains filtered or unexported fields }
func NewAWSSecretsManager ¶ added in v0.3.5
func NewAWSSecretsManager(client *secretsmanager.SecretsManager) *AWSSecretsManager
func NewAWSSecretsManagerFromConfig ¶ added in v0.4.0
func NewAWSSecretsManagerFromConfig(cfg AWSSecretsManagerConfig) (*AWSSecretsManager, error)
func (*AWSSecretsManager) GetSecret ¶ added in v0.3.5
func (s *AWSSecretsManager) GetSecret(name string) (secret []byte, err error)
GetSecret requires the secretsmanager:GetSecretValue permission. kms:Decrypt is additionally required only if a customer-managed AWS KMS key is used to encrypt the secret.
func (*AWSSecretsManager) SetSecret ¶ added in v0.3.5
func (s *AWSSecretsManager) SetSecret(name string, secret []byte) error
SetSecret requires the secretsmanager:CreateSecret permission. If tags are used, it also requires secretsmanager:TagResource. If KMS customer-managed keys are used, it also requires kms:GenerateDataKey and kms:Decrypt.
type AWSSecretsManagerConfig ¶ added in v0.4.0
type EnvSecretProvider ¶ added in v0.4.0
type EnvSecretProvider struct {
GenericConfig
}
func NewEnvSecretProviderFromConfig ¶ added in v0.4.0
func NewEnvSecretProviderFromConfig(cfg GenericConfig) *EnvSecretProvider
type FileConfig ¶ added in v0.4.0
type FileConfig struct { GenericConfig Path string `yaml:"path" validate:"required"` }
type FileSecretProvider ¶ added in v0.4.0
type FileSecretProvider struct {
FileConfig
}
func NewFileSecretProviderFromConfig ¶ added in v0.4.0
func NewFileSecretProviderFromConfig(cfg FileConfig) *FileSecretProvider
type GenericConfig ¶ added in v0.4.0
type KubernetesConfig ¶ added in v0.4.0
type KubernetesConfig struct {
Namespace string `yaml:"namespace"`
}
func NewKubernetesConfig ¶ added in v0.4.3
func NewKubernetesConfig() KubernetesConfig
type KubernetesSecretProvider ¶
type KubernetesSecretProvider struct { KubernetesConfig // contains filtered or unexported fields }
func NewKubernetesSecretProvider ¶
func NewKubernetesSecretProvider(client *kubernetes.Clientset, namespace string) *KubernetesSecretProvider
func NewKubernetesSecretProviderFromConfig ¶ added in v0.4.0
func NewKubernetesSecretProviderFromConfig(cfg KubernetesConfig) (*KubernetesSecretProvider, error)
type NativeSecretProvider ¶ added in v0.5.0
type NativeSecretProvider struct {
SecretStorage SecretStorage
}
func NewNativeSecretProvider ¶ added in v0.5.0
func NewNativeSecretProvider(storage SecretStorage) *NativeSecretProvider
func (*NativeSecretProvider) DecryptDataKey ¶ added in v0.5.0
func (n *NativeSecretProvider) DecryptDataKey(rootKeyID string, keyData []byte) (*SymmetricKey, error)
func (*NativeSecretProvider) GenerateDataKey ¶ added in v0.5.0
func (n *NativeSecretProvider) GenerateDataKey(rootKeyID string) (*SymmetricKey, error)
type PlainSecretProvider ¶ added in v0.4.0
type PlainSecretProvider struct {
GenericConfig
}
func NewPlainSecretProviderFromConfig ¶ added in v0.4.0
func NewPlainSecretProviderFromConfig(cfg GenericConfig) *PlainSecretProvider
type SecretStorage ¶
type SecretStorage interface { // Use secrets when you don't want to store the underlying data, eg secret tokens SetSecret(name string, secret []byte) error GetSecret(name string) (secret []byte, err error) }
SecretStorage is implemented by a provider that offers a mechanism for storing arbitrary secrets.
type SymmetricKey ¶
type SymmetricKey struct { Encrypted []byte `json:"key"` // the encrypted data key. To be stored by caller. Algorithm string `json:"alg"` // Algorithm key used for encryption. To be stored by caller. RootKeyID string `json:"rkid"` // ID of the root key used to encrypt the data key on the provider. To be stored by caller. // contains filtered or unexported fields }
type SymmetricKeyProvider ¶ added in v0.5.0
type SymmetricKeyProvider interface { // GenerateDataKey makes a data key from a root key id: if "", a root key is created. It is okay to generate many data keys. GenerateDataKey(rootKeyID string) (*SymmetricKey, error) // DecryptDataKey decrypts the encrypted data key on the provider given a root key id DecryptDataKey(rootKeyID string, keyData []byte) (*SymmetricKey, error) }
SymmetricKeyProvider is implemented by a provider that offers encryption-as-a-service. Its use is opinionated about the provider in the following ways:
- a root key is created or referenced and never leaves the provider;
- the root key is used to encrypt a "data key";
- the data key is given to the client (us) for encrypting data;
- the client shall store only the encrypted data key;
- the client shall remove the plaintext data key from memory as soon as it is no longer needed;
- the client will ask the provider to decrypt the data key if it is needed again later.
In this way the encryption-as-a-service provider scales to unlimited data sizes without the data ever being transferred to the remote service for symmetric encryption/decryption. To rotate root keys, generate new ones periodically and re-encrypt the data you touch with the new root key; this can be done all at once or gradually over time. An old root key is out of circulation once no data points to it.
type VaultConfig ¶ added in v0.4.0
type VaultConfig struct { TransitMount string `yaml:"transitMount"` // mounting point. defaults to /transit SecretMount string `yaml:"secretMount"` // mounting point. defaults to /secret Token string `yaml:"token" validate:"required"` // vault token... should authenticate as machine to vault instead? Namespace string `yaml:"namespace"` Address string `yaml:"address" validate:"required"` }
func NewVaultConfig ¶ added in v0.4.0
func NewVaultConfig() VaultConfig
type VaultSecretProvider ¶
type VaultSecretProvider struct { VaultConfig // contains filtered or unexported fields }
func NewVaultSecretProvider ¶
func NewVaultSecretProvider(address, token, namespace string) (*VaultSecretProvider, error)
func NewVaultSecretProviderFromConfig ¶ added in v0.4.0
func NewVaultSecretProviderFromConfig(cfg VaultConfig) (*VaultSecretProvider, error)
func (*VaultSecretProvider) DecryptDataKey ¶
func (v *VaultSecretProvider) DecryptDataKey(rootKeyID string, keyData []byte) (*SymmetricKey, error)
func (*VaultSecretProvider) GenerateDataKey ¶
func (v *VaultSecretProvider) GenerateDataKey(rootKeyID string) (*SymmetricKey, error)
func (*VaultSecretProvider) GetSecret ¶
func (v *VaultSecretProvider) GetSecret(name string) ([]byte, error)
func (*VaultSecretProvider) RemoteDecrypt ¶
func (v *VaultSecretProvider) RemoteDecrypt(keyID string, encrypted []byte) (plain []byte, err error)
func (*VaultSecretProvider) RemoteEncrypt ¶
func (v *VaultSecretProvider) RemoteEncrypt(keyID string, plain []byte) (encrypted []byte, err error)