Overview ¶
Package secrets is used for the core secrets data model.
Index ¶
- Constants
- func IsInternalSecretBackendID(backendID string) bool
- func NextBackendRotateTime(now time.Time, rotateInterval time.Duration) (*time.Time, error)
- type AccessInfo
- type Accessor
- type AccessorKind
- type Filter
- type Owner
- type OwnerKind
- type RotatePolicy
- type SecretBackend
- type SecretConfig
- type SecretConsumerMetadata
- type SecretData
- type SecretExternalRevision
- type SecretMetadata
- type SecretMetadataForDrain
- type SecretOwnerMetadata
- type SecretRevisionInfo
- type SecretRevisionMetadata
- type SecretRevisionRef
- type SecretRole
- type SecretValue
- type URI
- type ValueRef
Constants ¶
// Access roles that may be granted on a secret. RoleNone is the zero value
// (the empty string); see SecretRole.IsValid and SecretRole.Allowed.
const (
	RoleNone   = SecretRole("")
	RoleView   = SecretRole("view")
	RoleRotate = SecretRole("rotate")
	RoleManage = SecretRole("manage")
)
// Rotation policies for a secret. RotateNever disables rotation; see
// RotatePolicy.WillRotate and RotatePolicy.NextRotateTime.
const (
	RotateNever     = RotatePolicy("never")
	RotateHourly    = RotatePolicy("hourly")
	RotateDaily     = RotatePolicy("daily")
	RotateWeekly    = RotatePolicy("weekly")
	RotateMonthly   = RotatePolicy("monthly")
	RotateQuarterly = RotatePolicy("quarterly")
	RotateYearly    = RotatePolicy("yearly")
)
const ( // RotateRetryDelay is how long to wait to re-run the rotate hook // if the secret was not updated. RotateRetryDelay = 5 * time.Minute // ExpireRetryDelay is how long to wait to re-run the expire hook // if the expired secret revision was not removed. ExpireRetryDelay = 5 * time.Minute )
const (
// SecretScheme is the URL prefix for a secret.
SecretScheme = "secret"
)
Variables ¶
This section is empty.
Functions ¶
func IsInternalSecretBackendID ¶
IsInternalSecretBackendID returns true if the supplied backend ID is the internal backend ID.
Types ¶
type AccessInfo ¶
// AccessInfo holds access information for a secret.
type AccessInfo struct {
	// Target identifies the entity the access applies to — inferred from
	// the name; confirm against callers.
	Target string
	// Scope is presumably the entity that scopes the grant — confirm
	// against callers.
	Scope string
	// Role is the access role granted; see SecretRole.
	Role SecretRole
}
AccessInfo holds access information for a secret.
type Accessor ¶
// Accessor is the accessor of a secret.
type Accessor struct {
	// Kind is the kind of accessor entity; see UnitAccessor and ModelAccessor.
	Kind AccessorKind
	// ID identifies the accessor entity.
	ID string
}
Accessor is the accessor of a secret.
type AccessorKind ¶
type AccessorKind string
AccessorKind represents the kind of a secret accessor entity.
const ( UnitAccessor AccessorKind = "unit" ModelAccessor AccessorKind = "model" )
These represent the kinds of secret accessor.
type RotatePolicy ¶
type RotatePolicy string
RotatePolicy defines a policy for how often to rotate a secret.
func (RotatePolicy) IsValid ¶
func (p RotatePolicy) IsValid() bool
IsValid returns true if p is a valid rotate policy.
func (RotatePolicy) NextRotateTime ¶
func (p RotatePolicy) NextRotateTime(lastRotated time.Time) *time.Time
NextRotateTime returns when the policy dictates a secret should next be rotated, given the last rotation time.
func (RotatePolicy) String ¶
func (p RotatePolicy) String() string
func (*RotatePolicy) WillRotate ¶
func (p *RotatePolicy) WillRotate() bool
WillRotate returns true if the policy is not RotateNever.
type SecretBackend ¶
// SecretBackend defines a secrets backend.
type SecretBackend struct {
	ID          string
	Name        string
	BackendType string
	// TokenRotateInterval, when set, is presumably how often the backend's
	// access token is rotated — confirm against the backend implementation.
	TokenRotateInterval *time.Duration
	// Config holds backend-specific configuration.
	// NOTE(review): backend configuration commonly carries credentials;
	// treat it as sensitive and keep it out of logs and error messages —
	// confirm against the backend implementations.
	Config map[string]interface{}
}
SecretBackend defines a secrets backend.
type SecretConfig ¶
// SecretConfig is used when creating a secret.
// Pointer fields appear to be optional (nil presumably means "not set") —
// confirm against Validate.
type SecretConfig struct {
	// RotatePolicy is the rotation policy requested for the secret.
	RotatePolicy *RotatePolicy
	// NextRotateTime is when the secret should next be rotated.
	NextRotateTime *time.Time
	// ExpireTime is when the secret expires.
	ExpireTime *time.Time
	Description *string
	Label       *string
	// Params holds additional creation parameters; their meaning is not
	// visible here — confirm against Validate and the callers.
	Params map[string]interface{}
}
SecretConfig is used when creating a secret.
func (*SecretConfig) Validate ¶
func (c *SecretConfig) Validate() error
Validate returns an error if params are invalid.
type SecretConsumerMetadata ¶
// SecretConsumerMetadata holds metadata about a secret for a consumer of the secret.
type SecretConsumerMetadata struct {
	// Label is used when notifying the consumer
	// about changes to the secret.
	Label string
	// CurrentRevision is the current revision the
	// consumer wants to read.
	CurrentRevision int
}
SecretConsumerMetadata holds metadata about a secret for a consumer of the secret.
type SecretData ¶
SecretData holds secret key values.
func CreateSecretData ¶
func CreateSecretData(args []string) (SecretData, error)
CreateSecretData creates a secret data bag from a list of arguments. If a key has the #base64 suffix, then the value is already base64 encoded, otherwise the value is base64 encoded as it is added to the data bag.
func ReadSecretData ¶
func ReadSecretData(f string) (SecretData, error)
ReadSecretData reads secret data from a YAML or JSON file as key value pairs.
type SecretExternalRevision ¶
SecretExternalRevision holds metadata about an external secret revision.
type SecretMetadata ¶
// SecretMetadata holds metadata about a secret.
type SecretMetadata struct {
	// Read only after creation.
	URI *URI
	// Version starts at 1 and is incremented
	// whenever an incompatible change is made.
	Version int
	// These can be updated after creation.
	Description  string
	Label        string
	RotatePolicy RotatePolicy
	// Owner is the entity which created the secret.
	Owner      Owner
	CreateTime time.Time
	UpdateTime time.Time
	// LatestRevision is the most recent secret revision.
	LatestRevision int
	// LatestRevisionChecksum is the checksum of the most
	// recent revision content.
	LatestRevisionChecksum string
	// LatestExpireTime is the expire time of the most recent revision.
	LatestExpireTime *time.Time
	// NextRotateTime is when the secret should be rotated.
	NextRotateTime *time.Time
	// AutoPrune is true if the secret revisions should be pruned
	// when they are no longer used.
	AutoPrune bool
	// Access is a list of access information for this secret.
	Access []AccessInfo
}
SecretMetadata holds metadata about a secret.
type SecretMetadataForDrain ¶
// SecretMetadataForDrain holds a secret's metadata and any backend
// references of its revisions, for draining.
type SecretMetadataForDrain struct {
	// URI identifies the secret.
	URI *URI
	// Revisions are the external revisions of the secret; see SecretExternalRevision.
	Revisions []SecretExternalRevision
}
SecretMetadataForDrain holds a secret's metadata and any backend references of its revisions, for draining.
type SecretOwnerMetadata ¶
// SecretOwnerMetadata holds a secret's metadata and any backend references
// of its revisions.
type SecretOwnerMetadata struct {
	// Metadata is the secret's metadata.
	Metadata SecretMetadata
	// Revisions are presumably revision numbers of the secret — confirm
	// against callers.
	Revisions []int
}
SecretOwnerMetadata holds a secret's metadata and any backend references of its revisions.
type SecretRevisionInfo ¶
SecretRevisionInfo holds info used to read a secret value.
type SecretRevisionMetadata ¶
// SecretRevisionMetadata holds metadata about a secret revision.
type SecretRevisionMetadata struct {
	// Revision is the revision number.
	Revision int
	// ValueRef, when set, refers to the revision's content held in a
	// secret backend — see ValueRef; confirm nil semantics against callers.
	ValueRef *ValueRef
	// BackendName, when set, presumably names the backend holding the
	// content — confirm against callers.
	BackendName *string
	CreateTime  time.Time
	UpdateTime  time.Time
	// ExpireTime, when set, is when this revision expires.
	ExpireTime *time.Time
}
SecretRevisionMetadata holds metadata about a secret revision.
type SecretRevisionRef ¶
SecretRevisionRef is a reference to a secret revision stored in a secret backend.
type SecretRole ¶
type SecretRole string
SecretRole is an access role on a secret.
func (SecretRole) Allowed ¶
func (r SecretRole) Allowed(wanted SecretRole) bool
func (SecretRole) IsValid ¶
func (r SecretRole) IsValid() bool
IsValid returns true if r is a valid secret role.
type SecretValue ¶
// SecretValue holds the value of a secret.
// NOTE(review): Values and KeyValue hand back secret material; keep their
// results out of logs, error messages and debug output.
type SecretValue interface {
	// EncodedValues returns the key values of a secret as
	// the raw base64 encoded strings.
	// For the special case where the secret only has a
	// single key value "data", then use BinaryValue()
	// to get the result.
	EncodedValues() map[string]string
	// Values returns the key values of a secret as strings.
	// For the special case where the secret only has a
	// single key value "data", then use StringValue()
	// to get the result.
	Values() (map[string]string, error)
	// KeyValue returns the specified secret value for the key.
	// If the key has a #base64 suffix, the returned value is base64 encoded.
	KeyValue(string) (string, error)
	// IsEmpty checks if the value is empty.
	IsEmpty() bool
	// Checksum is the checksum of the secret content.
	Checksum() (string, error)
}
SecretValue holds the value of a secret. Instances of SecretValue are returned by a secret store when a secret lookup is performed. The underlying value is a map of base64 encoded values represented as []byte.
func NewSecretBytes ¶
func NewSecretBytes(data map[string][]byte) SecretValue
NewSecretBytes returns a secret using the specified map of values. The map values are assumed to be already base64 encoded.
func NewSecretValue ¶
func NewSecretValue(data map[string]string) SecretValue
NewSecretValue returns a secret using the specified map of values. The map values are assumed to be already base64 encoded.