Constants ¶
// Key-context flags understood by the secrets APIs, plus the filesystem
// location reserved for secrets.
const (
	// CustomSecretData is a key-context flag telling the secret provider
	// not to generate a secret but to use the secret material the caller
	// supplied in the API call.
	CustomSecretData = "custom_secret_data"

	// PublicSecretData is a key-context flag telling the API that it is
	// handling the public part of a secret rather than the secret itself.
	PublicSecretData = "public_secret_data"

	// OverwriteSecretDataInStore is a key-context flag controlling whether
	// secret data already held in the persistent store may be replaced.
	// Set it deliberately: it permits an existing secret to be overwritten.
	OverwriteSecretDataInStore = "overwrite_secret_data_in_store"

	// SecretPath is the filesystem location reserved for secrets; which
	// providers read it is not visible from this file.
	SecretPath = "/var/lib/osd/secrets/"
)
// Backend type names, one per supported secrets provider. These are
// presumably the names used with the Register* functions — confirm
// against the provider packages.
const (
	TypeAWSKMS            = "aws-kms"
	TypeAWSSecretsManager = "aws-secrets-manager"
	TypeAzure             = "azure-kv"
	TypeDCOS              = "dcos"
	TypeDocker            = "docker"
	TypeGCloud            = "gcloud-kms"
	TypeIBM               = "ibm-kp"
	TypeK8s               = "k8s"
	TypeKVDB              = "kvdb"
	TypeVault             = "vault"
	TypeVaultTransit      = "vault-transit"
)
// Vault-specific keyContext parameters.
const (
	// KeyVaultNamespace selects the Vault namespace for a secret.
	KeyVaultNamespace = "vault-namespace"

	// DestroySecret asks Vault to destroy a secret instead of soft-deleting
	// it. It is only meaningful when Vault's KV Secrets Engine runs as
	// version 2, where keys are versioned and soft-deleted by default.
	// When set, ALL metadata and versions of the key are permanently
	// removed and cannot be recovered.
	DestroySecret = "destroy-all-secret-versions"
)
Variables ¶
// Sentinel errors returned by the secrets APIs. Callers should compare
// with errors.Is rather than by message text.
var (
	// ErrNotSupported: the backend does not implement the requested function.
	ErrNotSupported = errors.New("implementation not supported")

	// ErrNotAuthenticated: the client is not authenticated with the secrets
	// endpoint.
	ErrNotAuthenticated = errors.New("Not authenticated with the secrets endpoint")

	// ErrInvalidSecretId: no secret data is associated with the given id.
	ErrInvalidSecretId = errors.New("No Secret Data found for Secret ID")

	// ErrEmptySecretData: no secret data was supplied when storing a secret.
	ErrEmptySecretData = errors.New("Secret data cannot be empty")

	// ErrEmptySecretId: no secret name/id was supplied when retrieving
	// secret data.
	ErrEmptySecretId = errors.New("Secret Name/ID cannot be empty")

	// ErrSecretExists: a secret with the given id already exists.
	ErrSecretExists = errors.New("Secret Id already exists")

	// ErrInvalidSecretData: the CustomSecretData or PublicSecretData flag
	// was set in the key context but no secret data was supplied.
	ErrInvalidSecretData = errors.New("Secret Data cannot be empty when CustomSecretData|PublicSecretData flag is set")

	// ErrInvalidKvdbProvided: the KVDB implementation handed to the
	// persistence store is not usable. (The message text is kept verbatim,
	// typo included, because callers may match on it.)
	ErrInvalidKvdbProvided = errors.New("Invalid kvdb provided. secret store works in conjuction with a kvdb")
)
Functions ¶
func KeyContextChecks ¶
KeyContextChecks performs a series of checks on the keys and values passed through the key context map.
func RegisterReader ¶
func RegisterReader(name string, init ReaderInit) error
RegisterReader adds a new backend KMS that implements SecretReader
func RegisterStore ¶
RegisterStore adds a new backend KMS that implements SecretStore and SecretReader
func SetInstance ¶
SetInstance sets the singleton instance of the secrets backend.
Types ¶
type BackendInit ¶
type ErrInvalidKeyContext ¶
// ErrInvalidKeyContext is returned when secret data is passed to the secret
// APIs together with a key context that fails validation.
type ErrInvalidKeyContext struct {
	// Reason describes why the supplied key context was rejected.
	Reason string
}
ErrInvalidKeyContext is returned when secret data is provided to the secret APIs with an invalid key context.
func (*ErrInvalidKeyContext) Error ¶
func (e *ErrInvalidKeyContext) Error() string
type ErrProviderInternal ¶
ErrProviderInternal is returned when the secrets provider reports an error that this library does not recognize.
func (*ErrProviderInternal) Error ¶
func (e *ErrProviderInternal) Error() string
type ReaderInit ¶
// ReaderInit builds a SecretReader from a backend-specific configuration
// map. It is the initializer type accepted by RegisterReader.
type ReaderInit func(config map[string]interface{}) (SecretReader, error)
type SecretKey ¶
// SecretKey identifies a secret handled by a SecretReader or SecretStore.
type SecretKey struct {
	// Prefix optionally qualifies the key; it may be left empty.
	Prefix string
	// Name is the mandatory identifier of the secret.
	Name string
}
A SecretKey identifies a secret
type SecretReader ¶
// SecretReader is implemented by secrets managers that can read secrets.
type SecretReader interface {
	// String returns a human-readable name for the backend.
	String() string

	// Get returns the secret associated with key.
	Get(ctx context.Context, key SecretKey) (secret map[string]interface{}, err error)
}
SecretReader is the interface implemented by secrets managers to read secrets.
type SecretStore ¶
// SecretStore is implemented by secrets managers that can write and delete
// secrets in addition to reading them.
type SecretStore interface {
	SecretReader

	// Set stores secret under key. The caller is expected to choose unique
	// keys; otherwise an existing secret may be overwritten unknowingly.
	Set(ctx context.Context, key SecretKey, secret map[string]interface{}) error

	// Delete removes the secret data stored under key.
	Delete(ctx context.Context, key SecretKey) error
}
SecretStore is the interface implemented by secrets managers to set and delete secrets.
type Secrets ¶
// Secrets is the interface implemented by backend key management systems
// (KMS). keyContext carries per-call flags such as CustomSecretData,
// PublicSecretData and OverwriteSecretDataInStore.
type Secrets interface {
	// String returns a human-readable name for the backend KMS.
	String() string

	// GetSecret returns the secret data stored under secretId together with
	// its Version. The plaintext may be used by the caller to encrypt its
	// data and is assumed to be destroyed by the caller once used.
	GetSecret(secretId string, keyContext map[string]string) (map[string]interface{}, Version, error)

	// PutSecret stores plainText under secretId in the secret backend.
	// Uniqueness of secretId is the caller's responsibility: reusing one
	// may unknowingly overwrite an existing secret.
	PutSecret(secretId string, plainText map[string]interface{}, keyContext map[string]string) (Version, error)

	// DeleteSecret removes the secret data stored under secretId.
	DeleteSecret(secretId string, keyContext map[string]string) error

	// Encrypt fetches the plaintext key for secretId, encrypts
	// plaintTextData with it and returns the result. The key is not stored
	// anywhere else and is dropped from memory afterwards.
	Encrypt(secretId string, plaintTextData string, keyContext map[string]string) (string, error)

	// Decrypt fetches the plaintext key for secretId, decrypts encryptedData
	// with it and returns the result. The key is not stored anywhere else
	// and is dropped from memory afterwards.
	Decrypt(secretId string, encryptedData string, keyContext map[string]string) (string, error)

	// Rencrypt decrypts encryptedData with the key for originalSecretId and
	// re-encrypts it with the key for newSecretId. The method name is
	// misspelled; it is kept as is because renaming it would break
	// implementers.
	Rencrypt(originalSecretId string, newSecretId string, originalKeyContext map[string]string, newKeyContext map[string]string, encryptedData string) (string, error)

	// ListSecrets returns the secretIds known to the backend.
	ListSecrets() ([]string, error)
}
Secrets is the interface implemented by backend Key Management Systems (KMS).
type StoreInit ¶
// StoreInit builds a SecretStore from a backend-specific configuration
// map. It is the initializer type accepted by RegisterStore.
type StoreInit func(config map[string]interface{}) (SecretStore, error)