secrets

package
v0.0.0-...-05d41a9 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Dec 17, 2024 License: Apache-2.0 Imports: 3 Imported by: 0

Documentation

Index

Constants

View Source
const (
	SecretPath = "/var/lib/osd/secrets/"
	// CustomSecretData is a constant used in the key context of the secrets APIs
	// It indicates that the secret provider should not generate secret but use the provided secret
	// in the API
	CustomSecretData = "custom_secret_data"
	// PublicSecretData is a constant used in the key context of Secret APIs
	// It indicates that the API is dealing with the public part of a secret instead
	// of the actual secret
	PublicSecretData = "public_secret_data"
	// OverwriteSecretDataInStore is a constant used in the key context of Secret APIs
	// It indicates whether the secret data stored in the persistent store can
	// be overwritten
	OverwriteSecretDataInStore = "overwrite_secret_data_in_store"
)
View Source
const (
	TypeAWSKMS            = "aws-kms"
	TypeAzure             = "azure-kv"
	TypeDCOS              = "dcos"
	TypeDocker            = "docker"
	TypeGCloud            = "gcloud-kms"
	TypeIBM               = "ibm-kp"
	TypeK8s               = "k8s"
	TypeKVDB              = "kvdb"
	TypeVault             = "vault"
	TypeVaultTransit      = "vault-transit"
	TypeAWSSecretsManager = "aws-secrets-manager"
)
View Source
const (
	// KeyVaultNamespace is a keyContext parameter for vault secrets.
	KeyVaultNamespace = "vault-namespace"

	// DestroySecret is a keyContext parameter for Vault secrets indicating whether the Secret should be destroyed
	// This is only valid when Vault's KV Secret Engine is running on version 2 since by default keys are versioned and soft-deleted
	// Activating this will PERMANENTLY delete all metadata and versions for a key
	DestroySecret = "destroy-all-secret-versions"
)

Variables

View Source
var (
	// ErrNotSupported returned when implementation of specific function is not supported
	ErrNotSupported = errors.New("implementation not supported")
	// ErrNotAuthenticated returned when not authenticated with secrets endpoint
	ErrNotAuthenticated = errors.New("Not authenticated with the secrets endpoint")
	// ErrInvalidSecretId returned when no secret data is found associated with the id
	ErrInvalidSecretId = errors.New("No Secret Data found for Secret ID")
	// ErrEmptySecretData returned when no secret data is provided to store the secret
	ErrEmptySecretData = errors.New("Secret data cannot be empty")
	// ErrEmptySecretId returned when no secret Name/ID is provided to retrive secret data
	ErrEmptySecretId = errors.New("Secret Name/ID cannot be empty")
	// ErrSecretExists returned when a secret for the given secret id already exists
	ErrSecretExists = errors.New("Secret Id already exists")
	// ErrInvalidSecretData is returned when no secret data is found
	ErrInvalidSecretData = errors.New("Secret Data cannot be empty when CustomSecretData|PublicSecretData flag is set")
	// ErrInvalidKvdbProvided is returned when an incorrect KVDB implementation is provided for persistence store.
	ErrInvalidKvdbProvided = errors.New("Invalid kvdb provided. secret store works in conjuction with a kvdb")
)

Functions

func KeyContextChecks

func KeyContextChecks(
	keyContext map[string]string,
	secretData map[string]interface{},
) error

KeyContextChecks performs a series of checks on the keys and values passed through the key context map

func Register

func Register(name string, bInit BackendInit) error

Register adds a new backend KMS

func SetInstance

func SetInstance(secretsInstance Secrets) error

SetInstance sets the singleton instance of the secrets backend.

Types

type BackendInit

type BackendInit func(
	secretConfig map[string]interface{},
) (Secrets, error)

type ErrInvalidKeyContext

type ErrInvalidKeyContext struct {
	Reason string
}

ErrInvalidKeyContext is returned when secret data is provided to the secret APIs with an invalid key context.

func (*ErrInvalidKeyContext) Error

func (e *ErrInvalidKeyContext) Error() string

type ErrProviderInternal

type ErrProviderInternal struct {
	Provider string
	Reason   string
}

ErrProviderInternal is returned when an error is received from the secrets provider which is not known to this library

func (*ErrProviderInternal) Error

func (e *ErrProviderInternal) Error() string

type Secrets

type Secrets interface {
	// String representation of the backend KMS
	String() string

	// GetSecret returns the secret data associated with the
	// supplied secretId. The secret data / plain text  can be used
	// by callers to encrypt their data. It is assumed that the plain text
	// data will be destroyed by the caller once used.
	GetSecret(
		secretId string,
		keyContext map[string]string,
	) (map[string]interface{}, Version, error)

	// PutSecret will associate an secretId to its secret data
	// provided in the arguments and store it into the secret backend
	// The caller should ensure they use unique secretIDs so that they won't
	// unknowingly overwrite an existing secret.
	PutSecret(
		secretId string,
		plainText map[string]interface{},
		keyContext map[string]string,
	) (Version, error)

	// DeleteSecret deletes the secret data associated with the
	// supplied secretId.
	DeleteSecret(
		secretId string,
		keyContext map[string]string,
	) error

	// Encrypt encrypts the supplied plain text data using the given key.
	// The API would fetch the plain text key, encrypt the data with it.
	// The plain text key will not be stored anywhere else and would be
	// deleted from memory.
	Encrypt(
		secretId string,
		plaintTextData string,
		keyContext map[string]string,
	) (string, error)

	// Decrypt decrypts the supplied encrypted  data using the given key.
	// The API would fetch the plain text key, decrypt the data with it.
	// The plain text key will not be stored anywhere else and would be
	// deleted from memory.
	Decrypt(
		secretId string,
		encryptedData string,
		keyContext map[string]string,
	) (string, error)

	// Reencrypt decrypts the data with the previous key and re-encrypts it
	// with the new key..
	Rencrypt(
		originalSecretId string,
		newSecretId string,
		originalKeyContext map[string]string,
		newKeyContext map[string]string,
		encryptedData string,
	) (string, error)

	// ListSecrets returns a list of known secretIDs
	ListSecrets() ([]string, error)
}

Secrets interface implemented by backend Key Management Systems (KMS)

func Instance

func Instance() Secrets

Instance returns the instance set via SetInstance. nil if not set.

func New

func New(
	name string,
	secretConfig map[string]interface{},
) (Secrets, error)

New returns a new instance of Secrets backend KMS identified by the supplied name. SecretConfig is a map of key value pairs which could be used for authenticating with the backend

type Version

type Version string

Version represents the unique identifier associated with the version of the new secret.

const (
	// NoVersion indicates that the provider does not support versions for secrets
	NoVersion Version = "noversion"
)

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL