Documentation
Index
- Variables
- func BuildSecretTemplate(secretTemplate, namespace, name string) (string, error)
- func UnmarshalConfig(config json.RawMessage, target interface{}) error
- type Config
- type Credential
- type CredentialRequest
- type CredentialRequestConfig
- type CredentialType
- type Duration
- type Metadata
- type Provider
- type ProviderType
- type RequestConfig
- type Resource
- type Secret
- type SecretStore
- type Sidecred
- type State
- func (s *State) AddResource(resource *Resource)
- func (s *State) AddSecret(c *StoreConfig, secret *Secret)
- func (s *State) GetResourcesByID(t CredentialType, id, store string) []*Resource
- func (s *State) ListOrphanedSecrets(c *StoreConfig) []*Secret
- func (s *State) RemoveResource(resource *Resource)
- func (s *State) RemoveSecret(c *StoreConfig, secret *Secret)
- type StateBackend
- type StoreConfig
- type StoreType
Constants
This section is empty.
Variables
var NoConfig = []byte("{}")
NoConfig represents an empty JSON Configuration (used for testing).
Functions
func BuildSecretTemplate (added in v0.7.0)
func BuildSecretTemplate(secretTemplate, namespace, name string) (string, error)
BuildSecretTemplate is a convenience function for building secret templates.
func UnmarshalConfig (added in v0.7.0)
func UnmarshalConfig(config json.RawMessage, target interface{}) error
UnmarshalConfig is a convenience method for performing a strict unmarshalling of a JSON config into a provided structure. If config is empty, no operation is performed by this function.
Types
type Config (added in v0.7.0)
type Config struct {
	Version   int              `json:"version"`
	Namespace string           `json:"namespace"`
	Stores    []*StoreConfig   `json:"stores"`
	Requests  []*RequestConfig `json:"requests"`
}
Config represents the user-defined configuration that should be passed to the sidecred.Sidecred.Process method.
type Credential
type Credential struct {
	// Name is the identifier for the credential.
	Name string `json:"name,omitempty"`
	// Value is the credential value (typically a secret).
	Value string `json:"-"`
	// Description returns a short description of the credential.
	Description string `json:"-"`
	// Expiration is the time at which the credential will have expired.
	Expiration time.Time `json:"expiration"`
}
Credential is a key/value pair returned by a sidecred.Provider.
type CredentialRequest (added in v0.7.0)
type CredentialRequest struct {
	// Type identifies the type of credential (and provider) for a request.
	Type CredentialType `json:"type"`
	// Name is an identifier that can be used for naming resources and
	// credentials created by a sidecred.Provider. The exact usage of
	// name is up to the individual provider.
	Name string `json:"name"`
	// RotationWindow overrides the default rotation window, measured in
	// seconds. This allows finer control for credentials used by
	// longer-running authentications or processes.
	RotationWindow *Duration `json:"rotation_window"`
	// Config holds the specific configuration for the requested credential
	// type, and must be deserialized by the provider when Create is called.
	Config json.RawMessage `json:"config"`
}
CredentialRequest is the root datastructure used to request credentials in Sidecred.
func (*CredentialRequest) UnmarshalConfig (added in v0.7.0)
func (r *CredentialRequest) UnmarshalConfig(target interface{}) error
UnmarshalConfig performs a strict JSON unmarshal of the config to the desired struct.
type CredentialRequestConfig (added in v0.7.0)
type CredentialRequestConfig struct {
	*CredentialRequest `json:",inline"`
	List []*CredentialRequest `json:"list,omitempty"`
}
CredentialRequestConfig extends sidecred.CredentialRequest by allowing it to be defined in two ways:
1. As a regular CredentialRequest.
2. As a list of requests that share a CredentialType (nested credential requests should omit "type"):
    - type: aws:sts
      list:
        - name: credential1
          config ...
        - name: credential2
          config ...
type CredentialType
type CredentialType string
CredentialType ...
const (
	Randomized             CredentialType = "random"
	AWSSTS                 CredentialType = "aws:sts"
	GithubDeployKey        CredentialType = "github:deploy-key"
	GithubAccessToken      CredentialType = "github:access-token"
	ArtifactoryAccessToken CredentialType = "artifactory:access-token"
)
Enumeration of known credential types.
func (CredentialType) Provider
func (c CredentialType) Provider() ProviderType
Provider returns the sidecred.ProviderType for the credential.
type Duration (added in v0.10.0)
Duration implements JSON (un)marshal for time.Duration.
func (Duration) MarshalJSON (added in v0.10.0)
MarshalJSON implements json.Marshaler.
func (*Duration) UnmarshalJSON (added in v0.10.0)
UnmarshalJSON implements json.Unmarshaler.
type Metadata
Metadata allows providers to pass additional information to be stored in the sidecred.ResourceState after successfully creating credentials.
type Provider
type Provider interface {
	// Type returns the provider type.
	Type() ProviderType
	// Create the requested credentials. Any sidecred.Resource
	// returned will be stored in state and used to determine
	// when credentials need to be rotated.
	Create(request *CredentialRequest) ([]*Credential, *Metadata, error)
	// Destroy the specified resource. This is scheduled if
	// a resource in the state has expired. For providers that
	// are not stateful this should be a no-op.
	Destroy(resource *Resource) error
}
Provider is the interface that has to be satisfied by credential providers.
type ProviderType
type ProviderType string
ProviderType ...
const (
	Random      ProviderType = "random"
	AWS         ProviderType = "aws"
	Github      ProviderType = "github"
	Artifactory ProviderType = "artifactory"
)
Enumeration of known provider types.
type RequestConfig (added in v0.7.0)
type RequestConfig struct {
	Store string                     `json:"store"`
	Creds []*CredentialRequestConfig `json:"creds"`
}
RequestConfig maps credential requests to a secret store, and is part of the configuration format for Sidecred.
func (*RequestConfig) CredentialRequests (added in v0.7.0)
func (c *RequestConfig) CredentialRequests() (requests []*CredentialRequest)
CredentialRequests returns the flattened list of CredentialRequests.
type Resource
type Resource struct {
	Type       CredentialType  `json:"type"`
	ID         string          `json:"id"`
	Store      string          `json:"store"`
	Expiration time.Time       `json:"expiration"`
	Deposed    bool            `json:"deposed"`
	Config     json.RawMessage `json:"config,omitempty"`
	Metadata   *Metadata       `json:"metadata,omitempty"`
	InUse      bool            `json:"-"`
}
Resource represents a resource provisioned by a sidecred.Provider as part of creating the requested credentials.
type Secret
type Secret struct {
	ResourceID string    `json:"resource_id"`
	Path       string    `json:"path"`
	Expiration time.Time `json:"expiration"`
}
Secret is used to hold state about secrets stored in a secret backend.
type SecretStore
type SecretStore interface {
	// Type returns the store type.
	Type() StoreType
	// Write a sidecred.Credential to the secret store.
	Write(namespace string, secret *Credential, config json.RawMessage) (string, error)
	// Read the specified secret by reference.
	Read(path string, config json.RawMessage) (string, bool, error)
	// Delete the specified secret. Should not return an error
	// if the secret does not exist or has already been deleted.
	Delete(path string, config json.RawMessage) error
}
SecretStore is implemented by store backends for secrets.
type Sidecred
type Sidecred struct {
// contains filtered or unexported fields
}
Sidecred is the underlying datastructure for the service.
type State
type State struct {
	Providers []*providerState `json:"providers,omitempty"`
	Stores    []*storeState    `json:"stores,omitempty"`
}
State is responsible for keeping track of when credentials need to be rotated because they have expired or the configuration has changed, and of which credentials have been deposed so that their resources and secrets can be cleaned up.
func (*State) AddResource
func (s *State) AddResource(resource *Resource)
AddResource stores a resource state for the given provider. The provider will be added to state if it does not already exist. Any existing resources with the same ID will be marked as deposed.
func (*State) AddSecret
func (s *State) AddSecret(c *StoreConfig, secret *Secret)
AddSecret adds state for the specified sidecred.SecretStore alias. The store will be added to state if it does not already exist, and any existing state for the same secret path will be overwritten.
func (*State) GetResourcesByID
func (s *State) GetResourcesByID(t CredentialType, id, store string) []*Resource
GetResourcesByID returns all resources with the given ID from state, and also marks the resources as being in use.
func (*State) ListOrphanedSecrets (added in v0.2.0)
func (s *State) ListOrphanedSecrets(c *StoreConfig) []*Secret
ListOrphanedSecrets lists all secrets tied to missing resource IDs that should be considered orphaned.
func (*State) RemoveResource
func (s *State) RemoveResource(resource *Resource)
RemoveResource removes the resource from the state.
func (*State) RemoveSecret
func (s *State) RemoveSecret(c *StoreConfig, secret *Secret)
RemoveSecret removes the secret from the state.
type StateBackend
type StateBackend interface {
	// Load state from the backend. If no state exists it should be created.
	Load(path string) (*State, error)
	// Save a state to the backend.
	Save(path string, state *State) error
}
StateBackend is implemented by things that know how to store sidecred.State.
type StoreConfig (added in v0.7.0)
type StoreConfig struct {
	Type   StoreType       `json:"type"`
	Name   string          `json:"name"`
	Config json.RawMessage `json:"config,omitempty"`
}
StoreConfig is used to define the secret stores in the configuration for Sidecred.
Directories
Path | Synopsis
---|---
backend |
backend/file | Package file implements a sidecred.StateBackend that writes to a file.
backend/s3 | Package s3 implements a sidecred.StateBackend using AWS S3.
backend/s3/s3fakes | Code generated by counterfeiter.
cmd |
internal |
provider |
provider/artifactory | Package artifactory implements a sidecred.Provider for Artifactory access token credentials.
provider/artifactory/artifactoryfakes | Code generated by counterfeiter.
provider/github | Package github implements a sidecred.Provider for Github access tokens and deploy keys.
provider/github/githubfakes | Code generated by counterfeiter.
provider/random | Package random implements a sidecred.Provider for random strings, and can be used for tests.
provider/sts | Package sts implements a sidecred.Provider for AWS STS Credentials.
provider/sts/stsfakes | Code generated by counterfeiter.
store |
store/github | Package github implements a sidecred.SecretStore on top of Github secrets.
store/github/githubfakes | Code generated by counterfeiter.
store/inprocess | Package inprocess implements a sidecred.SecretStore in memory, and can be used for tests.
store/secretsmanager | Package secretsmanager implements sidecred.SecretStore on top of AWS Secrets Manager.
store/secretsmanager/secretsmanagerfakes | Code generated by counterfeiter.
store/ssm | Package ssm implements sidecred.SecretStore on top of AWS Parameter Store.
store/ssm/ssmfakes | Code generated by counterfeiter.