pushtofile

package
v1.2.0

This package is not in the latest version of its module.

Published: Nov 30, 2021 License: Apache-2.0 Imports: 14 Imported by: 0

README

This directory will be used to define a package for the Secrets Provider "Push to File" functionality. It will contain source code to do the following:

  • Parse the keys used in push-to-file annotations (e.g. sort annotations based on secrets group)
  • Retrieve Conjur secrets for each secrets group
  • Write a file for each secret group, combining a file template and the fetched Conjur secrets

Run tests

go test -v -coverprofile cover.out -count 1 ./... \
 && go tool cover -html=cover.out -o cover.html \
 && open ./cover.html

Documentation

Constants

This section is empty.

Variables

This section is empty.

Functions

func FetchSecretsForGroups

func FetchSecretsForGroups(
	depRetrieveSecrets conjur.RetrieveSecretsFunc,
	secretGroups []*SecretGroup,
) (map[string][]*Secret, error)

FetchSecretsForGroups fetches the secrets for all the groups and returns a map of [group name] to [a slice of secrets for the group]. Callers of this function should decorate any errors with messages.CSPFK052E.

func FileTemplateForFormat

func FileTemplateForFormat(
	fileFormat string,
	secretSpecs []SecretSpec,
) (string, error)

FileTemplateForFormat returns the template for a file format, after ensuring the standard template exists and validating secret spec aliases against it.

func NewProvider

func NewProvider(retrieveSecretsFunc conjur.RetrieveSecretsFunc, secretsBasePath string, annotations map[string]string) (*fileProvider, []error)

NewProvider creates a new provider for Push-to-File mode.

Types

type Secret

type Secret struct {
	Alias string
	Value string
}

Secret describes how Conjur secrets are represented in the Push-to-File context.

type SecretGroup

type SecretGroup struct {
	Name             string
	FilePath         string
	FileTemplate     string
	FileFormat       string
	PolicyPathPrefix string
	FilePermissions  os.FileMode
	SecretSpecs      []SecretSpec
}

SecretGroup incorporates all of the information about a secret group that has been parsed from that secret group's Annotations.

func NewSecretGroups

func NewSecretGroups(secretsBasePath string, annotations map[string]string) ([]*SecretGroup, []error)

NewSecretGroups creates a collection of secret groups from a map of annotations.

func (*SecretGroup) PushToFile

func (sg *SecretGroup) PushToFile(secrets []*Secret) error

PushToFile uses the configuration on a secret group to inject secrets into a template and write the result to a file.
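
The write step described above, as an added example that is not the package's own implementation: it renders a group's template with the fetched secrets and moves the result into place atomically with the requested mode. `renderAndWrite`, the `{{ secret "alias" }}` template syntax, the rejection of world-accessible modes and the sample values are assumptions of this example; `path`, `tmpl` and `perm` stand in for SecretGroup's FilePath, FileTemplate and FilePermissions.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"text/template"
)

// Secret is a local stand-in mirroring the page's Secret type.
type Secret struct{ Alias, Value string }

// renderAndWrite is a hypothetical helper, not the package's PushToFile.
// Assumption: templates reference secrets as {{ secret "alias" }}.
func renderAndWrite(path, tmpl string, perm os.FileMode, secrets []*Secret) error {
	if perm&0o007 != 0 {
		return fmt.Errorf("mode %v exposes secrets to other users", perm)
	}
	lookup := func(alias string) (string, error) {
		for _, s := range secrets {
			if s.Alias == alias {
				return s.Value, nil
			}
		}
		return "", fmt.Errorf("alias %q was not fetched for this group", alias)
	}
	tpl, err := template.New("f").Funcs(template.FuncMap{"secret": lookup}).Parse(tmpl)
	if err != nil {
		return err
	}
	// Render into a temp file (created 0600) beside the target and rename it
	// into place only on success, so readers never see a partial file.
	tmp, err := os.CreateTemp(filepath.Dir(path), ".secrets-*")
	if err != nil {
		return err
	}
	defer os.Remove(tmp.Name()) // no-op once the rename has succeeded
	err = errors.Join(tpl.Execute(tmp, nil), tmp.Chmod(perm), tmp.Close())
	if err != nil {
		return err
	}
	return os.Rename(tmp.Name(), path)
}

func main() {
	s := []*Secret{{Alias: "db_password", Value: "constructed-sample"}}
	fmt.Println(renderAndWrite(filepath.Join(os.TempDir(), "app.env"), `PW={{ secret "db_password" }}`, 0o600, s))
}
```

A template that names an alias missing from the group fails during rendering, so the previously written file stays untouched and no temp file is left behind.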

type SecretSpec

type SecretSpec struct {
	Alias string
	Path  string
}

SecretSpec specifies a secret to be retrieved from Conjur by defining its alias (i.e. the name of the secret from an application's perspective) and its variable path in Conjur.

func NewSecretSpecs

func NewSecretSpecs(raw []byte) ([]SecretSpec, error)

NewSecretSpecs creates a slice of SecretSpec structs by unmarshalling a YAML representation of secret specifications.

func (SecretSpec) MarshalYAML

func (t SecretSpec) MarshalYAML() (interface{}, error)

MarshalYAML is a custom marshaller for SecretSpec.

func (*SecretSpec) UnmarshalYAML

func (t *SecretSpec) UnmarshalYAML(node *yaml.Node) error

UnmarshalYAML is a custom unmarshaller for SecretSpec that allows us to unmarshal from different YAML node representations, i.e. a literal string or a map.
