secrets

package
v1.17.0

This package is not in the latest version of its module.
Published: Feb 27, 2023 License: Apache-2.0 Imports: 15 Imported by: 6

Documentation

Overview

Package secrets defines a minimal abstract interface for a secret manager, allowing a different implementation to be bound within the ServeEnv.

Although exported, this package is not intended for general consumption. It is a shared dependency between multiple exposure notifications projects. We cannot guarantee that there won't be breaking changes in the future.

Index

Constants

const (
	// SecretPrefix marks an environment variable value that should be
	// resolved through the configured secret store.
	SecretPrefix = "secret://"

	// FileSuffix is the suffix to append when the secret's value should be
	// written to a file. It is only interpreted on environment variable
	// values that start with secret://.
	FileSuffix = "?target=file"
)

Variables

This section is empty.

Functions

func RegisterManager added in v0.22.0

func RegisterManager(name string, fn SecretManagerFunc)

RegisterManager registers a new secret manager with the given name. If a manager is already registered with the given name, it panics. Managers are usually registered via an init function.

func RegisteredManagers added in v0.22.0

func RegisteredManagers() []string

RegisteredManagers returns the list of the names of the registered secret managers.

func Resolver

func Resolver(sm SecretManager, config *Config) envconfig.MutatorFunc

Resolver returns a function that fetches secrets from the secret manager. If the provided secret manager is nil, the returned function is nil. Otherwise, it looks for values prefixed with secret:// and resolves them as secrets. For slice functions, values separated by commas are processed as individual secrets.
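As an added illustration of the resolution rules above (not the package's own code), the following stand-alone Go program applies the secret:// prefix, the ?target=file suffix and comma splitting to one env value; memoryManager, ResolveValue and the path-flattening rule for file targets are constructed for this example.

```go
package main

import (
	"context"
	"fmt"
	"os"
	"strings"
)

const SecretPrefix, FileSuffix = "secret://", "?target=file" // values from the page

// SecretManager mirrors the page's interface; memoryManager is a constructed stand-in backend.
type SecretManager interface {
	GetSecretValue(ctx context.Context, name string) (string, error)
}

type memoryManager map[string]string
func (m memoryManager) GetSecretValue(_ context.Context, name string) (string, error) {
	if v, ok := m[name]; ok {
		return v, nil
	}
	return "", fmt.Errorf("secret %q not found", name)
}

// ResolveValue applies the page's rules to one env value: comma-separated parts are
// resolved one by one, only parts starting with secret:// are looked up, and a part
// ending in ?target=file is written to a 0600 file whose path replaces the value.
func ResolveValue(ctx context.Context, sm SecretManager, secretsDir, raw string) ([]string, error) {
	var out []string
	for _, part := range strings.Split(raw, ",") {
		if !strings.HasPrefix(part, SecretPrefix) {
			out = append(out, part) // plain value passes through untouched
			continue
		}
		ref := strings.TrimSuffix(strings.TrimPrefix(part, SecretPrefix), FileSuffix)
		val, err := sm.GetSecretValue(ctx, ref)
		if err != nil {
			return nil, err // one unresolvable secret fails the whole value
		}
		if strings.HasSuffix(part, FileSuffix) {
			path := secretsDir + "/" + strings.ReplaceAll(ref, "/", "_") // flatten: stay in dir
			if err := os.WriteFile(path, []byte(val), 0o600); err != nil {
				return nil, err
			}
			val = path
		}
		out = append(out, val)
	}
	return out, nil
}
```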

Types

type Cacher

type Cacher struct {
	// contains filtered or unexported fields
}

Cacher is a secret manager implementation that wraps another secret manager and caches secret values.

func (*Cacher) GetSecretValue

func (sm *Cacher) GetSecretValue(ctx context.Context, name string) (string, error)

GetSecretValue implements the SecretManager interface, but caches values and retrieves them from the cache.

type Config

type Config struct {
	Type            string        `env:"SECRET_MANAGER, default=IN_MEMORY"`
	SecretsDir      string        `env:"SECRETS_DIR, default=/var/run/secrets"`
	SecretCacheTTL  time.Duration `env:"SECRET_CACHE_TTL, default=5m"`
	SecretExpansion bool          `env:"SECRET_EXPANSION, default=false"`

	// FilesystemRoot is the root path where secrets are managed on the filesystem.
	FilesystemRoot string `env:"SECRET_FILESYSTEM_ROOT"`
}

Config represents the config for a secret manager.

type Filesystem added in v0.26.0

type Filesystem struct {
	// contains filtered or unexported fields
}

Filesystem is a local filesystem based secret manager, primarily used for local development and testing.

func (*Filesystem) CreateSecretVersion added in v0.26.0

func (sm *Filesystem) CreateSecretVersion(ctx context.Context, parent string, data []byte) (string, error)

CreateSecretVersion creates a new secret version on the given parent with the provided data. It returns a reference to the created version.

func (*Filesystem) DestroySecretVersion added in v0.26.0

func (sm *Filesystem) DestroySecretVersion(ctx context.Context, name string) error

DestroySecretVersion destroys the secret version with the given name. If the version does not exist, no action is taken.

func (*Filesystem) GetSecretValue added in v0.26.0

func (sm *Filesystem) GetSecretValue(ctx context.Context, name string) (string, error)

GetSecretValue returns the secret if it exists, otherwise an error.

type InMemory

type InMemory struct {
	// contains filtered or unexported fields
}

InMemory is an in-memory secret manager, primarily used for testing.

func (*InMemory) CreateSecretVersion added in v0.26.0

func (sm *InMemory) CreateSecretVersion(ctx context.Context, parent string, data []byte) (string, error)

CreateSecretVersion creates a new secret version on the given parent with the provided data. It returns a reference to the created version.

func (*InMemory) DestroySecretVersion added in v0.26.0

func (sm *InMemory) DestroySecretVersion(ctx context.Context, k string) error

DestroySecretVersion destroys the secret version with the given name. If the version does not exist, no action is taken.

func (*InMemory) GetSecretValue

func (sm *InMemory) GetSecretValue(_ context.Context, k string) (string, error)

GetSecretValue returns the secret if it exists, otherwise an error.

type JSONExpander

type JSONExpander struct {
	// contains filtered or unexported fields
}

func (*JSONExpander) GetSecretValue

func (sm *JSONExpander) GetSecretValue(ctx context.Context, name string) (string, error)

GetSecretValue implements the SecretManager interface, but allows for JSON expansion of the secret value. If the secret name contains a period, the secret value is expected to be JSON. The secret name is assumed to come before the period, while the map key is expected to follow.

For example, if a secret named "psqlcreds" has the value `{"username":"gandalf", "password":"abc"}`, then GetSecretValue(ctx, "psqlcreds") returns the raw JSON value, while GetSecretValue(ctx, "psqlcreds.username") returns only gandalf (without quotes).
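An added stand-alone sketch of the expansion described above, not the package's JSONExpander itself; it assumes the name is split at the first period and that the selected key holds a JSON string, and managerFunc and jsonExpander are names made up for this example.

```go
package main

import (
	"context"
	"encoding/json"
	"fmt"
	"strings"
)

// SecretManager mirrors the page's interface; managerFunc is a constructed adapter
// that lets a plain lookup function stand in for a real backend.
type SecretManager interface {
	GetSecretValue(ctx context.Context, name string) (string, error)
}

type managerFunc func(ctx context.Context, name string) (string, error)

func (f managerFunc) GetSecretValue(ctx context.Context, name string) (string, error) {
	return f(ctx, name)
}

// jsonExpander wraps another SecretManager the way the page describes: a name without
// a period is passed through unchanged; "name.key" fetches "name", parses its value as
// a JSON object and returns the string stored under "key" without quotes.
type jsonExpander struct{ inner SecretManager }

func (e jsonExpander) GetSecretValue(ctx context.Context, name string) (string, error) {
	base, key, found := strings.Cut(name, ".")
	raw, err := e.inner.GetSecretValue(ctx, base)
	if err != nil || !found {
		return raw, err // no period: raw (possibly JSON) value, exactly as on the page
	}
	var obj map[string]any
	if err := json.Unmarshal([]byte(raw), &obj); err != nil {
		// Deliberately not wrapping err: parser errors can echo secret content.
		return "", fmt.Errorf("secret %q is not a JSON object", base)
	}
	v, ok := obj[key]
	if !ok {
		return "", fmt.Errorf("secret %q has no key %q", base, key)
	}
	s, ok := v.(string)
	if !ok {
		return "", fmt.Errorf("key %q of secret %q is not a string", key, base) // example's choice
	}
	return s, nil
}
```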

type SecretManager

type SecretManager interface {
	GetSecretValue(ctx context.Context, name string) (string, error)
}

SecretManager defines the minimum shared functionality for a secret manager used by this application.

func NewFilesystem added in v0.26.0

func NewFilesystem(ctx context.Context, cfg *Config) (SecretManager, error)

NewFilesystem creates a new filesystem-based secret manager.

func NewInMemory

func NewInMemory(ctx context.Context, _ *Config) (SecretManager, error)

NewInMemory creates a new in-memory secret manager.

func NewInMemoryFromMap

func NewInMemoryFromMap(ctx context.Context, m map[string]string) (SecretManager, error)

NewInMemoryFromMap creates a new in-memory secret manager from the map.

func SecretManagerFor

func SecretManagerFor(ctx context.Context, cfg *Config) (SecretManager, error)

SecretManagerFor returns the secret manager with the given name, or an error if one does not exist.

func WrapCacher

func WrapCacher(ctx context.Context, sm SecretManager, ttl time.Duration) (SecretManager, error)

WrapCacher wraps an existing SecretManager with caching.

func WrapJSONExpander

func WrapJSONExpander(ctx context.Context, sm SecretManager) (SecretManager, error)

WrapJSONExpander wraps an existing SecretManager with JSON-expansion logic.

type SecretManagerFunc

type SecretManagerFunc func(context.Context, *Config) (SecretManager, error)

SecretManagerFunc is a func that returns a secret manager or error.

type SecretVersionManager added in v0.26.0

type SecretVersionManager interface {
	SecretManager

	CreateSecretVersion(ctx context.Context, parent string, data []byte) (string, error)
	DestroySecretVersion(ctx context.Context, name string) error
}

SecretVersionManager is a secret manager that can manage secret versions.
