Documentation ¶
Overview ¶
Package secrets contains an engine for reading and writing secrets from configurable backends. Currently only a K8s secret backend provider is available, but eventually other interfaces can be added such as for vault.
The purpose of this package is to provide "filesystem" like access to sensitive values, e.g. JWT signing secrets, user credential hashes, OTP secrets, etc.
The main methods provided are `ReadSecret`, `WriteSecret`, and `AppendSecret` with the added ability to grab locks and use an optional cache.
Index ¶
- type SecretEngine
- func (s *SecretEngine) AppendSecret(name string, line []byte) error
- func (s *SecretEngine) Close() error
- func (s *SecretEngine) Lock(timeoutSeconds int) error
- func (s *SecretEngine) ReadSecret(name string, cache bool) ([]byte, error)
- func (s *SecretEngine) ReadSecretMap(name string, cache bool) (map[string][]byte, error)
- func (s *SecretEngine) Release()
- func (s *SecretEngine) Setup(c client.Client, cluster *appv1.VDICluster) error
- func (s *SecretEngine) WriteSecret(name string, contents []byte) error
- func (s *SecretEngine) WriteSecretMap(name string, contents map[string][]byte) error
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type SecretEngine ¶
type SecretEngine struct {
// contains filtered or unexported fields
}
SecretEngine is an object wrapper for interacting with backend secret "providers". It wraps a cache and a locking mechanism around the simple Read/Write methods that the backends provide.
func GetSecretEngine ¶
func GetSecretEngine(cluster *appv1.VDICluster) *SecretEngine
GetSecretEngine returns a new secret engine for the given cluster.
func (*SecretEngine) AppendSecret ¶
func (s *SecretEngine) AppendSecret(name string, line []byte) error
AppendSecret is a convenience wrapper around reading a secret, adding a line, and then overwriting the existing secret with the new value. The initial read always goes through the cache.
func (*SecretEngine) Lock ¶
func (s *SecretEngine) Lock(timeoutSeconds int) error
Lock locks the secret engine. This is useful for long running operations that need to guarantee consistency. If there are multiple replicas of the app running, a remote lock is also acquired to keep peer processes from interfering.
func (*SecretEngine) ReadSecret ¶
func (s *SecretEngine) ReadSecret(name string, cache bool) ([]byte, error)
ReadSecret will fetch the requested secret from the backend. If cache is true, the cache will be checked first, and if not found then the backend will be queried. The secret is unconditionally written to the cache after retrieval.
func (*SecretEngine) ReadSecretMap ¶
func (s *SecretEngine) ReadSecretMap(name string, cache bool) (map[string][]byte, error)
ReadSecretMap will fetch the requested secret from the backend. If cache is true, the cache will be checked first, and if not found the backend will be queried. The result is then unconditionally written to the cache.
func (*SecretEngine) Release ¶
func (s *SecretEngine) Release()
Release will release any currently held locks.
func (*SecretEngine) Setup ¶
func (s *SecretEngine) Setup(c client.Client, cluster *appv1.VDICluster) error
Setup sets the local client interface and calls Setup on the backend.
func (*SecretEngine) WriteSecret ¶
func (s *SecretEngine) WriteSecret(name string, contents []byte) error
WriteSecret writes the given secret to the backend. It also unconditionally writes it to the local cache.
func (*SecretEngine) WriteSecretMap ¶
func (s *SecretEngine) WriteSecretMap(name string, contents map[string][]byte) error
WriteSecretMap writes the given secret map to the backend. It also unconditionally writes it to the local cache.
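To make the Overview's cache and lock semantics concrete, the following is an added, self-contained example and not the package's own code. It assumes a minimal `SecretsProvider` interface (only `ReadSecret`/`WriteSecret`) and a constructed in-memory backend standing in for the Kubernetes secret provider, then implements an engine with exactly the documented rules: a read consults the cache only when `cache` is true, every successful read or write refreshes the cache, `Lock` gives up after a timeout, and `AppendSecret` is read-through-cache plus append plus overwrite, performed under the lock. The 5-second timeout inside `AppendSecret` is an assumption.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"sync"
	"time"
)

// SecretsProvider is an assumed minimal backend shape; the real "common"
// interface on the page may expose more methods.
type SecretsProvider interface {
	ReadSecret(name string) ([]byte, error)
	WriteSecret(name string, contents []byte) error
}

// memProvider is a constructed in-memory backend so the example runs offline.
type memProvider struct {
	mu   sync.Mutex
	data map[string][]byte
}

func newMemProvider() *memProvider { return &memProvider{data: map[string][]byte{}} }

func (m *memProvider) ReadSecret(name string) ([]byte, error) {
	m.mu.Lock()
	defer m.mu.Unlock()
	v, ok := m.data[name]
	if !ok {
		return nil, fmt.Errorf("secret %q not found", name)
	}
	return append([]byte(nil), v...), nil // copy so callers cannot mutate the store
}

func (m *memProvider) WriteSecret(name string, contents []byte) error {
	m.mu.Lock()
	defer m.mu.Unlock()
	m.data[name] = append([]byte(nil), contents...)
	return nil
}

// SecretEngine wraps a backend with a local cache and a lock (local only here;
// the page describes an additional remote lock when several replicas run).
type SecretEngine struct {
	backend SecretsProvider
	cacheMu sync.RWMutex
	cache   map[string][]byte
	lock    chan struct{} // capacity 1: holding the token means holding the lock
}

func NewSecretEngine(p SecretsProvider) *SecretEngine {
	return &SecretEngine{backend: p, cache: map[string][]byte{}, lock: make(chan struct{}, 1)}
}

// Lock acquires the engine lock or fails once timeoutSeconds have elapsed.
func (s *SecretEngine) Lock(timeoutSeconds int) error {
	select {
	case s.lock <- struct{}{}:
		return nil
	case <-time.After(time.Duration(timeoutSeconds) * time.Second):
		return errors.New("timed out waiting for secret engine lock")
	}
}

// Release drops the lock; it is a no-op when the lock is not held.
func (s *SecretEngine) Release() {
	select {
	case <-s.lock:
	default:
	}
}

// ReadSecret checks the cache first only when cache is true, then always
// stores whatever the backend returned in the cache.
func (s *SecretEngine) ReadSecret(name string, cache bool) ([]byte, error) {
	if cache {
		s.cacheMu.RLock()
		v, ok := s.cache[name]
		s.cacheMu.RUnlock()
		if ok {
			return append([]byte(nil), v...), nil
		}
	}
	v, err := s.backend.ReadSecret(name)
	if err != nil {
		return nil, err
	}
	s.cacheMu.Lock()
	s.cache[name] = append([]byte(nil), v...)
	s.cacheMu.Unlock()
	return v, nil
}

// WriteSecret writes through to the backend and unconditionally updates the cache.
func (s *SecretEngine) WriteSecret(name string, contents []byte) error {
	if err := s.backend.WriteSecret(name, contents); err != nil {
		return err
	}
	s.cacheMu.Lock()
	s.cache[name] = append([]byte(nil), contents...)
	s.cacheMu.Unlock()
	return nil
}

// AppendSecret reads (via the cache), appends one line, and overwrites, all
// under the engine lock so two appenders cannot drop each other's line.
func (s *SecretEngine) AppendSecret(name string, line []byte) error {
	if err := s.Lock(5); err != nil { // assumed timeout
		return err
	}
	defer s.Release()
	cur, err := s.ReadSecret(name, true)
	if err != nil {
		return err
	}
	if len(cur) > 0 && !bytes.HasSuffix(cur, []byte("\n")) {
		cur = append(cur, '\n')
	}
	cur = append(append(cur, line...), '\n')
	return s.WriteSecret(name, cur)
}

func main() {
	p := newMemProvider()
	e := NewSecretEngine(p)
	_ = e.WriteSecret("jwt", []byte("k1"))
	_ = p.WriteSecret("jwt", []byte("k2")) // change the backend behind the engine
	cached, _ := e.ReadSecret("jwt", true)
	fresh, _ := e.ReadSecret("jwt", false)
	fmt.Printf("cached=%s fresh=%s\n", cached, fresh)
}
```

The stale-read case in `main` is the point worth noticing: once a value is cached, a `cache=true` read never sees a change made directly in the backend until some `cache=false` read or a write through the engine refreshes it, which is why rotation of a secret must go through `WriteSecret` on every replica or use uncached reads.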
Directories ¶
Path | Synopsis
---|---
common | Package common defines the core interface for various secrets backends to implement.
providers |
providers/k8secret | Package k8secret implements a SecretsProvider backend that uses Kubernetes secrets for the data store.
providers/vault | Package vault implements a SecretsProvider backend that uses the configured vault server for storing sensitive information.