secrets

package
v0.3.6
Warning

This package is not in the latest version of its module.

Published: Oct 24, 2021 License: GPL-3.0 Imports: 12 Imported by: 0

Documentation

Overview

Package secrets contains an engine for reading and writing secrets from configurable backends. Currently only a K8s secret backend provider is available, but other interfaces, such as one for vault, can eventually be added.

The purpose of this package is to provide "filesystem" like access to sensitive values, e.g. JWT signing secrets, user credential hashes, OTP secrets, etc.

The main methods provided are `ReadSecret`, `WriteSecret`, and `AppendSecret` with the added ability to grab locks and use an optional cache.

Types

type SecretEngine

type SecretEngine struct {
	// contains filtered or unexported fields
}

SecretEngine is an object wrapper for interacting with backend secret "providers". It wraps a cache and a locking mechanism around the simple Read/Write methods that the backends provide.

func GetSecretEngine

func GetSecretEngine(cluster *appv1.VDICluster) *SecretEngine

GetSecretEngine returns a new secret engine for the given cluster.

func (*SecretEngine) AppendSecret

func (s *SecretEngine) AppendSecret(name string, line []byte) error

AppendSecret is a convenience wrapper around reading a secret, adding a line, and then overwriting the existing secret with the new value. This method assumes that the cache is in use.

func (*SecretEngine) Close

func (s *SecretEngine) Close() error

Close calls Close on the backend.

func (*SecretEngine) Lock

func (s *SecretEngine) Lock(timeoutSeconds int) error

Lock locks the secret engine. This is useful for long running operations that need to guarantee consistency. If there are multiple replicas of the app running, a remote lock is also acquired to keep peer processes from interfering.

func (*SecretEngine) ReadSecret

func (s *SecretEngine) ReadSecret(name string, cache bool) ([]byte, error)

ReadSecret will fetch the requested secret from the backend. If cache is true, the cache will be checked first, and if not found then the backend will be queried. The secret is unconditionally written to the cache after retrieval.

func (*SecretEngine) ReadSecretMap

func (s *SecretEngine) ReadSecretMap(name string, cache bool) (map[string][]byte, error)

ReadSecretMap will fetch the requested secret from the backend. If cache is true, the cache will be checked first, and if not found the backend will be queried. The result is then unconditionally written to the cache.

func (*SecretEngine) Release

func (s *SecretEngine) Release()

Release will release any currently held locks.

func (*SecretEngine) Setup

func (s *SecretEngine) Setup(c client.Client, cluster *appv1.VDICluster) error

Setup sets the local client interface and calls Setup on the backend.

func (*SecretEngine) WriteSecret

func (s *SecretEngine) WriteSecret(name string, contents []byte) error

WriteSecret writes the given secret to the backend. It also unconditionally writes it to the local cache.

func (*SecretEngine) WriteSecretMap

func (s *SecretEngine) WriteSecretMap(name string, contents map[string][]byte) error

WriteSecretMap writes the given secret map to the backend. It also unconditionally writes it to the local cache.
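
The AppendSecret, ReadSecret and Lock descriptions above describe a cached read-modify-write and a lock meant to keep peer replicas consistent. The following is an added example, not code from this package: a simplified in-memory model of those documented semantics, showing how a line can be lost when two replicas append from their own caches, and how refreshing with cache=false while holding the lock avoids it. The `engine` type, `lockedAppend`, `run` and the `users` secret are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"sync"
)

// Constructed model, not the package's code: replicas share one backend and
// one lock (standing in for the remote lock); each has its own cache.
type engine struct {
	backend, cache map[string][]byte
	lock           *sync.Mutex
}

// readSecret checks the cache first when cache is true; the result is always cached.
func (e *engine) readSecret(name string, cache bool) []byte {
	if v, ok := e.cache[name]; cache && ok {
		return v
	}
	e.cache[name] = append([]byte(nil), e.backend[name]...)
	return e.cache[name]
}

// appendSecret does a cached read, adds a line, then overwrites backend and cache.
func (e *engine) appendSecret(name, line string) {
	v := append(append([]byte(nil), e.readSecret(name, true)...), line+"\n"...)
	e.backend[name], e.cache[name] = v, v
}

// lockedAppend holds the shared lock and refreshes the cache before appending.
func (e *engine) lockedAppend(name, line string) {
	e.lock.Lock()
	defer e.lock.Unlock()
	e.readSecret(name, false)
	e.appendSecret(name, line)
}

// run appends from replica a, then b, then a again, and returns the stored secret.
func run(add func(e *engine, name, line string)) string {
	be, mu := map[string][]byte{}, &sync.Mutex{}
	a := &engine{be, map[string][]byte{}, mu}
	b := &engine{be, map[string][]byte{}, mu}
	add(a, "users", "alice")
	add(b, "users", "bob")
	add(a, "users", "carol") // a's cache was filled before bob's line was stored
	return string(be["users"])
}

func main() { fmt.Printf("%q\n%q\n", run((*engine).appendSecret), run((*engine).lockedAppend)) }
```

In the model, the plain sequence overwrites the line written by the second replica, while the locked sequence keeps all three lines.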

Directories

Path Synopsis
Package common defines the core interface for various secrets backends to implement.
providers
k8secret
Package k8secret implements a SecretsProvider backend that uses Kubernetes secrets for the data store.
vault
Package vault implements a SecretsProvider backend that uses the configured vault server for storing sensitive information.
