secrets

Published: Feb 16, 2026 License: Apache-2.0 Imports: 6 Imported by: 0

Documentation

Overview

Package secrets manages encrypted secrets for ctrlplane instances. It defines the Vault interface for pluggable secret storage backends (HashiCorp Vault, AWS Secrets Manager, etc.) and the Service/Store interfaces for secret lifecycle management.


Types

type Secret

// Secret represents a managed secret belonging to one tenant and one
// instance. Only metadata is exposed over JSON: Value carries the
// `json:"-"` tag, so encoding a Secret never emits the secret material.
type Secret struct {
	ctrlplane.Entity

	// TenantID scopes the secret to a tenant. Store lookups take the tenant
	// as an explicit parameter, so this is the primary isolation key.
	TenantID   string     `db:"tenant_id"   json:"tenant_id"`
	// InstanceID is the instance the secret belongs to.
	InstanceID id.ID      `db:"instance_id" json:"instance_id"`
	// Key is the secret's name; Store looks secrets up by (tenant, instance, key).
	Key        string     `db:"key"         json:"key"`
	// Type selects how the secret is consumed (see the Secret* constants).
	Type       SecretType `db:"type"        json:"type"`
	// Version is the secret's version number. NOTE(review): when and how it is
	// incremented is not visible here — confirm against the Service implementation.
	Version    int        `db:"version"     json:"version"`
	// Value is the stored secret material, persisted via the "value" column
	// and excluded from JSON. NOTE(review): whether this holds ciphertext or a
	// reference into the Vault is not visible here — treat it as sensitive and
	// keep it out of logs and error messages either way.
	Value      []byte     `db:"value"       json:"-"`
}

Secret represents a managed secret. The Value field is never serialized to JSON — only metadata is exposed.

type SecretType

// SecretType identifies the kind of secret; the known values are the
// Secret* constants below. It is stored in the "type" column and exposed
// as the JSON "type" field of Secret.
type SecretType string

SecretType identifies the kind of secret.

// Known SecretType values. Service.Inject resolves only SecretEnvVar
// secrets into the environment map; the other kinds are consumed elsewhere.
const (
	// SecretEnvVar is an environment variable secret.
	SecretEnvVar SecretType = "env"

	// SecretFile is a file-based secret.
	SecretFile SecretType = "file"

	// SecretRegistry holds Docker registry credentials.
	SecretRegistry SecretType = "registry"

	// SecretTLS holds TLS certificate material.
	SecretTLS SecretType = "tls"
)

type Service

// Service manages secrets for instances. Unlike Store, its methods take no
// tenantID. NOTE(review): tenant scoping is presumably derived from ctx via
// the auth.Provider passed to NewService — confirm that every method applies
// it before touching the Store, since a missing check would let one tenant
// address another tenant's instance by ID.
type Service interface {
	// Set creates or updates a secret for an instance. req.Value is the raw
	// secret material supplied by the caller; the request must not be logged.
	Set(ctx context.Context, req SetRequest) (*Secret, error)

	// Get retrieves a secret's metadata by instance and key. Whether the
	// returned Secret's Value is populated is not specified here; callers
	// should treat the result as sensitive regardless.
	Get(ctx context.Context, instanceID id.ID, key string) (*Secret, error)

	// Delete removes a secret from an instance.
	Delete(ctx context.Context, instanceID id.ID, key string) error

	// List returns all secrets for an instance (values omitted).
	List(ctx context.Context, instanceID id.ID) ([]Secret, error)

	// Inject resolves all env-type secrets for an instance into a key-value
	// map. The values are presumably the decrypted secrets (see Vault.Retrieve);
	// keep the map out of logs, error messages and long-lived state.
	Inject(ctx context.Context, instanceID id.ID) (map[string]string, error)
}

Service manages secrets for instances.

func NewService

func NewService(store Store, vault Vault, auth auth.Provider) Service

NewService creates a secrets Service backed by the given Store, Vault and auth Provider.

type SetRequest

// SetRequest holds the parameters for creating or updating a secret.
type SetRequest struct {
	// InstanceID is the target instance; required.
	InstanceID id.ID      `json:"instance_id" validate:"required"`
	// Key names the secret within the instance; required.
	Key        string     `json:"key"         validate:"required"`
	// Value is the raw secret material as supplied by the caller; required.
	// Unlike Secret.Value it is an ordinary JSON field, so request bodies
	// carrying it must never be logged or echoed back in error responses.
	Value      string     `json:"value"       validate:"required"`
	// Type defaults to SecretEnvVar ("env") when omitted, per the default tag.
	Type       SecretType `default:"env"      json:"type"`
}

SetRequest holds the parameters for creating or updating a secret.

type Store

// Store is the persistence interface for secrets. Every read and delete
// takes an explicit tenantID in addition to the instance/key; implementations
// must include tenantID in the lookup predicate so that an instanceID/key
// pair from another tenant never matches.
type Store interface {
	// InsertSecret persists a new secret. The tenant comes from secret.TenantID.
	InsertSecret(ctx context.Context, secret *Secret) error

	// GetSecretByKey retrieves a secret by tenant, instance ID and key.
	GetSecretByKey(ctx context.Context, tenantID string, instanceID id.ID, key string) (*Secret, error)

	// ListSecrets returns all secrets for an instance (values omitted),
	// scoped to tenantID.
	ListSecrets(ctx context.Context, tenantID string, instanceID id.ID) ([]Secret, error)

	// UpdateSecret persists changes to a secret. NOTE(review): whether the
	// update is scoped by secret.TenantID as well as its ID is not visible
	// here — confirm in the implementation.
	UpdateSecret(ctx context.Context, secret *Secret) error

	// DeleteSecret removes a secret by tenant, instance ID and key.
	DeleteSecret(ctx context.Context, tenantID string, instanceID id.ID, key string) error

	// CountSecretsByTenant returns the number of secrets for a tenant,
	// e.g. for enforcing per-tenant limits.
	CountSecretsByTenant(ctx context.Context, tenantID string) (int, error)
}

Store is the persistence interface for secrets.

type Vault

// Vault abstracts the secret storage backend (HashiCorp Vault, AWS Secrets
// Manager, sealed secrets, etc.). Values are addressed by an opaque key
// string; how that key is derived from a Secret is decided by the Service.
type Vault interface {
	// Store encrypts and persists a secret value under key. Implementations
	// must not write value to logs or error messages.
	Store(ctx context.Context, key string, value []byte) error

	// Retrieve decrypts and returns the secret value stored under key.
	// The returned slice is plaintext; callers own it and should not retain it.
	Retrieve(ctx context.Context, key string) ([]byte, error)

	// Delete removes a secret from the vault.
	Delete(ctx context.Context, key string) error

	// Rotate generates a new encryption key version for key. NOTE(review):
	// whether the stored value is re-encrypted under the new version, and
	// whether the old version stays readable, is not specified here — confirm
	// per backend.
	Rotate(ctx context.Context, key string) error
}

Vault abstracts the secret storage backend. Implement for HashiCorp Vault, AWS Secrets Manager, sealed secrets, etc.
