Package secrets

Version v0.0.0-...-dac86b4 (not the latest version of its module)
Published: Feb 16, 2026 License: MIT Imports: 14 Imported by: 0

Documentation

Constants

const SecretPrefix = "secret://"

SecretPrefix is the URI scheme used in config values to reference secrets.

Variables

var (
	ErrNotFound     = errors.New("secrets: secret not found")
	ErrUnsupported  = errors.New("secrets: operation not supported")
	ErrInvalidKey   = errors.New("secrets: invalid key")
	ErrProviderInit = errors.New("secrets: provider initialization failed")
)

Common errors.

Functions

This section is empty.

Types

type AWSConfig

type AWSConfig struct {
	Region          string `json:"region" yaml:"region"`
	AccessKeyID     string `json:"accessKeyId,omitempty" yaml:"accessKeyId,omitempty"`
	SecretAccessKey string `json:"secretAccessKey,omitempty" yaml:"secretAccessKey,omitempty"`
}

AWSConfig holds configuration for AWS Secrets Manager.

type AWSSecretsManagerProvider

type AWSSecretsManagerProvider struct {
	// contains filtered or unexported fields
}

AWSSecretsManagerProvider reads secrets from AWS Secrets Manager using the HTTP API with AWS Signature V4 signing. No external AWS SDK is required.

func NewAWSSecretsManagerProvider

func NewAWSSecretsManagerProvider(cfg AWSConfig) (*AWSSecretsManagerProvider, error)

NewAWSSecretsManagerProvider creates a new AWS Secrets Manager provider. If AccessKeyID/SecretAccessKey are empty, it falls back to the environment variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY.

func NewAWSSecretsManagerProviderWithClient

func NewAWSSecretsManagerProviderWithClient(cfg AWSConfig, client HTTPClient) *AWSSecretsManagerProvider

NewAWSSecretsManagerProviderWithClient creates an AWS provider with a custom HTTP client (for testing).

func (*AWSSecretsManagerProvider) Config

func (p *AWSSecretsManagerProvider) Config() AWSConfig

Config returns the provider's AWS configuration.

func (*AWSSecretsManagerProvider) Delete

func (p *AWSSecretsManagerProvider) Delete(ctx context.Context, key string) error

func (*AWSSecretsManagerProvider) Get

func (p *AWSSecretsManagerProvider) Get(ctx context.Context, key string) (string, error)

func (*AWSSecretsManagerProvider) List

func (p *AWSSecretsManagerProvider) List(ctx context.Context) ([]string, error)

func (*AWSSecretsManagerProvider) Name

func (p *AWSSecretsManagerProvider) Name() string

func (*AWSSecretsManagerProvider) Set

func (p *AWSSecretsManagerProvider) Set(ctx context.Context, key, value string) error

type EnvProvider

type EnvProvider struct {
	// contains filtered or unexported fields
}

EnvProvider reads secrets from environment variables. Keys are converted to uppercase with dots replaced by underscores. For example, "database.password" becomes "DATABASE_PASSWORD".

func NewEnvProvider

func NewEnvProvider(prefix string) *EnvProvider

NewEnvProvider creates a new environment variable secret provider. If prefix is non-empty, it is prepended to all key lookups (e.g., prefix "APP_" + key "db_pass" -> "APP_DB_PASS").

func (*EnvProvider) Delete

func (p *EnvProvider) Delete(_ context.Context, key string) error

func (*EnvProvider) Get

func (p *EnvProvider) Get(_ context.Context, key string) (string, error)

func (*EnvProvider) List

func (p *EnvProvider) List(_ context.Context) ([]string, error)

func (*EnvProvider) Name

func (p *EnvProvider) Name() string

func (*EnvProvider) Set

func (p *EnvProvider) Set(_ context.Context, key, value string) error

type FileProvider

type FileProvider struct {
	// contains filtered or unexported fields
}

FileProvider reads secrets from files in a directory. Each file name is the secret key, and the file content is the value. This is compatible with Kubernetes secret volume mounts.

func NewFileProvider

func NewFileProvider(dir string) *FileProvider

NewFileProvider creates a file-based secret provider rooted at dir.

func (*FileProvider) Delete

func (p *FileProvider) Delete(_ context.Context, key string) error

func (*FileProvider) Get

func (p *FileProvider) Get(_ context.Context, key string) (string, error)

func (*FileProvider) List

func (p *FileProvider) List(_ context.Context) ([]string, error)

func (*FileProvider) Name

func (p *FileProvider) Name() string

func (*FileProvider) Set

func (p *FileProvider) Set(_ context.Context, key, value string) error
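An added example, not the package's FileProvider, of the file-per-key layout described above together with the key check a Kubernetes-mounted secret directory calls for: because the key becomes a path component, the example accepts only a plain file name, so a key such as "../etc/shadow" cannot read outside dir. FileStore, validateKey and seedDir are this example's names, the sample files are constructed, and rejecting such keys with ErrInvalidKey is an assumed policy rather than documented FileProvider behaviour.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

var ErrNotFound = errors.New("secrets: secret not found")
var ErrInvalidKey = errors.New("secrets: invalid key")

// FileStore is an added file-backed reader shaped like the package's
// FileProvider: one file per key under dir, and the file content is the value.
type FileStore struct{ dir string }

func NewFileStore(dir string) *FileStore { return &FileStore{dir: dir} }

// validateKey accepts only a plain file name, so a key such as "../etc/shadow"
// or "sub/dir" can never read outside dir (a policy assumed by this example).
func validateKey(key string) error {
	if key == "" || key == "." || key == ".." ||
		strings.ContainsAny(key, `/\`) || filepath.Base(key) != key {
		return fmt.Errorf("%w: %q", ErrInvalidKey, key)
	}
	return nil
}

// Get returns the raw file content; a missing file maps to ErrNotFound.
func (s *FileStore) Get(_ context.Context, key string) (string, error) {
	if err := validateKey(key); err != nil {
		return "", err
	}
	b, err := os.ReadFile(filepath.Join(s.dir, key))
	if errors.Is(err, os.ErrNotExist) {
		return "", fmt.Errorf("%w: %s", ErrNotFound, key)
	}
	if err != nil {
		return "", err
	}
	return string(b), nil
}

// List returns the key names in dir. Kubernetes secret volumes also contain
// "..data" and "..<timestamp>" bookkeeping entries, so dot-prefixed names are
// skipped while the symlinked key files themselves are kept.
func (s *FileStore) List(_ context.Context) ([]string, error) {
	entries, err := os.ReadDir(s.dir)
	if err != nil {
		return nil, err
	}
	var keys []string
	for _, e := range entries {
		if !strings.HasPrefix(e.Name(), ".") {
			keys = append(keys, e.Name())
		}
	}
	return keys, nil
}

// seedDir writes constructed sample secrets into a fresh temporary directory.
func seedDir() (string, error) {
	dir, err := os.MkdirTemp("", "secrets-demo-")
	if err != nil {
		return "", err
	}
	for k, v := range map[string]string{"db-password": "s3cr3t", "api-token": "tok-123"} {
		if err := os.WriteFile(filepath.Join(dir, k), []byte(v), 0o600); err != nil {
			return "", err
		}
	}
	return dir, nil
}

func main() {
	dir, err := seedDir()
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	s := NewFileStore(dir)
	v, err := s.Get(context.Background(), "db-password")
	fmt.Println(len(v), err) // length only; never log the secret itself
	_, err = s.Get(context.Background(), "../etc/passwd")
	fmt.Println(err) // secrets: invalid key: "../etc/passwd"
}
```

The content is returned untrimmed, matching the "file content is the value" rule; if a deployment writes files with a trailing newline, that newline is part of the secret and should be handled by the writer, not silently stripped here.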

type HTTPClient

type HTTPClient interface {
	Do(req *http.Request) (*http.Response, error)
}

HTTPClient is an interface for HTTP requests (allows testing).

type MultiResolver

type MultiResolver struct {
	// contains filtered or unexported fields
}

MultiResolver resolves secret references in configuration values using multiple providers identified by URI scheme. It is backward-compatible: bare ${VAR_NAME} references (without a scheme) default to env resolution.

func NewMultiResolver

func NewMultiResolver() *MultiResolver

NewMultiResolver creates a new MultiResolver. An EnvProvider is registered by default under the "env" scheme.

func (*MultiResolver) Expand

func (m *MultiResolver) Expand(ctx context.Context, input string) (string, error)

Expand replaces all ${...} patterns in input with resolved values.

Supported formats:

  • ${vault:secret/path#field} — uses "vault" provider with key "secret/path#field"
  • ${aws-sm:secret-name} — uses "aws-sm" provider with key "secret-name"
  • ${env:VAR_NAME} — uses "env" provider with key "VAR_NAME"
  • ${VAR_NAME} — backward-compatible, uses "env" provider (os.LookupEnv via EnvProvider)
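The formats listed above, together with the EnvProvider key mapping described earlier ("database.password" becomes "DATABASE_PASSWORD", with an optional prefix), as an added self-contained Go example. It is not the package's code: it reimplements the documented Provider interface behind a read-only adapter (funcProvider, NewEnvProvider, NewMapProvider and Resolver are this example's names), registers a constructed in-memory provider under the "vault" scheme in place of a real Vault, and treats an unknown scheme or a missing key as a hard error. Whether the real EnvProvider's Set, Delete and List return ErrUnsupported is an assumption here.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"os"
	"regexp"
	"strings"
)

// Provider is the backend interface as the secrets package documents it.
type Provider interface {
	Name() string
	Get(ctx context.Context, key string) (string, error)
	Set(ctx context.Context, key, value string) error
	Delete(ctx context.Context, key string) error
	List(ctx context.Context) ([]string, error)
}

var ErrNotFound = errors.New("secrets: secret not found")
var ErrUnsupported = errors.New("secrets: operation not supported")
// EnvKey is the documented EnvProvider mapping: prefix + uppercase, dots to underscores.
func EnvKey(prefix, key string) string {
	return prefix + strings.ToUpper(strings.ReplaceAll(key, ".", "_"))
}

// funcProvider adapts a lookup function to Provider; it is read-only, so the
// write-side methods return ErrUnsupported (an assumption of this example).
type funcProvider struct {
	name   string
	lookup func(key string) (string, bool)
}

func (p funcProvider) Name() string { return p.name }
func (p funcProvider) Get(_ context.Context, key string) (string, error) {
	if v, ok := p.lookup(key); ok {
		return v, nil
	}
	return "", fmt.Errorf("%w: %s", ErrNotFound, key)
}
func (funcProvider) Set(context.Context, string, string) error { return ErrUnsupported }
func (funcProvider) Delete(context.Context, string) error      { return ErrUnsupported }
func (funcProvider) List(context.Context) ([]string, error)    { return nil, ErrUnsupported }

// NewEnvProvider mirrors EnvProvider: the key goes through EnvKey, then os.LookupEnv.
func NewEnvProvider(prefix string) Provider {
	return funcProvider{name: "env", lookup: func(key string) (string, bool) {
		return os.LookupEnv(EnvKey(prefix, key))
	}}
}

// NewMapProvider is a constructed in-memory stand-in for a remote backend such as Vault.
func NewMapProvider(name string, data map[string]string) Provider {
	return funcProvider{name: name, lookup: func(key string) (string, bool) {
		v, ok := data[key]
		return v, ok
	}}
}

// Resolver dispatches ${scheme:key} by scheme; a bare ${VAR} falls back to "env".
type Resolver struct{ providers map[string]Provider }

func NewResolver() *Resolver {
	r := &Resolver{providers: map[string]Provider{}}
	r.Register("env", NewEnvProvider(""))
	return r
}

func (r *Resolver) Register(scheme string, p Provider) { r.providers[scheme] = p }
var refPattern = regexp.MustCompile(`\$\{[^}]*\}`)

// Expand replaces every ${...}; an unknown scheme or missing key is an error, never a blank.
func (r *Resolver) Expand(ctx context.Context, input string) (string, error) {
	var errs error
	out := refPattern.ReplaceAllStringFunc(input, func(m string) string {
		scheme, key := "env", m[2:len(m)-1]
		if i := strings.Index(key, ":"); i >= 0 {
			scheme, key = key[:i], key[i+1:]
		}
		p, ok := r.providers[scheme]
		if !ok {
			errs = errors.Join(errs, fmt.Errorf("secrets: no provider for scheme %q", scheme))
			return m
		}
		v, err := p.Get(ctx, key)
		if err != nil { // name the reference, never a value, so the error is safe to log
			errs = errors.Join(errs, fmt.Errorf("resolving %s: %w", m, err))
		}
		return v
	})
	return out, errs
}

func main() {
	os.Setenv("DATABASE_PASSWORD", "from-env") // constructed sample environment
	r := NewResolver()
	r.Register("vault", NewMapProvider("vault", map[string]string{"secret/db#password": "from-vault"}))
	out, err := r.Expand(context.Background(), "postgres://app:${vault:secret/db#password}@db/app?alt=${database.password}")
	fmt.Println(len(out), err) // length only, so resolved secrets stay out of logs
}
```

The scheme is taken up to the first ":" so keys such as "secret/path#field" pass through intact, and the design choice worth copying is the fail-closed error path: a reference that cannot be resolved surfaces as an error carrying the reference text, not as an empty credential or as the literal "${...}" reaching the service.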

func (*MultiResolver) Provider

func (m *MultiResolver) Provider(scheme string) Provider

Provider returns the provider for a given scheme, or nil if not found.

func (*MultiResolver) Register

func (m *MultiResolver) Register(scheme string, provider Provider)

Register adds or replaces a provider for a given scheme.

func (*MultiResolver) Schemes

func (m *MultiResolver) Schemes() []string

Schemes returns the list of registered provider schemes.

func (*MultiResolver) Unregister

func (m *MultiResolver) Unregister(scheme string)

Unregister removes a provider for the given scheme.

type Provider

type Provider interface {
	// Name returns the provider identifier.
	Name() string
	// Get retrieves a secret value by key.
	Get(ctx context.Context, key string) (string, error)
	// Set stores a secret. Returns ErrUnsupported if read-only.
	Set(ctx context.Context, key, value string) error
	// Delete removes a secret. Returns ErrUnsupported if read-only.
	Delete(ctx context.Context, key string) error
	// List returns all available secret keys. Returns ErrUnsupported if not supported.
	List(ctx context.Context) ([]string, error)
}

Provider defines the interface for secret storage backends.

type Resolver

type Resolver struct {
	// contains filtered or unexported fields
}

Resolver resolves secret:// references in configuration values.

func NewResolver

func NewResolver(provider Provider) *Resolver

NewResolver creates a resolver backed by the given provider.

func (*Resolver) Provider

func (r *Resolver) Provider() Provider

Provider returns the underlying provider.

func (*Resolver) Resolve

func (r *Resolver) Resolve(ctx context.Context, value string) (string, error)

Resolve replaces a value containing a secret:// reference with the actual secret. If the value does not start with SecretPrefix, it is returned as-is.

func (*Resolver) ResolveMap

func (r *Resolver) ResolveMap(ctx context.Context, m map[string]any) (map[string]any, error)

ResolveMap resolves all secret:// references in a string map.
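The Resolve and ResolveMap semantics above as an added example, not the package's own code: a value is replaced only when it starts with SecretPrefix, everything else passes through unchanged, and a new map is returned so the original configuration is never mutated. ResolveValue and ResolveConfig are this example's names, Lookup stands in for Provider.Get with constructed in-memory data, and the recursive descent into nested map[string]any values goes beyond the documented string-map behaviour.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"strings"
)

// SecretPrefix is the URI scheme from the package docs.
const SecretPrefix = "secret://"

var ErrNotFound = errors.New("secrets: secret not found")

// Lookup stands in for Provider.Get so the example needs no backend.
type Lookup func(ctx context.Context, key string) (string, error)

// mapLookup serves constructed sample secrets from memory.
func mapLookup(data map[string]string) Lookup {
	return func(_ context.Context, key string) (string, error) {
		if v, ok := data[key]; ok {
			return v, nil
		}
		return "", fmt.Errorf("%w: %s", ErrNotFound, key)
	}
}

// ResolveValue swaps "secret://<key>" for the secret; any other value is
// returned unchanged, as documented for Resolver.Resolve.
func ResolveValue(ctx context.Context, get Lookup, value string) (string, error) {
	if !strings.HasPrefix(value, SecretPrefix) {
		return value, nil
	}
	return get(ctx, strings.TrimPrefix(value, SecretPrefix))
}

// ResolveConfig returns a new map with every string value resolved. Nested
// map[string]any values are descended into recursively (an extension of this
// example beyond the documented string map); other leaves are copied as-is and
// the input map is never modified. The first failure aborts, naming the
// offending config key rather than any secret value.
func ResolveConfig(ctx context.Context, get Lookup, m map[string]any) (map[string]any, error) {
	out := make(map[string]any, len(m))
	for k, v := range m {
		var (
			r   any
			err error
		)
		switch t := v.(type) {
		case string:
			r, err = ResolveValue(ctx, get, t)
		case map[string]any:
			r, err = ResolveConfig(ctx, get, t)
		default:
			r = v
		}
		if err != nil {
			return nil, fmt.Errorf("config key %q: %w", k, err)
		}
		out[k] = r
	}
	return out, nil
}

func main() {
	get := mapLookup(map[string]string{"db/password": "hunter2"}) // constructed sample secret
	cfg := map[string]any{
		"host": "db.internal",
		"port": 5432,
		"auth": map[string]any{"user": "app", "password": "secret://db/password"},
	}
	resolved, err := ResolveConfig(context.Background(), get, cfg)
	fmt.Println(resolved["host"], resolved["port"], err)
	fmt.Println(cfg["auth"]) // the original still holds the reference, not the secret
}
```

Keeping the original map untouched matters in practice: the unresolved configuration is what can safely be logged, diffed or dumped on error, while the resolved copy should live only as long as the client that needs it.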

type VaultConfig

type VaultConfig struct {
	Address   string `json:"address" yaml:"address"`
	Token     string `json:"token" yaml:"token"`
	MountPath string `json:"mount_path" yaml:"mount_path"`
	Namespace string `json:"namespace,omitempty" yaml:"namespace,omitempty"`
}

VaultConfig holds configuration for HashiCorp Vault.

type VaultProvider

type VaultProvider struct {
	// contains filtered or unexported fields
}

VaultProvider implements a HashiCorp Vault secret provider. When created with NewVaultProviderHTTP, it uses the Vault HTTP API. When created with NewVaultProvider, it acts as a stub.

func NewVaultProvider

func NewVaultProvider(cfg VaultConfig) (*VaultProvider, error)

NewVaultProvider creates a new Vault provider stub.

func NewVaultProviderHTTP

func NewVaultProviderHTTP(cfg VaultConfig) (*VaultProvider, error)

NewVaultProviderHTTP creates a new Vault provider that uses the Vault HTTP API. This replaces the stub VaultProvider with real functionality.

func (*VaultProvider) Config

func (p *VaultProvider) Config() VaultConfig

Config returns the provider's Vault configuration.

func (*VaultProvider) Delete

func (p *VaultProvider) Delete(_ context.Context, key string) error

func (*VaultProvider) Get

func (p *VaultProvider) Get(ctx context.Context, key string) (string, error)

func (*VaultProvider) GetFromVault

func (p *VaultProvider) GetFromVault(ctx context.Context, key string) (string, error)

GetFromVault retrieves a secret value from the Vault HTTP API. The key can be in the format "path" or "path#field". If #field is specified, returns that specific field from the secret data. Otherwise, returns the entire data as JSON.

func (*VaultProvider) List

func (p *VaultProvider) List(_ context.Context) ([]string, error)

func (*VaultProvider) Name

func (p *VaultProvider) Name() string

func (*VaultProvider) Set

func (p *VaultProvider) Set(_ context.Context, key, value string) error
