store

package
v1.222.0-rc.1 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jun 15, 2026 License: Apache-2.0 Imports: 54 Imported by: 0

Documentation

Overview

Package store is a generated GoMock package.

Package store is a generated GoMock package.

Index

Constants

View Source 
const (
	KindArtifactory    = "artifactory"
	KindAzureKeyVault  = "azure/keyvault"
	KindAWSSSM         = "aws/ssm"
	KindAWSASM         = "aws/asm"
	KindGCPSecret      = "gcp/secretmanager"
	KindHashicorpVault = "hashicorp/vault"
	KindRedis          = "redis"
	KindOnePassword    = "onepassword"
	KindKeychain       = "keychain"
	KindGitHubActions  = "github/actions"
)

Backend kind constants (cloud/thing vocabulary, shared with the secrets subsystem).

View Source 
const (

	// AzureKeyVaultHyphen is the hyphen character used for Azure Key Vault secret name normalization.
	AzureKeyVaultHyphen = "-"
)

Variables

View Source 
var (
	// Common validation errors.
	ErrEmptyStack           = errors.New("stack cannot be empty")
	ErrEmptyComponent       = errors.New("component cannot be empty")
	ErrEmptyKey             = errors.New("key cannot be empty")
	ErrStackDelimiterNotSet = errors.New("stack delimiter is not set")
	ErrGetKey               = errors.New("failed to get key")

	// AWS SSM specific errors.
	ErrRegionRequired  = errors.New("region is required in ssm store configuration")
	ErrLoadAWSConfig   = errors.New("failed to load AWS config")
	ErrSetParameter    = errors.New("failed to set parameter")
	ErrGetParameter    = errors.New("failed to get parameter")
	ErrDeleteParameter = errors.New("failed to delete parameter")

	// ErrDeleteNotSupported is returned by stores that do not support deletion.
	ErrDeleteNotSupported = errors.New("delete is not supported by this store")

	// Azure Key Vault specific errors.
	ErrVaultURLRequired = errors.New("vault_url is required in azure key vault store configuration")
	ErrCreateClient     = errors.New("failed to create client")
	ErrAccessSecret     = errors.New("failed to access secret")
	ErrResourceNotFound = errors.New("resource not found")
	ErrPermissionDenied = errors.New("permission denied")

	// Redis specific errors.
	ErrParseRedisURL   = errors.New("failed to parse redis url")
	ErrMissingRedisURL = errors.New("either url must be set in options or ATMOS_REDIS_URL environment variable must be set")
	ErrGetRedisKey     = errors.New("failed to get key from redis")

	// Artifactory specific errors.
	ErrMissingArtifactoryToken = errors.New("either access_token must be set in options or one of JFROG_ACCESS_TOKEN or ARTIFACTORY_ACCESS_TOKEN environment variables must be set")
	ErrCreateTempDir           = errors.New("failed to create temp dir")
	ErrCreateTempFile          = errors.New("failed to create temp file")
	ErrDownloadFile            = errors.New("failed to download file")
	ErrNoFilesDownloaded       = errors.New("no files downloaded")
	ErrReadFile                = errors.New("failed to read file")
	ErrUnmarshalFile           = errors.New("failed to unmarshal file")
	ErrWriteTempFile           = errors.New("failed to write to temp file")
	ErrUploadFile              = errors.New("failed to upload file")

	// Google Secret Manager specific errors.
	ErrProjectIDRequired = errors.New("project_id is required in Google Secret Manager store configuration")
	ErrValueMustBeString = errors.New("value must be a string")
	ErrCreateSecret      = errors.New("failed to create secret")
	ErrAddSecretVersion  = errors.New("failed to add secret version")

	// Registry specific errors.
	ErrParseArtifactoryOptions    = errors.New("failed to parse Artifactory store options")
	ErrParseAzureKeyVaultOptions  = errors.New("failed to parse Azure Key Vault store options")
	ErrParseSSMOptions            = errors.New("failed to parse SSM store options")
	ErrParseSecretsManagerOptions = errors.New("failed to parse AWS Secrets Manager store options")
	ErrParseGSMOptions            = errors.New("failed to parse Google Secret Manager store options")
	ErrParseVaultOptions          = errors.New("failed to parse HashiCorp Vault store options")
	ErrParseRedisOptions          = errors.New("failed to parse Redis store options")
	ErrStoreTypeNotFound          = errors.New("store type not found")
	ErrSecretBackendNotEncrypted  = errors.New("store cannot be marked secret: backend does not encrypt values at rest")

	// AWS Secrets Manager specific errors.
	ErrSetSecret    = errors.New("failed to set secret")
	ErrGetSecret    = errors.New("failed to get secret")
	ErrDeleteSecret = errors.New("failed to delete secret")

	// HashiCorp Vault specific errors.
	ErrVaultAddressRequired = errors.New("address is required in hashicorp vault store configuration")
	ErrVaultMountRequired   = errors.New("mount is required in hashicorp vault store configuration")
	ErrVaultWrite           = errors.New("failed to write secret to vault")
	ErrVaultRead            = errors.New("failed to read secret from vault")
	ErrVaultDelete          = errors.New("failed to delete secret from vault")
	ErrVaultEmptyData       = errors.New("vault returned empty data for secret")

	// 1Password specific errors.
	ErrOnePasswordNoAuth            = errors.New("no 1Password credentials found: set OP_SERVICE_ACCOUNT_TOKEN (or options.token), or OP_CONNECT_HOST + OP_CONNECT_TOKEN (or options.connect_host/connect_token)")
	ErrOnePasswordUnknownMode       = errors.New("unknown 1Password mode (expected auto, connect, or service-account)")
	ErrOnePasswordClientInit        = errors.New("failed to initialize 1Password client")
	ErrOnePasswordResolve           = errors.New("failed to resolve 1Password reference")
	ErrOnePasswordWrite             = errors.New("failed to write 1Password secret")
	ErrOnePasswordDelete            = errors.New("failed to delete 1Password secret")
	ErrOnePasswordReferenceTemplate = errors.New("failed to render 1Password reference template")
	ErrOnePasswordInvalidReference  = errors.New("invalid 1Password secret reference")
	ErrOnePasswordNotFound          = errors.New("1Password reference not found")
	ErrParseOnePasswordOptions      = errors.New("failed to parse 1Password store options")

	// GitHub Actions specific errors.
	ErrParseGitHubActionsOptions = errors.New("failed to parse GitHub Actions store options")
	ErrGitHubOwnerRepoRequired   = errors.New("owner and repo are required in GitHub Actions store configuration")
	ErrGitHubInvalidSecretName   = errors.New("invalid GitHub Actions secret name")
	ErrGitHubSecretValueCIOnly   = errors.New("GitHub Actions secret value is not readable outside a GitHub Actions runner")
	ErrGitHubSecretNotInEnv      = errors.New("GitHub Actions secret is not present in the environment")
	ErrGitHubSealSecret          = errors.New("failed to encrypt GitHub Actions secret")
	ErrGitHubPublicKeySize       = errors.New("GitHub Actions public key has unexpected size")
	ErrGitHubGetPublicKey        = errors.New("failed to get GitHub Actions public key")
	ErrGitHubPutSecret           = errors.New("failed to write GitHub Actions secret")
	ErrGitHubGetSecret           = errors.New("failed to get GitHub Actions secret")
	ErrGitHubDeleteSecret        = errors.New("failed to delete GitHub Actions secret")
	ErrGitHubResolveRepoID       = errors.New("failed to resolve GitHub repository ID")

	// Keychain specific errors.
	ErrParseKeychainOptions = errors.New("failed to parse keychain store options")
	ErrKeychainInit         = errors.New("failed to initialize keychain store")
	ErrKeychainWrite        = errors.New("failed to write keychain secret")
	ErrKeychainRead         = errors.New("failed to read keychain secret")
	ErrKeychainDelete       = errors.New("failed to delete keychain secret")
	ErrKeychainNotFound     = errors.New("keychain secret not found")

	// Identity errors.
	ErrIdentityNotConfigured   = errors.New("store identity is configured but auth resolver is not set")
	ErrAuthContextNotAvailable = errors.New("auth context not available for identity")

	// Shared errors.
	ErrSerializeJSON = errors.New("failed to serialize value to JSON")
	ErrMarshalValue  = errors.New("failed to marshal value")
	ErrNilValue      = errors.New("cannot store nil value")
)

Common errors shared across store implementations.

Functions

func ApplySecretDefaults 

func ApplySecretDefaults(config StoresConfig)

ApplySecretDefaults marks secret-by-default backends (e.g. 1Password) as `secret: true` when the config didn't set it. It mutates the config in place so both the store registry and the secrets subsystem (which reads StoreConfig.Secret) agree on subsystem membership. Call it once after loading the stores config and before building the registry.

Types

type AWSAuthConfig added in v1.208.0 

type AWSAuthConfig struct {
	CredentialsFile string
	ConfigFile      string
	Profile         string
	Region          string
}

AWSAuthConfig holds the AWS-specific authentication configuration resolved from an identity. This mirrors the relevant fields from schema.AWSAuthContext without importing pkg/schema to avoid circular dependencies (pkg/schema imports pkg/store).

type ArtifactoryClient added in v1.148.1 

type ArtifactoryClient interface {
	DownloadFiles(...services.DownloadParams) (int, int, error)
	UploadFiles(artifactory.UploadServiceOptions, ...services.UploadParams) (int, int, error)
}

ArtifactoryClient interface allows us to mock the Artifactory Services Manager in test with only the methods we are using in the ArtifactoryStore.

type ArtifactoryStore added in v1.148.1 

type ArtifactoryStore struct {
	// contains filtered or unexported fields
}

func (*ArtifactoryStore) Get added in v1.148.1 

func (s *ArtifactoryStore) Get(stack string, component string, key string) (interface{}, error)

func (*ArtifactoryStore) GetKey added in v1.187.0 

func (s *ArtifactoryStore) GetKey(key string) (interface{}, error)

func (*ArtifactoryStore) Set added in v1.148.1 

func (s *ArtifactoryStore) Set(stack string, component string, key string, value interface{}) error

type ArtifactoryStoreOptions added in v1.148.1 

type ArtifactoryStoreOptions struct {
	AccessToken    *string `mapstructure:"access_token"`
	Prefix         *string `mapstructure:"prefix"`
	RepoName       string  `mapstructure:"repo_name"`
	StackDelimiter *string `mapstructure:"stack_delimiter"`
	URL            string  `mapstructure:"url"`
}

type AuthContextResolver added in v1.208.0 

type AuthContextResolver interface {
	// ResolveAWSAuthContext authenticates the named identity and returns AWS credentials.
	ResolveAWSAuthContext(ctx context.Context, identityName string) (*AWSAuthConfig, error)

	// ResolveAzureAuthContext authenticates the named identity and returns Azure credentials.
	ResolveAzureAuthContext(ctx context.Context, identityName string) (*AzureAuthConfig, error)

	// ResolveGCPAuthContext authenticates the named identity and returns GCP credentials.
	ResolveGCPAuthContext(ctx context.Context, identityName string) (*GCPAuthConfig, error)
}

AuthContextResolver resolves an identity name to a cloud-specific auth configuration. Implemented outside this package (in pkg/store/authbridge) to avoid circular deps.

type AzureAuthConfig added in v1.208.0 

type AzureAuthConfig struct {
	CredentialsFile string
	SubscriptionID  string
	TenantID        string
	UseOIDC         bool
	ClientID        string
	TokenFilePath   string
}

AzureAuthConfig holds the Azure-specific authentication configuration resolved from an identity. Fields mirror schema.AzureAuthContext; realm-scoped paths are embedded in CredentialsFile.

type AzureKeyVaultClient added in v1.181.0 

type AzureKeyVaultClient interface {
	SetSecret(ctx context.Context, name string, parameters azsecrets.SetSecretParameters, options *azsecrets.SetSecretOptions) (azsecrets.SetSecretResponse, error)
	GetSecret(ctx context.Context, name string, version string, options *azsecrets.GetSecretOptions) (azsecrets.GetSecretResponse, error)
	DeleteSecret(ctx context.Context, name string, options *azsecrets.DeleteSecretOptions) (azsecrets.DeleteSecretResponse, error)
}

AzureKeyVaultClient interface allows us to mock the Azure Key Vault client.

type AzureKeyVaultStore added in v1.181.0 

type AzureKeyVaultStore struct {
	// contains filtered or unexported fields
}

AzureKeyVaultStore is an implementation of the Store interface for Azure Key Vault.

func (*AzureKeyVaultStore) Delete 

func (s *AzureKeyVaultStore) Delete(stack string, component string, key string) error

Delete removes a secret from Azure Key Vault for the given stack, component, and key.

func (*AzureKeyVaultStore) Get added in v1.181.0 

func (s *AzureKeyVaultStore) Get(stack string, component string, key string) (interface{}, error)

func (*AzureKeyVaultStore) GetKey added in v1.187.0 

func (s *AzureKeyVaultStore) GetKey(key string) (interface{}, error)

func (*AzureKeyVaultStore) Has 

func (s *AzureKeyVaultStore) Has(stack string, component string, key string) (bool, error)

Has reports whether a secret exists for the given stack, component, and key. It performs a Get and maps a not-found result to false; any other error is propagated.

func (*AzureKeyVaultStore) Set added in v1.181.0 

func (s *AzureKeyVaultStore) Set(stack string, component string, key string, value interface{}) error

func (*AzureKeyVaultStore) SetAuthContext added in v1.208.0 

func (s *AzureKeyVaultStore) SetAuthContext(resolver AuthContextResolver, identityName string)

SetAuthContext implements IdentityAwareStore. If identityName is non-empty, it overrides the store's identity. Otherwise, the existing identity is preserved.

type AzureKeyVaultStoreOptions added in v1.181.0 

type AzureKeyVaultStoreOptions struct {
	VaultURL       string  `mapstructure:"vault_url"`
	Prefix         *string `mapstructure:"prefix"`
	StackDelimiter *string `mapstructure:"stack_delimiter"`
}

type DeletableStore 

type DeletableStore interface {
	Store
	// Delete removes the value for a specific stack, component, and key combination.
	Delete(stack string, component string, key string) error
}

DeletableStore extends Store with the ability to remove a value. Backends that support deletion (SSM, ASM, Vault, Azure Key Vault, GCP Secret Manager) implement this; backends that don't may return ErrDeleteNotSupported. The secrets CLI (`atmos secret delete`) requires it.

type GCPAuthConfig added in v1.208.0 

type GCPAuthConfig struct {
	CredentialsFile string
	ProjectID       string
	AccessToken     string //nolint:gosec // Intentional credential field resolved from Atmos identity context.
	TokenExpiry     time.Time
}

GCPAuthConfig holds the GCP-specific authentication configuration resolved from an identity. Fields mirror schema.GCPAuthContext; realm-scoped paths are embedded in CredentialsFile.

type GSMClient added in v1.166.0 

type GSMClient interface {
	CreateSecret(ctx context.Context, req *secretmanagerpb.CreateSecretRequest, opts ...gax.CallOption) (*secretmanagerpb.Secret, error)
	AddSecretVersion(ctx context.Context, req *secretmanagerpb.AddSecretVersionRequest, opts ...gax.CallOption) (*secretmanagerpb.SecretVersion, error)
	AccessSecretVersion(ctx context.Context, req *secretmanagerpb.AccessSecretVersionRequest, opts ...gax.CallOption) (*secretmanagerpb.AccessSecretVersionResponse, error)
	DeleteSecret(ctx context.Context, req *secretmanagerpb.DeleteSecretRequest, opts ...gax.CallOption) error
	Close() error
}

GSMClient is the interface that wraps the Google Secret Manager client methods we use.

type GSMStore added in v1.166.0 

type GSMStore struct {
	// contains filtered or unexported fields
}

GSMStore is an implementation of the Store interface for Google Secret Manager.

func (*GSMStore) Delete 

func (s *GSMStore) Delete(stack string, component string, key string) error

Delete removes a secret (and all its versions) from Google Secret Manager for the given stack, component, and key. An empty stack and/or component is permitted: scoped secret coordinates (stack/global scope) omit those path segments.

func (*GSMStore) Get added in v1.166.0 

func (s *GSMStore) Get(stack string, component string, key string) (any, error)

Get retrieves a value by key from Google Secret Manager. An empty stack and/or component is permitted: scoped secret coordinates (stack/global scope) omit those path segments.

func (*GSMStore) GetKey added in v1.187.0 

func (s *GSMStore) GetKey(key string) (interface{}, error)

GetKey retrieves a secret value directly by its key name, without stack/component scoping.

func (*GSMStore) Has 

func (s *GSMStore) Has(stack string, component string, key string) (bool, error)

Has reports whether a secret exists for the given stack, component, and key. It performs a Get and maps a not-found result to false; any other error is propagated.

func (*GSMStore) Set added in v1.166.0 

func (s *GSMStore) Set(stack string, component string, key string, value any) error

Set stores a key-value pair in Google Secret Manager. An empty stack and/or component is permitted: scoped secret coordinates (stack/global scope) omit those path segments.

func (*GSMStore) SetAuthContext added in v1.208.0 

func (s *GSMStore) SetAuthContext(resolver AuthContextResolver, identityName string)

SetAuthContext implements IdentityAwareStore. If identityName is non-empty, it overrides the store's identity. Otherwise, the existing identity is preserved.

type GSMStoreOptions added in v1.166.0 

type GSMStoreOptions struct {
	Prefix         *string   `mapstructure:"prefix"`
	ProjectID      string    `mapstructure:"project_id"`
	StackDelimiter *string   `mapstructure:"stack_delimiter"`
	Credentials    *string   `mapstructure:"credentials"` // Optional JSON credentials
	Locations      *[]string `mapstructure:"locations"`   // Optional replication locations
}

GSMStoreOptions defines the configuration options for Google Secret Manager store.

type GitHubActionsCIOptions 

type GitHubActionsCIOptions struct {
	// Enabled forces value reads (Get) on even when GitHub Actions is not auto-detected. By
	// default reads are allowed only inside a GitHub Actions runner (see actions.IsGitHubActions).
	Enabled bool `mapstructure:"enabled"`
}

GitHubActionsCIOptions gates value reads for a GitHub Actions store.

type GitHubActionsStore 

type GitHubActionsStore struct {
	// contains filtered or unexported fields
}

GitHubActionsStore implements the Store interface backed by GitHub Actions secrets. It is a "native CI" store: Set/Has/Delete go through the GitHub API, while Get reads the value from the process environment (only populated inside a runner) and is gated by CI detection.

func (*GitHubActionsStore) Delete 

func (s *GitHubActionsStore) Delete(_ string, _ string, key string) error

Delete removes the secret via the GitHub API. It is idempotent: a missing secret is not an error.

func (*GitHubActionsStore) Get 

func (s *GitHubActionsStore) Get(_ string, _ string, key string) (any, error)

Get returns the secret value from the process environment. This only works inside a GitHub Actions runner (where GitHub injects the secret), gated by CI detection; the GitHub API never exposes secret values.

func (*GitHubActionsStore) GetKey 

func (s *GitHubActionsStore) GetKey(key string) (any, error)

GetKey returns the secret value for a raw key without stack/component context (same env-read semantics as Get).

func (*GitHubActionsStore) Has 

func (s *GitHubActionsStore) Has(_ string, _ string, key string) (bool, error)

Has reports whether the secret exists, via the GitHub API (metadata only, no value, no CI context). A missing secret returns (false, nil); auth/transport errors propagate.

func (*GitHubActionsStore) Set 

func (s *GitHubActionsStore) Set(_ string, _ string, key string, value any) error

Set encrypts and writes a secret value via the GitHub API. The stack and component do not affect the secret name (GitHub secrets are a flat, repo-global namespace).

type GitHubActionsStoreOptions 

type GitHubActionsStoreOptions struct {
	// Owner is the repository owner (org or user). Required.
	Owner string `mapstructure:"owner"`
	// Repo is the repository name. Required.
	Repo string `mapstructure:"repo"`
	// Environment optionally targets environment-level secrets instead of repository secrets.
	Environment string `mapstructure:"environment"`
	// Prefix is an optional name prefix applied before the key (e.g. prefix "atmos" + key
	// "db_password" → secret "ATMOS_DB_PASSWORD").
	Prefix string `mapstructure:"prefix"`
	// Token optionally overrides the GitHub token; when empty the standard Atmos resolution chain
	// is used (--github-token → ATMOS_GITHUB_TOKEN → GITHUB_TOKEN → `gh auth token`).
	Token string `mapstructure:"token"`
	// CI gates value reads (Get).
	CI GitHubActionsCIOptions `mapstructure:"ci"`
}

GitHubActionsStoreOptions configures a GitHub Actions secrets store. Secrets are written, listed, and deleted through the GitHub API (anywhere a token is available), but their *values* can only be read back inside a GitHub Actions runner, where GitHub injects the secret into the environment. Addressing is flat: a secret is named [PREFIX_]KEY (uppercased), repo-global, so the same key resolves to the same GitHub secret across stacks/components.

type IdentityAwareStore added in v1.208.0 

type IdentityAwareStore interface {
	Store
	// SetAuthContext injects the resolver and identity name so the store can
	// lazily resolve credentials on first Get/Set call.
	SetAuthContext(resolver AuthContextResolver, identityName string)
}

IdentityAwareStore is implemented by stores that support identity-based authentication. Stores that implement this interface can authenticate using Atmos auth identities instead of the default credential chain.

type KeychainStore 

type KeychainStore struct {
	// contains filtered or unexported fields
}

KeychainStore implements a writable Store over an OS keychain or encrypted file via pkg/keyring.

func (*KeychainStore) Delete 

func (s *KeychainStore) Delete(stack string, component string, key string) error

Delete removes the value for the stack/component/key triple. It is idempotent.

func (*KeychainStore) Get 

func (s *KeychainStore) Get(stack string, component string, key string) (any, error)

Get retrieves the value for the stack/component/key triple.

func (*KeychainStore) GetKey 

func (s *KeychainStore) GetKey(key string) (any, error)

GetKey retrieves a value directly by its composed key, without stack/component context.

func (*KeychainStore) Has 

func (s *KeychainStore) Has(stack string, component string, key string) (bool, error)

Has reports whether a value exists for the stack/component/key triple.

func (*KeychainStore) Set 

func (s *KeychainStore) Set(stack string, component string, key string, value any) error

Set stores a value for the stack/component/key triple. The value is JSON-encoded so any type round-trips through the string-valued keyring.

type KeychainStoreOptions 

type KeychainStoreOptions struct {
	// Backend selects the keyring backend: "system" (OS keychain, default), "file" (encrypted
	// file), or "memory" (testing).
	Backend string `mapstructure:"backend"`
	// Service namespaces the entries. Defaults to "atmos-secrets".
	Service string `mapstructure:"service"`
	// FileDir is the directory for the file backend (defaults to the XDG data dir).
	FileDir string `mapstructure:"file_dir"`
	// PasswordEnv names the environment variable holding the file-backend password (defaults to
	// ATMOS_KEYRING_PASSWORD).
	PasswordEnv string `mapstructure:"password_env"`
	// Prefix is prepended to every composed key. Defaults to "atmos".
	Prefix string `mapstructure:"prefix"`
	// StackDelimiter splits the stack into key segments. Defaults to "-". A pointer distinguishes
	// "unset" (use default) from an explicit empty string.
	StackDelimiter *string `mapstructure:"stack_delimiter"`
}

KeychainStoreOptions configures a keychain secret store backed by pkg/keyring. Unlike the read-only cloud stores, a keychain store is writable, making it a good local-development backend for `atmos secret set/get/delete` (and a place to keep bootstrap credentials like a 1Password token or a SOPS age key).

type MockAuthContextResolver added in v1.208.0 

type MockAuthContextResolver struct {
	// contains filtered or unexported fields
}

MockAuthContextResolver is a mock of AuthContextResolver interface.

func NewMockAuthContextResolver added in v1.208.0 

func NewMockAuthContextResolver(ctrl *gomock.Controller) *MockAuthContextResolver

NewMockAuthContextResolver creates a new mock instance.

func (*MockAuthContextResolver) EXPECT added in v1.208.0 

func (m *MockAuthContextResolver) EXPECT() *MockAuthContextResolverMockRecorder

EXPECT returns an object that allows the caller to indicate expected use.

func (*MockAuthContextResolver) ResolveAWSAuthContext added in v1.208.0 

func (m *MockAuthContextResolver) ResolveAWSAuthContext(ctx context.Context, identityName string) (*AWSAuthConfig, error)

ResolveAWSAuthContext mocks base method.

func (*MockAuthContextResolver) ResolveAzureAuthContext added in v1.208.0 

func (m *MockAuthContextResolver) ResolveAzureAuthContext(ctx context.Context, identityName string) (*AzureAuthConfig, error)

ResolveAzureAuthContext mocks base method.

func (*MockAuthContextResolver) ResolveGCPAuthContext added in v1.208.0 

func (m *MockAuthContextResolver) ResolveGCPAuthContext(ctx context.Context, identityName string) (*GCPAuthConfig, error)

ResolveGCPAuthContext mocks base method.

type MockAuthContextResolverMockRecorder added in v1.208.0 

type MockAuthContextResolverMockRecorder struct {
	// contains filtered or unexported fields
}

MockAuthContextResolverMockRecorder is the mock recorder for MockAuthContextResolver.

func (*MockAuthContextResolverMockRecorder) ResolveAWSAuthContext added in v1.208.0 

func (mr *MockAuthContextResolverMockRecorder) ResolveAWSAuthContext(ctx, identityName any) *gomock.Call

ResolveAWSAuthContext indicates an expected call of ResolveAWSAuthContext.

func (*MockAuthContextResolverMockRecorder) ResolveAzureAuthContext added in v1.208.0 

func (mr *MockAuthContextResolverMockRecorder) ResolveAzureAuthContext(ctx, identityName any) *gomock.Call

ResolveAzureAuthContext indicates an expected call of ResolveAzureAuthContext.

func (*MockAuthContextResolverMockRecorder) ResolveGCPAuthContext added in v1.208.0 

func (mr *MockAuthContextResolverMockRecorder) ResolveGCPAuthContext(ctx, identityName any) *gomock.Call

ResolveGCPAuthContext indicates an expected call of ResolveGCPAuthContext.

type MockDeletableStore 

type MockDeletableStore struct {
	// contains filtered or unexported fields
}

MockDeletableStore is a mock of DeletableStore interface.

func NewMockDeletableStore 

func NewMockDeletableStore(ctrl *gomock.Controller) *MockDeletableStore

NewMockDeletableStore creates a new mock instance.

func (*MockDeletableStore) Delete 

func (m *MockDeletableStore) Delete(stack, component, key string) error

Delete mocks base method.

func (*MockDeletableStore) EXPECT 

func (m *MockDeletableStore) EXPECT() *MockDeletableStoreMockRecorder

EXPECT returns an object that allows the caller to indicate expected use.

func (*MockDeletableStore) Get 

func (m *MockDeletableStore) Get(stack, component, key string) (any, error)

Get mocks base method.

func (*MockDeletableStore) GetKey 

func (m *MockDeletableStore) GetKey(key string) (any, error)

GetKey mocks base method.

func (*MockDeletableStore) Set 

func (m *MockDeletableStore) Set(stack, component, key string, value any) error

Set mocks base method.

type MockDeletableStoreMockRecorder 

type MockDeletableStoreMockRecorder struct {
	// contains filtered or unexported fields
}

MockDeletableStoreMockRecorder is the mock recorder for MockDeletableStore.

func (*MockDeletableStoreMockRecorder) Delete 

func (mr *MockDeletableStoreMockRecorder) Delete(stack, component, key any) *gomock.Call

Delete indicates an expected call of Delete.

func (*MockDeletableStoreMockRecorder) Get 

func (mr *MockDeletableStoreMockRecorder) Get(stack, component, key any) *gomock.Call

Get indicates an expected call of Get.

func (*MockDeletableStoreMockRecorder) GetKey 

func (mr *MockDeletableStoreMockRecorder) GetKey(key any) *gomock.Call

GetKey indicates an expected call of GetKey.

func (*MockDeletableStoreMockRecorder) Set 

func (mr *MockDeletableStoreMockRecorder) Set(stack, component, key, value any) *gomock.Call

Set indicates an expected call of Set.

type MockIdentityAwareStore added in v1.208.0 

type MockIdentityAwareStore struct {
	// contains filtered or unexported fields
}

MockIdentityAwareStore is a mock of IdentityAwareStore interface.

func NewMockIdentityAwareStore added in v1.208.0 

func NewMockIdentityAwareStore(ctrl *gomock.Controller) *MockIdentityAwareStore

NewMockIdentityAwareStore creates a new mock instance.

func (*MockIdentityAwareStore) EXPECT added in v1.208.0 

func (m *MockIdentityAwareStore) EXPECT() *MockIdentityAwareStoreMockRecorder

EXPECT returns an object that allows the caller to indicate expected use.

func (*MockIdentityAwareStore) Get added in v1.208.0 

func (m *MockIdentityAwareStore) Get(stack, component, key string) (any, error)

Get mocks base method.

func (*MockIdentityAwareStore) GetKey added in v1.208.0 

func (m *MockIdentityAwareStore) GetKey(key string) (any, error)

GetKey mocks base method.

func (*MockIdentityAwareStore) Set added in v1.208.0 

func (m *MockIdentityAwareStore) Set(stack, component, key string, value any) error

Set mocks base method.

func (*MockIdentityAwareStore) SetAuthContext added in v1.208.0 

func (m *MockIdentityAwareStore) SetAuthContext(resolver AuthContextResolver, identityName string)

SetAuthContext mocks base method.

type MockIdentityAwareStoreMockRecorder added in v1.208.0 

type MockIdentityAwareStoreMockRecorder struct {
	// contains filtered or unexported fields
}

MockIdentityAwareStoreMockRecorder is the mock recorder for MockIdentityAwareStore.

func (*MockIdentityAwareStoreMockRecorder) Get added in v1.208.0 

func (mr *MockIdentityAwareStoreMockRecorder) Get(stack, component, key any) *gomock.Call

Get indicates an expected call of Get.

func (*MockIdentityAwareStoreMockRecorder) GetKey added in v1.208.0 

func (mr *MockIdentityAwareStoreMockRecorder) GetKey(key any) *gomock.Call

GetKey indicates an expected call of GetKey.

func (*MockIdentityAwareStoreMockRecorder) Set added in v1.208.0 

func (mr *MockIdentityAwareStoreMockRecorder) Set(stack, component, key, value any) *gomock.Call

Set indicates an expected call of Set.

func (*MockIdentityAwareStoreMockRecorder) SetAuthContext added in v1.208.0 

func (mr *MockIdentityAwareStoreMockRecorder) SetAuthContext(resolver, identityName any) *gomock.Call

SetAuthContext indicates an expected call of SetAuthContext.

type MockSecretAwareStore 

type MockSecretAwareStore struct {
	// contains filtered or unexported fields
}

MockSecretAwareStore is a mock of SecretAwareStore interface.

func NewMockSecretAwareStore 

func NewMockSecretAwareStore(ctrl *gomock.Controller) *MockSecretAwareStore

NewMockSecretAwareStore creates a new mock instance.

func (*MockSecretAwareStore) EXPECT 

func (m *MockSecretAwareStore) EXPECT() *MockSecretAwareStoreMockRecorder

EXPECT returns an object that allows the caller to indicate expected use.

func (*MockSecretAwareStore) Get 

func (m *MockSecretAwareStore) Get(stack, component, key string) (any, error)

Get mocks base method.

func (*MockSecretAwareStore) GetKey 

func (m *MockSecretAwareStore) GetKey(key string) (any, error)

GetKey mocks base method.

func (*MockSecretAwareStore) Set 

func (m *MockSecretAwareStore) Set(stack, component, key string, value any) error

Set mocks base method.

func (*MockSecretAwareStore) SetSecret 

func (m *MockSecretAwareStore) SetSecret(secret bool)

SetSecret mocks base method.

type MockSecretAwareStoreMockRecorder 

type MockSecretAwareStoreMockRecorder struct {
	// contains filtered or unexported fields
}

MockSecretAwareStoreMockRecorder is the mock recorder for MockSecretAwareStore.

func (*MockSecretAwareStoreMockRecorder) Get 

func (mr *MockSecretAwareStoreMockRecorder) Get(stack, component, key any) *gomock.Call

Get indicates an expected call of Get.

func (*MockSecretAwareStoreMockRecorder) GetKey 

func (mr *MockSecretAwareStoreMockRecorder) GetKey(key any) *gomock.Call

GetKey indicates an expected call of GetKey.

func (*MockSecretAwareStoreMockRecorder) Set 

func (mr *MockSecretAwareStoreMockRecorder) Set(stack, component, key, value any) *gomock.Call

Set indicates an expected call of Set.

func (*MockSecretAwareStoreMockRecorder) SetSecret 

func (mr *MockSecretAwareStoreMockRecorder) SetSecret(secret any) *gomock.Call

SetSecret indicates an expected call of SetSecret.

type MockStatusStore 

type MockStatusStore struct {
	// contains filtered or unexported fields
}

MockStatusStore is a mock of StatusStore interface.

func NewMockStatusStore 

func NewMockStatusStore(ctrl *gomock.Controller) *MockStatusStore

NewMockStatusStore creates a new mock instance.

func (*MockStatusStore) EXPECT 

func (m *MockStatusStore) EXPECT() *MockStatusStoreMockRecorder

EXPECT returns an object that allows the caller to indicate expected use.

func (*MockStatusStore) Get 

func (m *MockStatusStore) Get(stack, component, key string) (any, error)

Get mocks base method.

func (*MockStatusStore) GetKey 

func (m *MockStatusStore) GetKey(key string) (any, error)

GetKey mocks base method.

func (*MockStatusStore) Has 

func (m *MockStatusStore) Has(stack, component, key string) (bool, error)

Has mocks base method.

func (*MockStatusStore) Set 

func (m *MockStatusStore) Set(stack, component, key string, value any) error

Set mocks base method.

type MockStatusStoreMockRecorder 

type MockStatusStoreMockRecorder struct {
	// contains filtered or unexported fields
}

MockStatusStoreMockRecorder is the mock recorder for MockStatusStore.

func (*MockStatusStoreMockRecorder) Get 

func (mr *MockStatusStoreMockRecorder) Get(stack, component, key any) *gomock.Call

Get indicates an expected call of Get.

func (*MockStatusStoreMockRecorder) GetKey 

func (mr *MockStatusStoreMockRecorder) GetKey(key any) *gomock.Call

GetKey indicates an expected call of GetKey.

func (*MockStatusStoreMockRecorder) Has 

func (mr *MockStatusStoreMockRecorder) Has(stack, component, key any) *gomock.Call

Has indicates an expected call of Has.

func (*MockStatusStoreMockRecorder) Set 

func (mr *MockStatusStoreMockRecorder) Set(stack, component, key, value any) *gomock.Call

Set indicates an expected call of Set.

type MockStore added in v1.203.0 

type MockStore struct {
	// contains filtered or unexported fields
}

MockStore is a mock of Store interface.

func NewMockStore added in v1.203.0 

func NewMockStore(ctrl *gomock.Controller) *MockStore

NewMockStore creates a new mock instance.

func (*MockStore) EXPECT added in v1.203.0 

func (m *MockStore) EXPECT() *MockStoreMockRecorder

EXPECT returns an object that allows the caller to indicate expected use.

func (*MockStore) Get added in v1.203.0 

func (m *MockStore) Get(stack, component, key string) (any, error)

Get mocks base method.

func (*MockStore) GetKey added in v1.203.0 

func (m *MockStore) GetKey(key string) (any, error)

GetKey mocks base method.

func (*MockStore) Set added in v1.203.0 

func (m *MockStore) Set(stack, component, key string, value any) error

Set mocks base method.

type MockStoreMockRecorder added in v1.203.0 

type MockStoreMockRecorder struct {
	// contains filtered or unexported fields
}

MockStoreMockRecorder is the mock recorder for MockStore.

func (*MockStoreMockRecorder) Get added in v1.203.0 

func (mr *MockStoreMockRecorder) Get(stack, component, key any) *gomock.Call

Get indicates an expected call of Get.

func (*MockStoreMockRecorder) GetKey added in v1.203.0 

func (mr *MockStoreMockRecorder) GetKey(key any) *gomock.Call

GetKey indicates an expected call of GetKey.

func (*MockStoreMockRecorder) Set added in v1.203.0 

func (mr *MockStoreMockRecorder) Set(stack, component, key, value any) *gomock.Call

Set indicates an expected call of Set.

type OnePasswordStore 

type OnePasswordStore struct {
	// contains filtered or unexported fields
}

OnePasswordStore implements the Store interface backed by 1Password. It resolves templated `op://` references via either the native SDK (service account) or Connect (REST). Writes (Set/Delete) create/update/remove the field the reference points to (creating the item if needed); created items use the API Credential category with a Concealed value field.

func (*OnePasswordStore) Delete 

func (s *OnePasswordStore) Delete(stack string, component string, key string) error

Delete removes the field the templated reference points to (deleting the item if it becomes empty). It is idempotent: a missing vault/item/field is not an error.

func (*OnePasswordStore) Get 

func (s *OnePasswordStore) Get(stack string, component string, key string) (any, error)

Get resolves the templated reference (carried as `key`) for the given stack/component.

func (*OnePasswordStore) GetKey 

func (s *OnePasswordStore) GetKey(key string) (any, error)

GetKey resolves a raw reference without stack/component context (templated vars render empty).

func (*OnePasswordStore) Has 

func (s *OnePasswordStore) Has(stack string, component string, key string) (bool, error)

Has reports whether the referenced secret exists, treating a not-found reference as absence while propagating auth/transport errors.

func (*OnePasswordStore) Set 

func (s *OnePasswordStore) Set(stack string, component string, key string, value any) error

Set creates or updates the field the templated reference (carried as `key`) points to, creating the 1Password item if it does not yet exist.

type OnePasswordStoreOptions 

type OnePasswordStoreOptions struct {
	// Mode selects the integration backend: "auto" (default), "connect", or "service-account".
	Mode string `mapstructure:"mode"`
	// Token is the service-account token; falls back to OP_SERVICE_ACCOUNT_TOKEN.
	Token string `mapstructure:"token"`
	// ConnectHost is the 1Password Connect server URL; falls back to OP_CONNECT_HOST.
	ConnectHost string `mapstructure:"connect_host"`
	// ConnectToken is the 1Password Connect API token; falls back to OP_CONNECT_TOKEN.
	ConnectToken string `mapstructure:"connect_token"`
	// Vault optionally supplies a default vault, letting references omit the scheme and vault
	// (e.g. `Datadog/api_key` becomes `op://<vault>/Datadog/api_key`).
	Vault string `mapstructure:"vault"`
}

OnePasswordStoreOptions configures a 1Password store. Addressing is reference-based: each declared secret carries an `op://...` reference (optionally Go-templated), so there is no prefix/stack-delimiter key composition like the other stores.

type RedisClient added in v1.159.0 

type RedisClient interface {
	Get(ctx context.Context, key string) *redis.StringCmd
	Set(ctx context.Context, key string, value interface{}, expiration time.Duration) *redis.StatusCmd
}

RedisClient interface allows us to mock the Redis Client in test with only the methods we are using in the RedisStore.

type RedisStore added in v1.159.0 

type RedisStore struct {
	// contains filtered or unexported fields
}

func (*RedisStore) Get added in v1.159.0 

func (s *RedisStore) Get(stack string, component string, key string) (interface{}, error)

func (*RedisStore) GetKey added in v1.187.0 

func (s *RedisStore) GetKey(key string) (interface{}, error)

func (*RedisStore) RedisClient added in v1.187.0 

func (s *RedisStore) RedisClient() RedisClient

RedisClient returns the underlying Redis client for testing purposes.

func (*RedisStore) Set added in v1.159.0 

func (s *RedisStore) Set(stack string, component string, key string, value interface{}) error

type RedisStoreOptions added in v1.159.0 

type RedisStoreOptions struct {
	Prefix         *string `mapstructure:"prefix"`
	StackDelimiter *string `mapstructure:"stack_delimiter"`
	URL            *string `mapstructure:"url"`
}

type SSMClient 

type SSMClient interface {
	PutParameter(ctx context.Context, params *ssm.PutParameterInput, optFns ...func(*ssm.Options)) (*ssm.PutParameterOutput, error)
	GetParameter(ctx context.Context, params *ssm.GetParameterInput, optFns ...func(*ssm.Options)) (*ssm.GetParameterOutput, error)
	DeleteParameter(ctx context.Context, params *ssm.DeleteParameterInput, optFns ...func(*ssm.Options)) (*ssm.DeleteParameterOutput, error)
}

SSMClient interface allows us to mock the AWS SSM client.

type SSMStore 

type SSMStore struct {
	// contains filtered or unexported fields
}

SSMStore is an implementation of the Store interface for AWS SSM Parameter Store.

func (*SSMStore) Delete 

func (s *SSMStore) Delete(stack string, component string, key string) error

Delete removes a parameter for an Atmos component in a stack from AWS SSM Parameter Store. An empty stack and/or component is permitted: scoped secret coordinates (stack/global scope) omit those path segments.

func (*SSMStore) Get 

func (s *SSMStore) Get(stack string, component string, key string) (any, error)

Get retrieves a value by key for an Atmos component in a stack from AWS SSM Parameter Store. An empty stack and/or component is permitted: scoped secret coordinates (stack/global scope) omit those path segments.

func (*SSMStore) GetKey added in v1.187.0 

func (s *SSMStore) GetKey(key string) (any, error)

GetKey retrieves a value by key from AWS SSM Parameter Store.

func (*SSMStore) Has 

func (s *SSMStore) Has(stack string, component string, key string) (bool, error)

Has reports whether a parameter exists for an Atmos component in a stack. It uses Get and treats a not-found error as a non-existent (uninitialized) value.

func (*SSMStore) Set 

func (s *SSMStore) Set(stack string, component string, key string, value any) error

Set stores a key-value pair in AWS SSM Parameter Store. An empty stack and/or component is permitted: scoped secret coordinates (stack/global scope) omit those path segments.

func (*SSMStore) SetAuthContext added in v1.208.0 

func (s *SSMStore) SetAuthContext(resolver AuthContextResolver, identityName string)

SetAuthContext implements IdentityAwareStore. If identityName is non-empty, it overrides the store's identity. Otherwise, the existing identity is preserved.

func (*SSMStore) SetSecret 

func (s *SSMStore) SetSecret(secret bool)

SetSecret implements SecretAwareStore. When true, writes use the SecureString type.

type SSMStoreOptions 

type SSMStoreOptions struct {
	Prefix         *string `mapstructure:"prefix"`
	Region         string  `mapstructure:"region"`
	StackDelimiter *string `mapstructure:"stack_delimiter"`
	ReadRoleArn    *string `mapstructure:"read_role_arn"`
	WriteRoleArn   *string `mapstructure:"write_role_arn"`
}

type STSClient added in v1.168.0 

type STSClient interface {
	AssumeRole(ctx context.Context, params *sts.AssumeRoleInput, optFns ...func(*sts.Options)) (*sts.AssumeRoleOutput, error)
}

STSClient interface allows us to mock the AWS STS client.

type SecretAwareStore 

type SecretAwareStore interface {
	Store
	// SetSecret marks the store as a secret backend so writes use the sensitive at-rest variant.
	SetSecret(secret bool)
}

SecretAwareStore is implemented by stores that change their at-rest behavior when used as a secret backend (e.g. AWS SSM writes a SecureString instead of a String). The registry calls SetSecret(true) for stores configured with `secret: true`.

type SecretsManagerClient 

type SecretsManagerClient interface {
	CreateSecret(ctx context.Context, params *secretsmanager.CreateSecretInput, optFns ...func(*secretsmanager.Options)) (*secretsmanager.CreateSecretOutput, error)
	PutSecretValue(ctx context.Context, params *secretsmanager.PutSecretValueInput, optFns ...func(*secretsmanager.Options)) (*secretsmanager.PutSecretValueOutput, error)
	GetSecretValue(ctx context.Context, params *secretsmanager.GetSecretValueInput, optFns ...func(*secretsmanager.Options)) (*secretsmanager.GetSecretValueOutput, error)
	DeleteSecret(ctx context.Context, params *secretsmanager.DeleteSecretInput, optFns ...func(*secretsmanager.Options)) (*secretsmanager.DeleteSecretOutput, error)
}

SecretsManagerClient is the subset of the AWS Secrets Manager API used by the store.

type SecretsManagerStore 

type SecretsManagerStore struct {
	// contains filtered or unexported fields
}

SecretsManagerStore is an implementation of the Store interface for AWS Secrets Manager. Unlike SSM Parameter Store, Secrets Manager is encrypted at rest by default and is suited to structured/JSON secrets, rotation, and larger values.

func (*SecretsManagerStore) Delete 

func (s *SecretsManagerStore) Delete(stack string, component string, key string) error

Delete removes a secret (with no recovery window so the name can be reused immediately). An empty stack and/or component is permitted: scoped secret coordinates (stack/global scope) omit those path segments.

func (*SecretsManagerStore) Get 

func (s *SecretsManagerStore) Get(stack string, component string, key string) (any, error)

Get retrieves a value for an Atmos component in a stack. An empty stack and/or component is permitted: scoped secret coordinates (stack/global scope) omit those path segments.

func (*SecretsManagerStore) GetKey 

func (s *SecretsManagerStore) GetKey(key string) (any, error)

GetKey retrieves a value by its raw secret id (optionally prefixed).

func (*SecretsManagerStore) Has 

func (s *SecretsManagerStore) Has(stack string, component string, key string) (bool, error)

Has reports whether a secret exists, treating ResourceNotFound as non-existent.

func (*SecretsManagerStore) Set 

func (s *SecretsManagerStore) Set(stack string, component string, key string, value any) error

Set stores a value, creating the secret if it does not yet exist. An empty stack and/or component is permitted: scoped secret coordinates (stack/global scope) omit those path segments.

func (*SecretsManagerStore) SetAuthContext 

func (s *SecretsManagerStore) SetAuthContext(resolver AuthContextResolver, identityName string)

SetAuthContext implements IdentityAwareStore.

type SecretsManagerStoreOptions 

type SecretsManagerStoreOptions struct {
	Prefix         *string `mapstructure:"prefix"`
	Region         string  `mapstructure:"region"`
	StackDelimiter *string `mapstructure:"stack_delimiter"`
}

SecretsManagerStoreOptions configures an AWS Secrets Manager store.

type StatusStore 

type StatusStore interface {
	Store
	// Has reports whether a value exists for a specific stack, component, and key.
	Has(stack string, component string, key string) (bool, error)
}

StatusStore extends Store with an existence check used by `atmos secret list`/`validate` to report whether a declared secret has been initialized, without retrieving (and thus without registering) its value.

type Store 

type Store interface {
	// Set stores a value for a specific stack, component, and key combination.
	Set(stack string, component string, key string, value any) error
	// Get retrieves a value for a specific stack, component, and key combination.
	Get(stack string, component string, key string) (any, error)
	// GetKey retrieves a value directly by key without stack or component context.
	GetKey(key string) (any, error)
}

Store defines the common interface for all store implementations.

func NewArtifactoryStore added in v1.148.1 

func NewArtifactoryStore(options ArtifactoryStoreOptions) (Store, error)

func NewAzureKeyVaultStore added in v1.181.0 

func NewAzureKeyVaultStore(options AzureKeyVaultStoreOptions, identityName string) (Store, error)

NewAzureKeyVaultStore creates a new Azure Key Vault store. If identityName is non-empty, client initialization is deferred until first use (lazy init).

func NewGSMStore added in v1.166.0 

func NewGSMStore(options GSMStoreOptions, identityName string) (Store, error)

NewGSMStore initializes a new Google Secret Manager Store. Client initialization is always deferred to first use via ensureClient(). This allows auth credentials (e.g., GOOGLE_OAUTH_ACCESS_TOKEN) to be established after config loading but before the store is actually used.

func NewGitHubActionsStore 

func NewGitHubActionsStore(options *GitHubActionsStoreOptions) (Store, error)

NewGitHubActionsStore initializes a GitHub Actions secrets store. The GitHub client is built lazily on first API call, so this only validates required addressing options.

func NewKeychainStore 

func NewKeychainStore(options *KeychainStoreOptions) (Store, error)

NewKeychainStore initializes a keychain store. Constructing the system backend probes keyring availability, so an unusable keychain (e.g. a headless container) fails here rather than silently dropping writes.

func NewOnePasswordStore 

func NewOnePasswordStore(options *OnePasswordStoreOptions) (Store, error)

NewOnePasswordStore initializes a 1Password store. Credential selection is deferred until the first secret resolution (see getClient), so this never fails for missing credentials.

func NewRedisStore added in v1.159.0 

func NewRedisStore(options RedisStoreOptions) (Store, error)

func NewSSMStore 

func NewSSMStore(options SSMStoreOptions, identityName string) (Store, error)

NewSSMStore initializes a new SSMStore. If identityName is non-empty, client initialization is deferred until first use (lazy init).

func NewSecretsManagerStore 

func NewSecretsManagerStore(options SecretsManagerStoreOptions, identityName string) (Store, error)

NewSecretsManagerStore initializes a new SecretsManagerStore. If identityName is non-empty, client initialization is deferred until first use (lazy init).

func NewVaultStore 

func NewVaultStore(options *VaultStoreOptions, identityName string) (Store, error)

NewVaultStore initializes a new VaultStore using token authentication. The address may be supplied via options or the standard VAULT_ADDR environment variable (read by the Vault SDK); the token may be supplied via options or the standard VAULT_TOKEN environment variable.

type StoreConfig 

type StoreConfig struct {
	// Type is the legacy backend selector (e.g. "aws-ssm-parameter-store").
	Type string `yaml:"type"`
	// Kind is the new cloud/thing backend selector (e.g. "aws/ssm"); when set it takes
	// precedence over Type. The registry maps legacy Type to Kind for backward compatibility.
	Kind string `yaml:"kind,omitempty"`
	// Secret marks this store as a secret backend (subsystem membership). A secret store
	// is the only backend the !secret function and the `atmos secret` CLI resolve from, and
	// `!store` against it is an error ("use !secret"). Secret stores always write the
	// sensitive variant at rest (e.g. SSM SecureString).
	Secret   bool                   `yaml:"secret,omitempty"`
	Identity string                 `yaml:"identity,omitempty"`
	Options  map[string]interface{} `yaml:"options"`
}

type StoreFactory 

type StoreFactory func(options map[string]any) (Store, error)

StoreFactory is a function type to initialize a new store.

type StoreRegistry 

type StoreRegistry map[string]Store

func NewStoreRegistry 

func NewStoreRegistry(config *StoresConfig) (StoreRegistry, error)

func (StoreRegistry) SetAuthContextResolver added in v1.208.0 

func (r StoreRegistry) SetAuthContextResolver(resolver AuthContextResolver)

SetAuthContextResolver injects an auth context resolver into all identity-aware stores that have an identity configured. This should be called after authentication is complete and before stores are accessed.

func (StoreRegistry) SetAuthContextResolverWithDefaultIdentity added in v1.221.0 

func (r StoreRegistry) SetAuthContextResolverWithDefaultIdentity(resolver AuthContextResolver, defaultIdentity string)

SetAuthContextResolverWithDefaultIdentity injects an auth context resolver into identity-aware stores. Stores with their own configured identity keep it; stores without a configured identity inherit defaultIdentity.

type StoresConfig 

type StoresConfig = map[string]StoreConfig

type VaultKVClient 

type VaultKVClient interface {
	Put(ctx context.Context, path string, data map[string]any) error
	Get(ctx context.Context, path string) (map[string]any, error)
	Delete(ctx context.Context, path string) error
}

VaultKVClient abstracts the Vault KV v2 operations the store needs (for testability).

type VaultStore 

type VaultStore struct {
	// contains filtered or unexported fields
}

VaultStore is an implementation of the Store interface for HashiCorp Vault (KV v2).

func (*VaultStore) Delete 

func (s *VaultStore) Delete(stack string, component string, key string) error

Delete removes a KV v2 secret at the computed path.

func (*VaultStore) Get 

func (s *VaultStore) Get(stack string, component string, key string) (any, error)

Get reads the "value" field from a KV v2 path.

func (*VaultStore) GetKey 

func (s *VaultStore) GetKey(key string) (any, error)

GetKey reads the "value" field by a raw KV path (optionally prefixed).

func (*VaultStore) Has 

func (s *VaultStore) Has(stack string, component string, key string) (bool, error)

Has reports whether a secret exists at the computed path.

func (*VaultStore) Set 

func (s *VaultStore) Set(stack string, component string, key string, value any) error

Set writes the value to a KV v2 path under a single "value" field.

func (*VaultStore) SetAuthContext 

func (s *VaultStore) SetAuthContext(resolver AuthContextResolver, identityName string)

SetAuthContext implements IdentityAwareStore. Vault token auth needs no resolver, but the hook is kept for future cloud auth methods.

type VaultStoreOptions 

type VaultStoreOptions struct {
	URL            string  `mapstructure:"url"`
	Address        string  `mapstructure:"address"`
	Token          string  `mapstructure:"token"`
	Mount          string  `mapstructure:"mount"`
	Path           string  `mapstructure:"path"`
	Prefix         *string `mapstructure:"prefix"`
	StackDelimiter *string `mapstructure:"stack_delimiter"`
}

VaultStoreOptions configures a HashiCorp Vault store.

Source Files

View all Source files

Directories

Path Synopsis
Package authbridge provides an implementation of store.AuthContextResolver that bridges the store package with the auth system.
 Package authbridge provides an implementation of store.AuthContextResolver that bridges the store package with the auth system.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.