secrets

package
v0.0.5
Warning

This package is not in the latest version of its module.

Published: Jul 16, 2025 License: MIT Imports: 6 Imported by: 0

Documentation


Constants

This section is empty.

Variables

var (
	ErrNotFound     = errors.New("secret not found")
	ErrAccessDenied = errors.New("access denied") // nuh, uh, uh!
	ErrIDMismatch   = errors.New("id mismatch")
)
var ErrInvalidPattern = errors.New("invalid pattern")

Functions

This section is empty.

Types

type Envelope

type Envelope struct {
	ID         ID
	Value      []byte    `json:",omitzero"`
	Provider   string    `json:",omitzero"`
	Version    string    `json:",omitzero"`
	Error      string    `json:",omitzero"`
	CreatedAt  time.Time `json:",omitzero"`
	ResolvedAt time.Time `json:",omitzero"`
	ExpiresAt  time.Time `json:",omitzero"`
}

func EnvelopeErr added in v0.0.5

func EnvelopeErr(req Request, err error) Envelope

type ID

type ID string

ID contains a secret identifier. Valid secret identifiers must match the format [A-Za-z0-9.-]+(/[A-Za-z0-9.-]+)+?.

Storage makes little distinction based on the ID format, but by convention IDs are managed as simple, slash-separated paths, which provides a groupable access control system for management across plugins.

func ParseID

func ParseID(s string) (ID, error)

func (ID) Match

func (id ID) Match(pattern Pattern) bool

Match checks if a given identifier matches the pattern.

  - "*" matches a single component
  - "**" matches zero or more components
  - "/" is the separator

func (ID) String

func (id ID) String() string

func (ID) Valid

func (id ID) Valid() error

Valid returns nil if the identifier is considered valid.

type Pattern

type Pattern string

Pattern can be used to match secret identifiers. Valid patterns must follow the same validation rules as secret identifiers, with the exception that '*' can be used to match a single component, and '**' can be used to match zero or more components.

func ParsePattern

func ParsePattern(pattern string) (Pattern, error)

func (Pattern) Match

func (p Pattern) Match(id ID) bool

func (Pattern) Valid

func (p Pattern) Valid() error

Valid returns nil if the pattern is considered valid.
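
The matching rules documented for Pattern and ID.Match, written out as an added, self-contained example; it is not this package's code, `matchID` and `matchComponents` are hypothetical helpers, and the identifiers are constructed. It shows that "*" never crosses a "/", so a one-level pattern does not cover deeper paths, while "**" also matches zero components.

```go
package main

import (
	"fmt"
	"strings"
)

// matchComponents is a hypothetical helper, not the package's implementation.
// It applies the documented rules: "*" consumes exactly one component,
// "**" consumes zero or more, and any other component must compare equal.
func matchComponents(pat, id []string) bool {
	if len(pat) == 0 {
		return len(id) == 0
	}
	switch pat[0] {
	case "**":
		// Try every split point, including consuming nothing at all.
		for i := 0; i <= len(id); i++ {
			if matchComponents(pat[1:], id[i:]) {
				return true
			}
		}
		return false
	case "*":
		return len(id) > 0 && matchComponents(pat[1:], id[1:])
	default:
		return len(id) > 0 && pat[0] == id[0] && matchComponents(pat[1:], id[1:])
	}
}

// matchID splits pattern and identifier on "/" and matches component-wise.
func matchID(pattern, id string) bool {
	return matchComponents(strings.Split(pattern, "/"), strings.Split(id, "/"))
}

func main() {
	// Constructed sample patterns and identifiers.
	cases := [][2]string{
		{"team/*/password", "team/db/password"},
		{"team/*", "team/db/password"},
		{"team/**", "team/db/password"},
		{"team/db/**", "team/db"},
		{"team/**/password", "team/db/token"},
	}
	for _, c := range cases {
		fmt.Printf("%-18s %-18s %v\n", c[0], c[1], matchID(c[0], c[1]))
	}
}
```
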

type Request

type Request struct {
	ID ID `json:",omitzero"`

	// Provider can be optionally specified to restrict the resolver
	// to a particular provider stack.
	Provider    string `json:",omitzero"`
	ClientID    string `json:",omitzero"`
	RequestedAt time.Time
}

type Resolver

type Resolver interface {
	GetSecret(ctx context.Context, request Request) (Envelope, error)
}

type Restricted

type Restricted struct {
	// contains filtered or unexported fields
}

Restricted controls access to a set of secrets.

By default, it allows access to no secrets but can be modified safely from other threads.

func NewRestricted

func NewRestricted(resolver Resolver, allowed ...ID) *Restricted

func (*Restricted) Allow

func (r *Restricted) Allow(allowed ...ID)

func (*Restricted) GetSecret

func (r *Restricted) GetSecret(ctx context.Context, request Request) (Envelope, error)
