Documentation
Overview
Package secrets provides utilities for handling Kubernetes secrets in Flux controllers.
This package consolidates common secret handling patterns used across Flux controllers including TLS certificate secrets, proxy configuration secrets, basic authentication secrets, API token secrets, and image pull secrets.
Index
- Constants
- Variables
- func BasicAuthFromSecret(ctx context.Context, secret *corev1.Secret) (string, string, error)
- func MakeBasicAuthSecret(name, namespace, username, password string) (*corev1.Secret, error)
- func MakeBearerTokenSecret(name, namespace, token string) (*corev1.Secret, error)
- func MakeProxySecret(name, namespace, address, username, password string) (*corev1.Secret, error)
- func MakeRegistrySecret(name, namespace, server, username, password string) (*corev1.Secret, error)
- func MakeTLSSecret(name, namespace string, opts ...TLSSecretOption) (*corev1.Secret, error)
- func MakeTokenSecret(name, namespace, token string) (*corev1.Secret, error)
- func ProxyURLFromSecret(ctx context.Context, secret *corev1.Secret) (*url.URL, error)
- func PullSecretsFromServiceAccountRef(ctx context.Context, c client.Client, saRef types.NamespacedName) ([]corev1.Secret, error)
- func TLSConfigFromSecret(ctx context.Context, secret *corev1.Secret) (*tls.Config, error)
- type KeyNotFoundError
- type TLSSecretOption
- type TLSValidationError
- type TLSValidationErrorType
Constants
const (
	// TLSCertKey is the standard key for TLS certificate data in secrets.
	TLSCertKey = corev1.TLSCertKey
	// TLSPrivateKeyKey is the standard key for TLS private key data in secrets.
	TLSPrivateKeyKey = corev1.TLSPrivateKeyKey
	// CACertKey is the standard key for CA certificate data in secrets.
	CACertKey = "ca.crt"
	// LegacyTLSCertFileKey is the legacy key for TLS certificate data in secrets.
	LegacyTLSCertFileKey = "certFile"
	// LegacyTLSPrivateKeyKey is the legacy key for TLS private key data in secrets.
	LegacyTLSPrivateKeyKey = "keyFile"
	// LegacyCACertKey is the legacy key for CA certificate data in secrets.
	LegacyCACertKey = "caFile"
	// UsernameKey is the key for username data in basic auth secrets.
	UsernameKey = "username"
	// PasswordKey is the key for password data in basic auth secrets.
	PasswordKey = "password"
	// AddressKey is the key for proxy address data in proxy secrets.
	AddressKey = "address"
	// BearerTokenKey is the key for bearer token data in secrets.
	BearerTokenKey = "bearerToken"
	// TokenKey is the key for generic API token data in secrets.
	TokenKey = "token"
)
Variables
var (
	// ErrKeyNotFound is returned when a required key is not found in a secret.
	ErrKeyNotFound = errors.New("key not found in secret")
)
Functions
func BasicAuthFromSecret
BasicAuthFromSecret retrieves basic authentication credentials from a Kubernetes secret.
The function expects the secret to contain "username" and "password" fields. Both fields are required and the function will return an error if either is missing.
func MakeBasicAuthSecret
MakeBasicAuthSecret creates a Kubernetes basic auth secret.
The function requires both username and password to be non-empty. The resulting secret will be of type kubernetes.io/basic-auth.
func MakeBearerTokenSecret
MakeBearerTokenSecret creates a Kubernetes secret for bearer token authentication.
The function requires a non-empty token value. The resulting secret will be of type Opaque with the token stored under the "bearerToken" key.
func MakeProxySecret
MakeProxySecret creates a Kubernetes secret for proxy configuration.
The function requires a valid proxy address (URL format). Optional username and password can be provided for proxy authentication. The resulting secret will be of type Opaque.
func MakeRegistrySecret
MakeRegistrySecret creates a Kubernetes Docker config secret for container registry authentication.
The function requires server, username, and password to be non-empty. It generates a Docker config JSON with a base64-encoded auth field containing "username:password". The resulting secret will be of type kubernetes.io/dockerconfigjson.
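The payload that ends up under the .dockerconfigjson key, built and checked with only the standard library, as an added example that is not the package's own code: the config.json layout and the base64("username:password") auth field are as described above; the function names and the registry server are constructed for the example.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// dockerAuth is one entry under "auths" in the config.json stored at the
// ".dockerconfigjson" key of a kubernetes.io/dockerconfigjson secret.
type dockerAuth struct {
	Username string `json:"username"`
	Password string `json:"password"`
	Auth     string `json:"auth"` // base64("username:password")
}

type dockerConfig struct {
	Auths map[string]dockerAuth `json:"auths"`
}

// DockerConfigJSON builds the payload for one registry server, applying the
// non-empty checks the package documents for MakeRegistrySecret.
func DockerConfigJSON(server, username, password string) ([]byte, error) {
	if server == "" || username == "" || password == "" {
		return nil, errors.New("server, username and password must be non-empty")
	}
	auth := base64.StdEncoding.EncodeToString([]byte(username + ":" + password))
	cfg := dockerConfig{Auths: map[string]dockerAuth{
		server: {Username: username, Password: password, Auth: auth},
	}}
	return json.Marshal(cfg)
}

// CredentialsFor decodes a payload and returns the credentials for server,
// rejecting an entry whose auth field disagrees with its plain fields
// (a sign the secret was hand-edited and one half is stale).
func CredentialsFor(raw []byte, server string) (string, string, error) {
	var cfg dockerConfig
	if err := json.Unmarshal(raw, &cfg); err != nil {
		return "", "", err
	}
	a, ok := cfg.Auths[server]
	dec, err := base64.StdEncoding.DecodeString(a.Auth)
	if !ok || err != nil {
		return "", "", errors.New("missing or undecodable auth entry for " + server)
	}
	user, pass, found := strings.Cut(string(dec), ":")
	if !found || user != a.Username || pass != a.Password {
		return "", "", errors.New("auth field does not match username/password")
	}
	return user, pass, nil
}
```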
func MakeTLSSecret
func MakeTLSSecret(name, namespace string, opts ...TLSSecretOption) (*corev1.Secret, error)
MakeTLSSecret creates a Kubernetes TLS secret from certificate data.
The function supports creating secrets with CA certificate only, client certificate and key pair only, or both. At least one option must be provided.
func MakeTokenSecret
MakeTokenSecret creates a Kubernetes secret for generic API token authentication.
The function requires a non-empty token value. The resulting secret will be of type Opaque with the token stored under the "token" key. This is suitable for API tokens such as those for GitHub, Slack, or Telegram.
func ProxyURLFromSecret
ProxyURLFromSecret creates a proxy URL from a Kubernetes secret.
The function expects the secret to contain an "address" field with the proxy URL. Optional "username" and "password" fields can be provided for proxy authentication.
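The address/username/password assembly described above, as an added example that is not the package's own code: secret.Data is modelled as a plain map and the function names are constructed. It also shows the form a controller should log, since url.URL.Redacted masks the password.

```go
package main

import (
	"errors"
	"net/url"
)

// ProxyURL follows the documented contract of ProxyURLFromSecret: the
// "address" key is required, "username" and "password" are optional and,
// when a username is present, become the URL's userinfo.
func ProxyURL(data map[string][]byte) (*url.URL, error) {
	address := string(data["address"])
	if address == "" {
		return nil, errors.New("address key is missing or empty")
	}
	u, err := url.Parse(address)
	if err != nil {
		return nil, err
	}
	// A bare "host:port" parses as a scheme-less path; reject it up front so
	// the controller fails at reconcile time rather than on the first request.
	if u.Scheme == "" || u.Host == "" {
		return nil, errors.New("proxy address must include scheme and host")
	}
	if user := string(data["username"]); user != "" {
		u.User = url.UserPassword(user, string(data["password"]))
	}
	return u, nil
}

// LoggableProxyURL is the string to put in logs and events: Redacted replaces
// any password with "xxxxx" so the secret value never leaves the secret.
func LoggableProxyURL(u *url.URL) string { return u.Redacted() }
```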
func PullSecretsFromServiceAccountRef (added in v0.65.0)
func PullSecretsFromServiceAccountRef(ctx context.Context, c client.Client, saRef types.NamespacedName) ([]corev1.Secret, error)
PullSecretsFromServiceAccountRef retrieves all image pull secrets referenced by a service account.
The function resolves all secrets listed in the service account's imagePullSecrets field and returns them as a slice. If any referenced secret cannot be found, an error is returned.
func TLSConfigFromSecret
TLSConfigFromSecret creates a TLS configuration from a Kubernetes secret.
The function looks for TLS certificate data in the secret using standard field names (tls.crt, tls.key, ca.crt). It also supports legacy field names (certFile, keyFile, caFile) as fallbacks, logging warnings when they are used.
Standard field names always take precedence over legacy ones.
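The key-resolution and validation rules described above (standard keys win, legacy keys are accepted with a warning, and the three TLSValidationErrorType cases), as an added example that is not the package's own code: secret.Data is modelled as a plain map, and the error values and function names are constructed for the example.

```go
package main

import "errors"

// Standard keys and their legacy fallbacks, as listed in the package constants.
var keyPairs = [3][2]string{
	{"tls.crt", "certFile"},
	{"tls.key", "keyFile"},
	{"ca.crt", "caFile"},
}

// One error per TLSValidationErrorType case documented for this package.
var (
	ErrMissingPrivateKey  = errors.New("certificate found but private key is missing")
	ErrMissingCertificate = errors.New("private key found but certificate is missing")
	ErrNoCertPairOrCA     = errors.New("neither a certificate pair nor a CA certificate found")
)

// TLSData holds the resolved PEM blobs plus one warning per legacy key used,
// which is what a controller would log before building a tls.Config.
type TLSData struct {
	Cert, Key, CA []byte
	Warnings      []string
}

// ResolveTLSData applies the precedence and validation rules to secret.Data
// (modelled as a plain map). A standard key always wins over its legacy
// counterpart, even when both are present; an empty value counts as absent.
func ResolveTLSData(data map[string][]byte) (*TLSData, error) {
	out := &TLSData{}
	slots := []*[]byte{&out.Cert, &out.Key, &out.CA}
	for i, kp := range keyPairs {
		if v := data[kp[0]]; len(v) > 0 {
			*slots[i] = v
		} else if v := data[kp[1]]; len(v) > 0 {
			*slots[i] = v
			out.Warnings = append(out.Warnings, "using legacy key "+kp[1]+"; migrate to "+kp[0])
		}
	}
	switch {
	case out.Cert != nil && out.Key == nil:
		return nil, ErrMissingPrivateKey
	case out.Key != nil && out.Cert == nil:
		return nil, ErrMissingCertificate
	case out.Cert == nil && out.CA == nil:
		return nil, ErrNoCertPairOrCA
	}
	return out, nil
}
```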
Types
type KeyNotFoundError
KeyNotFoundError is returned when a specific key is not found in a secret.
func (*KeyNotFoundError) Error
func (e *KeyNotFoundError) Error() string
func (*KeyNotFoundError) Is
func (e *KeyNotFoundError) Is(target error) bool
type TLSSecretOption
type TLSSecretOption func(*tlsCertificateData)
TLSSecretOption configures a TLS secret.
func WithCAData
func WithCAData(caData []byte) TLSSecretOption
WithCAData sets the CA certificate data for the TLS secret.
func WithCertKeyPair
func WithCertKeyPair(certData, keyData []byte) TLSSecretOption
WithCertKeyPair sets the certificate and key data for the TLS secret.
type TLSValidationError
type TLSValidationError struct {
Type TLSValidationErrorType
}
TLSValidationError represents TLS certificate validation errors.
func (*TLSValidationError) Error
func (e *TLSValidationError) Error() string
type TLSValidationErrorType
type TLSValidationErrorType int
TLSValidationErrorType defines the type of TLS validation error.
const (
	// ErrMissingPrivateKey indicates that a certificate exists but the private key is missing.
	ErrMissingPrivateKey TLSValidationErrorType = iota
	// ErrMissingCertificate indicates that a private key exists but the certificate is missing.
	ErrMissingCertificate
	// ErrNoCertificatePairOrCA indicates that neither a certificate pair nor a CA certificate is present.
	ErrNoCertificatePairOrCA
)