secrets

package
v0.72.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jul 16, 2025 License: Apache-2.0 Imports: 16 Imported by: 2

Documentation

Overview

Package secrets provides utilities for handling Kubernetes secrets in Flux controllers.

This package consolidates common secret handling patterns used across Flux controllers including TLS certificate secrets, proxy configuration secrets, basic authentication secrets, API token secrets, and image pull secrets.

Index

Constants

View Source 
const (
	// KeyTLSCert is the standard key for TLS certificate data in secrets.
	KeyTLSCert = corev1.TLSCertKey
	// KeyTLSPrivateKey is the standard key for TLS private key data in secrets.
	KeyTLSPrivateKey = corev1.TLSPrivateKeyKey
	// KeyCACert is the standard key for CA certificate data in secrets.
	KeyCACert = "ca.crt"

	// LegacyKeyTLSCert is the legacy key for TLS certificate data in secrets.
	LegacyKeyTLSCert = "certFile"
	// LegacyKeyTLSPrivateKey is the legacy key for TLS private key data in secrets.
	LegacyKeyTLSPrivateKey = "keyFile"
	// LegacyKeyCACert is the legacy key for CA certificate data in secrets.
	LegacyKeyCACert = "caFile"

	// KeyUsername is the key for username data in basic auth secrets.
	KeyUsername = "username"
	// KeyPassword is the key for password data in basic auth secrets.
	KeyPassword = "password"

	// KeyAddress is the key for proxy address data in proxy secrets.
	KeyAddress = "address"

	// KeyBearerToken is the key for bearer token data in secrets.
	KeyBearerToken = "bearerToken"
	// KeyToken is the key for generic API token data in secrets.
	KeyToken = "token"

	// KeyGitHubAppID is the key for GitHub App ID data in secrets.
	KeyGitHubAppID = "githubAppID"
	// KeyGitHubAppInstallationID is the key for GitHub App installation ID data in secrets.
	KeyGitHubAppInstallationID = "githubAppInstallationID"
	// KeyGitHubAppPrivateKey is the key for GitHub App private key data in secrets.
	KeyGitHubAppPrivateKey = "githubAppPrivateKey"
	// KeyGitHubAppBaseURL is the key for GitHub App base URL data in secrets.
	KeyGitHubAppBaseURL = "githubAppBaseURL"

	// KeySSHPrivateKey is the key for SSH private key data in secrets.
	KeySSHPrivateKey = "identity"
	// KeySSHPublicKey is the key for SSH public key data in secrets.
	KeySSHPublicKey = "identity.pub"
	// KeySSHKnownHosts is the key for SSH known hosts data in secrets.
	KeySSHKnownHosts = "known_hosts"
)

Variables

View Source 
var (
	// ErrKeyNotFound is returned when a required key is not found in a secret.
	ErrKeyNotFound = errors.New("key not found in secret")
)

Functions

func Apply added in v0.67.0 

func Apply(ctx context.Context, c client.Client, secret *corev1.Secret, opts ...ApplyOption) error

Apply applies a Kubernetes secret using server-side apply with configurable options. If the secret already exists and is immutable, the object is deleted first.

func BasicAuthFromSecret 

func BasicAuthFromSecret(ctx context.Context, secret *corev1.Secret) (string, string, error)

BasicAuthFromSecret retrieves basic authentication credentials from a Kubernetes secret.

The function expects the secret to contain "username" and "password" fields. Both fields are required and the function will return an error if either is missing.

func MakeBasicAuthSecret 

func MakeBasicAuthSecret(name, namespace, username, password string) (*corev1.Secret, error)

MakeBasicAuthSecret creates a Kubernetes basic auth secret.

The function requires both username and password to be non-empty. The resulting secret will be of type kubernetes.io/basic-auth.

func MakeBearerTokenSecret 

func MakeBearerTokenSecret(name, namespace, token string) (*corev1.Secret, error)

MakeBearerTokenSecret creates a Kubernetes secret for bearer token authentication.

The function requires a non-empty token value. The resulting secret will be of type Opaque with the token stored under the "bearerToken" key.

func MakeGitHubAppSecret added in v0.67.0 

func MakeGitHubAppSecret(name, namespace, appID, installationID, privateKey, baseURL string) (*corev1.Secret, error)

MakeGitHubAppSecret creates a Kubernetes secret for GitHub App authentication.

The function requires appID, installationID, and privateKey to be non-empty. Optional baseURL can be provided for GitHub Enterprise Server instances. The resulting secret will be of type Opaque.

func MakeProxySecret 

func MakeProxySecret(name, namespace, address, username, password string) (*corev1.Secret, error)

MakeProxySecret creates a Kubernetes secret for proxy configuration.

The function requires a valid proxy address (URL format). Optional username and password can be provided for proxy authentication. The resulting secret will be of type Opaque.

func MakeRegistrySecret 

func MakeRegistrySecret(name, namespace, server, username, password string) (*corev1.Secret, error)

MakeRegistrySecret creates a Kubernetes Docker config secret for container registry authentication.

The function requires server, username, and password to be non-empty. It generates a Docker config JSON with base64-encoded auth field containing "username:password". The resulting secret will be of type kubernetes.io/dockerconfigjson.

func MakeSOPSSecret added in v0.68.0 

func MakeSOPSSecret(name, namespace string, ageKeys, gpgKeys []string) (*corev1.Secret, error)

MakeSOPSSecret creates a Kubernetes secret with Age and/or GPG keys for Flux SOPS decryption.

The function requires at least one Age or GPG private key to be provided. It generates unique names for each provided key using Adler-32 checksum to avoid collisions. The resulting secret will be of type Opaque.

func MakeSSHSecret added in v0.67.0 

func MakeSSHSecret(name, namespace, privateKey, publicKey, knownHosts, password string) (*corev1.Secret, error)

MakeSSHSecret creates a Kubernetes secret for Git over SSH authentication.

The function requires privateKey and knownHosts to be non-empty. Optionally, the publicKey and private key password can be provided. The resulting secret will be of type Opaque.

func MakeTLSSecret 

func MakeTLSSecret(name, namespace string, opts ...TLSSecretOption) (*corev1.Secret, error)

MakeTLSSecret creates a Kubernetes TLS secret from certificate data.

The function supports creating secrets with CA certificate only, client certificate and key pair only, or both. At least one option must be provided.

func MakeTokenSecret 

func MakeTokenSecret(name, namespace, token string) (*corev1.Secret, error)

MakeTokenSecret creates a Kubernetes secret for generic API token authentication.

The function requires a non-empty token value. The resulting secret will be of type Opaque with the token stored under the "token" key. This is suitable for various API tokens like GitHub, Slack, Telegram, etc.

func ProxyURLFromSecret 

func ProxyURLFromSecret(ctx context.Context, secret *corev1.Secret) (*url.URL, error)

ProxyURLFromSecret creates a proxy URL from a Kubernetes secret.

The function expects the secret to contain an "address" field with the proxy URL. Optional "username" and "password" fields can be provided for proxy authentication.

func ProxyURLFromSecretRef added in v0.66.0 

func ProxyURLFromSecretRef(ctx context.Context, c client.Client, secretRef types.NamespacedName) (*url.URL, error)

ProxyURLFromSecretRef creates a proxy URL from a Kubernetes secret reference.

The function fetches the secret from the API server and then processes it using ProxyURLFromSecret. It expects the same field structure for proxy configuration.

func PullSecretsFromServiceAccountRef added in v0.65.0 

func PullSecretsFromServiceAccountRef(ctx context.Context, c client.Client, saRef types.NamespacedName) ([]corev1.Secret, error)

PullSecretsFromServiceAccountRef retrieves all image pull secrets referenced by a service account.

The function resolves all secrets listed in the service account's imagePullSecrets field and returns them as a slice. If any referenced secret cannot be found, an error is returned.

func TLSConfigFromSecret 

func TLSConfigFromSecret(ctx context.Context, secret *corev1.Secret) (*tls.Config, error)

TLSConfigFromSecret creates a TLS configuration from a Kubernetes secret.

The function looks for TLS certificate data in the secret using standard field names (tls.crt, tls.key, ca.crt). It also supports legacy field names (certFile, keyFile, caFile) as fallbacks, logging warnings when they are used.

Standard field names always take precedence over legacy ones.

func TLSConfigFromSecretRef added in v0.66.0 

func TLSConfigFromSecretRef(ctx context.Context, c client.Client, secretRef types.NamespacedName) (*tls.Config, error)

TLSConfigFromSecretRef creates a TLS configuration from a Kubernetes secret reference.

The function fetches the secret from the API server and then processes it using TLSConfigFromSecret. It supports the same field names and legacy field handling.

Types

type ApplyOption added in v0.67.0 

type ApplyOption func(*ApplyOptions)

ApplyOption configures an ApplyOptions.

func WithAnnotations added in v0.67.0 

func WithAnnotations(annotations map[string]string) ApplyOption

WithAnnotations sets annotations to be applied to the secret.

func WithForce added in v0.67.0 

func WithForce() ApplyOption

WithForce enables force apply, which can result in the deletion of existing secrets that are immutable or have a different type.

func WithImmutable added in v0.67.0 

func WithImmutable(immutable bool) ApplyOption

WithImmutable sets the immutable flag for the secret.

func WithLabels added in v0.67.0 

func WithLabels(labels map[string]string) ApplyOption

WithLabels sets labels to be applied to the secret.

func WithOwner added in v0.67.0 

func WithOwner(owner string) ApplyOption

WithOwner sets the field owner for server-side apply.

type ApplyOptions added in v0.67.0 

type ApplyOptions struct {
	// contains filtered or unexported fields
}

ApplyOptions configures the Kubernetes secret apply operations.

type KeyNotFoundError 

type KeyNotFoundError struct {
	Key    string
	Secret *corev1.Secret
}

KeyNotFoundError is returned when a specific key is not found in a secret.

func (*KeyNotFoundError) Error 

func (e *KeyNotFoundError) Error() string

func (*KeyNotFoundError) Is 

func (e *KeyNotFoundError) Is(target error) bool

type TLSSecretOption 

type TLSSecretOption func(*tlsCertificateData)

TLSSecretOption configures a TLS secret.

func WithCAData 

func WithCAData(caData []byte) TLSSecretOption

WithCAData sets the CA certificate data for the TLS secret.

func WithCertKeyPair 

func WithCertKeyPair(certData, keyData []byte) TLSSecretOption

WithCertKeyPair sets the certificate and key data for the TLS secret.

type TLSValidationError 

type TLSValidationError struct {
	Type TLSValidationErrorType
}

TLSValidationError represents TLS certificate validation errors.

func (*TLSValidationError) Error 

func (e *TLSValidationError) Error() string

type TLSValidationErrorType 

type TLSValidationErrorType int

TLSValidationErrorType defines the type of TLS validation error. 

const (
	// ErrMissingPrivateKey indicates that a certificate exists but the private key is missing.
	ErrMissingPrivateKey TLSValidationErrorType = iota
	// ErrMissingCertificate indicates that a private key exists but the certificate is missing.
	ErrMissingCertificate
	// ErrNoCertificatePairOrCA indicates that neither a certificate pair nor a CA certificate is present.
	ErrNoCertificatePairOrCA
)

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.