secrets

package v0.85.0

Warning: This package is not in the latest version of its module.

Published: Sep 13, 2025 License: Apache-2.0 Imports: 16 Imported by: 2

Documentation

Overview

Package secrets provides utilities for handling Kubernetes secrets in Flux controllers.

This package consolidates common secret handling patterns used across Flux controllers including TLS certificates, proxy configuration, basic authentication, API tokens, SSH authentication, GitHub App authentication, and image pull secrets.

Constants

const (
	// KeyTLSCert is the standard key for TLS certificate data in secrets.
	KeyTLSCert = corev1.TLSCertKey
	// KeyTLSPrivateKey is the standard key for TLS private key data in secrets.
	KeyTLSPrivateKey = corev1.TLSPrivateKeyKey
	// KeyCACert is the standard key for CA certificate data in secrets.
	KeyCACert = "ca.crt"

	// LegacyKeyTLSCert is the legacy key for TLS certificate data in secrets.
	LegacyKeyTLSCert = "certFile"
	// LegacyKeyTLSPrivateKey is the legacy key for TLS private key data in secrets.
	LegacyKeyTLSPrivateKey = "keyFile"
	// LegacyKeyCACert is the legacy key for CA certificate data in secrets.
	LegacyKeyCACert = "caFile"

	// KeyUsername is the key for username data in basic auth secrets.
	KeyUsername = "username"
	// KeyPassword is the key for password data in basic auth secrets.
	KeyPassword = "password"

	// KeyAddress is the key for proxy address data in proxy secrets.
	KeyAddress = "address"

	// KeyBearerToken is the key for bearer token data in secrets.
	KeyBearerToken = "bearerToken"
	// KeyToken is the key for generic API token data in secrets.
	KeyToken = "token"

	// KeyGitHubAppID is the key for GitHub App ID data in secrets.
	KeyGitHubAppID = "githubAppID"
	// KeyGitHubAppInstallationID is the key for GitHub App installation ID data in secrets.
	KeyGitHubAppInstallationID = "githubAppInstallationID"
	// KeyGitHubAppPrivateKey is the key for GitHub App private key data in secrets.
	KeyGitHubAppPrivateKey = "githubAppPrivateKey"
	// KeyGitHubAppBaseURL is the key for GitHub App base URL data in secrets.
	KeyGitHubAppBaseURL = "githubAppBaseURL"

	// KeySSHPrivateKey is the key for SSH private key data in secrets.
	KeySSHPrivateKey = "identity"
	// KeySSHPublicKey is the key for SSH public key data in secrets.
	KeySSHPublicKey = "identity.pub"
	// KeySSHKnownHosts is the key for SSH known hosts data in secrets.
	KeySSHKnownHosts = "known_hosts"
)

Variables

var (
	// ErrKeyNotFound is returned when a required key is not found in a secret.
	ErrKeyNotFound = errors.New("key not found in secret")
)

Functions

func Apply added in v0.67.0

func Apply(ctx context.Context, c client.Client, secret *corev1.Secret, opts ...ApplyOption) error

Apply applies a Kubernetes secret using server-side apply with configurable options. If the secret already exists and is immutable, the object is deleted first.

func MakeBasicAuthSecret

func MakeBasicAuthSecret(name, namespace, username, password string) (*corev1.Secret, error)

MakeBasicAuthSecret creates a Kubernetes basic auth secret.

The function requires both username and password to be non-empty. The resulting secret will be of type kubernetes.io/basic-auth.

func MakeBearerTokenSecret

func MakeBearerTokenSecret(name, namespace, token string) (*corev1.Secret, error)

MakeBearerTokenSecret creates a Kubernetes secret for bearer token authentication.

The function requires a non-empty token value. The resulting secret will be of type Opaque with the token stored under the "bearerToken" key.

func MakeGitHubAppSecret added in v0.67.0

func MakeGitHubAppSecret(name, namespace, appID, installationID, privateKey, baseURL string) (*corev1.Secret, error)

MakeGitHubAppSecret creates a Kubernetes secret for GitHub App authentication.

The function requires appID, installationID, and privateKey to be non-empty. Optional baseURL can be provided for GitHub Enterprise Server instances. The resulting secret will be of type Opaque.

func MakeProxySecret

func MakeProxySecret(name, namespace, address, username, password string) (*corev1.Secret, error)

MakeProxySecret creates a Kubernetes secret for proxy configuration.

The function requires a valid proxy address (URL format). Optional username and password can be provided for proxy authentication. The resulting secret will be of type Opaque.

func MakeRegistrySecret

func MakeRegistrySecret(name, namespace, server, username, password string) (*corev1.Secret, error)

MakeRegistrySecret creates a Kubernetes Docker config secret for container registry authentication.

The function requires server, username, and password to be non-empty. It generates a Docker config JSON with a base64-encoded "auth" field containing "username:password". The resulting secret will be of type kubernetes.io/dockerconfigjson.
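The Docker config layout this describes, as an added example that is not the package's code: it builds the JSON payload from non-empty server, username and password values, and also shows the consuming side that a controller runs over the pull secrets it resolves, including the case of an older config entry that carries only the base64 "auth" field. The registry host and credentials are constructed sample values.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// dockerConfigJSON mirrors the Docker client config layout stored under the
// ".dockerconfigjson" key of a kubernetes.io/dockerconfigjson secret.
type dockerConfigJSON struct {
	Auths map[string]dockerAuthEntry `json:"auths"`
}

type dockerAuthEntry struct {
	Username string `json:"username,omitempty"`
	Password string `json:"password,omitempty"`
	Auth     string `json:"auth"`
}

// buildDockerConfigJSON follows the encoding described for MakeRegistrySecret:
// all three inputs must be non-empty and "auth" is base64("username:password").
func buildDockerConfigJSON(server, username, password string) ([]byte, error) {
	if server == "" || username == "" || password == "" {
		return nil, errors.New("server, username and password must be non-empty")
	}
	auth := base64.StdEncoding.EncodeToString([]byte(username + ":" + password))
	return json.Marshal(dockerConfigJSON{Auths: map[string]dockerAuthEntry{
		server: {Username: username, Password: password, Auth: auth},
	}})
}

// credentialsFor is the consuming side: look up the registry entry and recover
// username/password, decoding "auth" when the explicit fields are absent.
func credentialsFor(data []byte, server string) (username, password string, err error) {
	var cfg dockerConfigJSON
	if err := json.Unmarshal(data, &cfg); err != nil {
		return "", "", fmt.Errorf("invalid .dockerconfigjson: %w", err)
	}
	entry, ok := cfg.Auths[server]
	if !ok {
		return "", "", fmt.Errorf("no auth entry for registry %q", server)
	}
	if entry.Username != "" && entry.Password != "" {
		return entry.Username, entry.Password, nil
	}
	raw, err := base64.StdEncoding.DecodeString(entry.Auth)
	if err != nil {
		return "", "", fmt.Errorf("auth field is not valid base64: %w", err)
	}
	// Passwords may themselves contain ':', so split on the first separator only.
	user, pass, found := strings.Cut(string(raw), ":")
	if !found || user == "" || pass == "" {
		return "", "", errors.New("auth field does not decode to username:password")
	}
	return user, pass, nil
}

func main() {
	// Constructed sample values, not real credentials.
	data, err := buildDockerConfigJSON("registry.example.com", "flux-bot", "s3cr3t:with:colons")
	if err != nil {
		panic(err)
	}
	fmt.Println(string(data))
	fmt.Println(credentialsFor(data, "registry.example.com"))
}
```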

func MakeSOPSSecret added in v0.68.0

func MakeSOPSSecret(name, namespace string, ageKeys, gpgKeys []string) (*corev1.Secret, error)

MakeSOPSSecret creates a Kubernetes secret with Age and/or GPG keys for Flux SOPS decryption.

The function requires at least one Age or GPG private key to be provided. It generates a unique name for each provided key using an Adler-32 checksum to avoid collisions. The resulting secret will be of type Opaque.

func MakeSSHSecret added in v0.67.0

func MakeSSHSecret(name, namespace, privateKey, publicKey, knownHosts, password string) (*corev1.Secret, error)

MakeSSHSecret creates a Kubernetes secret for Git over SSH authentication.

The function requires privateKey and knownHosts to be non-empty. Optionally, the publicKey and private key password can be provided. The resulting secret will be of type Opaque.

func MakeTLSSecret

func MakeTLSSecret(name, namespace string, opts ...TLSSecretOption) (*corev1.Secret, error)

MakeTLSSecret creates a Kubernetes TLS secret from certificate data.

The function supports creating secrets with CA certificate only, client certificate and key pair only, or both. At least one option must be provided.

func MakeTokenSecret

func MakeTokenSecret(name, namespace, token string) (*corev1.Secret, error)

MakeTokenSecret creates a Kubernetes secret for generic API token authentication.

The function requires a non-empty token value. The resulting secret will be of type Opaque with the token stored under the "token" key. This is suitable for various API tokens like GitHub, Slack, Telegram, etc.

func ProxyURLFromSecret

func ProxyURLFromSecret(ctx context.Context, secret *corev1.Secret) (*url.URL, error)

ProxyURLFromSecret creates a proxy URL from a Kubernetes secret.

The function expects the secret to contain an "address" field with the proxy URL. Optional "username" and "password" fields can be provided for proxy authentication.
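An added example of the field handling described above, written against a plain map[string][]byte standing in for secret.Data so it runs without a cluster; it is not the package's implementation. The scheme/host check and the rejection of a password without a username are this example's own choices, not documented behaviour. The last line of main shows the form a controller should log: url.URL.Redacted() masks the password, so the proxy credential never reaches the log stream.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
)

// proxyURLFromData builds a proxy URL from secret data the way ProxyURLFromSecret
// is described: "address" is required, "username" and "password" are optional.
func proxyURLFromData(data map[string][]byte) (*url.URL, error) {
	addr := data["address"]
	if len(addr) == 0 {
		return nil, errors.New("key not found in secret: address")
	}
	u, err := url.Parse(string(addr))
	if err != nil {
		return nil, fmt.Errorf("invalid proxy address: %w", err)
	}
	// Sanity check added by this example: a proxy address needs a scheme and a host.
	if u.Scheme == "" || u.Host == "" {
		return nil, fmt.Errorf("proxy address %q must include scheme and host", addr)
	}
	user, pass := string(data["username"]), string(data["password"])
	switch {
	case user != "" && pass != "":
		u.User = url.UserPassword(user, pass) // escapes '@', '/', ':' and '?' in either value
	case user != "":
		u.User = url.User(user)
	case pass != "":
		// This example's own rule: a password with no username is a configuration error.
		return nil, errors.New("proxy password set without username")
	}
	return u, nil
}

func main() {
	// Constructed sample secret data, not real credentials.
	u, err := proxyURLFromData(map[string][]byte{
		"address": []byte("http://proxy.internal:3128"), "username": []byte("svc"), "password": []byte("p@ss/word"),
	})
	if err != nil {
		panic(err)
	}
	// Log the redacted form only; u.String() would expose the password.
	fmt.Println(u.Redacted())
}
```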

func ProxyURLFromSecretRef added in v0.66.0

func ProxyURLFromSecretRef(ctx context.Context, c client.Client, secretRef types.NamespacedName) (*url.URL, error)

ProxyURLFromSecretRef creates a proxy URL from a Kubernetes secret reference.

The function fetches the secret from the API server and then processes it using ProxyURLFromSecret. It expects the same field structure for proxy configuration.

func PullSecretsFromServiceAccountRef added in v0.65.0

func PullSecretsFromServiceAccountRef(ctx context.Context, c client.Client, saRef types.NamespacedName) ([]corev1.Secret, error)

PullSecretsFromServiceAccountRef retrieves all image pull secrets referenced by a service account.

The function resolves all secrets listed in the service account's imagePullSecrets field and returns them as a slice. If any referenced secret cannot be found, an error is returned.

func TLSConfigFromSecret

func TLSConfigFromSecret(ctx context.Context, secret *corev1.Secret, opts ...TLSConfigOption) (*tls.Config, error)

TLSConfigFromSecret creates a TLS configuration from a Kubernetes secret.

The function looks for TLS certificate data in the secret using standard field names (tls.crt, tls.key, ca.crt). It also supports legacy field names (certFile, keyFile, caFile) as fallbacks, logging warnings when they are used.

Standard field names always take precedence over legacy ones.

Optional TLSConfigOption parameters can be used to configure CA certificate handling:

  • WithSystemCertPool(): Include system certificates in addition to user-provided CA

func TLSConfigFromSecretRef added in v0.66.0

func TLSConfigFromSecretRef(ctx context.Context, c client.Client, secretRef types.NamespacedName, opts ...TLSConfigOption) (*tls.Config, error)

TLSConfigFromSecretRef creates a TLS configuration from a Kubernetes secret reference.

The function fetches the secret from the API server and then processes it using TLSConfigFromSecret. It supports the same field names and legacy field handling.

Optional TLSConfigOption parameters can be used to configure CA certificate handling:

  • WithSystemCertPool(): Include system certificates in addition to user-provided CA

Types

type ApplyOption added in v0.67.0

type ApplyOption func(*ApplyOptions)

ApplyOption configures an ApplyOptions.

func WithAnnotations added in v0.67.0

func WithAnnotations(annotations map[string]string) ApplyOption

WithAnnotations sets annotations to be applied to the secret.

func WithForce added in v0.67.0

func WithForce() ApplyOption

WithForce enables force apply, which can result in the deletion of existing secrets that are immutable or have a different type.

func WithImmutable added in v0.67.0

func WithImmutable(immutable bool) ApplyOption

WithImmutable sets the immutable flag for the secret.

func WithLabels added in v0.67.0

func WithLabels(labels map[string]string) ApplyOption

WithLabels sets labels to be applied to the secret.

func WithOwner added in v0.67.0

func WithOwner(owner string) ApplyOption

WithOwner sets the field owner for server-side apply.

type ApplyOptions added in v0.67.0

type ApplyOptions struct {
	// contains filtered or unexported fields
}

ApplyOptions configures the Kubernetes secret apply operations.

type AuthMethods added in v0.73.0

type AuthMethods struct {
	Basic         *BasicAuth
	Bearer        BearerAuth
	Token         TokenAuth
	SSH           *SSHAuth
	GitHubAppData GitHubAppData
	TLS           *tls.Config
}

AuthMethods holds all available authentication methods detected from a secret.

func AuthMethodsFromSecret added in v0.73.0

func AuthMethodsFromSecret(ctx context.Context, secret *corev1.Secret, opts ...AuthMethodsOption) (*AuthMethods, error)

AuthMethodsFromSecret extracts all available authentication methods from a Kubernetes secret.

The function attempts to parse all supported authentication methods from the secret data. It does not fail if a particular authentication method is not present, but will return an error if the secret contains malformed authentication data.

Supported authentication methods:

  • Basic authentication (username/password)
  • Bearer token authentication
  • Token authentication
  • SSH authentication (private key, known hosts)
  • GitHub App authentication (app ID, installation ID, private key)
  • TLS client certificates

Multiple authentication methods can be present in a single secret and will be extracted simultaneously, enabling use cases like Basic Auth + TLS or Bearer Token + TLS.

Options can be provided to configure TLS extraction behavior.

func (*AuthMethods) HasBasicAuth added in v0.73.0

func (am *AuthMethods) HasBasicAuth() bool

HasBasicAuth returns true if basic authentication is available.

func (*AuthMethods) HasBearerAuth added in v0.73.0

func (am *AuthMethods) HasBearerAuth() bool

HasBearerAuth returns true if bearer token authentication is available.

func (*AuthMethods) HasGitHubAppData added in v0.79.0

func (am *AuthMethods) HasGitHubAppData() bool

HasGitHubAppData returns true if GitHub App authentication data is available.

func (*AuthMethods) HasSSH added in v0.73.0

func (am *AuthMethods) HasSSH() bool

HasSSH returns true if SSH authentication is available.

func (*AuthMethods) HasTLS added in v0.73.0

func (am *AuthMethods) HasTLS() bool

HasTLS returns true if TLS configuration is available.

func (*AuthMethods) HasTokenAuth added in v0.74.0

func (am *AuthMethods) HasTokenAuth() bool

HasTokenAuth returns true if token authentication is available.

type AuthMethodsOption added in v0.75.0

type AuthMethodsOption func(*authMethodsConfig)

AuthMethodsOption configures the behavior of AuthMethodsFromSecret.

func WithTLSSystemCertPool added in v0.77.0

func WithTLSSystemCertPool() AuthMethodsOption

WithTLSSystemCertPool enables the use of system certificate pool in addition to user-provided CA certificates.

type BasicAuth added in v0.73.0

type BasicAuth struct {
	Username string
	Password string
}

BasicAuth holds basic authentication credentials.

func BasicAuthFromSecret

func BasicAuthFromSecret(ctx context.Context, secret *corev1.Secret) (*BasicAuth, error)

BasicAuthFromSecret retrieves basic authentication credentials from a Kubernetes secret.

The function expects the secret to contain "username" and "password" fields. Both fields are required and the function will return an error if either is missing. Partial presence (username without password, or password without username) is treated as malformed and will return a BasicAuthMalformedError.

type BasicAuthMalformedError added in v0.73.0

type BasicAuthMalformedError struct {
	Present string
	Missing string
	Secret  *corev1.Secret
}

BasicAuthMalformedError is returned when a secret contains partial basic auth data. This indicates a configuration error where one of username/password is present but the other is missing.

func (*BasicAuthMalformedError) Error added in v0.73.0

func (e *BasicAuthMalformedError) Error() string

type BearerAuth added in v0.73.0

type BearerAuth string

BearerAuth holds bearer token authentication credentials.

func BearerAuthFromSecret added in v0.73.0

func BearerAuthFromSecret(ctx context.Context, secret *corev1.Secret) (BearerAuth, error)

BearerAuthFromSecret retrieves bearer token authentication credentials from a Kubernetes secret.

The function expects the secret to contain a "bearerToken" field. The field is required, and the function will return an error if it is missing.

type GitHubAppData added in v0.79.0

type GitHubAppData = map[string][]byte

GitHubAppData holds GitHub App authentication data as key-value pairs.

func GitHubAppDataFromSecret added in v0.79.0

func GitHubAppDataFromSecret(ctx context.Context, secret *corev1.Secret) (GitHubAppData, error)

GitHubAppDataFromSecret retrieves GitHub App authentication data from a Kubernetes secret.

The function expects the secret to contain "githubAppID", "githubAppInstallationID", and "githubAppPrivateKey" fields. All three fields are required, and the function will return an error if any is missing. An optional "githubAppBaseURL" field may be present for GitHub Enterprise Server instances.

func GitHubAppDataFromSecretRef added in v0.79.0

func GitHubAppDataFromSecretRef(ctx context.Context, c client.Client, secretRef types.NamespacedName) (GitHubAppData, error)

GitHubAppDataFromSecretRef retrieves GitHub App authentication data from a Kubernetes secret reference.

The function fetches the secret from the API server and then processes it using GitHubAppDataFromSecret. It expects the same field structure for GitHub App configuration.

type KeyNotFoundError

type KeyNotFoundError struct {
	Key    string
	Secret *corev1.Secret
}

KeyNotFoundError is returned when a specific key is not found in a secret.

func (*KeyNotFoundError) Error

func (e *KeyNotFoundError) Error() string

func (*KeyNotFoundError) Is

func (e *KeyNotFoundError) Is(target error) bool

type SSHAuth added in v0.73.0

type SSHAuth struct {
	PrivateKey []byte
	PublicKey  []byte
	KnownHosts string
	Password   string
}

SSHAuth holds SSH authentication credentials.

func SSHAuthFromSecret added in v0.73.0

func SSHAuthFromSecret(ctx context.Context, secret *corev1.Secret) (*SSHAuth, error)

SSHAuthFromSecret retrieves SSH authentication credentials from a Kubernetes secret.

The function expects the secret to contain "identity" and "known_hosts" fields. Both fields are required and the function will return an error if either is missing. Optional "identity.pub" and "password" fields can be present.
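The "absent is fine, partial is malformed" rule that AuthMethodsFromSecret, BasicAuthFromSecret and SSHAuthFromSecret describe, as one added example over a map[string][]byte standing in for secret.Data (not the package's code; TLS and GitHub App extraction are left out, the GitHub App keys follow the same group rule). Because "password" is both the basic-auth password and the optional SSH key passphrase, the example treats a lone password next to SSH data as not malformed; that disambiguation is an assumption of the example, since the page does not say how the package resolves the shared key.

```go
package main

import (
	"errors"
	"fmt"
)

// Secret keys as documented for this package.
const (
	keyUsername   = "username"
	keyPassword   = "password"
	keyBearer     = "bearerToken"
	keyToken      = "token"
	keySSHKey     = "identity"
	keySSHPub     = "identity.pub"
	keyKnownHosts = "known_hosts"
)

type basicAuth struct{ Username, Password string }

type sshAuth struct {
	PrivateKey, PublicKey []byte
	KnownHosts, Password  string
}

// authMethods mirrors the documented AuthMethods shape (TLS and GitHub App left out).
type authMethods struct {
	Basic  *basicAuth
	Bearer string
	Token  string
	SSH    *sshAuth
}

func (am *authMethods) HasBasicAuth() bool  { return am.Basic != nil }
func (am *authMethods) HasBearerAuth() bool { return am.Bearer != "" }
func (am *authMethods) HasTokenAuth() bool  { return am.Token != "" }
func (am *authMethods) HasSSH() bool        { return am.SSH != nil }

// malformedError reports a key group where some, but not all, required keys are set.
type malformedError struct{ Present, Missing []string }

func (e *malformedError) Error() string {
	return fmt.Sprintf("malformed auth data: present %v, missing %v", e.Present, e.Missing)
}

func has(data map[string][]byte, key string) bool { return len(data[key]) > 0 }

// requireGroup encodes "absent is fine, partial is an error": (false, nil) when no
// key of the group is set, (true, nil) when all are, *malformedError otherwise.
func requireGroup(data map[string][]byte, keys ...string) (bool, error) {
	var present, missing []string
	for _, k := range keys {
		if has(data, k) {
			present = append(present, k)
		} else {
			missing = append(missing, k)
		}
	}
	switch {
	case len(present) == 0:
		return false, nil
	case len(missing) == 0:
		return true, nil
	}
	return false, &malformedError{Present: present, Missing: missing}
}

// authMethodsFromData extracts every method whose keys are present, in the spirit
// of AuthMethodsFromSecret: no method is required, but partial data is rejected.
func authMethodsFromData(data map[string][]byte) (*authMethods, error) {
	// Single-key methods cannot be partial: they are simply present or absent.
	am := &authMethods{Bearer: string(data[keyBearer]), Token: string(data[keyToken])}
	if ok, err := requireGroup(data, keySSHKey, keyKnownHosts); err != nil {
		return nil, err
	} else if ok { // identity.pub and password are optional for SSH
		am.SSH = &sshAuth{PrivateKey: data[keySSHKey], PublicKey: data[keySSHPub],
			KnownHosts: string(data[keyKnownHosts]), Password: string(data[keyPassword])}
	}
	if ok, err := requireGroup(data, keyUsername, keyPassword); err != nil {
		// "password" doubles as the optional SSH passphrase, so a lone password next to
		// SSH data is not a broken basic-auth pair (assumed disambiguation of the shared key).
		if has(data, keyUsername) || am.SSH == nil {
			return nil, err
		}
	} else if ok {
		am.Basic = &basicAuth{Username: string(data[keyUsername]), Password: string(data[keyPassword])}
	}
	return am, nil
}

func main() {
	// Constructed sample: SSH key with passphrase plus a bearer token; no basic auth.
	am, err := authMethodsFromData(map[string][]byte{
		keySSHKey: []byte("<private key PEM>"), keyKnownHosts: []byte("<known_hosts>"),
		keyPassword: []byte("passphrase"), keyBearer: []byte("tok"),
	})
	fmt.Println(am.HasSSH(), am.HasBasicAuth(), am.HasBearerAuth(), err)
	// Constructed sample: username without password is a configuration error.
	_, err = authMethodsFromData(map[string][]byte{keyUsername: []byte("bot")})
	fmt.Println(errors.As(err, new(*malformedError)), err)
}
```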

type SecretTLSValidationError added in v0.73.0

type SecretTLSValidationError struct {
	*TLSValidationError
	Secret *corev1.Secret
}

SecretTLSValidationError wraps TLSValidationError with secret reference information.

func (*SecretTLSValidationError) Error added in v0.73.0

func (e *SecretTLSValidationError) Error() string

func (*SecretTLSValidationError) Unwrap added in v0.73.0

func (e *SecretTLSValidationError) Unwrap() error

type TLSConfigOption added in v0.77.0

type TLSConfigOption func(*tlsConfig)

TLSConfigOption is a functional option for configuring TLS behavior.

func WithSystemCertPool added in v0.77.0

func WithSystemCertPool() TLSConfigOption

WithSystemCertPool enables the use of system certificate pool in addition to user-provided CA certificates.

type TLSSecretOption

type TLSSecretOption func(*tlsCertificateData)

TLSSecretOption configures a TLS secret.

func WithCAData

func WithCAData(caData []byte) TLSSecretOption

WithCAData sets the CA certificate data for the TLS secret.

func WithCertKeyPair

func WithCertKeyPair(certData, keyData []byte) TLSSecretOption

WithCertKeyPair sets the certificate and key data for the TLS secret.

type TLSValidationError

type TLSValidationError struct {
	Type TLSValidationErrorType
}

TLSValidationError represents TLS certificate validation errors.

func (*TLSValidationError) Error

func (e *TLSValidationError) Error() string

type TLSValidationErrorType

type TLSValidationErrorType int

TLSValidationErrorType defines the type of TLS validation error.

const (
	// ErrMissingPrivateKey indicates that a certificate exists but the private key is missing.
	ErrMissingPrivateKey TLSValidationErrorType = iota
	// ErrMissingCertificate indicates that a private key exists but the certificate is missing.
	ErrMissingCertificate
	// ErrNoCertificatePairOrCA indicates that neither a certificate pair nor a CA certificate is present.
	ErrNoCertificatePairOrCA
)
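The precedence, legacy-fallback and validation rules described for TLSConfigFromSecret, together with the three TLSValidationErrorType outcomes listed above, as an added example that is not the package's code. It works on a map[string][]byte standing in for secret.Data, records a warning whenever a legacy key is used, and shows the trust difference between a pool holding only the secret's CA and one built on the system roots as WithSystemCertPool is documented to do. The self-signed certificate is generated at run time purely as constructed test material.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

type tlsValidationErrorType int // mirrors the documented TLSValidationErrorType values

const (
	errMissingPrivateKey tlsValidationErrorType = iota
	errMissingCertificate
	errNoCertificatePairOrCA
)

type tlsValidationError struct{ Type tlsValidationErrorType }

func (e *tlsValidationError) Error() string {
	return fmt.Sprintf("tls secret validation failed (type %d)", e.Type)
}

// resolveKey prefers the standard key, falls back to the legacy key and records a warning when it does.
func resolveKey(data map[string][]byte, standard, legacy string, warnings *[]string) ([]byte, bool) {
	if v := data[standard]; len(v) > 0 {
		return v, true
	}
	if v := data[legacy]; len(v) > 0 {
		*warnings = append(*warnings, fmt.Sprintf("legacy key %q used; migrate to %q", legacy, standard))
		return v, true
	}
	return nil, false
}

type tlsMaterial struct {
	Cert, Key, CA []byte
	Warnings      []string
}

// resolveTLSMaterial accepts CA only, certificate/key pair only, or both; half a pair is an error.
func resolveTLSMaterial(data map[string][]byte) (*tlsMaterial, error) {
	m := &tlsMaterial{}
	cert, hasCert := resolveKey(data, "tls.crt", "certFile", &m.Warnings)
	key, hasKey := resolveKey(data, "tls.key", "keyFile", &m.Warnings)
	ca, hasCA := resolveKey(data, "ca.crt", "caFile", &m.Warnings)
	switch {
	case hasCert && !hasKey:
		return nil, &tlsValidationError{Type: errMissingPrivateKey}
	case hasKey && !hasCert:
		return nil, &tlsValidationError{Type: errMissingCertificate}
	case !hasCert && !hasCA:
		return nil, &tlsValidationError{Type: errNoCertificatePairOrCA}
	}
	m.Cert, m.Key, m.CA = cert, key, ca
	return m, nil
}

// rootPool trusts only the secret's CA unless systemPool is set, which appends it to the system roots.
func rootPool(ca []byte, systemPool bool) (*x509.CertPool, error) {
	pool := x509.NewCertPool()
	if systemPool {
		sys, err := x509.SystemCertPool()
		if err != nil {
			return nil, err
		}
		pool = sys
	}
	if !pool.AppendCertsFromPEM(ca) {
		return nil, errors.New("ca.crt contains no PEM-encoded certificate")
	}
	return pool, nil
}

// selfSignedCertPEM generates throwaway CA material for the demo (constructed, not a real CA).
func selfSignedCertPEM() []byte {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { panic(err) }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "demo-ca"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil { panic(err) }
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	ca := selfSignedCertPEM()
	m, err := resolveTLSMaterial(map[string][]byte{"caFile": ca}) // legacy key: accepted, with a warning
	fmt.Println(m.Warnings, err)
}
```

Note the trust model this makes visible: with systemPool false only the secret's CA is trusted, so an endpoint presenting a publicly issued certificate fails verification unless the system pool is included, which is exactly the choice WithSystemCertPool exposes.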

type TokenAuth added in v0.74.0

type TokenAuth string

TokenAuth holds generic token authentication credentials.

func TokenAuthFromSecret added in v0.74.0

func TokenAuthFromSecret(ctx context.Context, secret *corev1.Secret) (TokenAuth, error)

TokenAuthFromSecret retrieves token authentication credentials from a Kubernetes secret.

The function expects the secret to contain a "token" field. The field is required, and the function will return an error if it is missing.
