kms

package
v1.18.2
Published: May 20, 2026 License: Apache-2.0 Imports: 6 Imported by: 0

Documentation

Overview

Package kms wraps the native-ZAP base/plugins/kms client for IAM.

IAM fetches infrastructure secrets (DB URL, OAuth client secrets, OTP seeds, signing keys) through the MPC cluster at boot. All encryption / decryption is client-side; the MPC nodes only store encrypted blobs.

Configuration is environment-only (no conf/*.conf variables):

BASE_KMS_NODES       CSV of MPC node addrs, e.g.
                     "https://pod-0.svc:9999,https://pod-1.svc:9999,https://pod-2.svc:9999"
BASE_KMS_ORG_SLUG    Organization identifier for CEK derivation
BASE_KMS_THRESHOLD   t-of-n threshold (defaults to ceil(n/2)+1)
BASE_KMS_PASSPHRASE  Bootstrap passphrase (injected from K8s secret)

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type Client

type Client struct {
	// contains filtered or unexported fields
}

Client is a process-wide singleton that fronts the base KMS plugin's SDK.

func Global

func Global() *Client

Global returns the process-wide client, or nil if KMS is not configured.

func Init

func Init() (*Client, error)

Init parses env, constructs the client, optionally unlocks with BASE_KMS_PASSPHRASE, and stores it as the process-wide singleton. Returns (nil, nil) when KMS is not configured — the caller decides whether that is acceptable for the current deployment.

func InitWithConfig

func InitWithConfig(cfg Config) (*Client, error)

InitWithConfig is the same as Init but takes an explicit Config. Tests use this to wire the client to a stub MPC server without touching the process environment.

func (*Client) Get

func (c *Client) Get(key string) (string, error)

Get returns the plaintext value for key, decrypted client-side. Returns an error if the client is locked or the key does not exist.

func (*Client) Org

func (c *Client) Org() string

Org returns the configured org slug (used by callers that need it to scope derived state such as KMS-stored session keys).

func (*Client) Ready

func (c *Client) Ready() bool

Ready reports whether the client is unlocked and ready to serve secrets.

func (*Client) Set

func (c *Client) Set(key, value string) error

Set encrypts value client-side and stores it in the MPC cluster. Used by tests and by bootstrap flows; IAM request handlers should not call Set — that is the KMS service's responsibility.

type Config

type Config struct {
	Nodes      []string
	OrgSlug    string
	Threshold  int
	Passphrase string // optional; if empty Init leaves the client locked
}

Config is parsed from environment by Init. Exposed for tests.

func LoadConfig

func LoadConfig() (*Config, error)

LoadConfig parses BASE_KMS_* environment variables. Returns (nil, nil) when BASE_KMS_NODES is empty — the caller should treat that as "KMS disabled" and fall back to plain env vars.
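The parsing rules stated in the Overview (CSV node list, org slug, optional threshold defaulting to ceil(n/2)+1, optional passphrase) and the "KMS disabled" contract of LoadConfig are small enough to show end to end. The following is an added example, not the package's own LoadConfig: it mirrors the documented Config struct and env variable names, but the lookup function parameter, the https-only check on node addresses, the requirement that BASE_KMS_ORG_SLUG be non-empty once nodes are set, and the 1..n range check on the threshold are assumptions added here so that a misconfigured cluster fails at boot rather than at first Get.

```go
package main

import (
	"fmt"
	"os"
	"strconv"
	"strings"
)

// Config mirrors the Config struct documented on this page.
type Config struct {
	Nodes      []string
	OrgSlug    string
	Threshold  int
	Passphrase string // optional; if empty Init leaves the client locked
}

// DefaultThreshold returns the documented default of ceil(n/2)+1 for n nodes.
// (n+1)/2 is ceil(n/2) in integer arithmetic for n >= 0.
func DefaultThreshold(n int) int {
	return (n+1)/2 + 1
}

// ParseConfig reads the BASE_KMS_* variables through getenv so that tests can
// pass a map lookup instead of os.Getenv (assumed helper, not the package API).
// It returns (nil, nil) when BASE_KMS_NODES is empty, which the caller treats
// as "KMS disabled" and falls back to plain env vars.
func ParseConfig(getenv func(string) string) (*Config, error) {
	raw := strings.TrimSpace(getenv("BASE_KMS_NODES"))
	if raw == "" {
		return nil, nil
	}

	var nodes []string
	for _, n := range strings.Split(raw, ",") {
		n = strings.TrimSpace(n)
		if n == "" {
			return nil, fmt.Errorf("BASE_KMS_NODES: empty entry in %q", raw)
		}
		// Assumed check: MPC node addresses are TLS endpoints, as in the
		// documented example; reject plaintext schemes early.
		if !strings.HasPrefix(n, "https://") {
			return nil, fmt.Errorf("BASE_KMS_NODES: node %q must use https://", n)
		}
		nodes = append(nodes, n)
	}

	cfg := &Config{
		Nodes:      nodes,
		OrgSlug:    strings.TrimSpace(getenv("BASE_KMS_ORG_SLUG")),
		Passphrase: getenv("BASE_KMS_PASSPHRASE"), // left empty => client stays locked
	}
	// Assumed check: the org slug feeds CEK derivation, so it cannot be blank.
	if cfg.OrgSlug == "" {
		return nil, fmt.Errorf("BASE_KMS_ORG_SLUG is required when BASE_KMS_NODES is set")
	}

	if t := strings.TrimSpace(getenv("BASE_KMS_THRESHOLD")); t != "" {
		v, err := strconv.Atoi(t)
		if err != nil {
			return nil, fmt.Errorf("BASE_KMS_THRESHOLD: %q is not an integer", t)
		}
		cfg.Threshold = v
	} else {
		cfg.Threshold = DefaultThreshold(len(nodes))
	}
	// Assumed range check: a t-of-n threshold outside 1..n can never be met.
	if cfg.Threshold < 1 || cfg.Threshold > len(nodes) {
		return nil, fmt.Errorf("BASE_KMS_THRESHOLD=%d out of range for %d nodes", cfg.Threshold, len(nodes))
	}
	return cfg, nil
}

func main() {
	cfg, err := ParseConfig(os.Getenv)
	switch {
	case err != nil:
		fmt.Println("kms config error:", err)
	case cfg == nil:
		fmt.Println("KMS disabled: BASE_KMS_NODES is empty")
	default:
		fmt.Printf("%d nodes, threshold %d-of-%d, org %s, passphrase set: %v\n",
			len(cfg.Nodes), cfg.Threshold, len(cfg.Nodes), cfg.OrgSlug, cfg.Passphrase != "")
	}
}
```

One consequence of the documented default worth knowing: with the formula ceil(n/2)+1, a one-node cluster gets a default threshold of 2, which this example's range check rejects, so a single-node development setup has to set BASE_KMS_THRESHOLD=1 explicitly; a three-node cluster defaults to 3-of-3, so losing any one pod blocks secret fetches until the threshold is lowered.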
