secrets

package

v0.3.0 Latest Latest Go to latest Published: May 24, 2026 License: MIT Imports: 9 Imported by: 0

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/shareed2k/honey

Links

Open Source Insights

Documentation ¶

Overview ¶

Package secrets resolves CUE recipe secret refs.

Recipe values must be symmetric: secure:v1:<nonce-b64>:<ciphertext-b64>. The stack data key comes from honey defaults.secretsprovider + defaults.encryptedkey (or SymmetricDataKey in tests), unwrapped via stackunwrap.DataKeyUnwrapper providers:

gcpkms://projects/…/locations/…/keyRings/…/cryptoKeys/… — encryptedkey is KMS ciphertext (base64)
awskms:// — encryptedkey is base64 KMS ciphertext blob
vault-transit://mount/keyName — encryptedkey is transit ciphertext
k8s://namespace/secretName — encryptedkey is Secret data key name (32 raw bytes or base64)
keyring://service/user — OS keyring holds the data key (base64 or raw)
age:// — encryptedkey is armored age ciphertext (requires AgeIdentityFile)
age-file://path — ciphertext file on disk (requires AgeIdentityFile)

Authoring: honey secrets keyring-init (local OS keyring), honey secrets seal, and honey secrets unseal for recipe secure:v1 values with the same stack key as runtime resolution.

Index ¶

func FormatKeyringStackKeyValue(key []byte) (string, error)
func GenerateStackDataKey() ([]byte, error)
func KeyringConfigSnippet(providerURL string) string
func KeyringEntryExists(service, user string) (bool, error)
func KeyringProviderURL(service, user string) string
func RecipeDirFrom(ctx context.Context) string
func ResolveStackDataKey(ctx context.Context, opts Options) ([]byte, error)
func Seal(ctx context.Context, opts Options, plaintext string) (string, error)
func StoreStackDataKeyInKeyring(service, user string, key []byte) error
func Unseal(ctx context.Context, opts Options, ref string) (string, error)
func WithRecipeDir(ctx context.Context, absDir string) context.Context
type Manager
- func NewManager(backends ...ref.Backend) *Manager
- func (m *Manager) Resolve(ctx context.Context, ref string) (string, error)
type MockResolver
- func (m *MockResolver) Resolve(_ context.Context, _ string) (string, error)
type Options
type Resolver
- func NewResolver(opts Options) (Resolver, error)

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

func FormatKeyringStackKeyValue ¶

func FormatKeyringStackKeyValue(key []byte) (string, error)

FormatKeyringStackKeyValue encodes a 32-byte stack key for OS keyring storage.

func GenerateStackDataKey ¶

func GenerateStackDataKey() ([]byte, error)

GenerateStackDataKey returns a random 32-byte AES stack key.

func KeyringConfigSnippet ¶

func KeyringConfigSnippet(providerURL string) string

KeyringConfigSnippet returns YAML defaults for a keyring stack provider.

func KeyringEntryExists ¶

func KeyringEntryExists(service, user string) (bool, error)

KeyringEntryExists reports whether keyring.Get succeeds for service/user.

func KeyringProviderURL ¶

func KeyringProviderURL(service, user string) string

KeyringProviderURL returns the secretsprovider value for keyring://service/user.

func RecipeDirFrom ¶

func RecipeDirFrom(ctx context.Context) string

RecipeDirFrom returns the directory set by WithRecipeDir, or empty.

func ResolveStackDataKey ¶

func ResolveStackDataKey(ctx context.Context, opts Options) ([]byte, error)

ResolveStackDataKey returns the 32-byte AES stack key from opts (static test key or registry unwrap).

func Seal ¶

func Seal(ctx context.Context, opts Options, plaintext string) (string, error)

Seal encrypts plaintext with the stack data key and returns a full secure:v1 ref.

func StoreStackDataKeyInKeyring ¶

func StoreStackDataKeyInKeyring(service, user string, key []byte) error

StoreStackDataKeyInKeyring writes key to the OS credential store (base64-encoded).

func Unseal ¶

func Unseal(ctx context.Context, opts Options, ref string) (string, error)

Unseal decrypts a secure:v1 ref to plaintext using the stack data key.

func WithRecipeDir ¶

func WithRecipeDir(ctx context.Context, absDir string) context.Context

WithRecipeDir attaches the absolute recipe directory for relative refs (e.g. age-file:).

Types ¶

type Manager ¶

type Manager struct {
	// contains filtered or unexported fields
}

Manager coordinates resolution across multiple ref.Backend instances (analogous to

func NewManager ¶

func NewManager(backends ...ref.Backend) *Manager

NewManager builds a manager from an explicit backend list (tests may inject mocks).

func (*Manager) Resolve ¶

func (m *Manager) Resolve(ctx context.Context, ref string) (string, error)

Resolve implements Resolver.

type MockResolver ¶

type MockResolver struct {
	Value string
	Err   error
}

MockResolver is a fixed-value resolver for tests .

func (*MockResolver) Resolve ¶

func (m *MockResolver) Resolve(_ context.Context, _ string) (string, error)

Resolve implements Resolver.

type Options ¶

type Options struct {
	// SymmetricDataKey, when exactly [stack.SymmetricKeyBytes] long, decrypts secure:v1 without KMS (tests).
	SymmetricDataKey []byte
	// SecretsProvider and EncryptedKey unwrap the stack data key (e.g. gcpkms://…, age://…).
	SecretsProvider string
	EncryptedKey    string
	// AgeIdentityFile enables age:// and age-file:// stack providers and loads age identities.
	AgeIdentityFile string
	// ExtraBackends append plugin or test secret backends after built-in wiring.
	ExtraBackends []ref.Backend
}

Options configures stack data-key unwrap and optional symmetric test keys.

type Resolver ¶

type Resolver interface {
	Resolve(ctx context.Context, ref string) (string, error)
}

Resolver resolves a full recipe secrets ref string to plaintext (honey's execution-time contract).

func NewResolver ¶

func NewResolver(opts Options) (Resolver, error)

NewResolver builds the default Manager from Options.

Source Files ¶

View all Source files

Directories ¶

Path	Synopsis
cloud Package cloud resolves cloud and enterprise secret refs (Vault, AWS), analogous to	Package cloud resolves cloud and enterprise secret refs (Vault, AWS), analogous to
env Package env resolves env:NAME refs from the process environment (local analogue of cloud:/aws-sm:/aws-kms:/k8s:/age:/age-b64:/age-file:/keyring:/vault).	Package env resolves env:NAME refs from the process environment (local analogue of cloud:/aws-sm:/aws-kms:/k8s:/age:/age-b64:/age-file:/keyring:/vault).
k8s Package k8s resolves Kubernetes Secret data keys.	Package k8s resolves Kubernetes Secret data keys.
passphrase Package passphrase resolves age-encrypted material.	Package passphrase resolves age-encrypted material.
ref Package ref holds shared contracts for recipe secret backends (similar in role to how honey centralizes crypto provider contracts).	Package ref holds shared contracts for recipe secret backends (similar in role to how honey centralizes crypto provider contracts).
service Package service resolves keyring:// refs via the OS credential store (Zalando keyring), analogous to cloud:/aws-sm:/aws-kms:/k8s:/age:/age-b64:/age-file:/keyring:/vault.	Package service resolves keyring:// refs via the OS credential store (Zalando keyring), analogous to cloud:/aws-sm:/aws-kms:/k8s:/age:/age-b64:/age-file:/keyring:/vault.
stack Package stack implements symmetric secure:v1 encryption for recipe secrets.	Package stack implements symmetric secure:v1 encryption for recipe secrets.
stackunwrap Package stackunwrap unwraps stack data keys from secretsprovider URLs (KMS, keyring, age, etc.).	Package stackunwrap unwraps stack data keys from secretsprovider URLs (KMS, keyring, age, etc.).

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL