Package secrets manages encrypted secrets for ctrlplane instances. It defines the Vault interface for pluggable secret storage backends (HashiCorp Vault, AWS Secrets Manager, etc.) and the Service/Store interfaces for secret lifecycle management.
// Secret represents a managed secret. The Value field is never serialized to
// JSON — only metadata is exposed.
type Secret struct {
	ctrlplane.Entity
	// TenantID scopes the secret to a tenant; Store lookups and deletes are
	// keyed on it together with InstanceID and Key.
	TenantID string `db:"tenant_id" json:"tenant_id"`
	// InstanceID is the instance the secret belongs to.
	InstanceID id.ID `db:"instance_id" json:"instance_id"`
	// Key is the secret's name within the instance.
	Key string `db:"key" json:"key"`
	// Type is the kind of secret; see the SecretType constants.
	Type SecretType `db:"type" json:"type"`
	// Version is the secret's version number.
	// NOTE(review): how this relates to the key versions produced by
	// Vault.Rotate is not visible here — confirm.
	Version int `db:"version" json:"version"`
	// Value holds the secret material. The json:"-" tag keeps it out of API
	// responses; it is still persisted through the db tag.
	// NOTE(review): whether the persisted bytes are ciphertext from the Vault
	// or plaintext is not visible here — confirm before logging or exporting.
	Value []byte `db:"value" json:"-"`
}
Secret represents a managed secret. The Value field is never serialized to JSON — only metadata is exposed.
// SecretType identifies the kind of secret. Known values are the Secret*
// constants ("env", "file", "registry", "tls"); because the underlying type is
// string, other values are not rejected at compile time.
type SecretType string
SecretType identifies the kind of secret.
// Known SecretType values. Each is the literal stored in Secret.Type and
// accepted in SetRequest.Type.
const (
	SecretEnvVar   SecretType = "env"      // environment variable secret
	SecretFile     SecretType = "file"     // file-based secret
	SecretRegistry SecretType = "registry" // Docker registry credentials
	SecretTLS      SecretType = "tls"      // TLS certificate material
)
// Service manages secrets for instances. None of its methods take a tenantID,
// while the Store methods do, so the tenant is presumably derived from ctx —
// confirm against the implementation.
type Service interface {
	// Set creates or updates a secret for an instance. req.Value carries the
	// secret material as a string (see SetRequest).
	Set(ctx context.Context, req SetRequest) (*Secret, error)
	// Get retrieves a secret's metadata by instance and key.
	Get(ctx context.Context, instanceID id.ID, key string) (*Secret, error)
	// Delete removes a secret from an instance.
	Delete(ctx context.Context, instanceID id.ID, key string) error
	// List returns all secrets for an instance (values omitted).
	List(ctx context.Context, instanceID id.ID) ([]Secret, error)
	// Inject resolves all env-type secrets for an instance into a key-value map.
	// Unlike Get and List, the returned map holds the secret values themselves,
	// so callers must not log or persist it.
	Inject(ctx context.Context, instanceID id.ID) (map[string]string, error)
}
Service manages secrets for instances.
// SetRequest holds the parameters for creating or updating a secret.
type SetRequest struct {
	// InstanceID is the instance the secret is set on.
	InstanceID id.ID `json:"instance_id" validate:"required"`
	// Key is the secret's name within the instance.
	Key string `json:"key" validate:"required"`
	// Value is the secret material. It must be JSON-serializable to arrive in
	// the request body, so request logging or tracing that captures bodies
	// will capture the secret — keep SetRequest out of such logs.
	Value string `json:"value" validate:"required"`
	// Type is the kind of secret; the default tag suggests it falls back to
	// "env" (SecretEnvVar) when omitted — confirm with the default-setting code.
	Type SecretType `default:"env" json:"type"`
}
SetRequest holds the parameters for creating or updating a secret.
// Store is the persistence interface for secrets. Lookups, listing and
// deletion take an explicit tenantID in addition to instanceID/key, so an
// implementation can enforce tenant isolation at the storage boundary.
type Store interface {
	// InsertSecret persists a new secret. Tenant and instance come from
	// secret.TenantID and secret.InstanceID.
	InsertSecret(ctx context.Context, secret *Secret) error
	// GetSecretByKey retrieves a secret by instance ID and key, scoped to tenantID.
	GetSecretByKey(ctx context.Context, tenantID string, instanceID id.ID, key string) (*Secret, error)
	// ListSecrets returns all secrets for an instance (values omitted).
	ListSecrets(ctx context.Context, tenantID string, instanceID id.ID) ([]Secret, error)
	// UpdateSecret persists changes to a secret.
	// NOTE(review): unlike Get/Delete there is no explicit tenantID here; the
	// implementation must scope the update by secret.TenantID — confirm.
	UpdateSecret(ctx context.Context, secret *Secret) error
	// DeleteSecret removes a secret by instance ID and key, scoped to tenantID.
	DeleteSecret(ctx context.Context, tenantID string, instanceID id.ID, key string) error
	// CountSecretsByTenant returns the number of secrets for a tenant.
	CountSecretsByTenant(ctx context.Context, tenantID string) (int, error)
}
Store is the persistence interface for secrets.
// Vault abstracts the secret storage backend. Implement for HashiCorp Vault,
// AWS Secrets Manager, sealed secrets, etc. Encryption happens behind this
// interface: Store takes the value to encrypt and Retrieve returns it
// decrypted. Whether key is tenant-prefixed or otherwise namespaced is not
// visible here — confirm with the caller that builds it.
type Vault interface {
	// Store encrypts and persists a secret value under key.
	Store(ctx context.Context, key string, value []byte) error
	// Retrieve decrypts and returns a secret value.
	Retrieve(ctx context.Context, key string) ([]byte, error)
	// Delete removes a secret from the vault.
	Delete(ctx context.Context, key string) error
	// Rotate generates a new encryption key version.
	// NOTE(review): Retrieve has no version parameter, so how values written
	// under the previous key version stay readable after Rotate is not visible
	// here — confirm with each implementation.
	Rotate(ctx context.Context, key string) error
}
Vault abstracts the secret storage backend. Implement for HashiCorp Vault, AWS Secrets Manager, sealed secrets, etc.