SecretsService

class phalanx.services.secrets.SecretsService(config_storage, vault_storage)

Bases: object

Service to manipulate Phalanx secrets.

Parameters:
  • config_storage (ConfigStorage) – Storage object for the Phalanx configuration.

  • vault_storage (VaultStorage) – Storage object for Vault.

Methods Summary

audit(env_name[, static_secrets])

Compare existing secrets to configuration and report problems.

generate_static_template(env_name)

Generate a template for providing static secrets.

list_secrets(env_name)

List all required secrets for the given environment.

save_vault_secrets(env_name, path)

Generate JSON files containing the Vault secrets for an environment.

sync(env_name[, static_secrets, regenerate, ...])

Synchronize secrets for an environment with Vault.

Methods Documentation

audit(env_name, static_secrets=None)

Compare existing secrets to configuration and report problems.

Parameters:
  • env_name (str) – Name of the environment.

  • static_secrets (Optional[dict[str, dict[str, StaticSecret]]], default: None) – User-provided static secrets.

Returns:

Audit report as a text document.

Return type:

str

generate_static_template(env_name)

Generate a template for providing static secrets.

The template provides space for all static secrets required for a given environment. The resulting file, once the values have been added, can be used as input to other secret commands instead of an external secret source such as 1Password.

Parameters:

env_name (str) – Name of the environment.

Returns:

YAML template the user can fill out, as a string.

Return type:

str

list_secrets(env_name)

List all required secrets for the given environment.

Parameters:

env_name (str) – Name of the environment.

Returns:

Secrets required for the given environment.

Return type:

list of Secret

save_vault_secrets(env_name, path)

Generate JSON files containing the Vault secrets for an environment.

One file per application with secrets will be written to the provided path. Each file will be named after the application with .json appended, and will contain the secret values for that application. Secrets that are required but have no known value will be written as null.

Parameters:
  • env_name (str) – Name of the environment.

  • path (Path) – Output path.

Return type:

None

sync(env_name, static_secrets=None, *, regenerate=False, delete=False)

Synchronize secrets for an environment with Vault.

Any incorrect secrets will be replaced with the correct value and any missing secrets with generate rules will be generated. For generated secrets that already have a value in Vault, that value will be kept and not replaced.

Parameters:
  • env_name (str) – Name of the environment.

  • static_secrets (Optional[dict[str, dict[str, StaticSecret]]], default: None) – User-provided static secrets.

  • regenerate (bool, default: False) – Whether to regenerate any generated secrets.

  • delete (bool, default: False) – Whether to delete unknown Vault secrets.

Return type:

None
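The decision table behind sync (replace incorrect static values, generate missing generated secrets, keep existing generated values unless regenerate is set, and touch unknown Vault entries only when delete is set) and the per-application JSON layout of save_vault_secrets are easy to get wrong when reasoning about what a run will do to Vault. The following is an added, self-contained model of that documented behaviour; it is not Phalanx's own implementation. The Secret and StaticSecret dataclasses, the generated flag, the plan_sync and save_vault_files helpers, the injectable generate callable and the sample data are all assumptions made for the illustration.

```python
"""Model of the documented SecretsService.sync and save_vault_secrets rules.

Added example; not Phalanx code. Secret/StaticSecret here are simplified
stand-ins for the project's classes, and the application names are made up.
"""
from __future__ import annotations

import json
import secrets
from dataclasses import dataclass
from pathlib import Path
from typing import Callable, Optional

Vault = dict[str, dict[str, str]]  # application -> key -> stored value


@dataclass(frozen=True)
class Secret:
    application: str
    key: str
    generated: bool  # True: has a generate rule; False: static (user-provided)


@dataclass(frozen=True)
class StaticSecret:
    value: Optional[str] = None  # None: the user has not filled in a value


def plan_sync(
    required: list[Secret],
    vault: Vault,
    static_secrets: Optional[dict[str, dict[str, StaticSecret]]] = None,
    *,
    regenerate: bool = False,
    delete: bool = False,
    generate: Callable[[], str] = lambda: secrets.token_hex(32),
) -> tuple[Vault, list[tuple[str, str, str]]]:
    """Return (new_vault, actions) for one sync run.

    Each action is (application, key, verb); verbs are keep, set, generate,
    regenerate, no-value, unknown-keep and unknown-delete.
    """
    static_secrets = static_secrets or {}
    new_vault: Vault = {app: dict(keys) for app, keys in vault.items()}
    actions: list[tuple[str, str, str]] = []

    for s in required:
        current = vault.get(s.application, {}).get(s.key)
        if s.generated:
            # Existing generated values are kept unless regenerate is requested.
            if current is not None and not regenerate:
                verb = "keep"
            else:
                new_vault.setdefault(s.application, {})[s.key] = generate()
                verb = "regenerate" if current is not None else "generate"
        else:
            provided = static_secrets.get(s.application, {}).get(s.key)
            expected = provided.value if provided is not None else None
            if expected is None:
                verb = "no-value"  # nothing to compare against; leave Vault as is
            elif current == expected:
                verb = "keep"
            else:
                new_vault.setdefault(s.application, {})[s.key] = expected
                verb = "set"  # incorrect (or missing) static value is replaced
        actions.append((s.application, s.key, verb))

    # Vault entries the configuration does not know about.
    known = {(s.application, s.key) for s in required}
    for app, keys in vault.items():
        for key in keys:
            if (app, key) in known:
                continue
            if delete:
                del new_vault[app][key]
                actions.append((app, key, "unknown-delete"))
            else:
                actions.append((app, key, "unknown-keep"))
    return new_vault, actions


def save_vault_files(vault: Vault, required: list[Secret], path: Path) -> list[Path]:
    """Write <application>.json per application; required secrets with no
    value are written as null, matching the documented layout."""
    written: list[Path] = []
    for app in sorted({s.application for s in required}):
        doc = {s.key: vault.get(app, {}).get(s.key)
               for s in required if s.application == app}
        target = path / f"{app}.json"
        target.write_text(json.dumps(doc, indent=2, sort_keys=True) + "\n")
        written.append(target)
    return written


def demo(*, regenerate: bool = False, delete: bool = False):
    """Constructed sample data: one stale generated value, one wrong static
    value, one missing generated secret and one unknown Vault key."""
    required = [
        Secret("app-a", "session-secret", generated=True),
        Secret("app-a", "database-password", generated=True),
        Secret("app-b", "api-token", generated=False),
    ]
    vault: Vault = {
        "app-a": {"session-secret": "old-session", "legacy-key": "stale"},
        "app-b": {"api-token": "wrong"},
    }
    static = {"app-b": {"api-token": StaticSecret("correct-token")}}
    counter = iter(range(1, 1000))
    deterministic = lambda: f"generated-{next(counter)}"  # noqa: E731
    return plan_sync(required, vault, static, regenerate=regenerate,
                     delete=delete, generate=deterministic)


if __name__ == "__main__":
    for app, key, verb in demo()[1]:
        print(f"{app}/{key}: {verb}")
```

Running demo() with the defaults keeps the existing generated session secret, generates the missing database password, corrects the wrong static token and leaves the unknown legacy key in place; only regenerate=True replaces the existing generated value and only delete=True removes the unknown key, which is why both flags are keyword-only in the real signature.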