SecretsService
- class phalanx.services.secrets.SecretsService(config_storage, onepassword_storage, vault_storage)
Bases: object
Service to manipulate Phalanx secrets.
- Parameters:
  - config_storage (ConfigStorage) – Storage object for the Phalanx configuration.
  - onepassword_storage (OnepasswordStorage) – Storage object for 1Password.
  - vault_storage (VaultStorage) – Storage object for Vault.
Methods Summary
- audit(env_name, exclude[, static_secrets]): Compare existing secrets to configuration and report problems.
- generate_static_template(env_name): Generate a template for providing static secrets.
- get_onepassword_static_secrets(env_name): Retrieve static secrets for an environment from 1Password.
- list_secrets(env_name): List all required secrets for the given environment.
- sync(env_name, exclude[, static_secrets, ...]): Synchronize secrets for an environment with Vault.
Methods Documentation
- audit(env_name, exclude, static_secrets=None)
Compare existing secrets to configuration and report problems.
If the Vault path doesn’t exist, assume that it hasn’t been created yet and act as if there are no secrets in Vault. Unfortunately, we will also get this behavior if the Vault token doesn’t have appropriate permissions, since the Vault server returns permission denied for unknown paths and there’s no way to distinguish.
- generate_static_template(env_name)
Generate a template for providing static secrets.
The template provides space for all static secrets required for a given environment. The resulting file, once the values have been added, can be used as input to other secret commands instead of an external secret source such as 1Password.
- get_onepassword_static_secrets(env_name)
Retrieve static secrets for an environment from 1Password.
- Parameters:
  - env_name (str) – Name of the environment.
- Returns:
Static secrets for that environment with secret values retrieved from 1Password.
- Return type:
- list_secrets(env_name)
List all required secrets for the given environment.
- sync(env_name, exclude, static_secrets=None, *, regenerate=False, delete=False)
Synchronize secrets for an environment with Vault.
Any incorrect secrets will be replaced with the correct value and any missing secrets with generate rules will be generated. For generated secrets that already have a value in Vault, that value will be kept and not replaced.
If the Vault path doesn’t exist, assume that it hasn’t been created yet and act as if there are no secrets in Vault.
- Parameters:
  - env_name (str) – Name of the environment.
  - static_secrets (StaticSecrets | None, default: None) – User-provided static secrets.
  - regenerate (bool, default: False) – Whether to regenerate any generated secrets.
  - delete (bool, default: False) – Whether to delete unknown Vault secrets.
- Return type:
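The reconciliation rules that audit and sync describe above (incorrect values replaced, missing generated secrets generated, existing generated values kept unless regenerate is set, unknown Vault secrets deleted only with delete, a missing Vault path treated as empty), worked through as an added illustration that is not Phalanx's own code. SecretSpec is a simplified hypothetical model of a secret's configuration, and the assumption that exclude names secrets to skip is mine; the page does not document that parameter.

```python
from __future__ import annotations
import secrets
from dataclasses import dataclass

@dataclass
class SecretSpec:
    """Desired state of one secret (hypothetical simplified model)."""
    name: str
    static: str | None = None  # user-supplied value, e.g. from 1Password
    generate: bool = False     # True if a missing value may be generated

def audit(specs, vault, exclude=frozenset()):
    """Report problems without changing anything; vault=None models a
    Vault path that does not exist and is treated as "no secrets yet"."""
    current = vault or {}
    problems = []
    for spec in specs:
        if spec.name in exclude:
            continue
        have = current.get(spec.name)
        if have is None:
            problems.append(("missing", spec.name))
        elif spec.static is not None and have != spec.static:
            problems.append(("incorrect", spec.name))
    wanted = {s.name for s in specs}
    problems += [("unknown", n) for n in current if n not in wanted]
    return problems

def plan_sync(specs, vault, exclude=frozenset(), *, regenerate=False, delete=False):
    """Return the Vault contents after applying the sync rules."""
    current = dict(vault or {})
    result = dict(current)
    for spec in specs:
        if spec.name in exclude:
            continue
        have = current.get(spec.name)
        if spec.static is not None and have != spec.static:
            result[spec.name] = spec.static  # fix an incorrect or missing value
        elif spec.static is None and spec.generate and (have is None or regenerate):
            result[spec.name] = secrets.token_hex(16)  # existing value kept unless regenerate
    if delete:  # unknown Vault secrets are removed only when asked for
        wanted = {s.name for s in specs}
        for name in set(current) - wanted:
            del result[name]
    return result
```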