SecretsService

class phalanx.services.secrets.SecretsService(config_storage, onepassword_storage, vault_storage)

Bases: object

Service to manipulate Phalanx secrets.

Parameters:
  • config_storage (ConfigStorage) – Storage object for the Phalanx configuration.

  • onepassword_storage (OnepasswordStorage) – Storage object for 1Password.

  • vault_storage (VaultStorage) – Storage object for Vault.

Methods Summary

audit(env_name, exclude[, static_secrets])

Compare existing secrets to configuration and report problems.

generate_static_template(env_name)

Generate a template for providing static secrets.

get_onepassword_static_secrets(env_name)

Retrieve static secrets for an environment from 1Password.

list_secrets(env_name)

List all required secrets for the given environment.

sync(env_name, exclude[, static_secrets, ...])

Synchronize secrets for an environment with Vault.

Methods Documentation

audit(env_name, exclude, static_secrets=None)

Compare existing secrets to configuration and report problems.

If the Vault path doesn’t exist, assume that it hasn’t been created yet and act as if there are no secrets in Vault. Unfortunately, we will also get this behavior if the Vault token doesn’t have appropriate permissions, since the Vault server returns permission denied for unknown paths and there’s no way to distinguish.

Parameters:
  • env_name (str) – Name of the environment to audit.

  • exclude (set[str]) – Applications to exclude from the audit.

  • static_secrets (StaticSecrets | None, default: None) – User-provided static secrets.

Returns:

Audit report as a text document.

Return type:

str

generate_static_template(env_name)

Generate a template for providing static secrets.

The template provides space for all static secrets required for a given environment. The resulting file, once the values have been added, can be used as input to other secret commands instead of an external secret source such as 1Password.

Parameters:

env_name (str) – Name of the environment.

Returns:

YAML template the user can fill out, as a string.

Return type:

dict

get_onepassword_static_secrets(env_name)

Retrieve static secrets for an environment from 1Password.

Parameters:

env_name (str) – Name of the environment.

Returns:

Static secrets for that environment with secret values retrieved from 1Password.

Return type:

StaticSecrets

list_secrets(env_name)

List all required secrets for the given environment.

Parameters:

env_name (str) – Name of the environment.

Returns:

Secrets required for the given environment.

Return type:

list of Secret

sync(env_name, exclude, static_secrets=None, *, regenerate=False, delete=False)

Synchronize secrets for an environment with Vault.

Any incorrect secrets will be replaced with the correct value and any missing secrets with generate rules will be generated. For generated secrets that already have a value in Vault, that value will be kept and not replaced.

If the Vault path doesn’t exist, assume that it hasn’t been created yet and act as if there are no secrets in Vault.

Parameters:
  • env_name (str) – Name of the environment.

  • exclude (set[str]) – Applications to exclude from the sync.

  • static_secrets (StaticSecrets | None, default: None) – User-provided static secrets.

  • regenerate (bool, default: False) – Whether to regenerate any generated secrets.

  • delete (bool, default: False) – Whether to delete unknown Vault secrets.

Return type:

None
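The reconciliation rules that audit and sync describe above, as an added illustrative model that is not Phalanx's own code: DesiredSecret, classify, audit_report and plan_sync are hypothetical names, an in-memory dict stands in for the Vault path, and None models a path that does not exist yet (treated as containing no secrets, which is also what a permission-denied response looks like).

```python
from __future__ import annotations
import secrets
from dataclasses import dataclass

@dataclass(frozen=True)
class DesiredSecret:
    """One secret the configuration requires (hypothetical simplified model)."""
    key: str
    value: str | None = None   # value supplied via StaticSecrets, for static secrets
    generated: bool = False    # True when the configuration carries a generate rule

def classify(desired: list[DesiredSecret], vault: dict[str, str] | None):
    """Compare configuration to Vault contents and return (missing, incorrect, unknown).
    A None vault models a Vault path that does not exist: no secrets are assumed."""
    vault = vault or {}
    missing, incorrect = [], []
    for s in desired:
        if s.key not in vault:
            missing.append(s.key)
        elif not s.generated and vault[s.key] != s.value:
            incorrect.append(s.key)   # an existing generated value is never "incorrect"
    known = {s.key for s in desired}
    unknown = sorted(k for k in vault if k not in known)
    return sorted(missing), sorted(incorrect), unknown

def audit_report(desired: list[DesiredSecret], vault: dict[str, str] | None) -> str:
    """Text report of problems, one per line, in the spirit of audit()."""
    missing, incorrect, unknown = classify(desired, vault)
    lines = ([f"Missing: {k}" for k in missing]
             + [f"Incorrect: {k}" for k in incorrect]
             + [f"Unknown: {k}" for k in unknown])
    return "\n".join(lines)

def plan_sync(desired: list[DesiredSecret], vault: dict[str, str] | None, *,
              regenerate: bool = False, delete: bool = False,
              new_value=lambda: secrets.token_hex(16)):
    """Return (writes, deletes) following the sync() rules: incorrect static
    secrets are replaced, missing secrets with generate rules are generated,
    existing generated values are kept unless regenerate=True, and unknown
    Vault secrets are removed only when delete=True."""
    missing, incorrect, unknown = classify(desired, vault)
    writes: dict[str, str] = {}
    for s in desired:
        if s.generated:
            if s.key in missing or regenerate:
                writes[s.key] = new_value()
        elif s.key in missing or s.key in incorrect:
            writes[s.key] = s.value
    deletes = unknown if delete else []
    return writes, deletes
```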