gsmsecrets

package
Published: Apr 10, 2026 License: Apache-2.0 Imports: 33 Imported by: 0

Documentation

Overview

Package gsmsecrets is a generated GoMock package.

Index

Constants

const (
	// TestPlatform is a fixed platform label; nothing on this page shows where it is consumed.
	TestPlatform = "test platform"

	// GCPMaxServiceAccountIDLength is GCP's 30-character limit on a service account ID.
	// GetUpdaterSAId uses the collection name directly when it fits and a hash-based ID otherwise.
	GCPMaxServiceAccountIDLength = 30

	// Secret-name building blocks: GetUpdaterSASecretName yields `{collection}__updater-service-account`
	// and GetIndexSecretName yields `{collection}____index`. ConstructIndexSecretContent always lists
	// UpdaterSASecretName in the index and ParseIndexSecretContent filters it back out.
	UpdaterSASecretName   = "updater-service-account"
	UpdaterSASecretSuffix = "__updater-service-account"
	IndexSecretSuffix     = "____index"

	// Updater service account naming. NOTE(review): ExtractCollectionFromDescription presumably
	// parses the collection back out of a description that starts with this prefix, so any
	// service account whose description carries it is likely treated as tool-managed — confirm
	// against its body before changing either value.
	ServiceAccountIDSuffix          = "-updater"
	ServiceAccountDescriptionPrefix = "Updater service account for secret collection: "

	// IAM binding condition title prefixes. IsManagedBinding presumably keys on these titles
	// (and/or the description templates below) — confirm against its body.
	SecretsViewerConditionTitlePrefix  = "Read access to secrets for "
	SecretsUpdaterConditionTitlePrefix = "Create, update, and delete access for "

	// IAM binding condition description templates. From the literal text, the first %s is the
	// managing tool's name and the second the collection name (see GetSecretsViewerConditionDescription
	// and GetSecretsUpdaterConditionDescription, which take only the collection).
	SecretsViewerConditionDescriptionTemplate  = "Managed by %s: Read access to secrets in %s collection"
	SecretsUpdaterConditionDescriptionTemplate = "Managed by %s: Create, update, and delete access to secrets in %s collection"
)

Variables

This section is empty.

Functions

func BuildSecretAccessorRoleConditionExpression

func BuildSecretAccessorRoleConditionExpression(collection string) string

BuildSecretAccessorRoleConditionExpression builds the IAM condition expression for the secret accessor role.

func BuildSecretUpdaterRoleConditionExpression

func BuildSecretUpdaterRoleConditionExpression(collection string) string

BuildSecretUpdaterRoleConditionExpression builds the IAM condition expression for the secret updater role.

func ConstructIndexSecretContent

func ConstructIndexSecretContent(secretsList []string) []byte

ConstructIndexSecretContent constructs the index secret content from the secretsList, with UpdaterSASecretName automatically added in this function.

func CreateOrUpdateSecret

func CreateOrUpdateSecret(ctx context.Context, client SecretManagerClient, projectIdNumber, secretName string, payload []byte, labels, annotations map[string]string) error

CreateOrUpdateSecret creates a new secret in Google Secret Manager or updates an existing one with a new version. If labels or annotations are nil, they won't be set on the secret.

func DiffIAMBindings

func DiffIAMBindings(desiredBindings []*iampb.Binding, actualPolicy *iampb.Policy) *iampb.Policy

func DiffServiceAccounts

func DiffServiceAccounts(desiredSAs []ServiceAccountInfo, actualSAs []ServiceAccountInfo) (toCreate SAMap, toDelete SAMap)

func ExtractCollectionFromDescription

func ExtractCollectionFromDescription(description string) string

ExtractCollectionFromDescription extracts the collection name from a service account description.

func ExtractCollectionFromSecretName

func ExtractCollectionFromSecretName(secretName string) string

ExtractCollectionFromSecretName returns the substring before the first "__" in a secret name. Supports both 2-level (collection__field) and 3-level (collection__group__field) hierarchies.

func GenerateServiceAccountKey

func GenerateServiceAccountKey(ctx context.Context, client IAMClient, saEmail string, projectID string) ([]byte, error)

func GetAllSecrets

func GetAllSecrets(ctx context.Context, client SecretManagerClient, config Config) (map[string]GCPSecret, error)

GetAllSecrets returns all secrets in the GCP project, as a map from secret ID to secret.

func GetGSMSecretName

func GetGSMSecretName(collection, group, field string) string

GetGSMSecretName returns the actual secret name in GSM, in the format {collection}__{group}__{secret}. Group path separators (/) are converted to __ for the hierarchical structure.

Example: collection="vsphere", group="ibmcloud/ci", field="username" => "vsphere__ibmcloud__ci__username"

func GetGSMSecretResourceName

func GetGSMSecretResourceName(projectIdNumber, collection, group, field string) string

GetGSMSecretResourceName returns the full GCP resource name for a GSM secret, in the format "projects/{project ID number}/secrets/{collection}__{group}__{secret}".

func GetIndexSecretName

func GetIndexSecretName(collection string) string

GetIndexSecretName returns standardized name for the index secret, `{collection}____index`.

func GetProjectIAMPolicy

func GetProjectIAMPolicy(ctx context.Context, client ResourceManagerClient, projectIdNumber string) (*iampb.Policy, error)

func GetProjectResourceIdNumber

func GetProjectResourceIdNumber(projectIdNumber string) string

GetProjectResourceIdNumber returns the resource id number for our GCP project in the format `projects/{project id number}`, e.g., "projects/1234567890".

func GetProjectResourceString

func GetProjectResourceString(projectIdString string) string

GetProjectResourceString returns the resource string for our GCP project in the format `projects/{project id string}`, e.g., "projects/ci-secrets".

func GetSecretID

func GetSecretID(secretName string) string

GetSecretID extracts the secret ID from the secret name, e.g., "projects/openshift-ci-secrets/secrets/collection__secret" -> "collection__secret"

func GetSecretPayload

func GetSecretPayload(ctx context.Context, client SecretManagerClient, secretResourceName string) ([]byte, error)

GetSecretPayload retrieves the latest version of a secret's payload data from Google Secret Manager. It takes the secret resource name (e.g., "projects/my-project/secrets/my-secret") and returns the raw payload bytes.

func GetSecretsUpdaterConditionDescription

func GetSecretsUpdaterConditionDescription(collection string) string

GetSecretsUpdaterConditionDescription returns the condition description for the secrets updater role.

func GetSecretsUpdaterConditionTitle

func GetSecretsUpdaterConditionTitle(collection string) string

GetSecretsUpdaterConditionTitle returns the condition title for the secrets updater role.

func GetSecretsViewerConditionDescription

func GetSecretsViewerConditionDescription(collection string) string

GetSecretsViewerConditionDescription returns the condition description for the secrets viewer role.

func GetSecretsViewerConditionTitle

func GetSecretsViewerConditionTitle(collection string) string

GetSecretsViewerConditionTitle returns the condition title for the secrets viewer role.

func GetUpdaterSADescription

func GetUpdaterSADescription(collection string) string

GetUpdaterSADescription returns the description for the updater service account of the given collection.

func GetUpdaterSADisplayName

func GetUpdaterSADisplayName(collection string) string

GetUpdaterSADisplayName returns the display name for the service account, which is the collection name.

func GetUpdaterSAEmail

func GetUpdaterSAEmail(collection string, config Config) string

GetUpdaterSAEmail returns the updater service account email for a collection.

func GetUpdaterSAEmailRegex

func GetUpdaterSAEmailRegex(config Config) string

GetUpdaterSAEmailRegex returns the regex pattern for updater service account emails in the given project.

func GetUpdaterSAId

func GetUpdaterSAId(collection string) string

GetUpdaterSAId returns the updater service account ID for a given collection name. It uses the collection name directly if it fits within GCP's 30-character limit (GCPMaxServiceAccountIDLength); otherwise it falls back to a hash-based ID.

func GetUpdaterSASecretName

func GetUpdaterSASecretName(collection string) string

GetUpdaterSASecretName returns standardized name for updater service account secret, `{collection}__updater-service-account`.

func IsManagedBinding

func IsManagedBinding(b *iampb.Binding) bool

IsManagedBinding checks if an IAM binding is managed by this tool.

func ListSecretFieldsByCollectionAndGroup

func ListSecretFieldsByCollectionAndGroup(ctx context.Context, client SecretManagerClient, config Config, collection, group string) ([]string, error)

ListSecretFieldsByCollectionAndGroup lists all field (secret) names in a GSM collection and group. Uses substring filtering on the server side, then validates client-side to match only direct children (non-recursive). Group path separators (/) are converted to __ for the GSM secret name pattern.

Example:

	collection="vsphere", group="ibmcloud/ci"
	→ Matches: vsphere__ibmcloud__ci__username, vsphere__ibmcloud__ci__password
	→ Does NOT match: vsphere__ibmcloud__ci__subgroup__field (subgroup is excluded)

 Returns field names as saved in GSM (e.g., "aws--u--creds", not "aws_creds")

func ParseIndexSecretContent

func ParseIndexSecretContent(content []byte) []string

ParseIndexSecretContent parses the index secret YAML content and returns the list of secret names, filtering out the UpdaterSASecretName which is automatically added by ConstructIndexSecretContent.

func VerifyIndexSecretContent

func VerifyIndexSecretContent(payload []byte) error

VerifyIndexSecretContent verifies that the index secret content is correct. At this point we assume that the index secret only contains the updater service account secret name.

Types

type Actions

// Actions is the set of changes ComputeDiff derives from comparing desired and actual
// state; ExecuteActions applies them to GCP through the IAM, Secret Manager and
// resource-manager clients.
type Actions struct {
	Config                Config
	SAsToCreate           SAMap                // toCreate result of DiffServiceAccounts
	SAsToDelete           SAMap                // toDelete result of DiffServiceAccounts
	SecretsToCreate       map[string]GCPSecret // first result of DiffSecrets; key presumably the secret name — confirm
	SecretsToDelete       []GCPSecret          // second result of DiffSecrets
	ConsolidatedIAMPolicy *iampb.Policy        // result of DiffIAMBindings; ApplyPolicy writes it back as a whole
}

func ComputeDiff

func ComputeDiff(
	config Config,
	desiredSAs []ServiceAccountInfo,
	actualSAs []ServiceAccountInfo,
	desiredSecrets map[string]GCPSecret,
	actualSecrets map[string]GCPSecret,
	desiredIAMBindings []*iampb.Binding,
	actualIAMPolicy *iampb.Policy,
	desiredCollections map[string]bool,
) Actions

func (*Actions) ApplyPolicy

func (a *Actions) ApplyPolicy(ctx context.Context, client ResourceManagerClient) error

func (*Actions) CreateSecrets

func (a *Actions) CreateSecrets(ctx context.Context, secretsClient SecretManagerClient, iamClient IAMClient)

func (*Actions) CreateServiceAccounts

func (a *Actions) CreateServiceAccounts(ctx context.Context, client IAMClient)

func (*Actions) DeleteObsoleteSecrets

func (a *Actions) DeleteObsoleteSecrets(ctx context.Context, client SecretManagerClient)

func (*Actions) DeleteObsoleteServiceAccounts

func (a *Actions) DeleteObsoleteServiceAccounts(ctx context.Context, client IAMClient)

func (*Actions) ExecuteActions

func (a *Actions) ExecuteActions(ctx context.Context, iamClient IAMClient, secretsClient SecretManagerClient, projectsClient ResourceManagerClient)

ExecuteActions performs the actual resource changes in GCP based on the computed diff.

func (*Actions) RevokeObsoleteServiceAccountKeys

func (a *Actions) RevokeObsoleteServiceAccountKeys(ctx context.Context, client IAMClient)

type CanonicalIAMBinding

// CanonicalIAMBinding is a simplified, canonical representation for diffing IAM bindings;
// ToCanonicalIAMBinding produces it. Because Members is sorted before joining, two
// bindings with the same member set compare equal regardless of member order.
// NOTE(review): ConditionExpr is kept as raw text, so an equivalent condition written
// with different whitespace would diff as a change — confirm that is intended.
type CanonicalIAMBinding struct {
	Role           string
	Members        string // Sorted members joined by a delimiter (e.g., ",")
	ConditionTitle string // The condition title, or "" if no condition
	ConditionDesc  string // The condition description, or "" if no condition
	ConditionExpr  string // The raw expression string, or "" if no condition
}

CanonicalIAMBinding is a simplified, canonical representation for diffing IAM bindings.

func ToCanonicalIAMBinding

func ToCanonicalIAMBinding(b *iampb.Binding) CanonicalIAMBinding

ToCanonicalIAMBinding converts an iampb.Binding into our canonical form. This is necessary for consistent key generation and comparison.

type Config

// Config identifies the GCP project this package manages. GetConfigFromEnv loads it,
// presumably from environment variables named like the struct tags — confirm.
type Config struct {
	ProjectIdString string `json:"GCP_PROJECT_ID" yaml:"GCP_PROJECT_ID"`         // human-readable project ID, e.g. "ci-secrets" (see GetProjectResourceString)
	ProjectIdNumber string `json:"GCP_PROJECT_NUMBER" yaml:"GCP_PROJECT_NUMBER"` // numeric project number, e.g. "1234567890" (see GetProjectResourceIdNumber)
}

func GetConfigFromEnv

func GetConfigFromEnv() (Config, error)

func (Config) GetSecretAccessorRole

func (c Config) GetSecretAccessorRole() string

func (Config) GetSecretUpdaterRole

func (c Config) GetSecretUpdaterRole() string

type DesiredCollection

// DesiredCollection pairs a secret collection name with the groups that should be
// granted access to it. NOTE(review): no signature on this page references it —
// confirm where it is used.
type DesiredCollection struct {
	Name             string
	GroupsWithAccess []string
}

type DesiredGroupsMap

// DesiredGroupsMap represents the groups contained within the _config.yaml file,
// keyed by group (presumably the group name — confirm) with its access info as value.
type DesiredGroupsMap map[string]GroupAccessInfo

DesiredGroupsMap represents the groups contained within the _config.yaml file.

type GCPSecret

// GCPSecret is this package's view of one Secret Manager secret; GetAllSecrets
// returns them keyed by secret ID and DiffSecrets decides which to create or delete.
type GCPSecret struct {
	Name         string // just the name, e.g. "my-secret"
	ResourceName string // full resource name, e.g. "projects/openshift-ci-secrets/secrets/my-secret"
	Collection   string // presumably the part of Name before the first "__" (see ExtractCollectionFromSecretName) — confirm
	Labels       map[string]string
	Annotations  map[string]string
	Payload      []byte     // raw secret bytes, sensitive; NOTE(review): this page does not show whether GetAllSecrets fills it in
	Type         SecretType // Classification for cleanup decisions
}

func DiffSecrets

func DiffSecrets(desiredSecrets, actualSecrets map[string]GCPSecret, desiredCollections map[string]bool) (map[string]GCPSecret, []GCPSecret)

type GroupAccessInfo

// GroupAccessInfo is the value type of DesiredGroupsMap: a group's name and email,
// plus the secret collections it should be able to access.
type GroupAccessInfo struct {
	Name              string
	Email             string
	SecretCollections []string
}

type MockIAMClient

// MockIAMClient is a gomock-generated mock of the IAMClient interface; construct it
// with NewMockIAMClient and set expectations through EXPECT.
type MockIAMClient struct {
	// contains filtered or unexported fields
}

MockIAMClient is a mock of IAMClient interface.

func NewMockIAMClient

func NewMockIAMClient(ctrl *gomock.Controller) *MockIAMClient

NewMockIAMClient creates a new mock instance.

func (*MockIAMClient) CreateServiceAccount

CreateServiceAccount mocks base method.

func (*MockIAMClient) CreateServiceAccountKey

CreateServiceAccountKey mocks base method.

func (*MockIAMClient) DeleteServiceAccount

func (m *MockIAMClient) DeleteServiceAccount(ctx context.Context, req *adminpb.DeleteServiceAccountRequest, opts ...gax.CallOption) error

DeleteServiceAccount mocks base method.

func (*MockIAMClient) DeleteServiceAccountKey

func (m *MockIAMClient) DeleteServiceAccountKey(ctx context.Context, req *adminpb.DeleteServiceAccountKeyRequest, opts ...gax.CallOption) error

DeleteServiceAccountKey mocks base method.

func (*MockIAMClient) EXPECT

EXPECT returns an object that allows the caller to indicate expected use.

func (*MockIAMClient) GetServiceAccount

GetServiceAccount mocks base method.

func (*MockIAMClient) ListServiceAccountKeys

ListServiceAccountKeys mocks base method.

func (*MockIAMClient) ListServiceAccounts

ListServiceAccounts mocks base method.

type MockIAMClientMockRecorder

// MockIAMClientMockRecorder is the mock recorder for MockIAMClient; each method
// registers an expected call and returns the *gomock.Call to refine it.
type MockIAMClientMockRecorder struct {
	// contains filtered or unexported fields
}

MockIAMClientMockRecorder is the mock recorder for MockIAMClient.

func (*MockIAMClientMockRecorder) CreateServiceAccount

func (mr *MockIAMClientMockRecorder) CreateServiceAccount(ctx, req any, opts ...any) *gomock.Call

CreateServiceAccount indicates an expected call of CreateServiceAccount.

func (*MockIAMClientMockRecorder) CreateServiceAccountKey

func (mr *MockIAMClientMockRecorder) CreateServiceAccountKey(ctx, req any, opts ...any) *gomock.Call

CreateServiceAccountKey indicates an expected call of CreateServiceAccountKey.

func (*MockIAMClientMockRecorder) DeleteServiceAccount

func (mr *MockIAMClientMockRecorder) DeleteServiceAccount(ctx, req any, opts ...any) *gomock.Call

DeleteServiceAccount indicates an expected call of DeleteServiceAccount.

func (*MockIAMClientMockRecorder) DeleteServiceAccountKey

func (mr *MockIAMClientMockRecorder) DeleteServiceAccountKey(ctx, req any, opts ...any) *gomock.Call

DeleteServiceAccountKey indicates an expected call of DeleteServiceAccountKey.

func (*MockIAMClientMockRecorder) GetServiceAccount

func (mr *MockIAMClientMockRecorder) GetServiceAccount(ctx, req any, opts ...any) *gomock.Call

GetServiceAccount indicates an expected call of GetServiceAccount.

func (*MockIAMClientMockRecorder) ListServiceAccountKeys

func (mr *MockIAMClientMockRecorder) ListServiceAccountKeys(ctx, req any, opts ...any) *gomock.Call

ListServiceAccountKeys indicates an expected call of ListServiceAccountKeys.

func (*MockIAMClientMockRecorder) ListServiceAccounts

func (mr *MockIAMClientMockRecorder) ListServiceAccounts(ctx, req any, opts ...any) *gomock.Call

ListServiceAccounts indicates an expected call of ListServiceAccounts.

type MockResourceManagerClient

// MockResourceManagerClient is a gomock-generated mock of the ResourceManagerClient
// interface; construct it with NewMockResourceManagerClient.
type MockResourceManagerClient struct {
	// contains filtered or unexported fields
}

MockResourceManagerClient is a mock of ResourceManagerClient interface.

func NewMockResourceManagerClient

func NewMockResourceManagerClient(ctrl *gomock.Controller) *MockResourceManagerClient

NewMockResourceManagerClient creates a new mock instance.

func (*MockResourceManagerClient) EXPECT

EXPECT returns an object that allows the caller to indicate expected use.

func (*MockResourceManagerClient) GetIamPolicy

GetIamPolicy mocks base method.

func (*MockResourceManagerClient) SetIamPolicy

SetIamPolicy mocks base method.

type MockResourceManagerClientMockRecorder

// MockResourceManagerClientMockRecorder is the mock recorder for MockResourceManagerClient;
// GetIamPolicy and SetIamPolicy register expected calls.
type MockResourceManagerClientMockRecorder struct {
	// contains filtered or unexported fields
}

MockResourceManagerClientMockRecorder is the mock recorder for MockResourceManagerClient.

func (*MockResourceManagerClientMockRecorder) GetIamPolicy

func (mr *MockResourceManagerClientMockRecorder) GetIamPolicy(ctx, req any, opts ...any) *gomock.Call

GetIamPolicy indicates an expected call of GetIamPolicy.

func (*MockResourceManagerClientMockRecorder) SetIamPolicy

func (mr *MockResourceManagerClientMockRecorder) SetIamPolicy(ctx, req any, opts ...any) *gomock.Call

SetIamPolicy indicates an expected call of SetIamPolicy.

type MockSecretManagerClient

// MockSecretManagerClient is a gomock-generated mock of the SecretManagerClient
// interface; construct it with NewMockSecretManagerClient.
type MockSecretManagerClient struct {
	// contains filtered or unexported fields
}

MockSecretManagerClient is a mock of SecretManagerClient interface.

func NewMockSecretManagerClient

func NewMockSecretManagerClient(ctrl *gomock.Controller) *MockSecretManagerClient

NewMockSecretManagerClient creates a new mock instance.

func (*MockSecretManagerClient) AccessSecretVersion

AccessSecretVersion mocks base method.

func (*MockSecretManagerClient) AddSecretVersion

AddSecretVersion mocks base method.

func (*MockSecretManagerClient) CreateSecret

CreateSecret mocks base method.

func (*MockSecretManagerClient) DeleteSecret

DeleteSecret mocks base method.

func (*MockSecretManagerClient) EXPECT

EXPECT returns an object that allows the caller to indicate expected use.

func (*MockSecretManagerClient) GetSecret

GetSecret mocks base method.

func (*MockSecretManagerClient) ListSecrets

ListSecrets mocks base method.

type MockSecretManagerClientMockRecorder

// MockSecretManagerClientMockRecorder is the mock recorder for MockSecretManagerClient;
// its methods register expected calls on the mocked Secret Manager operations.
type MockSecretManagerClientMockRecorder struct {
	// contains filtered or unexported fields
}

MockSecretManagerClientMockRecorder is the mock recorder for MockSecretManagerClient.

func (*MockSecretManagerClientMockRecorder) AccessSecretVersion

func (mr *MockSecretManagerClientMockRecorder) AccessSecretVersion(ctx, req any, opts ...any) *gomock.Call

AccessSecretVersion indicates an expected call of AccessSecretVersion.

func (*MockSecretManagerClientMockRecorder) AddSecretVersion

func (mr *MockSecretManagerClientMockRecorder) AddSecretVersion(ctx, req any, opts ...any) *gomock.Call

AddSecretVersion indicates an expected call of AddSecretVersion.

func (*MockSecretManagerClientMockRecorder) CreateSecret

func (mr *MockSecretManagerClientMockRecorder) CreateSecret(ctx, req any, opts ...any) *gomock.Call

CreateSecret indicates an expected call of CreateSecret.

func (*MockSecretManagerClientMockRecorder) DeleteSecret

func (mr *MockSecretManagerClientMockRecorder) DeleteSecret(ctx, req any, opts ...any) *gomock.Call

DeleteSecret indicates an expected call of DeleteSecret.

func (*MockSecretManagerClientMockRecorder) GetSecret

func (mr *MockSecretManagerClientMockRecorder) GetSecret(ctx, req any, opts ...any) *gomock.Call

GetSecret indicates an expected call of GetSecret.

func (*MockSecretManagerClientMockRecorder) ListSecrets

func (mr *MockSecretManagerClientMockRecorder) ListSecrets(ctx, req any, opts ...any) *gomock.Call

ListSecrets indicates an expected call of ListSecrets.

type ResourceManagerClient

// ResourceManagerClient is the slice of the GCP resource-manager API this package
// needs: reading and replacing a project's IAM policy. GetProjectIAMPolicy and
// Actions.ApplyPolicy consume it; MockResourceManagerClient implements it for tests.
// NOTE(review): SetIamPolicy replaces the whole policy, so a caller should carry the
// etag from GetIamPolicy through to avoid overwriting concurrent changes — whether
// ApplyPolicy does so is not visible on this page.
type ResourceManagerClient interface {
	SetIamPolicy(ctx context.Context, req *iampb.SetIamPolicyRequest, opts ...gax.CallOption) (*iampb.Policy, error)
	GetIamPolicy(ctx context.Context, req *iampb.GetIamPolicyRequest, opts ...gax.CallOption) (*iampb.Policy, error)
}

type SAMap

// SAMap maps a key (presumably the service account email or ID — confirm) to its
// ServiceAccountInfo; DiffServiceAccounts returns the to-create and to-delete sets as SAMaps.
type SAMap map[string]ServiceAccountInfo

type SecretManagerClient

SecretManagerClient is the interface that defines the methods for interacting with Google Secret Manager.

type SecretType

// SecretType represents the type of a secret for cleanup decisions; ClassifySecret
// derives it from the secret's name.
type SecretType int

SecretType represents the type of a secret for cleanup decisions.

// SecretType values as assigned by ClassifySecret from the secret's name; the zero
// value is SecretTypeUnknown, so an unclassified secret never reads as a known kind.
const (
	SecretTypeUnknown SecretType = iota
	SecretTypeSA                 // Service Account secrets
	SecretTypeIndex              // Index secrets
	SecretTypeGeneric            // Generic secrets
)

func ClassifySecret

func ClassifySecret(secretName string) SecretType

ClassifySecret determines the type of a secret based on its name.

type ServiceAccountInfo

// ServiceAccountInfo represents the actual state of an updater Service Account in GCP.
// GetUpdaterServiceAccounts lists them and DiffServiceAccounts compares desired against actual.
type ServiceAccountInfo struct {
	Email       string // service account email; GetUpdaterSAEmail builds the desired-state form
	DisplayName string // presumably the collection name (see GetUpdaterSADisplayName) — confirm
	ID          string // service account ID; GetUpdaterSAId derives it (hash-based above the 30-char limit)
	Collection  string
	Description string // built by GetUpdaterSADescription; ExtractCollectionFromDescription presumably parses the collection back out
}

ServiceAccountInfo represents the actual state of an updater Service Account in GCP.

func GetDesiredState

func GetDesiredState(configFile string, config Config) ([]ServiceAccountInfo, map[string]GCPSecret, []*iampb.Binding, map[string]bool, error)

GetDesiredState parses the configuration file and builds the desired state specifications. For each unique secret collection referenced by groups, it generates the required resource definitions. Returns desired service account specs, secret specs, IAM binding specs, and the set of active collections.

func GetUpdaterServiceAccounts

func GetUpdaterServiceAccounts(ctx context.Context, client IAMClient, config Config) ([]ServiceAccountInfo, error)
